The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday Dec 14, 2022
Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT
This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'? Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk.
Join Allan, Andy, and Chris as they deconstruct risk, extol its virtues, and hopefully change the way you think about risk altogether. Is likelihood times impact valid? Is the 5x5 grid valid? What is plausibility vs. probability? Find out on this great LIVE! episode!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Dec 07, 2022
Is It Even Our Job to Make Them Care About Cybersecurity? with Yaron Levi
In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance.
Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others.
Listen to hear a deconstruction of this position, and hear some great arguments both for and against it. We'll give away the ending - the argument is ultimately refuted - but it is a great thought exercise and a wonderful journey getting to that conclusion. Hint: The show's ending is more apt than ever: "Y'all be good now!"
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Nov 30, 2022
Building Cybersecurity Community with Scott Schindler
Scott Schindler, veteran CISO, vCISO, and adjunct professor, joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to, and benefit from a cybersecurity community. Allan chose Scott for this show because of his incredible community focus and the high level of participation and engagement he demonstrates in his own career.
How can we, as privacy and security professionals, overcome our paranoia in order to build community?
How do we, as new members of cybersecurity, break into the community?
How do I start a local community?
How do we welcome others?
What is wrong with the cybersecurity community today that we need to fix?
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Nov 16, 2022
Geopolitics, APTs and Cybersecurity with Dan Holden
Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at BigCommerce, joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a forward-looking vision for cybersecurity that includes shifts in the global prioritization of cybersecurity, federal regulations, and changes to the VC investment landscape. Saddle up and get ready for a wild ride!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Nov 09, 2022
3 Very Practical Tips with Duane Gran
This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions, to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes:
Eliminating the culture of "No!"
Managing Third-Party Risk
Building a "No Blame" Culture
The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Nov 02, 2022
Should the CISO...? with Andy Bennett
In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?"
Should the CISO be the one to decide whether to report breaches?
Should the CISO own the SOC?
Should the CISO report to the CIO?
Should the CISO have an MBA?
Should the CISO be mentoring individual contributors in their team?
Should the CISO be sharing the political realities of “upstairs”?
Should the CISO own Identity?
Enjoy this fantastic conversation that goes to a lot of surprising places!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Oct 26, 2022
Tired Topics in Cybersecurity - Part Two with Michael Santarcangelo and Rich Mason
Once again, Allan, Rich, and Michael dissect topics in our community that are, well, tired. Topics that are brought up to spur online debate but never reach a conclusion. Topics that bifurcate our community without moving our industry forward. Topics that cause us to over-rotate on the wrong areas.
In this show we address:
Defining terms: zero trust, ML, AI, hacker vs. cracker, cybersecurity vs information security
How to pronounce "CISO"
Work from home vs coming to the office
Do we deserve a seat at the table or is it earned?
Hopefully, these three are stepping beyond the tired answers to these topics and are raising the bar on how we should approach the information security profession. You be the judge...
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Oct 19, 2022
Tired Topics in Cybersecurity - Part One with Rich Mason and Michael Santarcangelo
We have all seen the conversations on LinkedIn where someone starts with a hotly debated topic, and the debate goes on and on, nothing is concluded, and then the next week, someone else posts the same topic and starts the gerbil wheel spinning again. We have seen this phenomenon with common complaints too. These are, in short, tired conversations.
Join Allan Alford, Rich Mason, and Michael Santarcangelo as they rope in some of these tired topics and propose alternative ways of looking at them.
This one runs a bit longer than usual because the conversation is that good. Also, there are a few naughty words...
In this Part One episode they offer some alternative takes on the following tired topics:
Who should the CISO report to?
Users as the weakest link
Talent Shortage
CISO Burnout
Imposter Syndrome
Awards Marketing
Bad Vendor Behavior
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Oct 12, 2022
One Tool to Rule Them All with Derly Gutierrez
CISOs and other security executives have relied on spreadsheets to perform a great deal of the management functions of their programs. What if there was a better way? Derly Gutierrez is back on the ranch for a third time now to discuss his alternative - the humble ticketing system. It might seem obvious in some cases, but Derly has pushed the use cases far beyond what you might imagine. Topics Derly and Allan cover include:
Risk Management Lifecycle
Vendor Management Lifecycle
Personnel Onboarding/Offboarding (Joiners, Movers, Leavers)
Data Governance Lifecycle
SOC2 Audits
Internal Audits
UI Considerations
Organizational Familiarity with the Tool
Automation & Integration
In this short but sweet episode, a lot of very practical tips are addressed. Y'all be good now!
Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Wednesday Oct 05, 2022
Cybersecurity Myths & Misconceptions with Josiah Dykstra
Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and author, kicks the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Ahead of the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some of the biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.
Timecoded Guide:
[00:00] Researching cybersecurity psychology & other exciting industry mashups
[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem
[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias
[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance
[25:55] Creating an accurate measure of how secure we really are
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
In the context of cybersecurity, what are some examples of magical thinking?
Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.
“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”
Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?
While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.
“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”
What about common cyber biases, such as zero risk, confirmation, and omission bias?
The cyber industry is rife with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk: understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.
“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”
“The goal of a security vendor is to keep you secure.” Why is that a misconception?
Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a business and making a sale. While many vendors have a goal to keep customers secure, that will not be the only goal they have. Josiah recommends taking precautions and never assuming the vendor will always put security first.
“The goal of any business is to make money. That's why that business exists. You could argue with me that it isn't an ‘either or.’ They can make money and we can be secured, we can have both, but that's an ideal world. I think, in reality, it's a little bit bumpier than that.”
----------
Links:
Learn more about Josiah Dykstra on his LinkedIn and his website
Check out Josiah’s book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Sep 28, 2022
Entrepreneurship After the Golden Handcuffs with Christian Espinosa
Christian Espinosa, author, speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high-IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey, and reveals how these experiences have inspired two books about cybersecurity, business ownership, and life itself.
Timecoded Guide:
[00:00] Finding business coherency in the one-page strategic plan
[08:39] Selling Alpine security & transitioning from leader to participant
[13:46] Escaping the golden handcuffs & embarking on a new career journey
[17:35] Outlining seven steps to emotional intelligence in cyber with his first book
[20:34] Embarking on appreciation of life’s little moments with book number two
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
What were the challenges in growing the business you started, and how did you overcome those?
Christian’s inspiration for Alpine Security, his first business, was actually the stress of a conflicted relationship with a CEO he worked with. Feeling misaligned with the company he worked for, Christian left and began his journey towards entrepreneurship, thinking that his work ethic and willingness to do it all would lead to his success. Instead, his refusal to delegate and his lack of focus on leadership created conflicts between himself and his employees.
“I had to get over myself. Initially, I thought I’d do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff was having problems with something, I would jump in and help, but there's only so many hours in the day.”
Was your intention to sell your business from the beginning? What was the process of selling like?
Although he advises every entrepreneur to have an exit strategy, Christian admits he didn’t initially create one with Alpine Security. After agreeing to a deal with Cerberus, Christian learned the hard way that the process of a business sale can be like a pair of golden handcuffs. Struggling with a lack of control and feeling constantly under scrutiny, Alpine Security eventually lost its founder as Christian embarked on a new journey in his career.
“In my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. Now that I was part of the larger organization, I wasn't in charge of that. I had to approach things differently.”
Can you tell us about your first book and the seven-step process it outlines in cybersecurity?
Major struggles during Alpine Security’s founding were due to a lack of emotional intelligence and people skills amongst staff, in Christian’s opinion. These conflicts inspired the 7 steps of emotional intelligence for cybersecurity practitioners that Christian outlines in his first book, The Smartest Person in the Room. These steps include: awareness, mindset, acknowledgement, communication, mono-tasking, empathy, and Kaizen (continuous improvement).
“My first book is really about all the challenges I had in the company I started. 99% of the challenges I had were because of my staff, who were super bright, super high IQ penetration testers that didn't have emotional intelligence or people skills.”
What are you going to do with your new book? Is that also cybersecurity related?
In contrast to his first book, which focused solely on cybersecurity professionals and the struggles they face with people skills in the workplace, Christian’s second book dives deeper into mindset. Focusing more on the value of life and the ideas around mono-tasking, Christian inspires his readers to care more about the micro moments. This second book is all about slowing down, seeing what’s happening around you, and seriously absorbing the information we take in every day, from the big moments to the little moments and everything in between.
“I think a lot of us go through this zombie state in life, going from one thing to the next thing, and we're distracted with our phones and everything else. We're missing a lot of things that are right in front of us.”
----------
Links:
Learn more about Christian Espinosa on his LinkedIn, Twitter, and website
Check out Christian’s book, The Smartest Person in the Room: The Root Cause & New Solutions for Cybersecurity
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Sep 21, 2022
How APIs Expose Business Logic Flaws with Chuck Herrin
Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.
Timecoded Guide:
[00:00] Bringing a background in finance into the cybersecurity API world
[05:25] "Hacking" a bank’s API using business logic instead of hacking
[12:17] Implementing standard API protocols and processes
[14:27] Flipping the API language and preparing injection threats
[19:03] Evolving defenses over time to meet both new needs and new risks
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
What does your current role look like and how does it relate to API security?
Chuck began his career in tech and security in the banking industry, and over time grew particularly concerned with the lack of security around APIs and related technology. Now, as CTO at Wib, Chuck focuses on providing continuous visibility into API attack surfaces. Beyond the newness and the tech of APIs, Chuck explains that there are critical infrastructure and national security ramifications for API security.
“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”
Akamai recently ran a study of internet traffic. What were their findings about APIs?
As someone well-versed in his work with APIs, Chuck pays close attention to recent studies, like one from Akamai that claims 91% of its global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when related to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing.
“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat which is a little harder to prove estimates that roughly 50% of APIs are completely unmanaged.”
You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story?
At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and to presentation attendees, was that this didn’t require tech hacking; it only required exploiting business logic.
“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”
If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?
Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to identify and acknowledge what has to change over time. You can't protect what you can't see and our teams have to evolve over time to defend against the changing attackers we might end up facing with APIs. When push comes to shove, Chuck firmly believes in having a defense strongly informed by the offenses and threats around you.
“This was cloud security 10 years ago, and it's API security today, right? History doesn't repeat, but it rhymes. It's the same basics and same fundamentals. Now, you need to change tooling. The attackers evolve over time, and your defenses have to evolve over time.”
----------
Links:
Learn more about Chuck Herrin on LinkedIn and the Wib website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Sep 14, 2022
What Is (And Isn’t) a CISO with Matthew Lang
Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.
Timecoded Guide:
[00:00] Defining what a CISO isn’t in order to discover what a CISO is
[06:45] Finding the bridges between CISO & other company roles
[12:12] Getting things clear between CISO, COO, CIO, and CEO
[16:20] Understanding a CISO’s peers & meeting with security points of contact
[24:49] What the CISO role should be & solidifying the CISO definition
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
What is the CISO not?
The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew’s opinion, the two things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and, on the other hand, (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.
“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”
Who should the CISO be interfacing with as we bridge in and out of that defined role?
To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles have essential communication between one another.
“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”
How does the Board of Directors shape and influence what the CISO is and isn't?
The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations with transparency about topics that members may not know helps to bridge the gap and develop a stronger and more positive relationship between the CISO and Board.
“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”
What should be the role of the CISO?
While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company through establishing security and governance practices. Overall, CISOs help a business to meet goals and go where it wants to go safely and effectively, like a good brake system on a high-end car.
“There's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework to scale the business.”
-------------
Links:
Learn more about Matthew Lang’s work with the SECU
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Sep 07, 2022
Fighting the Increase in Cyber Attacks with Leon Ravenna
Leon Ravenna, CISO & CIO at KAR Global and former VP of Security & Compliance at Interactive Intelligence, joins Allan this week to talk about the increases in cybersecurity threats and risks - increases in the breadth and depth of various attacks and increases in our own problems in dealing with those attacks. It has implications for all of us, as we have not necessarily seen an increase in the right defensive capabilities to maintain parity. COVID and work-from-home have not helped either...
Questions covered this show:
1. You mentioned firewall attacks, social engineering, HR/interview/job fraud. Of course there is ransomware. What else is on the rise?
2. How much has COVID and work-from-home impacted the landscape?
3. What are the vendors doing wrong about this landscape?
4. What are they doing right?
5. So what are the real solutions to these problems? Let’s break it down, starting with ransomware, my personal favorite.
- Firewall attacks
- HR/Interview/Job Fraud
- Phishing
- Insider Threat (another one possibly impacted by work-from-home and COVID)
- Credential Stuffing
- Zero Day Exploits
- 1,000 Day Exploits
6. If everything is on the rise, and if spending in cybersecurity is steadily on the rise (it is a rapidly growing industry), then why aren’t we solving the problems?
7. If you could change any one thing in cybersecurity, what would that thing be?
-------------
Links:
Keep up with Leon Ravenna on LinkedIn
Wednesday Aug 31, 2022
Understanding SEC’s Proposal for Cyber Risk Management with Yaron Levi
Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled Cybersecurity Risk Management Strategy: Governance and Incident Disclosure, this proposal has huge implications for cybersecurity in any publicly traded company. Yaron walks through his research into the proposal and explains what it will mean in the future for real-world cyber practitioners.
Timecoded Guide:
[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure
[08:45] Explaining filing 8-Ks and 4-day turnaround disclosures
[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)
[16:04] Comparing SEC’s cyber proposal to accounting’s GAAPs
[25:33] Involving the Board of Directors in cyber risk management
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?
Although the proposal was initially released in March 2022, Yaron explains that these rules have been floating around the industry since 2018 and aren't expected to be finalized until October 2022. In the meantime, many in the industry are curious about what these regulations mean for any and all cyber practitioners. Yaron understands the concerns many have, but also emphasizes that this is a maturity progression for the cyber industry.
“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”
Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?
Lip service to cyber is an unfortunate commonality among publicly traded companies that want to look safe without putting the effort or expertise into security. Thankfully, Yaron believes this SEC proposal will go a long way toward encouraging companies to develop and mature their cybersecurity teams and protocols. As cyber management roles and board integration become a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.
“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”
Is this the right time for people to get excited about more CISO jobs opening up, or more board seats opening up for CISOs?
Yaron believes this SEC proposal will build on processes and initiatives already in place to continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that it is not just about roles and jobs; it's about cyber's maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology, and it's vital to have individuals leading with maturity and competence to keep these technical processes secure.
“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”
Do you have any closing thoughts or comments on this SEC proposal?
While Yaron breaks down individual elements of the Securities and Exchange Commission proposal with Allan, he understands that the most essential impact of the proposal is its potential to elevate the industry. Maturity and legitimacy are desperately needed in order to create cybersecurity's own version of generally accepted practices. In the same way that accounting has GAAP, Yaron hopes this SEC proposal is a sign of the cyber industry growing up, coming into its own, and creating more secure processes in risk assessment.
“These proposals are part of our maturity progression and are part of our growing up as an industry and as a practice. This is something that we have to evolve into. We can probably look at other industries and figure out what we can learn and leverage from them.”
-------------
Links:
Keep up with Yaron Levi on Twitter and LinkedIn
Wednesday Aug 24, 2022
Ask CISO Allan Alford Anything pt. 2
Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.
Timecoded Guide:
[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion
[06:10] Facing stressful ransomware situations without proper preparation
[12:11] Hiring hackers as team members & debating the ethics of black hat hackers
[21:20] Addressing cyber risk in an accessible way for your organization's board
[26:41] Understanding the past, present, & future of cybersecurity insurance
Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]
There's a perception (and not a wrong one) that the CISO's role is to turn on the light in a dark room and show a company what its biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining the risks and socializing them with team members has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.
“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”
How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]
With open positions, skills gaps, and labor shortages in cyber, the answer to the industry's problems might lie either with people outside of the industry or with people who were once on the "wrong" side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of C-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals who have moved from black hat to white hat.
“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”
What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]
Having held five different positions as a CISO, Allan has seen it all on both the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are also very difficult decisions to make from a business point of view. Sometimes, a CISO has to choose to do what's right for the business, even if that means budget, personnel, or materials will be taken away from the security team.
“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per se.”
How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]
Although reporting to a board is often an essential responsibility of any CISO's role, Allan explains that making sense of the cyber threat landscape relies on you being flexible, not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensures success for your security team.
“There’s a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”
-------------
Wednesday Aug 17, 2022
Ask CISO Allan Alford Anything
Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.
Timecoded Guide:
[00:00] Seeing the best of the job in the often thankless role of CISO
[06:04] Building teams through learning strengths vs the negative perception of employee poaching
[09:50] Starting out in IT & transitioning to CISO through consistent skill-building
[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third
[27:23] Understanding the industry with a technical CISO point of view & a hacker’s mindset
[38:06] Managing the many highs and lows of becoming a CISO
Sponsor Links:
Axonius gives its customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at axonius.com/platform/cybersecurity-asset-management
What skills and education level helped you land your first CISO position? [from: John Rosario]
Although he’s taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.
“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”
Talking to your younger self: What’s the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]
Compromise is king, even in the C-suite, but Allan didn't understand this as an early-stage CISO. Instead, Allan feels regret in recalling his unwillingness to see other business concerns beyond security. He feels that a successful, impactful CISO needs not only to prioritize security as their mission, but also to see the bigger picture of why a budget line or resource sometimes has to be used for something other than security.
“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”
What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler]
Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor.
“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”
What's the best and worst thing about being a CISO? [from: Ofer Shaked]
There are a great many ups and downs that come with being a CISO, but thankfully, a major positive has been being able to answer the noble calling to help organizations become more secure. When a CISO can look back and see how well an organization has done because of them, Allan describes this feeling as invaluable. On the unfortunate flip side, being a CISO for an organization that doesn't understand the role and only wants someone to check boxes can be extremely disheartening. Allan warns that he has yet to meet a CISO who hasn't encountered that at some point in their career.
“When you can look back on your body of work, and see that it had a meaningful impact; you can look at this organization and know this place is more secure than it was when you walked in the door…that’s probably the best feeling [for a CISO].”
-------------
Wednesday Aug 10, 2022
When a CISO Writes a Book with George Finney & Robert Pace
Cybersecurity practitioners give back to the community by recording YouTube videos, interviewing in magazines, or creating podcasts, just like this one. However, books remain a fantastic method of delivering information and impacting lives that shouldn't be forgotten with the rise of social media. Allan tallied it up, and thus far nine of his friends have written books. He has been approached about writing one himself, and he wanted to get the inside track on the process. George Finney, CISO at SMU, and Robert Pace, CISO at Invitation Homes, explain the ups and downs of writing books from a cyber perspective. This interview with George and Robert was recorded LIVE! at the CISO XC 2022 conference.
Timecoded Guide:
[00:00] Introducing the cybersecurity and the personal books George and Robert write
[08:28] Overcoming writing challenges in order to help others with your book
[15:16] Understanding the monetary gains and losses of book writing
[23:59] Being purposeful, intentional, and useful with the book you write
[30:02] Advising potential writers on if they should write their book or not
What made you choose books as your way to give back to the cyber community?
There are numerous ways to give back to the cybersecurity community, including more modern methods such as online videos and social media posts. However, books offered George and Robert a means of expressing their feelings and beliefs about cyber and about life that felt unique and special to them. For George, writing books fulfills his dream of being a writer, a passion he's had since he was a kid, and allows him to combine that dream with his passion for bettering the cybersecurity industry.
“My passion is really around cybersecurity. I really wanted to bring these two things (cybersecurity and writing) together in my life, and do something that I think only I can do, from my unique experiences, my unique perspective." — George Finney
What were the biggest challenges you faced while writing your book?
Writing a book takes time and requires vulnerability. George and Robert are very familiar with those challenges. Facing these challenges often involves facing yourself, your wants, and your experiences. Robert especially felt challenged in writing his book because it was a personal story about losing his mother. Stepping out of his comfort zone to write about his personal life felt like a massive leap of faith, but he’s enjoyed impacting others with this story.
“Writing necessarily means that the time you dedicate to it is going to be spent in isolation. If you're spending 10 hours or 20, that's time you're not with your family, that's not time where you're going out, having fun. That's time you're on your own alone.” — George Finney
When you look at the time and effort that went into it, was writing a book worth it?
As Allan shares, podcasting with the Cyber Ranch podcast has offered him an avenue of success, but book writing does not always pay off monetarily. George and Robert have found other ways of seeing the value in their work, but as George in particular explains, there are a lot of costs associated with writing a book that many aspiring writers don't consider. Marketing especially carries costs that many don't expect when writing their first book.
“Mine has not proven to be successful to where I can retire from the job, but there is a feeling of richness that you can get from helping folks along the way. That has been a very fulfilling point.” — Robert Pace
If somebody wants to write a book, what's the best piece of advice you have for them?
If you want to write a book, Robert and George genuinely believe you should go for it. A writer doesn’t have to know everything to write a book, but they do need to understand their audience and intentions with the book they want to author. Aspiring authors, according to Robert, need to be especially cautious of how pride can negatively impact the writing process. Don’t be afraid to ask for help, Robert says, but don’t let pride get in the way of accepting that help, especially from editors and other educated writers.
“I will say when you want to write a book, remove your pride because it will get hurt if you keep it out there. Everyone is not going to like what you write. We're coming from a cyber perspective, we don't write like the guys that have majored in English.” — Robert Pace
-------------
Links:
Learn more about George Finney on LinkedIn and buy George’s books, Well Aware, No More Magic Wands, and Project Zero Trust
Keep up with Robert Pace on LinkedIn and buy Robert’s book, I Understand… You Forgot to Say Goodbye.
Wednesday Aug 03, 2022
Doing More by Doing Less with Drew Simonis
Drew Simonis, CISO at Juniper Networks, discusses the debate of doing more by doing less. So often in cybersecurity, practitioners think they have to do it all and view themselves as the smartest people in the room. The fact of the matter is that none of us are the smartest in the room and we have to learn to trust each other. Drew believes a collaborative, trusting environment will bring us to a place of doing less and seeing better results because of it.
Timecoded Guide:
[00:00] Introducing the foundations of Drew’s “do more by doing less” mindset
[07:03] Doing more by doing less, specifically in tech stack and GRC teams
[15:00] Revamping the cybersecurity and IT vendor ecosystem
[20:43] Understanding consumer and CISO impact on the cyber vendor market
[32:34] Reshaping the command and control security mindset
How can security teams be more successful by enabling good decision making, versus trying to keep everyone from falling off a cliff?
The cybersecurity industry is stuck in a helicopter parent mindset, where practitioners don’t trust their colleagues in IT and feel the need to do the work for them. Drew explains that this is a low trust environment, where more work is created and no one thrives. If the industry works towards a high trust mindset, individuals are able to do their jobs and make decisions based on their knowledge, and even face normal consequences for their decisions, too.
“[We think] we're the smartest people in the room. There's always this very dismissive, very condescending approach to our colleagues, who have very important jobs to do on their own. In a low trust culture, you get to the point where you have to be watching over everybody.”
How do vendors do more by doing less? How do they fit the trust and parenting model?
The bifurcation of the cybersecurity vendor ecosystem into cyber and IT has created more work for everyone involved and has produced a lot of less-than-ideal results. With a lack of integrated solutions, organizations and departments suffer from simply not being able to buy products that do everything they need them to do. There's little cross-functionality, and there are often too many products in play at once for any one vendor to make its intended impact.
“Why can't it all just work together? I think the whole notion of security as a buying center, separate from IT, created this opportunity for vendors to pursue a separate budget pot. In my opinion, it disincentivizes them from creating integrated solutions.”
What are we doing wrong as consumers that's encouraging this “do less by doing more” system instead of doing more by doing less?
Sometimes, the only thing that can be done is starting over. The current system thrives off of an “us” vs “them” mindset and a business vs technology mentality, where trust is low and doing more results in actually doing less. Roles need to be rethought and reconsidered in cybersecurity organizations and executive leaders need to step out of the ivory tower of leadership to re-educate themselves and better understand their own roles.
“The whole separation of the cyber technologists from the IT technologists comes back to that trust issue as well. I can't trust IT to do the right things, I can't trust them to patch, so I've got to sit over here over their shoulder and scan.”
What's the revenue and business argument for everything we've discussed?
There's always the pressure of revenue metrics and tangible results, especially if a process or role has to change within a cybersecurity team. How does doing more by doing less show up as a tangible result and outcome? It turns out that all depends on transparency. Knowing the outcome that's being looked for allows for a better understanding between practitioners and business leaders when the business argument for doing more by doing less has to be made.
“As CISO, I can't take your problem and try to make it my own and then solve it. I've got to trust you to solve it, and I've got to empower you, with the right tools, the right processes, the right policies, so that you have safe guidelines to solve that problem within.”
-------------
Links:
Learn more about Drew Simonis on LinkedIn
Check out Juniper Networks on LinkedIn and the Juniper Networks website
Wednesday Jul 27, 2022
Getting Back to the Basics with Sonja Hammond
Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.
Timecoded Guide:
[00:00] Breaking down basics of people, process, and technology
[06:59] Where tech stack is failing us and how to keep the vendor community on hold
[10:31] Building a good GRC team with a focus on NIST CSF
[14:13] Training the right way for GRC and cyber professionals
[19:30] Understanding the end user and setting your cyber team up for success
What does that mean to you, in cyber specifically, getting back to the basics?
Getting back to the basics is a common theme no matter your industry, but Sonja's focus on it feels especially surprising when so much of the security world isn't simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially considering that Sonja's work involves sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA's care, and the people who love those animals, safe. Although it may not be flashy, Sonja is proud of the well-oiled machine that is her team and of the security of their data.
“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”
What's the opposite of your "get back to the basics" vision there?
Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back to the basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that often means that focus is turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited.
“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”
What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?
Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without context of what their end user might be experiencing on their end. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.
“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”
For the people that are checking in the patients and taking them back, how much do they learn about security?
It's one thing to train security professionals in the day-to-day of an organization, and another to train other employees about the world of cybersecurity. To combat the often frustrating process of checking security compliance boxes, Sonja changes up training tactics with employees by sending playful videos and short informational emails. Keeping things short greatly raises the chances of the content actually being read, Sonja explains, and it also limits the monotonous moments in the training process for employees who have very little experience with cyber protocols.
“We try to make it not quite so obvious that [our employees] are always getting training. We certainly do the traditional online CBT type stuff, to check the compliance boxes, but then we try to do some other things, like funny videos…Just simple things to remind them.”
-------------
Links:
Learn more about Sonja Hammond on LinkedIn
Check out National Veterinary Associates on LinkedIn and the NVA website
Wednesday Jul 20, 2022
Debunking Cyber Myths with Adrian Sanabria
Adrian Sanabria, Director of Product Management at Tenchi Security, arrives at the Ranch this week to debunk cyber myths and expose industry lies. Using his background running Security Weekly Labs at Cyber Risk Alliance, Adrian explains the lack of cohesive product testing happening in the cyber world, and delves into the research he’s done to get to the bottom of cyber’s most elusive statistics. Do 60% of small businesses go out of business after a breach? Adrian has an answer that just might surprise you.
Timecoded Guide:
[00:00] Introducing Adrian and his journey with Cyber Risk Alliance
[06:47] Buying awards and lying about customers
[13:24] Finding the source of fake cyber statistics
[24:28] The lies of vulnerability management and security awareness training
[30:58] Explaining Adrian’s It’s Time to Kill the Pen Test talk
[40:41] Creating a money-making concept for debunking cyber myths
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Can you tell me about your product testing lab with Cyber Risk Alliance?
We often hear the startup motto of “fake it ‘til you make it,” but Adrian wasn’t aware of how pervasive that concept was in cyber until he began his work with 451 Security. After encountering numerous professionals who expressed complaints and confusion about products on the market, Adrian wanted to break into the world of product testing, and the Security Weekly Labs were born. With a focus on external attack surface management and network vulnerability scanners, Adrian sought to find the truth behind the products vendors were selling him, and what he discovered strongly influenced his future.
“When we talk about myths and lies, it's not just straight up lies, right? At some point, they're faking it till they make it, and they get to a point where it's just too late to turn back. And then, it starts to get a little bit more insidious.”
Are vendors going far enough to fake customers and awards?
Not only are vendors “faking it” in a startup sense, some vendors have gotten right to the point of lying about the awards they’ve received and the high-profile customers they’ve worked with. Adrian explains that buying awards and lying about them has become a common practice within the cyber world, where certain businesses have let the marketing value of winning an award override the legitimacy of their own success. While some companies may naively be drawn in by meaningless awards, more insidious industry liars have already mastered pulling out their credit card to buy whatever they want to win.
“You can actually even fill in the name of the category you want to win an award for, you can just make up your own category. You drop a credit card and they send you a trophy. Some of these fake awards even have award ceremonies.”
Where do these cybersecurity statistics come from, and how do we validate them?
60% of small businesses go out of business after a breach— but do they really? Adrian’s exposition of cyber lies leaves no stone unturned, even when it comes to mystery statistics. Where did these numbers come from, and why would millions of businesses be more impacted by security breaches than fraud? After interacting with statistics like this with a shocking frequency, Adrian has even taken to Twitter on numerous occasions to call out companies marketing with fake stats and reveal his own research findings.
“There are people that have just hinged their reputations and their careers on some of these myths…And it's not that companies don't get hurt by breaches, but it benefits no one to make up stats, or to push this narrative.”
Is it time to kill the pen test?
There are a lot of things done in cyber that might not have a place for everyone. Pen testing is near the end of Adrian’s list, but he’s quick to point out that the pen test process needs to change. Unfortunately, the bulk of what any organization is paying for when it runs a pen test is vulnerability scans and report paperwork. Explaining a concept he developed with his friend and co-founder Kyle at Savage Security, Adrian argues that the modern-day pen test needs to look more like purple teaming and focus on prioritizing what really needs to be fixed.
“A lot of companies have pen tests, because they don't know what else to do with their security budget. You could apply that more broadly. A lot of people have a security budget, and they buy what they see their peers buy and do what analysts tell them to do.”
-------------
Links:
Learn more about Adrian Sanabria on LinkedIn and Twitter
Check out Tenchi Security on LinkedIn and the Tenchi Security website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jul 13, 2022
Privacy Professionals & Regulatory Headaches with Adam Stone
Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy. Where do they intersect? What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?
Timecoded Guide:
[00:00] Comparing and contrasting security and privacy responsibilities
[08:30] Privacy, GRC, and building trust with stakeholders
[15:28] Coordinated and cooperative efforts of security and privacy teams
[20:57] Security awareness training vs the lack of awareness of privacy
[27:26] Drawing the line with privacy laws for security professionals
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Where do privacy and security intersect? Where don’t they intersect?
Privacy professionals need the security professionals within their organization to make privacy work and to implement the protocols a privacy policy calls for. Although each group may want to draw a division, a company needs a healthy dose of both privacy and security, handled by separate people rather than by one person tagged in for both. The main reason this shared responsibility of privacy and security under one roof doesn’t work is the difference in priorities. While Adam points out that both seek to serve stakeholders, security professionals are protecting property with technology and privacy professionals are protecting individuals with processes.
“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”
What does an information security professional need to know about privacy?
Within the world of security, privacy regulations and laws are often seen as a headache. However, according to Adam, privacy is misunderstood by many security professionals, who group privacy policies with the same technical protocols they use throughout their work. Privacy is administrative and reliant on how someone behaves within their workplace. Although technology may aid privacy policies, the steps companies have to go through to maintain privacy for their customers depend on individuals and on the ways companies are able to enforce strict protective privacy protocols on those individuals.
“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”
If security awareness training is a norm, why isn't there privacy awareness training?
There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.
“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”
How do you keep up with the myriad of privacy laws that are constantly coming out and changing?
Adam has heard from security and privacy professionals alike about the anxiety of changing privacy laws, but his answer to the concern is to point out that no one can keep up with these privacy law changes on their own. Whether relying on the International Association of Privacy Professionals (IAPP) or calling in the counsel of a legal team or privacy lawyer, there are numerous resources available for privacy and security professionals to learn about privacy laws, study them, and decide where to draw the lines and what decisions to make about privacy policies.
“There’s a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court. That is where we really need the expertise and the authority that a lawyer brings to the table.”
-------------
Links:
Learn more about Adam Stone on LinkedIn and the TrustMAPP website.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jul 06, 2022
The Overrated in Cybersecurity with Jerry Perullo
Jerry Perullo, former CISO of the NYSE, former chairman of the board of the FS-ISAC, founder, professor, and host of the Life After CISO podcast, comes down to the Cyber Ranch to discuss the many roles he’s had throughout his career and the many highly unique opinions he has on the cyber industry. Together, Jerry and Allan break down what’s overrated in cybersecurity, from patching to the dark web to vulnerability departments, and every detail and concept in between.
Timecoded Guide:
[01:53] Taking on a variety of roles in the cyber industry and breaking down which elements of cybersecurity are overrated
[08:48] Recognizing when encryption is needed and when it is overrated or overemphasized as something you need in cybersecurity
[15:43] Service-level agreement timelines, addressing critical risks, and engaging with the 80/20 rule
[24:17] Understanding when to separate data about different vulnerabilities and attacks, and when to report on them in the same conversation (i.e. board meetings)
[29:58] Other overrated elements of cybersecurity, such as IoCs, dark web, and, of course, what Jerry would change in cyber if he had a magic wand...
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Why is patching overrated?
While Jerry acknowledges the importance of patching in certain contexts, he also explains that its ability to provide cyber solutions is often overemphasized. For patching to make an impact, the vulnerability has to be known and understood, and the vendor has to have shipped a fix. In Jerry’s experience, patching doesn’t solve many of the problems in cybersecurity and can instead create a false sense of security, especially in the case of in-house coding errors, which no vendor patch will address. Although patching can be a long-term solution, you may only overcome a weakness for a moment and end up coming back to the same issue a few months later.
“When I say it's overrated is, first of all, patching is to address a known vulnerability in a piece of software, right? That means that the vulnerability has to already be out there, has to be profiled, has to be understood, and the manufacturer has to have actually created some kind of fix for it.”
What about encryption? Is that also overrated?
The idea of encryption comes from the idea of keeping information and vulnerabilities out of your enemies’ hands. However, too much focus on encryption blinds us to other issues and other tools that can be used against us. Although certain vulnerabilities around encryption are exploited, Jerry points out that you rarely, if ever, hear about the threats that we’re warned about when we’re sold on the concept and idea of encryption. With so many other ways to be hacked and exploited, Jerry says our focus on encryption keeps us in the dark about what the reality of online safety is.
“In any event, we spend so much time worrying about encryption and encrypting things, and whether it's encryption at rest, or whether it's in transit, or anything else like that, that I think sometimes we blind ourselves, especially on internal tools.”
Are short SLAs (service level agreements) for addressing critical risk overrated?
In Jerry’s mind, the timeframe of your SLA doesn’t matter if you need a problem fixed immediately. Whether it’s a 48-hour turnaround, a 29-day window, or a 364-day window, critical threats need immediate fixes and your service team should understand that. If the response to a necessary and urgent request is for your team to inquire about the SLA, you have a much bigger problem than the time it will take. Instead, you have a toxic culture problem, something that cannot be fixed with simple tweaks to your SLA.
“I always would just preach that you don't want to ever undermine your credibility. You don't want to bring weak sauce. Gotta be able to reproduce everything, have a video, all of that, and if you don't, then yeah, you people are gonna abuse your SLAs and push it to the edge.”
What are your thoughts on departments with “vulnerability” in their name?
Although Jerry has had vulnerability departments and teams at previous companies he’s worked with, adding “vulnerability” to a department name rarely has an impact beyond specifying that the team runs the vulnerability scanners. Beyond running the scanners, processing the results and reporting them is a completely different beast. Rarely is a vulnerability department able to process and report these results without making the data ten times more complicated and time-consuming for your board to understand. They’re tool-focused, it’s in their name, but that may not be what you really need when you’re assessing risk.
“I think it's really important that you just speak about them all collectively, in a tool-agnostic fashion. So, I feel the vuln scanner results, the bug bounty results, the attack surface management results, the employees raising their hand and volunteering info…they need to be portrayed in parallel in one communication.”
-------------
Links:
Learn more about Jerry Perullo on LinkedIn and listen to his podcast #lifeafterCISO
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 29, 2022
Better User Awareness Training with Tim Silverline
Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advanced warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.
Timecoded Guide:
[04:30] Running the right phishing simulation for your user base and gauging your results appropriately
[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails
[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning
[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises
[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?
Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.
“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”
If the users never fall prey to attacks, is there a reason to continue performing them?
Hearing Tim talk about his success, Allan was curious about how he approaches user bases that are already doing well. If nobody is falling for Tim’s phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling different exercises that home in on different phishing simulations exposes employees to a variety of learning opportunities and encourages them to see this as more than a yearly test they might as well “get over with.”
“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”
What ineffective methods are there in security awareness?
Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read or watch through videos and take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside of the box with interactive activities that are explained in advance shows the value of these exercises to your users instead of making them feel that you’re yet again wasting their time with another gift card scam.
“I find that there's the typical thing a lot of people do to hit compliance, which is having their users watch videos, and answer questionnaires. My feeling is that most people just try to get that done. Their goal is really to get it completed, so they can check the box and their company stops bothering them to complete it.”
You are given a magic wand and you are told you can wave it and change any one thing in cybersecurity you want to change. What do you change?
There’s so much in cybersecurity that Tim and Allan would love to change, especially when we look at cutting edge approaches to user awareness training. However, Tim makes one thing clear: if he could change anything, he would change our mindset. Instead of seeing security as just someone’s job, we should encourage our users to see themselves as an instrumental part of their company’s security. When everyone concerns themselves with following the right protocols and caring about security beyond simulations, companies will find themselves in a much stronger, less vulnerable place.
“I think ultimately, a lot of the weaknesses inside of our organization are our users. If I could just increase the level of carefulness, or the level of interest that everybody has in keeping their own companies secure, I think we would overall improve the posture of all companies.”
-------------
Links:
Learn more about Tim Silverline on LinkedIn and the Gluware website.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 22, 2022
The Founder-Angel Investor Connection with Sameer Sait & John Stewart
Allan invites a founder and an angel investor to the Ranch this week to talk about how founders and angel investors really connect. Meet Sameer Sait, former CISO at Amazon Whole Foods and now founder of BalkanID, and John Stewart, former CISO at Cisco and investor at Talons Ventures. Together, these gentlemen offer a lot of insight into both sides of the investment story, from evaluation to the decision to work together, and what a mutually beneficial founder and angel investor relationship looks like.
Timecoded Guide:
[01:23] Exploring John and Sameer’s backgrounds in cyber and how they developed their own unique founder-angel investor connection
[04:53] Understanding the triggering aspects that caused someone like John to become an angel investor in BalkanID and how BalkanID selected their investors
[08:20] Delving into the uniqueness of different founder-investor relationships and how John (vs other BalkanID investors) makes his impact on Sameer’s work as a founder
[13:30] Giving expert advice and explaining lessons learned in founding your first company and in investing in startups
[22:12] Exploring how other experiences in life, outside of cybersecurity and investing, have informed John and Sameer’s work with BalkanID and with solving cyber issues
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone.
What inspired you to become a founder of BalkanID, Sameer?
As the former CISO of Amazon Whole Foods and an investor at numerous cybersecurity companies, Sameer has a great resume to show off. However, his work with BalkanID offered him the opportunity to be a founder, something that Sameer had never done before. When asked what inspired him to be a first-time founder, he tells us that he continuously encountered the same problems over and over again, and wasn’t seeing anyone coming up with the right solution. Continuing to move forward with so much at stake with this issue of entitlements felt like a missed opportunity, and with the right investors and co-founders on his side, BalkanID was born.
“I knew that we could do better, right? And I knew the existing solutions were not scaling. And I think the last inspiration was really finding the right co-founders to go at this with. That was the biggest inspiration of all.” - Sameer Sait
John, what were the triggering factors that made you decide to invest in BalkanID?
Just like Sameer, John has some incredible experience to show off in the tech world and in the investment world. But why BalkanID? A simple answer would be the connection between these two men, who met numerous times throughout their careers and developed a strong working relationship. However, John sees so much potential in BalkanID and in Sameer beyond just their working friendship. John believes that you don’t invest in tech, you invest in people; the qualities he sees in Sameer as a founder and a leader in the tech world excite him, and he felt he could lend his expertise to BalkanID in a beneficial way.
“Sameer is very self-aware. These things matter. He knows what he knows, he knows what he doesn't know, he's comfortable bringing in people that complement his skills and make a stronger team around him. In the end, that's why I say you bet on people, not on tech.” - John Stewart
What advice do you have for potential investors looking to get involved in startups, John?
Being an investor isn’t always easy, and John has made some mistakes that taught him the hard way about how to be a good investor. With a hands-on approach and now tons of projects under his belt, John is asked to give some advice to future investors. A hugely important piece of advice from John is to know your founder, know their wants and needs, and to see ahead of what their future holds. You’re an investor, but it is their company, and you have to be aligned in order to produce a mutually beneficial relationship.
“As an investor, I follow out and look for all of those things. I look at how optionality is, how CEOs think, how many chances they have, what directions could they go. Are they strategically capable of looking beyond today's decision and thinking about what might happen in the future?” - John Stewart
Sameer, what advice would you give fellow founders?
Despite his experiences at other companies, BalkanID is Sameer’s first founding experience so far. His biggest lesson to date? Not getting caught up in the buzz and the hype. BalkanID’s approach to their audience and their product has been to focus on the customer and work backwards to find their problem and the ideal solution. This takes time, and it’s easy to fall into the trap of comparing your revenue, launches, products, and marketing tactics with those of other companies. This only hurts your brand in the long run, because you’ll no longer be focused on your customer’s problem.
“As an early stage, first-time entrepreneur, a part of me would get nervous. ‘Oh, my God, look what's happening out there. Oh, we're so slow.’ I think of taking a step back and saying, ‘Well, we are on our journey,’ right? We have supporters, we have backers, we have a real problem we're solving. The fact that other people want to solve the same problem is validation that it's a real problem.” - Sameer Sait
-------------
Links:
Stay in touch with Sameer Sait on LinkedIn and the BalkanID website.
Stay in touch with John Stewart on LinkedIn.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast