The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday Jul 20, 2022
Debunking Cyber Myths with Adrian Sanabria
Adrian Sanabria, Director of Product Management at Tenchi Security, arrives at the Ranch this week to debunk cyber myths and expose industry lies. Using his background running Security Weekly Labs at Cyber Risk Alliance, Adrian explains the lack of cohesive product testing happening in the cyber world, and delves into the research he’s done to get to the bottom of cyber’s most elusive statistics. Do 60% of small businesses go out of business after a breach? Adrian has an answer that just might surprise you.
Timecoded Guide:
[00:00] Introducing Adrian and his journey with Cyber Risk Alliance
[06:47] Buying awards and lying about customers
[13:24] Finding the source of fake cyber statistics
[24:28] The lies of vulnerability management and security awareness training
[30:58] Explaining Adrian’s It’s Time to Kill the Pen Test talk
[40:41] Creating a money-making concept for debunking cyber myths
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Can you tell me about your product testing lab with Cyber Risk Alliance?
We often hear the startup motto of “fake it ‘til you make it,” but Adrian wasn’t aware of how pervasive that concept was in cyber until he began his work with 451 Security. After encountering numerous professionals who expressed complaints and confusion about products on the market, Adrian wanted to break into the world of product testing, and the Security Weekly Labs were born. With a focus on external attack surface management and network vulnerability scanners, Adrian sought to find the truth behind the products vendors were selling him, and what he discovered strongly influenced his future.
“When we talk about myths and lies, it's not just straight up lies, right? At some point, they're faking it till they make it, and they get to a point where it's just too late to turn back. And then, it starts to get a little bit more insidious.”
Are vendors going far enough to fake customers and awards?
Not only are vendors “faking it” in a startup sense, some vendors have gone as far as lying about the awards they’ve received and the high-profile customers they’ve worked with. Adrian explains that buying awards, and lying about them, has become a common practice within the cyber world, where certain businesses have let the marketing value of winning an award override the legitimacy of their own success. While some companies may be naively drawn in by meaningless awards, more insidious industry liars have already mastered pulling out their credit card to buy whatever they want to win.
“You can actually even fill in the name of the category you want to win an award for, you can just make up your own category. You drop a credit card and they send you a trophy. Some of these fake awards even have award ceremonies.”
Where do these cybersecurity statistics come from, and how do we validate them?
60% of small businesses go out of business after a breach, but do they really? Adrian’s exposition of cyber lies leaves no stone unturned, even when it comes to mystery statistics. Where did these numbers come from, and why would millions of businesses be more impacted by security breaches than by fraud? After encountering statistics like this with shocking frequency, Adrian has taken to Twitter on numerous occasions to call out companies marketing with fake stats and to share his own research findings.
“There are people that have just hinged their reputations and their careers on some of these myths…And it's not that companies don't get hurt by breaches, but it benefits no one to make up stats, or to push this narrative.”
Is it time to kill the pen test?
There are a lot of things done in cyber that might not have a place in every organization. Pen testing is near the end of Adrian’s list, but he’s quick to point out that the pen test process needs to change. Unfortunately, the bulk of what an organization pays for when it runs a pen test is vulnerability scans and report paperwork. Explaining a concept he developed with his friend and co-founder Kyle at Savage Security, Adrian argues that the modern-day pen test needs to look more like purple teaming and focus on prioritizing what really needs to be fixed.
“A lot of companies have pen tests, because they don't know what else to do with their security budget. You could apply that more broadly. A lot of people have a security budget, and they buy what they see their peers buy and do what analysts tell them to do.”
-------------
Links:
Learn more about Adrian Sanabria on LinkedIn and Twitter
Check out Tenchi Security on LinkedIn and the Tenchi Security website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jul 13, 2022
Privacy Professionals & Regulatory Headaches with Adam Stone
Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy. Where do they intersect? What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?
Timecoded Guide:
[00:00] Comparing and contrasting security and privacy responsibilities
[08:30] Privacy, GRC, and building trust with stakeholders
[15:28] Coordinated and cooperative efforts of security and privacy teams
[20:57] Security awareness training vs the lack of awareness of privacy
[27:26] Drawing the line with privacy laws for security professionals
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Where do privacy and security intersect? Where don’t they intersect?
Privacy professionals need the security professionals within their organization to make privacy work and to implement the controls a privacy policy calls for. Although each group may want to draw a dividing line, a company needs a healthy dose of both privacy and security as distinct functions; they cannot simply be handled by one person tagged in for both. The main reason a single shared owner for privacy and security doesn’t work is the difference in priorities. While Adam points out that both seek to serve stakeholders, security professionals are protecting property with technology and privacy professionals are protecting individuals with processes.
“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”
What does an information security professional need to know about privacy?
Within the world of security, privacy regulations and laws are often seen as a headache. However, according to Adam, privacy is misunderstood by many security professionals, who lump privacy policies in with the technical controls they use throughout their work. Privacy is administrative and depends on how people behave within their workplace. Although technology may support privacy policies, the steps a company has to take to maintain privacy for its customers depend on individuals and on the company’s ability to enforce protective privacy procedures on those individuals.
“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”
If security awareness training is a norm, why isn't there privacy awareness training?
There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.
“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”
How do you keep up with the myriad of privacy laws that are constantly coming out and changing?
Adam has heard from security and privacy professionals alike about the anxiety of changing privacy laws, but his answer to the concern is to point out that no one can keep up with these changes alone. Whether relying on the International Association of Privacy Professionals (IAPP) or calling in the counsel of a legal team or privacy lawyer, there are numerous resources available for privacy and security professionals to learn about privacy laws, study them, and decide where to draw the lines and what decisions to make about privacy policies.
“There’s a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court. That is where we really need the expertise and the authority that a lawyer brings to the table.”
-------------
Links:
Learn more about Adam Stone on LinkedIn and the TrustMAPP website.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jul 06, 2022
The Overrated in Cybersecurity with Jerry Perullo
Jerry Perullo, former CISO of the NYSE, former chairman of the board of the FS-ISAC, founder, professor, and host of the Life After CISO podcast, comes down to the Cyber Ranch to discuss the many roles he’s had throughout his career and the many highly unique opinions he has on the cyber industry. Together, Jerry and Allan break down what’s overrated in cybersecurity, from patching to the dark web to vulnerability departments, and every detail and concept in between.
Timecoded Guide:
[01:53] Taking on a variety of roles in the cyber industry and breaking down which elements of cybersecurity are overrated
[08:48] Recognizing when encryption is needed and when it is overrated or overemphasized as something you need in cybersecurity
[15:43] Service-level agreement timelines, addressing critical risks, and engaging with the 80/20 rule
[24:17] Understanding when to separate data about different vulnerabilities and attacks, and when to report on them in the same conversation (i.e. board meetings)
[29:58] Other overrated elements of cybersecurity, such as IoCs, dark web, and, of course, what Jerry would change in cyber if he had a magic wand...
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Why is patching overrated?
While Jerry acknowledges the importance of patching in certain contexts, he also explains that its ability to solve security problems is often overemphasized. For a patch to exist at all, the vulnerability has to be known, understood, and fixed by the vendor. In Jerry’s experience, patching doesn’t solve many of the problems in cybersecurity and can instead create a false sense of security, especially where the weakness is an in-house coding error that no vendor patch will ever address. Even where patching looks like a long-term solution, you may only overcome that weakness for a moment and end up coming back to the same issue a few months later.
“When I say it's overrated is, first of all, patching is to address a known vulnerability in a piece of software, right? That means that the vulnerability has to already be out there, has to be profiled, has to be understood, and the manufacturer has to have actually created some kind of fix for it.”
What about encryption? Is that also overrated?
Encryption exists to keep information out of an adversary’s hands. However, too much focus on encryption blinds us to other issues and to other tools that can be used against us. Although certain weaknesses in or around encryption are exploited, Jerry points out that you rarely, if ever, hear about the threats we’re warned about when we’re sold on the concept of encryption. With so many other ways to be hacked and exploited, Jerry says our focus on encryption keeps us in the dark about the reality of online safety.
“In any event, we spend so much time worrying about encryption and encrypting things, and whether it's encryption at rest, or whether it's in transit, or anything else like that, that I think sometimes we blind ourselves, especially on internal tools.”
Are short SLAs (service level agreements) for addressing critical risk overrated?
In Jerry’s mind, the timeframe of your SLA doesn’t matter if you need a problem fixed immediately. Whether it’s a 48-hour turnaround, a 29-day window, or a 364-day window, critical threats need immediate fixes and your service team should understand that. If the response to a necessary and urgent request is for your team to ask what the SLA says, you have a much bigger problem than the time it will take. Instead, you have a toxic culture problem, something that cannot be fixed with simple tweaks to your SLA.
“I always would just preach that you don't want to ever undermine your credibility. You don't want to bring weak sauce. Gotta be able to reproduce everything, have a video, all of that, and if you don't, then yeah, you people are gonna abuse your SLAs and push it to the edge.”
What are your thoughts on departments with “vulnerability” in their name?
Although Jerry has had vulnerability departments and teams at previous companies he’s worked with, putting “vulnerability” in a department name rarely has an impact beyond specifying that they run the vulnerability scanners. Processing and reporting those results is a completely different beast from running the scanners. Rarely is a vulnerability department able to process and report these results without making the data ten times more complicated and time consuming for your board to understand. They’re tool-focused, it’s in their name, but that may not be what you really need when you’re assessing risk.
“I think it's really important that you just speak about them all collectively, in a tool agnostic fashion. So, I feel the vuln scanner results, the bug bounty results, the attack service management results, the employees raising their hand and volunteering info…they need to be portrayed in parallel in one communication.”
-------------
Links:
Learn more about Jerry Perullo on LinkedIn and listen to his podcast #lifeafterCISO
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 29, 2022
Better User Awareness Training with Tim Silverline
Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advanced warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.
Timecoded Guide:
[04:30] Running the right phishing simulation for your user base and gauging your results appropriately
[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails
[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning
[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises
[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?
Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.
“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”
If the users never fall prey to attacks, is there a reason to continue performing them?
Hearing Tim talk about his success, Allan was curious about how he approaches user bases that are already doing well. If no one is falling for Tim’s phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling different exercises that home in on different phishing scenarios exposes employees to a variety of learning opportunities and encourages them to see this as more than a yearly test they might as well “get over with.”
“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”
What ineffective methods are there in security awareness?
Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read through or watch videos and take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside the box with interactive activities that are explained in advance shows the value of these exercises to your users, instead of making them feel that you’re yet again wasting their time with another gift card scam.
“I find that there's the typical thing a lot of people do to hit compliance, which is having their users watch videos, and answer questionnaires. My feeling is that most people just try to get that done. Their goal is really to get it completed, so they can check the box and their company stops bothering them to complete it.”
You are given a magic wand and you are told you can wave it and change any one thing in cybersecurity you want to change. What do you change?
There’s so much in cybersecurity that Tim and Allan would love to change, especially when we look at cutting edge approaches to user awareness training. However, Tim makes one thing clear: if he could change anything, he would change our mindset. Instead of seeing security as just someone’s job, we should encourage our users to see themselves as an instrumental part of their company’s security. When everyone concerns themselves with following the right protocols and caring about security beyond simulations, companies will find themselves in a much stronger, less vulnerable place.
“I think ultimately, a lot of the weaknesses inside of our organization are our users. If I could just increase the level of carefulness, or the level of interest that everybody has in keeping their own companies secure, I think we would overall improve the posture of all companies.”
-------------
Links:
Learn more about Tim Silverline on LinkedIn and the Gluware website.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 22, 2022
The Founder-Angel Investor Connection with Sameer Sait & John Stewart
Allan invites a founder and an angel investor to the Ranch this week to talk about how founders and angel investors really connect. Meet Sameer Sait, former CISO at Amazon Whole Foods and now founder of BalkanID, and John Stewart, former CISO at Cisco and investor at Talons Ventures. Together, these gentlemen share a lot about both sides of the investment story, from evaluation to the decision to work together, and what a mutually beneficial founder and angel investor relationship looks like.
Timecoded Guide:
[01:23] Exploring John and Sameer’s backgrounds in cyber and how they developed their own unique founder-angel investor connection
[04:53] Understanding the triggering aspects that caused someone like John to become an angel investor in BalkanID and how BalkanID selected their investors
[08:20] Delving into the uniqueness of different founder-investor relationships and how John (vs other BalkanID investors) makes his impact on Sameer’s work as a founder
[13:30] Giving expert advice and explaining lessons learned in founding your first company and in investing in startups
[22:12] Exploring how other experiences in life, outside of cybersecurity and investing, have informed John and Sameer’s work with BalkanID and with solving cyber issues
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone.
What inspired you to become a founder of BalkanID, Sameer?
As the former CISO of Amazon Whole Foods and an investor in numerous cybersecurity companies, Sameer has a great resume to show off. However, his work with BalkanID offered him the opportunity to be a founder, something that Sameer had never done before. When asked what inspired him to be a first-time founder, he tells us that he continuously encountered the same problems over and over again, and wasn’t seeing anyone come up with the right solution. Letting the entitlements problem go unsolved, with so much at stake, felt like a missed opportunity, and with the right investors and co-founders on his side, BalkanID was born.
“I knew that we could do better, right? And I knew the existing solutions were not scaling. And I think the last inspiration was really finding the right co-founders to go at this with. That was the biggest inspiration of all.” - Sameer Sait
John, what were the triggering factors that made you decide to invest in BalkanID?
Just like Sameer, John has some incredible experience to show off in the tech world and in the investment world. But why BalkanID? A simple answer would be the connection between these two men, who met numerous times throughout their careers and developed a strong working relationship. However, John sees a lot of potential in BalkanID and in Sameer beyond just their work friendship. John believes that you don’t invest in tech, you invest in people; the qualities he sees in Sameer as a founder and a leader in the tech world excite him, and he felt he could lend his expertise to BalkanID in a beneficial way.
“Sameer is very self-aware. These things matter. He knows what he knows, he knows what he doesn't know, he's comfortable bringing in people that complement his skills and make a stronger team around him. In the end, that's why I say you bet on people, not on tech.” - John Stewart
What advice do you have for potential investors looking to get involved in startups, John?
Being an investor isn’t always easy, and John has made some mistakes that taught him the hard way how to be a good investor. With a hands-on approach and now tons of projects under his belt, John is asked to give some advice to future investors. A hugely important piece of advice from John is to know your founder, know their wants and needs, and see ahead to what their future holds. You’re an investor, but it is their company, and you have to be aligned in order to produce a mutually beneficial relationship.
“As an investor, I follow out and look for all of those things. I look at how optionality is, how CEOs think, how many chances they have, what directions could they go. Are they strategically capable of looking beyond today's decision and thinking about what might happen in the future?” - John Stewart
Sameer, what advice would you give fellow founders?
Despite his experiences at other companies, BalkanID is Sameer’s first founding experience so far. His biggest lesson to date? Not getting caught up in the buzz and the hype. BalkanID’s approach to its audience and its product has been to focus on the customer and work backwards to find their problem and the ideal solution. This takes time, and it’s easy to fall into the trap of comparing your revenue, launches, products, and marketing tactics to those of other companies. That only hurts your brand in the long run, because you’ll no longer be focused on your customer’s problem.
“As an early stage, first-time entrepreneur, a part of me would get nervous. ‘Oh, my God, look what's happening out there. Oh, we're so slow.’ I think of taking a step back and saying, ‘Well, we are on our journey,’ right? We have supporters, we have backers, we have a real problem we're solving. The fact that other people want to solve the same problem is validation that it's a real problem.” - Sameer Sait
-------------
Links:
Stay in touch with Sameer Sait on LinkedIn and the BalkanID website.
Stay in touch with John Stewart on LinkedIn.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 15, 2022
Open Door Security w/ James Allan-McLean
“When people come to Security and tell you everything they are doing, that’s a real win.” - James Allan-McLean
Allan is joined by James Allan-McLean, Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military, to talk about his ‘Open Door Security’ method and the benefits of a transparent, no-strings-attached approach to security. In this episode, Allan and James take a deep dive into this methodology and address questions such as:
-What is Open Door Security?
-What does a successful Open Door Security program look like?
-How to go about tackling security implications within your org
-The philosophy behind James’ ‘handrail’ metaphor
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
James is a highly effective and motivated information security leader with extensive experience in a range of sectors. He is a Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military.
Links:
Stay in touch with James Allan-McLean on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 08, 2022
DevSecOps w/ Chris Hughes
Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions, such as:
-What roles help achieve security in DevOps?
-What are the cultural barriers to implementing secure DevOps?
-What are some common mistakes as well as best tips?
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely.
Additional Resources:
-Google SLSA framework: https://slsa.dev/
-C-SCRM – NIST SP 800-161r1, Appendix F: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
-OpenSSF – OSS Mobilization Plan: https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8
-Sounil/Andy Debate on SBOMs: https://www.securityweek.com/video-civil-discourse-sboms
Links:
Stay in touch with Chris Hughes on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 01, 2022
Board Reporting Metrics Pt. 2 w/ Andy Ellis
Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:
-Vulnerability and threat hunting metrics
-Top 3 metrics to report to the board and why
-Breach reporting implications and much more!
Check out part 1 of Board Reporting Metrics here
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 25, 2022
Board Reporting Metrics Pt. 1 w/ Andy Ellis
In this episode, Allan is joined by the CISO at Orca Security, Andy Ellis, to share his thoughts on board reporting metrics. What does the board need to know from a cybersecurity perspective? One of the questions is often: “Are we secure?” Is that even the right question? How much should you talk about compliance? Do you speak of IT assets? What about speaking to specific controls? Listen to this episode to hear the common questions posed by the board and how to answer them with metrics. In some cases, it is teaching them to ask different questions. This episode is a master class in board communication in cybersecurity, and the conversation went into such depth that a Part 2 is already being planned.
Check out Andy’s previous episode here
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 18, 2022
Getting a Seat at “The Table” w/ Brent Deterding
“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding
In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the Learned Helplessness episode of The Cyber Ranch Podcast with Steve Mancini, and furthered the conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how lack of confidence has created a cycle of self sabotaging, and ways we can collectively improve our current standing.
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.
Additional Links:
Stay in touch with Brent Deterding on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 11, 2022
All About SBOMs w/ Chris Castaldo
“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo
In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts.
Listen to Chris Castaldo’s previous Cyber Ranch episode here and be sure to grab a copy of his book!
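The quote above makes a concrete claim: an inventory of what is in your software lets you answer "are we affected?" as soon as a new advisory lands. The script below is an added illustration of that lookup and is not code from the episode, from Chris Castaldo, or from any SBOM tool. It walks a constructed CycloneDX-style SBOM (including nested, transitive components), matches each component's package URL against a constructed advisory, and reports the components whose version falls inside the affected range together with the dependency path that pulled them in. The advisory shape (a single introduced/fixed pair) and the purely numeric version ordering are simplifications made for the example; real advisory feeds carry lists of range events and each ecosystem has its own version-comparison rules.

```python
"""Check a CycloneDX SBOM against a vulnerability advisory.

Added illustration; all SBOM and advisory data below is constructed for
the example and does not describe any real package or vulnerability.
"""
import json
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed CycloneDX-style JSON SBOM (a minimal subset of the schema).
# "yaml-tools" carries a nested (transitive) copy of "log-helper" 2.14.1.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log-helper", "version": "2.17.0",
         "purl": "pkg:maven/org.example/log-helper@2.17.0"},
        {"type": "library", "name": "yaml-tools", "version": "5.4.0",
         "purl": "pkg:pypi/yaml-tools@5.4.0",
         "components": [
             {"type": "library", "name": "log-helper", "version": "2.14.1",
              "purl": "pkg:maven/org.example/log-helper@2.14.1"},
         ]},
    ],
})

# Constructed advisory, simplified to one affected range [introduced, fixed).
# Real advisory formats (e.g. OSV) carry a list of range events instead.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",  # placeholder, not a real advisory identifier
    "package": "pkg:maven/org.example/log-helper",
    "introduced": "2.0.0",
    "fixed": "2.15.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ("2.14.1") into a comparable tuple.

    Assumption: plain numeric segments only. Real ecosystems need their own
    rules (PEP 440, Maven, semver pre-release tags) for correct ordering.
    """
    return tuple(int(part) for part in version.split("."))


def purl_base(purl: str) -> str:
    """Drop the "@version" (and anything after it) from a package URL."""
    return purl.split("@", 1)[0]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (no upper bound when fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def walk_components(components: Iterable[Dict], path: Tuple[str, ...] = ()
                    ) -> Iterator[Tuple[Dict, Tuple[str, ...]]]:
    """Yield every component with its dependency path, recursing into nested ones."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


def affected_components(sbom_json: str, advisory: Dict) -> List[Dict]:
    """Return the SBOM components whose purl and version fall in the advisory range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp, path in walk_components(sbom.get("components", [])):
        purl = comp.get("purl")
        version = comp.get("version")
        if not purl or not version:
            continue  # nothing to match on; a real tool would flag this gap
        if purl_base(purl) != advisory["package"]:
            continue
        if is_affected(version, advisory["introduced"], advisory.get("fixed")):
            hits.append({"purl": purl, "version": version, "path": list(path)})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORY):
        print(f"{SAMPLE_ADVISORY['id']}: {hit['purl']} via {' -> '.join(hit['path'])}")
```

Run as-is it reports only the transitive 2.14.1 copy (the top-level 2.17.0 is past the fix), which is the case that matters in practice: the vulnerable library is rarely something you depended on directly, and the dependency path tells you which component to upgrade or replace.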
Guest Bio:
Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.
Links:
Sponsored by our good friends at Axonius
Stay in touch with Chris Castaldo on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 04, 2022
Total Greenfield Innovation w/ Guillaume Ross
What would you do if you could build your security program from scratch?
In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the steps he took to make it all happen. Guillaume walks us through how he developed and maintained a serverless, container-based environment, his tips for securing PCs and Macs within a serverless environment, and how to establish department and business buy-in and overall cooperation. Lastly, he details steps to ensure resilience in an ‘everything as code’ security model.
Some of what he builds might seem obvious – other parts will genuinely surprise you!
Guest Bio:
Guillaume Ross is the Head of Security at Fleet Device Management. He likes securing organizations, clouds, products and more, by refusing to implement the same things that have been tried and failed thousands of times already.
Links:
Sponsored by our good friends at Axonius
Stay in touch with Guillaume Ross on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Apr 27, 2022
Securing Cryptocurrency and NFTs w/ Nick Percoco
What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and NFT spaces. Allan and Nick reflect on the events of the Mt. Gox bitcoin breach of 2013, address some of the most common misconceptions about crypto assets, and explore the biggest security challenges users and retail investors face when navigating the space. Lastly, Nick considers what cybersecurity lessons can be drawn from the security practices within the cryptocurrency ecosystem.
Guest Bio:
Nicholas Percoco has more than 25 years of security & technology experience, and is the Chief Security Officer at Kraken - a global digital asset exchange - where he is responsible for Security, IT, Technical Project Management, Operational Resiliency and Engineering.
Links:
Stay in touch with Nick Percoco on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 20, 2022
”Playing Well With Others” - The Tech Stack w/ Tommy Todd
Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecurity – from incident response to the tech stack. The two discuss how to evaluate security products during a Proof Of Concept (POC) for integration capabilities and tips on addressing ROI concerns.
Guest Bio:
Tommy Todd has over 20 years of cybersecurity experience, primarily focused on data privacy and data protection strategies. Prior to Code42, he served in security roles at Symantec, Ionic Security, and Optiv as well as many other firms. Throughout his career, he has acted as a leader, mentor, engineer, architect, and consultant to solve difficult data protection challenges.
Links:
Stay in touch with Tommy Todd on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 13, 2022
Thriving In A Male Dominated Industry w/ Ashley Rose
Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male dominated industry. She details the story behind her non-traditional route into cybersecurity and how she leverages her unique skills and vision to disrupt and transform the community. Ashley shares how she overcomes bias and business challenges in the field as well as the inspiration behind her creative marketing strategies. Lastly, the two highlight the lack of diversity and representation in the space and give advice to young entrepreneurs and females in, and breaking into, cybersecurity.
Guest Bio:
As the CEO of Living Security, Ashley has been the driving force behind the company’s rapid growth. Since its founding in 2017, Living Security has raised more than $20 million for growth and product development and accelerated revenue growth for three consecutive years. Ashley is also continually working to build a diverse and inclusive organization around the belief that the team should reflect the community at large.
Links:
Stay in touch with Ashley Rose on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 06, 2022
Why CISOs and CIOs Don’t Get Along w/ Nick Vigier
This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs and CIOs get along?
Nick draws on his experience in both positions to share his unique perspective on the CISO and CIO relationship. In this episode, Allan and Nick highlight the operating differences between the two positions and explore the opposing interests that exist around topics such as budgets and reporting structure. Lastly, Nick shares why engaging in empathetic conversations around metrics, business impact, and risk management is the ultimate key to a more harmonious relationship.
Guest Bio:
Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization.
Links
Stay in touch with Nick Vigier on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 30, 2022
Learned Helplessness in Cybersecurity w/ Steve Mancini
This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves.
Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links.
Guest Bio:
Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies.
Links:
Stay in touch with Steve Mancini on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 23, 2022
Leveraging Employee Strengths for Cyber Roles w/ Nick Vigier
There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability. Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark. In this episode, Allan is joined by his friend and owner of Rising Tide Security, Nick Vigier, to explore CliftonStrengths – a personality measurement that focuses less on ability and more on your predilections - what energizes you and what drains you - with a pretty good degree of scientific validity and reliability. Nick and Allan explore what makes CliftonStrengths different from the other personality assessments and how Nick leverages that information to better understand his team and colleagues, and to help folks find the right role in cybersecurity. The two sit down to dissect Allan’s own assessment results to identify his top 5 energizers, as well as his top energy drainers. And lastly, Nick shares why he favors the idea of personality development plans vs professional development plans in the workplace.
Guest Bio:
Nick Vigier is the Owner of Rising Tide Security and former CISO at ID.me, DigitalOcean, and former CIO at Gemini. Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization.
Links:
Stay in touch with Nick Vigier on LinkedIn and Twitter. Take the CliftonStrengths assessment here
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 16, 2022
A Full Data Approach w/ Paola Saibene
In the episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people focused and “humanizing” cybersecurity.
Guest Bio:
Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.
Links:
Stay in touch with Paola Saibene on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 09, 2022
The Great Resignation & Cybersecurity w/ Jessie Bolton
With a looming skills/people gap in cybersecurity and retention at an all-time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?
Links:
Follow Jessie Bolton on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 02, 2022
How Old is Data Risk Management? w/ G. Mark Hardy
In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quantification. G. Mark explores the stories and advice given by some of the greatest leaders in this space – whose advice still rings true today.
Key Takeaways:
01:52 G. Mark’s bio
06:43 FIPS-65 - the “granddaddy” of risk management
11:34 The ALE method, explained!
14:35 Oldies, but STILL goodies
18:12 A stroll down risk management memory lane
28:56 Revering “the greats”
37:22 What do you value and what’s your currency?
Links:
Stay in touch with G. Mark Hardy on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 23, 2022
CISOs as Caretakers w/ Randy Potts
In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof, and how to get back in touch with our “why” and mission.
Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit.
Key Takeaways:
01:43 Randy’s bio
03:08 Caring for “the people”
09:08 Stewards and custodians of data
14:10 Servant leadership
16:57 CISOs as caretakers
18:53 Doing the right thing
21:18 CISO code of conduct - or lack thereof
24:55 How do we fix this?
29:06 It’s nice to be nice
Links:
Stay in touch with Randy Potts on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 16, 2022
Cyber Mentoring w/ David Belanger
In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a personal brand and expanding your network is a must when finding work, and tips for newcomers looking to break into the field. Lastly, the two touch on the power of visualization and staying humble throughout your career journey.
Key Takeaways:
01:27 Bio & CISO life
02:57 Let’s define Mentor/Mentee
04:21 What makes cybersecurity mentorship unique?
07:10 Developing a long & short-term strategy
13:16 Mentors are essential
18:05 Formal vs. organic mentorships
22:10 Get out of your comfort zone
25:55 Advice for newcomers
30:15 Visualizing your success
32:00 Staying humble
Links:
Stay in touch with David Belanger on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 09, 2022
Rationalizing the Tech Stack w/ Mark Butler
In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and consolidate your tools, both in the stack and cloud environment, to coaching your application specialists on embracing change.
Key Takeaways:
01:10 Bio
02:36 What is tech stack rationalization?
03:46 Where to get started
06:20 Evaluation - a 3 prong approach
08:08 The security architecture alignment
10:51 What about contractual obligations?
13:18 The “best of breed” strategy
17:37 Rationalizing the cloud
21:00 Data analysis - tooling, extraction, metrics
25:24 The 3rd party tool conundrum
27:50 The future of cloud rationalization
29:40 How to resolve tech overlap?
32:19 Embracing change
34:37 Mark’s advice on emotional intelligence
Stay in touch with Mark Butler on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 02, 2022
Penetration Testing Programs LIVE w/ Phillip Wylie
In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S. Bank Senior Cloud Penetration Tester, co-author of The Pen Tester Blueprint, podcast host, and college instructor, Phillip Wylie. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, explores the art of pentesting, and the best starter certifications for pentesters. Lastly, Phillip shares the best advice he’s ever received and discusses the dangers of burnout.
Key takeaways:
01:27 Phillip's origin story - wrestling men and bears
03:04 The Pwn School Project
04:47 The Hacker Factory Podcast
06:55 Always a way to cyber
10:18 An opportunity to write
14:08 The Art of Pentesting
17:19 Getting square on terminology
24:42 The limitless child
27:25 The skinny on certs
30:23 Mentors
35:06 Back in the pentesting lab
37:14 When does threat modeling factor?
43:50 Coloring in purple
Follow Phillip Wylie on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius