The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday Jun 15, 2022
Open Door Security w/ James Allan-McLean
“When people come to Security and tell you everything they are doing, that’s a real win.” - James Allan-McLean
Allan is joined by James Allan-McLean, Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military, to talk about his ‘Open Door Security’ method and the benefits of a transparent, no-strings-attached approach to security. In this episode, Allan and James take a deep dive into this methodology and address questions such as:
-What is Open Door Security?
-What does a successful Open Door Security program look like?
-How to go about tackling security implications within your org
-The philosophy behind James’ ‘handrail’ metaphor
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
James is a highly effective and motivated information security leader with extensive experience in a range of sectors. He is a Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military.
Links:
Stay in touch with James Allan-McLean on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 08, 2022
DevSecOps w/ Chris Hughes
Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions such as:
-What roles help achieve security in DevOps?
-What are the cultural barriers to implementing secure DevOps?
-What are some common mistakes as well as best tips?
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely.
Additional Resources:
Google SLSA framework: https://slsa.dev/
C-SCRM – NIST SP 800-161r1, Appendix F: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
OpenSSF – OSS Mobilization Plan: https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8
Sounil/Andy Debate: https://www.securityweek.com/video-civil-discourse-sboms
Links:
Stay in touch with Chris Hughes on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Jun 01, 2022
Board Reporting Metrics Pt. 2 w/ Andy Ellis
Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:
-Vulnerability and threat hunting metrics
-Top 3 metrics to report to the board and why
-Breach reporting implications and much more!
Check out part 1 of Board Reporting Metrics here
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 25, 2022
Board Reporting Metrics Pt. 1 w/ Andy Ellis
In this episode, Allan is joined by the CISO at Orca Security, Andy Ellis, to share his thoughts on board reporting metrics. What does the board need to know from a cybersecurity perspective? One of the questions is often: “Are we secure?” Is that even the right question? How much should you talk about compliance? Do you speak of IT assets? What about speaking to specific controls? Listen to this episode to hear the common questions posed by the board and how to answer them with metrics. In some cases, it is teaching them to ask different questions. This episode is a master class in board communication in cybersecurity, and the conversation went into such depth that a Part 2 is already being planned.
Check out Andy’s previous episode here
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 18, 2022
Getting a Seat at “The Table” w/ Brent Deterding
“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding
In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the Learned Helplessness episode of The Cyber Ranch Podcast with Steve Mancini, and furthers that conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how a lack of confidence has created a cycle of self-sabotage, and ways we can collectively improve our current standing.
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.
Additional Links:
Stay in touch with Brent Deterding on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 11, 2022
All About SBOMs w/ Chris Castaldo
“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo
In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts.
Listen to Chris Castaldo’s previous Cyber Ranch episode here and be sure to grab a copy of his book!
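The practical use of an SBOM that Chris describes, knowing quickly whether you are affected when a new vulnerability lands, comes down to matching the components in your inventory against an advisory's package and affected version range. The following is an added example, not code from the podcast or from Chris Castaldo: it parses a CycloneDX-style JSON SBOM (constructed inline with hypothetical components) and returns the components whose Package URL (purl) matches an advisory and whose version falls in the advisory's OSV-style range (`introduced` <= version < `fixed`). The advisory dictionary and its version range are constructed for illustration, and the version comparison is a simplified numeric split rather than a full semver implementation.

```python
"""Match a CycloneDX JSON SBOM against a vulnerability advisory's affected range.

Added example; the SBOM and advisory below are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM in CycloneDX 1.4 JSON shape (hypothetical inventory).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "internal-widget", "version": "1.0.0"},  # no purl
    ],
})

# Constructed advisory in the shape of an OSV affected range (hypothetical values).
ADVISORY_LOG4J = {
    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0",
    "fixed": "2.15.0",
}


def _version_key(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Pre-release tags are reduced to their digits,
    a simplification; use a real semver/purl library in production."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator, padding with zeros so
    that '2.15' and '2.15.0' compare equal."""
    ka, kb = _version_key(a), _version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Return (base, version) for a purl, dropping qualifiers (?...) and
    subpath (#...) so 'pkg:npm/lodash@4.17.21?arch=x86#src' -> ('pkg:npm/lodash', '4.17.21')."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None


def affected_components(sbom_json: str, advisory: Dict[str, str]) -> List[dict]:
    """Return SBOM components matching the advisory's purl whose version is in
    [introduced, fixed). Components without a purl are skipped because a bare
    name cannot be matched reliably across ecosystems."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        if version is None:
            version = comp.get("version")
        if base != advisory["purl"] or version is None:
            continue
        in_range = (compare_versions(version, advisory["introduced"]) >= 0
                    and compare_versions(version, advisory["fixed"]) < 0)
        if in_range:
            hits.append(comp)
    return hits


if __name__ == "__main__":
    for comp in affected_components(SAMPLE_SBOM_JSON, ADVISORY_LOG4J):
        print("AFFECTED:", comp["purl"])
```

The component without a purl is deliberately skipped rather than fuzzily matched on name: an SBOM is only as useful as its identifiers, so a missing purl is itself a finding to raise with whoever produced the SBOM.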
Guest Bio:
Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.
Links:
Sponsored by our good friends at Axonius
Stay in touch with Chris Castaldo on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday May 04, 2022
Total Greenfield Innovation w/ Guillaume Ross
What would you do if you could build your security program from scratch?
In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the steps he took to make it all happen. Guillaume walks us through how he developed and maintained a serverless, container-based environment, his tips for securing PCs and Macs within a serverless environment, and how to establish department and business buy-in and overall cooperation. Lastly, he details steps to ensure resilience in an ‘everything as code’ security model.
Some of what he builds might seem obvious – other parts will genuinely surprise you!
Guest Bio:
Guillaume Ross is the Head of Security at Fleet Device Management. He likes securing organizations, clouds, products and more, by refusing to implement the same things that have been tried and failed thousands of times already.
Links:
Sponsored by our good friends at Axonius
Stay in touch with Guillaume Ross on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
Wednesday Apr 27, 2022
Securing Cryptocurrency and NFTs w/ Nick Percoco
What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and NFT spaces. Allan and Nick reflect on the events of the Mt. Gox bitcoin breach of 2013, address some of the most common misconceptions about crypto assets, and explore the biggest security challenges users and retail investors face when navigating the space. Lastly, Nick considers what cybersecurity lessons can be drawn from the security practices within the cryptocurrency ecosystem.
Guest Bio:
Nicholas Percoco has more than 25 years of security & technology experience, and is the Chief Security Officer at Kraken - a global digital asset exchange - where he is responsible for Security, IT, Technical Project Management, Operational Resiliency and Engineering.
Links:
Stay in touch with Nick Percoco on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 20, 2022
“Playing Well With Others” - The Tech Stack w/ Tommy Todd
Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecurity – from incident response to the tech stack. The two discuss how to evaluate security products during a Proof Of Concept (POC) for integration capabilities and tips on addressing ROI concerns.
Guest Bio:
Tommy Todd has over 20 years of cybersecurity experience, primarily focused on data privacy and data protection strategies. Prior to Code42, he served in security roles at Symantec, Ionic Security, and Optiv as well as many other firms. Throughout his career, he has acted as a leader, mentor, engineer, architect, and consultant to solve difficult data protection challenges.
Links:
Stay in touch with Tommy Todd on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 13, 2022
Thriving In A Male Dominated Industry w/ Ashley Rose
Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male-dominated industry. She details the story behind her non-traditional route into cybersecurity and how she leverages her unique skills and vision to disrupt and transform the community. Ashley shares how she overcomes bias and business challenges in the field as well as the inspiration behind her creative marketing strategies. Lastly, the two highlight the lack of diversity and representation in the space and give advice to young entrepreneurs and to women who are in, or breaking into, cybersecurity.
Guest Bio:
As the CEO of Living Security, Ashley has been the driving force behind the company’s rapid growth. Since its founding in 2017, Living Security has raised more than $20 million for growth and product development and accelerated revenue growth for three consecutive years. Ashley is also continually working to build a diverse and inclusive organization around the belief that the team should reflect the community at large.
Links:
Stay in touch with Ashley Rose on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 06, 2022
Why CISOs and CIOs Don’t Get Along w/ Nick Vigier
This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs and CIOs get along?
Nick draws on his experience in both positions to share his unique perspective on the CISO and CIO relationship. In this episode, Allan and Nick highlight the operating differences between the two positions and explore the opposing interests that exist around topics such as budgets and reporting structure. Lastly, Nick shares why engaging in empathetic conversations around metrics, business impact, and risk management is the ultimate key to a more harmonious relationship.
Guest Bio:
Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization.
Links
Stay in touch with Nick Vigier on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 30, 2022
Learned Helplessness in Cybersecurity w/ Steve Mancini
This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves.
Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links.
Guest Bio:
Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies.
Links:
Stay in touch with Steve Mancini on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 23, 2022
Leveraging Employee Strengths for Cyber Roles w/ Nick Vigier
There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability. Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark. In this episode, Allan is joined by his friend and owner of Rising Tide Security, Nick Vigier, to explore CliftonStrengths – a personality measurement that focuses less on ability and more on your predilections - what energizes you and what drains you - and with a pretty good degree of scientific validity and reliability. Nick and Allan explore what makes CliftonStrengths different from the other personality assessments and how Nick leverages that information to better understand his team and colleagues, and to help folks find the right role in cybersecurity. The two sit down to dissect Allan’s own assessment results to identify his top 5 energizers, as well as his top energy drainers. And lastly, Nick shares why he favors the idea of personality development plans vs professional development plans in the workplace.
Guest Bio:
Nick Vigier is the Owner of Rising Tide Security and former CISO at ID.me, DigitalOcean, and former CIO at Gemini. Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization.
Links:
Stay in touch with Nick Vigier on LinkedIn and Twitter. Take the CliftonStrengths assessment here
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 16, 2022
A Full Data Approach w/ Paola Saibene
In this episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people focused and “humanizing” cybersecurity.
Guest Bio:
Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.
Links:
Stay in touch with Paola Saibene on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 09, 2022
The Great Resignation & Cybersecurity w/ Jessie Bolton
With a looming skills/people gap in cybersecurity and retention at an all time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?
Links:
Follow Jessie Bolton on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 02, 2022
How Old is Data Risk Management? w/ G. Mark Hardy
In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quantification. G. Mark explores the stories and advice given by some of the greatest leaders in this space – advice that still rings true today.
Key Takeaways:
01:52 G. Mark’s bio
06:43 FIPS 65 - the “granddaddy” of risk management
11:34 The ALE method, explained!
14:35 Oldies, but STILL goodies
18:12 A stroll down risk management memory lane
28:56 Revering “the greats”
37:22 What do you value and what’s your currency?
Links:
Stay in touch with G. Mark Hardy on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 23, 2022
CISOs as Caretakers w/ Randy Potts
In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs (or lack thereof), and how to get back in touch with our “why” and mission.
Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit.
Key Takeaways:
01:43 Randy’s bio
03:08 Caring for “the people”
09:08 Stewards and custodians of data
14:10 Servant leadership
16:57 CISOs as caretakers
18:53 Doing the right thing
21:18 CISO code of conduct - or lack thereof
24:55 How do we fix this?
29:06 It’s nice to be nice
Links:
Stay in touch with Randy Potts on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 16, 2022
Cyber Mentoring w/ David Belanger
In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a personal brand and expanding your network is a must when finding work, and tips for newcomers looking to break into the field. Lastly, the two touch on the power of visualization and staying humble throughout your career journey.
Key Takeaways:
01:27 Bio & CISO life
02:57 Let’s define Mentor/Mentee
04:21 What makes cybersecurity mentorship unique?
07:10 Developing a long & short-term strategy
13:16 Mentors are essential
18:05 Formal vs. organic mentorships
22:10 Get out of your comfort zone
25:55 Advice for newcomers
30:15 Visualizing your success
32:00 Staying humble
Links:
Stay in touch with David Belanger on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 09, 2022
Rationalizing the Tech Stack w/ Mark Butler
In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and consolidate your tools, both in the stack and cloud environment, to coaching your application specialists on embracing change.
Key Takeaways:
01:10 Bio
02:36 What is tech stack rationalization?
03:46 Where to get started
06:20 Evaluation - a 3 prong approach
08:08 The security architecture alignment
10:51 What about contractual obligations?
13:18 The “best of breed” strategy
17:37 Rationalizing the cloud
21:00 Data analysis - tooling, extraction, metrics
25:24 The 3rd party tool conundrum
27:50 The future of cloud rationalization
29:40 How to resolve tech overlap?
32:19 Embracing change
34:37 Mark’s advice on emotional intelligence
Stay in touch with Mark Butler on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Feb 02, 2022
Penetration Testing Programs LIVE w/ Phillip Wylie
In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S. Bank Senior Cloud Penetration Tester, co-author of The Pentester Blueprint, podcast host, and college instructor, Phillip Wylie. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, explores the art of pentesting, and covers the best starter certifications for pentesters. Lastly, Phillip shares the best advice he’s ever received and discusses the dangers of burnout.
Key Takeaways:
01:27 Phillip's origin story - wrestling men and bears
03:04 The Pwn School Project
04:47 The Hacker Factory Podcast
06:55 Always a way to cyber
10:18 An opportunity to write
14:08 The Art of Pentesting
17:19 Getting square on terminology
24:42 The limitless child
27:25 The skinny on certs
30:23 Mentors
35:06 Back in the pentesting lab
37:14 When does threat modeling factor?
43:50 Coloring in purple
Follow Phillip Wylie on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Tuesday Jan 25, 2022
What We’re Doing Wrong in the SOC w/ Yaron Levi
Allan is joined by Yaron Levi, CISO at Dolby, to talk about the SOC and why we are going about it all wrong. Allan and Yaron identify and examine the three main areas of concern: the data, the analyst, the analysis – and how to improve upon them. Lastly, Yaron shares his thoughts on what steps and approaches need to be taken in order to successfully accomplish the SOC’s goal.
Key Takeaways:
01:35 Bio
02:36 What are we doing wrong in the SOC?
06:54 Hypothesizing
11:22 How much gets left out when we make a hypothesis?
13:42 Anti-fragility & business outcomes
16:30 Business objective + threat model example
21:09 Lead with the why/ downstream applications
27:06 What outside influence has helped you inside cyber?
Learn more about Yaron on Twitter and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Jan 19, 2022
Cybersecurity Centers of Excellence w/ Rafal Los
Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years working inside companies from the Fortune 10 to a firm of fewer than 10. Additionally, Rafal is the founder and host of the Down the Security Rabbithole Podcast - an industry podcast delivering a weekly take on cybersecurity since 2011. Join Allan and Rafal as they discuss cybersecurity centers of excellence, metrics, marketing and acceptance in this conversation between two friends.
Key Takeaways:
01:56 Bio
04:27 Goals for Cybersecurity Center of Excellence (CoE)
06:44 How do you birth a Cybersecurity CoE?
09:45 Selling your service
15:18 Cost - who pays in the end and how?
17:10 Getting management on board
24:22 It’s not all about cost – but it is.
26:37 Metrics
31:05 Quality metrics
34:33 Your mess for less
38:02 What is something outside cyber that helps on the inside?
Links:
Follow Allan on LinkedIn and Twitter
Follow Rafal Los on LinkedIn and Twitter
Check out his podcast
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Jan 12, 2022
Investing in Cybersecurity Startups w/ Kathy Wang
Join Allan as he discusses investing in cybersecurity startups with the perfect guest for the subject: Kathy Wang, CISO at Very Good Security, investor at Silicon Valley CISO Investments, investor at Firebolt Ventures, and former founder as well!
Allan and Kathy talk about investment goals, the process from start to finish, how to get started, the buy-in costs, returns, what to expect, partnering, etc.
Join them as they dive into this fascinating topic:
DISCLAIMER: NOBODY ON THIS SHOW IS A FINANCIAL ADVISOR OR PLANNER, AND NOTHING SAID ON THIS SHOW CONSTITUTES FINANCIAL ADVICE. OPINIONS EXPRESSED ON THIS SHOW ARE JUST THAT – OPINIONS – AND YOU SHOULD NOT USE THEM TO CONDUCT YOUR FINANCIAL AFFAIRS. CONSULT A LICENSED EXPERT INSTEAD OF US!
Key Takeaways:
02:14 Bio
02:54 Getting into cyber security investing
05:28 Spotting good investments
09:13 What’s the process?
15:15 Ranging investments | partnerships
22:35 29 no's and 1 yes – is that reality?
26:20 Seeking investment? Start here.
29:31 Be willing to work with other people
30:57 What is something from outside of infosec that helped you in infosec?
Links:
Follow Kathy Wang on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Jan 05, 2022
50th Episode Special w/ Many Guests
In this special episode, Allan invites a few familiar voices back to the show, conducts a countdown of his Top 5 most popular shows, and reviews some of the most common guest responses. Lastly, Allan issues some important thank you's and shares a few comments and feedback from the listeners.
Highlights:
Top 3 guest answers to "What keeps you going in cybersecurity?"
Top 3 guest answers to "What surprises you the most in cybersecurity?"
Top 5 shows by download
Visits from:
Tim Rohrbaugh, CISO - Jet Blue
Chris Cochran & Ron Eddings - Hacker Valley Media
Drew Brown, who has held many security leadership roles and who is an avid user of the FAIR methodology of risk measurement
Richard Seiersen, former CISO, famed champion of measuring risk, and author of "The Metrics Manifesto: Confronting Security with Data"
Accidental CISO of Twitter fame
THANK YOU to all of our listeners, Hacker Valley Media, our fantastic guests, and to everyone who helped get us to 50 shows!!!
Links:
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Dec 22, 2021
Minimum Viable Security w/ Chris Roberts & Cecil Pineda: EXPLICIT CONTENT
Allan hosts a live podcast at the August 2021 CISO XC event in the Dallas-Fort Worth area. He is joined by Chris Roberts, chief geek at Hillbilly Hit Squad, and Cecil Pineda, then head of the vCISO and GRC programs at Critical Start. The topics are Minimum Viable Security, tactical frameworks, the challenges with large frameworks, and the challenges of competing frameworks.
This show was recorded after happy hour and the audience and participants both imbibed. It's a rowdy show and features some explicit content.
Key Takeaways:
0:00 Allan’s holiday greeting
0:39 Allan introduces the live show, guests and issues a disclaimer about naughty language
2:02 Chris Roberts on Minimum Viable Security
2:42 Cecil on his love/hate relationship with compliance and the need for weighting controls
4:25 Allan proposes “tactical frameworks”
5:38 Chris challenges the crowd on their asset management successes
7:43 Allan introduces “See it, manage it, secure it.” (Which he flagrantly stole from Steve Williams @ NTT DATA Services)
8:53 Cecil says: data discovery comes before DLP
10:17 Chris challenges Allan’s idea that MFA should “just happen” in order to capture at least 90% of ransomware threats
12:07 Cecil proposes a compromise – 30% of controls meet a higher CMMI requirement than the 70%
13:48 Chris says even the 30% are not even being met in most environments
14:56 Allan’s full proposal on a tactical framework (that includes Chris’ emphasis on asset management)
16:07 Chris states that we have to agree on the subset frameworks in order to achieve success. Diverse frameworks actually harm the industry.
17:56 Chris challenges the crowd to hire interns and those new to the industry
20:02 Allan misattributes the total control count in NIST CSF. We mentioned whiskey, right?
21:35 Barring regulated environments, Allan doubles down on his tactical framework idea
22:13 Chris says we must challenge the authors of all these frameworks
22:50 Allan points out that frameworks are implicitly behind the fast pace of the industry after going through committee
23:53 Chris criticizes the notion that compliance = security
24:57 Insurance carriers insist now upon framework compliance and are getting smarter
26:53 Chris says full compliance with a framework even still is useful only as a point in time exercise
28:22 We have to simplify compliance
28:59 Allan proposes SBOM, CMMC-like maturity awareness, and the shared responsibility model as the solution to the compliance problem
30:57 Chris says that will take ten years to sort out
31:49 Chris says “take the money out of compliance”
35:37 Cecil talks about self-attestation and standards that are needed on auditing processes
36:41 Allan says frameworks exist in the first place with the goal of getting secure
37:14 Chris disagrees and states (using naughty metaphors) that frameworks compete out of hubris
38:26 An audience member suggests “trust but verify” as the reason frameworks exist in the first place
41:24 Cecil deconstructs the practicality of shared responsibility, extending it into the business
43:28 Chris proposes working with insurance companies to create a consolidated or tactical framework
Links:
Chris Roberts - LinkedIn
Cecil Pineda - LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ