The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday Dec 15, 2021
Organizational Resilience w/ Marnie Wilking
In this episode, Allan is joined by Marnie Wilking, CISO at Wayfair. Marnie has directed Information Security and multi-discipline Risk Management Programs for more than 15 years -- providing a unique set of skills and experience to manage operational risks and improve risk management among diverse businesses. Join Allan and Marnie as they define organizational resilience, discuss its goals and enablers, and analyze the COVID pandemic through its lens.
Key Takeaways:
01:26 Bio
03:42 Organizational resilience
06:40 COVID benefits; business enabling?
09:47 Building hybrid work environments
11:11 Virtual offices and home fatigue
17:14 Bullets dodged in organizational resilience
20:51 Tabletop exercises
27:16 Office conflicts and mailing troubles
30:38 Communication in resilience
32:29 What surprises Marnie in cyber security?
Links:
Learn more about Marnie on LinkedIn and Crunchbase
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Dec 08, 2021
The vCISO Life w/ Dan Doggendorf
Welcome to another live show of the Cyber Ranch! Allan is joined by Dan Doggendorf, a creative cybersecurity leader with a passion for simplicity, efficiency, accountability, common sense, and honesty. The duo discusses the ins and outs of being a vCISO, how one walks the path, and what the industry can do to make this role better. This show was recorded at the Cybersecurity Conference 9 (CSC 9) conducted by the North Texas Chapter of ISSA. All proceeds from the event went directly to scholarships for the Collin College cybersecurity program.
Key Takeaways:
01:47 - Bio
02:33 - vCISO life
04:18 - The path to an independent contractor
07:46 - Should you specialize?
10:46 - Strategizing experience in cyber security
14:26 - Challenges of being a CISO & vCISO
19:04 - Staying connected as a vCISO
23:17 - Victories as a vCISO
27:06 - The bad times and mistakes made as a vCISO
29:52 - What should change for vCISOs?
30:51 - Advice for future vCISOs
34:09 - What surprises Dan in cyber security?
Links:
Learn more about Dan on Zintro and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Dec 01, 2021
GRC: “Now What?” w/ Security & Compliance Weekly
This week, Allan is joined by Frederick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host. A few weeks ago Allan appeared on their show to discuss “GRC: ‘What?’ and ‘So What?’”. In that episode, found here, they take a deep dive into GRC in terms of understanding its purpose and value.
In this crossover episode, the group continues the conversation to talk about “GRC: ‘Now what?’” (the cultural impact and implementation, the risk register, achieving actionable results, and much more).
Join Allan and the Security & Compliance Weekly team as they dive into overcoming cultural barriers, a continued conversation on the order of priority (“RGC” vs. “GRC”, for example), and enlisting allies in the business.
Key Takeaways:
2:20 Implementing GRC culturally – Flee's take
4:13 Jeff’s take
6:16 Kat’s take
10:43 The CISO – Turning compliance data into actionable results – Jeff’s take as an assessor
13:56 Kat’s take as an assessor
15:41 Flee’s take as a CISO
21:13 Understanding perspectives from all parties
28:10 Sharing problems upstream/Audits vs. Assessments
34:48 Flee’s take on “governance vs. doctrine”
37:43 Risk register – training for self sufficiency
42:40 Get in touch!
Links:
Check out Security and Compliance Weekly!
Follow Flee on LinkedIn and Twitter
Follow Jeff Man on LinkedIn and Twitter
Follow Kat Valentine on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Nov 24, 2021
The CMO’s Perspective w/ Nathan Burke and Julie O’Brien
CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O’Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonius, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what good marketing and bad marketing look like, and how marketing affects all of our careers more than we know. Hear different perspectives on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.
Key Takeaways:
02:00 Julie Bio
03:13 Nathan Bio
04:00 Standing out as a marketer
10:15 Emphasizing what you don’t do as a company, rather than what you do
15:56 A message to CISOs - Julie
23:00 Nathan’s message to CISOs
25:55 Allan touches on why innovation occurs on the vendor side
27:45 Buzzwords
33:50 What surprises Nathan and Julie in cyber security?
Links:
Learn more about Nathan on LinkedIn and Twitter
Check out Julie on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Nov 17, 2021
Practical Working (And Hiring!) from Home w/ Brian Castagna
Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home. Join Allan and Brian as they touch on transitioning from an office environment, both mentally and physically, hiring remotely, work/life balance and much more.
Key Takeaways:
01:33 Bio
02:22 Remote work
03:00 Hiring a remote workforce
10:50 What’s the human side of working from home?
17:38 Transitioning from work to home
19:54 Mental transitioning
21:00 Collaboration & strategy
24:30 Layering the human back in
27:19 What surprises you in cyber?
Learn more about Brian on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Nov 10, 2021
Threat-Informed Defense, CISA, CVEs and ATT&CK w/ MITRE Engenuity
This week, Allan is joined by some serious heavy hitters in cyber: Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy at AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&CK, and the implications for all of us. Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally: from a threat-informed defense, or to start with a framework and work back into vulnerabilities. The implications for our industry are huge.
They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.
Key Takeaways:
01:58 Backgrounds
04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities
07:45 Helping organizations prioritize vulnerabilities
11:31 Starting with either framework or threats: Which is better?
14:18 Seeing through the politics - What is actually happening behind the scenes?
19:07 Developing the mapping
23:54 Since the invention of CVE
26:14 CMMC v 2.0
29:37 How do we change the game?
31:09 Getting a large organization to agree with vulnerability prioritization
Links:
Follow Richard Struse on LinkedIn
Keep up with Jon Baker on LinkedIn
Follow Jonathan Reiber on LinkedIn & his website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Nov 03, 2021
A Day in the Life of Two CISOs w/ Mustapha Kebbeh
Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series… Namely, “What is a day in the life of a CISO?” Mustapha and Allan get into details of what they do and don’t do, what their teams do and don’t do, what bits are boring, what bits are surprising, and what bits are the most fun. Join them as they talk about real situations and practical solutions while describing the very best and worst parts of the job.
Key Takeaways:
01:41 Bio
03:00 A day in the life of a CISO - examples from the last 3 weeks
07:30 Being a CISO in a company that knows its risk appetite
11:49 Product Security
13:53 The most surprising part about being a CISO
15:33 The most boring part
22:30 The most fun part
26:08 What do you wish you could do as a CISO?
29:42 Mustapha shares what surprises him the most in cyber security
Links:
Learn more about Mustapha on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Oct 27, 2021
Practical Trust-Centric Security w/ Omar Khawaja
Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is the more suitable option to have a fundamentally better security program and team. Hear why Omar and Allan believe that investing in people will pay far more dividends than the latest tech tool. And more importantly, gain some very practical and concrete tips for managing and measuring your security program.
Key Takeaways:
01:19 Bio
03:26 What is wrong with tech-centric security?
06:00 Using tech tools as nothing more, and using them appropriately
12:22 Trust, then risk, then control
14:30 Customer first, always
19:02 Helping foster a trust-centric culture
28:40 Culture = mindset = best measurable quality
29:33 What surprises Omar in cyber security?
32:50 The “change agent network”
Links:
Learn more about Omar on Twitter and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Oct 20, 2021
CISO in the Supply Chain w/ Emilio Escobar
Allan is joined this week by Emilio Escobar, CISO at Datadog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.
Like many of us, Emilio started his journey in infosec as a hacker kid, exploring the world through modems and BBSs. Emilio is not a security vendor CISO, but is a CISO for a company that is in the supply chain for many other companies. He has to balance internal and external duties as a result.
Come listen as Allan and Emilio discuss the B2B CISO life, the skills required, business alignment, facing customers, and how all of these skills just might define "the modern CISO".
And, yes, they even tackle the age-old question, "How technical should a CISO be?"
Key Takeaways:
01:27 Bio
03:10 Security questionnaires and interactions
05:49 Is there a fix to solving vendor risk?
07:17 Utilizing machines for questionnaires
09:33 Leveraging skills
12:50 How technical should a CISO be?
18:01 Understanding other roles in the business
23:48 Balancing internal and external customers
28:17 What surprises you the most in cybersecurity?
Links:
Learn more about Emilio on LinkedIn, and Twitter, and learn about Ettercap
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Thursday Oct 14, 2021
Is Resilience Even the Goal? Antifragility w/ Sounil Yu
Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.
Sounil and Allan discuss cyber resilience and contrast it with "antifragility", a notion introduced by Nassim Nicholas Taleb. Sounil argues that in cybersecurity, antifragility should be the goal, and not resilience.
Antifragility allows for stronger data protection, as it does not just survive stresses and attacks, but actually encourages them. Sounil explains how antifragility also neatly dovetails with his DIE (Distributed, Immutable, Ephemeral) Triad of data protection, which he contrasts with the CIA (Confidentiality, Integrity, Availability) Triad in the context of the "pets vs. cattle" model.
Join Allan as he learns a great deal in a short amount of time from Sounil...
Key Takeaways:
01:23 Bio
02:20 Cyber Defense Matrix
03:10 Is cyber resilience the wrong idea?
04:17 Backups do not equal resilience
05:58 What is antifragility?
09:31 The DIE Triad
14:32 Pets vs. Cattle
18:12 Practical implementation?
20:40 Focusing on recovery
24:28 The Barbell Strategy
27:58 What surprises you in cyber security?
Links:
Learn more about Sounil on LinkedIn, and Twitter, and learn about the Cyber Defense Matrix
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Thursday Oct 07, 2021
Is the SOC Dead? w/ Erik Bloch
Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many roles in cybersecurity, including being a product manager for SIEM products more than once. This last point is relevant, because it makes it even more surprising that Erik is convinced that the SOC's utility has passed... Join Allan and Erik as they dive deep into why he thinks the SOC is failing, the alternatives, what it takes to make an impactful change in incident response, and who to aim it towards. This conversation began when Allan read Erik's article on LinkedIn, “RIP SOC. Hello D-IR".
Key Takeaways:
01:16 Bio
02:18 Erik’s article: why is SOC failing?
05:01 What is the alternative?
07:29 Implementing fundamentals where it counts
10:15 Cloud Integration
17:45 Cloud agnostic tooling solution
23:27 The inevitability of a one-stop solution
27:20 Targeting the right audience
28:17 What surprises Erik in cyber security?
30:24 Letting go is not easy
Links:
Learn more about Erik on LinkedIn, and Twitter, and read his LinkedIn article
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Sep 29, 2021
The Value of Threat Intelligence w/ Samara Williams
Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.
Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber companies in short order - a fantastic start in cyber that turbocharged her maturity and experience. She quickly developed a passion for threat intelligence, and has worked in that space ever since.
Join Samara and Allan for a deep dive into threat intel, its pros and cons, its value, and its potential...
Key Takeaways:
01:28 Bio
02:56 The love/hate relationship with threat intel: yay or nay?
06:07 The steps to threat intel – breaking it down
15:14 How threat intel can help bridge tactical & operational Practices
19:57 Having a successful SOC program
22:18 Managing the unknown and practicing the fundamentals
26:17 Making a case for prioritizing threat intel
27:55 What surprises Samara in cyber security?
Links:
Learn more about Samara on LinkedIn, and check out her TedX talk
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Sep 22, 2021
Practical Realities of Ransomware Management w/ Bryan Hurd
This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in NCIS, founding the Navy’s first ever cyber counterintelligence program in 1993.
Join Bryan and Allan for a masterclass on ransomware, incident response, and preparedness. Having both consulted on ransomware situations many times, they offer a wealth of practical tips, do’s, don’ts, and gotchas. You can also hear their perspectives on the roles and processes in taking appropriate action when crisis hits.
This is a longer than usual episode, but that is because it is filled with practical advice based on a great deal of experience.
Key Takeaways:
01:20 Bio
02:58 Is ransomware still the #1 threat to an organization?
07:30 Having your incident response team ready and prepared
12:16 The roles, processes, and fundamentals of incident response
22:57 Modern ransomware extortion components
25:01 Encryption & decryption – dealing both strategically
27:10 Using software provided by attackers
30:18 Response as an executive – being transparent
35:02 Public communications
38:41 What surprises Bryan in cyber security?
Links:
Learn more about Bryan on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Sep 15, 2021
WHY We Measure Risk w/ Sameer Sait
In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.
It is about more than just asking for money. (And who are you actually asking money from? Hint: It is not the Board).
How does risk measurement change in the beginning of the CISO’s journey vs. later when the program is more mature?
What is the goal of good risk metrics? What is the role of cyber insurance in all this? What about business traction and cooperation with other department’s goals and objectives?
And finally, how does measuring risk affect the disposition of risk?
Key Takeaways:
01:20 Sameer's bio
02:30 Asking for money - it's not from the Board
05:58 Measuring risk: inside-out vs. outside-in
11:20 Approaching management with an objective, not a story
12:38 Working with your team, as a team
14:12 The effects of measuring risk
18:36 Analyzing the priorities and their consequences
24:36 Good governance vs. good management
26:22 Transference, remediation, and acceptance
30:57 What surprises Sameer in cybersecurity?
Links:
Learn more about Sameer on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Sep 08, 2021
What Comes After the CISO Role? w/ Helen Patton
Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there is not a clear path defined for the post-CISO career.
Allan and Helen discuss several models for post-CISO life that they themselves have explored, and that other CISO friends have as well, such as: shifting back and forth from CISO to vendor, shifting back and forth between CISO and advisory CISO roles at VCs and other entities, becoming CIOs or CTOs, etc.
Helen explains how there is no clearly defined path for a post-CISO life, how no mentors are available to aid with that transition, but also how CISOs can decide to simply change their roles as a CISO. She explains a little bit more about her advisory CISO life and the internal and emotional differences between it and a conventional practitioner CISO role.
Key Takeaways:
0:26 – Intro
1:12 – Helen briefly explains about her background in cyber and about her day job.
2:55 – Helen explains what is the post-CISO life?
5:54 – What are Helen’s thoughts on the different roles of CISOs?
9:21 – How many people are changing from CISO to a consultancy role?
11:04 – Has Helen seen anyone making such transitions and being successful over time?
12:48 – Hypothetically, what would happen if there was a major technology shift, but a CISO wasn’t there to supervise it due to being in a non-practitioner role at the time? Would she be missing out on critical CISO skills?
15:12 – Helen explains a little bit more about her advisory CISO life.
18:07 – What happens when Helen gets approached by startups who want feedback? Does she see them as competition? Are they up for having conversations with her?
20:47 – Can a CISO become a CEO?
22:37 – Who should the CISO be reporting to and why?
25:34 – What other post-CISO activities are there for CISOs that may not be a full-time role, such as boards, teaching, writing, speaking?
28:32 – What surprises Helen the most in cyber security?
Links:
Learn more about Helen on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Sep 01, 2021
Humans Are Not the Weakest Link in Cybersecurity w/ George Finney
Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future.
George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity.
He believes that the community as a whole under-plays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general.
Key Takeaways:
00:18 Intro/Bio
01:25 George’s story
04:27 Humans are not the weakest link in cybersecurity
07:17 How habits affect security awareness
08:30 The 9 habits and forming your cybersecurity personality
14:05 How secret keepers build a community
17:30 Potential improvements to security awareness training
22:22 The origin of the nine habits
26:50 What surprises George about cybersecurity still?
Links:
Learn more about George on LinkedIn and on Twitter and buy his book!
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Aug 25, 2021
Does SOAR Meet Its Promises? w/ Benjamin Corll
Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).
Benjamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and its lack of standards as well.
But it is not all negative - Benjamin does share stories as well of SOAR's successes in his shop, and of the things it does do well...
Come on down the ranch and give this show a listen!
Key Takeaways:
0:09 – Intro
0:55 – Benjamin's background and day job
3:46 – The premise and the promises of SOAR
6:32 – What else could be automated?
9:25 – Benjamin explains about the trouble ticket system and the change management system
11:57 – The standards for SOAR today
17:19 – How do we improve the cyber posture of all our organizations, making them more secure?
19:34 – Has SOAR managed to stay affordable for those who need it?
22:54 – What SOAR does well, the benefits and the value
26:35 – What has surprised Benjamin the most in information security
Links:
Learn more about Benjamin Corll on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Aug 18, 2021
The Modern CISO w/ James Azar
Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches of the job. James defines the cultural shift between the old and new as having taken place since September, 2017 (the Equifax breach).
James and Allan discuss the impact on the team, business, clients, and customers, and share their thoughts and experience on how to stay modern. “What keeps you going in cybersecurity?” as the signature final question for each guest has been replaced with “What surprises you the most in cybersecurity?” James is the first guest to answer that question, and his answer is a bit of a surprise itself…
Key Takeaways:
0:16 – Intro
1:04 – Bio
2:00 – The modern CISO contrasted with the older CISO
4:46 – What does the modern CISO mean to the team, business, clients and customers?
7:10 – How to interact with the business: building relationships, teams, meetings…
11:18 – How James Azar puts forward a message of security for the company
11:52 – Security Questionnaires and what is wrong with them
12:20 – Picking on SOC 2
12:39 – Operationalizing security within a client customer relationship
14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions
17:50 – How the word “no” keeps the business and team from moving forward
18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk
19:40 – Automation on the technology front and how it changes the modern CISO’s perspective
20:30 - COVID-mandated lockdown and the implications for workers in countries around the world
23:19 - Automating all entry-level positions and bringing entry-level people up
25:45 – What surprises James Azar the most about cyber security
Links:
Learn more about James Azar on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Aug 11, 2021
Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit
In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.
Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?
Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.
Key Takeaways:
0:43 – Intro
1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?
2:47 – Patrick discusses his own approach to Mustapha’s statement
3:26 – The evolution of CSF adoption briefly discussed and the importance of protection
6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all
9:50 – Maturity models
13:32 – Security strategies
19:56 – The guests answer: What were the toughest challenges working with a framework?
21:56 – The guests share their best success story with frameworks
23:51 – The guests share their journey on business integration
27:56 – The influence of regulation and other requirements
Links:
Learn more about Derly on LinkedIn and Twitter
Learn more about Mustapha on LinkedIn
Learn more about Patrick on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Aug 04, 2021
Burnout, Toxicity, and Overcoming Obstacles w/ Marilise de Villiers
On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.
Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.
They discuss obstacles, and how big obstacles should be embraced. They also talk about "exercising the resilience muscle".
This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.
Key Takeaways:
1:11 How Marilise got into information security
2:29 About her coaching and consulting practice for information security professionals
3:53 Avoiding CISO burnout despite our intrinsic challenges
5:08 External forces but also our own self-defeating behaviors
7:01 Clarity on who you are and why you are here
9:31 "I am" is the first negative step towards internalizing toxicity around us (neuroplasticity)
11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization
12:21 Marilise has a similar story
14:29 Facing futility and hopelessness in information security
15:19 Caring too much vs. business problems as a control and communication problem
18:23 How to perceive our biggest obstacles
19:28 Get professional help to strengthen your resilience muscle
20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your super powers' coaching (and other trusted coaches)
21:49 Your best life is on the other side of your biggest obstacle
21:59 There is always another obstacle
23:22 Living your best life TODAY
24:15 The value of resilience and embracing big obstacles
24:57 Marilise's reason for being in cybersecurity
Links:
Learn more about Marilise on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Jul 28, 2021
Migrating from Monolithic to Cloud w/ Greg Rogers
In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to cloud-hosted, customer-facing applications built with automated CI/CD and modern development languages and environments.
Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications. In this episode he gives tips on the technical aspects of his journey, as well as tools and techniques for overcoming cultural barriers.
Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.
Ultimately, Greg was able to pull off this transition piece by piece, and he shares how he did it.
Lastly, Greg closes with what keeps him going in cybersecurity...
Key Takeaways:
1:19 How Greg got into cyber
4:12 An overview of the challenge
6:39 Greg's biggest security challenges with the project, both cultural and technical
8:06 The value of engagement and relationship building
8:41 Targeted security awareness training
9:10 Make security fit with what they are already doing for their day jobs
9:25 Regulation as a driver for change
11:32 The challenges posed by regulation
12:06 The challenges of remote access
13:50 How to eat the elephant one bite at a time
14:11 VDI to migrate portions to the cloud
15:29 Identity & Access Management, CASB, SASE, etc.
16:53 Leveraging outside help
18:13 Selecting and settling on a good MSSP
20:21 In-house development vs. off-the-shelf and leveraging external developers
22:43 What the CISO provides in this scenario
24:02 Focusing on the 'gray' areas of security over the black and white
25:25 Improving the security culture and CISO relationships
26:49 What keeps Greg going in cybersecurity
Links:
Learn more about Greg on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Jul 21, 2021
Credential Stuffing w/ Dr. Sam Small
In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.
Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.
Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing. OWASP provides some guidance in this area.
The criminals' abilities vis-à-vis breach sharing and botnet-as-a-service are discussed as well.
Finally, Sam explains what keeps him going in cybersecurity...
Key Takeaways:
1:08 Sam's background and education in cyber
2:41 Sam defines credential stuffing and explains why we should care about it
4:17 The origins of the term 'credential stuffing' vs. its history
4:39 Is ransomware the end goal of every single kind of cyber attack?
5:22 Botnets as a service to drive credential stuffing attacks
6:33 Allan cites statistics from the Verizon Data Breach Incident Report
7:23 The DDoS aspects and related cloud costs of credential stuffing
8:48 Sam's theory on why the F5 report's credential stuffing statistics appear somewhat contradictory
10:43 Anecdotally anyway, password reuse appears to be a huge problem still
11:51 Combating credential stuffing and common traps in doing so
13:23 Credential stuffing and data breaches are not the same thing
14:17 Getting credential stuffers shut down by way of their service providers
15:25 Practical tips from OWASP for preventing credential stuffing in your environment
19:10 The difference between a comprehensive defense and not
20:32 Are obscure usernames useful in the fight?
22:06 Proposal for user-centric federation to monitor account usage everywhere
23:06 Obligations of those who suffered a breach of credentials
25:14 Criminals share data on their side
26:09 What keeps Sam going in cybersecurity
Links:
Learn more about Sam on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Jul 14, 2021
“Ugly Exits” w/ Naomi Buckwalter
On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security. Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.
They circle back to the topic at hand, “Ugly Exits”. Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner. Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.
When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting its employees in unethical situations. To Naomi, this is a frighteningly common thread. It’s scary how many unethical employers are out there.
Naomi shares a personal story of her own ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.
Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there. He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.
Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit. In fact, they feel that as humans we sometimes fail to appreciate the bad things that happen to us, which are what let us appreciate the growth and the improvements we have made throughout our lives. Reflect back and think about all that you have survived in your past. Out of that self-awareness comes the opportunity to improve.
A large portion of growth, whether personal or work, comes from self-reflection. One can learn from it, grow from it and figure out how to navigate the situation should it arise again. Could it be that thinking we are the hero of our own stories is hurting us?
Key Takeaways:
1:25 Getting into Cyber
3:22 Burning Bridges
8:56 Mismatches
14:18 Reflecting
19:43 Humanity
23:28 The Firing and One’s Value
28:45 What Keeps You Going
Links:
Learn more about Naomi on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
Wednesday Jul 07, 2021
Agile for Security Programs w/ Tim Rohrbaugh
On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.
Tim got into cyber through the military. From the military he went into consulting and ended up at JetBlue. At JetBlue, he is always trying to find ways to invest dollars in security programs to balance what is going on. Along with that, he strives to keep his team motivated and moving forward.
Agile is a software development methodology, and it replaced Waterfall. Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.
Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics. Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'. QA is very rapid as well, leading to rapid release. Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.
In Agile, product owners come up with ideas and thread those through marketing and development. In applying this paradigm to running a security team, Tim replaces product owners with threat intelligence folks.
This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.
But Tim does not stop there. Anyone on the team can create and manage a story to address any specific and immediate security need...
Key Takeaways:
1:10 Tim’s background and day job
2:08 JetBlue
2:39 Introduction of Agile
3:57 Tim’s approach
6:15 How Agile is used
8:31 Threats addressed
9:46 Story sourcing
11:03 Creating the story
12:48 Narrative skill
14:08 Metrics
15:53 Risk management aspect
19:00 Not using risk
21:38 Positives
23:20 What keeps Tim going in cyber
24:42 What Tim is looking forward to in cyber
Links:
Learn more about Tim on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Jun 30, 2021
All About Analysts w/ Christina Richmond
With us today is Christina Richmond, Program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.
Allan starts the episode by asking Christina to share how she got into cyber and what her day job is like. Christina actually began by working in the storage space, and then discovered security. To her it was like a drug. What does she do throughout her days? She partakes in hundreds and hundreds of calls with companies who need help with launches and marketing, specifically in growing areas of cybersecurity. In essence, there is a lot to being an analyst. But to be successful, you have to be curious!
The best way to put Christina’s job in words is “learning the whole from the parts.” She talks with individual players, studies market trends, and then circles around again to piece it together. One big feedback loop.
On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. There are certain aspects necessary, and they are: First, understanding the technology. Next, either having been an analyst before or being in market research of some kind. Finally, the soft skills or executive presence.
Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.
In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.
The bottom line for Christina is helping; it is her favorite thing to do. When it comes to changing things, Christina wouldn't throw anything out but would have more people doing more of the work. Because really, there is a resource shortage in the analyst realm.
Finally, Allan asks the one question he asks of all his guests: “What keeps you going in cyber, why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber?”
Christina responds, “Every day, there's a new breach, every day someone is suffering because a Florida water system was poisoned or because the oil and gas pipeline has been interrupted, and we're not going to have gas at our gas stations, or because, you name it. There are so many reasons to get up every morning. And, I think every cyber security person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me.”
Key Takeaways:
1:17 Christina’s background
3:02 An analyst’s day job
6:02 Learning the whole from the parts
7:46 We’re hiring
11:02 Staying informed and in the game
13:05 Non-technologist
14:22 Plight of the analyst
16:38 Favorite part of the job
18:44 What would Christina change
19:35 How to get the best engagement
23:11 Storytime
25:55 What keeps Christina going
Links:
Learn more about Christina on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius