The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday Jun 23, 2021
The Journey to Passwordless Authentication w/ Derly Gutierrez
With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strengths of today's authentication methods.
Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.
Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.
The two discuss corporate and personal use of passwordless solutions, talk about legal precedence and the future of passwordless approaches.
Key Takeaways
1:14 How Derly got into cyber
1:58 About Derly's day job as Head of Security
2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords
3:35 Allan cites NIST 800-63b
4:15 Derly talks about CAC cards in the US DoD
4:50 Derly sides with vendor innovations over NIST guidance
5:56 Allan clarifies the distinction between PINs and passwords
6:52 Derly points out the flaws with biometrics in terms of reliability and assurance
9:09 Allan cites a survey regarding WHY organizations choose passwordless
9:52 How many 'passwordless' solutions still include shared secrets
10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues
11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches
13:06 Allan points out the value of Identity and Access Management solutions
13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS
14:50 Derly takes these methods apart
16:05 Many companies are not doing Role-Based Access Control, system-to-system communication and Privileged Access Management correctly
17:02 Allan brings up the presence of push attacks
17:38 Allan's definition of true passwordless authentication
17:56 Derly's definition of true passwordless authentication
21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition
23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself
23:47 "Your home is your castle" has become "Your phone is your castle"
25:06 Allan cites one last survey as to how many of us really are passwordless
26:02 How long before we get to passwordless?
28:06 What keeps Derly going in cyber
Links:
Learn more about Derly on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Jun 16, 2021
Application Security w/ Taylor Lehmann
With us today is Taylor Lehmann, former CISO several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.
Taylor and Allan talk about application security: why it's important, who are the personas, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers.
Taylor, a Boston boy, starts the show trying to say, "Howdy!" correctly. Taylor started at PWC and grew into a healthcare CISO. He has now transitioned to AWS.
Key Takeaways
1:40 How Taylor got into Cyber
2:58 Taylor’s day job
4:30 Appsec Defined
5:49 Taylor's favorite appsec frameworks
7:48 Why appsec is important
8:55 The personas and roles
11:22 Security training in appsec
12:27 Threat modeling
15:11 Infrastructure as code
20:46 How to get started in appsec
24:12 Devs already know and care about security
25:38 Where does the trope come from that devs don't care?
26:52 Why "DevSecOps" is a bad term
28:00 What keeps Taylor going in cybersecurity
Links:
Learn more about Taylor on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Jun 09, 2021
Solving The Global Cyber Problem w/ Ian Thornton-Trump
With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.
Ian shares his background which started back in the Canadian military. During those times, "IT" was called "automated data processing", and it is quite clear how far this has advanced. He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence. Soon after he became a consultant and made his way to the UK in 2015.
Oftentimes organizations have not planned or prepared for risk, and that includes cyber. In that sense, cyber can be compared to the environmental landscapes and infrastructure, which Ian finds eerily similar. A lot of problems created in cyber mimic a lot of the environment problems we face in today’s world. One example is the recent failure of the Texas power grid during a very harsh winter. Investment in cybersecurity is critical.
Allan feels there are a lot of environmental laws, and there are also already some pretty strict cyber laws. However, they seem aimed more at anonymous or extrajurisdictional perpetrators and end up useless when that anonymity is involved. Some cyber laws also seem to punish the victim - after suffering ransomware, you are now penalized for not being prepared for it in the first place? How can we get laws in place that help the situation rather than blame the victim?
Ian suggests that positive incentives are the answer. If we can just get companies to do a bare minimum of cyber hygiene, by incentivizing them through tax breaks, Ian thinks we could move the ball forward without making it too onerous to meet some sort of regulatory standard. How do we possibly extend our reach? Because at the end of the day, the root cause is the "bad guys", so how do we get to them? America is already doing a lot, but other countries need to put their money where their mouth is.
Ian and Allan discuss President Biden's Executive Order on Cybersecurity. This can enforce behavior in the government, but only suggest behavior in the private sector. To sum up, we're nowhere, and we need to get somewhere because what we've done, at the federal and state level in the United States, is taken a lot of dollars, put them in parking lots, and set fire to them. And then after we finished that exercise, we asked for more dollars. We have to change the entire system from the ground up. And we have to incentivize cyber security.
Key Takeaways
1:10 How Ian got into Cyber
2:21 Ian’s day job
4:18 Issues with infrastructure and environment
7:38 Meaningful laws
12:47 Getting to the bad guys
16:35 Catching “Fred Smith” or someone like him
17:43 Rewards
21:17 Preparedness and helplessness
23:43 Einstein program
26:24 What keeps Ian going
Links:
Learn more about Ian Thornton-Trump on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Jun 02, 2021
FAIR from the Trenches w/ Drew Brown
With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.
Drew shares a little bit about his background in cyber, and a little bit about his day job. He spent 15 years in IT. That opened the door for him to be the CISO for one of the state agencies. Now his title is IT Security Manager, but essentially he is responsible for communicating security and risks and working within a law enforcement agency to make sure that what is implemented is secure, is compliant, and meets all of the agency objectives.
With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information.
The probability of a guy sitting in his basement ordering pizzas on your credit card is different from the probability of a nation state attack. On the impact side, FAIR looks at six different categories of loss: for example, there is loss of productivity, and there is loss in terms of response, i.e., how much money do we have to spend to resolve that loss event or incident?
The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.
Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions.
Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely!
Where FAIR falls short also comes up. After reflecting, Drew says that it is in the controls analysis piece.
Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy that a relationship with my counterparts and then also establishing those relationships with the business and seeing the problems solved.”
What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.
Key Takeaways
1:15 Drew shares his background and day job
2:20 FAIR model
2:56 How FAIR works
5:13 Probability
8:45 What drove you to FAIR
11:42 Goal of FAIR
13:30 Selling to the board
18:16 The honest hat
22:17 RSA announcement
23:32 What keeps Drew going
24:49 What Drew looks forward to
Links:
Learn more about Drew Brown on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday May 26, 2021
Clever Hiring Practices w/ Andy Ellis
With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.
Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.
Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.
For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.
Now that we have covered the promote-from-within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet these hires are really, really effective and repeatable.
Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.
Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.
Hire teachers. Put a teacher in a position, learn how deep they need to go on a daily basis, and then make sure they get one level deeper. Because you're always going to have problems if you teach exactly to your domain knowledge. So, make sure your domain knowledge is always a little bit deeper than whatever your job requires, which is usually going to be sufficient to keep you out of trouble.
To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”
According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.
Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."
Key Takeaways
1:24 Andy shares his background and how he got to cyber
3:12 Working for a venture capital firm
7:12 Hiring and building a team
12:26 The abnormal hires that just make sense
15:46 Clever role adjustments
17:10 More nonstandard hires
19:03 Confused? Whose confusion is it?
21:02 The academy
24:42 Putting a teacher in
25:21 Budget technique
27:09 Why isn’t everyone hiring this way?
28:30 What keeps you going in cyber?
Links:
Learn more about Andy Ellis on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday May 19, 2021
Measuring Risk w/ Richard Seiersen
Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.
Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard.
What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years.
Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method.
Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example.
CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.
Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach.
Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.
Embracing uncertainty is okay. Executives are actually very used to uncertainty.
Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.
Key Takeaways
0:25 Richard is introduced
1:20 Richard talks about his cyber journey and his day job
3:02 Book talk
5:19 What can cyber learn from older style risk tactics
8:04 5x5 risk matrix
10:05 Improving accuracy
17:00 Gathering an accurate view
19:20 Monte Carlo simulations
22:04 The belief
25:17 Board-ready presentations
26:58 What keeps Richard going in cyber security
28:09 Why statistics were invented
Links:
Learn more about Richard Seiersen on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday May 12, 2021
Becoming a CISO w/ Accidental CISO
With us today is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity.
“Accidental” shares how he got into cyber, which was the culmination of being in a career where he had to wear “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting, where he has the opportunity to help other people realize they need to build security programs when they have never done it or don't know how.
How did he become the “Accidental CISO”? Simply by trying to help during the course of going through an audit. They had to identify who was the CISO, and he made the mistake of asking who the security officer was for the company. The answer was, “That’s you.”
Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits, etc., someone has to be named, someone ends up drawing the short straw.
The role is different than what people think. You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it. One must understand this is not a technical role.
Allan shares his pivotal moment in becoming a CISO and how he realized all he had to do was recognize the business as the system he was hacking.
When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word, “Pray.” In reality, you need to know the skills you need.
Allan and Accidental CISO discuss “selling the functions”. It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints. As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.
Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit. In addition, being the first CISO for a company is all about educating, communicating and painting a picture.
And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”
Key Takeaways
0:30 Introduction of Accidental CISO of Twitter fame
1:37 How Accidental CISO got into cyber
2:14 Accidental CISO talks about his day job
3:33 The background of Accidental CISO
4:49 The security tool Accidental CISO embraces
5:20 Accidental CISO is not an uncommon “thing”
6:37 Advice to becoming a CISO
9:28 Allan shares a pivotal moment
10:15 Guidance on building and getting a team started
13:58 Selling the functions
16:55 Getting the practice off the ground
20:13 Importance of relationships and letting go
22:24 Being “their” first CISO
26:47 Building a security council
27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it
Links:
Learn more about Accidental CISO on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday May 05, 2021
Breach & Attack Simulation w/ Marlys Rodgers
Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She currently is CISO for CSAA Insurance Group and is running security for the company as well as running governance risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing.
Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program. Marlys feels BAS is most effective when some, or most, of the intended controls are in place so you can focus on areas you need to strengthen. For her company, she was glad they did it earlier rather than later. They had a pretty good lead time to get systems to integrate.
The way you use BAS, especially along with threat intelligence, is really important. If you don’t have a purple team, or a red and blue team how does one start or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best!
How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit and they become strong allies. Everyone is happy when fed real-world, real-time information.
BAS is truly changing mindsets, and will ultimately alter prioritization and enhance inter-team communications as well.
To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.
Key Takeaways
0:21 Welcome Marlys
1:13 Short comical discussion on how one should pronounce BAS
1:29 Marlys shares her background and day job
3:35 When BAS comes into the picture
5:00 The trick
6:05 Allan asks Marlys how she stays up with it
8:52 Marlys explains why more time should be spent on extending capabilities
9:38 Suggestions are shared to roll out BAS
12:21 Importance of human elements
13:45 If you don’t have teams, what happens?
16:18 How BAS affects conversations with teams
20:00 Importance of transparency
21:27 Changing people, process and technology with BAS
25:00 Marlys shares the reason she is motivated to stay in cyber
26:01 Marlys shares what she is looking forward to in cyber
Links:
Learn more about Marlys on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Apr 28, 2021
Enterprise Security Architecture: A $110b Case Study w/ John Petrie
With us today is John Petrie, Counselor to the NTT Global CISO. He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe.
After retiring from the Marines in 1996, John began his career in multiple security positions. He shares that his major responsibility today is creating the enterprise security architecture (“ESA”) for NTT.
Allan used to work for NTT DATA Services, and shares that John is working for the ultimate parent company of the NTT global conglomerate – a full 3 companies of inheritance between John’s company and Allan’s former company. John shares just how big NTT really is throughout 180 countries. Altogether there are 986 companies worldwide, generating over $110 billion in revenue each year. NTT is #62 on the Global Fortune 500.
John shares the full gamut of what an enterprise security architecture really is, how important it is and what it does. There are nine principles to building his ESA, and John outlines them while acknowledging that it is different for every company. Nowadays, the systems designed are for mobility, usability, management, and innovation around the core. Simplicity and resilience are a must!
Further on down the show, Allan and John discuss the 3-year cycle of both technology and business planning, and that not everything is a “one size fits all”. In addition, they talk about mixing and matching popular ESA models, and what that means to the framework.
There is a bit of discussion surrounding what it means to “have a seat at the table” as an information security executive. Everyone needs to be on the same page, to have business buy-in and to create strong business relationships. Security is one of those business voices, and everyone is in it together.
In closing, Allan and John talk about how the focus is not only on technology but on governance and training to get ready for implementation. Along with this, there are fundamental strategic decisions to be made, but ultimately on the large scale it is all about execution and governance.
Key Takeaways:
0:24 Introduction of John Petrie
1:27 How John broke into cyber and how his job looks today
3:08 We get the low-down on how big NTT really is
4:55 Everything you need to know about ESA
6:46 John shares the 9 principles that provide a foundation for his ESA
6:55 “Aligned Independence”
7:44 “Standards-Based”
7:53 “Manage the Risk”
8:15 “Platform-Based Architecture”
9:49 “Design for Mobility and Usability”
10:00 “Innovate Around ‘The Core’”
10:32 “Simplicity and Resilience”
10:36 Global Remote Work at nearly 100%
11:30 “Supporting Digital Transformation & Strategic Plan”
13:04 Allan and John discuss 1-, 3-, and 5-year cycles
14:40 Not everything is one size fits all
17:02 Length of the process John is currently in
19:15 What occurs during this process
20:44 John shares the plan goal
22:33 The one directive from their CEO
24:16 Fundamental strategic decision
26:41 The large scale
27:31 The key takeaway from this entire discussion according to John
Links:
Learn more about John on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Monday Apr 26, 2021
Programs for Women & Veterans in Cyber w/ WiCyS - SPECIAL EDITION
With us today are Lynn Dohm, Executive Director of Women in Cybersecurity (WiCyS) and Martha Laughman, Veterans Initiative Lead at WiCyS and Director of Workforce Development at Smoothstack. Lynn and Martha are here to talk about the amazing programs for women and women veterans at WiCyS.
WiCyS is so much more than a conference for women in cybersecurity. Its presence spans the globe and its programs are myriad. Mentorship, student scholarships, training, special interest groups, job boards, veterans' assistance, and apprenticeships are all available.
Smoothstack is a partner of WiCyS, and has created a program for women veteran apprenticeships designed to benefit all parties involved.
The program is based on attitude, aptitude and initial assessments, but requires no cybersecurity knowledge at the start. Apprentices are paid, trained, and qualified when they come out, working for employers on a two-year contract at a minimum. The program addresses employers' fears over being the first ones to hire and train new talent only to lose them.
WiCyS is a phenomenal organization, and there are ample opportunities for allies - not just women - to join.
Key Takeaways
0:24 Allan introduces Lynn and Martha
1:18 Lynn gives an overview of WiCyS' origins
2:06 Lynn explains the many WiCyS worldwide programs outside of the conference itself
6:45 Lynn introduces the veterans' assistance program
7:33 Lynn explains the origins of the veterans' apprenticeship program
8:54 Lynn explains why WiCyS chose Smoothstack and its program for women veterans' apprenticeships
10:14 Lynn explains the specific challenges and needs of women veterans
11:51 Martha shares a bit about her past, and her personal motivations
15:05 Martha elaborates on the program at Smoothstack with a very human story
17:14 Martha outlines the full process of the apprenticeship program
18:10 Martha outlines the tests for entry into the program
20:44 Martha states that employers hiring new talent suffer training overhead followed by attrition
21:40 The Smoothstack/WiCyS program pays candidates to get trained to readiness and guarantees employers two years minimum
23:40 Martha explains that cybersecurity has become a sellers' market and that jobs remain open because employers cannot pay enough
26:20 Lynn explains her motivation and drive to build such programs
27:23 Martha asks our listeners to join WiCyS, noting that membership is very affordable
28:23 Lynn echoes Martha's advice and recommends browsing the WiCyS website
28:47 Allan asks listeners to donate to WiCyS
Links:
Learn more about WiCyS at www.wicys.org and on Twitter and on LinkedIn
Learn more about Smoothstack at smoothstack.com
Learn more about Lynn Dohm on LinkedIn and on Twitter
Learn more about Martha Laughman on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 21, 2021
Data Risk Governance w/ Patrick Benoit
Howdy, y’all, and welcome to The Cyber Ranch Podcast! With us today is Patrick Benoit, Global Head of Cyber GRC, and BISO at CBRE. Patrick is here to talk about Data Risk Governance, a slightly new twist on an old problem. Like our host, Patrick is also from the Dallas-Fort Worth area of Texas.
To start the conversation, Allan asks Patrick to share a little about himself, his background in information security and what he does at his day job. Patrick began his career in the military, eventually coming over to consulting and enterprise. He has built out more than one BISO program, and has run multiple GRC programs as well. Patrick has a customer-facing security role and believes that all security leaders are also, to some degree, sales leaders.
Allan and Patrick walk through a very practical approach to Data Risk Governance, starting with 'big chunks' and working towards the future with data tagging.
They discuss briefly various rules for dealing with older data and various means of risk measurement.
Ultimately their model is designed to work over a three-year or five-year period, encompassing all data in the organization by that time.
Key Takeaways
0:23 Allan introduces Patrick
1:36 Patrick shares his cyber background and his day job
4:10 Patrick introduces his model of Data Risk Governance, which began as a sales/marketing tool and evolved into a "real" practice
5:59 Patrick introduces the precursors to setting up a proper Data Risk Governance program, which includes data classification among others
8:01 Allan explains how data discovery and classification can be expensive and yet still only partially successful
9:12 Patrick advocates his 'one bite at a time' method based at first on broad strokes of known valuable/risky data
10:45 Allan describes multiple data loss stories from his past
12:10 Patrick delineates in more detail the 'big chunks of data' method and his firewall analogy of allow/deny
13:23 Patrick notes that classification followed by tagging is a great approach
13:57 Allan proposes a new-data-only go-forward plan and Patrick agrees
15:56 Patrick talks about how the legal department owns data retention rules
17:30 Discussion of how chat messages should be volatile
19:00 Allan proposes using tagging to manage destruction and retention
21:00 Patrick notes that reducing risk by tagging some of your data is better than tagging none of it
23:30 Patrick discusses his model for quantifying risk vs investment as an 'orders of magnitude' problem with dollars as unit of measure
25:17 Allan proposes the car insurance model to counter Patrick's life insurance model
26:00 Allan talks about accurizing risk measurement and discusses briefly models like FAIR and Bayesian math vs. Patrick's orders of magnitude method
27:09 Patrick uses the 5x5 method not as a specific measurement but more as a visual aid and heatmap
29:11 Patrick explains what keeps him going in information security
Links:
Learn more about Patrick Benoit on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 14, 2021
Vishing, Smishing and STIR/SHAKEN w/ Mike Manrod
Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Education. Mike has done quite a bit of research on vishing, smishing and the upcoming STIR/SHAKEN mandate meant to combat those two.
To start the conversation, Allan asks Mike to share a little about himself, his background in information security and what he does at his day job. Mike started as an IT technologist who originally resented the security team for slowing down technology projects. Then a friend took him to a security conference, and the rest is history.
Mike explains what vishing and smishing are, contrasting them to traditional phishing. Mike and Allan discuss personally targeted vishing and smishing vs. attacks targeted at organizations.
Allan and Mike cover the STIR/SHAKEN mandate and the RFCs behind it, along with the technical limitations inherent in the approach.
Finally, Allan asks Mike what keeps him going in cybersecurity, including technical challenges and a strong infosec community.
Key Takeaways
0:24 Allan introduces Mike
1:05 Mike explains how he got into cybersecurity and what his daily CISO life is like.
2:48 Mike explains what vishing and smishing are.
3:32 Mike distinguishes unethical vishing from truly illegal vishing, and explains how each might target an organization vs. an individual.
7:18 Mike explains how most smishing is targeted at individuals. SIM swapping and other techniques are generally what is used against enterprises.
8:00 Mike says that smishing is most often used to introduce malware or harvest user credentials.
9:31 Mike says that smishing, vishing and robocalling definitely mimic the ransomware world where lower-level, even non-technical criminals run the front line of attack.
11:34 Mike compares STIR/SHAKEN to the anti-phishing technologies DKIM, DMARC and SPF.
11:49 Allan explains that those email technologies are opt-in and only effective if all parties choose to opt in.
12:31 Mike explains what STIR/SHAKEN stand for and how they work - they are based on a series of RFCs.
13:43 Mike explains the FCC's June 30, 2021 deadline for IP-based carriers to adhere to STIR/SHAKEN. TDM and cellular networks are asked to implement in good faith.
15:48 Mike says that STIR/SHAKEN is a great step in the right direction. The nature of the problem is that the 'from' value is user-controlled in telco communications.
17:29 Mike says that an enforced hierarchy of tokens will ultimately solve the problem.
18:15 Mike recommends RFC 7340 as the best end-to-end statement of the telephony problem.
18:45 Mike explains how STIR/SHAKEN also impacts smishing - noting that iMessage and other SMS-derived technologies already offer better security than voice technologies.
19:29 Mike states that a paradigm with certificates bound to number ranges or account ranges is the real solution to the problem.
21:01 Mike explains that fun technical challenges are why he stays in information security - a lack of boredom.
21:58 Mike also names community as another reason he stays in infosec.
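Mike's comparison of STIR/SHAKEN to DKIM/DMARC/SPF and his point that the 'from' value is user-controlled in telco signalling come down to one mechanism: the originating carrier signs the caller's number, and the terminating carrier verifies that signature against a certificate that chains to an STI-CA. The Go program below is an added illustration for this page, not code from the podcast, from Mike, or from any carrier. It builds and verifies a SHAKEN PASSporT (the JWS of RFC 8225 with the RFC 8588 profile, carried in the SIP Identity header of RFC 8224). It assumes a plain map standing in for certificate retrieval and chain validation, constructed telephone numbers and a made-up x5u URL; signing and verification use ECDSA P-256 from the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// TrustStore stands in for certificate retrieval and chain validation (an assumption of this
// example): it maps the x5u URL in a PASSporT header to the public key of the STI certificate
// at that URL. A real verifier fetches the certificate and checks its chain to an STI-CA.
type TrustStore map[string]*ecdsa.PublicKey
type passportHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type passportClaims struct {
	Attest string              `json:"attest"` // A (full), B (partial) or C (gateway)
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

const freshnessSeconds = 60 // RFC 8224 section 4.1 uses a sixty-second window to limit replay
var b64 = base64.RawURLEncoding

func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func decodePart(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignPassport plays the originating carrier's authentication service: it emits a SHAKEN
// PASSporT (RFC 8225/8588) as a compact JWS, ES256 over the exact bytes "header.payload".
func SignPassport(priv *ecdsa.PrivateKey, x5u, origTN, destTN, attest, origID string, iat int64) (string, error) {
	// json.Marshal cannot fail for these fixed struct types, so its error is dropped.
	hdr, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	body, _ := json.Marshal(passportClaims{Attest: attest, Dest: map[string][]string{"tn": {destTN}},
		Iat: iat, Orig: map[string]string{"tn": origTN}, OrigID: origID})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the fixed-width concatenation r || s, 32 bytes each (not DER).
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport plays the terminating carrier's verification service: the attestation level is
// returned only for a well-formed, trusted-signed, fresh token that binds the SIP From number.
func VerifyPassport(token, sipFromTN string, trusted TrustStore, now int64) (string, error) {
	parts := strings.Split(token, ".")
	var hdr passportHeader
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("malformed PASSporT or unsupported alg/ppt")
	}
	pub, ok := trusted[hdr.X5u]
	if !ok {
		return "", errors.New("x5u does not name a trusted STI certificate")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify")
	}
	var c passportClaims
	if err := decodePart(parts[1], &c); err != nil {
		return "", err
	}
	if d := now - c.Iat; d > freshnessSeconds || d < -freshnessSeconds {
		return "", errors.New("stale PASSporT")
	}
	if c.Orig["tn"] != sipFromTN {
		return "", errors.New("signed orig.tn does not match the SIP From number")
	}
	return c.Attest, nil
}
```

Two failure modes are the ones that matter for vishing: a call whose From header was rewritten after the originating carrier signed it fails the orig.tn comparison, and a caller who signs with a key that is not behind a trusted x5u fails signature verification. This also shows the limitation Mike raises: the Identity header only survives an all-IP path, so a TDM leg that strips it leaves the terminating carrier with nothing to verify, and the call falls back to an unattested caller ID.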
Links:
Learn more about Mike Manrod on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Apr 07, 2021
Maturing Purple Teaming w/ Gabe Lawrence
Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawrence, General Manager of Cyber Security Protection at Toyota Motor North America. Gabe has seen the good and bad of purple teaming, and we’re here today to discuss what a mature purple teaming organization looks like.
To start the conversation, Allan asks Gabe to share a little about himself, his background in information security and what he does at his day job. His path to security hasn’t been linear - he has been a developer, an entrepreneur and a startup owner, slowly making his way to different levels of management in the security space. Gabe runs Enterprise Security at Toyota North America and is responsible for the technical side of the business and manufacturing environment.
When discussing what successful purple teaming looks like, Gabe points to higher-fidelity alerting as one of its greatest benefits. Rather than a red versus blue mindset, purple teaming encourages community and collaboration. Then, Allan asks Gabe to share a specific time he found unexpected success in purple teaming. Gabe gives an example reiterating the advantage of having a red and blue team working collaboratively.
In managing an enterprise, Gabe says there is always something changing. Validating your controls, alerts and responses are just a few of many tasks best tackled in smaller chunks. Embedding the automation from purple teaming into the ongoing environment keeps things in a high-functioning state and serves as a persistent health check. Gabe notes that an attack such as a buffer overflow is not an instantaneous event, and discusses combating attacks that linger in the environment.
Though purple teaming has many great benefits, it requires a bit of maturity. Having different teams interact together as they mature ensures they understand each other's roles and can effectively work together. Gabe urges people in the industry to think of themselves not only as part of a specific team, but as a part of a broader collective. In the hiring process, he describes seeking candidates with experience in software development and scripting. Additionally, it’s crucial to be willing and excited to learn and have keen problem solving abilities. In closing, Gabe looks forward to working in serverless cloud environments in the future and says his favorite thing about his career field is that it never fails to offer something new.
Key Takeaways
0:21 - Host Allan Alford welcomes listeners to the show and introduces Gabe Lawrence.
1:12 - Allan asks Gabe to share about his background and day job.
2:40 - What is successful purple teaming?
4:30 - Gabe shares both positive and negative personal experiences in purple teaming.
9:42 - How do you automate purple teaming?
14:11 - Fine tuning the deployment of the controls.
19:20 - How Gabe designs and hires for his team.
26:20 - What keeps Gabe in Information Security?
Links:
Learn more about Gabe Lawrence on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Wednesday Mar 31, 2021
Interview with a Vendor w/ Dutch Schwartz
In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observer, and a constant learner and researcher. He brings some unique insights to our practice.
Dutch talks about his encounters with CISOs and their direct staffs, and opines on the debate as to how technical a CISO should be (versus business-oriented).
Allan and Dutch discuss healthy vs. unhealthy (Dutch prefers the term 'challenging') security cultures.
Dutch talks about all security efforts aligning with business initiatives, and Allan espouses his theory that all CISO actions should tie to business initiatives, risk reduction, and maturity improvement.
Dutch remains enthused about cybersecurity because of conversations like this very interview.
Key Takeaways
1:32 - Dutch shares his cyber origin story - stumbling into cyber after a military career as an officer, and working as an integrator for a VAR.
4:54 - Today Dutch works at AWS and supports the largest customers as a cloud security strategist, working with CISOs and their staffs.
5:47 - With Dutch's Fortune 50 customers, he meets with the CISO on a monthly or bi-monthly basis, depending upon how hands-on the CISOs are. Daily he meets with the CISOs' direct reports.
7:04 - Dutch explains that over the years CISOs have changed from a more technical bent to a more business and risk-management orientation. Some struggle with this growth.
12:15 - Allan describes his CISO communication philosophy of "Business Terms First, Risk Terms Second, Technology Terms Third".
13:23 - Allan talks about CISOs asking each other whether they are more technical or business/softskills-oriented.
15:00 - Dutch says that how technical a CISO is depends partially upon risk tolerance.
18:02 - Dutch elaborates that a bad security culture results in more breaches.
19:18 - Dutch explains how a company's culture can be measured.
19:54 - Dutch says culture is not what the leadership preaches, but rather what the factory worker in a remote location believes it to be.
20:16 - Dutch says challenging cultures are the ones where leadership is not aligned.
21:53 - Dutch starts his conversations with his clients by talking first and foremost about business initiatives.
23:40 - Dutch often compares security to quality when getting his clients to understand the overarching perspective.
26:50 - Allan says all CISO initiatives should be tied to business objectives, reduction of known risks, and how his actions might improve maturity.
29:29 - Conversations like this one are what keep Dutch in information security.
Links:
Learn more about Dutch Schwartz on LinkedIn and Twitter.
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 24, 2021
Advancing Cybersecurity Careers w/ Christophe Foulon
In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech company, and co-host of the "Breaking into Cybersecurity" podcast.
Chris has 15 years in information security, having started at the helpdesk years ago. His biggest desire in infosec is helping others. In his day job Chris gets to work with every part of the business.
On the subject of the personnel shortage in cybersecurity, Chris believes that there is no shortage. Rather, he suggests that hiring managers limit their choices by holding out for too high an experience level, and by neglecting diversity and inclusion.
His advice for those who are entering the profession is to combine experience, certifications and education as suited to themselves and the roles they are applying for. He suggests research and listening to podcasts like this one. Chris suggests finding a mentor as well.
Chris and Allan discuss diversity, inclusion and allyship at length, going into such details as how job descriptions can discourage diverse candidates.
Chris' motivation in cybersecurity is the fact that the industry is ever-evolving and always presents opportunities for creative problem solving.
Key Takeaways
1:18 - Chris shares his history with cybersecurity
3:20 - Chris describes why he thinks there is no infosec personnel shortage
4:43 - Chris describes how to write a job description to generate more candidates
6:28 - Chris tells people with other backgrounds not to start over in cyber but to move in laterally and learn the tech
8:02 - Chris explains how to get experience and subject matter expertise before you start your first job
12:35 - Chris talks about certifications
16:11 - Chris talks about including neurodiverse candidates
17:52 - Chris describes how hiring managers can clean their job descriptions to encourage diverse candidates
24:24 - Chris describes the benefits of mentoring
25:24 - Chris describes what motivates him in infosec
26:24 - Chris describes what he is looking forward to in infosec
Links:
Learn more about Chris Foulon on LinkedIn and Twitter.
Chris' coaching site is CPF Coaching
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Wednesday Mar 17, 2021
Developing Leadership w/ Gary Hayslip
Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip. Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!
To start the conversation, Allan asks Gary to share about himself and his background in cybersecurity. While he had a natural interest in computers and technology more generally, Gary’s formal entrance to the cybersecurity field came during his time in the military. He developed a love for security, and as he’s climbed within the industry in the years after his military service, he’s also developed a strong network as a colleague and mentor. Allan tapped into this shared community through one of its most-used platforms, LinkedIn, to find out what others in the field would most like to learn from Gary.
The first questions deal with topics of leadership and training, and Gary explains his own practices of educating himself and his team. In his own life, he is committed to maintaining up-to-date knowledge of his rapidly changing field through research and reading; such knowledge is necessary if Gary is to lead as effectively as he can. Gary also provides opportunities for his staff to receive continuing education, and he does not worry that he might train employees beyond their roles. Rather, he embraces the privilege of partnering with his staff to see them succeed on their career paths.
There is a lot that goes into Gary’s practice of crafting and leading a team, and the COVID-19 pandemic has caused him to make some coaching changes. One-on-one meetings and conversations about family are more frequent, but the emphasis on building team trust and leading team members to own the business strategy remain constant. Gary assigns team members to take the lead on and complete briefings for different aspects of the strategy, and also expects them to back each other up.
This practice not only fosters ownership of business processes and development of employee skills, but also shapes the kind of culture Gary insists his team have. He requires team members to possess certain soft skills, be people of honesty who take personal responsibility, and be comfortable in team and group contexts. Gary tries to care for his workers by taking harder hours on himself than he expects them to work, but as the conversation wraps up, he explains that he is mainly motivated in his work by love for the community and people in the field!
Key Takeaways
0:21 - Host Allan Alford welcomes listeners to the show and introduces Gary Hayslip.
1:08 - Allan asks Gary to share about his background.
2:08 - The first questions deal with continuing education for Gary and his team.
6:58 - How has Gary’s coaching changed because of COVID-19?
10:54 - What are Gary’s methods for helping his team take on pieces of his strategy?
17:55 - COVID-19 also raises new questions about work-life balance.
21:45 - The next question deals with how Gary develops team culture.
25:39 - What keeps Gary going in cybersecurity?
Links:
Learn more about Gary Hayslip on LinkedIn.
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Monday Mar 15, 2021
The Post-COVID Reckoning w/ Dr. Rebecca Wynn - SPECIAL EDITION
In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like. Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!
The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field.
Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.
Moving workers to home all over the world resulted in an increased attack surface and increased privacy concerns as well. Security questionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. reports. COVID, in other words, put supply chain risk posture front and center.
Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc.
Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk.
To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.
Key Takeaways:
1:18 - Dr. Wynn tells the audience about her information security background and recognitions.
2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.
4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.
5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.
6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".
8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.
9:12 - Allan points out that the Solarwinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.
10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.
12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.
14:34 - Dr. Wynn and Allan talk about the strength and significance of contracts in the cultures of various companies.
16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.
19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.
23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.
25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.
25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.
26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Dr. Rebecca Wynn on LinkedIn.
Sponsored by our good friends at Axonius
Wednesday Mar 10, 2021
Business-Oriented Security w/ Chris Castaldo
In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail.
The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills the void in books for founders that seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review the book before its release.
But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO?
Allan asks Chris how a CISO can affect both the bottom line and the top line as well. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses.
Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business.
To close the podcast, Chris shares that he loves information security because of its always offering something new, and because of it evolving towards a user-centric approach.
Key Takeaways:
0:36 - Chris tells the audience about his security book for founders.
2:19 - Chris talks about his day job as CISO at Crossbeam.
3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.
6:05 - Chris walks through how a CISO's impact to the top and bottom line varies for startups vs. mature businesses.
7:16 - Chris compares security aspects of a non-security offering to airbags in a car.
9:02 - Allan shares his past as a product security professional and how business-aligned product security in tech companies is.
12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.
14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.
18:24 - Chris discusses how to enable security without putting the brakes on the business.
22:40 - Allan explains how some of his basic security controls also accelerate the business.
25:17 - Chris explains why he loves working in information security.
26:21 - Chris is looking forward to user-oriented cyber security.
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Chris Castaldo on LinkedIn.
Sponsored by our good friends at AttackIQ
Wednesday Mar 03, 2021
Supply Chain Security w/ Omkhar Arasaratnam
Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security. With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table!
Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which attackers tampered with the vendor's build process and used the trojanized product as a leverage point to gain access to high-value targets. This attack required precision and focus, and is one of the first public breaches of its kind; however, Allan and Omkhar expect copycat attacks to come, and see the attack as a wake-up call for all those with access to client data to step up their supply chain security.
Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls. Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk. These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly.
With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkhar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkhar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change!
Key Takeaways:
1:10 - Allan asks Omkhar to share about his background before jumping into the main topic.
1:53 - Allan has two questions for Omkhar.
5:09 - Consumers and providers have a responsibility to step up their game.
7:41 - The conversation shifts toward the vehicles for managing supply chain risk.
9:05 - What’s Omkhar’s take on the open source/credit score-style check?
11:55 - Allan and Omkhar turn to Omkhar’s black box idea.
17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles.
21:50 - What are these obstacles, and what is the needed precursor work?
26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion.
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Omkhar Arasaratnam on LinkedIn.
Sponsored by our good friends at AttackIQ
Wednesday Feb 24, 2021
Startups & VCs in InfoSec w/ Will Lin
In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his current role as a way to help others. Allan welcomes Will on to the show to help his listeners learn more about the startup world, the venture capital world, and how those two intersect.
The show starts with Allan asking Will why he thinks startups are such a prevalent force in the cyber security world. Will is not sure, but his hypothesis is that this is in large part due to the ever-changing nature of cyber security. Since needs are constantly changing and each organization has unique needs, startups have popped up to address those specialties and change based on the different needs that arise. His second hypothesis is that there always need to be organizations prepared to address new and emerging threats to security.
For VCs, Will shares that companies and startups go through very natural progression in terms of maturity depending on their framework. Regardless, what it all boils down to is where in their life cycle any organization finds itself. Once the VC is able to identify where the company is in their life cycle, then they can begin to make informed decisions about the company. This will determine the type of funding that VCs will decide to provide. For example, usually when a company is around 10-20 members, they will be looking for series A funding. Typically, series A funding is around 10-25 million dollars, series B is 20-40 million and series C is 50 million and above. By evaluating the total of the investment, observers can estimate the valuation of the company.
While most companies only do a few rounds of fundraising, some companies will experience several late rounds of fundraising and Will advises that this is typically a good thing. The best indicator of health is the number of employees. If the number of employees is going down, that is one of the clearest indicators of regression. Once a VC comes in, though, that is where they are able to lend their experience to help with advising the business, which is Will’s favorite part of his job.
To close the podcast, Will shares that being able to help people and add value to their companies is the thing that keeps him energized and engaged in his position.
Key Takeaways:
0:24 - Listeners are introduced to Allan Alford and his guest, Will Lin.
1:27 - Why do so many people in the security industry rely on startups?
3:29 - What does Will do in his job and how has his background led to his current role?
5:36 - From Will’s perspective, what is the critical split between the first round of angel funding
9:33 - What is the expectation for funding in each different series of investments?
15:19 - What does the VC ownership look like from the perspective of the company?
21:22 - Does Will offer specific advice to the startups that he works with?
24:00 - What is Will’s opinion on startups that grow without any assistance from VCs?
25:48 - What keeps Will energized in his job?
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Will Lin on LinkedIn.
Sponsored by our good friends at Axonius
Monday Feb 22, 2021
Storytelling in InfoSec w/ Chris Cochran & Ron Eddings of Hacker Valley
On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they’ve held in the space.
While they came up in the cyber security space through different channels, they now work together at Marqeta, Ron as a Security Architect Leader and Chris as the Director of Security Engineering. Additionally, together they host the Hacker Valley Podcast. Allan is curious how the podcast affects their day jobs and their day jobs influence the podcast. Ron and Chris explain that it has given them wider contacts with people in the security industry and the opportunity to speak with them about their interests and expertise.
Allan asks Ron and Chris how they stay passionate about their work. Chris says both he and Ron believe in getting better everyday, even if it’s in small increments. Reading books, taking classes, speaking to mentors are all ways that he improves himself and makes sure he stays sharp. Ron shares that he is a collector, and it has led him to collecting experiences. Through these experiences, he is also able to continue getting better and improving himself.
They both share that through the podcast and their jobs, they need to continue learning and working. They’ve taken voice coaching and storytelling lessons to keep on the cutting edge of podcasting. Everyone has a story and the ability to share your own and help others share theirs is essential not only to impeccable podcasting but also being an empathetic and engaged human. In threat intelligence and user awareness training along with other technical skills storytelling is integral to meeting people where they’re at.
As the episode ends, Allan asks Ron and Chris about the future for them and their podcast.
Key Ideas:
0:22 - Chris and Ron are introduced.
4:46 - How the podcast influences their day jobs and vice versa.
12:08 - Allan asks Chris and Ron about infusing passion in their work.
16:39 - The importance of storytelling in podcasting.
24:00 - What does the future look for Ron, Chris, and the podcast?
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Follow Chris Cochran on LinkedIn and Twitter
Follow Ron Eddings on LinkedIn and Twitter
Support Hacker Valley Studio on Patreon.
Sponsored by our good friends at Axonius
Wednesday Feb 10, 2021
Vulnerability Management w/ Anne Marie Zettlemoyer
Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management. Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in information security!
Anne Marie is deeply entrenched in the world of information security, and she loves her work. She began her career in accounting and finance, but by serendipity was introduced to security through a position updating a company’s payment system. From there, she was recruited into the Secret Service, where she developed a passion for the information security field - a field she hasn’t left since! Anne Marie is driven by the energy and nobility of her profession, and she values work as a protector and defender. At the same time, she feels a high level of responsibility to her company and her customers to navigate information security well.
The baseline for security work, Anne Marie says, is the fundamentals. The first line of a security officer’s responsibility is to maintain this sort of system hygiene; this is why Anne Marie is passionate about vulnerability management. In a changing threat landscape, vulnerability management is a basic necessity to keep products and clients safe. Of course, this does not make vulnerability management an easy task.
Practitioners of vulnerability management must also attend to a variety of factors: regulation and compliance, CVSS scores and the tooling that adds context to them, and deciding where vulnerability management sits within the broader security program (often as a key driver of it). Within the world of information security, vulnerability management is one of many complex pieces to juggle, and people like Anne Marie stand at the center of the balancing act. Anne Marie leaves listeners with an idea of how best to approach information security today, and with the prospect of exciting changes on the horizon in data governance and in bridging the gap between speed and security.
Key Takeaways
0:17 - Listeners are introduced to Allan Alford and his guest, Anne Marie Zettlemoyer.
1:12 - Allan asks Anne Marie to walk through her day job.
1:56 - Why is vulnerability management important to Anne Marie?
4:13 - Allan shifts to the subject of motivating people to fix vulnerabilities.
6:26 - Anne Marie's broad experience gives her a unique perspective.
8:41 - Remediations must be obtainable.
10:27 - Overall, fundamentals, partnership, and understanding are needed.
11:27 - Allan and Anne Marie turn to metrics, tooling, and context.
14:38 - Within the security program, where does vulnerability management fit?
18:00 - How did Anne Marie get into vulnerability management?
20:15 - Her job and its responsibilities require certain things.
20:56 - What keeps Anne Marie in the game?
22:20 - What is she looking forward to in the field?
Learn more about Anne Marie Zettlemoyer and connect with her on Twitter and LinkedIn.
Learn more about Allan Alford and connect with him on Twitter and LinkedIn.
Learn more about The Cyber Ranch Podcast, part of the Hacker Valley Studio family.
Learn more about podcast sponsor Axonius.
Support Hacker Valley Studio on Patreon.
Follow Hacker Valley Studio on Twitter.
Wednesday Feb 03, 2021
Behavioral Economics & InfoSec w/ Kelly Shortridge
Behavioral Economics has altered our perceptions of what actually motivates human beings. How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security? Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation. Sponsored by our friends at AttackIQ
Podcast: The Cyber Ranch Podcast
Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge
On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in product for a security vendor, and she has done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but was mostly on the building-gaming-rigs side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security.
Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice; behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don't always behave in the rational, textbook way, but Kelly explains that their choices are often rational once you factor in competing priorities. In information security, this shows up when people find themselves reacting to the threats that get the most attention rather than those proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work.
Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our "lizard brains," Allan wonders whether we should be optimistic about how we may think about and prevent attacks in the future. Kelly isn't so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective; however, knowing how we think doesn't help people think differently. In InfoSec, there are opportunities to keep making the secure way the easiest way, and so circumvent the lizard brain. Other industries have been designing systems and workloads around the way people behave; Kelly says InfoSec is just behind the curve.
As the episode ends, Allan asks Kelly what keeps her in InfoSec. Kelly says it is spite. There are still inefficiencies, and an industry that pats itself on the back for doing little, and that makes her spiteful, she says. She wants to be an industry member who adds value to organizations and puts the user first.
Follow Kelly on Twitter as @swagitda_ or on LinkedIn at Kelly Shortridge
Learn more about Allan and the Cyber Ranch Podcast at Hacker Valley Studio
Sponsored by our good friends at AttackIQ
Friday Jan 15, 2021
1-Minute Introduction
A one minute introduction to the show and its format