The Cyber Ranch Podcast


Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.

Allan Alford


    • Jan 8, 2025 LATEST EPISODE
    • every other week NEW EPISODES
    • 33m AVG DURATION
    • 204 EPISODES

    Ivy Insights

    The Cyber Ranch Podcast is an absolute gem in the world of cybersecurity podcasts. Hosted by the brilliant Allan Alford, this podcast offers a unique and laid-back style that makes it both enjoyable and informative. Whether you are a seasoned professional or just starting out in the field, this podcast has something to offer for everyone.

    One of the best aspects of The Cyber Ranch Podcast is Allan's leadership and humble mentality. He constantly pushes himself to learn more and stays up-to-date with the latest trends and developments in cybersecurity. This dedication to continuous learning shines through in each episode, as he delves into various topics with depth and clarity. Listening to Allan is like having a mentor who genuinely wants to share their knowledge and help you grow professionally.

    Furthermore, Allan's charisma and excitement are infectious. His passion for cybersecurity is palpable, making each episode engaging and captivating. Whether he's discussing new threats, sharing insights from his own experiences, or interviewing industry experts, Allan's enthusiasm draws you in and keeps you hooked until the very end.

    On the downside, there aren't many negative aspects to highlight about The Cyber Ranch Podcast. However, one minor drawback could be the occasional lack of diversity in guest speakers. While Allan brings valuable insights from his own experience, hearing from a wider range of voices within the industry would further enrich the podcast's content.

    In conclusion, The Cyber Ranch Podcast is a must-listen for any cybersecurity professional looking to expand their knowledge base and stay informed about current trends. With Allan Alford as your guide, you can expect not just informative content but also an enjoyable journey through each episode. Don't miss out on this fantastic podcast that combines brilliance with humility!




    Latest episodes from The Cyber Ranch Podcast

    That's All, Folks, and THANK YOU!

    Jan 8, 2025 (15:05)


    Every trail ride ends at the, well, end of the trail. This is the end of the trail for The Cyber Ranch Podcast. Drew and Allan offer final parting thoughts and conduct brief interviews with 3 folks whose presence was vital to the show:  Chris Cochran, Ron Eddings, and Rich Salim. It's been an amazing journey and we thank ALL of you who ever listened to even just one snippet of one episode. Y'all stay good now!

    Why We Need To Rethink All of It

    Jan 1, 2025 (38:48)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast. Today we tackle WHY? Why do we have this show? Why do we ask the questions we ask and host the guests we host? Why does any of this matter? More importantly, WHY do we all keep doing the same things over and over, saying the same things over and over, and expecting better results? WHAT can we change? Join Allan Alford, many-times CISO and cybersecurity podcaster of many years now. Joining Allan is Drew Simonis, who has been co-hosting the show now for 21 episodes, and was a guest a few times before that. This show is a chance to understand the premise of the show better, to understand Drew better, and to find out why we're all here.

    Drew's bona fides:
    • CISO @ Juniper Networks
    • Former CISO and Deputy CISO @ HPE
    • CISO @ Willis
    • Various other roles, including an industry role at Symantec

    Drew joined as co-host because he's a deep thinker, and because he applies that deep thinking to challenging the status quo. Allan's WHY is very simple: we've not grown or progressed as an industry in years now, which means we are clearly doing something wrong. Mostly, IMHO, resting on our laurels, making the same assumptions, trying the same techniques, and not questioning any of it. Drew offers a more nuanced take on the idea of "speaking the language of the business". It's a great show. Y'all be good now!

    Narrative Intelligence with Joe Stradinger

    Dec 18, 2024 (36:48)


    We have all had a vague sense that our world is being manipulated, informed and fed by various conscious manipulation tactics: influence on political campaigns on social media, culture wars, class wars, etc. But we can glean the facts and figure out who is telling what story if we embrace a new discipline: Narrative Intelligence. Our guest this week is Joe Stradinger, Founder and CEO of EdgeTheory, who are out to understand and leverage the conversations that shape our world, specifically social media campaigns and presences. Think threat intelligence, but at a global/sociopolitical level. Joe has been an investor, he has worked in DC, and he has a lot of academic ties as well. His knowledge in this space is immense, and we are tickled pink to have him here at the 'Ranch.

    We ask Joe:
    • What are the goals of a robust threat intelligence program?
    • What is narrative intelligence and why does it matter?
    • Compare and contrast this to traditional threat intelligence.
    • How do adversaries influence the narratives? Is this the realm of bots and deepfakes?
    • Does narrative intelligence replace, complement, or improve on traditional approaches?
    • How can narrative intelligence enable you to get in front of problems?

    It's an excellent conversation, well worth a listen. Y'all be good now!

    CISO vs. CTO with Jon Green

    Dec 11, 2024 (32:56)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Jon Green, an experienced CISO but also an experienced CTO. Jon is currently the CSO and CTO at HPE's Aruba. He's also a DefCon goon and a Team8 Villager. He's done the marketing engineer side, the network engineer side… Quite a storied past. We are thrilled to be talking with him about the differences between CSO/CISO and CTO. Jon, thank you so much for joining us at the 'Ranch!

    • Tell us about your early career. Did you start in security or as a technologist?
    • What are the key priorities for someone with a CTO title?
    • As someone who has held both CTO and CSO titles, how does the pressure to deliver revenue-impacting products differ from the pressure cyber leaders face?
    • What does it feel like to be on the receiving end of security requirements, which are often developed in the abstract or for the general case?
    • When you are assessing future trends and technology shifts, what are the different lenses you use to make the security evaluation vs. the more functional and integration-oriented evaluation?
    • What is something you have learned which surprised you?
    • What do you wish other CSOs understood better?
    • What is a piece of advice…
    • You've been involved in DefCon and other cyber events for many years. What changes have you seen during that time?

    Y'all be good now!

    Industry Introspective with Thomas Krane

    Dec 4, 2024 (34:24)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Thomas Krane, Managing Director at Insight Partners. If you go to Thomas' LinkedIn page, you will also see that he works with a number of cybersecurity scaleups (we'll define that term). As such, Thomas is uniquely qualified to speak to some trends in the industry. Drew asked Thomas to join us here at the 'Ranch to discuss quite a few facets of the industry. Thomas, thank you for coming on down to the 'Ranch!

    • We see consolidation and platform creation, but also continued development and evolution of point products. Are we better off viewing cyber as a single market, or is this a combination of several related but distinct markets?
    • It looks like money is flowing into startups again. Is that so? If so, what factors are driving the renewed interest in cyber products? And what is the difference between a startup and a scaleup?
    • Is VC money leading the development of new solutions, or is it in a phase of fast following?
    • Aside from AI, what types of solutions are heating up, and where are we seeing more stable maturity? Any areas that have fallen off the map?
    • Speaking of AI, are you seeing predominantly new solutions, or reframing of existing solutions to fit the new challenges that AI poses?
    • Two ends of a spectrum: security using AI and securing AI. Which is most interesting? Which is more likely to produce a big breakthrough? Which is a more solvable problem?

    Y'all be good now!

    Hybrid Identity Protection - Amazing Interviews with Many Guests

    Nov 20, 2024 (31:42)


    This week Allan attended the HIP Global conference in New Orleans, which happens to be Allan's favorite city in America. The conference was outstanding: no sales pitches, no nonsense, just many experts speaking on the topic of securing identity. Entra ID, Okta, and AD folks all were present, and it was amazing. Allan got to interview some AMAZING guests from all walks of identity life, including one gentleman whose pedigree includes a rather critical national role right out of the White House... Listen in as Allan asks the following questions (one of which Drew answers too!):
    • Why does identity matter?
    • How do we protect the intersection of identity and data?
    • How do you protect uptime (availability) of identity?
    • What should be the single source of truth in identity?
    • Who should own identity? CISO? CIO? CTO?
    • What is the role of cybersecurity in identity?
    • What is the best directory service of all time?
    • How do you manage identity sprawl?

    Y'all be good now!

    Practical GenAI and LLM with Tim Rohrbaugh

    Nov 7, 2024 (45:23)


    In this episode Allan and Drew consult Tim Rohrbaugh, who has done quite a lot of research and work on the practical applications, deployment, use cases and limits of GenAI and LLMs. Topics covered:
    • Flavors and incarnations of AI: GenAI, expert systems, ML...
    • Biomimicry and Allan's weird sea cucumber references
    • Practical LLM deployment: Tim's maxims
    • Offline or online? Open or proprietary models?
    • Precision, accuracy, and asking the right questions in the first place
    • Your smartest employee as your limiting factor
    • Probabilistic vs. deterministic outcomes
    • Hallucinations: not necessarily a negative term
    • How long before we get the person out of the loop?
    • The actual skills required to be a "GenAI engineer"
    • Getting started at home: hardware and models
    • Fabric AI and patterns

    It's a great show and you will most definitely learn a lot! Thank you Tim, and thank you, listeners! Y'all be good now!

    Cyber Civics and Voting with Kirsten Davies - SPECIAL EDITION!

    Oct 30, 2024 (33:01)


    Howdy, y'all! With American presidential elections already under way, Allan and Drew decided that scrambling to get Kirsten Davies on this week's show (the last one before formal Election Day) was paramount. Kirsten has been on our potential guest list for years now, as she is a multiple-time Fortune 500 CISO. But now Kirsten is CEO and Founder of The Institute for Cyber Civics, a non-partisan non-profit aimed at empowering poll workers and poll volunteers to recognize and deal with cyber attacks on the voting process. Hear about Kirsten's charter, mission, vision, goals and capabilities in this SPECIAL EDITION! episode! Y'all be good now!

    Social Media & Community Engagement with Technically__Rose

    Oct 23, 2024 (27:05)


    Our guest today is Babbette Jackson, aka Technically__Rose of YouTube and Instagram fame! Babbette works in DLP and insider threat analysis. She has worked in places as far flung as Edward Jones, Juniper Networks, and Bank of America. More importantly, Babbette is quite involved in the intersection of social media and community engagement. How do we use social media to engage others across generations and to encourage community participation? Allan, Drew and Babbette discuss:
    • We've been talking to others about how they arrived in and either struggled or flourished in cyber. What is your story?
    • What inspired you to embrace social media as you have? What kind of results are you seeing from this engagement?
    • We've seen your content on LinkedIn and on Instagram; it's very creative but also very relatable. How do you decide what topics to cover, how to frame them for the right audience, come up with the structure of your messages, etc.? How many times do you re-do them?
    • You've mentioned social capital. Tell us about that concept, how you build it, how and when you use it, etc.
    • What is something established leadership in the field should understand about dealing cross-generationally that we often get wrong?

    It is a wonderful show, and Babbette is a wonderful guest who is willing to share the insights behind her success. Y'all be good now!

    You Don't Own "You", and "You" Are Being Altered with Sam Rad

    Oct 16, 2024 (43:10)


    Who and what you are, your personality, your style, your thoughts... That's all about to change. For one thing, you are already a product on “free to use” social media. You don't really own things you think you own (we're looking at you, Steam!). Even your intellectual property is up for grabs now in ways you can't see coming. Hollywood actors are selling the rights to their digital likenesses, and meanwhile, others are stealing such rights via technological loopholes. All media exists, according to Drew, to draw you towards the advertisements… And your deepfake could be used to do just that to others. Some of these fakes are good enough to fool even yourself.

    Join Allan and Drew as they interview Sam Rad, a premier futurist and humanist, who freely admits that there is now an inherent tension between those two philosophies. The conversations about the governance, ethics, and security of all this new media and technology are woefully behind the curve. Many members of the TikTok generation have a 4-second attention span and require multiple simultaneous input streams at any given time to feel satisfied. Is this a deliberate attack on the Western human nervous system? Cyberattacks are certainly killing people already; why not go straight for their brains? Are the peasants coming with pitchforks and torches to destroy Frankenstein's newest monster? How about the striking dockworkers? The terrorists destroying 5G towers? Do peasants with pitchforks ever win?

    Ned Ludd (mistakenly called “Jason” by Allan) and the Luddites failed in a big way to stop technology from replacing their jobs in the late 1700s (mistakenly referred to by Allan as having happened in the Victorian era). This show is peppered with other such historical and cultural references, such as the cultures and economies in Second Life, Picasso's mass production of his own paintings, Rousseau's evolving concepts of property, Mary Shelley and her Frankenstein's monster, Hegel's model of “thesis, antithesis, synthesis”, the Butlerian Jihad from the “Dune” series, and William Gibson's maxim that “The street finds its uses for things”. We're not even coping with all of this, and now we have the AI conversation thrust upon us as well… Your content is training data, and can be mimicked with uncanny accuracy as well. Check out Sam's book, “Radical Next”, and her docuseries “Illicit Economies of the Shadowverse” to learn more about the positives and negatives of all of these trends in humanity. Good luck out there. Stay safe. Who you are and what you own is irretrievably altered at this point. Cybersecurity is really just “security” now. But hopefully all this mess will create the next cultural and creative Renaissance. Y'all be safe now...

    A Cybersecurity Program to Emulate? A Powerful Formula with Jason Shockey

    Oct 9, 2024 (36:22)


    Jason Shockey, CISO of Cenlar FSB and 25-year veteran of cybersecurity, has a formula for running an excellent cybersecurity program. He studied a great deal in his various cybersecurity roles before leaping into a CISO role, and the studying paid off! Jason, Allan and Drew discuss the following:
    • Identifying Common Pitfalls
    • Promoting Team Well-Being and Efficiency
    • Engaging and Educating the Board
    • Strategies for Effective Program Design

    ALL in the span of one rapid-fire show! Do give it a listen, as you will learn about many valuable approaches and resources to help your program succeed. Y'all be good now!

    Cyber and Social Media as Warfare with Dave Schroeder

    Oct 2, 2024 (43:30)


    Cyber as precursor to kinetic warfare? What about cyber AS warfare? And social media infiltration and propaganda? Join Allan and Drew as they invite Dave Schroeder, a renowned expert in this field, to discuss the active use of cybersecurity and social media as warfare between the Western World and China, Iraq, Russia and North Korea. They cover:
    • Insertion of fake IT employees into key companies
    • Political influence operations (divide and conquer)
    • Precursors to kinetic war being the smallest tip of the iceberg
    • Philosophical differences between nations and governments serving themselves
    • Cultures of trust in the West, and how those are not so self-serving

    This one is very sobering and perhaps the most important show of the year... Y'all be good now!

    The Case for Regulation with Tim Brown

    Sep 25, 2024 (37:10)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest today is Tim Brown. If you don't know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us. Or maybe, in a way, he is all of us, really. Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch. The topic today is cyber regulation. It can range from self-regulation to associations, principles, practices, lobbying, all the way up to full government regulation. What works? What's required?

    Topics covered:
    • What is the case for regulation?
    • What are the basic rules to provide us coverage and clarity? Not knowing the rules makes people nervous and afraid...
    • Document your own processes, procedures, JDs, what you do, what you don't do. Make it clear!
    • Rigorous banking industry regulations exist already. How onerous are they? How badly would they fit the rest of us?
    • Perhaps a GAAP (generally accepted accounting principles) equivalent is desired?
    • Process/procedure vs. 'Thou shalt never have a vulnerability!'
    • Heavy-handed governmental oversight: defining standard of care and turning that into something people can stand behind?
    • Remember that Sarbanes and Oxley were people. Real people.
    • Is regulation required to create a more positive environment in the way SOX does?
    • What does the public-private partnership need so that the rules created are good and realistic and improve cybersecurity for the world?
    • REGULATION IS COMING! THE CISO COMMUNITY MUST BE A PART OF THAT REGULATION!
    • Have we had a cyber Enron, and do we need one? That was the real catastrophe that launched SOX...
    • Regarding GAAP, accounting is deterministic vs. dynamic. Can a cyber GAAP ever exist given how dynamic we are?
    • The compliance world: principles-based vs. rules-based regulation, a more practical model. It may not move the bar enough, but it's a good starting point.
    • Should a whole field of security auditors exist like accounting auditors do? We are youngsters in this craft still...
    • Is the accounting world really the best metaphor? Auditors, forensic accountants, etc.?
    • Another model is the medical world: malpractice, specific rules and regulations on specific surgical practices?
    • What about a national CISO board or association like the NACD or the American Psychological Association?
    • What about boards like medical review boards that approve specialties?
    • Lobbying
    • How to fund this?
    • Who should be doing the doing? Inclusivity vs. sound gatekeeping.
    • A barber has to be licensed to cut hair. Should we get licensed?
    • This conversation was around with software engineers long before it was with cyber folks. We learned that self-policing did not really work...
    • The challenge is one of not shackling the business, or at least not appearing to, and the subsequent pushback.

    The call to action is ultimately this: if you don't have a seat at the table, folks will do things to you rather than with you. So get involved! Y'all be good now!

    You're Hiring Wrong! with 3 Guests New to the Industry

    Sep 18, 2024 (42:46)


    What can we established cybersecurity practitioners ACTUALLY do to help those new in the field, besides blathering back and forth about the problem in the echo chamber that is LinkedIn? Drew got the clever idea of inviting three folks who are brand new to the field or barely started on their cyber journey, and, get this: ASKING them what they're experiencing and what they need! Clever, huh? It's an eye-opening show for a CISO. We are joined on this week's episode by Amé Venter, May Ferreira, and Bryce Hill, who share their perspectives from their early stages in this field. It's a sobering perspective. To a certain extent, they've all been lied to and led on, and that's all of our faults.

    Key takeaways:
    • Prodsec/Appsec might get you out of being a cost center in cybersecurity, but no intro programs seem to show folks how to get there.
    • Certs aren't enough. Education is not enough. It is HARD to get started.
    • Internships sound great, but even after you have secured one or two of them, entry-level positions remain elusive. Especially "entry-level" positions that require experience.
    • Innovative programs like the one Bobby Ford is doing over at Hewlett Packard Enterprise are a huge leg up, but such programs are few and far between.
    • There are a lot of folks standing outside the doors to our industry who were told this was the promised land. But there they are, still standing and peering in, waiting for an invitation.

    CISOs, please listen to this show. Please re-think your hiring strategies! Y'all be good now!

    Data-Driven Cybersecurity with Wade Baker

    Sep 11, 2024 (40:46)


    Howdy, y'all! Our guest today is Wade Baker, cybersecurity researcher, entrepreneur, professor… Wade is a Board of Directors member of the FAIR Institute, was an Advisory Board Member at the RSA Conference, was VP of Strategy & Risk Analytics at ThreatConnect, and is now Co-Founder of Cyentia Institute, which aims to advance cybersecurity knowledge and practice through data-driven research. Wade joins Drew and Allan to talk about (go figure!) data-driven cybersecurity. The three smash through a lot of assumptions and get to the heart of what is really going on in cybersecurity.

    Questions covered:
    • What is the Information Risk Insights Study (IRIS)? (cyentia.com/iris/)
    • What is a good summary of the IRIS Ransomware report?
    • How can organizations out there be more data-driven?
    • Analyst whitepapers vs. real data research: what are the differences?
    • Who else can mine data like this?
    • What truths do people resist, or what do they fail to embrace?
    • What are the sacred cows and the “inflatable cows”?
    • Is the cyber job shortage a real, data-backed problem?
    • The desire for “flat math” vs. curves (the 5x5 grid)…
    • Measuring the problem side vs. the solution side…
    • Actual best practices vs. common practices…
    • Insurance industry data and why they don't share it…
    • Much of what we do does not affect the realities of our cyber risk.
    • Stepping back from all of this, what is the value in data-driven industry analysis of this sort?
    • How does one sponsor IRIS publications?

    Y'all be good now!

    Successful Clarity & Successful Communication with Michael Santarcangelo

    Sep 4, 2024 (48:21)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Michael Santarcangelo, Founder and President at Security Catalyst. He's a former podcaster, co-creator of Business Security Weekly, and he even did a stint on Down the Security Rabbit Hole with Raf and James. True fact: hearing Santa (as his friends call him) and Paul Asadoorian on Business Security Weekly is what inspired Allan to become a podcaster in the first place! But "Santa" has done the practitioner and the leader things as well, and got his start way back on the Global Security Team at Andersen Consulting… Santa joins Drew and Allan to discuss effective communication…
    • The communication problem we're trying to solve is not the one we think it is!
    • “Communicating the value of cybersecurity”: what does that mean, really?
    • Clarity vs. communication; message received and understood... It's clarity of thinking, action, and outcomes that creates the ability to communicate effectively.
    • If that is the case, then what matters is how OTHERS measure our success, and how that is aligned or not with our own perceptions.
    • How do we measure success in communication? Is it how they measure it?
    • What is the goal of communication? (And why do we say that instead of ‘the goal of good communication'?)
    • How do we get perspectives? (We ask.)

    Y'all be good now!

    What Is In Your Commercial Software? with Sasa Zdjelar

    Aug 28, 2024 (31:37)


    Your organization runs on commercial software far more than it does open source. But all you are delivered is binaries. What is your technical control to ensure that you are safe from this software? Such software is composed of:
    • Open source libraries
    • Proprietary code
    • 3rd-party proprietary libraries

    You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc. Well now you can. SBOMs are just the beginning... Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, who have spent 15 years solving this highly specific and highly challenging problem in cybersecurity. The show is not sponsored by ReversingLabs. Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand... Y'all be good now!

    People, Process & Technology: Technology with Ross Young

    Aug 21, 2024 (40:15)


    This is our third and final episode of this miniseries. In this episode we are joined by Ross Young, a well-established member of the cybersecurity community with a storied background and a penchant for giving back via various means. Ross joins Allan and Drew in exploring the role of technology in the People, Process and Technology triad.

    Questions covered:
    • The traditional triad of people, process, technology has been with us since 1964, from an era when digital systems were in their infancy and computing as we know it today was science fiction. Is PPT still the right way to look at business problems?
    • Has technology taken its place as "first amongst equals", or are we still right to say "cyber isn't a technology problem"?
    • Given the evolution of technology, and even more so with what is on the horizon with AI and other autonomous systems, are we moving past "technology enables humans" to "technology replaces humans" for some parts of the cyber challenge?
    • How do you see the technology portfolio developing over the next 5 years?
    • What is the future of data science?

    Thanks as always for listening. Y'all be good now!

    People, Process & Technology: Process with Malcolm Harkins

    Aug 14, 2024 (33:29)


    Howdy, y'all! In part two of our three-part miniseries, we tackle Process with Malcolm Harkins. Malcolm is former CISO at Intel, a good friend of Allan's, former Cylance Chief Trust and Security Officer, member of the board of directors over at TrustMAPP (where Allan used to be COO), and is now at Hidden Layer, working to secure AI. Hidden Layer did not sponsor this show. Allan, Drew and Malcolm discuss the following:
    • People, process, technology: what is the role of process in that triad?
    • How do we craft good process? What part of process definition is capturing the as-is state vs. being aspirational?
    • How do we ensure good process is followed?
    • When should technology drive process vs. process drive technology?
    • Where does process traditionally fall short? What would you improve about process in general?
    • Tell us a bit about Hidden Layer, as this is some very new technology...

    Thank you for listening! Y'all be good now!

    No Show This Week - Black Hat 2024 Is Afoot!

    Aug 7, 2024 (0:13)


    Thanks for listening, y'all!  Our next show is all about Process (we already did a show on People) and after that comes Technology. Y'all be good now!

    People, Process & Technology: People with Jeremiah Roe

    Jul 31, 2024 (38:30)


    Jeremiah Roe has held many roles in cybersecurity: Field CISO, Red Teamer, Advisor, Consultant, etc. He currently advises for OffSec, who provide quality cybersecurity training. Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part miniseries, each of the three shows exploring People, Process and Technology respectively. The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:
    • People, Process, and Technology: which is most important?
    • If they knew what we knew about cybersecurity, would they behave differently?
    • How to leverage training budgets for a win-win-win.
    • People gonna peop, businesses gonna biz.
    • Incentivization, positive reinforcement and deputization
    • Enabling camaraderie, not just good culture
    • Groupthink and tribalism

    Join the three as they ride the cyber trails of "People" in the PPT triad! Y'all be good now!

    Practical Security Architecture with SABSA with Andrew Townley

    Jul 24, 2024 (38:01)


    Drew and Allan were skeptical about SABSA, as it is a model one CISO friend described as being "only good for a graduate student writing a paper!" Another CISO pointed out that SABSA was designed long before modern engineering practices. Andrew Townley, a long-term SABSA consultant, on the other hand, gets straight to the practicality of it. There is indeed an academic and theoretical foundation behind SABSA, but it is most definitely leveraged for one purpose: to achieve desirable business outcomes. Drew and Allan ask:
    • What is SABSA's purpose?
    • Is Andrew's specific, practically applied methodology a deviation from the official SABSA canon?
    • How can one prove its effectiveness? What are the practical business outcomes?

    Both Allan and Drew walk away with enough curiosity to dig into SABSA more. Note that Andrew several times also cites the work of Russell Ackoff, another academician who enjoyed a rather brilliant career as a business consultant, grounding his systems theory in meaningful business practicality. More on Russell Ackoff here: https://en.wikipedia.org/wiki/Russell_L._Ackoff

    Corporate Social Responsibility - The New Model for Cyber? w/ Drew Simonis

    Jul 17, 2024 (39:26)


    Hang on to your saddle for this one! Drew Simonis joins Allan as his new co-host in a show where the two of them explore alternative models for selling and funding the cyber mission! You probably know about corporate social responsibility initiatives. Did you know that it's not a new idea in the history of capitalism, but rather a throwback? Before shareholder capitalism, there was stakeholder capitalism: stakeholder capitalism proposes that corporations should serve the interests of all their stakeholders, and not just shareholders. Stakeholders can include investors, owners, employees, vendors, customers, and the general public at large. The focus is on long-term value creation, not merely enhancing shareholder value. Drew walks Allan through some very compelling arguments in favor of this model, and Drew and Allan together tie it to how CISOs can implement and fund cybersecurity...

    Random highlights:
    1. The short-sightedness of quarter-over-quarter thinking
    2. Comparison to the Chinese Communist Party, who get a big thumbs down from both Drew and Allan, but who do get credit for being able to enact truly long-term plans.
    3. Jack Welch and other prominent CEOs advocating for aspects of stakeholder capitalism
    4. Random tie-ins to cybersecurity all throughout.

    Allan is stoked to have Drew join him as co-host, and this show is most definitely one of the more philosophical episodes, while still grounding itself in the practicalities of running cybersecurity programs. Y'all be good now!

    Managing Threats Throughout the SDLC with Tomer Schwartz

    Jul 10, 2024 (28:33)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest today is Tomer Schwartz, co-founder and CTO over at Dazz. Yup! He's a vendor! And OMG he's a sponsoring vendor too! Whatever will we do? But wait, y'all know Allan's rule: Vendors are allowed on the show if and when they can add more value on a given subject vs. any practitioners in The Cyber Ranch network. Tomer fits that bill perfectly! Tomer has worked in the Microsoft Security Response Center; he's the former Armis co-founder & CTO and current co-founder & CTO at Dazz, a leader in the Application Security Posture Management space. Tomer is also a coffee aficionado. Now what does Dazz do and why did we ask Tomer to be on the show? Dazz is in the Application Security Posture Management space, which is relatively new around here, but they also collate and track threat exposure in real time, and also secure the SDLC in a DevOps'y way... Questions: The elephant in the room is Gartner's newest category in this space. Some say ASPM fits into CTEM, which is Continuous Threat Exposure Management for those behind on eating their alphabet soup. Tomer, what's your perspective on that? Let's talk about the problem in the ASPM/CTEM space: noise / too much data, no context, limited visibility from code to cloud and everything in between. For real, most solutions suck, as their single pane of glass is a very, very dirty pane of glass, and no amount of Windex is going to help. And our listeners know we believe in 3-4 "single" panes anyway. Is there such a thing as a single pane of glass in the ASPM space? Do we want a single pane? How does it play nicely with my "single" panes from other spaces? Here comes the can of worms: Can AI help with this? Gartner says by 2026 40% of enterprises will have an ASPM solution - do you agree? And then there's good ol' UVM - Unified Vulnerability Management. Feels like a past promise that didn't deliver. And it hasn't addressed DevOps or even Dev very well at all IMHO. What's your take? How should CISOs be thinking about all of these technologies and practices? It can get very complicated very fast and if it's not done right the devs will run screaming. Where is this all headed? What's the ideal future state in this space? Here's your chance to tell thousands of CISOs and other high-level practitioners what you want them to know. What do you want them to know?

    Measuring Leadership (And Followership!)

    Jul 3, 2024 (30:20)


    If leadership exists in good and bad forms, so must followership. Leadership can exist both by designation, and dynamically, as manifested by folks who may not have an official leader title. And yet we don't measure followership, and our measurements of leadership leave something to be desired... Join Allan Alford as he flies solo this week exploring these topics and suggesting a better way forward. Y'all be good now!

    There Is No Such Thing As Security with Nathan Case

    Jun 27, 2024 (41:20)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Nathan Case, who is a previous guest from a multi-guest show. Nate has been a CISO, CTO, strategist, consultant, CEO, and all kinds of other things. His career is as colorful and varied as Allan's – maybe even more so. Nate's chosen topic is "There is no such thing as security!" So without further ado, let's dive in! What do you mean when you say "There is no such thing as security!"? Nate declares it a way to judge risk. If security is a way to judge risk, then what about the judging? There are metrics there, and some kind of end state, yes? So you're saying our feelings about managing the unmanageable are really where the sense of security comes from? That 'security' = 'feelings about risk management results'? How do I know what I don't know? How does that relate to this definition of security? Let's get concrete – What changes are needed for tools and tech to get past this false sense of security? If security is a description of a thing, or a specific action, where does this leave us?

    21 Questions LIVE! at RSAC 2024 - 3 of 3

    Jun 19, 2024 (28:57)


    In this show, Allan interviews seven guests and asks them questions from a list of 21:
    Omkhar Arasaratnam: "How do we leverage LLMs for our own use in cybersecurity?" "How do you challenge your own precepts and assumptions to stay current in your role?"
    Ofer Klein: "How do you describe what you do in cybersecurity to someone at a cocktail party who knows nothing about cyber?" "How do you explain to the business the value you bring and the risks you solve?"
    Rick Doten: "What message do you have for your fellow CISOs?" "In this cybersecurity community there is hostility between vendors and practitioners. What is your best moment with a vendor?"
    Sahil Agarwal: "How do you measure and articulate the risk that AI represents to the business?" "Governance, Risk Management and Compliance - Where should the priority be?"
    Roger Brotz: "What would you like your fellow CISOs to know?" "What are we still getting wrong in cybersecurity?"
    Tyson Martin: "How do we take on more accountability as business leaders?" "How do we overcome our defaults, precepts and assumptions? How do you get past your own biases and blind spots?"
    Sponsored by our good friends at Semperis. It's a great series of guests, and a great series of answers. Y'all be good now!

    21 Questions LIVE! at RSAC 2024 - 2 of 3

    Jun 12, 2024 (34:04)


    In this show, Allan interviews seven guests and asks them questions from a list of 21:
    Chris "Cpat" Patteson: "Why do so many CISOs think cybersecurity insurance is snake oil?"
    Johann Balaguer: "People, process, technology - Which is the most important and why?" "What do you want your fellow community of CISOs to know?"
    Lee Krause: "What are we still doing wrong in cybersecurity?"
    Ken Foster: "What are we still doing wrong in cybersecurity?" "How do we articulate risk to the business?"
    Marty Momdjian: "Walk me through how to solve the nightmare of repeat incidents?"
    Michael Calderin: "IAM: Who should own it, and why? CIO? CISO?" "What is the definition of progress in cybersecurity? Is there an end state?"
    Mike Britton: "People, Process, Technology: Which is the most important?" "IAM: Who should own it? CISO or CIO?" "What's your favorite part of the RSA conference?"
    Sponsored by our good friends at Semperis. It's a great series of guests, and a great series of answers. Y'all be good now!

    21 Questions LIVE! at RSAC 2024 - 1 of 2

    Jun 5, 2024 (40:35)


    In this show, Allan interviews nine guests and asks them questions from a list of 21:
    Dr. Deanna Caputo: "How do you measure and articulate risk to the business?" "People, process or technology?"
    Carlos Guerrero: "How do we foster community in cybersecurity?"
    Elliott Franklin: "Governance, Risk Management, and Compliance – Which of the three is most important?" "What does progress look like in cybersecurity?"
    Corey Bodzin: "With regards to AI & LLM, what is the impact to infrastructure?"
    Evgeniy Kharam: "How integral is Identity & Access Management to the cybersecurity mission?" "How well is traditional DLP technology meeting its mission and what else can we do?"
    Gary Hayslip: "What does RSA mean to you?"
    Kelly Shortridge: "What does progress mean to you in cybersecurity?" "What is the end goal of cybersecurity?"
    George Kamide & George Al-Koura: "What are you getting out of RSA?"
    Kevin Jackson: "What are we doing wrong in cybersecurity?"
    It's a great series of guests, and a great series of answers. Y'all be good now!

    The Positives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests

    May 29, 2024 (38:39)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast... AND The Audience 1st Podcast! What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!). I am your host, Allan Alford, CEO of Alford & Adams Consulting. I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast! On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off). What we're doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber. This week's show focuses on the pros of cybersecurity – we covered the negatives last week, and this week we cover the positives. My listeners should know by now that I like to end on a positive note... WARNING: Some naughty language.

    The Negatives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests

    May 22, 2024 (29:09)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast... AND The Audience 1st Podcast! What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!). I am your host, Allan Alford, CEO of Alford & Adams Consulting. I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast! On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off). What we're doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber. This week's show focuses on the cons of cybersecurity – the beefs, gripes, grumps, complaints and fears about cybersecurity. Next week we'll end on a positive note, but this show is an opportunity for CISOs to scream into the void. Without further ado, here we go... WARNING: Some naughty language this episode.

    When It's Good To Deprioritize Security with Drew Simonis

    May 16, 2024 (50:18)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Drew Simonis, CISO @ Juniper Networks, former CSO @ Hewlett Packard Enterprise, former CISO at Willis – you get the idea. Drew's posts on LinkedIn are pure fire – not in the hot takes way, but because of the quality of the thinking behind them. Drew has also been on the show a couple of times now, and we keep inviting him back because he's always worth hearing from. Drew and Allan were chatting this afternoon about the idea that oftentimes cybersecurity does not matter – and that that's okay! So we decided to record a show on that topic. Drew and Allan share some real-world stories where they put security on hold for the benefit of the business:
    A VP of R&D had been told he had to get a new product off the ground that was only quasi-planned for. He had properly allocated headcount, but realized his cloud costs were going to rise dramatically. At the time Allan had a big security initiative he was pushing for out-of-bandwidth. They met and talked. His out-of-bandwidth need was stronger than Allan's in terms of benefits to the business. Allan backed him AND also made sure that his extra cloud spend included a few more security features in AWS. Win-win. Drew has a similar tale.
    Flat-out, top line was declining and we could not figure out specifically why. A new competitor explained some of it, but not all of it. Market fatigue? But that was not all of it. The CRO wanted more sales folks to throw at the problem. The CISO backed him and gave away project budget to support him.
    The company had mismanaged an expansion. The building was paid for, but nobody had thought about the IT costs and headcount. The CIO was trying to figure out where to get bodies to populate the new site. Allan gave up 2 headcount for 2 more quarters.
    Startup: the CISO took on the Marketing department temporarily when the head of Marketing left. It slowed down the security focus, but Marketing needed some hands-on attention beyond what the CEO could give. It paid off for the business.
    The CISO joined forces with the head of Pro Services to push through a security initiative that benefited key customers for him (contracts he could now secure), but also gave me some more generalized security comfort.
    Spent a huge amount of what could have been security operations time training sales teams on security as a differentiator in the market. Benefited top line.
    Drew and Allan share many more stories and break down why, in each of these cases, deprioritizing daily security operations was the right thing to do! Y'all be good now!

    Driving Business Growth with Ankur Ahuja

    May 1, 2024 (31:43)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest today is Ankur Ahuja, 2x CISO, TEDx speaker, startup investor, board advisor, etc. etc. Ankur is currently SVP and CISO at Billtrust, and he's got some Big 4 in his DNA too (ten years, in fact!). Ankur wanted to chat about how CISOs can drive business growth, so I asked him to come on down to the 'Ranch and have a chat with me. It's more than attending sales calls. It's more than security questionnaires. Listen for some clever new tips on driving business growth!

    Properly Prioritizing Cybersecurity with Melanie Ensign

    Apr 25, 2024 (39:48)


    Melanie Ensign is a communications strategist and corporate anthropologist for cybersecurity, privacy, and risk organizations.  She is founder and CEO of Discernible, a multi-disciplinary Center of Excellence for security, privacy, & risk teams. Her team includes experts in communications, product development and management, compliance, security and privacy engineering, and behavioral science. Melanie is here at the 'Ranch to talk specifically about the fact that so many CISOs feel they are in organizations that simply don't care about cybersecurity.  She's got some good insights into this one, and it's the perfect topic for her expertise. Allan asks Melanie: Allan put up a LinkedIn poll asking folks “Do you feel organizations properly prioritize cybersecurity?” The results were pretty sobering.  What are your thoughts? Is the problem really the organization or is it us? Probably a mix of the two, or maybe one or the other depending upon the environment and the individual CISO? Assuming it's the organization, how can a CISO avoid such organizations in the first place? How do you vet a company for its commitment to cybersecurity? If you find yourself in a company that does not seem to care about cybersecurity, what should be your next steps? Allan has emphasized over the years that all CISOs are salespeople times two. We sell the problem, then we sell the solution.  Is that a fair perspective in your mind?  How many other leaders have to sell their mission in general?  I think we all end up selling specifics… What communication skills can improve the situation for CISOs?

    Selling The Mission

    Apr 17, 2024 (26:42)


    In this episode, Allan tackles the idea of selling the CISO mission. He deconstructs the types of CISOs and the "selling" they must do. Sometimes you really are selling, but most of the time you should be solving business problems. Allan speaks to: business objectives met, business risks reduced, and maturity. He also deconstructs the art of selling itself. Hint: Business Impact Analysis is a valuable tool in this whole process. Special thanks to Helen Patton and Melanie Ensign for prompting this exploration. Y'all be good now!

    SecDataOps with Jonathan Rau

    Apr 10, 2024 (43:31)


    Our guest this week is Jonathan Rau, VP and Distinguished Engineer over at Query, and a proponent of what he calls "SecDataOps".  Jonathan is quite active on LinkedIn and his takes, though often spicy, tend to be spot-on.  Allan has come to enjoy following Jonathan's posts, and he was excited to have Jonathan come on the show and share his insights. Allan asks Jonathan, in a VERY lively conversation: What is SecDataOps? What is its focal point? Who should be in charge? What skills are required to participate? Who has those skills? What about the trifecta of people/process/technology? What is wrong in the community with our approach? Y'all be good now!

    Neurodiversity and Women in Cyber with 3 Guests

    Apr 3, 2024 (54:08)


    This is part two in our neurodiversity series.  Our guest roster this time also includes Dr. Ursula Alford, a psychologist who routinely works with the neurodiverse populace. The lineup of guests covers ADHD, Autism, challenges unique to women with neurodiversity, how leaders should manage neurodivergent team members and more. Y'all be good now!

    CISO Communications with Geoff Hancock

    Mar 27, 2024 (40:13)


    Geoff Hancock is Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He's also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  He is back at the 'Ranch this week to talk about CISO Communications. Allan asks Geoff: You say the first step is prioritizing clarity in communication. What does that mean to you? Your next step is developing strategic storytelling. Can you elaborate on that one? How do we enhance crisis communication? How do we engage stakeholders proactively? What about data? How do we leverage it in decision making? How does one bolster their leadership presence? How do you implement a feedback loop? What practical tools and strategies can be utilized for effective communication? It's a fantastic show full of great insights, and you will thoroughly enjoy listening to it. Y'all be good now!

    What Does Zero Trust Mean to You? with 12 Guests

    Mar 20, 2024 (36:37)


    Join Allan LIVE! at Zero Trust World in Orlando as he asks 12 guests "What does Zero Trust mean to you?" and a wide variety of other questions. Conference highlights are discussed as well, including hacker activities, hacker demonstrations, incredible talks, etc. Allan also learns all about The Tech Degenerates, an organization furthering partnership and camaraderie amongst cybersecurity vendors, MSPs, MSSPs, CISOs, etc. (Allan has since joined their Discord group!) Another great highlight is a chat with Carlos Rodriguez about the vCISO life. This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch! Y'all be good now!

    The 4 Horsemen & Zero Trust with Dr. Chase Cunningham

    Mar 13, 2024 (30:14)


    How does cybersecurity relate to the four horsemen of the apocalypse?  Famine, Pestilence, War, and Death?  In this episode, Dr. Chase Cunningham, renowned Zero Trust expert, author, instructor, Chief Strategy Officer, advisor, etc., examines the 4 conditions on our planet represented by the four horsemen, ties it all to cybersecurity, and then solves it all with Zero Trust.  It's quite a ride and an adventure you should listen to! Allan tries to keep up in this episode that jumps from topic to topic, but all with a zero trust underpinning. It's another LIVE! episode recorded at Zero Trust World 2024 in Orlando. Sponsored by our good friends at ThreatLocker. Y'all be good now!

    Incident Response Done Right with James Keeler

    Mar 6, 2024 (27:14)


    Howdy, y'all!  Allan went down to Orlando, Florida and recorded three LIVE! shows at Zero Trust World, a conference sponsored by ThreatLocker.  This is the first of those three shows.   James Keeler of LMT Technology Solutions has a steady hand on the incident response wheel and a lot of experience under his belt as well.  After seeing James speak on a panel at Zero Trust World, Allan asked him to be on the show.   Join Allan as he asks James to walk us through his philosophy of incident response, the underpinnings, the steps and just about everything else about Incident Response as well.   This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!  

    Neurodiversity in Cybersecurity with 3 Guests!

    Feb 28, 2024 (47:19)


    This week Allan is joined by Leigh Honeywell (CEO of Tall Poppy), Nathan Case (Federal CISO at Snyk), and Ryan Macababbad (Currently looking. HIRE HER!), three cybersecurity professionals with broad backgrounds in cyber, and all three of whom are neurodivergent. Allan, in fact, has been recently diagnosed as being on the autism spectrum, albeit 'high functioning' (as the diagnosis indicates) or 'low support needed' (as the autism community prefers to call it). With his recent diagnosis, Allan decided to reach out to friends in the neurodiverse community to discuss:
    The positives of neurodivergence
    Neurotypical responses and stereotypes about the ND community
    Cybersecurity-specific benefits to being ND
    Tips/Advice/Support for those who suspect or know that they are ND

    Below-the-OS Security with Yuriy Bulygin

    Feb 21, 2024 (36:58)


    Fun fact: There are more vulnerabilities and exploits below the OS layer than above it! CPUs, BIOS, firmware, embedded Linux, FPGAs, UEFI, PXE... The list goes on and on. What are we supposed to do about that? Allan asked Yuriy to come down to the 'Ranch to discuss this issue with him. Yuriy is CEO at Eclypsium, member of the Forbes Technology Council, founder of the open source CHIPSEC project, former head of Threat Research at McAfee, former Senior Principal Engineer at Intel... He is uniquely qualified to discuss these issues. Full DISCLAIMER: Allan is CISO at Eclypsium. Note that he asked Yuriy to come on the show, not the other way around. Nobody knows this space like Yuriy and his team. Allan asks Yuriy about:
    The history of CPU exploits
    Unauthorized code in chips in network gear
    The various hacks available at this layer
    The role of SBOM in all this
    The open source CHIPSEC project
    It's an eye-opening show to say the least. Y'all be good now!

    Ownership of Risk and Accountability

    Feb 15, 2024 (22:49)


    In this episode, Allan flies solo, as he is finally willing to speak on an issue he has been mulling and fussing over for some time: the two-fold CISO laments of "We have all the accountability and none of the authority!" and "We don't own the risk - we advise the business." Allan is refuting both of these claims. Allan calls up examples such as project managers, contract lawyers, and CFOs in his argument. He also demonstrates that we have far more authority than we think, and also that we can earn even more. As to advising the business, and the business owning the risk, we have here two contradictions to one of the show's mantras: "BE the business!" You will hopefully come away from this show with some different perspectives on these two claims. Y'all be good now!

    Get That Seat at the Table! with Jim McConnell

    Feb 7, 2024 (30:34)


    We declared a while back that 'not having a seat at the table' was a tired CISO topic. So we decided to solution the complaint. Hopefully we pulled it off. Join Allan and Jim McConnell, Principal at Ask McConnell, LLC and former Fellow in Corporate Security Protection Operations at Verizon, as they take on the challenge of solving this common lament. There is a fierce round of "answer pong" as they throw out suggestions on how to earn that seat, but they also cover:
    What does it mean to have a seat at the table?
    Ownership vs. advising
    Bridging the chasm between the two
    Supplier/Vendor to the business - is that a good model?
    BE the business (yes, that always comes up!)
    How to become a business expert
    And of course, the aforementioned game of Answer Pong as to how to earn that seat. Y'all enjoy the show, and y'all be good now!

    Getting a NACD Directorship Certification with Pat Benoit

    Jan 31, 2024 (23:45)


    Pat Benoit, CISO at Brinks, returns to the 'Ranch to visit Allan and to chat about his newest achievement - Pat got a NACD Directorship Certification! Allan has often thought about doing this as well, so he got Pat on the mic to talk about his whole experience: Why did you do it? How hard was it? What was involved? What do you hope to get out of it? Did you farm around for alternatives? Is there more you plan to do? As topics for shows go, this one is short and sweet.  But Pat, as always, spins a very human tale that will keep you engaged. Y'all be good now!

    Integrating with the Business with Ayman Elsawah

    Jan 24, 2024 (35:09)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Ayman Elsawah, who, like Allan these days, is a fractional CISO and founder of his own security company. He has done the fractional CISO thing many times. He has also been a professor, a security consultant, and a cloud-specific security consultant. His tenure includes eBay, NCC Group, Justworks and Masterclass. Ayman and Allan are talking about how cybersecurity teams can integrate themselves with the rest of the business. So we talk about the role of the CISO in business enablement all the time. Allan argues, based on the wise words of Scott McCool, a friend and mentor, that we are not here to enable the business. Rather we are here to BE the business. The distinction is that enablement still puts the CISO off to the side of the goings on. Being the business means that the CISO is part of the process, in there with sleeves rolled up alongside CRO, CMO, CFO, CEO, COO, etc. So let's ask the question twice: In a B2B context, what are three things a CISO can do to enable the business? In a B2B context, what are three things a CISO can do to BE the business? Presumably one of these involves being part of the sales cycle? Let's drill in on the company's products/services. Not talking about sales, but rather the products and services themselves, how can we as security practitioners be an integral part of products and/or services? What are three ways we can be the business there? What about the relationships? How do we strengthen being the business with regards to relationships with our peers? What about customer-facing activities beyond sales? How do we be the business with regards to our customers? Challenge round, what about B2C? Melanie Ensign, in a panel she was part of, said that one way cybersecurity can help B2C is by reducing support tickets. This is pure genius. Any other B2C tips? You have your own podcast, and a newsletter, book... Tell our listeners all about what you offer the cybersecurity world... Y'all be good now!

    Leadership Conflicts with Tom LeDuc

    Jan 17, 2024 (26:24)


    This one was recorded LIVE! in Podcast Alley at the CyberMarketingCon 2023 put on by the Cybersecurity Marketing Society in Austin, Texas.   Marketing!?!!?  Say what!?!?   Yup!  Allan went down to Austin to catch up with industry players and to participate in the conference as a "creator", i.e., podcaster. While there Allan ran into his friend Tom LeDuc, CMO at Semperis, and he got Tom to hop on the mic with him to discuss leadership challenges such as conflict, territorialism, jurisdictional disputes, startup mindset vs. bigger mindset...  The two of them cover quite a lot of territory. Some of Tom's story is obviously CMO-specific, but Allan and Tom both universalize the topics and get to the heart of what matters for all leaders. This show is not sponsored by Semperis, but Allan wants to clarify and be transparent about the fact that he is an advisor to Semperis.   Allan says: "Tom is just a great guy and is fun on the mic!" Y'all be good now!  

    Alternative CISO Lifestyles with Andrew Wilder

    Jan 10, 2024 (28:45)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Andrew Wilder, Retained CISO at Community Veterinary Partners, Member of the Board of Directors at Washington University in St. Louis, Advisory Board Member, former Global CISO, former Regional CISO... He's got a real history in this game. What we're talking about today is retained, fractional, virtual, and part-time CISOing...
    Topics addressed:
    The challenge of the vCISO - do I have a job 6 months from now?
    Marketing and sales - building pipeline, OR work for someone else - they get a big cut?
    Life insurance in the US is normally employment-based, and paid time off is a thing. Allan's cancer scare brought all of those risks to light.
    Tax benefits to 1099
    Work/life balance - or should that be life/work balance?
    Two full-time vCISO roles at the same time? Possible...
    Fractional, one-offs, consultations
    SEC and SolarWinds - a vCISO is not an officer of the company
    Andrew calls himself 'retained CISO' - he got that term from our friend Steve Zelewski
    Fractional vs. virtual vs. retainers - everyone says retainer is the path to victory, but how does that really work?

    A Zero Trust Case Study with John Checco

    Jan 3, 2024 (33:21)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest this week is John Checco, aka "Checco", who is overdue for being on the show, we freely admit! John is a presence on LinkedIn and in our industry. He's the author of "Zero Trust: From Aspirational to Overdue". He's also involved, as you can imagine, in many other things – various advisory roles, ISSA roles, InfraGard roles... He's been resident CISO at Proofpoint, for example. He's also a fire instructor! But we asked John to the show specifically to talk about what he calls "The Misfits of Zero Trust". John, thank you so much for coming on down to the 'Ranch! Questions Allan asks John: Without revealing any secrets, what was your experience investigating the Zero Trust model for such a large organization? What are the misfits of Zero Trust? What are some examples of what you have dubbed "2nd world affectations"? What are some examples of what you call "3rd world affectations"? Where do we go from here? Where would you suggest the highest priorities? Is Zero Trust here to stay? What comes next? Thank you, listeners, for dropping by the 'Ranch! Y'all be good now!

    The SaaS Attacks Matrix with Luke Jennings

    Dec 20, 2023 (37:21)


    Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Luke Jennings, VP of Research & Development at Push Security, former Chief Researcher at Countercept, Principal Security Consultant at MWR... He's been around the industry. Luke is passionate about tracking the evolution of attacks – how are the bad guys morphing and changing their game in response to our new defenses, and more importantly, to the new technologies that we use in the first place. Luke, thank you so much for coming on down to the 'Ranch! Questions Allan asks Luke: What is the difference between traditional attacks and the new SaaS cyber kill chain? Where is the new perimeter in a fully SaaS/remote company? Is it cloud identities? What is it we're actually protecting in a fully SaaS/remote company? The data landscape is very distributed now... You've mentioned that certain protective technologies are so good that they have inspired new methods of attack. This is the classic arms race metaphor. What drove the bad guys into attacking SaaS-native companies? Walk me through the modern kill chain in a SaaS-native company. I'm thinking in terms of recon, access, lateral, escalation – the old model has changed, has it not? Let's pick specific attacks from the matrix and review them. Sponsored by our good friends at Push Security. Check them out at: https://pushsecurity.com/ranch
