Podcast appearances and mentions of Allan Alford

  • 34 podcasts
  • 112 episodes
  • 35m average duration
  • 1 new episode monthly
  • Latest: Apr 21, 2025



Latest podcast episodes about Allan Alford

Hybrid Identity Protection Podcast
CISOs are the Top of the Information Security Food Chain with Allan Alford

Apr 21, 2025 (26:02)


In this time of constant cyber-attacks and increased cybersecurity reporting requirements, a CISO's job is no easy task and typically has a short tenure. In this episode, Sean sits down with Allan Alford, 5-time CISO, to talk about his experience as a CISO across several prominent organizations and how identity is always at the center of a CISO's responsibility.

Bare Knuckles and Brass Tacks
Best of Episode!

Apr 7, 2025 (32:43)


George K and George A are out this week to keynote SecureWorld Toronto and host the Cyber Pitch Battle Royale. Catch up on interviews you may have missed with:

  • Stacey Lokey-Day on collecting experiences to build your career
  • Candace Williams on the keys to networking
  • Allan Alford on the best ways vendors can engage with CISOs and ensure they stay in good graces
  • Jessica Andree on how to build loyalty and performance through better talent acquisition
  • Kate Wood on the top 3 pieces of advice for advancing your career

Bare Knuckles and Brass Tacks
Lessons from 25 Years in Cyber, from Corporate to Startup to Consulting and Back

Mar 10, 2025 (40:26)


This week we talk to Allan Alford about his 25-year journey from CISO to startups to consulting and now his return back to corporate America!

George K and George A talk to Allan about:

  • His wild career journey - and what motivated his most recent career decision
  • His new gig at NTT Global Data Centers, and why data centers are the next hot thing in security
  • The truly global scope of his new gig
  • Why people and process beat technology EVERY time - even in tech companies!

Allan also drops some straight FIRE about vendor relationships - including the sobering fact that in 25 YEARS, cold outreach has matched his actual needs exactly ONCE. Vendors, there's a lot to learn here about how to stand out before and after the contract is signed.

The Cyber Ranch Podcast
People, Process & Technology: People with Jeremiah Roe

Jul 31, 2024 (38:30)


Jeremiah Roe has held many roles in cybersecurity: Field CISO, Red Teamer, Advisor, Consultant, etc. He currently advises for OffSec, who provide quality cybersecurity training. Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series - each of the three shows exploring People, Process and Technology respectively. The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:

  • People, Process, and Technology - Which is most important?
  • If they knew what we knew about cybersecurity, would they behave differently?
  • How to leverage training budgets for a win-win-win.
  • People gonna peop, businesses gonna biz.
  • Incentivization, Positive Reinforcement and Deputization
  • Enabling camaraderie - not just good culture
  • Groupthink and Tribalism

Join the three as they ride the cyber trails of "People" in the PPT triad! Y'all be good now!

Paul's Security Weekly TV
The Evolving Role of the CISO - Allan Alford - BSW #358

Jul 30, 2024 (32:54)


The CISO role has been evolving for 20 years, but the last 2 years have accelerated that evolution. Some might say it's evolving into extinction. What are the factors driving this evolution? Allan Alford, CEO at Alford and Adams Consulting and host of The Cyber Ranch Podcast, joins Business Security Weekly to discuss this evolution and some of the factors driving these trends. In this interview, Allan will share his insights:

  • Migratory Trends of the CISO
  • CISO Skill Sets: Technical or Business?
  • The Language of the CISO

Show Notes: https://securityweekly.com/bsw-358

Business Security Weekly (Video)
The Evolving Role of the CISO - Allan Alford - BSW #358

Jul 30, 2024 (32:54)


The CISO role has been evolving for 20 years, but the last 2 years have accelerated that evolution. Some might say it's evolving into extinction. What are the factors driving this evolution? Allan Alford, CEO at Alford and Adams Consulting and host of The Cyber Ranch Podcast, joins Business Security Weekly to discuss this evolution and some of the factors driving these trends. In this interview, Allan will share his insights:

  • Migratory Trends of the CISO
  • CISO Skill Sets: Technical or Business?
  • The Language of the CISO

Show Notes: https://securityweekly.com/bsw-358

Paul's Security Weekly
Identity Security Posture Management - Allan Alford, Dor Fledel - BSW #358

Jul 29, 2024 (62:51)


Identity, the security threat that keeps on giving. For the 17th year in a row, identity is one of the top threats identified in the Verizon DBIR. Why? Dor Fledel, Senior Director of Product Management at Okta and Co-Founder of Spera, joins Business Security Weekly to discuss the challenges of identity and how to solve them. From numerous disparate identity systems to a proliferation of SaaS application usage, Dor explains why Identity Security Posture Management is a critical component to identify vulnerabilities, prioritize risks, and streamline remediation. If you're struggling with securing your identities, don't miss this interview.

Segment Resources:

  • https://www.okta.com/products/identity-security-posture-management/
  • https://www.okta.com/secure-identity-commitment/

This segment is sponsored by Okta. Visit https://www.securityweekly.com/okta to learn more about them!

The CISO role has been evolving for 20 years, but the last 2 years have accelerated that evolution. Some might say it's evolving into extinction. What are the factors driving this evolution? Allan Alford, CEO at Alford and Adams Consulting and host of The Cyber Ranch Podcast, joins Business Security Weekly to discuss this evolution and some of the factors driving these trends. In this interview, Allan will share his insights:

  • Migratory Trends of the CISO
  • CISO Skill Sets: Technical or Business?
  • The Language of the CISO

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw-358

Business Security Weekly (Audio)
Identity Security Posture Management - Allan Alford, Dor Fledel - BSW #358

Jul 29, 2024 (62:51)


Identity, the security threat that keeps on giving. For the 17th year in a row, identity is one of the top threats identified in the Verizon DBIR. Why? Dor Fledel, Senior Director of Product Management at Okta and Co-Founder of Spera, joins Business Security Weekly to discuss the challenges of identity and how to solve them. From numerous disparate identity systems to a proliferation of SaaS application usage, Dor explains why Identity Security Posture Management is a critical component to identify vulnerabilities, prioritize risks, and streamline remediation. If you're struggling with securing your identities, don't miss this interview.

Segment Resources:

  • https://www.okta.com/products/identity-security-posture-management/
  • https://www.okta.com/secure-identity-commitment/

This segment is sponsored by Okta. Visit https://www.securityweekly.com/okta to learn more about them!

The CISO role has been evolving for 20 years, but the last 2 years have accelerated that evolution. Some might say it's evolving into extinction. What are the factors driving this evolution? Allan Alford, CEO at Alford and Adams Consulting and host of The Cyber Ranch Podcast, joins Business Security Weekly to discuss this evolution and some of the factors driving these trends. In this interview, Allan will share his insights:

  • Migratory Trends of the CISO
  • CISO Skill Sets: Technical or Business?
  • The Language of the CISO

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw-358

CISO-Security Vendor Relationship Podcast
The Post-it Note Clearly Says “Don't Share” Right Under My Password

Jun 18, 2024 (37:19)


All links and images for this episode can be found on CISO Series. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Allan Alford, CISO, Eclypsium.

In this episode:

  • Evolving public-private partnerships
  • New technology, but not a new challenge
  • Securing the hidden layers of the supply chain
  • Balancing usability and control

Thanks to our podcast sponsor, Eclypsium

Eclypsium is helping enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. Our cloud-based and on-premises platform provides digital supply chain security for software, firmware and hardware in enterprise infrastructure. Get started today at eclypsium.com/spark.

Audience 1st
CISO Chronicles Unfiltered: The Pros - LIVE from CISO XC Conference

May 31, 2024 (38:39)


In this live episode from the CISO XC Conference in Dallas Fort Worth, Texas, cybersecurity professionals engage in a candid discussion on the challenges, frustrations, and human aspects of the cybersecurity industry. Dani Woolf, Host of Audience 1st Podcast, and Allan Alford, Host of The Cyber Ranch Podcast, uncover the top aspects of cybersecurity that have CISOs hopeful, among them:

  • Increased Diversity of Thought and Background: One CISO expresses hope for the future of cybersecurity due to the increasing diversity of thought and background in the industry, which leads to a richer and more effective approach to security.
  • Passionate and AI-Equipped Generation: Another CISO is hopeful about the passionate and AI-equipped younger generation entering the field, highlighting their willingness to serve and collaborate.
  • Continuous Learning and Collaboration: The emphasis on continual learning and collaboration within the industry is a significant source of hope, as it fosters innovation and resilience.
  • Purpose and Fulfillment in Making a Difference: The fulfillment and noble purpose of making a difference and affecting change in the security industry drive many CISOs to stay hopeful and passionate about their roles.
  • Advancements in AI: While there are concerns, the advancements in AI are seen as a force multiplier that can significantly enhance cybersecurity capabilities when adopted effectively.

Join Audience 1st Newsletter Today

Join 1700+ cybersecurity marketers and sellers mastering security buyer research to better understand their audience and turn them into loyal customers: https://www.audience1st.fm/newsletter

The Cyber Ranch Podcast
The Positives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests

May 29, 2024 (38:39)


Howdy, y'all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast! What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!) I am your host, Allan Alford, CEO of Alford & Adams Consulting. I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast! On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off). What we're doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber. This week's show focuses on the pros of cybersecurity – we covered the negatives last week, and this week we cover the positives. My listeners should know by now that I like to end on a positive note…

WARNING: Some naughty language

Audience 1st
CISO Chronicles Unfiltered: The Cons - LIVE from CISO XC Conference

May 23, 2024 (28:56)


In this live episode from the CISO XC Conference in Dallas Fort Worth, Texas, cybersecurity professionals engage in a candid discussion on the challenges, frustrations, and human aspects of the cybersecurity industry. Dani Woolf, Host of Audience 1st Podcast, and Allan Alford, Host of The Cyber Ranch Podcast, uncover the top frustrations of CISOs, among them:

  • The Need to Balance Empathy: Emphasize human connection, empathy, and treating employees like family to effectively engage in cybersecurity efforts.
  • Risk Acceptance: Encourage taking calculated risks with cutting-edge technologies rather than strictly adhering to outdated regulatory frameworks.
  • Authorizing Advanced Tech: Streamline technology authorization processes in defense sectors to keep pace with adversaries' advancements.
  • Sole Focus Marketing Tech Making Business Cases: Avoid focusing solely on technological capabilities, instead align purchases with organization-wide security strategies.
  • Expensive Dinners Over Transparent Communication and Relationship Building: Promote transparency and open conversations over incentivizing through expensive dinners, fostering genuine vendor-client relationships.
  • Lack of Industry Collaboration: Highlight the importance of collaborative events for rapid maturity of cybersecurity practices and fostering a sense of community.
  • Negative Vendor Relations: Practice reciprocation and appreciation with vendors to cultivate strong support without manipulation.
  • Investment in Costly Sales Tools at the Expense of Security Tools: Advocate for a balanced financial approach where affordable cybersecurity investments are prioritized over costly sales tools.
  • Echo Chambers Over Open Discussions: Encourage CISOs to share both successes and failures openly for collective improvement and robust decision-making.

Join Audience 1st Newsletter Today

Join 1700+ cybersecurity marketers and sellers mastering security buyer research to better understand their audience and turn them into loyal customers: https://www.audience1st.fm/newsletter

The Cyber Ranch Podcast
The Negatives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests

May 22, 2024 (29:09)


Howdy, y'all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast! What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!) I am your host, Allan Alford, CEO of Alford & Adams Consulting. I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast! On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off). What we're doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber. This week's show focuses on the cons of cybersecurity – the beefs, gripes, grumps, complaints and fears about cybersecurity. Next week we'll end on a positive note, but this show is an opportunity for CISOs to scream into the void. Without further ado, here we go…

WARNING: Some naughty language this episode.

Bare Knuckles and Brass Tacks
SPECIAL - The Resilience Sessions: Recorded Live at RSAC 2024

May 17, 2024 (26:22)


This is a special episode, recorded live at the Mind Over Cyber Networking Breakfast and Mindfulness Workshop at RSA Conference 2024. George A was called away for CISO things, but I had a chance to sit down with three guests who wanted to share their stories of resilience: challenges to their mental wellbeing and also the strategies and frameworks they use on the regular to navigate those challenges.

You are not alone. Our hope in sharing these stories is to help others understand many of your peers are going through the same stuff, but more importantly, share the ways they've learned to work with and through stress rather than try to block it all out or push it away.

I spoke with Allan Alford, Kade Hennings, and Amanda Berlin. We're grateful for their time.

WARNING: There is a mention of suicide in my last conversation, with Amanda. It's in the general, abstract sense, nothing specific or graphic, but a warning all the same.

The Cyber Ranch Podcast
Bad Behaviors: A Better Way LIVE! with Chris Tillett

Oct 11, 2023 (33:12)


Chris Tillett is a well-known figure in our industry. He is in product management and R&D at Palo Alto Networks. He is also a great guy, funny, and can wield the snark quite well. He is the perfect foil for Allan Alford as the two of them take the gloves off, pick on one another, and tear apart bad vendor and bad CISO behaviors. LIVE! At Black Hat!

The two tackle some of the most sensitive pain points on both sides of the fence, and get into solutioning some of the most common CISO/vendor problems. All while donating to Black Girls Code whenever a buzzword gets used.

Their ultimate conclusion? We'd better figure out how to lock arms, as the bad guys have no problems coordinating with each other.

Come together. Right now. Over The Cyber Ranch Podcast.

Sponsored by Palo Alto Networks XSIAM. Find out more at a workshop near you!

Dark Mode Podcast
#61 - Chief Executive Hybridisation and the Scientific Method for Strategic Business Thinking - Allan Alford

Aug 20, 2023 (44:42)


CISO-Security Vendor Relationship Podcast
Failure Is The Likely Option

May 30, 2023 (45:45)


All links and images for this episode can be found on CISO Series.

When cybersecurity needs to cut budget, the first move is to look where you have redundancy. That way you're not actually reducing the security effort. But after that, the CFO needs to know what are the most important areas of the business to protect. Where will they be willing to take on more risk? Because, with less security, the chances of failure increase.

This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark (@dspark), host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford (@allanalfordintx), CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike Woods, corporate CISO for GE.

Thanks to our podcast sponsors: Conveyor, Nightfall AI, Rapid7

Love security questionnaires? Then you're going to hate Conveyor: the end-to-end trust platform built to eliminate questionnaires. Infosec teams reduce the volume of questionnaires with a customer-facing trust portal and for any remaining questionnaires, our GPT-Questionnaire Eliminator response tool or white-glove questionnaire completion service will knock them off your to-do list. www.conveyor.com

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall's industry-leading ML detection.

Rapid7 is the only connected, cloud to on-prem cybersecurity partner with unlimited incident response, unlimited automated workflows, unlimited vulnerability management, unlimited app security, you get the idea. Add it up – with Rapid7's decades of practitioner-first problem solving – and there's unlimited opportunity for you. See for yourself at Rapid7.com/ciso-series.

In this episode:

  • We always say, “trust but verify,” but how do you actually verify?
  • When it comes to cutting budget, make sure you're already in the mind of the CFO.
  • What's the difference between a good cybersecurity professional and a great one?

Business of Security Podcast Series
#43 - Partnering with Business Leaders to Build Your Security Program from Scratch

Mar 22, 2023 (26:14)


In this episode, we have a very special guest joining us to discuss the essentials of building a cybersecurity program from scratch.

Allan Alford, the founder of Allan Alford Consulting, brings a wealth of experience and a unique perspective to the table. Since launching his boutique cybersecurity consulting practice at the end of 2019, Allan has been dedicated to helping organizations efficiently implement and manage security programs and projects. With a focus on long-term relationships and custom solutions, Allan's approach ensures that each client's unique needs are met with the highest level of expertise.

But that's not all! Allan Alford Consulting also offers coaching services for aspiring and new CISOs, helping them navigate the ever-changing landscape of cybersecurity leadership.

In today's episode, Allan will share his insights on the fundamentals of building a robust cybersecurity program, the importance of understanding an organization's unique needs, and how to forge strong partnerships with business leaders.

Josh Bruyning, Sr. Solutions Engineer @TrustMAPP and Chad Boeckmann, Founder/CEO @TrustMAPP

Sponsor: TrustMAPP (https://trustmapp.com)

The Cyber Ranch Podcast
BISO Bonanza with Ann Hines, James Binford and Matt Winkeler

Feb 8, 2023 (32:02)


Do you want to be a CISO one day? Are you a CISO today who wants to strengthen your ties into the rest of the business? The Business Information Security Officer (BISO) role is one you should explore. The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances: where it fits, what is required, how it is best positioned and managed. Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive. Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as they explore the BISO role.

Sponsor Links: Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com

The Cyber Ranch Podcast
Managing Careers with Luis Valenzuela

Jan 11, 2023 (30:54)


This episode is jam-packed with wisdom that is delivered at a rapid pace. Some folks will find themselves rewinding and taking notes. Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs. Topics include:

  • Pivotal career transitions
  • Is a plan _really_ required?
  • Principles, foundations, and successful behaviors
  • Practical steps and resources
  • Is the power of envisioning enough?
  • Tactical and other tips

Y'all enjoy this one, now!

The Cyber Ranch Podcast
Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT

Dec 14, 2022 (36:20)


This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'? Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk. Join Allan, Andy, and Chris as they deconstruct risk, extolling its virtues, and hopefully change the way you think about risk altogether. Is likelihood times impact valid? Is the 5x5 grid valid? What is plausibility vs. probability? Find out on this great LIVE! episode!

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

The Cyber Ranch Podcast
Is It Even Our Job to Make Them Care About Cybersecurity? with Yaron Levi

Dec 7, 2022 (27:41)


In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance. Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others. Listen to hear a deconstruction of this position, and hear some great arguments both for and against it. We'll give away the ending - the argument is ultimately refuted - but it is a great thought exercise and a wonderful journey getting to that conclusion. Hint: The show's ending is more apt than ever: "Y'all be good now!"

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

The Cyber Ranch Podcast
Geopolitics, APTs and Cybersecurity with Dan Holden

Nov 16, 2022 (53:44)


Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a forward-looking vision for cybersecurity that includes shifts in global prioritization of cybersecurity, federal regulations, and changes to the VC investment landscape. Saddle up and get ready for a wild ride!

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

The Cyber Ranch Podcast
3 Very Practical Tips with Duane Gran

Nov 9, 2022 (35:14)


This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes:

  • Eliminating the culture of "No!"
  • Managing Third-Party Risk
  • Building a "No Blame" Culture

The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen!

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

Audience 1st
[BEST OF] What Cybersecurity Pros Hate MOST About the Industry

Sep 30, 2022 (28:25)


In every episode I record with my guests, I ask them one crucial question: "What do you hate most about the cybersecurity industry?" In this episode, I curated the top answers for you. What's more, you'll get an understanding of what security practitioners, go-to-market teams, and cybersecurity vendors can do to alleviate some of these problems in the industry.

Who will you hear from?

  • [00:45] Joshua Marpet
  • [01:39] Limor Kessem
  • [03:43] Nick Ryan
  • [04:43] Tal Arad
  • [05:42] Leo Cruz
  • [06:39] Gary Hayslip
  • [08:05] Dmitriy Sokolovskiy
  • [09:29] Allan Alford
  • [12:39] Ryan Cloutier
  • [15:43] Joseph Carson
  • [17:09] Evan Francen
  • [21:19] Malia Mason
  • [24:08] Jenny Botton
  • [25:23] Ferd Hagethorn
  • [26:50] Chris Roberts

Join Audience 1st Today

Join 550+ cybersecurity marketers and sellers mastering security buyer research to better understand their audience and turn them into loyal customers: https://www.audience1st.fm/

The Cyber Ranch Podcast
Ask CISO Allan Alford Anything pt. 2

Aug 24, 2022 (35:57)


Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.

Timecoded Guide:

  • [00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion
  • [06:10] Facing stressful ransomware situations without proper preparation
  • [12:11] Hiring hackers as team members & debating the ethics of black hat hackers
  • [21:20] Addressing cyber risk in an accessible way for your organization's board
  • [26:41] Understanding the past, present, & future of cybersecurity insurance

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour

Are you comfortable turning on the light in a dark room so we can see what we're really dealing with? [from: Karen Andersen]

There's a perception (and not a wrong one) that the CISO's role is to turn on the light in a dark room and show a company what their biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining and socializing team members to the risks has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.

“It's very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There's a difference between socializing what's wrong, and scaring people with what's wrong. If you're going to bring up the risks, at least bring up the beginnings of a solution.”

How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]

With open positions, skills gaps, and labor shortages in cyber, the answer to the industry's problems might either fall into the category of people outside of the industry or people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of c-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals that have moved from black hat to white hat.

“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”

What's the most difficult decision that you've had to make as a CISO that was not directly security related? [from: Brad Voris]

As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what's right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.

“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per se.”

How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]

Although reporting to a board is an often essential responsibility of any CISO's role, Allan explains that making sense of the cyber threat landscape relies on you being flexible — not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensures success for your security team.

“There's a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”

Links:

  • Follow Allan Alford on LinkedIn and Twitter
  • Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
  • Continue this conversation on our Discord
  • Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast

The Cyber Ranch Podcast
Ask CISO Allan Alford Anything

Aug 17, 2022 (40:13)


Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.

Timecoded Guide:
[00:00] Seeing the best of the job in the often thankless role of CISO
[06:04] Building teams through learning strengths vs the negative perception of employee poaching
[09:50] Starting out in IT & transitioning to CISO through consistent skill-building
[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third
[27:23] Understanding the industry with a technical CISO point of view & a hacker's mindset
[38:06] Managing the many highs and lows of becoming a CISO

Sponsor Links: Axonius gives its customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at axonius.com/platform/cybersecurity-asset-management

What skills and education level helped you land your first CISO position? [from: John Rosario]
Although he's taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.
“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”

Talking to your younger self: What's the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]
Compromise is king, even in the C-suite, but Allan didn't understand this as an early-stage CISO. Instead, Allan feels regret in recalling his lack of willingness to see other business concerns beyond security. He feels that a successful, impactful CISO needs not only to prioritize security as their mission, but also to see the bigger picture of why a budget line or resource has to be used for something other than security at certain points in time.
“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”

What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler]
Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor.
“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”

What's the best and worst thing about being a CISO? [from: Ofer Shaked]
There's a great deal of ups and downs that come from being a CISO, but thankfully, a major positive has been being able to answer the noble calling to help organizations become more secure. When a CISO can look back and see how well an organization has done because of them, Allan describes this feeling as invaluable. On the unfortunate flipside, being a CISO for an organization that doesn't understand the role and only wants someone to check boxes can be extremely disheartening. Allan warns that he's yet to meet a CISO that hasn't encountered that at some point in their career.
“When you can look back on your body of work, and see that it had a meaningful impact; you can look at this organization and know this place is more secure than it was when you walked in the door…that's probably the best feeling [for a CISO].”

-------------
Links:
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast

Cybersecurity Simplified
Episode 30: Riding the Cyber Trails with Cyber Rancher Allan Alford

Jul 28, 2022 (23:27)


What do cybersecurity and ranching have in common? A bit of wrangling, a lot of bull and CISO Allan Alford, host of the Cyber Ranch podcast. Allan's 20-year cybersecurity journey includes serving as CISO four different times in three industries and working with companies from 5 to 50,000 employees. He's currently focused on getting ACTUAL value from your tech stack and adding a human perspective to cybersecurity. So, saddle up and settle in. In this episode of Cybersecurity Simplified, we'll ride the cyber trails wherever Allan's experience takes us.

The Cyber Ranch Podcast
Better User Awareness Training with Tim Silverline

Jun 29, 2022 (28:19)


Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advance warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.

Timecoded Guide:
[04:30] Running the right phishing simulation for your user base and gauging your results appropriately
[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails
[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning
[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises
[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour

What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?
Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.
“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”

If the users never fall prey to attacks, is there a reason to continue performing them?
Hearing Tim talk about his success, Allan was curious about how he chooses to approach successful user bases. If someone isn't falling for Tim's phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling different exercises that home in on different phishing simulations exposes employees to a variety of learning opportunities and encourages them to see this as more than a yearly test where they might as well “get it over with.”
“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”

What ineffective methods are there in security awareness?
Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read or watch through videos and take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside of the box with interactive activities that are explained in advance shows the value of these exercises to your users instead of making them feel that you're yet again wasting their time with another gift card scam.
“I find that there's the typical thing a lot of people do to hit compliance, which is having their users watch videos, and answer questionnaires. My feeling is that most people just try to get that done. Their goal is really to get it completed, so they can check the box and their company stops bothering them to complete it.”

You are given a magic wand and you are told you can wave it and change any one thing in cybersecurity you want to change. What do you change?
There's so much in cybersecurity that Tim and Allan would love to change, especially when we look at cutting-edge approaches to user awareness training. However, Tim makes one thing clear: if he could change anything, he would change our mindset. Instead of seeing security as just someone's job, we should encourage our users to see themselves as an instrumental part of their company's security. When everyone concerns themselves with following the right protocols and caring about security beyond simulations, companies will find themselves in a much stronger, less vulnerable place.
“I think ultimately, a lot of the weaknesses inside of our organization are our users. If I could just increase the level of carefulness, or the level of interest that everybody has in keeping their own companies secure, I think we would overall improve the posture of all companies.”

-------------
Links:
Learn more about Tim Silverline on LinkedIn and the Gluware website.
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast

The Cyber Ranch Podcast
Board Reporting Metrics Pt. 2 w/ Andy Ellis

Jun 1, 2022 (44:11)


Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:
-Vulnerability and threat hunting metrics
-Top 3 metrics to report to the board and why
-Breach reporting implications and much more!

Check out part 1 of Board Reporting Metrics here

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles, the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone

Guest Bio: Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai's security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai's information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai's security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.

Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast

Breaking Through in Cybersecurity Marketing
Humanizing Your Cybersecurity Marketing with Allan Alford

May 18, 2022 (35:03)


“Marketing is too often sidelined from the bad news about the product and from the good news about the competitors. What we do is cool, but we don't do everything and that is okay!”- Allan Alford  No one knows how to get product marketing in front of a CISO better than, well, a CISO! In this episode, Gianna and Maria are joined by Allan Alford, CISO and CTO at TrustMAPP, to talk about his biggest takeaways from his time spent as a CMO. Allan shares his tips on bringing more personality into cybersecurity marketing, why building your personal brand is just as important as building the company's, and the best ways to position your marketing to the CISO community. Lastly, Allan shares his philosophy on meeting customers where their challenges are and acknowledging your competition.  If you enjoyed our guest as much as we did, be sure to check out his show, The Cyber Ranch Podcast   Guest Bio: With 20+ years in information security, Allan Alford has served as CISO four times in three industries. Alford parlayed an IT career into a product security career and then ultimately fused the two disciplines. Alford gives back to the security community via The Cyber Ranch Podcast and by authoring articles and speaking at conferences.   Links Follow Allan Alford on LinkedIn and Twitter Connect with Gianna on LinkedIn Connect with Maria on LinkedIn  Follow the Cybersecurity Marketing Society on Twitter or learn more at the Cybersecurity Marketing Society website Check out  Hacker Valley Media and the Breaking Through in Cybersecurity Marketing Podcast

Cybersecurity Heroes
A Deep Dive With Allan Alford On Okta's Breach Response

Apr 30, 2022 (67:13)


In this episode, we unpack and critique the handling of the Okta breach communications effort and why it matters, especially for all of us on the sidelines passing judgment without all the facts. Allan Alford is the CISO/CTO at TrustMAPP & Host of The Cyber Ranch Podcast Show Links Connect with Allan on LinkedIn  Follow IRONSCALES on LinkedIn or Twitter Connect with Brendon Rod on LinkedIn   We're stronger together. CyberSecurity Heroes is brought to you by IRONSCALES. An email security platform powered by AI, enhanced by thousands of customer security teams and built around detecting and removing threats in the inbox.

The Cyber Ranch Podcast
Learned Helplessness in Cybersecurity w/ Steve Mancini

Mar 30, 2022 (38:35)


This topic couldn't be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves. Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links. Guest Bio: Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies. Links: Stay in touch with Steve Mancini on LinkedIn  Follow Allan Alford on LinkedIn and Twitter Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at  Axonius  

Audience 1st
A Huge Percentage of Vendors Jumps on This Ambulance Chasing Bandwagon and I Hate It | Allan Alford

Mar 24, 2022 (30:00)


It's okay to have a positive, crisp, and clean association with negative press. But it's best to steer clear of it altogether. When's the last time you've heard, ‘simple is more'? Or, ‘keep it basic'? If it's been a while, this episode will be a good refresher for you. When approaching your marketing strategies and tactics in the cybersecurity industry, particularly your messaging, it's best to just stick with the basics and the fundamentals. There is this constant need to overcomplicate with so many terms to stand out against the competitor, using negative press and ambulance-chasing to get the attention of the security practitioner. According to Allan Alford, CISO of TrustMAPP, “it should really be a conversation with your audience.” In this episode, I had a brutally honest conversation with Allan on what motivates him, what his challenges are, what vendors do that piss him off, and the alternatives. Join Audience 1st Today Join 300+ cybersecurity marketers and sellers mastering security buyer research to better understand their audience and turn them into loyal customers: https://www.audience1st.fm/

The Cyber Ranch Podcast
The Great Resignation & Cybersecurity w/ Jessie Bolton

Mar 9, 2022 (28:46)


With a looming skills/people gap in cybersecurity and retention at an all time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?   Links: Follow Jessie Bolton on LinkedIn Follow Allan Alford on LinkedIn and Twitter Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at  Axonius

CISO Tradecraft
CISO Tradecraft: 3 Keys to Being a CISO (with Allan Alford)

Feb 7, 2022 (44:14)


On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:
- Use a Cyber Maturity Model such as CMMI to identify the current situation and build a roadmap of where the organization is headed
- Quantify Known Risks through a Risk Register which gets routinely briefed to Executives
- Align Cyber to Business Objectives to enable the business

If you enjoy listening to Allan Alford, then please subscribe to The Cyber Ranch Podcast for more great content.

Lets Talk Leadership Podcast
Lets Talk Leadership: The Culture Edit - Allan Alford, CISO/CTO at TrustMAPP

Jan 13, 2022 (29:04)


In this episode, our hosts, Sandra Patel Stewart, CEO of Transition Partners, and Elly Nettleton, Managing Director, are joined by CISO/CTO at TrustMAPP and The Tech Cyber Ranch podcaster Allan Alford.

The Cyber Ranch Podcast
The CMO's Perspective w/ Nathan Burke and Julie O'Brien

Nov 24, 2021 (39:13)


CISOs complain on social media about bad marketing: when they are targeted inappropriately, or with messages that don't resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O'Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonius, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what is good marketing and bad marketing, and how marketing affects all of our careers more than we know. Hear different perspectives on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.

Key Takeaways:
02:00 Julie Bio
03:13 Nathan Bio
04:00 Standing out as a marketer
10:15 Emphasizing what you don't do as a company, rather than what you do
15:56 A message to CISOs - Julie
23:00 Nathan's message to CISOs
25:55 Allan touches on why innovation occurs on the vendor side
27:45 Buzzwords
33:50 What surprises Nathan and Julie in cyber security?

Links:
Learn more about Nathan on LinkedIn and Twitter
Check out Julie on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ

Paul's Security Weekly TV
Governance, Risk, & Compliance...so What? - Part 2 - Allan Alford - SCW #94

Nov 11, 2021 (27:19)


Join us on this episode of SCW for a general discussion about how to do this whole security/compliance thing better; how compliance really needs to come first; how it's all risk-based or should be RGC not GRC; legal and privacy issues/focus, and how they help or hinder the cause; and other factors like burnout/gatekeeping/etc. that all contribute to our industry being overly focused/reliant on technology and not handling the people/process part very well.

Visit https://www.securityweekly.com/scw for all the latest episodes!
Show Notes: https://securityweekly.com/scw94

Paul's Security Weekly TV
Governance, Risk, & Compliance...so What? - Part 1 - Allan Alford - SCW #94

Nov 10, 2021 (36:23)


Join us on this episode of SCW for a general discussion about how to do this whole security/compliance thing better; how compliance really needs to come first; how it's all risk-based or should be RGC not GRC; legal and privacy issues/focus, and how they help or hinder the cause; and other factors like burnout/gatekeeping/etc. that all contribute to our industry being overly focused/reliant on technology and not handling the people/process part very well.

Visit https://www.securityweekly.com/scw for all the latest episodes!
Show Notes: https://securityweekly.com/scw94

CyberHub Engage Podcast
Ep. 126 - Allan Alford, CTO/CISO at TrustMAPP Live Playback

Sep 2, 2021 (59:56)


Every Friday CISOTalk is live on LinkedIn, YouTube and Facebook with an awesome guest. This past Friday James Azar was joined by Allan Alford as they discussed the White House Tech Summit on cybersecurity and so much more... Tune in to listen to the latest and join us Friday live!

CISO Talk is supported by these great partners; please make sure to check them out:
KnowBe4: https://info.knowbe4.com/phishing-security-test-cyberhub
Attivo Networks: www.attivonetworks.com

****
Find James Azar, Host of CyberHub Podcast, CISO Talk, Goodbye Privacy, Tech Town Square, and Other Side of Cyber
James on LinkedIn: https://www.linkedin.com/in/james-j-azar/
James on Parler: @realjamesazar
Telegram: CyberHub Podcast
Locals: https://cyberhubpodcast.locals.com

******
Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter

******
Website: https://www.cyberhubpodcast.com
YouTube: https://www.youtube.com/channel/UCPoU8iZfKFIsJ1gk0UrvGFw
Facebook: https://www.facebook.com/CyberHubpodcast/
LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
Twitter: https://twitter.com/cyberhubpodcast
Instagram: https://www.instagram.com/cyberhubpodcast
Listen Here: https://linktr.ee/CISOtalk

The Hub of the Infosec Community. Our mission is to provide substantive and quality content that's more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

The Cyber Ranch Podcast
Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit

Aug 11, 2021 (31:06)


In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time. Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time? Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.

Key Takeaways:
0:43 – Intro
1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?
2:47 – Patrick discusses his own approach to Mustapha's statement
3:26 – The evolution of CFS adoption briefly discussed and the importance of protection
6:59 – Discussion of a possible "least viable security" approach that doesn't depend on the frameworks at all
9:50 – Maturity models
13:32 – Security strategies
19:56 – The guests answer: What were the toughest challenges working with a framework?
21:56 – The guests share their best success story with frameworks
23:51 – The guests share their journey on business integration
27:56 – The influence of regulation and other requirements

Links:
Learn more about Derly on LinkedIn and Twitter
Learn more about Mustapha on LinkedIn
Learn more about Patrick on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

CyberHub Engage Podcast
CISOTalk #AMA with Allan Alford Live on Youtube and LinkedIn

Jul 23, 2021 (60:47)


Bonus episode for the CISOTalk Crowd. Allan Alford joins me for a live #AMA session as we discuss Patching, CISO Top of Mind and so much more...

CISO Talk is supported by these great partners; please make sure to check them out:
KnowBe4: https://info.knowbe4.com/phishing-security-test-cyberhub
Attivo Networks: www.attivonetworks.com

****
Find James Azar, Host of CyberHub Podcast, CISO Talk, Goodbye Privacy, Tech Town Square, and Other Side of Cyber
James on LinkedIn: https://www.linkedin.com/in/james-j-azar/
James on Parler: @realjamesazar
Telegram: CyberHub Podcast

******
Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter

******
Website: https://www.cyberhubpodcast.com
YouTube: https://www.youtube.com/channel/UCPoU8iZfKFIsJ1gk0UrvGFw
Facebook: https://www.facebook.com/CyberHubpodcast/
LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
Twitter: https://twitter.com/cyberhubpodcast
Instagram: https://www.instagram.com/cyberhubpodcast
Listen Here: https://linktr.ee/CISOtalk

The Hub of the Infosec Community. Our mission is to provide substantive and quality content that's more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

The Cyber Ranch Podcast
The Post-COVID Reckoning w/ Dr. Rebecca Wynn - SPECIAL EDITION

Mar 15, 2021 (28:06)


In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like. Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!

The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field. Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.

Moving workers to home all over the world resulted in an increased attack surface and increased privacy concerns as well. Security questionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. reports. COVID, in other words, really emphasized the supply chain risk posture. Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc. Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk. To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.

Key Takeaways:
1:18 - Dr. Wynn tells the audience about her information security background and recognitions.
2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.
4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.
5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.
6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".
8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.
9:12 - Allan points out that the Solarwinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.
10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.
12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.
14:34 - Dr. Wynn and Allan talk about the strength and significance of contracts in the cultures of various companies.
16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.
19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.
23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.
25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.
25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.
26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.

Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Dr. Rebecca Wynn on LinkedIn.
Sponsored by our good friends at Axonius

The Cyber Ranch Podcast
Business-Oriented Security w/ Chris Castaldo

Mar 10, 2021 · 27:42


In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail. The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills the void in books for founders that seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review the book before its release. But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO? Allan asks Chris how a CISO can affect both the bottom line and the top line as well. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses. Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business. To close the podcast, Chris shares that he loves information security because it always offers something new, and because it is evolving towards a user-centric approach.

Key Takeaways:
0:36 - Chris tells the audience about his security book for founders.
2:19 - Chris talks about his day job as CISO at Crossbeam.
3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.
6:05 - Chris walks through how a CISO's impact on the top and bottom line varies for startups vs. mature businesses.
7:16 - Chris compares security aspects of a non-security offering to airbags in a car.
9:02 - Allan shares his past as a product security professional and how business-aligned product security in tech companies is.
12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.
14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.
18:24 - Chris discusses how to enable security without putting the brakes on the business.
22:40 - Allan explains how some of his basic security controls also accelerate the business.
25:17 - Chris explains why he loves working in information security.
26:21 - Chris is looking forward to user-oriented cyber security.

Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Chris Castaldo on LinkedIn.
Sponsored by our good friends at AttackIQ

The Cyber Ranch Podcast
Startups & VCs in InfoSec w/ Will Lin

Feb 24, 2021 · 27:09


In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his current role as a way to help others. Allan welcomes Will on to the show to help his listeners learn more about the startup world, the venture capital world, and how those two intersect. The show starts with Allan asking Will why he thinks startups are such a prevalent force in the cyber security world. Will is not sure, but his hypothesis is that this is in large part due to the ever-changing nature of cyber security. Since needs are constantly changing and each organization has unique needs, startups have popped up to address those specialties and change based on the different needs that arise. His second hypothesis is that there always need to be organizations prepared to address new and emerging threats to security. For VCs, Will shares that companies and startups go through a very natural progression in terms of maturity depending on their framework. Regardless, what it all boils down to is where in its life cycle any organization finds itself. Once the VC is able to identify where the company is in its life cycle, they can begin to make informed decisions about the company. This will determine the type of funding that VCs will decide to provide. For example, usually when a company is around 10-20 members, they will be looking for series A funding. Typically, series A funding is around 10-25 million dollars, series B is 20-40 million and series C is 50 million and above. By evaluating the total of the investment, observers can estimate the valuation of the company. While most companies only do a few rounds of fundraising, some companies will experience several late rounds of fundraising and Will advises that this is typically a good thing. The best indicator of health is the number of employees. If the number of employees is going down, that is one of the clearest indicators of regression. Once a VC comes in, though, that is where they are able to lend their experience to help with advising the business, which is Will's favorite part of his job. To close the podcast, Will shares that being able to help people and add value to their companies is the thing that keeps him energized and engaged in his position.

Key Takeaways:
0:24 - Listeners are introduced to Allan Alford and his guest, Will Lin.
1:27 - Why do so many people in the security industry rely on startups?
3:29 - What does Will do in his job and how has his background led to his current role?
5:36 - From Will's perspective, what is the critical split between the first round of angel funding
9:33 - What is the expectation for funding in each different series of investments?
15:19 - What does the VC ownership look like from the perspective of the company?
21:22 - Does Will offer specific advice to the startups that he works with?
24:00 - What is Will's opinion on startups that grow without any assistance from VCs?
25:48 - What keeps Will energized in his job?

Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Will Lin on LinkedIn.
Sponsored by our good friends at Axonius

The Cyber Ranch Podcast
Storytelling in InfoSec w/ Chris Cochran & Ron Eddings of Hacker Valley

Feb 22, 2021 · 27:21


On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they've held in the space. While they came up in the cyber security space through different channels, they now work together at Marqeta, Ron as a Security Architect Leader and Chris as the Director of Security Engineering. Additionally, together they host the Hacker Valley Podcast. Allan is curious how the podcast affects their day jobs and how their day jobs influence the podcast. Ron and Chris explain that it has given them wider contacts with people in the security industry and the opportunity to speak with them about their interests and expertise. Allan asks Ron and Chris how they stay passionate about their work. Chris says both he and Ron believe in getting better every day, even if it's in small increments. Reading books, taking classes, and speaking to mentors are all ways that he improves himself and makes sure he stays sharp. Ron shares that he is a collector, and it has led him to collecting experiences. Through these experiences, he is also able to continue getting better and improving himself. They both share that through the podcast and their jobs, they need to continue learning and working. They've taken voice coaching and storytelling lessons to keep on the cutting edge of podcasting. Everyone has a story, and the ability to share your own and help others share theirs is essential not only to impeccable podcasting but also to being an empathetic and engaged human. In threat intelligence and user awareness training, along with other technical skills, storytelling is integral to meeting people where they're at. As the episode ends, Allan asks Ron and Chris about the future for them and their podcast.

Key Ideas:
:22 - Chris and Ron are introduced.
4:46 - How the podcast influences their day jobs and vice versa.
12:08 - Allan asks Chris and Ron about infusing passion in their work.
16:39 - The importance of storytelling in podcasting.
24:00 - What does the future look like for Ron, Chris, and the podcast?

Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Follow Chris Cochran on LinkedIn and Twitter
Follow Ron Eddings on LinkedIn and Twitter
Support Hacker Valley Studio on Patreon.
Sponsored by our good friends at Axonius

The Cyber Ranch Podcast
Vulnerability Management w/ Anne Marie Zettlemoyer

Feb 10, 2021 · 24:03


Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management. Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in information security! Anne Marie is deeply entrenched in the world of information security, and she loves her work. She began her career in accounting and finance, but by serendipity was introduced to security through a position updating a company's payment system. From there, she was recruited into the Secret Service, where she developed a passion for the information security field - a field she hasn't left since! Anne Marie is driven by the energy and nobility of her profession, and she values work as a protector and defender. At the same time, she feels a high level of responsibility to her company and her customers to navigate information security well. The baseline for security work, Anne Marie says, is the fundamentals. The first line of a security officer's responsibility is to maintain this sort of system hygiene; this is why Anne Marie is passionate about vulnerability management. In a changing threat landscape, vulnerability management is a basic necessity to keep products and clients safe. Of course, this does not make vulnerability management an easy task. Practitioners of vulnerability management must also attend to a variety of factors, from issues of regulation and compliance, to CVSS scores and tooling for contextualization, to determining the way in which vulnerability management should be situated within their broader security program (often as a key driver). Within the world of information security, vulnerability management is one of many complex pieces to juggle together, and people like Anne Marie stand at the center of the balancing act. Anne Marie leaves listeners with an idea of how best to approach information security today, but she also leaves them with the prospect of exciting changes on the horizon in the areas of data governance and bridging the gap between speed and security.

Key Takeaways:
0:17 - Listeners are introduced to Allan Alford and his guest, Anne Marie Zettlemoyer.
1:12 - Allan asks Anne Marie to walk through her day job.
1:56 - Why is vulnerability management important to Anne Marie?
4:13 - Allan shifts to the subject of motivating people to fix vulnerabilities.
6:26 - Anne Marie's broad experience gives her a unique experience.
8:41 - Remediations must be obtainable.
10:27 - Overall, fundamentals, partnership, and understanding are needed.
11:27 - Allan and Anne Marie turn to metrics, tooling, and context.
14:38 - Within the security program, where does vulnerability management fit?
18:00 - How did Anne Marie get into vulnerability management?
20:15 - Her job and its responsibilities require certain things.
20:56 - What keeps Anne Marie in the game?
22:20 - What is she looking forward to in the field?

Learn more about Anne Marie Zettlemoyer and connect with her on Twitter and LinkedIn.
Learn more about Allan Alford and connect with him on Twitter and LinkedIn.
Learn more about The Cyber Ranch Podcast, part of the Hacker Valley Studio family.
Learn more about podcast sponsor Axonius.
Support Hacker Valley Studio on Patreon.
Follow Hacker Valley Studio on Twitter.

The Cyber Ranch Podcast
Behavioral Economics & InfoSec w/ Kelly Shortridge

Feb 3, 2021 · 25:06


Behavioral Economics has altered our perceptions of what actually motivates human beings. How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security? Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation.

Sponsored by our friends at AttackIQ

Podcast: The Cyber Ranch Podcast
Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in products for a security vendor, and she's done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but it was mostly about the gaming-rig-building side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security.

Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice; behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don't always behave in the rational, textbook way, but Kelly explains that often their choices are rational when you factor in competing priorities. In information security, this shows up when folks find themselves reacting to threats that have the most attention, rather than those that are proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work.

Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our “lizard brains,” Allan wonders if we should be optimistic about how we may think and prevent attacks in the future. Kelly isn't so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective; however, knowing how we think doesn't help people think differently. In InfoSec, there are opportunities to continue making the secure way the easiest way, and circumvent the lizard brain. Other industries have been designing systems and workloads based on the way people behave; Kelly says InfoSec is just behind the curve.

As the episode ends, Allan asks Kelly what keeps her still in InfoSec. Kelly says it is spite. There are still inefficiencies, and an industry that pats itself on the back for doing little makes her spiteful, she says. She wants to be an industry member that adds value to organizations and highlights the user.

Follow Kelly on Twitter as @swagitda_ or on LinkedIn at Kelly Shortridge
Learn more about Allan and the Cyber Ranch Podcast at Hacker Valley Studio
Sponsored by our good friends at AttackIQ