
The Cyber Ranch Podcast

Latest episodes

Oct 9, 2024 • 36min

A Cybersecurity Program to Emulate? A Powerful Formula with Jason Shockey

Jason Shockey, CISO of Cenlar FSB and 25-year veteran of cybersecurity, has a formula for running an excellent cybersecurity program. He studied a great deal in his various cybersecurity roles before leaping into a CISO role, and the studying paid off! Jason, Allan and Drew discuss the following:
- Identifying common pitfalls
- Promoting team well-being and efficiency
- Engaging and educating the board
- Strategies for effective program design
ALL in the span of one rapid-fire show! Do give it a listen, as you will learn about many valuable approaches and resources to help your program succeed. Y'all be good now!

Oct 2, 2024 • 44min

Cyber and Social Media as Warfare with Dave Schroeder

Cyber as a precursor to kinetic warfare? What about cyber AS warfare? And social media infiltration and propaganda? Join Allan and Drew as they invite Dave Schroeder, a renowned expert in this field, to discuss the active use of cybersecurity and social media as warfare between the Western World and China, Iraq, Russia and North Korea. They cover:
- Insertion of fake IT employees into key companies
- Political influence operations (divide and conquer)
- Precursors to kinetic war being the smallest tip of the iceberg
- Philosophical differences between nations, and governments serving themselves
- Cultures of trust in the West, and how those are not so self-serving
This one is very sobering and perhaps the most important show of the year... Y'all be good now!

Sep 25, 2024 • 37min

The Case for Regulation with Tim Brown

Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Tim Brown. If you don’t know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us. Or maybe in a way, he is all of us, really. Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch. The topic today is cyber regulation. It can range from self-regulation to associations, principles, practices, lobbying – all the way up to full government regulation. What works? What’s required?
Topics covered:
- What is the case for regulation?
- What are the basic rules that provide us coverage and clarity?
- Not knowing the rules makes people nervous and afraid...
- Document your own processes, procedures, JDs, what you do, what you don't do. Make it clear!
- Rigorous banking industry regulations exist already. How onerous are they? How badly would they fit the rest of us?
- Perhaps a GAAP (generally accepted accounting principles) equivalent is desired?
- Process/procedure vs. 'Thou shalt never have a vulnerability!'
- Heavy-handed governmental oversight - defining a standard of care and turning that into something people can stand behind?
- Remember that Sarbanes and Oxley were people. Real people.
- Is regulation required to create a more positive environment in the way SOX does?
- What does the public-private partnership need so that the rules created are good and realistic and improve cybersecurity for the world?
- REGULATION IS COMING! THE CISO COMMUNITY MUST BE A PART OF THAT REGULATION!
- Have we had a cyber Enron, and do we need one? That was the real catastrophe that launched SOX...
- Regarding GAAP, accounting is deterministic vs. dynamic - can a cyber GAAP ever exist given how dynamic we are?
- The compliance world: principles-based vs. rules-based regulation - a more practical model. It may not move the bar enough, but it's a good starting point.
- Should a whole field of security auditors exist like accounting auditors do? We are youngsters in this craft still...
- Is the accounting world really the best metaphor? Auditors, forensic accountants, etc.?
- Another model is the medical world - malpractice, specific rules and regulations on specific surgical practices?
- What about a national CISO board or association like the NACD or the American Psychological Association?
- What about boards like medical review boards that approve specialties?
- Lobbying
- How to fund this?
- Who should be doing the doing? Inclusivity vs. sound gatekeeping.
- A barber has to be licensed to cut hair - should we get licensed?
- This conversation was around with software engineers long before it was with cyber folks. We learned that self-policing did not really work...
- The challenge is one of not shackling the business, or at least not appearing to, and the subsequent pushback.
The call to action is ultimately this: if you don't have a seat at the table, folks will do things to you rather than with you. So get involved! Y'all be good now!

Sep 18, 2024 • 43min

You're Hiring Wrong! with 3 Guests New to the Industry

What can we established cybersecurity practitioners ACTUALLY do to help those new in the field, besides blathering back and forth about the problem in the echo chamber that is LinkedIn? Drew got the clever idea of inviting three folks who are brand new to the field or have barely started on their cyber journey, and, get this: ASKING them what they're experiencing and what they need! Clever, huh? It's an eye-opening show for a CISO. We are joined on this week's episode by Amé Venter, May Ferreira, and Bryce Hill, who share their perspectives from their early stages in this field. It's a sobering perspective. To a certain extent, they've all been lied to and led on, and that's all of our faults.
Key takeaways:
- Prodsec/Appsec might get you out of being a cost center in cybersecurity, but no intro programs seem to show folks how to get there.
- Certs aren't enough. Education is not enough. It is HARD to get started.
- Internships sound great, but even after you have secured one or two of them, entry-level positions remain elusive. Especially "entry-level" positions that require experience.
- Innovative programs like the one Bobby Ford is doing over at Hewlett Packard Enterprise are a huge leg up, but such programs are few and far between.
- There are a lot of folks standing outside the doors to our industry who were told this was the promised land. But there they are, still standing and peering in, waiting for an invitation.
CISOs, please listen to this show. Please re-think your hiring strategies! Y'all be good now!

Sep 11, 2024 • 41min

Data-Driven Cybersecurity with Wade Baker

Howdy, y’all! Our guest today is Wade Baker, cybersecurity researcher, entrepreneur, professor… Wade is a Board of Directors member of the FAIR Institute, was an Advisory Board Member at the RSA Conference, was VP of Strategy & Risk Analytics at ThreatConnect, and is now Co-Founder of Cyentia Institute, which aims to advance cybersecurity knowledge and practice through data-driven research. Wade joins Drew and Allan to talk about (go figure!) data-driven cybersecurity. The three smash through a lot of assumptions and get to the heart of what is really going on in cybersecurity.
Questions covered:
- What is the Information Risk Insights Study (IRIS)? (cyentia.com/iris/)
- What is a good summary of the IRIS Ransomware report?
- How can organizations out there be more data-driven?
- Analyst whitepapers vs. real data research – what are the differences?
- Who else can mine data like this?
- What truths do people resist, or what do they fail to embrace?
- What are the sacred cows and the “inflatable cows”?
- Is the cyber job shortage a real, data-backed problem?
- The desire for “flat math” vs. curves (the 5x5 grid)…
- Measuring the problem side vs. the solution side…
- Actual best practices vs. common practices…
- Insurance industry data and why they don’t share it…
- Much of what we do does not affect the realities of our cyber risk.
- Stepping back from all of this, what is the value in data-driven industry analysis of this sort?
- How does one sponsor IRIS publications?
Y’all be good now!

Sep 4, 2024 • 48min

Successful Clarity & Successful Communication with Michael Santarcangelo

Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Michael Santarcangelo, Founder and President at Security Catalyst. He’s a former podcaster – co-creator of Business Security Weekly – and he even did a stint on Down the Security Rabbit Hole with Raf and James. True fact: hearing Santa (as his friends call him) and Paul Asadoorian on Business Security Weekly is what inspired Allan to become a podcaster in the first place! But Santa has done the practitioner and the leader things as well, and got his start way back on the Global Security Team at Andersen Consulting… Santa joins Drew and Allan to discuss effective communication…
- The communication problem we’re trying to solve is not the one we think it is!
- “Communicating the value of cybersecurity” - what does that mean, really?
- Clarity vs. communication: message received and understood... It’s clarity of thinking, action, and outcomes that creates the ability to communicate effectively.
- If that is the case, then what matters is how OTHERS measure our success, and how is that aligned or not with our own perceptions?
- How do we measure success in communication? Is it how they measure it?
- What is the goal of communication? (And why do we say that instead of ‘the goal of good communication’?)
- How do we get perspectives? (We ask.)
Y'all be good now!

Aug 28, 2024 • 32min

What Is In Your Commercial Software? with Sasa Zdjelar

Your organization runs on commercial software far more than it does on open source. But all you are delivered is binaries. What is your technical control to ensure that you are safe from this software? Such software is composed of:
- Open source libraries
- Proprietary code
- 3rd-party proprietary libraries
You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc. Well, now you can. SBOMs are just the beginning... Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, which has spent 15 years solving this highly specific and highly challenging problem in cybersecurity. The show is not sponsored by ReversingLabs. Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand... Y'all be good now!

Aug 21, 2024 • 40min

People, Process & Technology: Technology with Ross Young

In this engaging discussion, Ross Young, a prominent figure in cybersecurity known for his community contributions, delves into the evolving triad of people, process, and technology. He questions whether this traditional framework still holds in a rapidly changing landscape. The conversation shifts to AI's role in potentially replacing human jobs in cybersecurity, alongside the critical need for swift responses. Young also examines the future of data science shaped by large language models, emphasizing the importance of adaptability and accountability in this tech-driven world.
Aug 14, 2024 • 33min

People, Process & Technology: Process with Malcolm Harkins

Howdy, y'all! In part two of our three-part miniseries, we tackle Process with Malcolm Harkins. Malcolm is former CISO at Intel, a good friend of Allan's, former Cylance Chief Trust and Security Officer, member of the board of directors over at TrustMAPP (where Allan used to be COO), and is now at Hidden Layer, working to secure AI. Hidden Layer did not sponsor this show. Allan, Drew and Malcolm discuss the following:
- People, process, technology – what is the role of process in that triad?
- How do we craft good process? What part of process definition is capturing the as-is state vs. being aspirational?
- How do we ensure good process is followed?
- When should technology drive process vs. process drive technology?
- Where does process traditionally fall short?
- What would you improve about process in general?
- Tell us a bit about Hidden Layer, as this is some very new technology...
Thank you for listening! Y'all be good now!

Aug 7, 2024 • 13sec

No Show This Week - Black Hat 2024 Is Afoot!

Thanks for listening, y'all! Our next show is all about Process (we already did a show on People), and after that comes Technology. Y'all be good now!
