
The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Latest episodes

Sep 1, 2021 • 28min
Humans Are Not the Weakest Link in Cybersecurity w/ George Finney
Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future.
George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity.
He believes that the community as a whole underplays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general.
Key Takeaways:
00:18 Intro/Bio
01:25 George’s story
04:27 Humans are not the weakest link in cybersecurity
07:17 How habits affect security awareness
08:30 The 9 habits and forming your cybersecurity personality
14:05 How secret keepers build a community
17:30 Potential improvements to security awareness training
22:22 The origin of the nine habits
26:50 What surprises George about cybersecurity still?
Links:
Learn more about George on LinkedIn and on Twitter and buy his book!
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Aug 25, 2021 • 29min
Does SOAR Meet Its Promises? w/ Benjamin Corll
Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).
Benjamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and its lack of standards as well.
But it is not all negative - Benjamin also shares stories of SOAR's successes in his shop, and of the things it does do well...
Come on down the ranch and give this show a listen!
Key Takeaways:
0:09 – Intro
0:55 – Benjamin's background and day job
3:46 – The premise and the promises of SOAR
6:32 – What else could be automated?
9:25 – Benjamin explains the trouble ticket system and the change management system
11:57 – The standards for SOAR today
17:19 – How do we improve the cyber posture of all our organizations, making them more secure?
19:34 – Has SOAR managed to stay affordable for those who need it?
22:54 – What SOAR does well, the benefits and the value
26:35 – What has surprised Benjamin the most in information security
Links:
Learn more about Benjamin Corll on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Aug 18, 2021 • 28min
The Modern CISO w/ James Azar
Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches to the job. James defines the cultural shift between the old and new as having taken place since September 2017 (the Equifax breach).
James and Allan discuss the impact on the team, business, clients, and customers, and share their thoughts and experience on how to stay modern. “What keeps you going in cybersecurity?”, the signature final question for each guest, has been replaced with “What surprises you the most in cybersecurity?” James is the first guest to answer that question, and his answer is a bit of a surprise itself…
Key Takeaways:
0:16 – Intro
1:04 – Bio
2:00 – The modern CISO contrasted with the older CISO
4:46 – What does the modern CISO mean to the team, business, clients and customers?
7:10 – How to interact with the business: building relationships, teams, meetings…
11:18 – How James Azar puts forward a message of security for the company
11:52 – Security Questionnaires and what is wrong with them
12:20 – Picking on SOC 2
12:39 – Operationalizing security within a client customer relationship
14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions
17:50 – How the word “no” keeps the business and team from moving forward
18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk
19:40 – Automation on the technology front and how it changes the modern CISO’s perspective
20:30 – COVID-mandated lockdown and the implications for workers in countries around the world
23:19 – Automating all entry-level positions and bringing entry-level people up
25:45 – What surprises James Azar the most about cyber security
Links:
Learn more about James Azar on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Aug 11, 2021 • 31min
Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit
In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.
Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?
Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.
Key Takeaways:
0:43 – Intro
1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?
2:47 – Patrick discusses his own approach to Mustapha’s statement
3:26 – The evolution of CSF adoption briefly discussed and the importance of protection
6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all
9:50 – Maturity models
13:32 – Security strategies
19:56 – The guests answer: What were the toughest challenges working with a framework?
21:56 – The guests share their best success story with frameworks
23:51 – The guests share their journey on business integration
27:56 – The influence of regulation and other requirements
Links:
Learn more about Derly on LinkedIn and Twitter
Learn more about Mustapha on LinkedIn
Learn more about Patrick on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Aug 4, 2021 • 26min
Burnout, Toxicity, and Overcoming Obstacles w/ Marilise de Villiers
On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.
Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.
They discuss obstacles, and how big obstacles should be embraced. They also talk about "exercising the resilience muscle".
This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.
Key Takeaways:
1:11 How Marilise got into information security
2:29 About her coaching and consulting practice for information security professionals
3:53 Avoiding CISO burnout despite our intrinsic challenges
5:08 External forces but also our own self-defeating behaviors
7:01 Clarity on who you are and why you are here
9:31 "I am" is the first negative step towards internalizing toxicity around us (neuroplasticity)
11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization
12:21 Marilise has a similar story
14:29 Facing futility and hopelessness in information security
15:19 Caring too much vs. business problems as a control and communication problem
18:23 How to perceive our biggest obstacles
19:28 Get professional help to strengthen your resilience muscle
20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your superpowers' coaching (and other trusted coaches)
21:49 Your best life is on the other side of your biggest obstacle
21:59 There is always another obstacle
23:22 Living your best life TODAY
24:15 The value of resilience and embracing big obstacles
24:57 Marilise's reason for being in cybersecurity
Links:
Learn more about Marilise on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Jul 28, 2021 • 28min
Migrating from Monolithic to Cloud w/ Greg Rogers
In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy applications (monolithic, internally facing, manually tested, waterfall-developed) to the cloud: customer-facing applications built with modern development languages and environments, delivered through CI/CD with automation.
Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications. In this episode he gives tips on the technical aspects of his journey, as well as tools and techniques for overcoming cultural barriers.
Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.
Ultimately, Greg was able to pull off this transition piece by piece, and he shares how he was able to do it.
Lastly, Greg closes with what keeps him going in cybersecurity...
Key Takeaways:
1:19 How Greg got into cyber
4:12 An overview of the challenge
6:39 Greg's biggest security challenges with the project, both cultural and technical
8:06 The value of engagement and relationship building
8:41 Targeted security awareness training
9:10 Make security fit with what they are already doing for their day jobs
9:25 Regulation as a driver for change
11:32 The challenges posed by regulation
12:06 The challenges of remote access
13:50 How to eat the elephant one bite at a time
14:11 VDI to migrate portions to the cloud
15:29 Identity & Access Management, CASB, SASE, etc.
16:53 Leveraging outside help
18:13 Selecting and settling on a good MSSP
20:21 In-house development vs. off-the-shelf and leveraging external developers
22:43 What the CISO provides in this scenario
24:02 Focusing on the 'gray' areas of security over the black and white
25:25 Improving the security culture and CISO relationships
26:49 What keeps Greg going in cybersecurity
Links:
Learn more about Greg on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Jul 21, 2021 • 27min
Credential Stuffing w/ Dr. Sam Small
In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.
Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.
Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing. OWASP provides some guidance in this area.
The criminals' capabilities vis-à-vis breach sharing and botnet-as-a-service are discussed as well.
Finally, Sam explains what keeps him going in cybersecurity...
Key Takeaways:
1:08 Sam's background and education in cyber
2:41 Sam defines credential stuffing and explains why we should care about it
4:17 The origins of the term 'credential stuffing' vs. its history
4:39 Is ransomware the end goal of every single kind of cyber attack?
5:22 Botnets as a service to drive credential stuffing attacks
6:33 Allan cites statistics from the Verizon Data Breach Investigations Report
7:23 The DDoS aspects and related cloud costs of credential stuffing
8:48 Sam's theory on why the F5 report's credential stuffing statistics appear somewhat contradictory
10:43 Anecdotally at least, password reuse still appears to be a huge problem
11:51 Combating credential stuffing and common traps in doing so
13:23 Credential stuffing and data breaches are not the same thing
14:17 Getting credential stuffers shut down by way of their service providers
15:25 Practical tips from OWASP for preventing credential stuffing in your environment
19:10 The difference between a comprehensive defense and not
20:32 Are obscure usernames useful in the fight?
22:06 Proposal for user-centric federation to monitor account usage everywhere
23:06 Obligations of those who suffered a breach of credentials
25:14 Criminals share data on their side
26:09 What keeps Sam going in cybersecurity
Links:
Learn more about Sam on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Jul 14, 2021 • 30min
“Ugly Exits” w/ Naomi Buckwalter
On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security. Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.
They circle back to the topic at hand, “Ugly Exits”. Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner. Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.
When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting its employees in unethical situations. To Naomi, this is a frighteningly common thread. It's scary how many unethical employers are out there.
Naomi shares a personal story of her ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.
Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there. He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.
Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit. In fact, as humans, they feel we sometimes fail to appreciate the bad things that happen to us, which let us appreciate the growth and the improvements we have made throughout our lives. Reflect back and think about all that you have survived in your past. Out of that self-awareness comes the opportunity to improve.
A large portion of growth, whether personal or work, comes from self-reflection. One can learn from it, grow from it and figure out how to navigate the situation should it arise again. Could it be that thinking we are the hero of our own stories is hurting us?
Key Takeaways:
1:25 Getting into Cyber
3:22 Burning Bridges
8:56 Mismatches
14:18 Reflecting
19:43 Humanity
23:28 The Firing and One’s Value
28:45 What Keeps You Going
Links:
Learn more about Naomi on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs

Jul 7, 2021 • 26min
Agile for Security Programs w/ Tim Rohrbaugh
On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.
Tim got into cyber through the military. From the military he went into consulting and ended up at JetBlue. At JetBlue, he is always trying to find ways to invest dollars in security programs to balance what is going on. Along with that, he strives to keep his team motivated and moving forward.
Agile is a software programming methodology, and it replaced Waterfall. Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.
Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics. Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'. QA is very rapid as well, leading to rapid release. Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.
In Agile, product owners come up with ideas and thread those through marketing and development. In applying this paradigm to running a security team, Tim replaces product owners with threat intelligence folks.
This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.
But Tim does not stop there. Anyone on the team can create and manage a story to address any specific and immediate security need...
Key Takeaways:
1:10 Tim’s background and day job
2:08 JetBlue
2:39 Introduction of Agile
3:57 Tim’s approach
6:15 How Agile is used
8:31 Threats addressed
9:46 Story sourcing
11:03 Creating the story
12:48 Narrative skill
14:08 Metrics
15:53 Risk management aspect
19:00 Not using risk
21:38 Positives
23:20 What keeps Tim going in cyber
24:42 What Tim is looking forward to in cyber
Links:
Learn more about Tim on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ

Jun 30, 2021 • 28min
All About Analysts w/ Christina Richmond
With us today is Christina Richmond, Program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.
Allan starts the episode by asking Christina to share how she got into cyber and what her day job is like. Christina actually began by working in the storage space, and then discovered security. To her it was like a drug. What does she do throughout her days? She partakes in hundreds and hundreds of calls with companies who need help with launches and marketing, specifically in growing areas of cybersecurity. In essence, there is a lot to being an analyst. But to be successful, you have to be curious!
The best way to put Christina's job in words is "learning the whole from the parts." She talks with individual players, studies market trends, and then circles around again to piece it together. One big feedback loop.
On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. Certain qualities are necessary: first, understanding the technology; next, either having been an analyst before or being in market research of some kind; finally, the soft skills or executive presence.
Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.
In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.
The bottom line for Christina is helping; it is her favorite thing to do. When it comes to changing things, Christina wouldn't throw anything out but would have more people doing more of the work. Because really, there is a resource shortage in the analyst realm.
Finally, Allan asks the one question he asks of all his guests: "What keeps you going in cyber, why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber?"
Christina responds, "Every day, there's a new breach, every day someone is suffering because a Florida water system was poisoned or because the oil and gas pipeline has been interrupted, and we're not going to have gas at our gas stations or because you name it. There are so many reasons to get up every morning. And, I think every cyber security person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me."
Key Takeaways:
1:17 Christina’s background
3:02 An analyst’s day job
6:02 Learning the whole from the parts
7:46 We’re hiring
11:02 Staying informed and in the game
13:05 Non-technologist
14:22 Plight of the analyst
16:38 Favorite part of the job
18:44 What would Christina change
19:35 How to get the best engagement
23:11 Storytime
25:55 What keeps Christina going
Links:
Learn more about Christina on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius