
The Cyber Ranch Podcast

Latest episodes

Jun 23, 2021 • 29min

The Journey to Passwordless Authentication w/ Derly Gutierrez

With us today is Derly Gutierrez, Head of Security at 1010 Data, and a veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strengths of today's authentication methods. Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches. Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications. The two discuss corporate and personal use of passwordless solutions, and talk about legal precedent and the future of passwordless approaches.

Key Takeaways
1:14 How Derly got into cyber
1:58 About Derly's day job as Head of Security
2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords
3:35 Allan cites NIST 800-63b
4:15 Derly talks about CAC cards in the US DoD
4:50 Derly sides with vendor innovations over NIST guidance
5:56 Allan clarifies the distinction between PINs and passwords
6:52 Derly points out the flaws with biometrics in terms of reliability and assurance
9:09 Allan cites a survey regarding WHY organizations choose passwordless
9:52 How many 'passwordless' solutions still include shared secrets
10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues
11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches
13:06 Allan points out the value of Identity and Access Management solutions
13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS
14:50 Derly takes these methods apart
16:05 Many companies are not doing Role-Based Access Control, system-to-system communication and Privileged Access Management correctly
17:02 Allan brings up the presence of push attacks
17:38 Allan's definition of true passwordless authentication
17:56 Derly's definition of true passwordless authentication
21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition
23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself
23:47 "Your home is your castle" has become "Your phone is your castle"
25:06 Allan cites one last survey as to how many of us really are passwordless
26:02 How long before we get to passwordless?
28:06 What keeps Derly going in cyber

Links:
Learn more about Derly on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Jun 16, 2021 • 29min

Application Security w/ Taylor Lehmann

With us today is Taylor Lehmann, former CISO several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS. Taylor and Allan talk about application security: why it's important, who the personas are, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers. Taylor, a Boston boy, starts the show trying to say, "Howdy!" correctly. Taylor started at PwC and grew into a healthcare CISO. He has now transitioned to AWS.

Key Takeaways
1:40 How Taylor got into Cyber
2:58 Taylor’s day job
4:30 Appsec Defined
5:49 Taylor's favorite appsec frameworks
7:48 Why appsec is important
8:55 The personas and roles
11:22 Security training in appsec
12:27 Threat modeling
15:11 Infrastructure as code
20:46 How to get started in appsec
24:12 Devs already know and care about security
25:38 Where does the trope come from that devs don't care?
26:52 Why "DevSecOps" is a bad term
28:00 What keeps Taylor going in cybersecurity

Links:
Learn more about Taylor on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Jun 9, 2021 • 29min

Solving The Global Cyber Problem w/ Ian Thornton-Trump

With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology. Ian shares his background, which started in the Canadian military. In those days, "IT" was called "automated data processing", and it is quite clear how far this has advanced. He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence. Soon after, he became a consultant and made his way to the UK in 2015. Oftentimes organizations have not planned or prepared for risk, and that includes cyber. In that sense, cyber can be compared to environmental landscapes and infrastructure, which Ian finds eerily similar. A lot of the problems created in cyber mimic a lot of the environmental problems we face in today’s world. One example is the recent failure of the Texas power grid during a very harsh winter. Investment in cybersecurity is critical. Allan feels there are a lot of environmental laws, but there are already some pretty strict cyber laws as well. However, they seem more aimed at the anonymous or extrajurisdictional perpetrators and end up useless when that anonymity is involved. And some cyber laws seem to punish the victim as well - after suffering ransomware you are now penalized for not being prepared for it in the first place? How can we get laws in place that are helping the situation and not blaming the victim? Ian suggests that positive incentives are the answer. If we can just get companies to do a bare minimum of cyber hygiene, by incentivizing them through tax breaks, Ian thinks we could move the ball forward, without making it too onerous, to meet some sort of regulatory standard. How do we possibly extend our reach? Because at the end of the day, the root cause is the “bad guys”, so how do we get to them? America is already doing a lot, but other countries need to put their money where their mouth is.
Ian and Allan discuss President Biden's Executive Order on Cybersecurity. This can enforce behavior in the government, but only suggest behavior in the private sector. To sum up, we're nowhere, and we need to get somewhere, because what we've done, at the federal and state level in the United States, is taken a lot of dollars, put them in parking lots, and set fire to them. And then after we finished that exercise, we asked for more dollars. We have to change the entire system from the ground up. And we have to incentivize cyber security.

Key Takeaways
1:10 How Ian got into Cyber
2:21 Ian’s day job
4:18 Issues with infrastructure and environment
7:38 Meaningful laws
12:47 Getting to the bad guys
16:35 Catching “Fred Smith” or someone like him
17:43 Rewards
21:17 Preparedness and helplessness
23:43 Einstein program
26:24 What keeps Ian going

Links:
Learn more about Ian Thornton-Trump on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Jun 2, 2021 • 26min

FAIR from the Trenches w/ Drew Brown

With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR, his real-world usage of it, and testing it in the trenches. Drew shares a little bit about his background in cyber, and a little bit about his day job. He spent 15 years in IT. That opened the door for him to be the CISO for one of the state agencies. Now his title is IT Security Manager, but essentially he is responsible for communicating security and risks and working within a law enforcement agency to make sure that what is implemented is secure, is compliant, and meets all of the agency objectives. With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, a nation state, some kind of industrial espionage, a hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information. The probability of a guy sitting in his basement ordering pizzas on your credit card is a different probability than a nation state. On the impact side, we look at six different categories of risk: there's loss of productivity, and there's loss in terms of response: how much money are we going to spend, or have to spend, to resolve that loss event, that incident? The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely value, and what the loss magnitude is at that most likely value. Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.
Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions. Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely! Where FAIR falls short also comes up. After reflecting, Drew says that it is in the controls analysis piece. Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy that relationship with my counterparts and then also establishing those relationships with the business and seeing the problems solved.” What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.

Key Takeaways
1:15 Drew shares his background and day job
2:20 FAIR model
2:56 How FAIR works
5:13 Probability
8:45 What drove you to FAIR
11:42 Goal of FAIR
13:30 Selling to the board
18:16 The honest hat
22:17 RSA announcement
23:32 What keeps Drew going
24:49 What Drew looks forward to

Links:
Learn more about Drew Brown on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
May 26, 2021 • 29min

Clever Hiring Practices w/ Andy Ellis

With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches. Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures. Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team. For new roles, look and see if you have somebody who's almost senior that you can promote to do that job, and backfill the almost-senior person instead. Try not to hire senior people; try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other. Now that we have covered the promote-from-within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO, and yet are really, really effective and repeatable. Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that. Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers. Hire teachers. Put a teacher in a position, learn how deep they need to go on a daily basis, and then make sure they get one level deeper,
because you're always going to have problems if you teach exactly to your domain knowledge. So, make sure your domain knowledge is always a little bit deeper than whatever your job requires, which is usually going to be sufficient to keep you out of trouble. To wrap the show up, Allan asks, “Why aren't the rest of us catching on, because this is some amazing stuff that every single hiring manager in cyber could benefit from?” According to Andy, the simple answer is that it's expensive, and it takes a lot of time to do right. Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."

Key Takeaways
1:24 Andy shares his background and how he got to cyber
3:12 Working for a venture capital firm
7:12 Hiring and building a team
12:26 The abnormal hires that just make sense
15:46 Clever role adjustments
17:10 More nonstandard hires
19:03 Confused? Whose confusion is it?
21:02 The academy
24:42 Putting a teacher in
25:21 Budget technique
27:09 Why isn’t everyone hiring this way?
28:30 What keeps you going in cyber?

Links:
Learn more about Andy Ellis on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
May 19, 2021 • 30min

Measuring Risk w/ Richard Seiersen

Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”. Richard shares that at his first CISO position he was challenged with addressing the prioritization of risk, which led to his authoring a book with Doug Hubbard. What can cyber learn from older risk disciplines? The life table, used broadly to measure time-to-event data, goes back 500 years. Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix, which is an inconsistent, non-math-based method. Without math it is really just casting spells in the board room. There are no ratios or explanations of differences, for example. CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and we can make them measurably better. Consistency is key. Wild guesses can still help constrain the forecast. There are existing models in cyber, such as FAIR, that provide a more mathematically applied approach. Statistics came about because people needed to make bets with limited data. Dirty data can be worked with. Embracing uncertainty is okay. Executives are actually very used to uncertainty. Cybersecurity as a practice is in its adolescence, with a high mortality risk. We need to adopt the grammar of science.

Key Takeaways
0:25 Richard is introduced
1:20 Richard talks about his cyber journey and his day job
3:02 Book talk
5:19 What can cyber learn from older style risk tactics
8:04 5x5 risk matrix
10:05 Improving accuracy
17:00 Gathering an accurate view
19:20 Monte Carlo simulations
22:04 The belief
25:17 Board-ready presentations
26:58 What keeps Richard going in cyber security
28:09 Why statistics were invented

Links:
Learn more about Richard Seiersen on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
May 12, 2021 • 29min

Becoming a CISO w/ Accidental CISO

With us today is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity. “Accidental” shares how he got into cyber, which was the culmination of a career in which he had to wear “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting, where he has the opportunity to help other people realize they need to build security programs when they have never done it or don't know how. How did he become the “Accidental CISO”? Simply by trying to help during the course of going through an audit. They had to identify who the CISO was, and he made the mistake of asking who the security officer was for the company. The answer was, “That’s you.” Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits, etc., someone has to be named, and someone ends up drawing the short straw. The role is different than what people think. You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it. One must understand that this is not a technical role. Allan shares his pivotal moment in becoming a CISO: realizing that all he had to do was recognize the business as the system he was hacking. When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word: “Pray.” In reality, you need to know the skills you need. Allan and Accidental CISO discuss “selling the functions”. It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints. As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.
Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit. In addition, being the first CISO for a company is all about educating, communicating and painting a picture. And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”

Key Takeaways
0:30 Introduction of Accidental CISO of Twitter fame
1:37 How Accidental CISO got into cyber
2:14 Accidental CISO talks about his day job
3:33 The background of Accidental CISO
4:49 The security tool Accidental CISO embraces
5:20 Accidental CISO is not an uncommon “thing”
6:37 Advice to becoming a CISO
9:28 Allan shares a pivotal moment
10:15 Guidance on building and getting a team started
13:58 Selling the functions
16:55 Getting the practice off the ground
20:13 Importance of relationships and letting go
22:24 Being “their” first CISO
26:47 Building a security council
27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it

Links:
Learn more about Accidental CISO on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
May 5, 2021 • 27min

Breach & Attack Simulation w/ Marlys Rodgers

Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She is currently CISO for CSAA Insurance Group and is running security for the company as well as governance, risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing. Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program. Marlys feels BAS is most effective when some, or most, of the intended controls are in place, so you can focus on the areas you need to strengthen. For her company, she was glad they did it earlier rather than later; they had a pretty good lead time to get systems to integrate. The way you use BAS, especially along with threat intelligence, is really important. If you don’t have a purple team, or a red and blue team, how does one start, or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best! How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit, and they become strong allies. Everyone is happy when fed real-world, real-time information. BAS is truly changing mindsets, and will ultimately alter prioritization and enhance inter-team communications as well. To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.

Key Takeaways
0:21 Welcome Marlys
1:13 Short comical discussion on how one should pronounce BAS
1:29 Marlys shares her background and day job
3:35 When BAS comes into the picture
5:00 The trick
6:05 Allan asks Marlys how she stays up with it
8:52 Marlys explains why more time should be spent on extending capabilities
9:38 Suggestions are shared to roll out BAS
12:21 Importance of human elements
13:45 If you don’t have teams, what happens?
16:18 How BAS affects conversations with teams
20:00 Importance of transparency
21:27 Changing people, process and technology with BAS
25:00 Marlys shares the reason she is motivated to stay in cyber
26:01 Marlys shares what she is looking forward to in cyber

Links:
Learn more about Marlys on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
Apr 28, 2021 • 28min

Enterprise Security Architecture: A $110b Case Study w/ John Petrie

With us today is John Petrie, Counselor to the NTT Global CISO. He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe. After retiring from the Marines in 1996, John began his career in multiple security positions. He shares that his major responsibility today is creating the enterprise security architecture (“ESA”) for NTT. Allan used to work for NTT DATA Services, and shares that John is working for the ultimate parent company of the NTT global conglomerate – a full 3 companies of inheritance between John’s company and Allan’s former company. John shares just how big NTT really is throughout 180 countries. Altogether there are 986 companies worldwide, generating over $110 billion in revenue each year. NTT is #62 on the Global Fortune 500. John shares the full gamut of what an enterprise security architecture really is, how important it is and what it does. There are nine principles to building his ESA, and John outlines them while acknowledging that it is different for every company. Nowadays, systems are designed for mobility, usability, management, and innovation around the core. Simplicity and resilience are a must! Further on down the show, Allan and John discuss the 3-year cycle of both technology and business planning, and that not everything is “one size fits all”. In addition, they talk about mixing and matching popular ESA models, and what that means to the framework. There is a bit of discussion surrounding what it means to “have a seat at the table” as an information security executive. Everyone needs to be on the same page, to have business buy-in and to create strong business relationships. Security is one of those business voices, and everyone is in it together. In closing, Allan and John talk about how the focus is not only on technology but on governance and training to get ready for implementation.
Along with this, there are fundamental strategic decisions to be made, but ultimately, on the large scale, it is all about execution and governance.

Key Takeaways:
0:24 Introduction of John Petrie
1:27 How John broke into cyber and how his job looks today
3:08 We get the low-down on how big NTT really is
4:55 Everything you need to know about ESA
6:46 John shares the 9 principles that provide a foundation for his ESA
6:55 “Aligned Independence”
7:44 “Standards-Based”
7:53 “Manage the Risk”
8:15 “Platform-Based Architecture”
9:49 “Design for Mobility and Usability”
10:00 “Innovate Around ‘The Core’”
10:32 “Simplicity and Resilience”
10:36 Global Remote Work at nearly 100%
11:30 “Supporting Digital Transformation & Strategic Plan”
13:04 Allan and John discuss 1-, 3-, and 5-year cycles
14:40 Not everything is one size fits all
17:02 Length of the process John is currently in
19:15 What occurs during this process
20:44 John shares the plan goal
22:33 The one directive from their CEO
24:16 Fundamental strategic decision
26:41 The large scale
27:31 The key takeaway from this entire discussion according to John

Links:
Learn more about John on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
Apr 26, 2021 • 29min

Programs for Women & Veterans in Cyber w/ WiCyS - SPECIAL EDITION

With us today are Lynn Dohm, Executive Director of Women in Cybersecurity (WiCyS), and Martha Laughman, Veterans Initiative Lead at WiCyS and Director of Workforce Development at Smoothstack. Lynn and Martha are here to talk about the amazing programs for women and women veterans at WiCyS. WiCyS is so much more than a conference for women in cybersecurity. Its presence spans the globe and its programs are myriad. Mentorship, student scholarships, training, special interest groups, job boards, veterans' assistance, and apprenticeships are all available. Smoothstack is a partner of WiCyS, and has created a program for women veteran apprenticeships designed to benefit all parties involved. The program is based on attitude, aptitude and initial assessments, but requires no cybersecurity knowledge at the start. Apprentices are paid, trained, and qualified when they come out, working for employers on a two-year contract at a minimum. The program addresses employers' fears over being the first ones to hire and train new talent only to lose them. WiCyS is a phenomenal organization, and there are ample opportunities for allies - not just women - to join.

Key Takeaways
0:24 Allan introduces Lynn and Martha
1:18 Lynn gives an overview of WiCyS' origins
2:06 Lynn explains the many WiCyS worldwide programs outside of the conference itself
6:45 Lynn introduces the veterans' assistance program
7:33 Lynn explains the origins of the veterans' apprenticeship program
8:54 Lynn explains why WiCyS chose Smoothstack and its program for women veterans' apprenticeships
10:14 Lynn explains the specific challenges and needs of women veterans
11:51 Martha shares a bit about her past, and her personal motivations
15:05 Martha elaborates on the program at Smoothstack with a very human story
17:14 Martha outlines the full process of the apprenticeship program
18:10 Martha outlines the tests for entry into the program
20:44 Martha states that employers hiring new talent suffer training overhead followed by attrition
21:40 The Smoothstack/WiCyS program pays candidates to get trained to readiness and guarantees employers two years minimum
23:40 Martha explains that cybersecurity has become a sellers' market and that jobs remain open because employers cannot pay enough
26:20 Lynn explains her motivation and drive to build such programs
27:23 Martha asks our listeners to join WiCyS, noting that membership is very affordable
28:23 Lynn echoes Martha's advice and recommends browsing the WiCyS website
28:47 Allan asks listeners to donate to WiCyS

Links:
Learn more about WiCyS at www.wicys.org and on Twitter and on LinkedIn
Learn more about Smoothstack at smoothstack.com
Learn more about Lynn Dohm on LinkedIn and on Twitter
Learn more about Martha Laughman on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
