The Cyber Ranch Podcast

Latest episodes

Jul 31, 2024 • 39min

People, Process & Technology: People with Jeremiah Roe

Jeremiah Roe has held many roles in cybersecurity: Field CISO, Red Teamer, Advisor, Consultant, etc. He currently advises for OffSec, who provide quality cybersecurity training. Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series - each of the three shows exploring People, Process and Technology respectively. The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:

People, Process, and Technology - Which is most important?
If they knew what we knew about cybersecurity, would they behave differently?
How to leverage training budgets for a win-win-win.
People gonna peop, businesses gonna biz.
Incentivization, Positive Reinforcement and Deputization
Enabling camaraderie - not just good culture
Groupthink and Tribalism

Join the three as they ride the cyber trails of "People" in the PPT triad! Y'all be good now!
Jul 24, 2024 • 38min

Practical Security Architecture with SABSA with Andrew Townley

In a captivating discussion, Andrew Townley, a seasoned SABSA consultant, clarifies the practical implications of the SABSA framework despite initial skepticism from hosts Drew and Allan. He argues that SABSA transcends academic theory, focusing on achieving tangible business outcomes. The conversation explores its relevance to modern engineering practices, the challenges of adoption, and the integration of risk management. Andrew also highlights the influence of Russell Ackoff, linking systems theory to practical business solutions, leaving the hosts eager to learn more about SABSA.
Jul 17, 2024 • 39min

Corporate Social Responsibility - The New Model for Cyber? w/ Drew Simonis

Hang on to your saddle for this one! Drew Simonis joins Allan as his new co-host in a show where the two of them explore alternative models for selling and funding the cyber mission! You probably know about corporate social responsibility initiatives. Did you know that it's not a new idea in the history of capitalism, but rather a throwback? Before shareholder capitalism, there was stakeholder capitalism: Stakeholder capitalism proposes that corporations should serve the interests of all their stakeholders, and not just shareholders. Stakeholders can include investors, owners, employees, vendors, customers, and the general public at large. The focus is on long-term value creation, not merely enhancing shareholder value. Drew walks Allan through some very compelling arguments in favor of this model, and Drew and Allan together tie it to how CISOs can implement and fund cybersecurity...

Random highlights:
1. The short-sightedness of quarter-over-quarter thinking
2. Comparison to the Chinese Communist Party, who gets a big thumbs down from both Drew and Allan, but who do get credit for being able to enact truly long-term plans.
3. Jack Welch and other prominent CEOs advocating for aspects of stakeholder capitalism
4. Random tie-ins to cybersecurity all throughout.

Allan is stoked to have Drew join him as co-host, and this show is most definitely one of the more philosophical episodes, while still grounding itself in the practicalities of running cybersecurity programs. Y'all be good now!
Jul 10, 2024 • 29min

Managing Threats Throughout the SDLC with Tomer Schwartz

Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Tomer Schwartz, co-founder and CTO over at Dazz. Yup! He’s a vendor! And OMG he’s a sponsoring vendor too! Whatever will we do? But wait, y’all know Allan's rule: Vendors are allowed on the show if and when they can add more value on a given subject vs. any practitioners in The Cyber Ranch network. Tomer fits that bill perfectly! Tomer has worked in the Microsoft Security Response Center, he’s the former Armis co-founder & CTO, current co-founder & CTO at Dazz, who is a leader in the Application Security Posture Management space. Tomer is also a coffee aficionado. Now what does Dazz do and why did we ask Tomer to be on the show? Dazz is in the Application Security Posture Management space, which is relatively new around here, but they also collate and track threat exposure realtime, and also secure the SDLC in a DevOps’y way...

Questions

The elephant in the room is Gartner’s newest category in this space. Some say ASPM fits into CTEM, which is Continuous Threat Exposure Management for those behind on eating their alphabet soup. Tomer, what’s your perspective on that?
Let’s talk about the problem in the ASPM/CTEM space: noise / too much data, no context, limited visibility from code to cloud and everything in between. For real, most solutions suck, as their single pane of glass is a very, very dirty pane of glass, and no amount of Windex is going to help. And our listeners know we believe in 3-4 “single” panes anyway. Is there such a thing as a single pane of glass in the ASPM space? Do we want a single pane? How does it play nicely with my “single” panes from other spaces?
Here comes the can of worms: Can AI help with this?
Gartner says by 2026 40% of enterprises will have an ASPM solution - do you agree?
And then there’s good ol’ UVM - Unified Vulnerability Management. Feels like a past promise that didn’t deliver. And it hasn’t addressed DevOps or even Dev very well at all IMHO. What’s your take?
How should CISOs be thinking about all of these technologies and practices? It can get very complicated very fast and if it’s not done right the devs will run screaming.
Where is this all headed? What’s the ideal future state in this space?
Here’s your chance to tell thousands of CISOs and other high-level practitioners what you want them to know. What do you want them to know?

Check out Dazz at https://dazz.io
Jul 3, 2024 • 30min

Measuring Leadership (And Followership!)

Discussing the nuances of leadership and followership, the podcast explores the importance of measuring both aspects. It highlights the need for evaluating leadership based on behaviors and results, rather than just titles. The episode delves into the role of followers in effective leadership, emphasizing qualities like selflessness and constructive criticism. Overall, it suggests a more holistic approach to evaluating leadership and followership.
Jun 27, 2024 • 41min

There Is No Such Thing As Security with Nathan Case

Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Nathan Case, who is a previous guest from a multi-guest show. Nate has been a CISO, CTO, Strategist, consultant, CEO, and all kinds of other things. His career is as colorful and varied as Allan's – maybe even more so. Nate's chosen topic is “There is no such thing as security!” So without further ado, let’s dive in!

What do you mean when you say “There is no such thing as security!”? Nate declares it a way to judge risk.
If security is a way to judge risk, then what about the judging? There are metrics there, and some kind of end state, yes?
So you’re saying our feelings about managing the unmanageable is really where the sense of security comes from? That ‘security’ = ‘feelings about risk management results’?
How do I know what I don’t know? How does that relate to this definition of security?
Let’s get concrete – What changes are needed for tools and tech to get past this false sense of security?
If security is a description of a thing, or a specific action, where does this leave us?
Jun 19, 2024 • 29min

21 Questions LIVE! at RSAC 2024 - 3 of 3

In this show, Allan interviews seven guests and asks them questions from a list of 21:

Omkhar Arasaratnam
“How do we leverage LLMs for our own use in cybersecurity?”
"How do you challenge your own precepts and assumptions to stay current in your role?"

Ofer Klein
“How do you describe what you do in cybersecurity to someone at a cocktail party who knows nothing about cyber?"
"How do you explain to the business the value you bring and the risks you solve?"

Rick Doten
"What message do you have for your fellow CISOs?"
"In this cybersecurity community there is hostility between vendors and practitioners. What is your best moment with a vendor?"

Sahil Agarwal
“How do you measure and articulate the risk that AI represents to the business?"
"Governance, Risk Management and Compliance - Where should the priority be?"

Roger Brotz
"What would you like your fellow CISOs to know?"
"What are we still getting wrong in cybersecurity?"

Tyson Martin
"How do we take on more accountability as business leaders?"
"How do we overcome our defaults, precepts and assumptions? How do you get past your own biases and blind spots?"

Sponsored by our good friends at Semperis. It's a great series of guests, and a great series of answers. Y'all be good now!
Jun 12, 2024 • 34min

21 Questions LIVE! at RSAC 2024 - 2 of 3

In this show, Allan interviews seven guests and asks them questions from a list of 21:

Chris "Cpat" Patteson
“Why do so many CISOs think cybersecurity insurance is snake oil?”

Johann Balaguer
“People, process, technology - Which is the most important and why?”
"What do you want your fellow community of CISOs to know?"

Lee Krause
“What are we still doing wrong in cybersecurity?"

Ken Foster
“What are we still doing wrong in cybersecurity?"
"How do we articulate risk to the business?"

Marty Momdjian
"Walk me through how to solve the nightmare of repeat incidents?"

Michael Calderin
“I&AM: Who should own it, and why? CIO? CISO?”
"What is the definition of progress in cybersecurity? Is there an end state?"

Mike Britton
"People, Process, Technology: Which is the most important?"
"I&AM: Who should own it? CISO or CIO?"
"What's your favorite part of the RSA conference?"

Sponsored by our good friends at Semperis. It's a great series of guests, and a great series of answers. Y'all be good now!
Jun 5, 2024 • 41min

21 Questions LIVE! at RSAC 2024 - 1 of 3

In this show, Allan interviews nine guests and asks them questions from a list of 21:

Dr. Deanna Caputo
“How do you measure and articulate risk to the business?”
“People, process or technology?”

Carlos Guerrero
“How do we foster community in cybersecurity?”

Elliott Franklin
“Governance, Risk Management, and Compliance – Which of the three is most important?”
“What does progress look like in cybersecurity?”

Corey Bodzin
“With regards to AI & LLM, what is the impact to infrastructure?”

Evgeniy Kharam
“How integral is Identity & Access Management to the cybersecurity mission?”
“How well is traditional DLP technology meeting its mission and what else can we do?”

Gary Hayslip
“What does RSA mean to you?”

Kelly Shortridge
“What does progress mean to you in cybersecurity?”
“What is the end goal of cybersecurity?”

George Kamide & George Al-Koura
“What are you getting out of RSA?”

Kevin Jackson
“What are we doing wrong in cybersecurity?”

Sponsored by our good friends at Semperis. It's a great series of guests, and a great series of answers. Y'all be good now!
May 29, 2024 • 39min

The Positives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests

Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast! What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!) I am your host, Allan Alford, CEO of Alford & Adams Consulting. I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast! On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off). What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber. This week’s show focuses on the pros of cybersecurity – we covered the negatives last week, and this week we cover the positives. My listeners should know by now that I like to end on a positive note…

WARNING: Some naughty language