
The Cyber Ranch Podcast

Latest episodes

Oct 18, 2023 • 34min

Building Excellent Teams w/ Kymberlee Price

Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft – Kym has held a variety of roles in our industry, but with one common theme: Kym is an outstanding team builder. She has moved around the various facets of cybersecurity over her career, but always with an eye towards turnarounds, creating new teams, and most importantly, integrating those teams with the rest of the business. Kym is the sort of professional whom companies design job roles for, as what she does is both amazing and necessary. Kym, thank you so much for coming on down to ‘The Ranch! What are the hallmarks of an excellent team? How do you measure results?
Oct 11, 2023 • 33min

Bad Behaviors: A Better Way LIVE! with Chris Tillett

Chris Tillett is a well-known figure in our industry.  He is in product management and R&D at Palo Alto Networks.  He is also a great guy, funny, and can wield the snark quite well.  He is the perfect foil for Allan Alford as the two of them take the gloves off, pick on one another, and tear apart bad vendor and bad CISO behaviors.  LIVE!  At Black Hat!   The two tackle some of the most sensitive pain points on both sides of the fence, and get into solutioning some of the most common CISO/vendor problems.  All while donating to Black Girls Code whenever a buzzword gets used.   Their ultimate conclusion?  We'd better figure out how to lock arms, as the bad guys have no problems coordinating with each other.   Come together.  Right now.  Over The Cyber Ranch Podcast.   Sponsored by Palo Alto Networks XSIAM. Find out more at a workshop near you!
Sep 27, 2023 • 31min

Permissions Management w/ Ron Nissim

Howdy, y’all, and welcome to The Cyber Ranch Podcast! Joining Allan this week is Ron Nissim, CEO @ Entitle. Yes, this is one of our rare shows with a vendor as a guest. Why? Because in this case, the vendor was more highly informed than any of Allan’s practitioner friends he was able to query about the subject. And what is that subject? Permissions Management. One that we’ve never done a deep dive into on this show, and one that’s overdue. So without further ado, enjoy hearing Ron chat with Allan. What are the fundamental tenets of proper permissions management? What are the goals? What does the tech stack look like? Different categories you're going to pursue? What are the differences between mid-market and enterprise when it comes to permissions management? What is missing still in permissions management? What do the next 3-5 years look like? How does permissions lifecycle tie into identity lifecycle? What is broken with RBAC?
Sep 20, 2023 • 42min

The Cybersecurity Efficacy Gap w/ AJ Grotto

Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University. He also serves as the faculty lead for the cyber policy specialization that the university offers through its master's in international policy program. He’s also a visiting fellow at the Hoover Institution. He’s talking with me today about Cybersecurity spend vs. cybersecurity efficacy. AJ, thanks so much for coming on down to ‘The Ranch! The below points are mostly followed, but the pair also get into CISOs embracing risk, CISOs owning risk, and buying 'lemons' in the cybersecurity market: So Cybersecurity Ventures says 2023 spending is growing 15% year over year. Between awareness training and tech stack, they are estimating $198+ billion in spend this year on cybersecurity. TechCrunch analyzed the estimated shrinkage of budgets this year based on economic conditions: 45% of budgets remain unchanged or even increased. 3% of budgets were cut by an average of 21.2%. So these figures hold close to steady despite the economic downturn. We spend more and more on cybersecurity every year. When does this end? Conversely, InfoSecurity Magazine says ransomware attacks surged by 74% in 2023. Wired reports an increase for 2023 as well. We can dig into Verizon and IBM annual reports to see general trends of year-over-year increases as well. Verizon shows 13% increase with a curve that’s trending upward more quickly each year. What gives? How do we solve this? How do we bridge this gap? Tactically, we have tech stacks and awareness training and GRC. What is our spend story there vs. this looming threat landscape? Is the solution to spend less, but more intelligently? In other words, crafty rationalization where we still get full coverage, but spend less? If we can never close the gap between spend and threat, what are we to do? Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.
Sep 13, 2023 • 38min

Cybersecurity Awareness Month CALL TO ACTION - The Podcast Trifecta!

Warning: Some naughty language in this show, but well-placed naughty language! Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who among you will win??? Win? That's right! Allan, along with George K and George A from Bare Knuckles & Brass Tacks, joins forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber! Together, this trifecta weighs in on the October bonanza that is Cybersecurity Awareness Month. While the month started to raise awareness for the general public, it’s now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging. Introducing: The Cyber Community Month challenge! Vendors: we’re challenging you to come up with campaigns that give back to the customer community rather than sending awareness spam. Client-side practitioners: Show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge! We’re awarding prizes in November. Share your efforts on social media with the hashtag #CyberCommunityChallenge Sponsored by our good friends at Entitle. Entitle is how cloud-forward companies provide employees with granular and just-in-time access within their cloud infrastructure and SaaS applications. Whether it's providing access to production for on-call engineers or granting access to customer data when a support ticket is opened, Entitle easily integrates with your stack, offering self-serve access requests, instant visibility into your cloud entitlements and making user access reviews a breeze. Learn more at entitle.io
Sep 7, 2023 • 37min

Protecting Small Organizations w/ Georges Merchak

Georges Merchak, cybersecurity expert, discusses the lack of cybersecurity measures in small organizations. The podcast addresses challenges and benefits for small businesses, the importance of educating them, and practical steps to improve cybersecurity. It also emphasizes the role of Managed Service Providers and the need for collaboration between small businesses and MSSPs.
Aug 30, 2023 • 32min

Nowhere to Hide w/ Chris Roberts

You know you're being watched, right? Imagine for some reason you needed to bury a treasure where nobody would ever find it.  In today's society, how could you even do that?  How can you get from Point A to Point B without being observed or tracked in some way? Did you know that you can be listened to through smart lightbulbs? This episode features the infamous and always gracious Chris Roberts, back again on the 'Ranch during this LIVE! recording from the HIP Global 2023 conference in NYC. Chris and Allan talk about these subjects and more in an eye-opening show about just how much folks can see you and hear you. Join in and become just a little more paranoid... Sponsored by our good friends at Seraphic Security. Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.
Aug 23, 2023 • 32min

Cybersecurity in Popular Culture w/ George Finney LIVE!

In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-time author and CEO of Well Aware Security) discuss cybersecurity in popular culture. They talk about the impact on real-world cybersecurity practices of such non-fiction gems as Clifford Stoll's book The Cuckoo's Egg and such cheesy fictional accounts as the movie Swordfish. It might have made you groan, but it might have inspired you and others. It might have represented what we do well enough that you can refer people to it who ask after our craft. Or maybe the portrayal was so bad it was laughable. Join Allan and George LIVE! at Black Hat as they pick apart their favorites and take suggestions from the audience as well... Hack the Planet! Sponsored by our good friends at Seraphic Security. Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.
Aug 16, 2023 • 35min

Allan Interviews EVERYONE at Black Hat

Did you miss Black Hat this year? Well you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode. Did you get to attend Black Hat this year? See if your experience was as amazing as Allan's! This show is LIVE and untarnished. It's the real Black Hat experience!

In this episode, Allan talks to (in alphabetical order, with timestamps):

1:02 - Dani Woolf, Founder & CEO at Audience 1st
3:06 - Daniel Blackford, Manager of Threat Research @ Proofpoint
6:48 - Dean Sysman, CEO @ Axonius
8:19 - Deepen Desai, Global CISO & Head of Security Research @ ZScaler
15:39 - G. Mark Hardy, host of the CISO Tradecraft Podcast
18:42 - Glen Pendley, CTO @ Tenable
23:54 - Kayne McGladrey, Field CISO @ Hyperproof
24:52 - Leigh Honeywell, CEO @ Tall Poppy
25:52 - Masha Sedova, CEO @ Elevate Security
28:47 - Nate Warfield, Director of Research @ Eclypsium
31:43 - Rich Berthao, Cybersecurity Leader, Planner, and Innovator
32:41 - Rob Labbé, CEO and CISO in Residence for the Mining and Metals ISAC

This show captures an amazing week! Sponsored by our good friends at Seraphic Security. Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.
Aug 9, 2023 • 45sec

Allan is at Black Hat

A brief thank you to our listeners and a request for feedback on the show. We'll catch y'all next week!
