The Cyber Ranch Podcast

Latest episodes

Aug 2, 2023 • 32min

The Open Source Security Foundation with Omkhar Arasaratnam

The OpenSSF is doing invaluable work for the cybersecurity community. And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever! Omkhar is back to talk about the OpenSSF:
- What is the OpenSSF and how does it relate to the Linux Foundation?
- What is the organization's mission?
- What is the organization's vision?
- What exciting projects are taking place (and a sneak peek about some upcoming announcements at Black Hat!)
- What mark do you want to leave on the OpenSSF as Managing Director?

Omkhar is an expert in DevOps and CI/CD. He is an expert in security. His passion is supply chain security. You can see where all of this can come together in his new role and make amazing things happen for your industry. Y'all enjoy, and y'all be good now!
Jul 26, 2023 • 32min

Cloud Security Remediation w/ Tunde Oni-Daniel

Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all. And it can be a huge, manual, pain in the... You get the idea. But there are techniques to navigate it and to overcome many of the common traps and hurdles. Tunde Oni-Daniel is a grizzled veteran in our industry who has managed to maintain his enthusiasm, passion and energy for the job. Tunde is an expert on cloud remediation and together he and Allan discuss:
- Cloud lifecycle
- Challenges when findings happen
- Drift management
- Bugs vs vulnerabilities
- Sec/Dev/Ops relationships with regards to remediation
- What works, what's fast?
- The next 3-5 years of cloud remediation

This one is a phenomenal show packed full of practical tips and high energy. Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jul 19, 2023 • 41min

Things We Believe But Cannot Prove w/ Drew Simonis

In this episode, Allan and Drew tackle an interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove. The LinkedIn conversation was phenomenal, and Drew and Allan do a great job of summarizing it and calling out the underpinnings behind much of what we believe in this industry. Questions Allan asks Drew:
- What inspired this topic?
- What were some of your favorites from the LinkedIn thread?
- What are the underlying themes here?
- Is BYOD security really a thing?
- Are third-party risk assessments useful?

Special thanks to LinkedIn posters: Peter Schawacker, John Prokap, Duane Gran, Brian Campbell, Matthew Dimmick, Graham Lewendon, Marcus W., Dmitriy Sokolovskiy, and everyone who participated in a very lively thread... Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jul 12, 2023 • 34min

Board Reporting with Kate Kuehn

Kate is a legend in our industry, is a multiple times board member herself as well as having reported to boards in a wide variety of roles. She is currently Chief Trust Officer at Aon. Allan and Kate have intended to get her down to The Cyber Ranch for some time, but the stars finally aligned in this fantastic episode jam-packed with great advice. Do please forgive the sound quality on this one. It was recorded on the road, and the conversation was too amazing to re-record despite the quality issues. Kate and Allan cover:
- Best human approaches in board communicating – everything but the presentation itself
- How to get to know your board both individually and collectively
- What to present
- What not to present
- Best tips and tricks overall

Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jul 6, 2023 • 30min

Allan Answers LinkedIn Questions

This week Allan flies solo and tackles a variety of questions that came in from LinkedIn - including his origin story. Allan tackles the following questions:
- How does a CISO protect themselves from prosecution?
- How does one get value from a cybersecurity assessment?
- How should one pick a cybersecurity solution or company?
- How do you "disconnect" from cybersecurity?
- How to start and sustain a cybersecurity podcast - why and why not?
- Allan's origin story
- Allan argues with himself over two issues

NOTE: Allan states: "I have no idea why anyone would want to hear my origin story, but here it is. You can skip it if you like. It runs from roughly 19 minutes to 24 minutes." Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jun 28, 2023 • 35min

The Real Implications of Contemporary Exploits with Anne Marie Zettlemoyer

The MOVEit breach has been top of mind, especially with SolarWinds and Colonial Pipeline and log4j and all the others having been so recent. It is easy to blame the victims. It is easy to make excuses that nobody can defend against a Zero Day. There are a lot of easy responses to these kinds of affairs. But what Allan and Anne Marie Zettlemoyer get into in this episode is a variety of questions around the assumptions:
- Start with a quick summary of the MOVEit exploit and Clop.
- How does this attack compare to SolarWinds?
- What can we do to prepare for zero-day exploits?
- Is society (and the business world) getting jaded to ransomware attacks and breaches? Is this affecting their investments in cyber?
- Is a post-breach CISO really rolling in the assets and resources the way so many assume?
- What are the long-term implications for a business, its stock prices, and its CISO investment?

This is another episode that strives to get deeper than the surface. We hope you learn something from it, and we hope you enjoy it as well. Y'all be good now! Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jun 22, 2023 • 22min

Zero Trust & DSPM with Claude Mandy - SPECIAL LIVE EDITION

This episode was recorded LIVE at the 2023 Symmetry Systems Unconference on Zero Trust, adjunct to RSAC 2023. Allan is joined by his friend Claude Mandy, former CISO, former analyst, and now Chief Evangelist at Symmetry Systems. Like Allan, Claude is a Zero Trust enthusiast. The podcast was the capstone to a long day of Zero Trust presentations, panels, book reviews and other great topics and conversations. Join Allan and Claude at this live recording that covers:
- How does DSPM fit into Zero Trust?
- Allan's victory at a recent Digital Fight Club event where he championed Zero Trust
- Overcoming Zero Trust marketing hype
- Is Zero Trust a framework, an architecture, or something else? Hint: Claude says it's something else.
- What are the biggest challenges in implementing Zero Trust?
- What are the benefits to the business of Zero Trust?
- Security is about the intersection of Data & Entities - not about Assets
- What are the most exciting aspects of RSAC 2023 for Claude and Allan?
Jun 21, 2023 • 31min

Money with Nick Vigier

Money is the hardest thing for a CISO to acquire. As with last week's show on Time, Money has to be spent wisely as well. Perhaps the tricks to spend it wisely directly relate to how we can acquire more the next cycle to achieve the mission we know we need to achieve. In this episode we cover:
- What are the best methods for securing a budget?
- How do you structure your budget to align with business costs (COGS, R&D, CAC...)?
- What are some good ways to save money as a CISO?
- How do you best lower vendor costs for the long term?
- How can a CISO help make money for the business?

Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jun 14, 2023 • 36min

Time w/ Paul Robinson

Time is one of our most precious commodities as security practitioners. And yet we have traditional time sinkholes where we waste time, lose time, and spend time. Join Allan and Paul Robinson, Founder and Managing Director at Tempus Network, as they explore several of these areas and give concrete tips on how to save time as security practitioners:
- Keeping up with industry trends
- Managing cyber incidents
- Third-party questionnaires (both directions!)
- Vendor onboarding
- Work from home vs. going into the office

Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Jun 7, 2023 • 29min

FedRAMP, StateRAMP, TX-RAMP with Jay Adams

Join Allan and his guest Jay Adams, CISO @ Enchoice and former security architect for several large private and public sector efforts - from M&A activities to massive public portals. Jay is going through TX-RAMP right now, and both he and Allan have done research on FedRAMP and StateRAMP as well. What are the differences?  Why might you choose one over the other?  What are the gotchas? This is a great show and you'll get to learn a bit about Allan's brief foray into state government as well... Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
