The Cyber Ranch Podcast

This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include: Gary Hayslip, CISO @ Softbank Investment Advisers Michael Calderin, CISO @ YAGEO Group David Cross, CISO @ Oracle SaaS Cloud Audra Streetman, Security Strategist @ Splunk Adrian Peters, CISO @ Vista Equity Partners Robin Sundaram, CISO @ RELX Merritt Baer, Office of the CISO @ AWS Rob Wood, CISO @ Centers for Medicare & Medicaid Services Bryan Green, CISO Americas @ ZScaler Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group Andres Andreu, CISO @ 2U Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions Royce Markose, former CISO Bob Schuetter, CISO @ Ashland Susan Thomas, CEO @ 10Fold Brian Markham, CISO @ EAB Ken Foster, VP of IT GRC @ FLEETCOR Elizabeth Martinez, Account Exec @ ThreatLocker Josiah Dykstra, Senior Fellow, Office of Innovation @ The NSA Kevin Brown, CEO @ Innit Brent Deterding, CISO @ Afni Audra Streetman, Security Strategist @ Splunk Wendy Whitmore, SVP, Unit 42 @ Palo Alto Networks I ask my guests several questions including: How do you impact the top and bottom line? What topics are you tired of in cybersecurity? There are also some special interviews at the end - discussions about the RSA conference itself, tech stack sprawl, and personal branding and marketing for CISOs.  Oh - and a question about how vendors and CISOs can work better together AND a conversation about how government and industry can work together in cybersecurity. Give this one a listen!  It's jam-packed with great insights! Sponsored by AttackIQ & Semperis. AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  https://attackiq.com Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  https://semperis.com      

This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time.  The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 chapters - each of which presents a specific facet of good leadership in a nearly "buffet style" manner. You can pick and choose topics that resonate with you and dive right in. Allan picked 6 chapters that resonated with him in particular and got Andy to elaborate: Chapter 1 - “Personal improvement is a prerequisite to leading professionally” Chapter 6 - “Gift kindness where it isn’t expected” Chapter 8 – “An uncompelled apology unburdens everyone” Chapter 13 - "Your wellness is one of the greatest assets you control" (Listen as Andy hits Allan straight in the feels on this topic) Chapter 24 – "People need to see versions of themselves to feel welcome" Chapter 35 - "In general, be vague" The book is amazing, these particular chapters are amazing, and Andy's expounding upon them is amazing as well! Y'all be good now!

This episode is a bit scary.  Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side. Premise One: Given how many organizations that are vulnerable and that have NOT been breached, the bad guys are suffering the same skills gap we are. Premise Two: Exploit attacks (think of exploits as ransomware, data hostage situations, threats to publish breached data, etc.) can benefit from LLM AI. It's really that simple a connecting of the dots.  Adrian and Allan deconstruct the steps of an exploit attack, analyze the capabilities of LLM AI and cross-reference the two. If they are right, then we have a burden of leveraging and learning LLM AI ourselves, as quickly as possible... Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include: Chris Kennedy, CISO @ Citadel Gary Hayslip, CISO @ Softbank Investment Advisers Michael Calderin, CISO @ YAGEO Group Reet  Kaur, CISO @ Portland Community College Rob LaMagna-Reiter, CISO @ Hudl Matthew Lang, vCISO David Cross, CISO @ Oracle SaaS Cloud Audra Streetman, Security Strategist @ Splunk Vishal Amin, General Manager of Security Solutions (Federal) @ Microsoft Adrian Peters, CISO @ Vista Equity Partners Kelly Shortridge, Author of “Security Chaos Engineering: Sustaining Resilience in Software and Systems” Robin Sundaram, CISO @ RELX Merritt Baer, Office of the CISO @ AWS Tim Rohrbaugh, former CISO & Industry Leader Rob Wood, CISO @ Centers for Medicare & Medicaid Services Bryan Green, CISO Americas @ ZScaler Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group Andres Andreu, CISO @ 2U Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions Royce Markose, former CISO Bob Schuetter, CISO @ Ashland I ask my guests several questions: What is the best part of RSAC 2023 for you? What is the single most critical skill a security leader needs? What's missing in cybersecurity? What is your take on Purple Teaming and MITRE ATT&CK? How do you co-lead the organization? There is also a VERY special interview with James Stanley, Chief of Product Development at CISA at the end.  Don't miss it! Sponsored by Semperis & AttackIQ. Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  https://semperis.com AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  https://attackiq.com    

Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis. Dazz has completed a Series A investment round.  Semperis a Series C.  It turns out that the skills each CEO needs are still remarkably the same. Saddle up for another episode, where Allan asks his guests: What’s the coolest thing that has happened for you or to you as a startup CEO? What has been the biggest single challenge? What are your top 3 tenets of leadership? What is the purpose of vision and how clear must it be? What is the purpose of mission and how clear must it be? What is your advice to those who would want to become a startup CEO? Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

What is security chaos engineering?  You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity.  Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".   Security chaos engineering is derived from chaos engineering, a relatively new discipline in software development that seeks to test distributed computing systems to ensure that they withstand unexpected disruptions.  It's all about resilience, in other words.  Security chaos engineering seeks to do the same for the security of such software systems.   Kelly breaks down her book during a lively conversation featuring an opinion or two her cat, Link (yes, a Zelda reference!): Who should read this book? Resilience in software and systems Systems-oriented security Architecting and designing Building and delivering Operating and observing (Allan's favorite chapter as it intersects with one of his Zero Trust tenets) Responding and recovering Platform resilience engineering Security chaos experiments (a very fun chapter!) Case studies Note that the book is peppered with references and quotes from other disciplines.  We would expect no less from Kelly.   Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Bryan Liebert is one smart cookie.  Who bakes cybersecurity cakes.  But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity.  His specialty is creating simple to digest (we could not help it, sorry!) models for managing and reporting on cybersecurity programs and practices. Join Bryan and Allan as they serve up (we're still doing it!) a lively and informative episode! Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong: Cybersecurity viewed as a necessary evil, related to The Twilight Zone Ownership, Authority, Accountability: Inventory and Means of Control Are WE the baddies? (Largely) Forgotten Security Principles Allan and Adrian dissect cybersecurity practice in this great episode! Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Join us for a SPECIAL EDITON! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas! The topic is data security: its challenges and how to overcome them. Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moore of Securiti. The conversation is live and lively, recorded as-is and delivered to you. Enjoy! Sponsored by Securiti - https://securiti.ai/

We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise.  We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys.  But these two worlds intersect far more than you would think, and the techniques for addressing these problems intersect as well. This week Allan is joined by Leigh Honeywell, CEO at Tall Poppy, to discuss these intersections.  Leigh is uniquely qualified, as her non-traditional startup addresses "personal security outside the firewall", which includes executive protection...   Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.