
The Cyber Ranch Podcast

Latest episodes

Apr 12, 2023 • 33min

Design Partnerships with Emily Heath

Emily Heath is a well-known and well-respected figure in cybersecurity. She has been a CISO three times in a variety of industries, including software and a major airline. She has been in law enforcement, is a partner at a VC firm, and serves on boards of directors as well. With this wealth of experience she has come to value design partnerships - working with small startups to help craft their solutions to meet both her needs and theirs. But what are some of the challenges in design partnerships? Allan and Emily tackle the following questions:

- What inspires one towards design partnerships?
- How can a practitioner design partner help a first-time founder?
- Where does the innovation come from in this model?
- Does the vast amount of cyber vendors help or hinder the design partnership model?
- What are the pros and cons of alternatives to design partnership?
- How does a practitioner get started with design partnership?

Sponsored by our good friends at Dazz: Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Apr 5, 2023 • 32min

All About Advisory Boards with Karla Reffold

This week Allan is joined by Karla Reffold, COO at Orpheus Cyber. Yes, that makes her a vendor, but, yes, she follows the show's rules: she is a friend, not a sponsor; she is not all vendory; and most importantly she is a subject matter expert on this week's topic: advisory boards! In fact, Karla has written an ebook on the subject which is available here: https://karlareffold.co.uk/advisory-boards-guide-book

Topics covered in the show:

- The ethical entanglements of being on an advisory board
- Paid vs. unpaid advisory board roles (and cash vs. equity)
- Advisory board roles as kickbacks (yes, it happens)
- Advisors who are customers vs. advisors who are not
- Do advisory board roles help or hurt a CISO's career?

Enjoy! Y'all be good!

Mar 29, 2023 • 31min

CISO vs. Individual Contributor Perspectives w/ William Klusovsky

Becoming a CISO means changing a lot of perspectives. Individual contributors need to learn this, and the CISO is the best one to teach them. "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a solution. Will and Allan discuss:

- What precepts really are "obvious"
- How does one onboard leadership and business perspectives?
- What should CISOs do to ensure their teams gain those perspectives?
- What can individual contributors do to ensure that they gain those perspectives?
- The value of self-teaching and mentorship
- Beliefs we should get rid of

It's a great conversation! Y'all enjoy it!

Mar 22, 2023 • 29min

How to Trust Your Vendors - A Scary Case Study with Paul Moreno

This episode is a story about an entire vendor encounter gone horribly wrong. Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor. Paul found a cybersecurity vendor. Paul found good references. Paul got referrals from peers. Paul did a PoC. And after that, it all went downhill. Paul was kind enough to share his story as he and Allan pick apart the failings and deliberate on ways we can all avoid such encounters.

Topics covered are:

- How to spot lies
- Vetting the vendor's internal security landscape
- ISO 27001 Statement of Applicability
- Breaches and whistleblowing
- GDPR violations in charging to delete data

It is a story you will want to hear, and the analysis just might save you some pain down the road...

Sponsored by Allan Alford Consulting https://allanalford.com/about

Mar 15, 2023 • 27min

Tech Teams, GRC Teams, and the CISO with Dr. Mike Brass

Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO. Hear Mike's journey from IT technician to GRC to CISO.

Topics Allan and Mike cover:

- The tension between tech teams and GRC teams, and how a CISO can bridge the two teams
- Reasons why GRC makes such a great background for the CISO role (and how to get there)
- What engineering/architecture folks should know about GRC
- What GRC folks should know about the tech side of the house
- What the rest of the business should know about GRC

You also get to hear Mike's journey, which has spanned small and large companies, government think tanks and more!

Sponsored by Allan Alford Consulting https://allanalford.com

Mar 8, 2023 • 34min

How Do We Embrace Imperfection with Robin Sundaram

We have this idea that we can be perfect. And we know that idea is unsound. So we settle for imperfection. But are we doing that purposefully? Do we have a conscious plan for embracing imperfection? How can we, as cyber professionals, embrace our imperfection meaningfully and with intent?

Join Allan and Robin Sundaram as they explore this topic, covering areas such as:

- NIST CSF is all about imperfection
- Embracing CMDB imperfection
- Vulnerability Management and Patch Management
- Product/Project Rollouts
- Dev teams and the pipeline
- Imperfection and GRC

It's a great conversation and you are sure to learn a thing or two!

Sponsored by Allan Alford Consulting: https://allanalford.com

Mar 1, 2023 • 37min

Technical Case vs. Business Case with Omkhar Arasaratnam

In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security). They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment. The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging themselves.

Topics Covered:

- MFA
- Service Accounts
- Refresh Cycles
- Token Expiration
- Recovery Emails
- Regulatory Mandates
- Biometrics
- SBOM

It's a lively conversation and we hope you will find value in it!

Sponsor Links: Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com

Feb 22, 2023 • 26min

The Implications of ChatGPT and AI with Shaun Marion and ChatGPT

Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage. Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more. Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering in.

- What are the societal implications of ChatGPT?
- What are the positive advances of AI?
- Should we be cautious with what we feed ChatGPT?

Hear answers to these questions and more on this week's lively episode.

Sponsor Links: Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com

Feb 15, 2023 • 31min

Breach Communications with Heather Noggle

How important are communications after your company has been breached? They can make or break customer perception, and the perception of the world. Bad communications are perceived as bad intent. Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness. She studied communications in college, and takes this stuff very seriously. The pair cover the LastPass, Okta and Reddit breaches, comparing the bad to the good.

Topics covered:

- Poor editing of communications
- Willful non-communication
- Obfuscation
- Apologies
- Letting the lawyers have their say - but not the last say
- The balance between speed and accuracy

It's a great conversation and a great show.

Sponsor Links: Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com

Feb 8, 2023 • 32min

BISO Bonanza with Ann Hines, James Binford and Matt Winkeler

Do you want to be a CISO one day? Are you a CISO today who wants to strengthen your ties into the rest of the business? The Business Information Security Officer (BISO) role is one you should explore. The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances: where it fits, what is required, how it is best positioned and managed. Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive. Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as they explore the BISO role.

Sponsor Links: Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com
