Becoming a CISO means changing a lot of perspectives. Individual contributors need to learn this, and the CISO is the best one to teach them. "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a solution. Will and Allan discuss: - What precepts really are "obvious" - How does one onboard leadership and business perspectives? - What should CISOs do to ensure their teams gain those perspectives? - What can individual contributors do to ensure that the...
Mar 29, 2023•31 min•Transcript available on Metacast

This episode is a story about an entire vendor encounter gone horribly wrong. Allan is joined by Paul Moreno, VP of InfoSec at Catawiki, formerly SVP of Cybersecurity at Adyen, investor and advisor. Paul found a cybersecurity vendor. Paul found good references. Paul got referrals from peers. Paul did a PoC. And after that, it all went downhill. Paul was kind enough to share his story as he and Allan pick apart the failings and deliberate on ways we can all avoid such encounters. Topics covered ar...
Mar 22, 2023•29 min•Transcript available on Metacast

Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO. Hear Mike's journey from IT technician to GRC to CISO. Topics Allan and Mike cover: The tension between tech teams and GRC teams, and how a CISO can bridge the two teams Reasons why GRC makes such a great background for the CISO role (and how to get there) What engineering/architecture folks should know...
Mar 15, 2023•27 min•Transcript available on Metacast

We have this idea that we can be perfect. And we know that idea is unsound. So we settle for imperfection. But are we doing that purposefully? Do we have a conscious plan for embracing imperfection? How can we, as cyber professionals, embrace our imperfection meaningfully and with intent? Join Allan and Robin Sundaram as they explore this topic, covering areas such as: NIST CSF is all about imperfection Embracing CMDB imperfection Vulnerability Management and Patch Management Product/Project Rol...
Mar 08, 2023•34 min•Ep 109•Transcript available on Metacast

In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security). They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment. The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging ...
Mar 01, 2023•37 min•Ep 108•Transcript available on Metacast

Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage. Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more. Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering...
Feb 22, 2023•26 min•Ep 107•Transcript available on Metacast

How important are communications after your company has been breached? They can make or break customer perception, and the perception of the world. Bad communications are perceived as bad intent. Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness. She studied communications in college, and takes this stuff very seriously. The pair cover the LastPass, Okta and Reddit breaches, comparing the bad to the good. Topics...
Feb 15, 2023•31 min•Transcript available on Metacast

Do you want to be a CISO one day? Are you a CISO today who wants to strengthen your ties into the rest of the business? The Business Information Security Officer (BISO) role is one you should explore. The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances: where it fits, what is required, how it is best positioned and managed. Allan has been a BISO himself and has managed BISOs as well, so th...
Feb 08, 2023•32 min•Transcript available on Metacast

Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations. Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory boards, has worked for the Big Four, and more importantly is a former US Marine (although all the Marines will tell you there is no such thing as a former Marine!) Scott Moser is SVP and CISO at Sabre Corporation, has also been a CISO for Caesar's (the...
Feb 01, 2023•34 min•Transcript available on Metacast

This week Allan is joined by Nipun Gupta, an industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as well as the interrelationships. Is "protect the business" a guardrail statement while "protect data and people" is the mission? How do we tie protecting people to protecting the business? For the people? For the business? How do we map data to the bus...
Jan 25, 2023•32 min•Transcript available on Metacast

This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc. Another one of Allan's illustrious guests with 25 years in cyber. (https://www.linkedin.com/in/schawacker/). The topic started as all that the two have learned outside of cybersecurity that has helped them in cyber. But it gets way more esoteric than that, and quickly. Detailed show notes and links are provided below because this show is all over the place! 02:11 Point MOOt, Texas: MOO-based...
Jan 18, 2023•34 min•Transcript available on Metacast

This episode is jam-packed with wisdom that is delivered at a rapid pace. Some folks will find themselves rewinding and taking notes. Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs. Topics include: - Pivotal career transitions - Is a plan _really_ required? - Principles, foundations, and successful behaviors - Practical steps...
Jan 11, 2023•31 min•Ep 101•Transcript available on Metacast

To celebrate the 100th episode, Allan decided to let the audience participate in the show. 21 people called in and answered a wide variety of questions about cybersecurity. It is a fantastic show and it is very fun to hear all the different perspectives from folks who have just about every role in cybersecurity you can imagine: 00:00:58 - Brent Deterding - What can practitioners do to show more love to vendors? 00:03:07 - Evgeniy Kharam - How important are soft skills in cybersecurity? 00:03:54 - ...
Jan 04, 2023•2 hr 32 min•Transcript available on Metacast

This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'? Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk. Join Allan, Andy, and Chris as they deconstruct risk, extolling its virtues, and hopefully change th...
Dec 14, 2022•36 min•Transcript available on Metacast

In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance. Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others. Listen to hear a deconstruction of this position, and hear some great arguments both for and a...
Dec 07, 2022•28 min•Ep 98•Transcript available on Metacast

Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incredible community focus and the high level of participation and engagement he demonstrates in his own career. How can we, as privacy and security professionals, overcome our paranoia in order to build community? How do we, as new members of cybersecur...
Nov 30, 2022•34 min•Transcript available on Metacast

Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at BigCommerce joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a ...
Nov 16, 2022•54 min•Transcript available on Metacast

This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes: Eliminating the culture of "No!" Managing Third-Party Risk Building a "No Blame" Culture The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen! Sponsor Links: Thank you to our s...
Nov 09, 2022•35 min•Transcript available on Metacast

In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?" Should the CISO be the one to decide whether to report breaches? Should the CISO own the SOC? Should the CISO report to the CIO? Should the CISO have an MBA? Should the CISO be mentoring individual contributors in their team? Should the CISO be sharing the political realities of "upstairs"...
Nov 02, 2022•37 min•Transcript available on Metacast

Once again, Allan, Rich, and Michael dissect topics in our community that are, well, tired. Topics are brought up to spur online debate, but for which a conclusion is never reached. Topics that bifurcate our community without moving our industry forward. Topics that cause us to overly rotate on the wrong areas. In this show we address: Defining terms: zero trust, ML, AI, hacker vs. cracker, cybersecurity vs information security How to pronounce "CISO" Work from home vs coming to the office Do we...
Oct 26, 2022•33 min•Transcript available on Metacast

We have all seen the conversations on LinkedIn where someone starts with a hotly debated topic, and the debate goes on and on, nothing is concluded, and then the next week, someone else posts the same topic and starts the gerbil wheel spinning again. We have seen this phenomenon with common complaints too. These are, in short, tired conversations. Join Allan Alford, Rich Mason, and Michael Santarcangelo as they rope in some of these tired topics and propose alternative ways of looking at them. T...
Oct 19, 2022•1 hr 3 min•Transcript available on Metacast

CISOs and other security executives have relied on spreadsheets to perform a great deal of the management functions of their programs. What if there was a better way? Derly Gutierrez is back on the ranch for a third time now to discuss his alternative - the humble ticketing system. It might seem obvious in some cases, but Derly has pushed the use cases far beyond what you might imagine. Topics Derly and Allan cover include: Risk Management Lifecycle Vendor Management Lifecycle Personnel Onboardi...
Oct 12, 2022•26 min•Transcript available on Metacast

Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and Author, kicks the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Prior to the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber's psyche and exposes the errors behind practitioners playing m...
Oct 05, 2022•27 min•Transcript available on Metacast

Christian Espinosa, Author, Speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey, and reveals how these experiences have inspired two books about cybersecurity, business ownership, and li...
Sep 28, 2022•23 min•Transcript available on Metacast

Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it n...
Sep 21, 2022•27 min•Transcript available on Metacast

Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn't, and where the bridges between the CISO role and other roles in the company should be. Tim...
Sep 14, 2022•32 min•Transcript available on Metacast

Leon Ravenna, CISO & CIO at KAR Global, former VP of Security & Compliance at Interactive Intelligence joins Allan this week to talk about the increases in cybersecurity threats and risks - increases in breadth and depth of various attacks and increases in our own problems in dealing with those attacks. It has implications for all of us, as we have not necessarily seen an increase in the right defensive capabilities to maintain parity. COVID and work-from-home have not helped either... Questions...
Sep 07, 2022•39 min•Ep 86•Transcript available on Metacast

Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure, this report has huge implications for cybersecurity in any publicly-traded company. Yaron walks through his research into this report and explains what this means in the future for real-world cyber practitioners....
Aug 31, 2022•32 min•Transcript available on Metacast

Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or "ask me anything," to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means t...
Aug 24, 2022•36 min•Transcript available on Metacast

Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or "ask me anything". Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO. Timecoded Guide: ...
Aug 17, 2022•40 min•Transcript available on Metacast