12 episodes

Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.

The Cyber Ranch Podcast - Allan Alford

    • Technology
    • 5.0 • 11 Ratings

    Maturing Purple Teaming w/ Gabe Lawrence

    Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawrence, General Manager of Cyber Security Protection at Toyota Motor North America. Gabe has seen the good and bad of purple teaming, and we’re here today to discuss what a mature purple teaming organization looks like.

    To start the conversation, Allan asks Gabe to share a little about himself, his background in information security and what he does at his day job. His path to security hasn’t been linear - he has been a developer, an entrepreneur and a startup owner, slowly making his way to different levels of management in the security space. Gabe runs Enterprise Security at Toyota North America and is responsible for the technical side of the business and manufacturing environment.

    When discussing what successful purple teaming looks like, Gabe points to heightened alert fidelity as one of its greatest benefits. Rather than a red versus blue mindset, purple teaming encourages community and collaboration. Then, Allan asks Gabe to share a specific time he found unexpected success in purple teaming. Gabe gives an example reiterating the advantage of having the red and blue teams work collaboratively.

    In managing an enterprise, Gabe says there is always something changing. Validating your controls, alerts and responses is just one of many tasks best tackled in smaller chunks. Embedding the automation from purple teaming into the ongoing environment keeps things in a high-functioning state and serves as a persistent health check. Gabe explains that a buffer overflow isn’t exactly instantaneous and discusses combatting lingering attacks.

    Though purple teaming has many great benefits, it requires a bit of maturity. Having different teams interact together as they mature ensures they understand each other's roles and can effectively work together. Gabe urges people in the industry to think of themselves not only as part of a specific team, but as part of a broader collective. In the hiring process, he describes seeking candidates with experience in software development and scripting. Additionally, it’s crucial to be willing and excited to learn and to have keen problem-solving abilities. In closing, Gabe looks forward to working in serverless spaces like the cloud in the future and says his favorite thing about his career field is that it never fails to offer something new.

    Key Takeaways
    0:21 - Host Allan Alford welcomes listeners to the show and introduces Gabe Lawrence.
    1:12 - Allan asks Gabe to share about his background and day job.
    2:40 - What is successful purple teaming?
    4:30 - Gabe shares both positive and negative personal experiences in purple teaming.
    9:42 - How do you automate purple teaming?
    14:11 - Fine tuning the deployment of the controls.
    19:20 - How Gabe designs and hires for his team.
    26:20 - What keeps Gabe in Information Security?
    Links:
    Learn more about Gabe Lawrence on LinkedIn
    Follow Allan Alford on LinkedIn and Twitter
    Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
    Sponsored by our good friends at AttackIQ

    Interview with a Vendor w/ Dutch Schwartz

    In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observer, and a constant learner and researcher. He brings some unique insights to our practice.

    Dutch talks about his encounters with CISOs and their direct staffs, and opines on the debate as to how technical a CISO should be (versus business-oriented).

    Allan and Dutch discuss healthy vs. unhealthy (Dutch prefers the term 'challenging') security cultures.

    Dutch talks about all security efforts aligning with business initiatives, and Allan espouses his theory that all CISO actions should tie to business initiatives, risk reduction, and maturity improvement.

    Dutch remains enthused about cybersecurity because of conversations like this very interview.

    Key Takeaways
    1:32 - Dutch shares his cyber origin story - stumbling into cyber after a military career as an officer, and working as an integrator for a VAR.
    4:54 - Today Dutch works at AWS and supports the largest customers as a cloud security strategist, working with CISOs and their staffs.
    5:47 - With Dutch's Fortune 50 customers, he meets with the CISO on a monthly or bi-monthly basis, depending upon how hands-on the CISOs are. Daily he meets with the CISOs' direct reports.
    7:04 - Dutch explains that over the years CISOs have changed from a more technical bent to a more business and risk-management orientation. Some struggle with this growth.
    12:15 - Allan describes his CISO communication philosophy of "Business Terms First, Risk Terms Second, Technology Terms Third".
    13:23 - Allan talks about CISOs asking each other whether they are more technical or business/softskills-oriented.
    15:00 - Dutch says that how technical a CISO is depends partially upon risk tolerance.
    18:02 - Dutch elaborates that a bad security culture results in more breaches.
    19:18 - Dutch explains how a company's culture can be measured.
    19:54 - Dutch says culture is not what the leadership preaches, but rather what the factory worker in a remote location believes it to be.
    20:16 - Dutch says challenging cultures are the ones where leadership is not aligned.
    21:53 - Dutch starts his conversations with his clients by talking first and foremost about business initiatives.
    23:40 - Dutch often compares security to quality when getting his clients to understand the overarching perspective.
    26:50 - Allan says all CISO initiatives should be tied to business objectives, reduction of known risks, and how his actions might improve maturity.
    29:29 - Conversations like this one are what keep Dutch in information security.
    Links:
    Learn more about Dutch Schwartz on LinkedIn and Twitter.
    Follow Allan Alford on LinkedIn and Twitter
    Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
    Sponsored by our good friends at Axonius

    Advancing Cybersecurity Careers w/ Christophe Foulon

    In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech company, and co-host of the "Breaking into Cybersecurity" podcast.

    Chris has 15 years in information security, having started at the helpdesk years ago. His biggest desire in infosec is helping others. In his day job Chris gets to work with every part of the business.

    On the subject of the personnel shortage in cybersecurity, Chris believes that there is no shortage. Rather, he suggests that hiring managers limit their choices by holding out for too high an experience level, and by neglecting diversity and inclusion.

    His advice for those who are entering the profession is to combine experience, certifications and education as suited to themselves and the roles they are applying for. He suggests research and listening to podcasts like this one. Chris suggests finding a mentor as well.

    Chris and Allan discuss diversity, inclusion and allyship at length, going into such details as how job descriptions can discourage diverse candidates.

    Chris' motivation in cybersecurity is the fact that the industry is ever-evolving and always presents opportunities for creative problem solving.

    Key Takeaways
    1:18 - Chris shares his history with cybersecurity
    3:20 - Chris describes why he thinks there is no infosec personnel shortage
    4:43 - Chris describes how to write a job description to generate more candidates
    6:28 - Chris tells people with other backgrounds not to start over in cyber but to move in laterally and learn the tech
    8:02 - Chris explains how to get experience and subject matter expertise before you start your first job
    12:35 - Chris talks about certifications
    16:11 - Chris talks about including neurodiverse candidates
    17:52 - Chris describes how hiring managers can clean their job descriptions to encourage diverse candidates
    24:24 - Chris describes the benefits of mentoring
    25:24 - Chris describes what motivates him in infosec
    26:24 - Chris describes what he is looking forward to in infosec
    Links:
    Learn more about Chris Foulon on LinkedIn and Twitter.
    Chris' coaching site is CPF Coaching
    Follow Allan Alford on LinkedIn and Twitter
    Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
    Sponsored by our good friends at Axonius

    Developing Leadership w/ Gary Hayslip

    Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip. Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!

    To start the conversation, Allan asks Gary to share about himself and his background in cybersecurity. While he had a natural interest in computers and technology more generally, Gary’s formal entrance to the cybersecurity field came during his time in the military. He developed a love for security, and as he’s climbed within the industry in the years after his military service, he’s also developed a strong network as a colleague and mentor. Allan tapped into this shared community through one of its most-used platforms, LinkedIn, to find out what others in the field would most like to learn from Gary.

    The first questions deal with topics of leadership and training, and Gary explains his own practices of educating himself and his team. In his own life, he is committed to maintaining up-to-date knowledge of his rapidly changing field through research and reading; such knowledge is necessary if Gary is to lead as effectively as he can. Gary also provides opportunities for his staff to receive continuing education, and he does not worry that he might train employees beyond their roles. Rather, he embraces the privilege of partnering with his staff to see them succeed on their career paths.

    There is a lot that goes into Gary’s practice of crafting and leading a team, and the COVID-19 pandemic has caused him to make some coaching changes. One-on-one meetings and conversations about family are more frequent, but the emphasis on building team trust and leading team members to own the business strategy remain constant. Gary assigns team members to take the lead on and complete briefings for different aspects of the strategy, and also expects them to back each other up.

    This practice not only fosters ownership of business processes and development of employee skills, but also shapes the kind of culture Gary insists his team have. He requires team members to possess certain soft skills, be people of honesty who take personal responsibility, and be comfortable in team and group contexts. Gary tries to care for his workers by taking harder hours on himself than he expects them to work, but as the conversation wraps up, he explains that he is mainly motivated in his work by love for the community and people in the field!

    Key Takeaways
    0:21 - Host Allan Alford welcomes listeners to the show and introduces Gary Hayslip.
    1:08 - Allan asks Gary to share about his background.
    2:08 - The first questions deal with continuing education for Gary and his team.
    6:58 - How has Gary’s coaching changed because of COVID-19?
    10:54 - What are Gary’s methods for helping his team take on pieces of his strategy?
    17:55 - COVID-19 also raises new questions about work-life balance.
    21:45 - The next question deals with how Gary develops team culture.
    25:39 - What keeps Gary going in cybersecurity?

    Links:
    Learn more about Gary Hayslip on LinkedIn.
    Follow Allan Alford on LinkedIn and Twitter
    Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
    Sponsored by our good friends at Axonius

    The Post-COVID Reckoning w/ Dr. Rebecca Wynn - SPECIAL EDITION

    In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like. Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!

    The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field.

    Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.

    Moving workers to home offices all over the world resulted in an increased attack surface and increased privacy concerns as well. Security questionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. reports. COVID, in other words, really emphasized the supply chain risk posture.

    Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc.

    Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk.

    To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.

    Key Takeaways:
    1:18 - Dr. Wynn tells the audience about her information security background and recognitions.
    2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.
    4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.
    5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.
    6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".
    8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.
    9:12 - Allan points out that the Solarwinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.
    10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.
    12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.
    14:34 - Dr. Wynn and Allan talk about the strength and significance of contracts in the cultures of various companies.
    16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.
    19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.
    23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.
    25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.
    25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.
    26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.

    Links:
    Follow Allan Alford on LinkedIn and Twitter
    Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
    Learn more about Dr. Rebecca Wynn on LinkedIn.
    Sponsored by our good friends at Axonius

    Business-Oriented Security w/ Chris Castaldo

    In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail.

    The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills the void in books for founders that seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review the book before its release.

    But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO?

    Allan asks Chris how a CISO can affect both the bottom line and the top line as well. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses.

    Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business.

    To close the podcast, Chris shares that he loves information security because of its always offering something new, and because of it evolving towards a user-centric approach.

    Key Takeaways:
    0:36 - Chris tells the audience about his security book for founders.
    2:19 - Chris talks about his day job as CISO at Crossbeam.
    3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.
    6:05 - Chris walks through how a CISO's impact to the top and bottom line varies for startups vs. mature businesses.
    7:16 - Chris compares security aspects of a non-security offering to airbags in a car.
    9:02 - Allan shares his past as a product security professional and how business-aligned product security in tech companies is.
    12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.
    14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.
    18:24 - Chris discusses how to enable security without putting the brakes on the business.
    22:40 - Allan explains how some of his basic security controls also accelerate the business.
    25:17 - Chris explains why he loves working in information security.
    26:21 - Chris is looking forward to user-oriented cyber security.

    Links:
    Follow Allan Alford on LinkedIn and Twitter
    Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
    Learn more about Chris Castaldo on LinkedIn.
    Sponsored by our good friends at AttackIQ

Customer Reviews

5.0 out of 5
11 Ratings

Chris Hacker Valley Studio,

Allan is the perfect learning leader!

Allan is a brilliant leader with a humble mentality that pushes him to learn more. Love the podcast and the laid back style!

HeLives!,

Solid intro and excited about the upcoming episodes!!!

Allan Alford is a cybersecurity champion! He is well respected throughout the industry and is an exemplary leader, contributor, and mentor. He is abundant in knowledge, charisma, and excitement, so it should be both informative and engaging. I would highly recommend every cybersecurity professional subscribe to this podcast as its content will not disappoint.