The Cyber Ranch Podcast

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Tim Brown.  If you don’t’ know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us.

Or maybe in a way, he is all of us, really.  Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch.

The topic today is cyber regulation.  It can range from self-regulation to associations, principles, practices, lobbying – all the way up to full government regulation.  What works?  What’s required?

Topics covered:

• What is the case for regulation?

The call to action is ultimately this: If you don't have a seat at the table, folks will do things to you rather than with you.  So get involved!

Y'all be good now!

What can we established cybersecurity practitioners ACTUALLY do to help those new in the field besides blathering back and forth about the problem in the echo chamber that is LinkedIn?

Drew got the clever idea of inviting three folks who are brand new to the field or barely started on their cyber journey, and, get this: ASKING them what they're experiencing and what they need! Clever, huh? It's an eye-opening show for a CISO.

We are join on this week's episode by Amé Venter, May Ferreira, and Bryce Hill, who share their perspectives from their early stages in this field. It's a sobering perspective.

To a certain extent, they've all been lied to and led on, and that's all of our faults.

Key takeaways:

• Prodsec/Appsec might get you out of being a cost center in cybersecurity, but no intro programs seem to show folks how to get there.

CISOs, please listen to this show. Please re-think your hiring strategies!

Y'all be good now!

Howdy, y’all!  Our guest today is Wade Baker, cybersecurity researcher, entrepreneur, professor…  Wade is a Board of Directors member of the FAIR Institute, was an Advisory Board Member at the RSA Conference, was VP of Strategy & Risk Analytics at ThreatConnect, and is now Co-Founder of Cyentia Institute, which aims to advance cybersecurity knowledge and practice through data-driven research.  Wade joins Drew and Allan to talk about (go figure!) data-driven cybersecurity.  The three smash through a lot of assumptions and get to the heart of what is really going on in cybersecurity.

Questions covered:

1. What is the Information Risk Insights Study (IRIS)? (cyentia.com/iris/)

Y’all be good now!

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Michael Santarcangelo, Founder and President at Security Catalyst.  He’s a former podcaster – co-creator of Business Security Weekly, he even did a stint on Down the Security Rabbit Hole with Raf and James.  True fact, hearing Santa (as his friends call him) and Paul Asadoorian on Business Security Weekly is what inspired Allan to become a podcaster in the first place!  But "Santa" (as his friends call him) has done the practitioner and the leader things as well, and got his start way back on the Global Security Team at Andersen Consulting… Santa joins Drew and Allan to discuss effective communication…

• The communication problem we’re trying to solve is not the one we think it is!

Y'all be good now!

Your organization runs on commercial software far more than it does open source.  But all you are delivered is binaries.  What is your technical control to ensure that you are safe from this software?

Such software is composed of:

• Open source libraries

You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc.  Well now you can.  SBOMs are just the beginning...

Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, who have spent 15 years solving this highly specific and highly challenging problem in cybersecurity.

The show is not sponsored by ReversingLabs.  Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand...

Y'all be good now!

This is our third and final episode of this miniseries.  In this episode we are joined by Ross Young, a well-established member of the cybersecurity community with a storied background and penchant for giving back via various means.  Ross joins Allan and Drew in exploring the role of technology in the People, Process and Technology triad.

Questions covered:

• The traditional triad of people, process, technology has been with us since 1964, from an era when digital systems were in their infancy and computing as we know it today was science fiction.  Is PPT still the right way to look at business problems?

Thanks as always for listening.  Y'all be good now!

Howdy, y'all!  In part two of our three-part miniseries, we tackle Process with Malcolm Harkins.  Malcolm is former CISO at Intel, a good friend of Allan's, former Cylance Chief Trust and Security Officer, member of the board of director over at TrustMAPP (where Allan used to be COO), and is now at Hidden Layer, working to secure AI.  Hidden Layer did not sponsor this show.

Allan, Drew and Malcolm discuss the following:

1. People, process technology – what is the role of process in that triad?

Thank you for listening!  Y'all be good now!

Thanks for listening, y'all!  Our next show is all about Process (we already did a show on People) and after that comes Technology.

Y'all be good now!

Jeremiah Roe has held many roles in cybersecurity:  Field CISO, Red Teamer, Advisor, Consultant, Etc.  He currently advises for OffSec, who provide quality cybersecurity training.  Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series - each of the three shows exploring People, Process and Technology respectively.

The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:

• People, Process, and Technology - Which is most important?

Join the three as they ride the cyber trails of "People" in the PPT triad!

Y'all be good now!

Drew and Allan were skeptical about SABSA, as it is a model one CISO friend described as being "only good for a graduate student writing a paper!"  Another CISO pointed out that SABSA was designed long before modern engineering practices.

Andrew Townley, a long-term SABSA consultant, on the other hand, gets straight to the practicality of it.  There is indeed an academic and theoretical foundation behind SABSA, but it is most definitely leveraged for one purpose -  to achieve desirable business outcomes.

Drew and Allan ask:

• What is SABSA's purpose?

Both Allan and Drew walk away with enough curiosity to dig into SABSA more.

Note that Andrew several times also cites the work of Russell Ackoff, another academician who enjoyed a rather brilliant career as a business consultant - grounding his systems theory into meaningful business practicality.

More on Russell Ackoff here:

https://en.wikipedia.org/wiki/Russell_L._Ackoff