The Cyber Ranch Podcast

Podcast by Allan Alford

About The Cyber Ranch Podcast

Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.

All episodes

76 episodes
Better User Awareness Training with Tim Silverline

Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advance warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.

Timecoded Guide:

[04:30] Running the right phishing simulation for your user base and gauging your results appropriately
[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails
[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning
[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises
[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour [http://axonius.com/Get-A-Tour]

What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?

Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.

“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”

If the users never fall prey to attacks, is there a reason to continue performing them?

Hearing Tim talk about his success, Allan was curious about how he chooses to approach successful user bases. If someone isn’t falling for Tim’s phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling out different exercises that hone in on different phishing simulations exposes employees to a variety of learning opportunities and encourages them to see this beyond just a yearly test where they might as well “get it over with.”

“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”

What ineffective methods are there in security awareness?

Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read or watch through videos and take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside of the box with interactive activities that are explained in advance shows the value of these exercises to your users instead of making them feel that you’re yet again wasting their time with another gift card scam.

“I find that there's the typical thing a lot of people do to hit compliance, which is having their users watch videos, and answer questionnaires. My feeling is that most people just try to get that done. Their goal is really to get it completed, so they can check the box and their company stops bothering them to complete it.”

You are given a magic wand and you are told you can wave it and change any one thing in cybersecurity you want to change. What do you change?

There’s so much in cybersecurity that Tim and Allan would love to change, especially when we look at cutting edge approaches to user awareness training. However, Tim makes one thing clear: if he could change anything, he would change our mindset. Instead of seeing security as just someone’s job, we should encourage our users to see themselves as an instrumental part of their company’s security. When everyone concerns themselves with following the right protocols and caring about security beyond simulations, companies will find themselves in a much stronger, less vulnerable place.

“I think ultimately, a lot of the weaknesses inside of our organization are our users. If I could just increase the level of carefulness, or the level of interest that everybody has in keeping their own companies secure, I think we would overall improve the posture of all companies.”

Links:

Learn more about Tim Silverline on LinkedIn [https://www.linkedin.com/in/timsilverline/] and the Gluware website [https://gluware.com].
Follow Allan Alford [https://allanalford.com/] on LinkedIn [https://linkedin.com/in/allanalford] and Twitter [https://twitter.com/AllanAlfordinTX]
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store [https://store.hackervalley.com/]
Continue this conversation on our Discord [https://discord.com/invite/avaeNEprYG]
Listen to more from the Hacker Valley Studio [https://hackervalley.com/] and The Cyber Ranch Podcast [https://hackervalley.com/cyberranch]

29 jun 2022 - 28 min
The Founder-Angel Investor Connection with Sameer Sait & John Stewart

Allan invites a founder and an angel investor to the ranch this week to talk about how founders and angel investors really connect. Meet Sameer Sait, former CISO at Amazon Whole Foods and now founder of BalkanID, and John Stewart, former CISO at Cisco and investor at Talons Ventures. Together, these gentlemen offer a lot about both sides of the investment story, from evaluation to the decision to work together, and what a mutually beneficial founder and angel investor relationship looks like.

Timecoded Guide:

[01:23] Exploring John and Sameer’s backgrounds in cyber and how they developed their own unique founder-angel investor connection
[04:53] Understanding the triggering aspects that caused someone like John to become an angel investor in BalkanID and how BalkanID selected their investors
[08:20] Delving into the uniqueness of different founder-investor relationships and how John (vs other BalkanID investors) makes his impact on Sameer’s work as a founder
[13:30] Giving expert advice and explaining lessons learned in founding your first company and in investing in startups
[22:12] Exploring how other experiences in life, outside of cybersecurity and investing, have informed John and Sameer’s work with BalkanID and with solving cyber issues

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone [http://axonius.com/simone].

What inspired you to become a founder of BalkanID, Sameer?

As the former CISO of Amazon Whole Foods and an investor at numerous cybersecurity companies, Sameer has a great resume to show off. However, his work with BalkanID offered him the opportunity to be a founder, something that Sameer had never done before. When asked what inspired him to be a first-time founder, he tells us that he continuously encountered the same problems over and over again, and wasn’t seeing anyone coming up with the right solution. Continuing to move forward with so much at stake with this issue of entitlements felt like a missed opportunity, and with the right investors and co-founders on his side, BalkanID was born.

“I knew that we could do better, right? And I knew the existing solutions were not scaling. And I think the last inspiration was really finding the right co-founders to go at this with. That was the biggest inspiration of all.” - Sameer Sait

John, what were the triggering factors that made you decide to invest in BalkanID?

Just like Sameer, John has some incredible experience to show off in the tech world and in the investment world. But why BalkanID? A simple answer would be the connection between these two men, having met numerous times throughout their careers, developing a strong working relationship. However, John sees so much potential in BalkanID and in Sameer beyond just their work friendship. John believes that you don’t invest in tech, you invest in people, and the qualities he sees in Sameer as a founder and a leader in the tech world excite him, and he felt he could lend his expertise to BalkanID in a beneficial way.

“Sameer is very self-aware. These things matter. He knows what he knows, he knows what he doesn't know, he's comfortable bringing in people that complement his skills and make a stronger team around him. In the end, that's why I say you bet on people, not on tech.” - John Stewart

What advice do you have for potential investors looking to get involved in startups, John?

Being an investor isn’t always easy, and John has made some mistakes that taught him the hard way about how to be a good investor. With a hands-on approach and now tons of projects under his belt, John is asked to give some advice to future investors. A hugely important piece of advice from John is to know your founder, know their wants and needs, and to see ahead of what their future holds. You’re an investor, but it is their company, and you have to be aligned in order to produce a mutually beneficial relationship.

“As an investor, I follow out and look for all of those things. I look at how optionality is, how CEOs think, how many chances they have, what directions could they go. Are they strategically capable of looking beyond today's decision and thinking about what might happen in the future?” - John Stewart

Sameer, what advice would you give fellow founders?

Despite his experiences at other companies, BalkanID is Sameer’s first founding experience so far. His biggest lesson to date? Not getting caught up in the buzz and the hype. BalkanID’s approach to their audience and their product has been to focus on their customer and work backwards to find their problem and their ideal solution. This takes time, and it’s easy to fall into the trap of comparing your revenue, launches, products, and marketing tactics to those of other companies. This only hurts your brand in the long run because you’ll no longer be focused on your customer’s problem.

“As an early stage, first-time entrepreneur, a part of me would get nervous. ‘Oh, my God, look what's happening out there. Oh, we're so slow.’ I think of taking a step back and saying, ‘Well, we are on our journey,’ right? We have supporters, we have backers, we have a real problem we're solving. The fact that other people want to solve the same problem is validation that it's a real problem.” - Sameer Sait

Links:

Stay in touch with Sameer Sait on LinkedIn [https://www.linkedin.com/in/sameersait/] and the BalkanID website [https://www.balkan.id/about].
Stay in touch with John Stewart on LinkedIn [https://www.linkedin.com/in/john-stewart-ba32a5195/].

22 jun 2022 - 26 min
Open Door Security w/ James Allan-McLean

“When people come to Security and tell you everything they are doing, that’s a real win.” - James Allan-McLean

Allan is joined by James Allan-McLean, Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military, to talk about his ‘Open Door Security’ method and the benefits of a transparent, no-strings-attached approach to security. In this episode, Allan and James take a deep dive into this methodology and address questions such as:

- What is Open Door Security?
- What does a successful Open Door Security program look like?
- How to go about tackling security implications within your org
- The philosophy behind James’ ‘handrail’ metaphor

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone [http://axonius.com/simone]

Guest Bio:

James is a highly effective and motivated information security leader with extensive experience in a range of sectors. He is a Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military.

Links:

Stay in touch with James Allan-McLean on LinkedIn [https://www.linkedin.com/in/james-a-0a691756/]

15 jun 2022 - 25 min
DevSecOps w/ Chris Hughes

Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions, such as:

- What roles help achieve security in DevOps?
- What are the cultural barriers to implementing secure DevOps?
- What are some common mistakes as well as best tips?

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone [http://axonius.com/simone]

Guest Bio:

Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely.

Additional Resources:

Google SLSA framework: https://slsa.dev/
CSCRM – NIST Appendix F: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
Open SSF – OSS Mobilization Plan: https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8
Sounil/Andy Debate: https://www.securityweek.com/video-civil-discourse-sboms

Links:

Stay in touch with Chris Hughes on LinkedIn [https://www.linkedin.com/in/chris-h-97680442/]

08 jun 2022 - 28 min
Board Reporting Metrics Pt. 2 w/ Andy Ellis

Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:

- Vulnerability and threat hunting metrics
- Top 3 metrics to report to the board and why
- Breach reporting implications

and much more!

Check out part 1 of Board Reporting Metrics here [https://hackervalley.com/cyberranch/board-reporting-metrics-pt.-1-w-andy-ellis]

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone [http://axonius.com/simone]

Guest Bio:

Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.

Additional Links:

Stay in touch with Andy Ellis on LinkedIn [https://www.linkedin.com/in/csoandy/]

01 jun 2022 - 44 min