Between Two Kernels: Allan Alford – E02

March 26, 2019

In Episode 2 of Between Two Kernels Kelly chats with CISO Allan Alford about being the most hated man in his organization, the three biggest mistakes of his life, and which infosec category he would date, marry, and kill. Check out the highlights below and the full video if you’re interested!

Episode Transcript

Kelly: Welcome to Between the Two Kernels. My guest today is Allan Alford, who is, I guess, a cowboy. Is that right?

Allan: Yeah. I’m a rancher.

Kelly: Okay. A rancher, well, that should be very enlightening about InfoSec, so I guess in your spare time, you’re a CISO?

Allan: Yeah.

Kelly: Okay. What is it like being the most hated person in your organization as CISO?

Allan: I cry a lot. I cry a lot. I like to go home and just sort of cry. But then I go back to work cheerful and ready to go the next day-

Kelly: That’s wonderful.

Allan: … and it starts all over again.

Kelly: Yeah. So were there any vendors at the hall at RSA that were helping with your crying at night?

Allan: No, not really. Usually speaking to the vendors just makes me cry more.

Kelly: More tears?

Allan: More tears.

Kelly: More tears.

Allan: More tears.

Kelly: Well, that’s our industry, I suppose. You’ve written a bit about information security taglines and the interesting combination of words that can be used. Would you say they’re kind of like pickup lines by vendors?

Allan: Oh, I think so. I think absolutely, it’s like pickup lines. It’s what can they say to get my money? How quickly can they say it, and you know, do I come here often, and what’s my sign?

Kelly: Right. Do they neg you ever?

Allan: Oh yeah, sometimes.

Kelly: Yeah?

Allan: Sometimes.

Kelly: Do you have any good examples?

Allan: Oh, I’d have to think. Not off the top of my head.

Kelly: I feel like a common thread is always like whatever you’re doing is not good enough.

Allan: Oh, yeah, yeah, yeah. There’s always that one. There’s always the whole, “You’re doing it wrong. You need me.” You know, “It’s not me. It’s you.”

Kelly: And more tears.

Allan: And more tears.

Kelly: More tears.

Allan: More tears.

Kelly: More tears. So one question that I think is on a lot of people’s minds is what are CISOs doing wrong? What are some of the biggest mistakes you see your peers making? Feel free to name names.

Allan: So, I think the biggest thing we’re all doing wrong is we’re getting obsessed with our tech stack. That’s really what we’re doing wrong. The CISO should live at the point of intersection … you know, the intersection of risk and business, and what we tend to live at is the intersection of risk, business, and a giant stack of technology hawked at us by vendors, and we get obsessed with that technology, we get focused on that technology, and we forget the big picture, which is the business picture.

Kelly: So the process part is getting lost?

Allan: Absolutely. We need a conference for the process part.

Kelly: Why do you think there isn’t a conference for it?

Allan: Because that’s the boring part.

Kelly: And it doesn’t make as much money for the vendors?

Allan: Exactly. It would be a bunch of consultants vying for our attention and hoping to get that one deal. It wouldn’t really play out in the conference format.

Kelly: That makes a lot of sense. What are some of the biggest mistakes you feel like you’ve made?

Allan: Becoming a CISO would be number one.

Kelly: That’s a big one.

Allan: Continuing-

Kelly: That’s a big one.

Allan: … to be a CISO would be number two, and then continuing to be a CISO again would be number three.

Kelly: All the tears.

Allan: All the tears. Lots of tears.

Kelly: What would you do instead? Ranching?

Allan: Ranching, farming, farming, ranching. Probably raise a lively herd of penguins.

Kelly: Okay. Do the penguins live in a data lake? How does that work?

Allan: On the shores of data beach, swimming in a sea of vague metrics.

Kelly: That sounds beautiful. Sounds really beautiful. How do you reconcile the disconnect between you as a CISO, you’re the buyer of these tools, but probably not often the user? How do you figure that out in your buying process?

Allan: What I like to do is pick things at random, sort of really on whims. Basically, I’ll read an airline magazine, and a half-baked article will-

Kelly: Do you have any recommendations for the best?

Allan: … motivate me. Oh, just any airline, really. The magazines are all the same. You just read the half-baked article and you get a great idea, and then you buy that tool, and then you go to your team and say, “Deploy this and make it work, because the article said it would.”

Kelly: So your goal is to … I would say you’re optimizing the transfer of tears away from you onto your team.

Allan: It’s a distributed tear network. It’s the only way to survive as a CISO.

Kelly: I like that, yeah. I like that a lot. That’s interesting, so how does your team react when you do that?

Allan: Oh, they love that. They love that. They live for the challenges represented by useless tools.

Kelly: I can imagine that. I’m sure they really feel like you empathize with their day-to-day pain.

Allan: I try as much as I can to be the sort of leader they can admire from a distance.

Kelly: That’s really inspiring. If you had to choose an InfoSec category to date, marry, and to kill, what would you choose and why?

Allan: I guess I would date … I’m going to date vulnerability management, because vulnerability management … Well, you know, that’s not true. That’s not true at all. I’m going to date an MDR.

Kelly: Okay.

Allan: Because MDRs are a little more exciting, a little more adventurous.

Kelly: Spicy, yeah.

Allan: A little spicy, but I’m going to marry vulnerability management.

Kelly: Okay.

Allan: Because that’s where you want to settle down, have a good routine [crosstalk 00:05:05]

Kelly: Good commitment. It’s okay if it’s a little boring, because it’s, you know.

Allan: It’s marriage. Marriage should be boring. You should cry, really. There should be tears.

Kelly: Okay.

Allan: There should be tears.

Kelly: Healthy tears.

Allan: Healthy tears.

Kelly: Yeah.

Allan: Shared tears.

Kelly: Yes.

Allan: Shared tears.

Kelly: That’s very important, yes.

Allan: And then, kill would have to be … You know, this week, I would have to go with threat intelligence.

Kelly: Did you see a lot of threat intelligence vendors [crosstalk 00:05:26]

Allan: I did. Quite a few accosted me, admiring my hat really, mostly.

Kelly: What were some of your favorite taglines related to those vendors?

Allan: Assurances that they will provide meaningful intelligence, assurances that it’s not just data, but actionable intelligence, assurances that I can integrate the intelligence. The key here is the use of the word intelligence in as many sentences as possible.

Kelly: Do you feel like you have sufficient intelligence as a person?

Allan: No. No, not really. This is why I’m a CISO.

Kelly: That makes perfect sense. Thank you for coming on today.

Allan: No problem.

Kelly: You can have some of the popcorn.