The Cyber Ranch Podcast

By: Allan Alford
  • Summary

  • Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
    © 2021-2023 The Cyber Ranch Podcast Allan Alford
Episodes
  • Practical Security Architecture with SABSA with Andrew Townley
    Jul 24 2024

    Drew and Allan were skeptical about SABSA, as it is a model one CISO friend described as being "only good for a graduate student writing a paper!" Another CISO pointed out that SABSA was designed long before modern engineering practices.

    Andrew Townley, a long-term SABSA consultant, on the other hand, gets straight to the practicality of it. There is indeed an academic and theoretical foundation behind SABSA, but it is most definitely leveraged for one purpose - to achieve desirable business outcomes.

    Drew and Allan ask:

    • What is SABSA's purpose?
    • Is Andrew's specific practically applied methodology a deviation from the official SABSA canon?
    • How can one prove its effectiveness? What are the practical business outcomes?

    Both Allan and Drew walk away with enough curiosity to dig into SABSA more.

    Note that Andrew several times also cites the work of Russell Ackoff, another academician who enjoyed a rather brilliant career as a business consultant - grounding his systems theory into meaningful business practicality.

    More on Russell Ackoff here:

    https://en.wikipedia.org/wiki/Russell_L._Ackoff

    38 mins
  • Corporate Social Responsibility - The New Model for Cyber? w/ Drew Simonis
    Jul 17 2024

    Hang on to your saddle for this one! Drew Simonis joins Allan as his new co-host in a show where the two of them explore alternative models for selling and funding the cyber mission!

    You probably know about corporate social responsibility initiatives.

    Did you know that it's not a new idea in the history of capitalism, but rather a throwback?

    Before shareholder capitalism, there was stakeholder capitalism:

    Stakeholder capitalism proposes that corporations should serve the interests of all their stakeholders, and not just shareholders. Stakeholders can include investors, owners, employees, vendors, customers, and the general public at large. The focus is on long-term value creation, not merely enhancing shareholder value.

    Drew walks Allan through some very compelling arguments in favor of this model, and Drew and Allan together tie it to how CISOs can implement and fund cybersecurity...

    Random highlights:

    1. The short-sightedness of quarter-over-quarter thinking

    2. Comparison to the Chinese Communist Party, which gets a big thumbs down from both Drew and Allan, but which does get credit for being able to enact truly long-term plans.

    3. Jack Welch and other prominent CEOs advocating for aspects of stakeholder capitalism

    4. Random tie-ins to cybersecurity all throughout.

    Allan is stoked to have Drew join him as co-host, and this show is most definitely one of the more philosophical episodes, while still grounding itself in the practicalities of running cybersecurity programs.

    Y'all be good now!

    39 mins
  • Managing Threats Throughout the SDLC with Tomer Schwartz
    Jul 10 2024

    Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Tomer Schwartz, co-founder and CTO over at Dazz. Yup! He’s a vendor! And OMG he’s a sponsoring vendor too! Whatever will we do? But wait, y’all know Allan's rule: Vendors are allowed on the show if and when they can add more value on a given subject vs. any practitioners in The Cyber Ranch network. Tomer fits that bill perfectly! Tomer has worked in the Microsoft Security Response Center, he’s the former Armis co-founder & CTO, and he’s the current co-founder & CTO at Dazz, which is a leader in the Application Security Posture Management space. Tomer is also a coffee aficionado. Now what does Dazz do and why did we ask Tomer to be on the show? Dazz is in the Application Security Posture Management space, which is relatively new around here, but they also collate and track threat exposure in real time, and also secure the SDLC in a DevOps’y way...

    Questions

    • The elephant in the room is Gartner’s newest category in this space. Some say ASPM fits into CTEM, which is Continuous Threat Exposure Management for those behind on eating their alphabet soup. Tomer, what’s your perspective on that?
    • Let’s talk about the problem in the ASPM/CTEM space: noise / too much data, no context, limited visibility from code to cloud and everything in between. For real, most solutions suck, as their single pane of glass is a very, very dirty pane of glass, and no amount of Windex is going to help. And our listeners know we believe in 3-4 “single” panes anyway. Is there such a thing as a single pane of glass in the ASPM space? Do we want a single pane? How does it play nicely with my “single” panes from other spaces?
    • Here comes the can of worms: Can AI help with this?
    • Gartner says by 2026 40% of enterprises will have an ASPM solution - do you agree?
    • And then there’s good ol’ UVM - Unified Vulnerability Management. Feels like a past promise that didn’t deliver. And it hasn’t addressed DevOps or even Dev very well at all IMHO. What’s your take?
    • How should CISOs be thinking about all of these technologies and practices? It can get very complicated very fast and if it’s not done right the devs will run screaming.
    • Where is this all headed? What’s the ideal future state in this space?
    • Here’s your chance to tell thousands of CISOs and other high-level practitioners what you want them to know. What do you want them to know?

    Check out Dazz at https://dazz.io

    29 mins

What listeners say about The Cyber Ranch Podcast

Average customer ratings
  • Overall: 5 out of 5 stars (5 stars: 1, 4 stars: 0, 3 stars: 0, 2 stars: 0, 1 star: 0)
  • Performance: 5 out of 5 stars (5 stars: 1, 4 stars: 0, 3 stars: 0, 2 stars: 0, 1 star: 0)
  • Story: 5 out of 5 stars (5 stars: 1, 4 stars: 0, 3 stars: 0, 2 stars: 0, 1 star: 0)
