CISO Tradecraft®

#260 - Mastering Defense Against Configurations ( Yuriy Tsibere) Nov 24, 2025

In this episode of CISO Tradecraft, host G Mark Hardy is joined by Yuriy Tsibere from ThreatLocker to discuss an essential topic for cybersecurity leaders: Defense Against Configurations (DAC). With a focus on the significant risks posed by misconfigurations, Yuriy shares insights on how ThreatLocker's new DAC tool helps organizations identify and rectify vulnerabilities in OS configurations, ensuring a higher degree of security. They explore the critical role of maintaining proper endpoint configurations, Zero Trust principles, and how DAC seamlessly integrates into ThreatLocker’s platform to provide real-time monitoring and reporting. Yuriy also touches on how DAC supports various security frameworks and compliance standards, making it a valuable asset for any organization aiming to enhance its cybersecurity posture.

Big Thanks to Threatlocker for supporting this episode. Register to attend Zero Trust World 2026: https://ztw.com/?utm_source=ciso_tradecraft&utm_medium=sponsor&utm_campaign=dac_yuriy_q4_25&utm_content=dac_yuriy-&utm_term=video

Use discount code ZTWCISOTRADECRAFT26 for $200 off

#259 - Transforming Security Operations (with Brian Carbaugh and William Macmillan) Nov 17, 2025

Join host G Mark Hardy in an exciting episode of CISO Tradecraft where we delve into the cutting-edge world of Human AI Security Operation Centers (SOCs). With special guests Brian Carbaugh and William McMillan, former CIA operatives and leading figures in cybersecurity innovation, we explore how AI is transforming the landscape of security operations. Discover the unparalleled efficiency, accuracy, and proactive threat detection offered by AI-driven SOCs compared to traditional platforms. Learn from real-world examples, such as condensing hundreds of investigative hours into just 90 seconds, and understand the critical role of contextual data in modern threat detection. Perfect for CISOs ready to elevate their security strategies, this episode provides actionable insights and expert advice on navigating AI SOC adoption and integration. Don't miss this informative and forward-thinking discussion! Big thanks to our sponsor

Big thanks to our sponsor Forcepoint

Check out their The Practical Guide to Mastering Data Compliance: https://www.forcepoint.com/resources/ebooks/practical-guide-mastering-data-compliance?utm_source=&sf_src_cmpid=701a600000exxd7AAA&utm_medium=display&utm_content=AW_NC_LinkedInAds_October25_ban&utm_campaign=LinkedInAds_October25

William MacMillan - https://www.linkedin.com/in/william-andesite/

Brian Carbaugh- https://www.linkedin.com/in/brian-carbaugh-38b339243/

#258 - From Invention to Entrepreneurship (with Jeri Ellsworth) Nov 10, 2025

In this captivating episode of CISO Tradecraft, hosted by G. Mark Hardy, we delve into the incredible life journey of Jeri Ellsworth—a renowned inventor and tech entrepreneur. From her early fascination with electronics in rural Oregon to her innovative ventures in Silicon Valley, Jeri shares her unique experiences and hard-earned wisdom. Discover the highs and lows of her career, including her time at Valve Software, navigating significant security breaches, and her foray into the world of crowdfunding and startups. This episode is packed with invaluable lessons for CISOs, cybersecurity professionals, and aspiring entrepreneurs alike. Tune in now and get inspired by Jeri's story of resilience, innovation, and leadership.

Jerri Ellsworth - https://www.linkedin.com/in/jeriellsworth/

#257 - Patch or Perish (with Ross Young) Nov 03, 2025

Imagine stepping into a role and discovering your predecessor had been severely underreporting vulnerabilities, leaving your systems 300 days behind on patches. Join G Mark Hardy and Ross Young in this riveting episode of CISO Tradecraft as they unveil a startling real-world scenario and a proven strategy to revolutionize your patching process. Learn how to tackle the ever-growing number of vulnerabilities, leverage AI and automation, and instill a culture of accountability and gamification among your team. With expert insights and practical steps, this episode is a must-watch for every cybersecurity leader looking to stay ahead of threats and secure their organization's future.

Big thanks to our sponsor, Forcepoint. Check out how they can help you shut down ShadowAI. https://www.forcepoint.com/resources/ebooks/shadow-ai-security-guide?utm_source=linkedin&sf_src_cmpid=701a600000exxd7AAA&utm_medium=display&utm_content=AW_NC_LinkedInAds_October25_ban&utm_campaign=LinkedInAds_October25

Slides can be found here: https://www.linkedin.com/posts/mrrossyoung_patch-or-perish-activity-7389964440546471936--I_F?utm_source=share&utm_medium=member_desktop&rcm=ACoAABnnk5MBYbK8I-lYgI25f6ro7t6rOeP-Ods

Chapters

00:00 Introduction: The CISO Challenge 00:31 The Importance of Data Security 01:05 Welcome to CISO Tradecraft 02:01 Ross Young's Patching Journey 03:34 The Growing Threat of Vulnerabilities 05:16 AI and Cybersecurity 07:34 Developing a Comprehensive Security Approach 10:51 Accountability and Metrics 15:30 Improving Vulnerability Management Processes 19:28 Advanced Tooling and Automation 23:16 Future Trends in Cybersecurity 27:06 Conclusion: Adapting to the Future

#256 - Maximize Your Cybersecurity Budgets (with Ross Young) Oct 27, 2025

In this episode of CISO Tradecraft, G Mark Hardy and Ross Young dive into part two of their series on cybersecurity budgets. Continuing from where they left off, they discuss the OWASP Threat and Safeguard Matrix (TaSM), effective protection scoring, and practical strategies to enhance your budget management as a CISO. Learn about the importance of understanding material threats, leveraging AI, and employing tools like murder boards to optimize security practices. Ross also shares inside tips for negotiating master service agreements and improving organizational processes, all aimed at making you a more effective security leader.

#255 - Maximize the Outcomes Per Dollar in Cyber (with Ross Young) Oct 20, 2025

Welcome to another episode of CISO Tradecraft! Join G Mark Hardy and Ross Young as they dive deep into strategies for maximizing your security budget while minimizing waste. Ross, the author of the soon-to-be-released 'Cybersecurity's Dirty Secret,' shares insights from his 20-year career, including his time at the CIA, Capital One, and Caterpillar Financial. Get expert tips on zero-based budgeting, total cost of ownership, avoiding meeting waste, and more. Don't miss this episode if you want to learn how to make every cybersecurity dollar count!

Free Templates: https://www.cisotradecraft.com/store

Course: https://www.cisotradecraft.com/course-master-the-budget-game-in-cybersecurity

#254 - AI, Privacy, & Security Insights (with Aimee Cardwell) Oct 13, 2025

Welcome to another insightful episode of CISO Tradecraft! In this episode, host G Mark Hardy engages with Aimee Cardwell, an accomplished cybersecurity expert with an impressive portfolio including UnitedHealth Group, AMEX, eBay, and more. Tune in as they dive deep into the increasing concerns of privacy, the evolving role of AI in cybersecurity, and the importance of data governance. Learn practical strategies for managing the complexities of AI and privacy, explore the intersections between cybersecurity and privacy, and get invaluable tips for aspiring CISOs. Don't miss this episode packed with expert advice and forward-thinking perspectives!

Aimee Cardwell's Linkedin - https://www.linkedin.com/in/acardwell/

#253 - DARPA’s AI Cyber Challenge Unveiled (with Andrew Carney) Oct 06, 2025

Dive into an exciting discussion on CISO Tradecraft as host G Mark Hardy engages with DARPA's AI Cyber Challenge director, Andrew Carney. Learn about the world of autonomous systems capable of identifying and fixing vulnerabilities at an unprecedented speed and scale. Discover the highs and lows of AIxCC's two-year journey, its groundbreaking impact on cybersecurity, and the potential it holds for the future. Whether you're a seasoned CISO or just passionate about cybersecurity, this episode is packed with insights on leveraging AI to protect critical infrastructure and defend against cyber threats. Don't miss it! https://aicyberchallenge.com/

#252 - Master Storytelling for CISOs (with Neal Foard) Sep 29, 2025

Join us in this captivating episode of CISO Tradecraft as host G Mark Hardy sits down with storytelling maestro Neal Foard. Learn the secrets of impactful storytelling straight from Neal, who shares an engaging story about an unforgettable lesson at the New Jersey State Fair. Delve into the importance of emotions in storytelling, glean tips for effective communication, and discover how being an inspiring leader can propel your cybersecurity career. Don't miss this opportunity to enhance your storytelling prowess and become a more effective cybersecurity leader!

#251 - AI Just Changed Data Security Requirements (with Ronan Murphy) Sep 22, 2025

Learn how to elevate Data Protection in the Age of AI with Ronan Murphy In this episode of CISO Tradecraft, host G Mark Hardy and guest Ronan Murphy, Chief Strategy Officer at Forcepoint, discuss the critical importance of data protection for enterprises in the age of AI. Discover expert insights on common mistakes CISOs make, how AI revolutionizes data security, and the evolving role of CISOs from enforcers to strategists. Learn about effective data governance, AI’s impact on data, and leveraging tools like DLP & CASB for robust cybersecurity.

Plus, hear about Forcepoint Aware 2025 and actionable strategies for elevating your organization's data security posture. https://www.forcepoint.com/aware

#250 - Understanding Vulnerabilities, Exploits, and Cybersecurity Sep 15, 2025

Join host G Mark Hardy on CISO Tradecraft as he welcomes Patrick Garrity from VulnCheck and Tod Beardsley from Run Zero to discuss the latest in cybersecurity vulnerabilities, exploits, and defense strategies. Learn about their backgrounds, the complexities of security research, and strategies for effective communication within enterprises. The discussion delves into vulnerabilities, the significant risks posed by ransomware, and actionable steps for CISOs and security executives to protect their organizations. Stay tuned for invaluable insights on cybersecurity leadership and management.

Chapters

00:00 Introduction and Guest Welcome
00:57 Meet Patrick Garrity: Security Researcher and Skateboard Enthusiast
02:12 Meet Todd Beardsley: From Hacker to Security Research VP
03:58 The Evolution of Vulnerabilities and Patching
07:06 Understanding CVE Numbering and Exploitation
14:01 The Role of Attribution in Cybersecurity
16:48 Cyber Warfare and Global Threat Landscape
20:18 The Rise of International Hacking
22:01 Delegation of Duties in Offensive Warfare
22:25 The Role of Companies in Cyber Defense
23:00 Attack Vectors and Exploits
24:25 Real-World Scenarios and Threats
28:46 The Importance of Communication Skills for CISOs
31:42 Ransomware: A Divisive Topic
38:39 Actionable Steps for Security Executives

#249 - Unveiling AI and Crypto Threats with Microsoft's Tomas Roccia Sep 08, 2025

In this episode of CISO Tradecraft, host G Mark Hardy sits down with Tomas Roccia, a senior threat researcher at Microsoft, to delve into the evolving landscape of AI and cybersecurity. From AI-enhanced threat detection to the complexities of tracking cryptocurrency used in cybercrime, Tomas shares his extensive experience and insights. Discover how AI is transforming both defensive and offensive strategies in cybersecurity, learn about innovative tools like Nova for adversarial prompt detection, and explore the sophisticated techniques used by cybercriminals in high-profile crypto heists. This episode is packed with valuable information for cybersecurity professionals looking to stay ahead in a rapidly changing field.

Defcon presentation: Where is my crypto Dude? https://media.defcon.org/DEF%20CON%2033/DEF%20CON%2033%20presentations/Thomas%20Roccia%20-%20Where%E2%80%99s%20My%20Crypto%2C%20Dude%20The%20Ultimate%20Guide%20to%20Crypto%20Money%20Laundering%20%28and%20How%20to%20Track%20It%29.pdf

GenAI Breaches Generative AI Breaches: Threats, Investigations, and Response - Speaker Deck https://speakerdeck.com/fr0gger/generative-ai-breaches-threats-investigations-and-response

Transcripts: https://docs.google.com/document/d/1ZPkJ9P7Cm7D_JdgfgNGMH8O_2oPAbnlc

Chapters

00:00 Introduction to AI and Cryptocurrencies
00:27 Welcome to CISO Tradecraft
00:55 Guest Introduction: Tomas Roccia
01:06 Tomas Roccia's Background and Career
02:51 AI in Cybersecurity: Defensive Approaches
03:19 The Democratization of AI: Risks and Opportunities
06:09 AI Tools for Cyber Defense
08:09 Challenges and Limitations of AI in Cybersecurity
09:20 Microsoft's AI Tools for Defenders
12:13 Open Source AI Security: Project Nova
18:37 Community Contributions and Open Source Projects
19:30 Case Study: Babit Crypto Hack
22:12 Money Laundering Techniques in Cryptocurrency
23:01 AI in Tracking Cryptocurrency Transactions
26:09 Sophisticated Attacks and Money Laundering
33:50 Future of AI and Cryptocurrency
38:17 Final Thoughts and Advice for Security Executives
41:28 Conclusion and Farewell

#248 - A Black Hat Chat with ThreatLocker CEO Danny Jenkins Sep 01, 2025

In this episode of CISO Tradecraft, host G Mark Hardy sits down with Danny Jenkins, CEO and founder of ThreatLocker, live from the Black Hat conference. Danny shares insights into his technical background and explains how a customer-focused culture drives innovation and improvement at ThreatLocker. Learn about the company's unique practices, such as their 'control alt delight' sessions, 24/7 customer support, and how leadership at ThreatLocker leads by example. Danny also discusses the importance of learning from failures and removing obstacles for team members to help the company and its products continually evolve. Danny's LinkedIn - https://www.linkedin.com/in/dannyjenkinscyber/

ThreatLocker - https://www.threatlocker.com/

Transcripts -https://docs.google.com/document/d/1TOib3nTXwrWuwF6sJMlVjTFurgr-jc1b Chapters

00:00 Introduction and Welcome
00:27 Meet Danny Jenkins, CEO of Threat Locker
01:12 The Philosophy Behind Threat Locker
02:52 Customer-Centric Culture at Threat Locker
04:32 Technical Leadership and Personal Insights
08:55 Leadership Advice for Aspiring CISOs
11:22 Conclusion and Farewell

#247 - What most leaders don't understand about AI (with Dave Lewis) Aug 25, 2025

In this episode of CISO Tradecraft, host G Mark Hardy engages in an insightful conversation with Dave Lewis, Global Advisory CISO from 1Password, about AI governance and its importance in cybersecurity. They discuss AI policy and its implications, the evolving nature of AI and cybersecurity, and the critical need for governance frameworks to manage AI safely and securely. The discussion delves into the visibility challenges, shadow AI, the role of credentials, and the importance of maintaining fundamental security practices amidst rapid technological advancements. They also touch on the potential risks associated with AI, the misconceptions about its impact on jobs, and the need for a balanced approach to leveraging AI in a beneficial manner while safeguarding against its threats. This episode provides valuable guidance for cybersecurity professionals and organizations navigating the complexities of AI governance.

Chapters

00:00 Introduction to AI Governance
00:30 Guest Introduction: Dave Lewis
00:49 The Importance of AI Governance
01:42 Challenges in AI Implementation
03:20 AI in the Modern Enterprise
03:49 Shadow AI and Security Concerns
04:49 AI's Impact on Jobs and Industry
05:27 The Gartner Hype Cycle and AI
05:43 AI's Influence on the Stock Market
06:14 Historical Context of AI
06:32 AI and Credential Security
08:29 The Role of Governance in AI
12:47 The Future of AI and Security
18:36 Governance and Policy Recommendations
19:26 AI Governance and Ethical Concerns
20:01 AI Self-Preservation and Human Safety
20:18 Uncontrollable AI Applications
21:17 Vectors of AI Trouble
21:58 AI Hallucinations and Data Security
22:53 AI Vulnerabilities and Exploits
26:29 Deepfakes and AI Misuse
27:33 Historical Cybersecurity Incidents
29:04 Future of AI and Job Security
33:47 Managing AI Identities and Credentials
34:21 Conclusion and Final Thoughts

#246 - Tim Brown on SolarWinds: What Every CISO Should Know Aug 18, 2025

In this episode of the CISO Tradecraft podcast, host G Mark Hardy speaks with Tim Brown, the CISO of SolarWinds, at the Black Hat conference in Las Vegas. They delve into the details of the infamous SolarWinds breach, discussing the timeline of events, the involvement of the Russian SVR, and the immediate and long-term responses by SolarWinds. Tim shares insights on the complexities of supply chain security, the importance of clear communication within an organization, and the evolving regulatory landscape for CISOs. Additionally, they discuss the personal and professional ramifications of dealing with such a high-profile incident, offering valuable lessons for current and future cybersecurity leaders.

Chapters

00:00 Introduction and Welcome
00:59 The SolarWinds Incident Unfolds
03:13 Understanding the Attack and Response
04:04 The Role of SVR and Supply Chain Security
10:43 Technical Details of the Attack
14:56 Compliance and Reporting Challenges
19:24 Rebuilding Trust and Personal Impact
22:06 CISO Concerns and Company Support
22:14 Legal Challenges and Company Expenses
23:40 SEC Charges and Legal Proceedings
29:35 Supply Chain Security and Vendor Assurance
35:47 CISO Accountability and Industry Standards
39:41 Final Thoughts and Advice for CISOs

#245 - Mastering Cybersecurity Recruitment and Career Growth (with Casey Marquette) Aug 11, 2025

In this episode of CISO Tradecraft, host G Mark Hardy is joined by cybersecurity expert Casey Marquette to discuss effective HR and recruiting strategies for building a top-notch cybersecurity team. They dive into career development, the importance of networking, and how to navigate the challenges of hiring in cybersecurity. Casey shares his personal journey from law enforcement to becoming a leading figure in the cybersecurity world, highlighting the role of mentorship and continuous learning. The episode also covers innovative uses of AI in the hiring process and provides practical advice for both hiring managers and job seekers in the cybersecurity field. Tune in for valuable insights on how to hire the best talent and advance your career in cybersecurity. Transcripts https://docs.google.com/document/d/1c-3qy6KkQuhjuHquycQ3rRwMdSlZBfz4 Chapters

00:00 Introduction to Cybersecurity Recruitment
00:31 Guest Introduction: Casey Marquette
01:46 Casey's Career Journey
04:41 Hiring for Attitude vs. Skillset
05:30 Promoting from Within vs. Hiring Externally
07:34 Leadership and Morale
20:20 The Importance of Networking and Mentorship
22:19 AI in Recruitment
23:30 The Talent Pool and Recruitment Challenges
24:04 Introducing Scout: The AI Recruitment Tool
24:51 Security Measures in AI Recruitment
25:32 Addressing Fraudulent Candidates
26:10 Remote Hiring and Deepfake Concerns
28:52 Insider Threats and Tabletop Exercises
31:51 Enhancing Career Marketability for CISOs
37:47 Building Effective Networks and Relationships
42:04 The Importance of Specialized Recruitment
44:21 Final Thoughts and Contact Information

#244 - Breaking into Cybersecurity (with Christophe Foulon) Aug 04, 2025

Join host G Mark Hardy in another enlightening episode of CISO Tradecraft as he speaks with special guest Christophe Foulon, a seasoned cybersecurity professional and podcast host. In this episode, Christophe delves into his journey from the help desk to cybersecurity expert, the challenges faced by newcomers, and the keys to successfully building and leading cybersecurity teams. Learn about the importance of continuous learning, managing career transitions, and the emotional rewards and challenges of being a CISO. Whether you're an aspiring CISO or looking to advance in your cybersecurity career, this episode offers invaluable insights and practical advice.

Christophe's LinkedIn: https://www.linkedin.com/in/christophefoulon/ Christophe's Website: https://christophefoulon.com/ Christophe's Podcast: https://podcasts.apple.com/us/podcast/breaking-into-cybersecurity/id1463136698

Transcripts: https://docs.google.com/document/d/1UytoyelIMezzbtxdPHo5FE_oLiXYS_58

Chapters

00:00 Introduction to the Episode
00:27 Meet the Guest: Christophe Foulon
01:30 Christophe's Journey into Cybersecurity
06:24 The Allure and Challenges of a CISO Role
09:55 Developing Political and Leadership Skills
20:30 Aligning Team Members with Their Strengths
31:34 Navigating HR and Diversity in Cybersecurity
36:29 Becoming a Fractional or Virtual CISO
42:27 Final Thoughts and How to Connect with Christophe

#243 - Navigating Hacker Summer Camp in 2025 Jul 29, 2025

Navigating Hacker Summer Camp: A Comprehensive Guide Join host G Mark Hardy on this episode of CSO Tradecraft as he provides a detailed guide on what to expect at Hacker Summer Camp, a series of significant cybersecurity events including DEFCON, Black Hat, and BSides Las Vegas. G Mark shares historical insights, tips for first-timers, and personal anecdotes from his extensive experience attending these events over the years. Learn about the origins, key activities, and networking opportunities that make these conferences pivotal in the cybersecurity community. Stay tuned for practical advice on planning your visit and making the most out of your Hacker Summer Camp experience.

Transcripts: https://docs.google.com/document/d/1Y-MenErnVCzUga4xu20ZIz8hT9xsGSJD

Chapters

00:00 Introduction to Hacker Summer Camp
01:29 History and Significance of DEFCON
02:50 Spot the Fed and Early DEFCON Experiences
05:31 The Evolution of Black Hat
09:34 The Birth and Growth of BSides
11:19 Tips for Attending Hacker Summer Camp
19:57 Networking and Participation Strategies
25:31 Conclusion and Final Thoughts

#242 - The Secret to Career Success: Your Personal Board of Directors Jul 21, 2025

In this episode of CISO Tradecraft, co-host G Mark Hardy and guest Ross Young explore the concept of having a personal board of directors. Learn how to leverage mentors, coaches, and role models to gain diverse perspectives and valuable advice for your professional growth as a cybersecurity leader. Discover the importance of building authentic relationships and seeking advice from experienced individuals, and understand how to make informed career decisions. Tune in to hear practical tips on creating and maintaining your own board of directors, and how it can elevate your career in cybersecurity.

Helpful Reading

https://pe.gatech.edu/blog/working-learning/personal-board-of-directors

https://career.uga.edu/uploads/documents/hireuga/PersonalBoardOfDirectors-worksheet24.pdf

Transcripts:

https://docs.google.com/document/d/1qhx38KERHAc1T0qoE6mphUODeOt2xWC4 Chapters

00:00 Introduction to Personal Board of Directors
00:27 Welcome to CISO Tradecraft
01:25 Understanding the Concept of a Personal Board of Directors
03:51 The Role of Mentorship and Feedback
04:38 Building Effective Mentor-Mentee Relationships
06:53 The Importance of Sponsorship
07:57 Navigating Career Paths and Organizational Culture
09:28 Recruiting Your Personal Board of Directors
15:34 Making the Most of Mentorship
22:17 Advice and Board of Directors
22:46 The Power of a Mastermind
23:52 Identifying Key Roles for Your Board
26:27 Time Commitment and Mentor Relationships
27:22 Grave Diggers and Organizational Insights
28:26 Categories of Board Members
29:54 Leveraging Admins and Chiefs of Staff
31:55 Building Trust and Influence
35:09 Discernment in Taking Advice
41:23 Career Opportunities and Emerging Technologies
42:57 Summary and Final Thoughts

#241 - The OWASP Threat and Safeguard Matrix (with Ross Young) Jul 14, 2025

Join G Mark Hardy in this special episode of CISO Tradecraft as he interviews Ross Young, the creator of the OWASP Threat and Safeguard Matrix (TaSM). Ross shares his extensive cybersecurity background and discusses the development and utility of the TaSM, including its applications in threat modeling and risk management. Additionally, Ross introduces his upcoming book, 'Cybersecurity's Dirty Secret: How Most Budgets Are Wasted,' and provides insights on maximizing cybersecurity budgets. Don't miss this episode for essential knowledge on enhancing your cybersecurity leadership and strategies.

OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/

Transcripts - https://docs.google.com/document/d/1anGewI3XccGnXoV3oE2h7BfelY5QxiSL/

Chapters

00:00 Introduction to the Threat and Safeguard Matrix

00:30 Meet Ross Young: Cybersecurity Expert

01:08 Ross Young's Career Journey

01:59 The Upcoming Book: Cybersecurity's Dirty Secret

03:04 Introduction to the Threat and Safeguard Matrix (TaSM)

03:48 Understanding the TaSM Framework

07:10 Applying the TaSM to Real-World Scenarios

19:32 Using TaSM for Threat Modeling and Risk Committees

21:58 Extending TaSM Beyond Cybersecurity

23:52 AI Risks and the TaSM

24:43 Conclusion and Final Thoughts

#240 - From CruiseCon to AI Threats (with Ira Winkler) Jul 07, 2025

Join us for an engaging episode of CISO Tradecraft, hosted by G Mark Hardy, featuring cybersecurity veteran Ira Winkler. In this episode, we dive deep into cybersecurity careers, discuss the unique CruiseCon cybersecurity event, and explore the evolution of information security. Hear firsthand accounts of career journey highlights, networking strategies, and the importance of democratizing top-tier content. Learn about the impacts of AI in cybersecurity, data poisoning, and upcoming cybersecurity conferences. Whether you're a seasoned professional or just starting your journey, this episode is packed with invaluable insights and advice.

https://cruisecon.com/

Don't forget to the the following code for 10% off "CISOTRADECRAFT10"

Transcripts: https://docs.google.com/document/d/1-H1CShsyirr4ZL9d1WCx6IMA_ngjWoEN

Chapters

00:00 Introduction to CISO Tradecraft
01:34 Meet Ira Winkler: Cybersecurity Veteran
02:50 The Concept of CruiseCon
05:58 Challenges in Cybersecurity Events
08:03 Building a Cybersecurity Community
13:45 Mentorship and Networking in Cybersecurity
21:52 The Importance of Relevant Mentorship
24:40 The Importance of Programmatic Principles
25:19 Finding the Right Mentor for Your Career Path
26:38 Adapting to a Shifting Career Landscape
27:05 Understanding AI Fundamentals
29:12 The Role of Data in AI
30:57 Agentic AI and Its Applications
32:48 Challenges and Risks in AI
41:33 Upcoming Events and Keynote Speakers
43:35 Leadership Lessons from Ground Zero
46:39 Future Cruise Con Events
47:44 Conclusion and Farewell

#239 - Actionable Gamification and Lasting Success (with Yu-Kai Chou) Jun 30, 2025

In this episode of CISO Tradecraft, host G Mark Hardy speaks with gamification pioneer Yu-Kai Chou about his new book, '10,000 Hours of Play: Unlock Your Real Life Legendary Success.' Explore key concepts such as aligning your passions, skills, and goals through six essential steps: choosing your game, knowing your attributes, selecting your role, enhancing your skills, building alliances, and achieving your quest. Discover how gamification can lead to personal and professional success. Tune in for an insightful conversation that could change the way you approach your career and life.

Yu-Kai Chou - https://www.linkedin.com/in/yukaichou/

Actionable Gamification Book - https://a.co/d/isv7K0W

10,000 Hours of Play Book - https://a.co/d/3L88jTs

Transcripts: https://docs.google.com/document/d/1gPxWVeS8QYNsgGpXt3EDQy5zGcCYH7hL

Chapters

00:00 Introduction: The Power of Play
00:34 Meet Yu-Kai Chou: Gamification Pioneer
04:16 Understanding the Octalysis Framework
07:34 10,000 Hours of Play: A New Perspective
09:24 Choosing Your Game: Discovering Your Life's Mission
16:49 Knowing Your Attributes: Identifying Your Strengths
22:14 Selecting Your Role: Layers of Your Role Sphere
23:12 Aspiration and Identity: Defining Who You Want to Be
24:46 Occupation and Specialization: Aligning Your Roles
26:48 The Importance of Direction and Continuous Growth
28:05 The Concept of Ikigai and Skill Enhancement
30:38 Creating a Skill Triangle and Role Models
31:39 Gamification in Cybersecurity and Beyond
32:50 The Role of Determination and Passion
37:50 Building Alliances for Success
41:27 Recap and Final Thoughts

#238 - The Impact of the Israel Iran Conflict (with Nathan Case) Jun 23, 2025

In this episode of CISO Tradecraft, host G Mark Hardy discusses the ongoing Israel-Iran conflict and its potential cyber implications with cybersecurity expert Nathan Case. They delve into lessons learned from the Russia-Ukraine conflict, discuss the effectiveness of cyber warfare, and evaluate Iran's cyber capabilities. The conversation also covers the ethical implications of cyber attacks, dual-use targets, and the danger of supply chain vulnerabilities. Practical advice is provided on improving cybersecurity measures, including the importance of MFA, network segmentation, and evaluating internal threats. Join us for an in-depth look at how current geopolitical tensions can impact global cybersecurity.

Nathan Case - https://www.linkedin.com/in/nathancase/

Chapters

00:00 Introduction to the Israel-Iran Conflict
00:52 Meet the Expert: Nate Case
01:51 Cyber Warfare Insights from Russia-Ukraine Conflict
03:36 The Impact of Cyber on Critical Infrastructure
08:00 Ethics and Rules of Cyber Warfare
15:01 Iran's Cyber Capabilities and Strategies
16:56 Historical Context and Modern Cyber Threats
23:28 Foreign Cyber Threats: The Iranian Example
24:06 Israel's Cyber Capabilities
25:39 The Role of Cyber Command
26:23 Challenges in Cyber Defense
27:11 The Complexity of Cyber Warfare
32:21 Ransomware and Attribution Issues
36:13 Defensive Cyber Operations
39:39 Final Thoughts and Recommendations

#237 - Build a World Class SOC (with Carson Zimmerman) Jun 16, 2025

Join G Mark Hardy and Carson Zimmerman, the author of '11 Strategies of a World-Class Cybersecurity Operations Center,' in this insightful episode of CISO Tradecraft. Carson shares his career journey, the evolution from the 10 to 11 strategies, and delves into the future needs of Security Operations Centers (SOCs). They discuss critical topics such as the importance of continuous improvement, AI's impact on SOCs, and the value of embracing neurodiversity in cybersecurity teams. Whether you're a seasoned cybersecurity leader or an aspiring professional, get actionable advice on how to enhance and revolutionize your SOC operations.

11 Strategies of a World Class Cybersecurity Operations Center https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf

14 Questions are all you need - https://www.first.org/resources/papers/conf2024/1445-14-Questions-Carson-Zimmerman.pdf

Transcripts - https://docs.google.com/document/d/1WVJi9WkxOG7yedQYWSooiqRFjBERd9kV

Chapters

00:00 Introduction and Guest Welcome
00:53 Background and Book Discussion
03:33 SOC Challenges and Stagnation
06:10 Managing SOC Alerts and Burnout
09:26 SOC Evolution and Neurodiversity
23:50 Career Progression in Cybersecurity
30:28 Impact of AI on SOC Operations
40:07 Final Thoughts and Conclusion

#236 - Build a World Class GRC Program (with Matt Hillary) Jun 09, 2025

In this episode of CISO Tradecraft, host G Mark Hardy sits down with Matt Hillary, the Chief Information Security Officer of Drata, to discuss governance, risk, and compliance (GRC) and trust management. They explore key topics such as the evolution of GRC, trust management, compliance automation, and the advent of AI in compliance processes. Matt shares insights on building a world-class GRC program, the challenges and opportunities in modern-day compliance, and the mental health aspects of being a cybersecurity leader. This episode is a must-watch for any cybersecurity professional looking to enhance their GRC strategies and compliance operations.

Big Thanks to our Sponsor Drata. You can learn more about them at https://drata.com/

Connect with Matt Hillary at https://www.linkedin.com/in/matthewhillary/

Transcripts - https://docs.google.com/document/d/1VzRQSEvgUwenDERlNn2bwlIpnz4QPQ15/

Chapters

01:39 Meet Matt Hillary: CISO of Drata
06:06 The Evolution of GRC and Trust Management
14:48 Continuous Compliance and Automation
19:26 Compliance as Code: The Future of GRC
22:18 The Importance of Getting It Right the First Time
23:15 Customer Compliance Challenges
24:21 Vendor Risk Management and Trust Building
26:26 Leveraging AI for Compliance and Risk Management
31:43 Evaluating Credibility of Third-Party Evidence
41:09 Common Mistakes in GRC Programs
43:56 Final Thoughts and Industry Call to Action

#235 - Grey is the New Black (with Ryan Gooler) Jun 02, 2025

Join G Mark Hardy at THOTCON in Chicago for an insightful podcast episode on building a successful cybersecurity career. Featuring guest Ryan Gooler, they discuss the non-linear paths to success, the value of mentorship, financial planning, and the importance of continuous learning and adapting. Learn how to navigate career transitions, embrace risks, and find joy in teaching and learning from others in the cybersecurity community.

Transcripts: https://docs.google.com/document/d/1nsd61mkIWbmIL1qube0-cdqINsDujAVH

Chapters

00:00 Welcome to THOTCON: Meeting Amazing People
00:26 Introducing Ryan Gooler: A Journey into Cybersecurity
04:09 The Value of Mentorship in Cybersecurity
06:22 Career Management and Setting Goals
09:33 Financial Planning for Cybersecurity Professionals
16:40 Automating Finances and Smart Spending
21:25 Financial Sophistication and Mutual Funds
22:07 Automating Life Tasks
22:41 The Concept of a Finishing Stamp
24:17 Leadership and Delegation in the Navy
26:06 Building and Maintaining Culture
27:21 Surviving Toxic Environments
29:55 Taking Risks and Finding Joy
34:34 Advice for Cybersecurity Careers
39:01 The Importance of Teaching and Learning
40:29 Conclusion and Farewell

#234 - Model Context Protocol (MCP) May 26, 2025

In this episode of CISO Tradecraft, host G Mark Hardy delves into the emerging concept of Model Context Protocol (MCP) and its significance in AI and enterprise security. Launched by Anthropic in November 2024, MCP is designed to standardize how AI systems interact with external data sources and applications. Hardy explores how MCP differs from traditional APIs, its implications for security, and the steps organizations need to take to prepare for its adoption. Key topics include the stateful nature of MCP, security risks such as prompt injection and tool poisoning, and the importance of developing a robust governance framework. By the end of the episode, listeners will have a comprehensive understanding of MCP and practical recommendations for safeguarding their AI-driven workflows.

Transcripts https://docs.google.com/document/d/1vyfFJgTbsH73CcQhtBBkOfDoTrJYqzl_

References

Model Context Protocol specification and security best practices, https://modelcontextprotocol.io ⁠

Security risks of MCP, https://pillar.security ⁠ ⁠

MCP security considerations, https://writer.com

Chapters

00:00 Introduction to Model Context Protocol (MCP)
00:27 Understanding MCP and Its Importance
01:41 How MCP Works and Its Security Implications
04:23 Comparing MCP to Traditional APIs
08:41 MCP Architecture and Security Benefits
12:07 Top Security Risks of MCP
18:00 Implementing Security Controls for MCP
25:00 Governance Framework for MCP
28:03 Future Trends and Strategic Recommendations
30:34 Conclusion and Next Steps

#233 - Web 3.0 Explained (with Aaron Markell) May 19, 2025

Web 3.0 Explained: Business Cases, Security, and Future Prospects | CISO Tradecraft In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Aaron Markell to discuss the intricacies of Web 3.0. They explore the evolution from Web 1.0 and Web 2.0 to the decentralized structure of Web 3.0, describing its application in various industries like finance, healthcare, and supply chain. The conversation dives into blockchain technology, the role of tokens, smart contracts, and consensus mechanisms like proof of work and proof of stake. They also touch on potential future developments involving AI in Web 3.0, offering valuable insights for business leaders and cybersecurity professionals looking to understand and leverage this emerging technology.

Chapters

00:00 Introduction to Web 3.0
00:31 Meet the Expert: Aaron Markell
01:39 Aaron's Journey into Web 3.0
03:51 Understanding Web 1.0, 2.0, and 3.0
04:36 Decentralization and Blockchain Basics
05:51 The SETI Project and Distributed Workloads
08:09 Proof of Work and Blockchain Security
17:22 Smart Contracts Explained
20:10 Proof of Stake vs. Proof of Work
23:51 The Role of Tokens in Web 3.0
24:22 Understanding Microtransactions and Ownership
25:05 What is an NFT?
26:40 The Rise and Fall of NFTs
28:36 Web 3.0 and Its Impact on Industries
30:10 Blockchain in Finance and Commerce
30:55 Private Blockchains and Government Transparency
34:09 Blockchain in Legal and Healthcare Sectors
36:59 Supply Chain Transformation with Web 3.0
39:59 The Future of Web 3.0 and AI Integration
41:03 Final Thoughts and Security Tips

#232 - Inside The 2025 Verizon Data Breach Investigations Report May 12, 2025

Join G Mark Hardy, host of CISO Tradecraft, as he breaks down the latest insights from the 2025 Verizon Data Breach Investigations Report (DBIR). In this episode, discover the top 10 takeaways for cybersecurity leaders including the surge in third-party breaches, the persistence of ransomware, and the human factors in security incidents. Learn actionable strategies to enhance your organization's security posture, from improving vendor risk management to understanding industry-specific threats. Stay ahead of cybercriminals and secure your data with practical, data-driven advice straight from one of the industry's most anticipated reports.

Verizon DBIR - https://www.verizon.com/business/resources/reports/dbir/

Transcripts - https://docs.google.com/document/d/1h_YMpJvhAMB9wRyx92WkPYiKpFYyW2qz

Chapters

00:35 Verizon Data Breach Investigations Report (DBIR) Introduction
01:16 Accessing the DBIR Report
02:38 Key Takeaways from the DBIR
03:15 Third-Party Breaches
04:32 Ransomware Insights
08:08 Exploitation of Vulnerabilities
09:39 Credential Abuse
12:25 Espionage Attacks
14:04 System Intrusions in APAC
15:04 Business Email Compromise (BEC)
18:07 Human Risk and Security Awareness
19:19 Industry-Specific Trends
20:06 Multi-Layered Defense Strategy
21:08 Data Leakage to Gen AI

#231 - Tackle Your Technical Debt May 05, 2025

Join G Mark Hardy in this eye-opening episode of CISO Tradecraft as he shares a personal story about his dog Shelby's near-fatal experience and the costly lesson it taught him about technical debt. Discover how small overlooked issues in cybersecurity can compound and lead to significant risks and learn actionable steps to tackle technical debt before it turns into a crisis.

Pictures of Dog https://drive.google.com/file/d/1nBc9e3bBJVW0BQt5inGryhP3ahBz4XsQ/view?usp=drive_link https://drive.google.com/file/d/12V_DuwhgNBKgxJL0yqNq9Fopa4dauJfd/view?usp=drive_link

Transcripts https://docs.google.com/document/d/1-_X_9RQrurOLKRvbXyMjgbygESsabcCK

Chapters

00:21 Welcome to CISO Tradecraft
00:36 RSAC 2025 Conference Experience
01:22 Shelby's Health Scare
02:08 Understanding Technical Debt
02:41 The Consequences of Technical Debt
04:09 Shelby's Story as a Technical Debt Analogy
09:28 Lessons Learned from Shelby's Story
13:09 Conclusion and Call to Action

#230 - How To Make Your AI Less Chatty (with Sounil Yu) Apr 28, 2025

In this episode of CISO Tradecraft, host G Mark Hardy and guest Sounil Yu delve into the dual-edged sword of implementing Microsoft 365 Copilot in enterprises. While this productivity tool has transformative potential, it introduces significant oversharing risks that can be mitigated with the right strategies. Discover how Sounil and his team at Knostic have been tackling these challenges for over a year, presenting innovative solutions to ensure both productivity and security. They discuss the importance of 'need to know' principles and knowledge segmentation, providing insight into how organizations can harness the power of Microsoft 365 Copilot safely and effectively. Tune in to learn how to avoid becoming the 'department of no' and start being the 'department of know.'

Transcripts https://docs.google.com/document/d/1CT9HXdDmKojuXzWTbNYUE4Kgp_D64GyB

Knostic's Website - https://www.knostic.ai/solution-brief-request

Chapters

00:00 Introduction to Microsoft Copilot Risks
00:32 Meet the Guest: Sounil Yu
02:51 Understanding Microsoft 365 Copilot
06:09 The DIKW Pyramid and Knowledge Management
08:34 Challenges of Data Permissions and Oversharing
19:01 Need to Know: A New Approach to Access Control
35:10 Measuring and Mitigating Risks with Copilot
39:46 Conclusion and Next Steps

#229 - Understanding the Critical Role of CVEs and CVSS Apr 21, 2025

In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently.

Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII

Chapters

00:00 Introduction to CVE and CVSS
01:13 History of Vulnerability Tracking
03:07 The CVE System Explained
06:47 Understanding CVSS Scoring
13:11 Recent Funding Crisis and Its Impact
15:53 Future of the CVE Program
18:27 Conclusion and Final Thoughts

#228 - CIS CSAT (with Scott Gicking) Apr 14, 2025

Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.

Scott Gicking - https://www.linkedin.com/in/scottgickingus/

CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat

Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe

Chapters

01:16 Guest Introduction: Scott Gicking
02:49 Scott's Career Journey
04:03 The Hollywood Cybersecurity Incident
07:38 Introduction to CIS and Its Importance
09:49 Understanding the CIS CSAT Tool
10:13 Implementing CIS CSAT in a Real-World Scenario
13:00 Benefits of the CIS CSAT Tool
18:38 Developing a Three-Year Roadmap with CSAT
23:25 Scoring Policies and Controls
24:20 Control Implementation and Automation
25:22 CMMC Certification Levels
27:52 Honest Self-Assessment
30:01 Quick and Dirty Assessment Approach
33:07 Building Trust and Reporting
37:38 Business Impact Analysis Tool
40:02 Reputational Damage and CISO Challenges
42:55 Final Thoughts and Contact Information

#227 - The 30 Year CISO Evolution Apr 07, 2025

Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today.

Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit

Chapters

00:00 Introduction to the Evolution of the CISO Role
00:58 The First CISO: Steve Katz's Pioneering Journey
03:58 Rise of Security Certifications
08:39 Regulatory Wake-Up Calls and Compliance
12:23 Cybersecurity in the Age of State-Sponsored Attacks
17:58 The Impact of Major Cyber Incidents
25:07 Modern Challenges and the Future of the CISO Role
27:51 Conclusion and Final Thoughts

#226 - Vulnerability Management (with Chris Hughes) Mar 31, 2025

In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader.

Chris Hughes - https://www.linkedin.com/in/resilientcyber/

Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi

Chapters

00:00 Introduction and Special Guest Announcement
00:55 Chris Hughes' Background and Career Journey
02:46 Government and Industry Engagement
03:42 Supply Chain Security Challenges
07:34 Vulnerability Management Insights
12:13 Navigating the Overwhelming Vulnerability Landscape
22:19 Building Positive Relationships in Cybersecurity
23:41 Empowering Risk-Informed Decisions
24:29 Aligning with Organizational Risk Appetite
25:33 Navigating Job Changes and Organizational Fit
26:32 The Role of Compliance in Security
33:27 The Impact of AI on Security
43:05 Balancing Build vs. Buy Decisions
45:05 Conclusion and Final Thoughts

#225 - The Full Irish Mar 24, 2025

In this episode of CSO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cybersecurity Center. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program.

References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf

Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0

Chapters

00:00 Introduction to the Full Irish
01:32 Why Ireland?
02:40 Tax Avoidance Schemes
04:25 GDPR Penalties and Data Protection
05:54 Overview of the 12 Steps to Cybersecurity
07:19 Step 1: Governance and Organization
09:24 Step 2: Identify What Matters Most
10:31 Step 3: Understanding the Threats
12:35 Step 4: Defining Risk Appetite
14:10 Step 5: Education and Awareness
16:00 Step 6: Implement Basic Protections
18:00 Step 7: Detect and Attack
19:37 Step 8: Be Prepared to React
21:24 Step 9: Risk-Based Approach to Resilience
22:52 Step 10: Automated Protections
23:58 Step 11: Challenge and Test Regularly
25:29 Step 12: Cyber Risk Management Lifecycle
26:29 Conclusion and Final Thoughts

#224 - The Evolution of Data Loss Prevention (DLP) Mar 17, 2025

In this episode of CISO Tradecraft, host G. Mark Hardy dives into the evolution, challenges, and solutions of Data Loss Prevention (DLP). From early methods like 'dirty word lists' in the military to advanced AI and machine learning models of today, discover how DLP technologies have developed to safeguard sensitive information. Learn about different DLP phases, regulatory impacts, and modern tools like Microsoft Purview that can help manage and classify data effectively. This episode is packed with valuable insights to help you tackle data security with confidence and efficiency.

Transcripts

https://docs.google.com/document/d/1u7owNI5P3WajJvRPIXbzrUYy-PCsRcfC

References

Crash course in Microsoft Purview: A guide to securing and managing your data estate

Chapters

00:00 Introduction to Data Loss Prevention (DLP)
00:45 Early Days of DLP: Dirty Word Lists and Simple Networks
02:39 Evolution of DLP: Content Filtering and Endpoint Protection
06:05 Advanced Content Inspection and Policy Enforcement
09:19 Unified DLP and Cloud Adoption
16:04 Modern DLP: AI, Machine Learning, and Zero Trust
19:12 Implementing DLP with Microsoft Purview
28:59 Summary and Final Thoughts

#223 - A CISO Primer on Agentic AI Mar 10, 2025

In this episode of CISO Tradecraft, G. Mark Hardy dives deep into the world of Agentic AI and its impact on cybersecurity. The discussion covers the definition and characteristics of Agentic AI, as well as expert insights on its feasibility. Learn about its primary functions—perception, cognition, and action—and explore practical cybersecurity applications. Discover the rapid advancements made by tech giants and potential risks involved. This episode is a comprehensive guide to understanding and securely implementing Agentic AI in your enterprise.

Transcripts https://docs.google.com/document/d/1tIv2NKX0DL4NTnvqKV9rKrgrewa68m3W

References

Vladimir Putin - https://www.rt.com/news/401731-ai-rule-world-putin/
Minds and Machines - https://link.springer.com/article/10.1007/s44163-024-00216-2
Anthropic - https://www.cnbc.com/2024/10/22/anthropic-announces-ai-agents-for-complex-tasks-racing-openai.html
Convergence AI - https://convergence.ai/training-web-agents-with-web-world-models-dec-2024/
OpenAI Operator - https://openai.com/index/introducing-operator/
ByteDance UITARS - https://venturebeat.com/ai/bytedances-ui-tars-can-take-over-your-computer-outperforms-gpt-4o-and-claude/
Zapier - https://www.linkedin.com/pulse/openai-bytedance-zapier-launch-ai-agents-getcoai-l6blf/
Microsoft OmniParser - https://www.microsoft.com/en-us/research/articles/omniparser-v2-turning-any-llm-into-a-computer-use-agent/
Google Project Mariner - https://deepmind.google/technologies/project-mariner/
Rajeev Sharma - Agentic AI Architecture - https://markovate.com/blog/agentic-ai-architecture/
NIST.AI.600-1 - https://doi.org/10.6028/NIST.AI.600-1
Mitre ATLAS - https://atlas.mitre.org/
OWASP Top 10 for LLMs - https://owasp.org/www-project-top-10-for-large-language-model-applications/
ISO 42001 - https://www.iso.org/standard/81230.html

Chapters

00:00 Introduction and Intriguing Quote
01:10 Defining Agentic AI
02:01 Expert Insights on Agency
04:32 Agentic AI in Practice
06:54 Recent Developments in Agentic AI
08:20 Deep Dive into Agentic AI Infrastructure
15:35 Use Cases for Agentic AI

#222 - 40 Years of Career Advice in 40 Minutes Mar 03, 2025

In this episode of CISO Tradecraft, G. Mark Hardy shares 15 crucial characteristics to help you succeed in your cybersecurity career and become an effective CISO. From knowing yourself and developing leadership skills to enhancing communications and staying current with trends, Hardy distills decades of wisdom into practical advice. Learn how to navigate career transitions, build technical credibility, become an effective storyteller, and master political skills essential for C-level success.

Transcripts: https://docs.google.com/document/d/1MpjXD8LqnHS_Lj1S-6T7vxcclxzUjEhe

Chapters

01:30 Know Yourself: The First Step to Success
05:23 Develop Your Leadership Skills
07:09 Enhance Your Communication Skills
11:37 Gain Broad Experience
14:28 Pursue Advanced Education
18:13 Network with Other Professionals
20:47 The Importance of Mentorship
22:20 Building Valuable Connections
23:43 Aligning with Business Goals
25:38 Deepening Technical Expertise
26:59 Staying Current with Trends
28:03 Promoting a Security-First Culture
30:18 Addressing Skills Gaps
31:53 Becoming a Master Storyteller
33:35 Engaging with Executives
34:41 Strategic Thinking and Time Management
37:27 Mastering Political Skills
39:14 Conclusion and Final Thoughts

#221 - Microsoft Majorana is Taking the Quantum Leap Feb 24, 2025

In this episode of CISO Tradecraft, host G Mark Hardy discusses Microsoft's groundbreaking announcement of their new quantum chip, the Majorana. The chip harnesses properties of a topological superconductor, making quantum computing promises more tangible. The episode delves into the technical aspects of quantum bits (qubits), cryptography, and the implications of topological quantum computing. With insights on competitor advancements by Google and potential challenges, this episode provides a comprehensive overview of quantum computing's future and its cyber security implications.

Transcripts: https://docs.google.com/document/d/1O2XG47o2_6jHBtPKL2PcwGRKPe69wFvi

Link: https://azure.microsoft.com/en-us/blog/quantum/2025/02/19/microsoft-unveils-majorana-1-the-worlds-first-quantum-processor-powered-by-topological-qubits/

Chapters

00:00 Introduction to CISO Tradecraft
00:26 Microsoft's Quantum Chip Announcement
01:51 Understanding Quantum Bits
03:23 Quantum Computing and Cryptography
06:00 Microsoft's Quantum Leap
09:41 The Physics Behind Quantum Computing
16:48 Majorana Particle and Its Significance
20:29 Applications and Future of Quantum Computing
25:01 Conclusion and Final Thoughts

#220 - Executive Updates to AI Feb 17, 2025

In this CISO Tradecraft episode, host G. Mark Hardy delves into the recent U.S. presidential executive orders impacting AI and their implications for cybersecurity professionals. Learn about the evolution of AI policies from various administrations and how they influence national security, innovation, and the strategic decisions of CISOs. Discover key directives, deregulatory moves, and practical steps you can take to secure your AI systems in an era marked by rapidly changing regulations. Plus, explore the benefits of using AI tools like ZeroPath to bolster your cybersecurity efforts.

Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/

Transcripts: https://docs.google.com/document/d/1Nv27tpDQs2fjdOedJOi0LhlkyQ5N5dKt

Links:

Chapters

00:00 Introduction to AI Policy Shifts
00:23 AI Tool for Cybersecurity: ZeroPath
01:12 Understanding Executive Orders

#219 - The Professionalization of CISOs (with Steve Zalewski & Tyson Kopczynski) Feb 10, 2025

This podcast episode discusses the formation of a professional association for CISOs, driven by increasing personal liability risks faced by these executives. The conversation centers on establishing a formal definition and accreditation process for the CISO role, moving beyond existing certifications to demonstrate operational and theoretical expertise. This professionalization effort aims to reduce personal liability through a tailored insurance product, negotiated collectively by the association, and preempt potentially ill-defined government regulations. Ultimately, the goal is to create a structured, respected profession for CISOs, offering benefits such as insurance, professional development, and a unified voice within the industry.

Professional Association of CISOs - https://theciso.org/

Transcripts - https://docs.google.com/document/d/1BNeUzSyPYX-vAYwQl9qCi0GhknYhKnWF/

Chapters

00:00 Introduction to Professionalizing the CISO Role
00:52 The Genesis of a Professional Association
03:39 Challenges and Legal Liabilities for CISOs
04:43 The Value of Joining the Association
06:24 Accreditation and Certification Process
10:38 Insurance and Risk Management for CISOs
18:45 Future Directions and Getting Involved

#218 - How AI Changes Talent Management (with Colleen Lennox) Feb 03, 2025

In this episode of CISO Tradecraft, host G. Mark Hardy and special guest Colleen Lennox dive into the transformative power of AI in HR. Discover how AI can revolutionize identifying, attracting, and retaining cybersecurity talent. They discuss the challenges of finding the right personnel in the cybersecurity field, the innovative AI-driven solutions that can streamline recruitment processes, and how these tools can help in talent management and career progression. Stay tuned as they explore the potential of AI in creating a more effective and bias-free hiring process, while also discussing the future implications for HR and recruiters in the evolving landscape. Big Thanks to our

Sponsors: CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!

Transcripts: https://docs.google.com/document/d/1f6B9Ye02WHWo7q15avBm0359pxGNqnVu

Chapters

00:00 Introduction: AI and Workforce Concerns
00:28 Welcome to CISO Tradecraft
01:01 Meet Colleen Lennox: AI in HR
01:27 Challenges in Cybersecurity Recruitment
03:11 AI-Powered Recruitment Solutions
07:07 Improving Talent Management with AI
13:36 Addressing Bias in AI Recruitment
17:20 Future of AI in HR and Recruitment
21:04 Conclusion and Contact Information

#217 - Includes No Dirt (with Bill Dougherty) Jan 27, 2025

In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.

Big Thanks to our Sponsors:

ZeroPath - https://zeropath.com/

CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!

The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf

Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X

Chapters

03:27 The Genesis of Includes No Dirt
05:05 Combining Security, Privacy, and Compliance
07:24 Implementing the No Dirt Model
11:42 Scoring and Evaluating Risks
17:41 Third-Party Risk Management
25:49 Evaluating SaaS Requests Based on Risk
27:55 Adapting Threat Models for AI
31:24 Principles of Minimum Necessary Data
33:42 General Applicability of Security Principles
35:12 Includes No Dirt: A Comprehensive Threat Model
40:15 Final Thoughts and Recommendations

#216 - The TTPs of a Security Champions Program (with Dustin Lehr) Jan 20, 2025

Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you’re an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization’s security practices.

Big Thanks to our Sponsors:

ZeroPath - https://zeropath.com/

CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!

Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH

Learn more about this topic by reading Justin's Website - https://securitychampionsuccessguide.org/

Justin Lehr's Company - https://www.katilyst.com/

Chapters

01:05 Meet Dustin Lair
04:05 Leadership vs. Management
06:17 The Role of Security Champions
17:20 Recruiting Security Champions
24:42 Exploring the Framework: Vision and Goals
26:25 Defining Participants and Their Roles
28:37 Understanding the Current Setting
33:27 Conceptualizing Ideal Actions
35:20 Designing with Gamification in Mind
40:30 Effective Delivery and Continuous Tuning
41:30 Overcoming Challenges and Final Thoughts

#215 - CISO Predictions for 2025 Jan 13, 2025

In this episode of CISO Tradecraft, host G Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.

Big Thanks to our Sponsor

CruiseCon - https://cruisecon.com/

CruiseCon Discount Code: CISOTRADECRAFT10

Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf

Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code

Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy

Chapters

01:19 1) AI Influencers become normalized
03:17 2) The Importance of Production Quality in Branding
05:19 3) Google and Apple Collaboration for Enhanced Security
06:28 4) Consolidation in Application Security and Vulnerability Management
08:36 5) The Rise of Models Committees
09:09 6) Formalizing the CISO Role
11:03 7) Exclusive CISO Retreats: The New Trend
12:12 8) Automating Cybersecurity Tasks with Agentic AI
13:10 9) Browser-Based Security Solutions
14:22 10) Post-Quantum Cryptography: Preparing for the Future

#214 - Deceive to Detect (with Yuriy Gatupov) Jan 06, 2025

🔥 Hackers Beware! Cyber Deception is Changing the Game 🔥

In this must-hear episode of CISO Tradecraft, we expose a mind-blowing cybersecurity strategy that flips the script on attackers. Instead of waiting to be breached, cyber deception technology tricks hackers into revealing themselves—before they can do real damage. 🚨🎭

Imagine laying digital traps—fake credentials, bogus systems, and irresistible bait—that lead cybercriminals straight into a controlled maze where every move they make is tracked.

Early threat detection? ✅

Real-time attacker intel? ✅

Fewer false positives? ✅

🎙️ Featuring deception tech guru Yuriy Gatupov, we break down:

✅ How deception tech works & why it’s a game-changer

✅ How to expose and track hackers in real time

✅ How to prove ROI and make the case for your org Cyber deception isn’t just defense—it’s offense against cyber threats. Are you ready to fight back? Listen now!

Big thanks to our Sponsors

ThreatLocker - https://hubs.ly/Q02_HRGK0

CruiseCon - https://cruisecon.com/

Contact Yuriy Gatupov - info@labyrinth.tech

Yuri's LinkedIn - https://www.linkedin.com/in/yuriy-gatupov-373155281/

Transcripts: https://docs.google.com/document/d/1oyQzCBRoPLbDOCOCypJMGGXxcPI5w75o

Chapters

02:05 History of Cyber Deception
04:57 Advantages of Deception Technology
06:57 Engagement and Detection Strategies
10:18 How Deception Technology Works
16:13 Attack Scenarios and Detection
24:09 Decoys and Deception: A New Paradigm
24:56 Real-World Success Stories
33:30 Deception in OT and SCADA Systems
37:38 Calculating ROI for Deception Technologies

#213 - How to Build a Successful Cybersecurity Startup (with Ross Haleliuk) Dec 30, 2024

In this episode of CISO Tradecraft, host G Mark Hardy interviews Ross Haleliuk, author of 'Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup.' Ross shares valuable insights on starting a cybersecurity company, and emphasizes the importance of understanding market needs, customer engagement, and trust in the industry. They discuss the role of angel investors, the differences between product and service companies, and the challenges founders face. The episode also includes an announcement about CISO Tradecraft's partnership with CruiseCon for an upcoming cybersecurity conference. Additionally, Ross provides a glimpse into his non-traditional background and journey into the cybersecurity space.

Thank you to our sponsors

- ThreatLocker - https://hubs.ly/Q02_HRGK0

- CruiseCon - https://cruisecon.com/

Ross Haleliuk's Book - https://www.amazon.com/Cyber-Builders-Essential-Building-Cybersecurity/dp/173823410X/

Ross Haleliuk's LinkedIn Page - https://www.linkedin.com/in/rosshaleliuk/

Transcripts: https://docs.google.com/document/d/1b8UPolYvYWEYbmO7n_7NqrilObv-HNzo Chapters

02:28 Ross Haleliuk's Background and Journey
04:32 Discussing the Book: Cyber for Builders
10:52 Insights on Cybersecurity and Business
15:54 Challenges and Realities of Cybersecurity Startups
22:19 Navigating Market Competition
23:15 Entering Established Markets
24:28 Challenges in Security Tool Adoption
25:11 Legacy Vendors and Market Entrenchment
27:35 Building a Company: Beyond the Product
30:02 Validating Market Needs
32:27 Funding Your Startup
35:25 The Role of Angel Investors
43:29 Conclusion and Next Steps

#212 - Repeatable, Attestable, and Defensible AI (with AWS's Former Deputy CISO Merritt Baer) Dec 23, 2024

Join us on CISO Tradecraft as we explore the future of cybersecurity with Merritt Barrett, former Deputy CISO at AWS. Merritt, a Harvard Law graduate, shares her expert insights on the trends expected in the upcoming years, emphasizing the enduring aspects of cybersecurity, the implications of AI, and challenges in cloud security. Discover valuable strategies for managing security risks, the evolution of ransomware, and the integration of sustainable practices within the industry. Don't miss this episode filled with practical advice for current and aspiring CISOs!

Thank you to our sponsors

- ThreatLocker - https://hubs.ly/Q02_HRGK0

- CruiseCon - https://cruisecon.com/

Transcripts https://docs.google.com/document/d/1KRkN7jVZvAaYk1eSBde3GTiD-G9RPjXJ

Chapters

00:00 Introduction and Guest Overview
01:16 Future of Cybersecurity
02:18 AWS Security Insights
04:35 Shared Responsibility Model
09:59 AI in Cybersecurity
21:55 Security and Environmental Concerns
32:36 Predictions for 2025 and Beyond
42:46 Closing Remarks and Contact Information

#211 - Allowlisting and Ringfencing (with Kieran Human) Dec 16, 2024

In this episode of CISO Tradecraft, host G Mark Hardy discusses the history and evolution of endpoint protection with guest Kieran Human from ThreatLocker. Starting from the inception of antivirus software by John McAfee in the late 1980s, the episode delves into the advancements through Endpoint Detection and Response (EDR) and introduces the latest in endpoint security: allowlisting and ring fencing. The conversation highlights the limitations of traditional antivirus and EDR solutions in today's threat landscape, emphasizing the necessity of default-deny approaches to enhance cybersecurity. Kieran explains how ThreatLocker’s allowlisting and ring-fencing capabilities can block unauthorized applications and actions, thus significantly reducing the risk of malware and ransomware attacks. Practical insights, war stories, and deployment strategies are shared to help cybersecurity leaders implement these next-generation tools effectively.

Thank you to our sponsor ThreatLocker

https://hubs.ly/Q02_HRGK0

Transcripts: https://docs.google.com/document/d/1UMrK44ysBjltNkddCkwx9ly6GJ14tIbC

Chapters

00:00 Introduction to Endpoint Protection
00:41 Upcoming Event: CruiseCon 2025
01:18 History of Endpoint Protection
03:34 Evolution of Antivirus to EDR
05:25 Next-Gen Endpoint Protection: Allowlisting
06:44 Guest Introduction: Kieran Human from ThreatLocker
08:06 Benefits of Allowlisting and Ring Fencing
17:14 Challenges and Best Practices
26:19 Conclusion and Call to Action

#210 - Salt Typhoon and Vulnerable Telecoms Dec 09, 2024

In this crucial episode of CISO Tradecraft, host G Mark Hardy delves into the urgent topic of the 'Salt Typhoon' threat, with insights from experts Adam Isles and Andreas Kurland from the Chertoff Group. The episode covers the implications for corporate security using SMS text messages when Chinese actors are breaking into major telecommunication entities. The conversation focuses on encryption, secure communications, and measures to mitigate risks from vulnerabilities in telecommunications infrastructure. The discussion includes practical steps for securing messaging, voice calls, virtual meetings, and emails. Learn actionable strategies to bolster your organization’s cybersecurity posture and ensure robust defense against sophisticated state-level cyber threats.

Thank you to our sponsor Threat Locker

https://www.threatlocker.com/pages/essential-eight-fast-track?utm_source=ciso_tradecraft&utm_medium=sponsor&utm_campaign=essential-eight_q4_24&utm_content=essential-eight&utm_term=podcast

Link to recommendations:

https://chertoffgroup.com/end-to-end-encryption-is-essential/

Transcripts https://docs.google.com/document/d/13NKPUBU3c-qYQtX18NR08oYVRSSnHD_a

Chapters:

00:00 Introduction to Salt Typhoon
01:31 Meet the Experts: Adam Isles and Andreas Kurland
02:03 Understanding the Salt Typhoon Threat
04:49 Telecommunications and Security Risks
07:37 Messaging Security: Risks and Recommendations
20:14 Voice Communication Security
28:44 Securing Virtual Meetings
34:45 Email Security: Challenges and Solutions
41:35 Conclusion and Contact Information

#209 - AI Singularity (with Richard Thieme) Dec 02, 2024

In this riveting episode of CISO Tradecraft, host G Mark Hardy welcomes back Richard Thieme, a thought leader in cybersecurity and technology, almost three years after his last appearance. Richard delves into the necessity of thinking like a hacker, provides insights into the AI singularity, and discusses the ethical and societal implications of emerging technologies. The conversation also touches on Richard's extensive body of work, including his books and views on cyber warfare, disinformation, and ethical decision-making. Tune in for a thought-provoking discussion that challenges conventional wisdom and explores the interconnectedness of technology, consciousness, and our future.

Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/

CruiseCon Discount Code: CISOTRADECRAFT10

Link to Richard’s home page (and links to Amazon for his books):

https://thiemeworks.com/

Link to the book, The Ending of Time:

https://store.kfa.org/products/the-ending-of-time-new-edition

Transcripts: https://docs.google.com/document/d/1Q7CJkF7Spji2iAbV_mYEyYHnKWobzo6N

Chapters

00:00 Introduction and Guest Announcement
00:56 Upcoming Cybersecurity Event: CruiseCon
01:41 Welcoming Back Richard Thieme
02:06 Reflecting on Past Discussions
02:59 The Necessity for Thinking Like a Hacker
03:10 Exploring Richard Thieme's Books
08:25 Understanding AI and Its Implications
18:28 Soft Power and Global Influence
24:01 The Power of Fiction in Revealing Truth
24:37 Ethical Frameworks Post 9/11
26:12 The Role of Empathy in Intelligence Work
26:37 The Blurring Line Between Fact and Fiction
29:52 The Isolation of Intelligence Work
31:18 The Interconnectedness of Everything
33:36 Exploring Remote Viewing and Consciousness
36:50 The Rise of AI and Ethical Considerations
39:43 The Evolution of Technology and Society
45:07 Final Thoughts and Reflections

#208 - Insider Threat (with Shawnee Delaney) Nov 25, 2024

This podcast episode of CISO Tradecraft features Shawnee Delaney, an insider threat expert, discussing insider threats in cybersecurity. Delaney, whose background includes espionage, explains how understanding human motivation and vulnerabilities is crucial for identifying and mitigating insider threats. The conversation highlights the importance of organizational culture, employee well-being, and proactive measures like employee lifecycle management and psychological testing in preventing such threats. Practical advice is offered for leaders to foster a supportive and communicative work environment to detect potential threats early. Finally, methods for creating effective insider threat programs and addressing cultural issues are explored.

Shawnee Delaney's LinkedIn - https://www.linkedin.com/in/shawnee-delaney/

Vaillance Group - https://www.vaillancegroup.com/

Transcripts: https://docs.google.com/document/d/1xJiEMDL8CjNwwfBSvNHfnhfsrVgOMuk0

Chapters

00:00 Introduction to Insider Threat
00:26 Guest Introduction: Shawnee Delaney
00:58 CruiseCon 2025 Announcement
01:33 Shawnee's Career Journey
02:18 Understanding Espionage
03:43 Motivations Behind Espionage
07:46 Indicators of Insider Threat
10:48 Building a Positive Organizational Culture
18:21 Implementing an Insider Threat Program
21:05 Psychological Testing in Hiring
23:26 Assessing Organizational Culture
25:34 Core Values in the Navy and Marine Corps
26:16 A Commanding Officer's Story
28:32 Identifying Insider Threats
32:01 The Impact of Job Uncertainty
36:50 Gamifying Security Incentives
39:12 Building a Strong Security Culture
42:05 Final Thoughts and Recommendations

#207 - CISO Burnout (with Raghav Singh) Nov 18, 2024

Welcome to another enlightening episode of CISO Tradecraft! In this episode, host G. Mark Hardy dives deep into the critical topic of CISO burnout with special guest Raghav Singh, a PhD candidate from the University of Buffalo. This is an eye-opening session for anyone in the cybersecurity field, especially those in or aspiring to the CISO role. Raghav shares valuable insights from his extensive research on the unique stresses faced by CISOs, the organizational factors contributing to burnout, and practical coping mechanisms. We also explore the evolutionary phases of CISOs, from technical experts to strategic business enablers. Whether you're dealing with resource limitations, seeking executive support, or managing ever-evolving cybersecurity threats, this episode offers actionable advice to navigate the demanding role of a CISO successfully. Don't forget to like, comment, and share to help other CISOs and cybersecurity leaders!

Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/

CruiseCon Discount Code: CISOTRADECRAFT10

Transcripts: https://docs.google.com/document/d/1fhLkaj_JetlYFQ50Q69uMGmsw3fS3Wqa

CISO Burnout - https://aisel.aisnet.org/amcis2023/sig_lead/sig_lead/4/

CISO-CIO Power Dynamics https://aisel.aisnet.org/amcis2024/is_leader/is_leader/6/

Cybersec professionals and AI integration https://aisel.aisnet.org/amcis2024/security/security/29/

Raghav can be reached on rsingh45@buffalo.edu

Chapters

00:00 Introduction and Guest Welcome
02:34 Understanding CISO Burnout
03:24 PhD Journey and Challenges
10:12 Key Findings on CISO Burnout
18:39 Six Sources of CISO Burnout
32:47 CISO Maturity Levels
42:57 Conclusion and Call to Action

#206 - Ira Winkler CruiseCon Founder Nov 11, 2024

Setting Sail with Cybersecurity: Exclusive Insights from Ira Winkler on CruiseCon 2025 🛳️ Join us for an exciting episode of CISO Tradecraft as G Mark Hardy sits down with renowned cybersecurity expert Ira Winkler! Discover the groundbreaking CruiseCon 2025, the first at-sea cybersecurity conference, featuring top-tier speakers and unrivaled networking opportunities. Learn about Ira's illustrious career, the significance of certifications, and the current state of the cybersecurity job market. Don't miss out on this chance to enhance your career and connect with industry luminaries.

Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/

CruiseCon Discount Code: CISOTRADECRAFT10

Transcripts: https://docs.google.com/document/d/1CGyFBxOrxvJitKsH9BRKwf2_g8rRPZ6K

Chapters

00:00 Introduction and Special Announcement
00:42 Reconnecting with Ira Winkler
04:07 Early Cybersecurity Days and Certifications
14:35 Innovative Ideas and CruiseCon
21:32 Meet the Top Cybersecurity Experts
22:13 Exciting Events and Networking Opportunities
24:10 Special Deals and Sponsorships
34:47 Addressing the Cybersecurity Job Market

#205 - Wisdom from the 1st Cyber Colonel (JC Vega) Nov 04, 2024

Join G. Mark Hardy on this exciting episode of CISO Tradecraft as he interviews J.C. Vega, the first cyber colonel in the United States Army. Vega shares his invaluable insights on leadership, team building, and success strategies that can transform your cybersecurity career. Plus, learn about CruiseCon 2025, Wee Dram, and how you can take your leadership skills to the next level. Don't miss out on this episode packed with wisdom, actionable advice, and some fun anecdotes. Subscribe, comment, and share with your peers!

Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/

CruiseCon Discount Code: CISOTRADECRAFT10

JC Vega - https://www.linkedin.com/in/jcvega-cyber-colonel/

Transcripts: https://docs.google.com/document/d/1ExuX-WVO4_qqLoIZDuT0QS2VAvN2resW

Chapters

00:00 Introduction and Special Guest Announcement
01:15 Meet J.C. Vega: The First Cyber Colonel
01:55 The Wee Dram Community
03:39 Building a Trusted Cybersecurity Community
09:12 Leadership Principles from Military to Civilian Life
12:31 Building and Leading Effective Teams
24:17 The Peter Principle and Career Progression
24:49 Creating a Shared Understanding in Cybersecurity
26:43 Commander's Intent: Defining Success
29:29 Empowering Teams and Accepting Prudent Risk
36:19 Rules to Live By: The Vega's Top Three
44:58 Final Thoughts and Farewell

#204 - Shadows and Zombies in the Data Center Oct 28, 2024

In this special Halloween episode of CISO Tradecraft, host G Mark Hardy delves into the lurking dangers of Shadow IT and Zombie IT within organizations. Learn about the origins, risks, and impacts of these hidden threats, and discover proactive measures that CISOs can implement to safeguard their IT ecosystems. Strategies discussed include rigorous asset management, automation, and comprehensive compliance reviews. Tune in for insights to foster a secure, compliant, and efficient IT environment, and don't miss out on an exclusive opportunity to join a cybersecurity conference aboard a luxury cruise.

Big Thanks to our Sponsor

CruiseCon - https://cruisecon.com/

CruiseCon Discount Code: CISOTRADECRAFT10

Transcripts: https://docs.google.com/document/d/1lh-TQhaSOIA2rITaXgTaqugl7FRGevnn

Chapters

00:00 Introduction to Shadow IT and Zombie IT
02:14 Defining Shadow IT
04:58 Risks of Shadow IT
07:29 Introduction to Zombie IT
09:35 Risks of Zombie IT
11:25 Shadows vs Zombies
11:25 Comparing Shadow IT and Zombie IT
19:11 Lifecycle Management Strategies
19:56 Summarizing the Threats and Solutions
22:32 Final Thoughts and Call to Action

#203 - Be SOCcessful with the SOC-CMM Oct 21, 2024

Unlocking SOC Excellence: Master the SOC Capability Maturity Model Join host G Mark Hardy in this compelling episode of CISO Tradecraft as he explores the revolutionary SOC Capability Maturity Model (SOC CMM) authored by Rob van Os. This episode is a must-watch for CISOs, aspiring CISOs, and cybersecurity professionals aiming to optimize their Security Operations Center (SOC). Learn how to measure, evaluate, and enhance your SOC's maturity across key domains including Business, People, Process, Technology, and Services. Gain insights into leveraging radar charts for visualizing SOC capabilities and hear case studies such as a mid-sized financial company’s remarkable improvements. Discover why understanding your SOC's strengths and weaknesses and conducting risk-based improvement planning are crucial. Don't miss out—elevate your cyber resilience today, subscribe, and share with your network to set your SOC on the path to excellence!

References:

SOC-CMM - https://www.soc-cmm.com/products/soc-cmm/
Robert van Os - https://www.linkedin.com/in/socadvisor/

Transcripts: https://docs.google.com/document/d/1Fk6_t9FMyYXDF-7EfgpX_ZjLc0iPAgfN

Chapters

00:12 Introduction to CISO Tradecraft and SOCs
01:20 Understanding SOC CMM: A Game-Changing Tool
02:29 Evaluating SOC Maturity and Capability
06:04 Benefits and Implementation of SOC CMM
07:56 Understanding SOC Assessments
08:55 Deep Dive into SOC CMM Domains
12:42 Benefits and Flexibility of SOC CMM
14:40 Real-World Application and Conclusion

#202 - Cybersecurity Crisis: Are We Failing the Next Generation? Oct 14, 2024

In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges and misconceptions facing the next generation of cybersecurity professionals. The discussion covers the myth of a talent shortage, the shortcomings of current educational and certification programs, and the significance of aligning curricula with real-world needs. Hardy emphasizes the importance of hands-on experience, developing soft skills, and fostering continuous learning. The episode also highlights strategies for retaining talent, promoting internal training, and creating leadership opportunities to cultivate a skilled and satisfied cybersecurity workforce.

Transcripts: https://docs.google.com/document/d/12fI2efHXuHR4dS3cu7P0UIBCtjBdgREI

Chapters

00:00 Introduction to the Cybersecurity Talent Crisis
00:40 Debunking the Talent Shortage Myth
02:23 The Real Talent Gap: Mid-Career Professionals
03:04 Outsourcing and Its Impact on Entry-Level Jobs
08:29 Challenges in Cybersecurity Education
16:13 The Importance of Practical Skills Over Theory
23:52 The Importance of Writing Skills
25:10 Continuous Learning and Self-Investment
26:07 Performance and Career Progression
28:40 Mentorship and Onboarding
29:51 Training and Development Challenges
32:32 Retention Strategies
33:44 Engaging Junior Employees
39:07 Technology and Innovation
40:54 Conclusion and Final Thoughts

#201 - Avoiding Hurricanes in the Cloud Oct 07, 2024

In this episode of CISO Tradecraft, hosted by G Mark Hardy, you'll learn about four crucial tools in cloud security: CNAPP, CASB, CSPM, and CWPP. These tools serve various functions like protecting cloud-native applications, managing access security, maintaining cloud posture, and securing cloud workloads. The discussion covers their roles, benefits, key success metrics, and best practices for CISOs. As the cloud security landscape evolves, understanding and integrating these tools is vital for keeping your organization safe against cyber threats.

Transcripts: https://docs.google.com/document/d/1Mx9qr30RuWrDUw1TLNkUDQ8xo4xvQdP_

Chapters

00:00 Introduction to Cloud Security Tools
02:24 Understanding CNAPP: The Comprehensive Cyber Defense
08:13 Exploring CASB: The Cloud Access Gatekeeper
11:12 Diving into CSPM: Ensuring Cloud Compliance
13:40 CWPP: Protecting Cloud Workloads
15:08 Best Practices for Cloud Security
15:54 Conclusion and Final Thoughts

#200 - Copywriting AI (with Mark Rasch) Sep 30, 2024

In this episode of CISO Tradecraft, hosts G Mark Hardy and Mark Rasch discuss the intersection of artificial intelligence and the law. Recorded at the COSAC computer conference in Dublin, this episode covers the legal implications of AI, copyright issues, AI-generated content, privacy concerns, and ethical considerations. They explore the nuances between directed and undirected AI, the importance of training data, and the potential risks and liabilities associated with AI-driven systems. Tune in for a deep dive into how AI is reshaping cybersecurity and legal landscapes.

Transcripts: https://docs.google.com/document/d/1s_eDwz-FPuyxYZRJaOknWi2Ozjqmodrl

Chapters

00:00 Introductions
01:13 Diving into Artificial Intelligence
04:04 Directed vs. Undirected AI
11:02 Legal and Ethical Issues of AI
23:47 AI and Copyright: Who Owns the Creation?
26:59 The Role of AI in Information Security
32:51 Ethical Dilemmas in AI Decision-Making
39:18 Future Challenges and Recommendations for AI

#199 - How to Secure Generative AI Sep 23, 2024

Join G. Mark Hardy in Torremolinos, Spain, for a deep dive into the security of Generative AI. This episode of CISO Tradecraft explores the basics of generative AI, including large language models like ChatGPT, and discusses the key risks and mitigation strategies for securing AI tools in the workplace. G. Mark provides real-world examples, insights into the industry's major players, and practical steps for CISOs to balance innovation with security. Discover how to protect sensitive data, manage AI-driven hallucinations, and ensure compliance through effective governance and ethical guidelines. Plus, get a glimpse into the future of AI vulnerabilities and solutions in the ever-evolving tech landscape.

References

OWASP Top 10 LLM Risks https://genai.owasp.org/

Gartner CARE Standard - https://www.gartner.com/en/documents/3980890

Make sure your controls work consistently over time (Consistency)
Make sure your controls meet the business needs (Adequacy)
Make sure your controls are appropriate and fair (Reasonableness)
Make sure your controls produce the desire outcome (Effectiveness)

Transcripts: https://docs.google.com/document/d/1V2ar7JBO503MN0RZcH7Q7VBkQUW9MYk6

Chapters

00:00 Introduction from Spain
00:42 Understanding Generative AI
03:25 Major Players in Generative AI
05:02 Risks of Generative AI
15:14 Mitigating Generative AI Risks
18:23 Implementing Solutions
24:09 Conclusion and Call to Action

#198 - Securing the Business Processes Sep 16, 2024

G Mark Hardy dives deep into effective strategies for securing your business. Learn why it's essential for cybersecurity leaders to communicate the real business impact of vulnerabilities and discover the importance of identifying and prioritizing critical business processes. Gain insights from historical references and practical frameworks like the CIA triad (Confidentiality, Integrity, Availability) to bolster your organization's cybersecurity posture. Tune in as G Mark, broadcasting from Glasgow, Scotland, shares valuable lessons on proactive security measures, risk-based decision-making, and crisis recovery strategies.

7 critical business processes common to most organizations.

Book
Order
Bill
Pay
Ship
Close
Communicate

Transcripts

https://docs.google.com/document/d/1Ra3c0J5Wo6s2BSqhNoNyqm9D65ogT07h

Chapters

00:00 Introduction to Securing the Business
00:12 Begin Podcast
01:08 Understanding Critical Business Processes
02:23 Identifying and Prioritizing Business Functions
03:00 Real-World Example: Restaurant Booking System
04:57 Decision Making in Crisis Situations
10:38 Mapping Confidentiality, Integrity, and Availability
19:42 Conclusion and Final Thoughts

#197 - Fedshark's Blueprint for Cost Effective Risk Reduction Sep 09, 2024

Join host G Mark Hardy as he dives deep into the complexities of compliance and reporting, featuring special guests Brian Bradley and Josh Williams from FedShark. Discover a unique and streamlined approach to compliance using FedShark's innovative tools and AI-assisted systems. Learn about their exclusive offers for CISO Tradecraft listeners, including free downloads and discounted pre-assessment tools. Topics covered include CMMC, HIPAA, PCI, and more. Whether you're part of the Defense Industrial Base or dealing with multiple compliance frameworks, this episode is packed with practical advice to make your compliance journey smoother and more effective.

Thanks to our podcast sponsor, Fedshark

CISO Traderaft Promo & Link to CMMC White Papers: https://fedshark.com/ciso

RapidAssess: https://fedshark.com/rapid-assess

Company website: https://fedshark.com

FedShark Blog: https://fedshark.com/blog

Schedule a Demo: https://fedshark.com/contact-us

LinkedIn Matt Beaghley: https://www.linkedin.com/in/mbeaghley/

LinkedIn Brian Bradley: https://www.linkedin.com/in/brian-bradley-97a82668/

Chapters

00:00 Introduction and Special Offer
03:18 Meet the Experts: Brian and Josh
06:49 Challenges in Compliance
16:23 Understanding CMMC
29:02 Understanding Scope in Compliance
30:22 Introducing the AI-Enhanced Compliance Solution
31:24 Streamlining Interviews and Documentation
42:19 Final Thoughts and Recommendations

#196 - Cyber Thrills and Author Quills (with Deb Radcliff) Sep 02, 2024

G Mark Hardy and guest Deb Radcliff talk about experiences and takeaways from Black Hat, and delve into the dynamic world of cybersecurity. Deb shares her perspectives on the intersection of AI, DevSecOps, and cyber warfare, while highlighting insights from her 'Breaking Backbones' trilogy.

Transcripts: https://docs.google.com/document/d/1XN9HjdljJYKlUITrxZ10HTq9e91R8FNT

Book 1: Breaking Backbones: Information Is Power https://amzn.to/4dLSBxQ Book 2: Breaking Backbones: Information Should Be Free https://amzn.to/4e3BRlB Book 3: Breaking Backbones: From Chaos to Order https://amzn.to/3X8e4u2

Chapters

00:00 Introduction and Welcome Back
01:18 Black Hat and Security Leaders Dinner
04:39 The Evolution of Cybersecurity Conferences
10:59 AI and Cybersecurity Trends
22:01 The Chip Dilemma: Parenting in a Monitored Society
23:09 Crafting Characters: Inspirations and Transformations
25:58 Writing Process: From Drafts to Details
31:38 Future of Cybersecurity: Autonomous Systems and Legal Challenges

#195 - Pentesting for Readiness not Compliance (with Snehal Antani) Aug 26, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Snehal Antani, co-founder of Horizon3.AI, to discuss the crucial interplay between offensive and defensive cybersecurity tactics. They explore the technical aspects of how observing attacker behavior can enhance defensive strategies, why traditional point-in-time pen testing may be insufficient, and how autonomous pen testing can offer continuous, scalable solutions. The conversation delves into Snehal’s extensive experience, the importance of readiness over compliance, and the future of cybersecurity tools designed with humans out of the loop. Tune in to learn how to elevate your cybersecurity posture in a rapidly evolving threat landscape.

Horizon3 - https://www.horizon3.ai

Snehal Antani - https://www.linkedin.com/in/snehalantani/

Transcripts: https://docs.google.com/document/d/1IFSQ8Uoca3I7TLqNHMkvm2X-RHk8SWpo

Chapters:

00:00 Introduction and Guest Welcome
01:43 Background and Experience of Snehal Antani
03:09 Challenges and Limitations of Traditional Pen Testing
14:47 The Future of Pen Testing: Autonomous Systems
23:10 Leveraging Data for Cybersecurity Insights
24:02 Expanding the Attack Surface: Cloud and Supply Chain
24:46 Third-Party Risk Management Evolution
44:37 Future of Cyber Warfare: Algorithms vs. Humans

#194 - The IAM Masterclass Aug 19, 2024

In this episode of CISO Tradecraft, host G Mark Hardy delves into the intricate world of Identity and Access Management (IAM). Learn the essentials and best practices of IAM, including user registration, identity proofing, directory services, identity federation, credential issuance, and much more. Stay informed about the latest trends like proximity-based MFA and behavioral biometrics. Understand the importance of effective IAM implementation for safeguarding sensitive data, compliance, and operational efficiency. Plus, hear real-world examples and practical advice on improving your IAM strategy for a secure digital landscape.

Transcripts: https://docs.google.com/document/d/15zUupqhCQz9llwy21GW5cam8qXgK80JB

Chapters

00:00 Introduction to CISO Tradecraft
01:24 Understanding Identity and Access Management (IAM)
01:54 Gartner's Magic Quadrant and IAM Vendors
03:29 The Importance of IAM in Enterprises
04:28 User Registration and Verification
06:48 Password Policies and Best Practices
09:53 Identity Proofing Techniques
14:53 Directory Services and Role Management
18:27 Identity Federation and Credential Issuance
22:22 Profile and Role Management
26:17 Identity Lifecycle Management
29:23 Access Management Essentials
35:05 Review and Conclusion

#193 - Security Team Operating System (with Christian Hyatt) Aug 12, 2024

In this comprehensive episode of CISO Tradecraft, host G Mark Hardy sits down with Christian Hyatt, author of 'The Security Team Operating System'. Together, they delve into the five essential components needed to transform your cyber security team from reactive to unstoppable. From defining purpose and values to establishing clear roles, rhythms, and goals, this podcast offers practical insights and tools that can improve the efficacy and culture of your security team. If you're looking for strategic frameworks to align your team with business objectives and create a resilient security culture, you won't want to miss this episode!

Christian Hyatt's LinkedIn Profile: https://www.linkedin.com/in/christianhyatt/

Link to the Book: https://a.co/d/aHpXXfr

Transcripts: https://docs.google.com/document/d/1ogBdtJolBJTOVtqyFLO5onuLxBsfqqQP

Chapters

00:00 Introduction and Guest Welcome
01:31 Overview of the Security Team Operating System
03:31 Deep Dive into the Five Elements
07:53 Aligning Security with Business Objectives
21:59 Defining Core Values for Security Teams
25:03 Aligning Organizational and Team Values
26:05 Establishing Clear Roles and Responsibilities
30:58 Implementing Effective Rhythms and Goals

#192 - From Cyber Burnout to VCISO Bliss (with Olivia Rose) Aug 05, 2024

Join host G Mark Hardy in this episode of CISO Tradecraft as he welcomes Olivia Rose, an experienced CISO and founder of the Rose CISO Group. Olivia discusses her journey in cybersecurity from her start in marketing to becoming a VCISO. They delve into key topics including the transition from CISO to VCISO, strategies for managing time and stress, the importance of understanding board dynamics, and practical advice on mentoring new entrants in the cybersecurity field. Olivia also shares her insights on maintaining business alignment, handling insurance as a contractor, and building a personal brand in the cybersecurity community.

Olivia Rose: https://www.linkedin.com/in/oliviarosecybersecurity/

Transcripts: https://docs.google.com/document/d/1S42BepIh1QQHVWsdhhgx6x99U188q5eL

Chapters

00:00 Introduction and Guest Welcome
01:14 Olivia Rose's Career Journey
06:42 Challenges in Cybersecurity Careers
15:47 Communicating with the Board
22:57 Navigating Compliance and Legal Challenges
24:10 Building Strategic Relationships
25:46 Aligning Security with Business Goals
35:05 The Importance of Reputation and Branding

#191 - From Breach to Bench (with Thomas Ritter) Jul 29, 2024

In this episode of CISO Tradecraft, host G Mark Hardy continues an in-depth discussion with cybersecurity attorney Thomas Ritter on the legal considerations for cybersecurity leaders. The episode touches on essential topics such as immediate legal steps after a data breach, the importance of using correct terminology, understanding attorney-client privilege and discovery, GDPR's impact, data localization, and proactive measures CISOs should take. The conversation also explores the implications of evolving cybersecurity laws and regulations like the Digital Operations Resilience Act and the potential criminal liabilities for CISOs.

Thomas Ritter: https://www.linkedin.com/in/thomas-ritter-2b91014a/

Transcripts: https://docs.google.com/document/d/15xQINUOdziGdcEFfh5SN8lS7svtK0JCT

Chapters

00:00 Introduction and Recap of Part 1
01:43 Starting the Discussion: Data Breaches
02:22 Legal Steps After a Data Breach
07:19 Understanding Attorney-Client Privilege
08:21 Discovery in Legal Cases
13:31 Staying Updated on Cybersecurity Laws
19:38 Impact of GDPR on Cybersecurity
32:00 Data Localization Challenges
34:55 Proactive Legal Preparedness
37:23 Final Thoughts and Conclusion

#190 - Lawyers, Breaches, and CISOs: Oh My (with Thomas Ritter) Jul 22, 2024

In this episode of CISO Tradecraft, host G Mark Hardy interviews cybersecurity lawyer Thomas Ritter. They discuss key legal topics for CISOs, including regulatory compliance, managing third-party risk, responding to data breaches, and recent legislative impacts. Thomas shares his journey into cybersecurity law and provides practical advice and real-world examples. Key points include the challenges of keeping up with evolving regulations, the intricacies of vendor management, and the implications of recent Supreme Court rulings. They also touch on major breaches like SolarWinds and Colonial Pipeline, exploring lessons learned and the importance of implementing essential security controls.

Thomas Ritter - https://www.linkedin.com/in/thomas-ritter-2b91014a/ Transcripts: https://docs.google.com/document/d/1EvZ_dOpFOLCSSv5ffqxCoMnLZDOnUv_K

Chapters

00:00 Introduction to CISO Tradecraft
00:48 Meet Thomas Ritter: Cybersecurity Lawyer
03:48 Legal Challenges for CISOs
04:54 Managing Third-Party Risks
13:01 Understanding Legal and Statutory Obligations
15:57 Supreme Court Rulings and Cybersecurity
32:57 Lessons from High-Profile Cyber Attacks
38:32 Ransomware Epidemic and Law Enforcement
43:30 Conclusion and Contact Information

#189 - Emotional Intelligence Jul 15, 2024

Emotional Intelligence for Cybersecurity Leaders | CISO Tradecraft In this episode of CISO Tradecraft, host G Mark Hardy delves into the essential topic of emotional intelligence (EI) for cybersecurity leaders. He explores the difference between IQ and EI, the origins and significance of emotional intelligence, and its impact on leadership effectiveness. The episode covers various models of EI, including the Ability Model, the Trait Model, and the Mixed Model, and emphasizes practical actions to enhance EI, such as self-awareness, self-regulation, empathy, and social skills. Tune in to understand how developing emotional intelligence can significantly benefit your career, leadership performance, and personal life.

Transcripts: https://docs.google.com/document/d/15pyhXu3XVHJ_VE1OwKjSqM73Rybjbsm0

Chapters:

00:00 Introduction to CISO Tradecraft
00:53 Understanding IQ: The Basics
04:08 Introduction to Emotional Intelligence
07:38 Models of Emotional Intelligence
13:06 The Importance of Emotional Intelligence in Leadership
25:12 Practical Steps to Improve Emotional Intelligence
32:42 Conclusion and Final Thoughts

#188 - Securing Small Businesses Jul 08, 2024

Securing Small Businesses: Essential Cybersecurity Tools and Strategies In this episode of CISO Tradecraft, host G Mark Hardy discusses cybersecurity challenges specific to small businesses. He provides insights into key tools and strategies needed for effective cybersecurity management in small enterprises, including endpoint management, patch management, EDR tools, secure web gateways, IAM solutions, email security gateways, MDR services, and password managers. Hardy also evaluates these tools against the CIS Critical Security Controls to highlight their significance in safeguarding small business operations.

Transcripts: https://docs.google.com/document/d/1Hon3h950myI7A3jzGmj7YIwRXow5W1V5

Chapters

00:00 Introduction to CISO Tradecraft
00:40 Challenges of Cybersecurity in Small Businesses
01:15 Defining Small Business and Security Baselines
01:53 Top Cybersecurity Tools for Small Businesses
02:05 Hardware and Software Essentials
04:35 Patch Management Solutions
05:19 Endpoint Detection and Response (EDR) Tools
06:06 Secure Web Gateways and Website Security
11:21 Identity and Access Management (IAM)
12:57 Email Security Gateways
14:15 Managed Detection and Response (MDR) Solutions
14:54 Recap of Essential Cybersecurity Tools
15:41 Bonus Tool: Password Managers
18:33 Aligning with CIS Controls
24:48 Conclusion and Call to Action

#187 - Ensuring Profitable Growth Jun 24, 2024

Welcome to another episode of CISO Tradecraft with your host, G. Mark Hardy! In this episode, we dive into how CISOs can drive the profitable growth of their company's products and services. Breaking the traditional view of security as a cost center, Mark illustrates ways CISOs can support business objectives like customer outreach, service enablement, operational resilience, and cost reduction. Tune in for insightful strategies to improve your impact as a cybersecurity leader and a sneak peek at our upcoming CISO training class! If you would like to learn more about our class, drop us a comment: https://www.cisotradecraft.com/comment

Transcripts: https://docs.google.com/document/d/19SDBdQSTLc58sP5ynwzhuedNHzk7QPKj

Chapters

00:00 Introduction to Profitable Growth for CISOs
01:16 Understanding Profit and Business Objectives
03:24 Enhancing Customer Experience through Cybersecurity
08:51 Service Enablement and Upselling Strategies
11:39 Ensuring Operational Resilience
13:36 Cost Reduction and Efficiency Improvements
18:31 Recap and Final Thoughts
19:10 Exciting Announcement: CISO Training Course

#186 - AI Coaching (with Tom Bendien) Jun 17, 2024

Exploring AI in Cybersecurity: Insights from an Expert - CISO Tradecraft with Tom Bendien In this episode of CISO Tradecraft, host G Mark Hardy sits down with AI expert Tom Bendien to delve into the impact of artificial intelligence on cybersecurity. They discuss the basics of AI, large language models, and the differences between public and private AI models. Tom shares his journey from New Zealand to the U.S. and how he became involved in AI consulting. They also cover the importance of education in AI, from executive coaching to training programs for young people. Tune in to learn about AI governance, responsible use, and how to prepare for the future of AI in cybersecurity.

Transcripts: https://docs.google.com/document/d/1x0UTLiQY7hWWUdfPE6sIx7l7B0ip7CZo

Chapters

00:00 Introduction and Guest Welcome
00:59 Tom Bendien's Background and Journey
02:30 Diving into AI and ChatGPT
04:29 Understanding AI Models and Neural Networks
07:11 The Role of Agents in AI
10:10 Challenges and Ethical Considerations in AI
13:47 Open Source AI and Security Concerns
18:32 Apple's AI Integration and Compliance Issues
24:01 Navigating AI in Cybersecurity
25:09 Ethical Dilemmas in AI Usage
27:59 AI Coaching and Its Importance
32:20 AI in Education and Youth Engagement
35:55 Career Coaching in the Age of AI
39:20 The Future of AI and Its Saturation Point
42:07 Final Thoughts and Contact Information

#185 - Ethics and Artificial Intelligence (AI) Jun 10, 2024

In this episode of CISO Tradecraft, host G Mark Hardy delves into the complex intersection of ethics and artificial intelligence. The discussion covers the seven stages of AI, from rule-based systems to the potential future of artificial superintelligence. G Mark explores ethical frameworks, such as rights-based ethics, justice and fairness, utilitarianism, common good, and virtue ethics, and applies them to AI development and usage. The episode also highlights ethical dilemmas, including privacy concerns, bias, transparency, accountability, and the impacts of AI on societal norms and employment. Learn about the potential dangers of AI and how to implement and control AI systems ethically in your organization.

Transcripts: https://docs.google.com/document/d/10AhefqdhkT0PrEbh8qBZVn9wWS6wABO6

Chapters

00:00 Introduction to CISO Tradecraft
01:01 Stages of Artificial Intelligence
03:33 Ethical Implications of AI
05:24 Business Models and Data Security
13:52 Ethical Frameworks Explained
23:18 AI and Human Behavior
25:44 The TikTok Feedback Loop and Digital Addiction
26:54 AI's Unpredictable Capabilities
28:25 The Ethical Dilemmas of AI
30:57 Generative AI and Its Implications
42:10 The Role of Government and Society in AI Regulation
45:49 Conclusion and Ethical Considerations

#184 - Complexity is Killing Us Jun 03, 2024

In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges complexity introduces to cybersecurity, debunking the myth that more complex systems are inherently more secure. Through examples ranging from IT support issues to the intricacies of developing a web application with Kubernetes, the discussion highlights how complexity can obscure vulnerabilities, increase maintenance costs, and expand the attack surface. The episode also offers strategies to tackle complexity, including standardization, minimization, automation, and feedback-driven improvements, aiming to guide cybersecurity leaders toward more effective and less complex security practices.

Transcripts: https://docs.google.com/document/d/1J0rPr0HxULpeVJMIwXKXqHuCfnXn4gDu

Chapters

00:00 Introduction
01:03 The Misconception of Complexity in Cybersecurity
02:41 Real-World Complexities and Their Impact on IT
10:06 Simplifying Cybersecurity: Strategies and Solutions
14:48 Conclusion: Embracing Simplicity in Cybersecurity

#183 - Navigating the Cloud Security Landscape (with Chris Rothe) May 27, 2024

This episode of CISO Tradecraft features a conversation between host G. Mark Hardy and Chris Rothe, co-founder of Red Canary, focusing on cloud security, managed detection and response (MDR) services, and the evolution of cybersecurity practices. They discuss the genesis of Red Canary, the significance of their company name, and the distinctions between Managed Security Service Providers (MSSPs) and MDRs. The conversation also covers the importance of cloud security, the challenges of securing serverless and containerized environments, and leveraging open-source projects like Atomic Red Team for cybersecurity. They conclude with insights on the cybersecurity labor market, the value of threat detection reports, and the future of cloud security.

Red Canary: https://redcanary.com/

Chris Rothe: https://www.linkedin.com/in/crothe/

Transcripts: https://docs.google.com/document/d/1XN4Bp7Sa2geGCVaHuqMRmJckms4q7_L6

#182 - Shaping the SOC of Tomorrow (with Debbie Gordon) May 20, 2024

This episode of CISO Tradecraft, hosted by G Mark Hardy, features special guest Debbie Gordon. The discussion focuses on the critical role of Security Operations Centers (SOCs) in an organization's cybersecurity efforts, emphasizing the importance of personnel, skill development, and maintaining a high-performing team. It covers the essential aspects of building and managing a successful SOC, from hiring and retaining skilled incident responders to measuring their performance and productivity. The conversation also explores the benefits of simulation-based training with CloudRange Cyber, highlighting how such training can improve job satisfaction, reduce incident response times, and help organizations meet regulatory requirements. Through this in-depth discussion, listeners gain insights into best practices for enhancing their organization's cybersecurity posture and developing key skill sets to defend against evolving cyber threats.

Cloud Range Cyber: https://www.cloudrangecyber.com/

Transcripts: https://docs.google.com/document/d/18ILhpOgHIFokMrkDAYaIEHK-f9hoy63u

Chapters

00:00 Introduction
01:04 The Indispensable Role of Security Operations Centers (SOCs)
02:07 Building an Effective SOC: Starting with People
03:04 Measuring Productivity and Performance in Your SOC
05:36 The Importance of Continuous Training and Simulation in Cybersecurity
09:00 Debbie Gordon on the Evolution of Cyber Training
11:54 Developing Cybersecurity Talent: The Importance of Simulation Training
14:46 The Critical Role of People in Cybersecurity
21:57 The Impact of Regulations on Cybersecurity Practices
24:36 The Importance of Proactive Cybersecurity Training
26:26 Redefining Cybersecurity Roles and Training Approaches
30:08 Leveraging Cyber Ranges for Real-World Cybersecurity Training
36:03 Evaluating and Enhancing Cybersecurity Skills and Team Dynamics
37:49 Maximizing Cybersecurity Training ROI and Employee Engagement
41:40 Exploring CloudRange Cyber's Training Solutions
43:28 Conclusion: The Future of Cybersecurity Training

#181 - Inside the 2024 Verizon Data Breach Investigations Report May 13, 2024

In this episode of CISO Tradecraft, host G Mark Hardy discusses the findings of the 2024 Verizon Data Breach Investigations Report (DBIR), covering over 10,000 breaches. Beginning with a brief history of the DBIR's inception in 2008, Hardy highlights the evolution of cyber threats, such as the significance of patching vulnerabilities and the predominance of hacking and malware. The report identifies the top methods bad actors use for exploiting companies, including attacking VPNs, desktop sharing software, web applications, conducting phishing, and stealing credentials, emphasizing the growing sophistication of attacks facilitated by technology like ChatGPT for phishing and deepfake tech for social engineering. The episode touches on various cybersecurity measures, the omnipresence of multi-factor authentication (MFA) as a necessity rather than a best practice, and the surge in denial-of-service (DDoS) attacks. Hardy also discusses generative AI's role in enhancing social engineering attacks and the potential impact of deepfake content on elections and corporate reputations. Listeners are encouraged to download the DBIR for a deeper dive into its findings.

Transcripts: https://docs.google.com/document/d/1HYHukTHr6uL6khGncR_YUJVOhikedjSE

Chapters

00:00 Welcome to CISO Tradecraft
00:35 Celebrating Milestones and Offering Services
01:39 Diving into the Verizon Data Breach Investigations Report
04:22 Top Attack Methods: VPNs and Desktop Sharing Software Vulnerabilities
09:24 The Rise of Phishing and Credential Theft
19:43 Advanced Threats: Deepfakes and Generative AI
23:23 Closing Thoughts and Recommendations

#180 - There's Room For Everybody In Your Router (with Giorgio Perticone) May 06, 2024

In this joint episode of the Security Break podcast and CISO Tradecraft podcast, hosts from both platforms come together to discuss a variety of current cybersecurity topics. They delve into the challenge of filtering relevant information in the cybersecurity sphere, elaborate on different interpretations of the same news based on the reader's background, and share a detailed analysis on specific cybersecurity news stories. The discussion covers topics such as the implications of data sharing without user consent by major wireless providers and the fines imposed by the FCC, the significance of increasing bug bounty payouts by tech companies like Google, and a comprehensive look at how edge devices are exploited by hackers to create botnets for various cyberattacks. The conversation addresses the complexity of the cybersecurity landscape, including how different actors with varied objectives can simultaneously compromise the same devices, making it difficult to attribute attacks and protect networks effectively.

Transcripts: https://docs.google.com/document/d/1GtFIWtDf_DSIIgs_7CizcnAHGnFTTrs5

Chapters

00:00 Welcome to a Special Joint Episode: Security Break & CISO Tradecraft
01:27 The Challenge of Filtering Cybersecurity Information
04:23 Exploring the FCC's Fine on Wireless Providers for Privacy Breaches
06:41 The Complex Landscape of Data Privacy Regulations
16:00 The Economics of Data Breaches and Regulatory Fines
24:23 Bug Bounties and the Value of Security Research
33:21 Exploring the Economics of Cybersecurity
33:50 The Lucrative World of Bug Bounties
34:38 The Impact of Security Vulnerabilities on Businesses
35:50 Navigating the Complex Landscape of Cybersecurity
36:22 The Ethical Dilemma of Selling Exploit Information
37:32 Understanding the Market Dynamics of Cybersecurity
38:00 Focusing on Android Application Security
38:34 The Importance of Targeting in Cybersecurity Efforts
42:33 Exploring the Threat Landscape of Edge Devices
46:37 The Challenge of Securing Outdated Technology
49:28 The Role of Cybersecurity in Modern Warfare
53:15 Strategies for Enhancing Cybersecurity Defenses
01:05:25 Concluding Thoughts on Cybersecurity Challenges

#179 - The 7 Broken Pillars of Cybersecurity Apr 29, 2024

In this episode of CISO Tradecraft, host G. Mark Hardy discusses seven critical issues facing the cybersecurity industry, offering a detailed analysis of each problem along with counterarguments. The concerns range from the lack of a unified cybersecurity license, the inefficiency and resource waste caused by auditors, to the need for a federal data privacy law. Hardy emphasizes the importance of evaluating policies, prioritizing effective controls, and examining current industry practices. He challenges the audience to think about solutions and encourages sharing opinions and additional concerns, aiming to foster a deeper understanding and improvement within the field of cybersecurity.

Transcripts: https://docs.google.com/document/d/1H_kTbCG8n5f_d1ZHNr1QxsXf82xb08cG

Chapters

00:00 Introduction
01:28 Introducing the Seven Broken Things in Cybersecurity
02:00 1. The Lack of a Unified Cybersecurity License
06:53 2. The Problem with Cybersecurity Auditors
10:09 3. The Issue with Treating All Controls as High Priority
14:12 4. The Obsession with New Cybersecurity Tools
19:23 5. Misplaced Accountability in Cybersecurity
22:38 6. Rethinking Degree Requirements for Cybersecurity Jobs
26:49 7. The Need for Federal Data Privacy Laws
30:53 Closing Thoughts and Call to Action

#178 - Cyber Threat Intelligence (with Jeff Majka & Andrew Dutton) Apr 22, 2024

In this episode of CISO Tradecraft, hosts G Mark Hardy and guests Jeff Majka and Andrew Dutton discuss the vital role of competitive threat intelligence in cybersecurity. They explore how Security Bulldog's AI-powered platform helps enterprise cybersecurity teams efficiently remediate vulnerabilities by processing vast quantities of data, thereby saving time and enhancing productivity. The conversation covers the importance of diverse threat intelligence sources, including open-source intelligence and insider threat awareness, and the strategic value of AI in analyzing and prioritizing data to manage cybersecurity risks effectively. The discussion also touches on the challenges and potentials of AI in cybersecurity, including the risks of data poisoning and the ongoing battle between offensive and defensive cyber operations.

The Security Bulldog: https://securitybulldog.com/contact/

Transcripts: https://docs.google.com/document/d/1D6yVMAxv16XWtRXalI5g-ZdepEMYmQCe

Chapters

00:00 Introduction
00:56 Introducing the Experts: Insights from the Field
02:43 Unpacking Cybersecurity Intelligence: Definitions and Importance
04:02 Exploring Cyber Threat Intelligence (CTI): Applications and Strategies
13:11 The Role of AI in Enhancing Cybersecurity Efforts
16:43 Navigating the Complex Landscape of Cyber Threats and Defenses
19:07 The Future of AI in Cybersecurity: A Balancing Act
22:33 Exploring AI's Role in Cybersecurity
22:50 The Practical Application of AI in Cybersecurity
25:08 Challenges and Trust Issues with AI in Cybersecurity
26:52 Managing AI's Risks and Ensuring Reliability
31:00 The Evolution and Impact of AI Tools in Cyber Threat Intelligence
34:45 Choosing the Right AI Solution for Cybersecurity Needs
37:27 The Business Case for AI in Cybersecurity
41:22 Final Thoughts and the Future of AI in Cybersecurity

#177 - 2024 CISO Mindmap (with Rafeeq Rehman) Apr 15, 2024

This episode of CISO Tradecraft features a comprehensive discussion between host G Mark Hardy and guest Rafeeq Rehman, centered around the evolving role of CISOs, the impact of Generative AI, and strategies for effective cybersecurity leadership. Rafeeq shares insights on the CISO Mind Map, a tool for understanding the breadth of responsibilities in cybersecurity leadership, and discusses various focal areas for CISOs in 2024-2025, including the cautious adoption of Gen AI, tool consolidation, cyber resilience, branding for security teams, and maximizing the business value of security controls. The episode also addresses the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security.

Cybersecurity Learning Saturday: https://www.linkedin.com/company/cybersecurity-learning-saturday/

2024 CISO Mindmap: https://rafeeqrehman.com/2024/03/31/ciso-mindmap-2024-what-do-infosec-professionals-really-do/

Transcripts: https://docs.google.com/document/d/1axXQJoAdJI26ySKVfROI9rflvSe9Yz50

Chapters

00:00 Introduction
00:57 Rafeeq Rehman: Beyond the CISO MindMap
04:17 The Evolution of the CISO MindMap
08:30 AI and the Future of Cybersecurity Leadership
11:47 Embracing Change: The Role of AI in Cybersecurity
14:16 Generative AI: Hype, Reality, and Strategic Advice for CISOs
22:32 Navigating the Future Job Market with AI
22:53 Framing AI for Specific Roles
24:12 Harnessing Creativity with Generative AI
25:14 Consolidating Security Tools for Efficiency
28:31 Evaluating Security Tools: A Deep Dive
32:21 Cyber Resilience: Beyond Incident Response
35:51 Building a Business-Focused Security Strategy
39:39 Maximizing Business Value Through Security
43:15 Looking Ahead: Focus Areas for the Future
43:53 Concluding Thoughts and Future Predictions

#176 - Reality-Based Leadership (with Alex Dorr) Apr 08, 2024

In this episode of CISO Tradecraft, host G Mark Hardy welcomes Alex Dorr to discuss Reality-Based Leadership and its impact on reducing workplace drama and enhancing productivity. Alex shares his journey from professional basketball to becoming an evangelist of reality-based leadership, revealing how this approach helped him personally and professionally. They delve into the concepts of SBAR (Situation, Background, Analysis, Recommendation) for effective communication, toggling between low self and high self to manage personal reactions, and practical tools like 'thinking inside the box' to confront and solve workplace issues within given constraints. The conversation underscores the importance of focusing on actionable strategies over arguing with the drama and reality of workplace dynamics, aiming to foster a drama-free, engaged, and productive work environment.

Alex Dorr's Linkedin: https://www.linkedin.com/in/alexmdorr/

Reality-Based Leadership Website: https://realitybasedleadership.com/

Transcripts: https://docs.google.com/document/d/1wge0pFLxE4MkS6neVp68bdz8h9mHrwje

Chapters

00:00 Introduction
00:57 Alex Dorr's Journey from Basketball to Leadership Expert
03:54 The Core Principles of Reality-Based Leadership
06:20 Understanding the Human Condition in the Workplace
09:19 Tackling Workplace Drama with Reality-Based Leadership
11:58 The Power of Positive Energy Management
17:42 Navigating Unpreferred Realities and Finding Impact
19:44 Reality-Based Leadership in Action: Techniques and Outcomes
23:12 The Importance of Skill Development Over Perfecting Reality
24:32 The Challenge of Employee Engagement
25:49 Secrets to Embracing Reality and Taking Action
25:58 Leadership vs. Management: Navigating Workplace Dynamics
28:28 Empowering Employees with the SBAR Framework
34:04 Addressing Venting and Negative Behaviors
36:17 Developing People: The Core of Leadership
37:50 Choosing Happiness Over Being Right
40:15 Integrating New Leadership Models and Making Them Stick
46:24 Concluding Thoughts and Contact Information

#175 - Navigating NYDFS Cyber Regulation Apr 01, 2024

This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements.

AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/

NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity

Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud

Chapters

00:00 Introduction
00:35 Why Part 500 Matters Beyond New York
01:48 The Evolution of Financial Cybersecurity Regulations
03:20 Understanding Part 500: Definitions and Amendments
08:44 The Importance of Multi-Factor Authentication
14:33 Navigating the Complexities of Cybersecurity Regulations
20:23 The Critical Role of Asset Management and Access Privileges 25:37 The Essentials of Application Security and Risk Assessment
31:11 Incident Response and Business Continuity Management
32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation

#174 - OWASP Top 10 Web Application Attacks Mar 25, 2024

In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.

OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/

OWASP Top 10: https://owasp.org/www-project-top-ten/

Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32

Chapters

00:00 Introduction
01:11 Introducing OWASP: A Pillar in Cybersecurity
02:28 The Evolution of Web Vulnerabilities
05:01 Exploring Web Application Security Risks
07:46 Diving Deep into OWASP Top 10 Risks
09:28 1) Broken Access Control
14:09 2) Cryptographic Failures
18:40 3) Injection Attacks
23:57 4) Insecure Design
25:15 5) Security Misconfiguration
29:27 6) Vulnerable and Outdated Software Components
32:31 7) Identification and Authentication Failures
36:49 8) Software and Data Integrity Failures
38:46 9) Security Logging and Monitoring Practices
40:32 10) Server Side Request Forgery (SSRF)
42:15 Recap and Conclusion: Mastering Web Application Security

#173 - Mastering Vulnerability Management Mar 18, 2024

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.

Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij

OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/

Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207

Chapters

00:00 Introduction
00:56 Understanding Vulnerability Management
02:15 How Bad Actors Exploit Vulnerabilities
04:26 Building a Comprehensive Vulnerability Management Program
08:10 Prioritizing and Remediation of Vulnerabilities
13:09 Optimizing the Patching Process
15:28 Measuring and Improving Vulnerability Management Effectiveness
18:28 Gamifying Vulnerability Management for Better Results
20:38 Securing Executive Buy-In for Enhanced Security
21:15 Conclusion and Further Resources

#172 - Table Top Exercises Mar 11, 2024

This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents.

Outline & References:

https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf

Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/

Chapters

00:00 Introduction
00:47 The Importance of Tabletop Exercises
01:53 The Benefits of Tabletop Exercises
03:06 How to Implement Tabletop Exercises
05:30 The Role of Tabletop Exercises in Compliance
08:24 The Participants in Tabletop Exercises
09:25 The Preparation for Tabletop Exercises
16:57 The Execution of Tabletop Exercises
21:58 Understanding Roles and Responsibilities in an Exercise
22:17 The Importance of a Hot Wash Up
23:36 Creating an After Action Report (AAR)
24:06 Implementing an Action Plan
24:34 Example Scenario: Network Administrator's Mistake
25:08 Formulating Targeted Questions for the Scenario
26:36 The Role of Innovation in Tabletop Exercises
27:11 The Connection Between Tabletop Exercises and Compliance
29:18 12 Key Steps to a Successful Exercise
30:43 The Importance of Realistic Scenarios
34:05 The Role of Communication in Crisis Management
37:33 The Impact of Cyber Attacks on Operations
39:57 The Importance of Tabletop Exercises and How to Get Started

#171 - Navigating Software Supply Chain Security (with Cassie Crossley) Mar 04, 2024

In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity.

Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2

Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9

Chapters

00:00 Introduction
01:44 Discussion on Software Supply Chain Security
02:33 Insights into Secure Development Life Cycle
03:20 Understanding the Importance of Supplier Landscape
05:09 The Role of Security in Software Supply Chain
07:29 The Impact of Vulnerabilities in Software Supply Chain
09:06 The Importance of Secure Software Development Life Cycle
14:13 The Role of Frameworks and Standards in Software Supply Chain Security
17:39 Understanding the Importance of Business Continuity Plan
20:53 The Importance of Security in Agile Development
24:01 Understanding OWASP and Secure Coding
24:20 The Importance of API Security
24:50 The Concept of Shift Left in Software Development
25:20 The Role of Culture in Software Development
25:52 Exploring Different Source Code Types
26:19 The Rise of Low Code, No Code Platforms
28:53 The Potential Risks of Generative AI Source Code
34:24 Understanding Software Bill of Materials (SBOM)
41:07 The Challenge of Spotting Counterfeit Software
41:36 The Importance of Integrity Checks in Software Development
45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

#170 - Responsibility, Accountability, and Authority Feb 26, 2024

In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges.

Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/

Chapters

00:00 Introduction
00:22 Understanding Responsibility, Accountability, and Authority
01:20 The Role of Leadership in Cybersecurity
02:47 Exploring the Concepts of Responsibility, Authority, and Accountability
03:08 Applying Responsibility, Authority, and Accountability to the CISO Role
04:20 The Interplay of Responsibility, Authority, and Accountability
11:57 Understanding Power and Its Forms
12:43 The Impact of Power on Leadership and Influence
24:04 The Role of Connection Power in Today's Digital Age
24:40 Understanding Different Sources of Power
25:13 The Power of Networking and Connections
26:49 The Challenges of Being a CISO
29:19 Understanding the Value of Your Role
33:56 The Importance of Expert Power
37:46 The Consequences of Ignoring Maintenance
43:40 Aligning Responsibility, Accountability, and Authority
44:39 The Importance of Legal Protections for CISOs
45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

#169 - MFA Mishaps Feb 19, 2024

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection.

Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO

References:

Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/
Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994

Chapters

00:00 Introduction
00:43 Understanding Multi Factor Authentication
01:05 Exploring Different Levels of Authentication
03:30 The Risks of Multi Factor Authentication
03:51 The Importance of Password Management
04:27 Exploring the Use of Trusted Platform Module for Authentication
06:17 Understanding the Difference Between TPM and HSM
09:00 The Challenges of Implementing MFA in Enterprises
11:25 Exploring Real-World MFA Mishaps
15:30 The Risks of Overprivileged Test Systems
17:16 The Importance of Monitoring Non-Production Environments
19:02 Understanding Consent Phishing Scams
30:37 The Legal Implications of Biometric Data Collection
32:24 Conclusion and Final Thoughts

#168 - Cybersecurity First Principles (with Rick Howard) Feb 12, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception.

Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325

Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre

Chapters

00:00 Introduction
02:00 Guest's Career Journey and Achievements
08:49 Discussion on Cybersecurity First Principles
15:27 Understanding Materiality in Cybersecurity
21:56 The Gap Between Security Teams and Business Leaders
22:21 The Importance of Speaking the Language of Business
23:03 The Art of the Elevator Pitch
24:04 The Impact of Cybersecurity on Business Value
25:10 The Importance of a Clear Cybersecurity Strategy
26:04 The Value of Business Fluency in Cybersecurity
27:44 The Role of Risk Calculation in Cybersecurity
29:41 The Power of Estimation in Risk Management
30:33 The Importance of Understanding Business Imperatives
41:25 The Role of Culture and Risk Appetite in Cybersecurity
45:39 The First Principle of Cybersecurity

#167 - Cybersecurity Apprenticeships (with Craig Barber) Feb 05, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams.

Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/

Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb

Chapters

00:00 Introduction
00:23 Understanding Cybersecurity Apprenticeships
02:43 The Role of Mentorship in Cybersecurity
04:09 The Benefits of Cybersecurity Apprenticeships
07:17 The Evolution of Apprenticeships in the Tech Industry
10:00 The Value of Apprenticeships in Building Loyalty
11:08 The Difference Between Internships and Apprenticeships
15:32 The Role of Apprenticeships in Addressing the Skills Shortage
19:15 The Challenges of Implementing Apprenticeships
26:28 The Future of Cybersecurity Apprenticeships
44:32 Conclusion: The Value of Cybersecurity Apprenticeships

#166 - Cyber Acronyms You Should Know Jan 29, 2024

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity.

References:

Transcripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH

Chapters

00:00 Introduction
01:34 Cybersecurity Acronyms: Pre-1990s
02:26 STRIDE and DREAD Models
02:39 PICERL and MITRE Models
05:04 Defining Cybersecurity
07:52 CIA Triad and Its Importance
09:00 Confidentiality, Integrity, and Availability
11:52 The Parkerian Hexad
17:30 D.I.E. Triad Concept
24:28 Cybersecurity UPDATE
24:51 Unchanging
25:46 Perimeterizing
29:36 Distributing

#165 - Modernizing Our SOC Ingest (with JP Bourget) Jan 22, 2024

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts.

Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr

Chapters

00:00 Introduction
00:50 Guest's Background and Journey
05:27 Discussion on Security Data Pipeline
07:19 Introduction to SOAR
08:01 Benefits and Challenges of SOAR
12:40 Guest's Current Work and Company
14:04 Security Data Pipeline Modernization
22:20 Discussion on Vendor Integration
29:09 Security Pipeline Approach and AI
38:03 Closing Thoughts and Future Directions

#164 - The 7 Lies in Cyber Jan 15, 2024

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures.

CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/

OWASP Benchmark - https://owasp.org/www-project-benchmark/

Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo

Chapters

00:12 Introduction
00:56 The Lie of Accurate Inventory
05:29 The Lie of Accurate Risk Assessment
08:41 The Lie of Shifting Left in DevSecOps
13:45 The Lie of Certifications Ensuring Security
18:33 The Lie of Reporting Cyber Incidents in 72 Hours
20:44 The Lie of Accurate Application Security Tools
22:07 The Lie of Cybersecurity Not Being a Cost Center
24:44 Conclusion and Recap of Cybersecurity Lies

#163 - Operational Resilience Jan 08, 2024

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more.

Link to the ORF - https://www.grf.org/orf

Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i

Chapters

00:12 Introduction
01:47 Introduction to Operational Resilience Framework
02:38 Understanding Resilience and Antifragility
03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity
09:43 Operational Resilience Framework: Steps and Principles
17:50 Preserving Datasets and Implementing Recovery Processes
20:18 Evaluating and Testing Your Disaster Recovery Plan
21:11 Recap of Operational Resilience Framework Steps
22:04 CISO Tradecraft Services and Closing Remarks

#162 - CISO Predictions for 2024 Jan 01, 2024

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge!

Earn CPEs: https://www.cisotradecraft.com/isaca

Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R

Chapters

00:00 Introduction
02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements.
05:25 2) CISO reporting structure changes. No more reporting to the CIO.
11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO.
13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries
16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession
19:44 6) AI-generated fraud will increase significantly
22:15 7) Shadow AI will result in Hidden Vulnerabilities
24:24 8) LLM attacks new vector for "AI-enabled" companies
27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur
31:44 10) Self-driving cars will encounter regulatory setback
34:02 Review of Last Year's Predictions
41:03 Actionable Items for the Future
41:29 Closing Remarks and Invitation for 2024

#161 - Secure Developer Training Programs (with Scott Russo) Part 2 Dec 25, 2023

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation.

ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca

Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx-

Chapters

00:00 Introduction
01:08 Importance of Ongoing Support and Mentorship
01:46 The Role of Community in Training
03:03 Hands-on Exercises and Practical Experience
06:01 Success Stories and Testimonials
08:29 Incorporating Security Trends into Training
11:08 Balancing Security with Developer Productivity
18:17 Teaching Secure Coding Practices in Different Languages
20:27 Engaging and Motivating Participants
22:51 Promoting the Program: Engaging and Fun
23:37 Accommodating Different Learning Styles
24:16 Catering to Self-Paced Learners
26:19 Addressing Proficiency Levels and Remediation
28:55 Compliance with Privacy and Data Protection Regulations
30:48 Breaking Down Complex Security Concepts
32:05 Creating a Culture of Security Awareness
33:25 Partnerships and Collaborations in Secure Development
35:10 Feedback and Improvement of the Program
36:12 Cost Considerations for Secure Developer Training
39:20 Tracking Participants' Progress and Completion Rates
41:23 Trends in Secure Developer Training
43:42 Final Thoughts on Secure Developer Training

#160 - Secure Developer Training Programs (with Scott Russo) Part 1 Dec 18, 2023

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode

ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca

Scott Russo - https://www.linkedin.com/in/scott-russo/

HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2

Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ

Youtube - https://youtu.be/NkrtTncAuBA

Chapters

00:00 Introduction
03:00 Overview of Secure Developer Training Program
04:46 Motivation Behind Creating the Training Program
06:03 Objectives of the Secure Developer Training Program
07:45 Defining the Term 'Secure Developer'
14:49 Keeping the Training Program Current and Engaging
21:10 Real World Impact of the Training Program
21:46 Understanding the Cybersecurity Budget Argument
21:58 Incorporating Real World Examples into Training
22:26 Personal Experiences and Stories in Training
24:06 Industry Best Practices and Standards
24:18 Aligning with OWASP Top 10
25:53 Balancing OWASP Top 10 with Other Standards
26:12 The Importance of Good Stories in Training
26:32 Duration of the Training Program
28:37 Resources Required for the Training Program
32:23 Measuring the Effectiveness of the Training Program
36:07 Gamification and Certifications in Training
38:56 Tailoring Training to Different Levels of Experience
41:03 Conclusion and Final Thoughts

#159 - Refreshing Your Cybersecurity Strategy Dec 11, 2023

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies.

Big Thanks to our Sponsors

Risk3Sixty - https://risk3sixty.com/

ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca

CIO Wisdom Book - https://a.co/d/bmmZEAC

Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs

Chapters

00:00 Introduction
02:21 Building a Tactical and Strategic Plan
02:58 Assessing Your Current Cybersecurity Posture
03:11 Workforce Assessment and Rating
06:31 Understanding Your Cybersecurity Tools
08:29 Performing a Business Requirements Analysis
10:13 Defining the Desired Future State
12:03 Creating a Gap Analysis
14:14 Analyzing Current Options and Building a Roadmap
17:11 Presenting the New Plan to Management
21:36 Recap and Conclusion

#158 - Building a Data Security Lake (with Noam Brosh) Dec 04, 2023

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it!

Big Thanks to our Sponsors

Risk3Sixty - https://risk3sixty.com/
Hunters - https://www.hunters.security/

Noam Brosh - https://www.linkedin.com/in/noam-brosh-5743938/

Transcripts: https://docs.google.com/document/d/1ArTixgEvRsVpLVdV2uVFAKCKSB2mBUKo

Youtube Link: https://youtu.be/ThEpI2_LpD8

Chapters

00:00 Introduction and Welcome
01:20 Understanding the Role of SOC Tools
05:39 Challenges with Traditional SIEM Tools
08:48 The Shift to Data Lakes and the Impact on SIEMs
18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms
19:25 The Role of Automation in Modern SOC Tools
26:01 The Importance of Third-Party Connection Tools in SOC Tools
27:27 Trends and Disruptions in the SIEM Space
28:09 Addressing False Positives in SOC Tools
31:14 Outsourcing Aspects of SOC and Staffing
36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments
41:02 Reporting SOC Metrics to Executive Stakeholders

#157 - SOC Skills (with Hasan Eksi) Part 2 Nov 27, 2023

In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management.

Big Thanks to our Sponsors

Risk3Sixty - https://risk3sixty.com/
Adlumin - https://adlumin.com/

Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/

Transcripts: https://docs.google.com/document/d/1rWixzKgf_unanPlnoL6dt8qpEsbZj9lv

Chapters

00:00 Introduction and Recap of the 10 Previous Skills
02:25 Skill #11) Incident Triage
04:21 Skill #12) Incident Response Frameworks
07:09 Skill #13) Communication
09:38 Skill #14) Collaboration
14:58 Skill #15) Documentation
19:35 Skill #16) Memory Analysis
22:36 Skill #17) Incident Containment and Eradication
25:31 Skill #18) Scripting and Automation
28:53 Skill #19) Cloud Security
31:10 Skill #20) Crisis Management
33:58 Recap of 20 SOC Skills and Conclusion

#156 - SMB CISO Challenges (with Kevin O’Connor) Nov 20, 2023

In this episode of CISO Tradecraft, host G Mark Hardy talks to Kevin O'Connor, the Director of Threat Research at Adlumin. They discuss the importance of comprehensive cybersecurity for Small to Medium-sized Businesses (SMBs), including law firms and mid-sized banks. The conversation explores the complexities of managing security infrastructures, the role of managed security service providers, and the usefulness of managed detection and response systems. The discussion also delves into the increasing threat of ransomware and the critical importance of managing data vulnerabilities and providing security awareness training.

Big Thanks to our Sponsor: Adlumin - https://adlumin.com/

Transcripts: https://docs.google.com/document/d/1V_qkMFdGC4NRLCG-80gcsiSA8ikT8SwP

Youtube: https://youtu.be/diCZfWWB3z8

Chapters

00:12 Introduction and Sponsor Message
01:42 Guest Introduction: Kevin O'Connor
02:29 Discussion on Cybersecurity Roles and Challenges
03:20 The Importance of Defense in Cybersecurity
04:23 The Role of Managed Security Services for SMBs
07:26 The Cost and Staffing Challenges of In-House SOCs
14:41 The Value of Managed Security Services for Legal Firms
16:30 The Threat Landscape for Small and Mid-Sized Banks
18:19 The Difference Between Compliance and Security
20:08 Understanding the Reality of Cybersecurity
20:45 The Challenges of Building IT Infrastructure
21:08 Outsourcing vs In-house Security Management
21:55 The Importance of Understanding Your Data
22:43 Security Operations Center vs Security Operations Platform
24:21 The Role of Managed Detection and Response
24:54 The Importance of Quick Response in Security
28:07 The Threat of Ransomware and Data Breaches
34:31 The Role of Pen Testing in Cybersecurity
36:33 The Growing Threat of Ransomware
38:28 The Importance of Security Awareness Training
40:42 The Role of Incident Response and Forensics
42:11 Final Thoughts on Cybersecurity

#155 - SOC Skills (with Hasan Eksi) Part 1 Nov 13, 2023

In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training.

Big Thanks to our Sponsor

Adlumin - https://adlumin.com/

Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/

Transcripts: https://docs.google.com/document/d/1lE9Tz-um1II2aNX4JU-bQ-BND7fPNteE/

Chapters

00:00 Introduction
14:15 Skill 1) IT/Cyber Fundamentals
17:17 Skill 2) Incident Detection
18:34 Skill 3) Threat Intelligence
20:11 Skill 4) Cybersecurity Tools
24:12 Skill 5) Network Analysis
25:55 Skill 6) Endpoint Analysis
28:33 Skill 7) Log Analysis
32:41 Skill 8) Malware Analysis
35:20 Skill 9) Forensics
38:30 Skill 10) Vulnerability Assessment

#154 - Data Protection (with Amer Deeba) Nov 06, 2023

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Amer Deeba, CEO and co-founder of Normalyze. They focus on the importance of data security in today's cloud-centric, multi-platform tech environment. Amer shares valuable insights on the need for a data security platform that offers a unified, holistic approach. The conversation also delves into the importance of understanding the value of your data, and how solutions such as Normalyze can accurately identify and classify sensitive data, measure its value, and mitigate risk of compromise. Ideal for CISOs and professionals navigating data security, this episode provides key recommendations for data visibility, security posture management, and response mechanisms, built around the principles of cybersecurity.

Big Thanks to our Sponsors

Normalyze - https://normalyze.ai/
Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts: https://docs.google.com/document/d/1_z20Y5Xvs7qv6K9D2TUvM3ufLYSmXbvs

Chapters

00:00 Introduction
02:46 Understanding Data Security
03:58 The Importance of Data Security
04:21 The Challenges of Data Security
08:26 The Role of Data Security Posture Management
10:31 The Value of Data and Compliance
13:58 The Importance of Real-Time Data Protection
15:31 The Role of Encryption in Data Security
17:19 Understanding the Risks of Data Breaches
18:45 The Importance of Holistic Data Security
36:26 The Role of Anomaly Checks in Data Security
37:48 Understanding Generational Data
40:38 Conclusion and Contact Information

#153 - Game-Based Learning (with Andy Serwin & Eric Basu) Oct 30, 2023

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates. We also have a great discussion on how games can be applicable for Board Members and Techies. You just need to get the right type of game for the right audience and let the magic happen.

Big Thanks to our Sponsors

Haiku - https://www.haikuinc.io/
Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts

https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q

Prefer to watch on YouTube?

https://www.youtube.com/watch?v=45eViHH_ktA

Chapters

00:00 Introduction
03:38 What is Game-Based Learning?
07:55 Training Board of Directors
10:18 Gamification vs Game-Based Learning
14:30 Do Your Duties
21:09 Delaware Fiduciary Duties
22:54 Building a Forge
26:11 Tailored Game Types
33:35 Teaching Girl Scouts Linux Commands
40:17 Retaining Your Best People

#152 - Speak My Language (with Andrew Chrostowski) Oct 23, 2023

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks.

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/iso-27001-certification/

Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0

Chapters

00:00 Introduction
04:22 Communication is a Requirement
09:34 How does cyber create value?
11:30 Culture and Operational Excellence
16:51 How does growth strategy align with cyber?
22:30 Intention Deficit Disorder
26:48 Accountability Loops
28:39 What's the evolution for a digital strategy?
32:02 Sharpen your axe
36:40 Digital Directors Network & Qualified Technical Experts

#151 - Cyber War Oct 16, 2023

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out.

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H

Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf

Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf

Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/

Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ

https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war

Chapters

00:00 Introduction
01:57 Definition of Cyber War
04:18 Kinetic vs Cyber War
07:02 Goal of Offensive Cyber Operations
10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity)
11:33 Diplomatic, Information, Military, & Economic (DIME)
12:57 Proportionality
14:04 Law of Distinction
15:56 Tallinn Manual
18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks
23:47 Ukraine Cyber War
28:21 Comparing old tanks to old mainframes
39:55 Winning a Cyber War

#150 - Measuring Results Oct 09, 2023

On this episode we discuss the measuring results cheat sheet from Justin Mecham. Key focuses include:

Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound)
Identifying KPIs (Key Performance Indicators)
Using the WOOP Model (Wish, Outcome, Obstacle, and Plan)
Using a Gap Analysis
Using the 5 Why Method
Using Plan, Do, Check, & Act.

Link to the Measuring Results Cheat Sheet https://www.linkedin.com/posts/justinmecham_harvard-says-leaders-are-10x-more-likely-activity-7112050615576391681-Ro60/

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts https://docs.google.com/document/d/1Ok9cFBdubI6M4ubhcR0HZzmauHiU7fsN

Chapters

00:00 Introduction
03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound)
07:29 Key Performance Indicators
09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan)
09:59 Gap Analysis
12:36 Root Cause Analysis and the 5 Whys
14:09 Plan, Do, Check, and Act

#149 - Board Perspectives Oct 02, 2023

On this episode we discuss the four key roles Boards play in cybersecurity.

Setting the company's vision and risk strategy
Reviewing assessment results
Evaluating management cyber risk stance
Approving risk management plans

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/

Chapters

00:00 Introduction
01:36 What is a Board of Directors and what do they do?
09:33 FFIEC requirements for Boards
16:51 Establishing an Information Security Culture
19:08 Vision and Risk Appetite
22:00 Reviewing Cyber Assessments
25:09 Are we secure?
32:44 Castle Walls and Attacks
33:37 Getting your budget requests approved
37:10 Using use or loose money and reserved funding

#147 - Betting on MFA Sep 18, 2023

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail. Many bad actors are using SMS spoofing and Social Engineering to get in. Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them. Pro-tip: Good MFA is your friend. Use it everywhere you can including on your employees and customers during phone calls.

Big Thanks to our Sponsor

Risk3Sixty - https://risk3sixty.com/whitepaper/

Mandiant Post - https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

Rachel Tobac Post - https://www.linkedin.com/feed/update/urn:li:activity:7108040643905474562

Transcripts: https://docs.google.com/document/d/186g8y_8wMcBPwdaiFjduhRiXC88ice0T/

Chapters

00:00 Introduction
01:06 Improving the Attacker Odds at the Casino
04:09 SEC 8-K filings
13:28 MGM Timeline of attack
16:55 What can we do against these attacks?
22:51 Upgrading your MFA
24:16 Custom Authentication Strength
27:11 New Social Engineering Attacks
32:31 OKTA attacks

#148 - Threat Modeling (with Adam Shostack) Sep 25, 2023

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:

What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/

Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L

Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/

Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS

Chapters

00:00 Introduction
06:02 The 4 Questions that allow you to measure twice cut once
09:29 How Data Flow Diagrams help teams
16:04 It's more than just looking at threats
19:23 Chasing the most fluid thing or the most worrisome thing
22:00 All models are wrong and some are useful
26:25 Actionable Remediation
31:05 LLMs and Threat Models

#146 - Living in a Materiality World Sep 11, 2023

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft

Big Thanks to our Sponsors

Risk3Sixty - https://risk3sixty.com/whitepaper/
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at www.cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach!

Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr

Link to FAIR-MAM

https://www.fairinstitute.org/resources/fair-mam

Chapters

00:00 Introduction
02:16 What is the concept of material?
07:08 Investors increasingly seek information
11:21 Title 17 of the US Code Part 242
17:38 Backup and Recovery that is Resilient and Geographically Diverse
22:10 The New SEC requirements
26:38 Reporting Cyber Incidents
31:40 FAIR-MAM

#145 - The Cost of Cyber Defense Sep 04, 2023

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1

Big Thanks to our Sponsors

Risk3Sixty - https://risk3sixty.com/whitepaper/
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach!

Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/

Chapters

00:00 Introduction
01:30 What are the CIS Critical Security Controls?
03:00 How have the CIS Critical Security Controls evolved over time?
05:30 What are the benefits of implementing the CIS Critical Security Controls?
07:30 The three crucial questions for implementing the CIS Critical Security Controls
10:30 How to prioritize the CIS Critical Security Controls
12:30 What are Implementation Groups?
13:37 Enterprise Profiles
14:00 Why are Implementation Groups important?
15:30 How to choose the right Implementation Group for your organization
19:46 Cost Breakdown
23:16 Thoughts on the CIS Study

#144 - Handling Regulatory Change Aug 28, 2023

In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips!

Thanks again to our Sponsors for supporting this episode:

Risk3Sixty: Check out Risk3Sixty's weekly thought leadership webinars and downloadable resources at https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!

References

AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
Secure Controls Framework: https://securecontrolsframework.com/scf-download/

Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/

Chapters

00:00 Introduction
04:28 Meeting Cybersecurity Controls and Understanding Applicable Regulations
11:28 Ensuring Compliance with Laws and Regulations
15:42 Handling Regulatory Change: Mapping Controls & Tracking Requirements
22:02 Navigating Regulatory Changes and Ensuring Compliance

#143 - Authentication, Rainbow Tables, and Password Managers Aug 21, 2023

Here's a nice overview of cybersecurity on passwords, authentication, rainbow tables, and password managers. Enjoy the show and check out our other podcasts.

Special Thanks to our Sponsors:

Risk3Sixty: Being able to clearly articulate your vision for your security program to the board and other executives within your firm is critical to obtaining the buy in you need for your program's success. Risk3Sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!

Transcripts: https://docs.google.com/document/d/1BD6LnITOpq6wrM2CsJzCHefN0Dw4hFp9

Chapters

00:00 Introduction
02:02 Evaluating Password Management Solutions and Design-Making Approaches
05:36 Password Security and Authentication Methods
27:25 Background Sanitization, Password Storage, and Login Screen Risks
28:52 The Importance of Commercial Password Managers and Security Threats
31:27 Considerations for Choosing a Password Manager

#142 - Powerful Questions Aug 14, 2023

Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape.

Special Thanks to our Sponsors:

The Chertoff Group: https://www.chertoffgroup.com
CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!

Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/

Chapters

00:00 Introduction
01:49 How to Get More Sales at Blackhat
05:57 How to Differentiate Yourself From the Competition
10:05 How to Solve a Priority Problem
16:07 How to Achieve Bigger Goals Through Accelerating Teamwork
18:13 How to Find a CISO Job
20:30 How to follow a Rich Dad's Advice
22:59 How to Create an Opportunity Not Just for Yourself, but for Others
24:18 How to Create Value for Others
26:20 How to Provide Value to Others
28:21 The Power of Open-Ended Questions as a CISO
32:33 How to Ask Powerful Questions

#141 - Emerging Risks (with The Chertoff Group) Aug 07, 2023

On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company.

Special Thanks to our Sponsors:

The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/
Prelude: https://www.preludesecurity.com/
CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!

Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/

Chapters

00:00 Introduction
02:33 The SEC's Final Rule on Cybersecurity Disclosure
05:29 What is a Material Incident?
07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk
10:03 The Four Day Rule for Incident Reporting
12:46 The Implications of the New Role of the CISO
15:46 The Ticking Clock on Disclosure
18:31 SolarWinds and the Software Chain Security Exposure
19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges
21:29 The Rise of the SBOM
23:16 The Rise of Expectations in the U.S. Government
25:02 The Future of Software Security
27:22 The Progress of the CMMC Program
29:59 The SEC Disclosure Requirements: What to Expect From Your Board
31:57 How to Reduce Complexity in Your Software Develop

#140 - Bobby the Intern Jul 31, 2023

Don't let Bobby the Intern cause havoc in your network. On this episode of CISO Tradecraft, G Mark Hardy discusses the importance of training new hires in cybersecurity to create a strong security culture within an organization. The focus is on shaping employees' behavior and beliefs to enhance the overall cybersecurity posture.

Special Thanks to our Two Sponsors:

1) The Chertoff Group: www.chertoffgroup.com

2) Prelude: https://www.preludesecurity.com/

Transcripts: https://docs.google.com/document/d/1Z4ftmqZdUMkxD6ATRRLp0EmO_DVluQ4n

Chapters

00:00 Introduction
03:57 How to Build a Security Culture
07:19 The Importance of a Good Username and Password
11:24 How to Use MFA to Protect Your Brand
12:50 How to Teach Your Employees About Phishing
17:07 How to Deal with External Email Addresses
20:30 How to Avoid a Business Email Compromise
22:42 How to Protect Your Website from Attackers
24:40 How to Secure Your Applications
26:46 The Importance of Threat Modeling
30:48 QR Codes and How to Use Them Effectively
32:34 Delaying Desktop Patches
34:36 How to Teach Your New Hires About Security
36:30 How to Orient Your New Employees

#139 - Insider Threat Operations (with Jim Lawler) Jul 24, 2023

On this episode we bring on CIA Veteran James "Jim" Lawler to discuss how spies are recruited, how individuals are turned, and what makes them vulnerable to being turned. Learn what managers and executives can and should know about their people to help them better understand who's at risk and the types of programs that executives can put into place to stop insider threats.

Special Thanks to our Two Sponsors:

1) Prelude: https://www.preludesecurity.com/

2) Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. Learn more at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser

Be sure to read Jim's books

1) Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3Y5x2Sc

2) In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/43EkvpE

Chapters

00:00 Introduction
02:24 The Importance of Recruiting Insiders
08:06 How to Be a Successful Case Officer
11:09 The Importance of Identifying Vulnerabilities in Insider Threats
14:00 The Cockamamie Recruitment Pitch Scheme
18:50 The Importance of Rationality in Espionage
21:10 The Complex Motivations for Espionage
23:49 The Key to Stress in a Target Life
27:34 The Importance of Listening to Your People
30:02 How to Be a Good Leader
35:02 The Metaphysics of Recruitment
37:31 How to Firewall a Threat to Your Organization
41:00 Living Lies
44:49 How to Be a Better Writer
49:31 How to Be a Better Threat Manager

#138 - Updating the Mindmap (with Rafeeq Rehman) Jul 17, 2023

This week Rafeeq Rehman returns to discuss the 2023 updates to the CISO Mindmap. Note you can find his work here: https://rafeeqrehman.com/2023/03/25/ciso-mindmap-2023-what-do-infosec-professionals-really-do/

Thanks to our two sponsors for this episode.

1) Prelude: https://www.preludesecurity.com/

2) Risk3Sixty - Get a free copy of The Five CISO Archetypes eBook from risk3sixty. By reading this eBook, you will discover your strengths, weaknesses, areas where you need support from your team, and the types of organizations you best fit. The eBook also provides the tools to analyze organizations to understand their security priorities better. You will be able to use these tools to identify organizations that would most benefit from your natural strengths as a security leader. Organizations that you will love to work with and that would love to have you as part of their team. The steps outlined in this book will make you a more effective security leader and more satisfied with your career.

https://risk3sixty.com/whitepaper/five-ciso-archetypes-ebook/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

Transcripts: https://docs.google.com/document/d/1tFhZ6DdzwG12dYXvuVpaZdmfNWBVFswx

Chapters

00:00 Introduction
03:36 How to Write a Book
05:32 How to Master a Security Tool
09:19 Updating the Mind Map for 2023 and 2024
13:12 How to Resiliently Respond to Ransomware Attacks
16:15 The Importance of Redundancy in Security
19:18 How to Manage Your Security Budget Effectively
22:43 Building a Brand for a Security Organization
26:10 Untangle the Application Web of Components
29:38 The Importance of Software Build of Materials
33:28 How to Automate Security Operations
36:31 The Six Importances of a Security Mind Map
38:43 The Future of Generative AI
40:47 The Future of CISO Tradecraft

#137 - 1% Better Leadership (with Andy Ellis) Jul 10, 2023

Imagine if you could get 1% better every day at something and do this for an entire year. Well, that's 365 days. And you go, okay, fine. 1%. 1%. That's going to be like 3.65%, right? No, because it compounds. And if you go ahead and open up your calculator and you take 1.01 and you raise it to the 365th power you're going to get 37.78. On today's show we have Andy Ellis discuss ways to get 1% better as a leader.

Thanks to our two sponsors for this episode.

1) Prelude: https://www.preludesecurity.com/

2) Risk3Sixty - Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

1% Leadership Book: https://www.amazon.com/1-Leadership-Master-Improvements-Leaders-ebook/dp/B0B8YXJ2H1?&_encoding=UTF8&tag=cisotradecr05-20&linkCode=ur2&linkId=51e35f5bdcbe65e448e03d779143278c&camp=1789&creative=9325

Transcripts: https://docs.google.com/document/d/1Ul9N9cw579JMB_e7Vlk91_JpYxOBXQmx/

Chapters:

00:00 Introduction
02:09 Andy's career in cyber
04:04 The Butterfly Effect
06:06 How to Be 1% More Efficient at Cyber
09:01 The Importance of Uncloneability
10:57 The Importance of Personal Improvement in Leadership
14:21 The Importance of Commitment
16:10 The Importance of Feedback
20:23 Planning for a Sudden Change in Your Environment
26:51 How to Create Safety for Cyber Professionals
29:01 How to Face Adversity with Grace
30:36 The Importance of Culture in Email Security
32:11 The Importance of Delegation
33:55 Delegating vs Dumping
36:02 How to Reduce the Energy Cost of Inclusion
40:18 The Importance of Diversity in Organizations
42:07 Don't Borrow Evil

#136 - From Hacking to Hardcover (with Bill Pollock) Jul 03, 2023

Are you a Chief Information Security Officer (CISO) looking to share your knowledge and insights with the world? In this episode, we explore how CISOs can embark on their journey of writing their first book. Join us as we delve into valuable tips and advice, including learning from renowned author Bill Pollock, who has paved the way for aspiring CISO authors.

Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates.

https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

Transcripts: https://docs.google.com/document/d/1uxNgxe7ad9VBfRLeRH4nWY6tSkI-Kexd

Chapters

00:00 Introduction
04:37 How No Starch Press was Founded
07:24 The Rise and Fall of the Hacking Underground
11:41 How to be a Successful Hacker
14:11 How to Edit a Book
16:38 How to Be a Good Writer
18:14 How to Write a Book Proposal
23:50 How to Overclock Your Computer
26:31 The Future of AI
28:15 The Value of a Author Book Publishing Agreement
33:39 How to Make Money Writing a Book
37:34 The No Starch Press Foundation and the Hacker Initiative
40:30 Hacker Initiative: A Public Charity for Cyber Security

#135 - Board Decks (with Demetrios Lazarikos) Jun 26, 2023

One of the most important activities a CISO must perform is presenting high quality presentations to the Board of Directors. Listen and learn from Demetrios Lazarikos (Laz) and G Mark Hardy as they discuss what CISOs are putting in their decks and how best to answer the board's questions.

Special thanks to our sponsor Risk3Sixty for supporting this episode. Risk3sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

References

RSAC ESAF Download: https://www.rsaconference.com/rsac-programs/executive-security-action-forum
NACD 2023 Directors Handbook: https://www.nacdonline.org/insights/publications.cfm?ItemNumber=74777
Blue Lava: https://bluelava.io/cybersecurity-board-reporting/

Transcripts: https://docs.google.com/document/d/1juM8MQUEtAZEDp1HpzkPdNw-D11O3ofq

Chapters

00:00 Introduction
05:17 The Importance of External Audits in Managing Risk
06:48 How to Help Your Business of Revenue Protection Reduce Risk
11:15 How to be a Successful CISO
12:52 How to Measure the Threat to Your Environment
15:04 How to Prepare for Cyber Threats and Incidents
18:49 The Importance of Understanding the Business's Critical Assets
22:28 OSINT and CSIRT.global Tools and Technologies
25:14 Building a Matrix of Good Intention, Bad Behavior, and Access Management
28:10 How to Create an Incident Response Plan
30:20 How to Keep Your Board of Directors Informed of Cybersecurity Incidents
31:50 How to Keep Track of the Latest Cyber Threats Coming Around the Corner
34:11 How to Achieve Cyber Insurance Coverage
37:06 Cyber Liability Insurance: A Necessary Component of Running Your Business in 2023
39:22 How to Measure the Effectiveness of a Company's Cybersecurity Program
40:54 The Importance of Business Alignment

#134 - Ransomware Response (with Ricoh Danielson) Jun 19, 2023

A lot of times we focus on preventing ransomware, but we forget what we should do when we actually encounter it. That's why we are bringing on Ricoh Danielson to talk about it. Learn from him as he discusses tactics and techniques for businesses to follow then stuff hits the fan.

Special thanks to our sponsor Risk3Sixty for supporting this episode. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

Ricoh Danielson - https://www.linkedin.com/in/ricoh-danielson-736a0715/

Transcript: https://docs.google.com/document/d/1R82dUBChC3URM6iaP3D7dds_2nh27DTs/

Chapters

00:00 Introduction
03:19 How to Help a Small Business Dig Out of Cybercrime
05:00 How to Negotiate with Your Cyber Insurance Company
08:58 How to Deal with a Threat Actor
12:57 The Importance of Treating Everything Equally
15:45 How to Use Microsoft Tools to Capture Information
17:25 How to Combat a Threat Actor with Microsoft Defender
22:41 Set up PGP Keys in Advance
25:26 How to Negotiate with an OFAC sanctioned organization
28:24 How to Deal with Ransomware
30:28 The Nature of Instant Response
32:25 How to Get Concurrency in your Organization
34:05 The Importance of a a Strong Relationship with a Client
37:34 The Importance of Breach Notifications
39:21 How to Hand Combat a Threat Actor

#133 - The Seesaw of Cyber Recruiting (with Lee Kushner) Jun 12, 2023

This episode features Lee Kushner discussing various topics, including negotiating skills, the importance of degrees in the cybersecurity field, the need for diversity in the industry, challenges faced by cybersecurity professionals, starting a career in cybersecurity, and the value of technical skills. The conversation emphasizes the need for individuals to acquire technical skills, such as coding and networking, as they are in high demand and can differentiate them in the job market. It also mentions the importance of understanding the industry and its composition when seeking employment in cybersecurity.

Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser

Transcripts: https://docs.google.com/document/d/11askuaFcV_jYov2FklkbZXxVN3JSNu6y/

Chapters

00:00 Introduction
07:56 The Importance of Professional First Mindset in the Staffing Industry
09:33 The Importance of Perception in a Staffing Environment
11:36 The Role of the Research Professional in a Hiring Process
16:03 How to Overcome Barriers in the Recruitment Process
18:09 The Importance of Education in Executive Search
20:41 The Importance of Diversity in Cyber Talent
25:25 How to Get a Job in Cyber Security
27:48 The Importance of a Technical Foundation in Careers
32:08 How to Become a Cybersecurity Professional
34:06 The Future of Cybersecurity Career Paths
35:56 The Future of Security
41:24 How to Get in Touch With Your Clients

#132 - Founding to Funding (with Cyndi and Ron Gula) Jun 05, 2023

On this episode we bring in Cyndi and Ron Gula from Gula Tech (https://www.gula.tech/) to talk about their cyber security experiences. Listen and enjoy as they tell their stories about leaving the NSA, creating the first commercial network Intrusion Detection System (IDS), Founding Tenable Network Security, and investing in multiple cybersecurity startups.

Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser

Transcripts: https://docs.google.com/document/d/1zdJwzJUXHBLlQvOGYWtWVQqmxFzmAe5Z

Chapters

00:00 Introduction
02:30 The Importance of Computer Security
04:46 The Career Path to the National Security Agency
07:39 The Importance of Compatibility
10:40 How to Get Your First Customer Off the Ground
14:28 How to Make your First Hire as a Beginning Entrepreneur
16:10 The Transition to Network Security Wizards
18:35 The Origins of Tenable
21:38 How to to Survive Contact with the Enemy
24:45 The Importance of Culture in the Military
29:31 Gula Tech Adventures
33:24 The Future of Venture Investing
36:13 Secrets of Working Together as Spouses
39:33 The Future of Venture Capital
42:21 Google Tech Adventures: How to Learn Startups

#131 - Framing Executive Discussions May 29, 2023

How do we frame an executive discussion so we can structure and present information in a way that effectively engages and aligns with the needs and interests of the executive audience? On this episode we answer that question by discussing the 8 important elements of framing a discussion with executives:

Clearly define the objective
Start with the big picture
Identify key issues
Highlight impacts and benefits
Use visually compelling data and metrics
Be able to anticipate questions and concerns
Provide actionable recommendations
Seek alignment with existing perspectives of the organization

Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their Security Budget & Business Case Template: https://risk3sixty.com/whitepaper/security-budget-template/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=budget

Full Transcripts: https://docs.google.com/document/d/1vhLmqEAy-yQ01ZY1y8Nf7y-u_swTYCm8

Chapters

00:00 Introduction
02:42 How should we frame an executive discussion?
05:30 Start with the Bottom Line Up Front (BLUF)
07:11 1) Clearly Define the Objective
08:13 2) Start with the Big Picture
09:46 3) Identify Key Issues
10:47 4) Highlight Impact and Benefits
12:17 5) Use Visually Compelling Data and Metrics
13:07 6) Be able to Anticipate Questions and Concerns
15:06 7) Provide Actionable Recommendations
17:35 8) Seek Alignment with Existing Perspectives of the Organization

#130 - Financial Planning (with Logan Jackson) May 22, 2023

Learn how to unlock financial success with key strategies by Logan Jackson from Ray Capital Advisors. Logan highlights how to set clear goals, choose the right asset class, diversify your portfolio for stability and growth, build a well-diversified investment portfolio to create wealth and mitigate risk, take control of your financial future through retirement planning and goal setting, & leverage tax loss harvesting. He also discusses how to prioritize tax planning, understand the impact of behavioral finance, seek professional money management, navigate conflicts of interest in financial planning, and discover hidden wealth advisors for personalized guidance.

Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their Security Program Maturity Presentation for CISOs: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=template

Also if you would like to contact Logan Jackson please use his contact page at: https://www.raycapitaladvisors.com/

Full Transcripts: https://docs.google.com/document/d/1DLXnE5PTm4tDbONRSBarMa-1T8aduztf

Chapters

00:00 Introduction
02:37 The Importance of Financial Goal Setting
06:48 How to Choose the Right Asset Class for Your Family
11:17 How to Diversify Your Portfolio
12:56 How to Build a Diversified Investment Portfolio
15:22 How to Diversify a Portfolio and Build Wealth
19:48 How to Take Risk Off the Table
22:47 The Importance of Diversifying Your Portfolio
24:13 The Importance of Retirement Planning
28:56 The Importance of Goal Setting
30:35 The Importance of Tax Planning
33:10 How to Maximize Your Tax Implications in Taxable Investment Accounts
35:20 How to Use Tax Loss Harvesting to Avoid Tax Losses
39:51 The Importance of Behavioral Finance in Investing
43:39 The Importance of Professional Money Management
45:55 The Conflicts of Interest in Financial Planning
47:50 How to Find a Hidden Wealth Advisor

#129 - Protecting Your Family May 15, 2023

Are you looking for ways to protect your most valuable asset? In this episode, G Mark Hardy argues that our most valuable asset is our family, not the crown jewels or critical assets of a corporation. He emphasizes the importance of managing money, having an emergency fund, obtaining life insurance, building retirement savings, protecting against credit card fraud, and creating a plan for your children's digital life.

Special thanks to our sponsor Risk3Sixty for supporting this episode. You can learn more about them from the Risk3Sixty Website: https://tinyurl.com/yc4xv7bj

Full Transcript: https://docs.google.com/document/d/1vVASHmOV7n7Js0luDF1kWBF3qoytDnTy

Chapters

00:00 Introduction
02:01 How to Manage Your Money
05:54 The Millionaire Next Door
10:28 How to Diversity your Investments
12:35 The Importance of Paying Yourself First
15:41 How to Buy Paper I Bonds for Yourself
17:39 How to Choose the Right Life Insurance for You
21:28 The Cost of Life Insurance
23:12 The Importance of Retirement Savings
26:51 How to Optimize Your Retirement Income
28:47 How to Protect Yourself From Credit Card Fraud
30:40 How to Manage Your Credit
33:34 How to Avoid a Data Breach
35:44 How to Manage Your Passwords Effectively
37:36 How to Protect Your Children from the Risks of Online Content
41:23 How to Get Out of Dodge Quickly

#128 - How do CISOs spend their time? May 08, 2023

In this episode of "CISO Tradecraft," G. Mark Hardy defines the role of a CISO and discusses the Top 10 responsibilities of a Chief Information Security Officer

Full Transcript: https://docs.google.com/document/d/1J_sCMkqEeIB7pUY4KmjCiS1sz7t6LX2F

Chapters

00:00 Introduction
01:25 Defining the Role of the CISO
04:43 1) Developing and implementing a cybersecurity strategy
07:27 2) Overseeing the organization's cybersecurity key programs and initiatives
08:20 3) Ensuring that the organization's cybersecurity policies and procedures are up-to-date and in compliance
10:44 4) Collaborating with other departments and teams
12:06 5) Developing and implementing a cybersecurity budget
14:21 6) Maintaining a high level of awareness about emerging cybersecurity threats, vulnerabilities, and technologies
15:29 7) Building and maintaining relationships with external partners and networking groups
18:07 8) Providing education, guidance, and support to the organization's employees
21:34 9) Leading and managing a team of cybersecurity professionals
24:10 10) Conducting regular risk assessments

#127 - How to Stop Bad Guys from Staying on Your Network (with Kevin Fiscus) May 01, 2023

In this episode of CISO Tradecraft, G Mark Hardy and guest Kevin Fiscus discuss the challenges of cybersecurity and the importance of prioritizing security decisions. Fiscus emphasizes the need for effective protective controls and detection measures, as well as the limitations of protective controls and the importance of detection. He suggests a "Detection Oriented Security Architecture" (DOSA) that includes high-fidelity, low-noise detection, automated response, and continuous monitoring. Fiscus also discusses the concept of cyber deception and proposes a new approach to cybersecurity that involves redirecting attackers to a decoy environment.

Kevin Fiscus: https://www.linkedin.com/in/kevinbfiscus/

Full Transcripts: https://docs.google.com/document/d/1zIph4r5u8UtuhsMSmIyi90bCtV52xnHv

Chapters

00:00 Introduction
04:55 The Average Time to Identify Bad Actors is 28-207 days
07:11 Why Protective Controls Don't Always Work
08:32 Protective Controls Create Resistance
10:34 The Cost of Detecting Bad Guys on Your Network
12:40 The Effects of Resistance on Protective Controls
15:56 The Problem with False Positive Alerts
20:08 How to Define Bad Guy Activity with 100% Accuracy
22:09 The Four Components of Security
24:14 Four Components of Detection Oriented Security Architecture (DOSA)
26:17 Differentiating between Monitoring & Alerting
27:13 High Fidelity and Low Fidelity Alerts
33:06 Setting a Squelch for Radios
31:37 How to Deal with False Negatives
33:56 The Importance of Non Production Resources in Detection
37:56 How to Use Cyber Trapping to Deceive an Attacker
42:54 The Role of Environment Variability in Deception
47:08 Blowing Sunshine at Attackers

#126 - ChatGPT & Generative AI (with Konstantinos Sgantzos) Apr 24, 2023

Have you heard about the latest trends in Generative Artificial Intelligence (GAI)? Listen to this episode of CISO Tradecraft to learn from Konstantinos Sgantzos and G Mark Hardy as they talk about the potential risks of GAI and how it generates new content.

Show Notes with Links: https://docs.google.com/document/d/10eCg3L00GgnHmze14g_JUkBbfHEdGZ8HW0eAGMk4PPE

Chapters

00:00 Introduction
01:37 The Future of Generative Artificial Intelligence (GAI)
06:08 The Implications of Hallucination in Generative AI
09:06 Hallucination Trivia Test for Large Language Models
10:48 The Consequences of Using Generative AI Models
12:39 The Importance of Education in Cybersecurity
14:45 The Future of Generative AI
16:17 The Importance of Understanding Large Language Models
19:47 The Differences Between Eliza and Machine Learning
24:26 How to Armorize Generative AI
29:39 The Future of Programming
31:23 The Future of Machines
33:53 The Future of Technology
37:52 The Future of CISOs
40:25 The Future of Generative AI

#125 - Cyber Ranges (with Debbie Gordon) Apr 17, 2023

Are you worried about cyber threats and data breaches? Do you want to build a strong cybersecurity program to protect your organization? Look no further! In this episode of CISO Tradecraft, G Mark Hardy and Debbie Gordon discuss the three dimensions of an effective Information Security Management System: Policy, Practice, and Proof. G Mark emphasizes the importance of having a proper cybersecurity policy that references information security controls or outcome-driven statements. However, it's not enough to have policies on paper; organizations need to practice what's on paper to be prepared for cyber events. This is where ranges come in. Ranges are a full replica of an enterprise network with real tools, traffic, and malware. They allow teams to practice detecting and responding to attacks in a safe environment. Debbie Gordon, founder of Cloud Range, explains how ranges can help organizations accelerate experience and reduce risk in cybersecurity. She emphasizes the importance of educating an organization's user base to become the first and last lines of defense against cyber threats. By training non-technical executives to spot suspicious activity and bring it to the attention of the security team, organizations can minimize the damage caused by phishing attacks, ransomware, and other cyber threats. Gordon also highlights the importance of team training in cybersecurity because it's not just about individual skills, but also about how teams work together to respond to threats. By practicing together in a range environment, organizations can improve their processes, handoffs, and speed in detecting and responding to attacks.

Special thanks to our sponsor Cloud Range Cyber for supporting this episode.

Website: www.cloudrangecyber.com

Email: info@cloudrangecyber.com

Full Transcripts: https://docs.google.com/document/d/1yWenwauzfAiQYafFW0Iew33vbzvlO2BO

Chapters

00:00 Polished Security Programs need Policy, Practice, and Proof
00:54 Policy
02:47 Practice
03:44 Proof
04:28 How to Apply the Concepts of Ranges to Help Organizations
06:05 The importance of Experiential Learning
07:48 The Importance of following Procedures
12:12 The Benefits of Team Training for Cyber Ranges
15:33 The Importance of Muscle Memory
20:22 How to Maximize Your Investment in Cybersecurity (KPIs & Measurable Results)
24:33 The Advantages of using the MITRE ATT&CK® Framework
27:41 The Advantages of Following ISO Standards
31:36 How to Improve your Cloud Range Exercises
33:22 How to use Cognitive Aptitude Assessments for Workforce Development
37:44 How to level the Playing field for Cyber Talent

#124 - Simple, Easy, & Cheap Cybersecurity Measures (with Brent Deterding) Apr 10, 2023

Are you concerned about the security of your data? If so, you're in luck, because we have an incredible episode that has Brent Deterding discuss how to implement simple, easy, and cheap cybersecurity measures.

One of the key takeaways from the episode is the importance of understanding, managing, and mitigating the risk of critical data being exposed, altered, or denied. Brent Deterding shares his top four tips for CISOs, which include implementing multi-factor authentication, device posture management, endpoint detection and response, and external patching. He emphasizes the importance of keeping things simple, easy, and cheap.

Overall, the episode emphasizes the importance of taking a proactive approach to cybersecurity and being prepared for potential cyber threats. Brett Dietrich shares his approach to reducing risk for his company when negotiating with underwriters. Remember significant risk reduction is simple, easy, and cheap, so don't wait to implement these tools and strategies.

10 Immutable Laws of Security: https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security

Transcripts: https://docs.google.com/document/d/1eP7F8pD3kcrbja2sfSwSKGnJ-ADHviUt

Chapters:

00:00 Introduction
02:05 How to Protect Your Organization's Critical Data
01:43 Scenario of Protecting a Small Company
08:01 The 10 Immutable Laws of Security
14:26 Tips for CISOs
15:30 Simple, Easy, & Cheap is a Technology State
19:00 How Much Do You Care About Phishing Problems?
20:46 How to a be successful at RSA?
26:00 How to Enable the Business without Reducing Friction?
28:37 How to Adopt the Australian Essential 8
31:06 Team Platform vs Best of Bread
33:00 Those with a fear of vendor lock-in are retired
36:36 How to Save Money on Cyber Insurance
38:27 How to implement the Four Hills Strategy (MFA, EDR, Device Posture Management, & Patch Management)
40:57 How to Negotiate Effectively With Insurance Companies
42:48: Getting Material Risk Reduction is Simple, Easy, and Cheap

#123 - Accepted Cyber Strategy (with Branden Newman) Apr 03, 2023

In this episode of "CISO Tradecraft," G Mark Hardy discusses how to build an effective cyber strategy that executives will appreciate. He breaks down the four questions (Who, What, Why, and How) that need to be answered to create a successful strategy and emphasizes the importance of understanding how the company makes money and what critical business processes and IT systems support the mission. Later in the episode, Branden Newman shares his career path to becoming a CISO and his approach to building an effective cyber strategy. Newman stresses the importance of communication skills and the ability to influence people as the most critical skills for a CISO. He also shares his advice on how to effectively influence executives as a CISO.

Full Transcripts - https://docs.google.com/document/d/1nFxpOxVl6spkK-Y8GLU5q2f6R_4VD-a2

Chapters:

00:00 Introduction
01:06 The Four Questions (Who, What, Why, and How)
08:11 Building an accepted cyber strategy
09:19 Importance of communication skills for a CISO
10:19 Understanding financial statements
12:47 Following the money
14:09 Reputation and cybersecurity
15:24 Getting executive buy-in into cybersecurity
15:57 Building Trust with Executives
16:45 Security Enables New Elements of Business
17:13 Why Cybersecurity Gets Ignored
20:07 Framing Cybersecurity as a Competitive Advantage
21:19 Mistakes CISOs Make When Communicating with Executives
22:54 Telling Stories to Communicate with Executives
24:09 Using Business Cases and Examples
27:28 The Importance of Listening to the Executives
29:31 Making Informed Risk-Based Decisions
30:54 Building Trust and Champions
32:55 Building a Network of Trust
35:13 Being Pragmatic

#122 - Methodologies for Analysis (with Christopher Crowley) Mar 27, 2023

Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in.

Analysis of Competing Hypothesis https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf

Christopher Crowley's Company https://montance.com/

Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr

Chapters

00:00 Introduction
02:30 The Morris Worm and the Internet
04:17 The Future of Cybersecurity
06:41 How to setup a shared drive for multitasking
10:26 The Evolution of Career Paths
12:02 The Importance of Methodology in Problem Solving
14:16 The Importance of Hypothesis in Cybersecurity
19:58 MITRE ATT&CK® Framework: A Two Dimensional Array
21:54 The Importance of a Foregone Conclusion Methodology
23:29 The Disruptor's Role in Hypothesis Brainstorming
25:18 The Importance of Resilience in Leadership
27:45 Methodologies and Threat Hunting
29:21 The Importance of Information Bias in Threat Hunting
34:31 How to Sort Hypothesis in a Spreadsheet
37:22 The Importance of Refining the Matrix
40:34 How to Automate Analysis of Competing Hypothesis

#121 - Legal Questions (with Evan Wolff) Mar 20, 2023

Have you ever wanted to get a legal perspective on cybersecurity? On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others. He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general council. Please enjoy.

Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh

Chapters

00:00 Introductions
01:52 The Attorney Client Privilege
04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
06:30 CISO Disclaimer
09:23 Security Is a Component of Government Contracts
11:59 What are the Borders Between Information Security and Legal Risk
15:31 Cyber Security - Is there a Standard of Care?
18:11 Do you have a Reasonable Best Effort?
21:27 CMMC 2.0
26:22 Is your Privacy Policy going to expire?
28:30 What is Reasonable Assurance?
33:41 Advice for Partnering with the General Counsel

#120 - Negotiating Your Best CISO Package (with Michael Piacente) Mar 13, 2023

Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages. Examples include but are not limited to: - Base Salary,

Bonuses (Annual, Relocation, & Hiring)
Reserve Stock Units
Annual Leave
Title (VP or SVP)
Directors & Officers Insurance
Accelerated Vesting Clauses
Severance Agreements

You can learn more about CISO compensations by Googling any of the following compensation surveys

Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...

Full Transcripts: https://docs.google.com/document/d/1e...

Chapters:

00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
11:44 Is there a signing bonus?
13:56 What's the difference between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should you counter an offer?
28:17 Corporate Liability Insurance
29:50 Do you want to be extended on the Director and Officer Insurance Policy?
32:56 How to negotiate a severance agreement
36:00 Compensation Survey Reports

#119 - Ethics (with Stephen Northcutt) Mar 06, 2023

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in. Sometimes ethical stances are clear and you know you are doing what’s right. Others are blurry, messy, and really weigh on your mind. So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Case where Joe Sullivan the Former Chief Security Officer of Uber was convicted of federal charges for covering up a data breach. Thanks to Stephen Northcutt for coming on today's show.

Full Transcript https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9

Chapters

00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do you have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and say you are wrong
27:40 CISOs and CISOs - Is this a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO

#118 - Data Engineering (with Gal Shpantzer) Feb 27, 2023

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.

Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/

Gal's Twitter Page - https://twitter.com/Shpantzer

Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/

Chapters

00:00 Introduction
02:00 How do you Architect Big Data Data Infrastructure
03:33 Are you taking a look at Ransomware?
06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is there a Security Log
32:30 Streaming Analytics is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics

#117 - Good Governance (with Sameer Sait) Feb 20, 2023

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute. Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/ Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li

Chapters

00:00 Introduction
03:10 Good Governances is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge is Taking Measured Risk
20:05 Is there a Cybersecurity Policy
22:32 Culture eats Policy for Lunch
24:14 The Role of the CISO
27:52 How do you Convince the Leadership Team that you need extra resources
29:51 How do you Measure Cybersecurity?
32:22 How do we communicate Risk Findings to Senior Management
36:07 Are you Aligning with the Audit Committee

#116 - A European view of CISO responsibilities (with Michael Krausz) Feb 13, 2023

In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.

Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/

Michael Krausz Website: https://i-s-c.co.at/

Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv

Chapters

00:00 Introduction
04:01 Is there a Gap Analysis in ISO 27001?
08:05 Is there a Requirement for ISO Standards?
10:57 What is ISO 27001?
13:11 Is there a Parallel Development between the US and EU?
16:57 Do you want to be a trooper?
21:17 What's the Oldest Operating System?
23:09 Is there a Legacy Operating Systems that you can't get away with?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I need 6 people period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs

#115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser) Feb 06, 2023

How can cyber best help the sales organization? It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.

Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/

Chapters

00:00 Introduction
02:58 How did you marry those two cultures?
06:40 Building a Diverse Workforce
08:23 Is this a new role based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
19:07 Is there a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do you have any lessons learned from your success at Global Management Consulting?
29:33 You need to schedule time to get things done
33:33 What about Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO

#114 - One Vendor to Secure Them All Jan 30, 2023

Did you ever wonder how much security you can implement with a single vendor? We did and were surprised by how much you can do using the Australian Top Eight as a template. We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts:

https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ

Helpful Links

Essential 8 https://www.microsoft.com/en-au/business/topic/security/essential-eight
Blocking Macros https://ite8.com.au/the-essential-8/office-macros-explained/
Windows Defender Application Control or WDAC (available from Windows 10 or Server 2016 or newer) previously Windows had App Locker (Windows 7 / 8)
- https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Windows Group Policies
- https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
- https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains
- https://data.iana.org/TLD/tlds-alpha-by-domain.txt
- Software Restriction Policies http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
- Blocking websites URL - only allow (.com, .org, .net, edu, .gov, .mil, and the countries you want).
- Locking down Active Directory https://attack.stealthbits.com/tag/active-directory
File Service Resource Management
- http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
Enable MFA for RDP
- https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access
- https://duo.com/docs/rdp
Enable MFA for SSH
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
- https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux
Windows Controlled Folder Access
- https://support.microsoft.com/en-

#113 - SAST Security (with John Steven) Jan 23, 2023

This episode provides a deep dive into Static Application Security Testing (SAST) tools. Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization. Special thanks to John Steven for coming on the show to share his expertise.

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb

Chapters:

00:00 Introduction
02:51 Source Code Analyzers
04:22 The three bears of Static Analysis
06:01 Do Linters work Better?
08:00 The Value of Full Programming Analysis Tools over Linters
11:30 The Impact of a Developer's Analysis on a Developer Environment
13:05 SAST Testing
15:47 OWASP Benchmarking
19:13 The First Static Analysis Tools
20:53 Can you break up that worry about Automated Testing?
22:44 Using Static Analysis for Defect Discovery
24:18 Using Static Analysis to Improve Web Security
31:37 Using Static Analysis to Drive Cloud Security
33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
34:55 Using Static Analysis to Build a Vulnerability Management Practice
37:35 Can you use Static Analysis to Find Insider Threat?

#112 - Attack Surface Management (with Richard Ford) Jan 17, 2023

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.

Special thanks to our sponsor Praetorian for supporting this episode.

Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj

Chapters:

00:00 Introduction
04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
07:48 What's the Difference between a CTO and a CIO?
10:24 What attracted you to the problem space?
12:53 Is the Attack Surface really exposed?
16:12 Shadow IT - The Unknown Unknowns that could Bite You
19:56 Is there a Shadow IT problem?
23:24 How to get management on board with Shadow IT?
26:38 Building an Attack Surface Management Program
29:57 You Get What You Measure, Right?
33:27 Do I Have Vulnerable Assets?
39:24 Attack Surface Management

#111 - Leading with Style Jan 09, 2023

Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes? Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes. So sit back, relax, and enjoy CISO Tradecraft.

Show Notes with Pictures & References:

https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Full Transcript: https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

#110 - CISO Predictions for 2023 Jan 02, 2023

Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023? Listen to the episode to learn more about:

Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
Convergence of Security Tools
Collaboration Technology
Evolution of the Endpoint (Chromebooks or Browser Isolation)
Chatbots
Vague and unclear cyber laws
CISO liability increases
Umbrella IT general controls mapping
Companies will be less truthful during 3rd party questionnaires
Cyber defense will become more difficult because of people

Be sure to also check out G Mark Hardy's annual ISACA talk at http://isaca-cmc.org/

Link to full transcripts of the podcast can be found here: https://docs.google.com/document/d/1RkrtkuunBn-qaU-Y9HvgHJzAKoIIszcW/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

#109 - The Right Stuff Dec 19, 2022

Success leaves clues, but sometimes we limit ourselves by only looking close by for them. This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice. Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader. Some of the essential skills we discuss on this episode of CISO Tradecraft are:

Be a leader
Manage money and resources
Differentiate yourself and your message
Communicate with clarity and emphasis
Delegate and hold subordinates accountable
Build a personal network
Mentor your team
Be adaptable
Be sensitive to cultural and political issues
Watch the details and ensure your management makes informed risk-based decisions &
Know your limitations

We thank our sponsor Nucleus Security for supporting this episode

Full Transcript: https://docs.google.com/document/d/1C357cX_4wKTRmhRUsGh_2d9vIMX5LspL/

Show links:

https://www.smallbusiness.wa.gov.au/starting-and-growing/essential-business-skills

https://cisotradecraft.podbean.com/e/108-budgeting-for-cisos-with-nick-vigier/

https://nativeintelligence.com/

https://github.com/cisotradecraft/Podcast#business-management--leadership

https://www.ef.com/wwen/blog/efacademyblog/skills-for-success/

https://www.criticalthinking.org/pages/defining-critical-thinking/766

https://your.yale.edu/learn-and-grow-what-adaptability-workplace

https://openai.com/blog/chatgpt/

https://openai.com/dall-e-2/

#108 - Show Me The Money (with Nick Vigier) Dec 12, 2022

There's a lot of things you need to know as a CISO, but one of the things least taught is budgeting best practices. On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic. His conversations focus on spends vs investments. Remember spends = overhead, whereas investments = growth. Here's a great point.

[10:00] There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or things that I like to think about is the business has a limited appetite for risk management, but they have infinite appetite for profits and making money.

So if you're able to frame them as how they're actually going to help accelerate the business or improve the business that brings the CEO and the CFO along on the journey, that you're not just there to lock the doors, you might actually be there to help put another floor on the building and that's a very different conversation.

We also thank our sponsor Nucleus Security for supporting this episode.

Full Transcript: https://docs.google.com/document/d/1nURiml3BJFnszFRA8qov1CgO_VkDFaCY

#106 - How to Win Your First CISO Role Nov 28, 2022

Are You Ready To Win Your First CISO role? Apply these techniques into your resume and interview process so both recruiters and hiring managers will offer you the job. This show focuses on:

Highlighting the Different Types of CISO Roles
Showing how to progress from a Senior Director Role into a Fortune 100 CISO
Resume Tricks and Tips that get you noticed by recruiters
How to have a great interview with a recruiter
What Hiring Managers want to see from CISOs during their interviews

Please note the full show transcript can be found here https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn

#107 - Consolidating Vulnerability Management (with Jeff Gouge) Dec 05, 2022

Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management. We also thank our sponsor Nucleus Security for supporting this episode.

Consistently tracking and prioritizing vulnerabilities is a difficult problem. This episode talks about it in detail and helps you increase your understanding in:

Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so many
How CVSS base scores are actually calculated so you can understand its strengths and weaknesses
How Threat Intelligence Data improves CVSS scoring
- Knowing which vulnerabilities are being actively exploited by bad actors through the CISA Known Exploited Vulnerabilities Catalog
- Knowing with vulnerabilities are being exploited in your industry or organization
- Knowing how the Exploit Prediction Scoring System (EPSS) can predict which vulnerabilities will be exploited soon
Learning about the Stakeholder-Specific Vulnerability Categorization Guide (SSVC)

Note a Full Transcript of this podcast can be found here:

https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/

#105 - Start Me Up (with Bob Cousins) Nov 21, 2022

Would you like to hear a master class on what Technology professionals need to know about startups? On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists. Listen and learn more about:

What should a technology professional know about venture capital and dealing with venture capitalists?
What is the role of marketing?
What do engineers get wrong with helping businesses create profitable growth?
What is the value of a product?

Subscribe to the CISO Tradecraft LinkedIn Page

#104 - Breach and Attack Simulation (with Dave Klein) Nov 14, 2022

Special Thanks to our podcast sponsor, Cymulate.

On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:

Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For Example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.

Breach and Attack Simulation tooling address these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:

Managing organizational cyber-risk end to end
Rationalizing security spend
Prioritizing mitigations based on validated risks
Protecting against the latest threats in near real-time
Preventing environmental drift

Welcome back listeners and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.

Starting from the beginning. What is Breach and Attack Simulation software and why is this needed? At the end of the day most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public facing websites to sell products and services. Each of these activities result in creating organizational assets such as IT equipment that has internet connectivity. Now internet connectivity isn’t a bad thing. Remember internet connectivity allows companies to generate income which allows the organization to exist. This income goes to funding expenses like the cyber organization so that is a good thing.

If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the terms Cyber Asset Attack Surface Management or (CAASM). It’s also commonly referred to as continuous threat exposure management. Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources. Essentially they are designed to address key questions such as:

How do we get an inventory of what we have?
How do we know our vulnerabilities? and
How do we know which vulnerabilities might be exploited by threat actors?

Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note Breach and Attack Simulation software overlaps with

#103 - Listening to the Wise (with Bill Cheswick) Nov 07, 2022

Have you ever just met someone that was so interesting that you just sat and gave them your full attention? On this episode of CISO Tradecraft, we have Bill Cheswick come on the show. Bill talks about his 50 years in computing. From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses. He was also the first person to co-author a book on Internet Security. So listen in and enjoy. Also special thanks to our sponsor, Obsidian Security. You can learn more about them at: https://www.obsidiansecurity.com/sspm/

#102 - Mentorship, Sponsorship, and A Message to Garcia Oct 31, 2022

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well.) Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work. Today we're going to give you a template for creating a personal development plan you can use with your team. I also want to introduce you to a booklet that I keep on my desk. It was written in 1899. Do you have any idea what it might be? Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own.

Let's take a moment to hear from today's sponsor Obsidian Security.

Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves. But success shouldn't be a secret. As Tony Robbins said, "success leaves clues." One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship. But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen. Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.

Definitions

Let's start with what is a mentor - the dictionary definition is "an experienced and trusted adviser." My definition is it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé. Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids. You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.

Mentor

Let's talk about the who, what, when, why, and how of being a mentor. The WHO part is someone with experience and wisdom willing to share insights. Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom should you meet and why.

The WHEN portion of mentoring is usually a condition of the type of relationship. A traditional one-on-one mentor relationship may be established formally or informally. We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor. I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly. Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth. [Irish whiskey story]

The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance. Mentoring is not like doing the dishes where anyone can do a competent job. It requires empathy, communication skills, wisdom, and time commitment. I'm at the point in my life and career where I actively try to help others who are not as old as I am. Many times, that's appreciated, but some people seem to pref

#101 - SaaS Security Posture Management (with Ben Johnson) Oct 24, 2022

Special Thanks to our podcast sponsor, Obsidian Security.

We are really excited to share today’s show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show so please stick around and enjoy. First let’s go back to the basics:

Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions:

How many clouds are we in?
What data are we sending to the cloud to help the business?
How do we know the cloud environments we are using are properly configured?

Let’s walk through each of these questions to understand the cyber risks we need to communicate to the business as well as focus on one Cloud type that might be forecasting a major event. First let’s look at the first question.

How many clouds are we in? It’s pretty common to find organizations still host data in on premises data centers. This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location. Example if you live in Florida you can expect a hurricane. When this happens you might expect the data center to lose power and internet connectivity. Therefore it’s smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event. We can think of our primary data center and our backup data center as an On-Premises cloud. Therefore it’s the first cloud that we encounter.

The second cloud we are likely to encounter is external. Most organizations have made the shift to using Cloud Computing Service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises. Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations you are in what is known as a hybrid cloud environment. If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment. Notice the difference between terms. Hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a Common Cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms. Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings.

So let’s say your organization uses on premises and AWS but not Azure or GCP. Does that mean you only have two clouds? Probably not. You see there’s one more type of cloud hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service commonly pronounced as (SaaS). Frankly we don’t hear about SaaS security being discussed much which is why we are doing a deep dive on its security in this episode. We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event. So let’s look at SaaS Security in more depth.

SaaS refers to cloud hosted solutions whereby vendors maintain most everything. They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. It can be a huge win to run SaaS soluti

#100 - 7 Ways CISOs Setup for Success Oct 17, 2022

References

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is something special for us and we hope for you as well. It’s hard to believe it but CISO Tradecraft has been producing episodes for about two years now. This is our 100th episode! We've covered quite a bit of ground over that time, and we thought we would do a little reflection on our previous episodes and highlight seven differentiators that set World Class CISOs apart from others. So, stick around and learn these seven tips that will enable you to enhance your CISO Tradecraft and help you have a more successful career.

The first tip we want you to understand is that you must always help others to understand your viewpoints through Connection. Now there is one thing to note: the way you connect depends on the size of the audience. We observe that there’s usually three different audience sizes that you will connect with: Individuals or 1:1, Small Teams (between 2 and 20), and Large Groups (more than 20).
1. With Individuals it’s all about building the one-on-one connection. An example of folks who excel at building connections are spies. Spies have a mission to build connections with others and recruit them to share important information. Now if you go back to Episode #84, we brought Robin Dreeke on the show to talk about Building Relationships of Trust. Robin was a long time FBI agent who excelled in recruiting and turning Russian spies. In the episode, Robin talked about the key to building relationships of trust. He mentioned four key recommendations:
  1. Seek the thoughts and opinions of others;
  2. Talk in terms of priorities, pain poi

#99 - Cyberwar and the Law of Armed Conflict (with Larry Dietz) Oct 10, 2022

Episode 99 - Cyberwar and the Law of Armed Conflict with Larry Dietz

We bring you another episode from Naas, Ireland today speaking about cyberwar and the law of armed conflict with Larry Dietz, a retired US Army Colonel and practicing attorney. This is a follow-up to Episode 98, where we cover the Tallin Manual, discover a surprise resource on cyber conflict hosted by the Red Cross, examine what critical infrastructure might be legitimate targets, and the importance for CISOs to establish relationships with law enforcement before things go bad.

References:

#98 - Outrunning the Bear Oct 03, 2022

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it. Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way. So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers. It only takes a click -- thank you for helping out our security leadership community.

I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time. However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that.

The ancient Chinese military strategist Sun Tzu wrote:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today. Let me add one more quote and we'll get into the material. Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said:

"As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.

So, knowledge seems extremely important throughout the ages. Modern governments know that, and as a result all have their own intelligence agencies. Let's look at an example. If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency:

Collecting foreign intelligence that matters
Producing objective all-source analysis
Conducting effective covert action as directed by the President
Safeguarding the secrets that help keep our nation safe.

Why do we mention this? Most governments around the world have similar Nation State objectives and mission statements. Additionally, it’s particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents.).

What are typical goals for State Actors? Let's look at a couple:

Goal 1: Steal targeting data to enable future operations. Data such as cell phone records, banking statements or emails allow countries to better target individuals and companies when they know that identifying information. Additionally, targeting data allows Nation state organizations to understand how individuals are connected. This can be key when we are looking for key influencers for targets of interest. All targeting data should not be considered equal. Generally, Banking and Telecom Data are considered the best for collecting so be mindful if that is the type of company that you protect. State Actors target these organizations because of two factors:
- The Importance of the Data is the first factor. If one party sends a second party an email, that means there is a basic level

#97 - Mobile Application Security (with Brian Reed) Sep 26, 2022

Special Thanks to our podcast sponsor, NowSecure. On this episode, Brian Reed (Chief Mobility Officer at NowSecure) stops in to provide a world class education on Mobile Application Security. It's incredible to think that 70% of internet traffic is coming over mobile devices. Most of this traffic occurs via mobile applications so we need to understand mobile application security testing, before attackers show us how important it is. This episode will help you understand:

What should you be doing to secure your mobile applications?
Why managing a mobile device doesn't secure your application layer?
How should you vet your mobile applications according to recommendations from OWASP

References:

NowSecure Academy provides free mobile application security training and certificate programs- https://academy.nowsecure.com/ Mobile app growth trends and security issues in the news- https://www.nowsecure.com/mobile-app-breach-news/
Snapshot of the current risk profile for mobile apps in your industry- https://mobilerisktracker.nowsecure.com/
App Defense Alliance https://appdefensealliance.dev/
Google Play Data Safety- https://blog.google/products/google-play/data-safety/
OWASP CycloneDX- https://owasp.org/www-project-cyclonedx/
OWASP MASVS- https://github.com/OWASP/owasp-masvs

#96 - The 9 Cs of Cyber Sep 19, 2022

Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we’re going to -- talk like a pirate. ARRR

As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

On today’s episode we are going to talk about the 9 Cs of Cyber Security. Note these are not the 9 Seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk like a Pirate Day. They are the nine words that begin with the letter C (but not the letter ARRR):

Controls,
Compliance,
Continuity,
Coverage,
Complexity,
Competency,
Communication,
Convenience,
Consistency.

Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft.

Now before we go into the 9 Cs, it’s important to understand that the 9 Cs represent three equal groups of three. Be sure to look at the show notes which will link to our CISO Tradecraft website that shows a 9-box picture which should make this easier to understand. But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder. Each stakeholder is going to be concerned with different things, and by identifying three important priorities for each, we have our grid. Make sense? Okay, let's dig in.

The first row in our grid is the focus of Executive Leaders. First, this group of executives such as the CEO, CIO, and CISO ensure that the IT controls and objectives are working as desired. Next, these executives want attestations and audits to ensure that compliance is being achieved and the organization is not just paying lip service to those requirements. Thirdly, they also want business continuity. IT systems must be constantly available despite attacks from ransomware, hardware failures, and power outages.
The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators. First, they need to ensure they understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software. Next, developers should be concerned with how Complexity in their environment can reduce security, as these tend to work at cross-purposes. Lastly, developers care about Competency of their teams to build software correctly; that competency is a key predictor of the end quality of what is ultimately produced.
The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information System Officers commonly known as BISOs. They need to provide clear communication that informs others what they need to do, they need processes and tools that enable convenience so as to reduce friction. Finally, they need to be consistent. No one wants a fire department that only shows up 25% of the time.

So now that we have a high-level overview of the 9 C’s let’s start going into detail on each one of them. We'll start with the focus of executive leaders. Again, that is controls, compliance, and continuity.

Controls- According to James Hall's book on Accounting Information Systems[i], General Computer Controls are "specific activities performed by per

#95 - Got any Data Security (with Brian Vecci) Sep 12, 2022

Special Thanks to our podcast Sponsor, Varonis. Please check out Varonis's Webpage to learn more about their custom data security solutions and ransomware protection software.

On this episode Brian Vecci (Field CTO of Varonis) stops by CISO Tradecraft to discuss all things Data Security. He highlights the top 3 things every CISO needs to balance with regards to data security (Productivity, Convenience, and Security). He also discusses the most important security questions we need to understand:

What is Data Security and how does it fit into Data Protection?
How do we understand where our company’s data resides?
How do we know if our data is exposed?
How do we reduce the risk of data exposure without harming the business?

Enjoy the show and please share it with others. Also don't forget to follow the LinkedIn CISO Tradecraft Page to get more great content.

#94 - Easier, Better, Faster, & Cheaper Software Sep 05, 2022

Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper. As always, please follow us on LinkedIn, and subscribe if you have not already done so.

Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen. He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority."

Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company. You have to start thinking and operating like a digital company. It’s no longer just about procuring one solution and deploying one solution… It’s really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.”

The first time I heard this I didn’t really fully understand it. But after reflection it makes a ton of sense. For example, let’s say your company couldn’t send email. How much would that hurt the business? What if your company couldn’t use Salesforce to look up customer information? How might that impact future sales? What if your core financial systems had database integrity issues? Any of these examples would greatly impact most businesses. So, getting high-quality software applications that enable the business is a huge win.

If every company is a software or digital company, then the CISO has a rare opportunity. That is, we can create one of the largest competitive advantages for our businesses.

What if we could create an organization that builds software cheaper, faster, and better than all of our competitors?

Sounds good right? That is the focus of today’s show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development. Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that? Let's start at the back and work our way forward.

We can make our software development costs cheaper by increasing productivity from developers.
We can make our software development practices faster by increasing convenience and reducing waste.
We can make our software better by increasing security.

Let’s first look at increasing productivity. To increase productivity, we need to under stand the Resistance Pyramid. If you know how to change people and the culture within an organization, then you can significantly increase your productivity. However, people and culture are difficult to change, and different people require different management approaches.

At the bottom of the pyramid are people who are unknowing. These individuals Don’t know what to do. You can think of the interns in your company. They just got to your company, but don't understand what practices and processes to follow. If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance. Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?" An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner.
The middle part of the pyramid is people who believe they are unable to adapt to change. These are individuals that don’t know how to do the task at hand. Here,

#93 - How to Become a Cyber Security Expert Aug 29, 2022

How do you become a Cyber Security Expert?

Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert. As always, please follow us on LinkedIn, and subscribe to our podcasts.

As a security leader, part of your role is to develop your people. That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people.

Now, you may have heard the phrase, "take care of your people," but I'll take issue with that. I take care of my dog. I take care of a family member who is sick, injured, or incapacitated. Why? Because they are not capable of performing all of life's requirements on their own. For the most part, your people can do this. If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome. People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them. I am NOT going to get political here, so don't worry about that. Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves. In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success.

That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert? If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having seek out a mentor. Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!" But most of the time, career mastery involves learning from a number of others.

Today on CISO Tradecraft we are going to analyze the question, " How do you become a Cyber Security Expert?" I'm going to address this topic as if I were addressing someone in search of an answer. Don't tune out early because you feel you've already accomplished this. Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have.

Let’s start at the beginning. Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?) You see someone that tells you they have a cool job where they get paid to ethically hack into computers. Later on, you meet a second person that says they make really good money stopping bad actors from breaking into banks. Somehow these ideas stick into your brain, and you start to say to yourself, you know both of those jobs sound pretty cool. You begin to see yourself having a career in Cyber Security. You definitely prefer it to jobs that require a lot of manual labor and start at a low pay. So, you start thinking, "how I can gain the skills necessary to land a dream job in cyber security that also pays well?"

At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs. The four building blocks are:

#92 - Updating the Executive Leadership Team on Cyber Aug 22, 2022

Show Notes

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team. What should you talk about? How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer?

Story about Kim Jones at Vantiv – things have changed

Let's first talk about how you make someone satisfied -- in this case your executives.

Fredrick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general.

What a hygiene factor basically means is people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in employee bathroom.

Or, said more concisely, satisfaction and dissatisfaction are not opposites. The opposite of Satisfaction is No Satisfaction. The opposite of Dissatisfaction is No Dissatisfaction.

According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction."

For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied.

So, what makes someone satisfied or dissatisfied?

Factors for Satisfaction

Achievement
Recognition
The work itself
Responsibility
Advancement
Growth

Factors for Dissatisfaction

Company policies
Supervision
Relationship with supervisor and peers
Work conditions
Salary
Status
Security

So, what will make a board member satisfied? Today, cyber security IS a board-level concern. In the past, IT really was only an issue if something didn't work right – a hygiene problem. If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied. Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it.

Remember, boards of directors generally come from a non-IT backgrounds . According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams. And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny.

So, there is essentially a mismatch between a board member's background and a CISO's background. That extends to your choice of language and terminology as well. Never go geeky with your executives – unless you have the rare situation where your entire leadership team are all IT savvy. Otherwise, you will tune them out by talking about bits and bytes and packets and statistics.

Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully). Show how your cybersecurity initiatives and efforts reduce multiple forms of

#91 - Hacker Summer Camp Aug 15, 2022

On this episode you can hear the tale of three conferences. Listen and learn about the history of BSides, Black Hat, and DEF CON. Learn what makes these conferences special and enjoy some of the untold history of each conference.

#90 - A CISO’s Guide to Pentesting Aug 08, 2022

A CISO’s Guide to Pentesting

References

****************************

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand.

What is it
Where are good places to order it
What should I look for in a penetration testing provider
What does a penetration testing provider need to provide
What’s changing on this going forward

First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?

Now let’s start with providing a definition of a penetration test. According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system. It’s really designed to show weaknesses in a system that can be exploited. Let’s think of things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There’s really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it’s not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significan

#89 - Connecting the Dots (with Sean Heritage) Aug 01, 2022

I've been a fan of Sean Heritage for years when I first discovered his blog, "Connecting the Dots." Today I have the privilege to listen to his thoughts on cybersecurity careers in both the military and the "real world," how to prioritize your life, what careers goals you should (and should NOT) aim for, and the importance of great leadership.

Book reference:

Connecting the Dots: Deliberate Observations and Leadership Musings About Everyday Life

https://www.amazon.com/Connecting-Dots-Deliberate-Observations-Leadership/dp/1639373187?&_encoding=UTF8&tag=-0-0-20

#88 - Tackling 3 Really Hard Problems in Cyber (with Andy Ellis) Jul 25, 2022

This episode of CISO Tradecraft, Andy Ellis from Orca Security stops by to talk about three really hard problems that CISOs have struggled with for decades.

How do we build a phishing program that works?
How do we build a 3rd party risk management program that isn't a paper exercise?
How do we actually get good at patch management?

Stick around for some great answers such as:

Human error is a system in need of redesign
How do we put every employee on an island protected from the company?
If we stopped doing this practice/process, then how would the world be different?
What data/transactions does this third party have access to?
What are all of the dangerous things customers can do in their configurations that my organization needs to know about?
What if we turned on auto-patching for the desktop?
What if we set SLA tripwires to alert senior leaders when their developers are unable to meet patching timelines?

References:

Vulnerabilities Don't Count Link

#87 - From Hunt Team to Hunter (with Bryce Kunz) Jul 18, 2022

On this episode of CISO Tradecraft, Bryce Kunz from Stage 2 Security stops by to discuss how offensive cyber operations are evolving. Come and learn how attackers are bypassing MFA and EDR solutions to target your cloud environment. You can also hear what Bryce recommends to beat the bear that is Ransomware.

References: Link How Attackers Bypass MFA with Evilginx 2

Link Stage 2 Security Black Hat Course

#86 - The CISO MindMap (with Rafeeq Rehman) Jul 11, 2022

This episode features Rafeeq Rehman. He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:

1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.

2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.

3. To serve your business better, train staff on business acumen, value creation, influencing and human experience.

4. Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.

6. Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.

Links:

CISO MindMap Link
CISO MindMap 2022 Recommendations Link
Information Security Leaders Handbook Link
Cybersecurity Arm Wrestling Link

#85 - The Fab 5 Security Outcomes Study (with Helen Patton) Jul 04, 2022

On this episode of CISO Tradecraft, we feature Helen Patton.

Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.

-Is technical acumen needed for CISOs?

-Surviving organizational politics

(34:45) Helen discusses The Fab 5 Security Outcomes study.

Volume 1 Study - Link

Volume 2 Study - Link

#84 - Gaining Trust (with Robin Dreeke) Jun 27, 2022

On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula. Robin was the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate. Robin highlights 4 Pillars of Communicating:

Seek the thoughts and opinions of others
Talk in terms of priorities, pain points, and challenges of others
Use Nonjudgmental validation (ie seek to understand others without judging)
Empower others with choice and give them cause and effect of each choice

To learn more about Robin's way of thinking you can check out his podcast and books:

#83 - Cyber Defense Matrix Reloaded (with Sounil Yu) Jun 20, 2022

This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment Link

On this episode, Sounil Yu continues his discussion about his new book ("Cyber Defense Matrix"). Listen to learn more about:

Pre-Event Structural Awareness vs Post-Event Situational Awareness
Environmental vs Contextual Awareness
Understanding Security Handoffs
Rationalizing Technologies
Portfolio Analysis
Responding to Emerging Buzzwords (Zero Trust and SASE)

#82 - Cyber Defense Matrix (with Sounil Yu) Jun 13, 2022

This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment Link

This episode of CISO Tradecraft has Sounil Yu talk about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth. We discuss how the Cyber Defense Matrix can be used for:

Capturing & Organizing Measurements & Metrics
Developing a Cyber Security Roadmap
Gaining Greater Situational & Structural Awareness
Understanding Organizational Responsibilities & Handoffs
Rationalizing Technologies & Finding Investment Opportunities
Deciphering the Latest Industry Buzzword

You can purchase Sounil's new book here Link

#81- Career Lessons from a CISO (with John Hellickson) Jun 06, 2022

On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO. Listen and learn about:

The evolving role of the CISO
How John got started as a CISO
Whis is a Field CISO and how does it differ from a traditional CISO role
Tips on getting your career to the next level by attending the right conferences and getting an executive coach
How to get Business Alignment
How the Security Advisor Alliance is helping the next generation of cyber talent

#80 - Breaking Backbones (with Deb Radcliff) May 30, 2022

A respected journalist focusing on cybersecurity and our community of people for over 25 years, Deb Radcliff remains a trusted information source who checks and double-checks her sources before publication -- a refreshing change to the low signal - high noise world of social media. In this episode, we discuss where CISOs might turn for accurate information, how the industry has evolved in complexity, and take a look at the first of three fictional novels she's writing about a future world where hackers take on an oppressive digital state. What is really interesting is her explanation of how she went from book idea to published reality.

Breaking Backbones Information is Power may be purchased from the following Amazon Link

#79 - Addressing the Top CEO Concerns May 23, 2022

On this Episode of CISO Tradecraft we talk about the Top 10 areas of concern for the C Suite about Ransomware. Note you can read the full ISC2 Study here (Link).

Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware.

Increase Communication and Reporting to Leadership
Temper Overconfidence as Needed
Tailor Your Message
Make the Case for New Staff and Other Investments
Make Clear that Ransomware Defense is Everyone’s Responsibility

#78 - Business Objectives & 5 CISO Archetypes (with Christian Hyatt) May 16, 2022

On this episode of CISO Tradecraft, Christian Hyatt from risk3sixty stops by to discuss the 3 major Business Objectives for CISOs:

Risk Management
Cost Reduction
Revenue Generation

He also discusses the five CISO Archetypes.

The Executive
The Engineer
The GRC Guru
The Technician
The Builder

References: The 5 CISO Archetypes Book Link

Designing the CISO Role Link

#77 - Countering Corporate Espionage May 09, 2022

Chances are your organization has information that someone else wants. If it's another nation state, their methods may not be friendly or even legal. In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies. Listen now so you don't become a statistic later.

References:

https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf

https://nhglobalpartners.com/made-in-china-2025/

https://www.cybintsolutions.com/cyber-security-facts-stats/

http://www.secretservice.gov/ntac/final_it_sector_2008_0109.pdf

http://www.secretservice.gov/ntac/final_government_sector2008_0109.pdf

CIS Controls v8.0, Center for Internet Security, May 2021, https://www.cisecurity.org

https://owasp.org/www-project-threat-and-safeguard-matrix/

https://www.acq.osd.mil/cmmc/about-us.html

#76 - The Demise of the Cybersecurity Workforce May 02, 2022

Our career has been growing like crazy with an estimated 3.5 million unfilled cybersecurity jobs within the next few years. More certs, more quals, more money, right? The sky’s the limit. But what if we’re wrong? AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? [We did a ton of research looking at facts, figures, industry trends, and possible futures that might have us thinking that 2022 may have been “the good old days.” No gloom-and-doom here; just an objective look with a fresh perspective, you know, just in case.]

#75 - Avoiding Death By PowerPoint Apr 25, 2022

On this episode of CISO Tradecraft, we discuss how to avoid Death By PowerPoint by creating cyber awareness training that involves and engages listeners. Specifically we discuss:

The EDGE method: Explain, Demonstrate, Guide, and Enable
Escape Rooms
Tabletop Exercises
Polling During Presentations
Short videos from online resources

References:

https://blog.scoutingmagazine.org/2017/05/05/living-on-the-edge-this-is-the-correct-way-to-teach-someone-a-skill/

http://www.inquiry.net/ideals/scouting_game_purpose.htm

https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/

Escape Rooms

https://library.georgetown.org/virtual-escape-rooms/

https://research.fairfaxcounty.gov/unlimited/escape

Tabletop Exercises

From GCHQ

https://www.ncsc.gov.uk/information/exercise-in-a-box

From CISA

https://www.cisa.gov/cisa-tabletop-exercises-packages

Funny Videos on Cyber

https://staysafeonline.org/resource/security-awareness-episode/

#74 - Pass the Passwords Apr 18, 2022

On this episode of CISO Tradecraft, we focus on the Password Security and how it's evolving. Tune in to learn about:

Why do we need passwords
Ways consumers login and authenticate
How bad actors attack passwords
How long does it take to break passwords
Different types of MFA
The future of passwords with conditional access policies

Infographic:

References:

#73 - Wonderful Winn Schwartau Apr 11, 2022

Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend for over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, looks like he's doing a Tom Brady and writing one more amazing book. **Warning Adult Language**

Winn's Website Link

#72 - Logging In with SIEMs (with Anton Chuvakin) Apr 04, 2022

On this episode of CISO Tradecraft, Anton Chuvakin talks about Logging, Security Information & Event Management (SIEM) tooling, and Cloud Security. Anton share’s fantastic points of view on:

How moving to the cloud is like moving to a space station (13:44)
How you may be one IAM mistake away from a breach (20:05)
How a SIEM is a logging based approach, whereas EDRs require agents at endpoints. This becomes really interesting when cloud solutions don’t have an endpoint to install an agent (26:53)
Why you don’t want an on premises SIEM (32:35)
The 3 AM Test - Should you wake someone up for this alert at 3 AM (39:24)

#71 - Lessons Learned as a CISO (with Gary Hayslip) Mar 28, 2022

On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO. He shares various tips and tricks he has used to work effectively as a CISO across multiple companies. Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks. There's lots of great information to digest.

Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading. You can find them here on Gary's Amazon page.

#70 - Partnership is Key Mar 21, 2022

On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill & cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:

CFO
Legal
Marketing
Business Units
CEO
CIO
HR

Note Robin Dreeke mentions 5 keys to building goals.:

Learn… about their priorities, goals, and objectives.
Place… theirs ahead of yours
Allow them to talk…. suspend your own need to talk.
Seek their thoughts and opinions.
Ego suspension!!! Validate them unconditionally and non-judgmentally for who they are as a human being.

During this week's Monday Morning Email, CISO Tradecraft answers the question on how to craft a winning resume to land your first CISO role.

InfoGraphic

#69 - Aligning Security Initiatives with Business Objectives Mar 14, 2022

On this episode of CISO Tradecraft, we talk about how cyber can help the four business key objectives identified by InfoTech:

1. Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.

2. Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.

3. Service enablement: The productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.

4. Customer and market reach: The improved reach and insights of the business in existing or new markets.

We also discuss Franklin Covey's 4 Disciplines of Execution (TM):

Focus on the Wildly Important
Act on the lead measures
Keep a compelling scoreboard
Create a cadence of accountability

Please note references to Infotech and Franklin Covey Material can be found here:

Infographic:

#68 - Thought Provoking Discussions (with Richard Thieme) Mar 07, 2022

Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2. In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint: it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there is convincing evidence we are not alone in this universe.

References: https://thiemeworks.com/

#67 - Knock, Knock? Who’s There and Whatcha Want? Feb 28, 2022

On this episode of CISO Tradecraft we are going to talk about various Access Control & Authentication technologies.

Access Control Methodologies:

Mandatory Access Control or (MAC)
Discretionary Access Control or (DAC)
Role Based Access Control or (RBAC)
Privileged Access Management or (PAM)
Rule Based Access Control
Attribute Based Policy Control (ABAC) or Policy Based Access Control (PBAC)

Authentication Types:

Password-based authentication
Certificate-based authentication
Token-based authentication
Biometric authentication
Two-factor Authentication (2FA)
Multi-Factor Authentication (MFA)
Location-based authentication
Computer recognition authentication
Completely Automated Public Turing Test to Tell Computers & Humans Apart (CAPTCHA)
Single Sign On (SSO)
Risk Based authentication

References

#66 - Working On The Supply Chain Gang Feb 21, 2022

On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and the 6 important steps you can take to mitigate this attack within your organization:

Centralize your software code repository
Centralize your artifact repository
Scan open source software for malware
Scan software for vulnerabilities and vendor support
Run a Web Application Firewall (WAF)
Run a Runtime Application Self Protection (RASP)

References:

https://owasp.org/www-project-threat-and-safeguard-matrix/

https://slsa.dev/

Infographic:

#65 - Shall We Play A Game? Feb 14, 2022

Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO.

What’s in a Game?

Objective
Rules
Challenge/Competition
Randomness or unpredictability
Designed for fun and sometimes learning

What Makes a Game Fun?

Challenge requires reasonable level of difﬁculty
Fantasy compelling setting for game action; temporary suspension of reality
Curiosity random events so that play is not completely deterministic
Control learners are confronted with choices

What’s in a Learning Game?

Active participation
Immediate feedback
Dynamic interaction
Competition
Novelty
Goal direction

5 Gamification Concepts

Leaderboards
Badges & Achievements
Levels & Progression
Unlockables
Virtual Economy

4 Player Types

Killers are players motivated by leader boards and ranks. These players focus on winning and peer to peer competition. Their focus is on acting on other players.
Achievers are players motivated by achievements and points. These players focus on achieving present goals quickly and completely. Their focus is on acting on the world.
Socializers are players motivated by friends lists, chat, and news feeds. These players focus on socializing and developing a network of friends. Their focus is on interacting with players
Explorers are players motivated by hidden content and levels. These players focus on exploring and discovering the unknown. Their focus is on interacting with the world.

References:

https://www.chaostheorygames.com/blog/serious-games-guide-everything-you-need-to-know-in-2021

https://www.chaostheorygames.com/blog/what-is-gamification-2020-definition

https://directivecommunication.net/the-ultimate-guide-to-work-gamification/

https://yukaichou.com/gamificationnews/4-dominant-applications-of-gamification/

https://medium.com/@chow0531/actionable-gamification-fbe27f6cb2d6

https://www.capgemini.com/2020/06/gamification/

https://insights.lytho.com/translation-fails-advertising

http://timboileau.wordpress.com

https://www.amazon.com/dp/1451611064/?coliid=I2J1XHCOBD5476&colid=2CQEH5MGKB5YX&psc=1&ref_=lv_ov_lig_dp_it

Infographic:

#64 - 3 Keys to Being a CISO (with Allan Alford) Feb 07, 2022

On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:

Use a Cyber Maturity Model such as CMMI to identify the current situation and build a roadmap of where the organization is headed
Quantify Known Risks through a Risk Register which gets routinely briefed to Executives
Align Cyber to Business Objectives to enable the business

If you enjoy listening to Allan Alford, then please subscribe to The Cyber Ranch Podcast for more great content.

Infographic:

#63 - Flirting with Disaster Jan 31, 2022

As a cyber executive you should expect disaster and disruption. When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing vital records to perform business functions.

The secret to accomplishing these objectives can be found in three important documents. Those being a Business Continuity Plan, Disaster Recovery Plan, & a Business Impact Analysis. Enjoy the show as we walk you through them.

FEMA BCP Example https://arlingtonva.s3.amazonaws.com/wp-content/uploads/2019/08/COOP-Template-Business-Continuity.pdf

IBM Disaster Recovery Plan

https://www.ibm.com/docs/en/i/7.1?topic=system-example-disaster-recovery-plan

Fire Drills https://en.wikipedia.org/wiki/Fire_drill

Business Impact Analysis https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf

Infographic:

#62 - Promotion Through Politics Jan 24, 2022

On this episode, we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: (Technical Skills, Management Skills, Leadership Skills, & Political Skills)

We also highlight 6 crucial areas to improve your political skills

Social Astuteness - You need to get your cues right. Socially astute managers are well-versed in social interaction. In social settings they accurately assess their own behavior as well as that of others. Their strong powers of discernment and high self-awareness contribute to their political effectiveness.
Interpersonal Influence - Managers who are effective influencers have good rapport with others and build strong interpersonal relationships. They also tend to have a better understanding of broader situations and better judgment about when to assert themselves.
Networking Ability - Skilled networkers build friendships and working relationships by garnering support, negotiating, and managing conflict. They know when to call on others and are seen as willing to reciprocate.
Apparent Sincerity - Be sincere. Politically skilled individuals display high levels of integrity, authenticity, sincerity, and genuineness. They really are--and also are viewed as--honest, open, and forthright, inspiring trust and confidence.
Think before you speak - Politically skilled managers are careful about expressing feelings. They think about the timing and presentation of what they have to say.
Manage up and down - Leaders need to skillfully manage up by communicating with their bosses and keeping higher-ups informed. But this can become a double-edged sword; research shows that the people who are most skilled at managing up tend not to invest enough energy in building and leading their teams. True political skill involves relationships with teammates and direct reports as well as higher-ups.

References:

https://www.ckju.net/en/blog/6-behaviors-characterize-politically-skilled-individuals-organizations-how-learn-them/32148
https://en.wikipedia.org/wiki/Terry_Tate:_Office_Linebacker
https://hbr.org/2017/04/the-4-types-of-organizational-politics
https://www.forbes.com/2010/05/25/office-politics-psychology-leadership-managing-ccl.html
Ferris, G. R., Davidson, S. L., & Perrewe, P. L. (2005). Political skill at work: impact on work effectiveness. Mountain View, Calif. : Davies-Black Pub
Ferris, G. R., Treadway, D. C., Kolodinsky, R. W., Hochwarter, W. A., Kacmar, C. J., Douglas, C., & Frink, D. D. (2005). Development and Validation of the Political Skill Inventory. Journal of Management, 31(1), 126-152. doi: 10.1177/0149206304271386
Ferris, G. R., Berkson, H. M., Kaplan, D. M., Gilmore, D. C., Buckley, M. R., Hochwarter, W. A., et al. 1999. Development and initial validation of the political skill inventory. Paper presented at the 59th annual national meeting of the Academy of Management, Chicago.

Infographic:

#61 - Presentation Skills Jan 17, 2022

On this episode of CISO Tradecraft, we discuss how to give a great presentation.

Starting with the Bottom Line Up Front (BLUF)
Using pictures to Capture Attention
Asking Thought Provoking Questions
Succinct Points to tell a story
Decision slides that show
- The problem
- The proposed solution
- Cost to implement solution
- Why alternatives are not as good
- Next Steps after decision is made

We also discuss the Angels Cocktail which is a concept taken from a Ted Talk by JP Phillips

Dopamine is a neurotransmitter that stimulates focus, motivation, and memory. If you want to use this chemical, then tell a story that has obstacles to build suspense and create cliffhangers
Oxytocin is the hormone associated with generosity, trust, and bonding. If you want to use this chemical, tell a story that creates empathy or makes you vulnerable. You can make the story more impactful by using the concept of delaying resolution of the story.
Endorphins are the last hormone which are associated with making people creative, relaxed, and focused. If you want to use this chemical try making others laugh. One way to do this is by being overly dramatic.

References

https://www.verywellmind.com/glossophobia-2671860

https://hbr.org/2019/09/to-overcome-your-fear-of-public-speaking-stop-thinking-about-yourself

https://hbr.org/2013/06/how-to-give-a-killer-presentation

https://www.cnbc.com/id/100646197

https://www.youtube.com/watch?v=Nj-hdQMa3uA

https://www.resourcefulmanager.com/storytelling-as-a-leadership-tool/

https://hbr.org/2014/07/how-to-tell-a-great-story

Infographic:

#60 - CISO Knowledge Domains Part 2 Jan 10, 2022

One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode is a continuation from the previous episode and will go over the 6th -10th knowledge areas.

Product Security focuses on ensuring developers write secure code
Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks
Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization’s defensive technologies
Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations
Enabling Technologies is about enabling businesses to create digital transformation
Risk Management is about effectively identifying what are the biggest risks to the company, what's the likelihood and magnitude of a potential attack, and how to estimate the cost of remediation
Governance is about understanding what technology your organization uses so you can effectively manage it through a process
Identity & Access Management is about limiting the scope of an attacker who could cause harm to your organization
Business Management & Leadership is an essential skill for executives to lead and influence others
Security Culture is about building an organization where the entire company becomes resilient

https://github.com/cisotradecraft/podcast

Infographic:

#59 - CISO Knowledge Domains Part 1 Jan 03, 2022

One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft has put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode will go over just the first 5 knowledge areas with the remaining five on a future episode.

Product Security focuses on ensuring developers write secure code
Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks
Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization’s defensive technologies
Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations
Enabling Technologies is about enabling businesses to create digital transformation

https://github.com/cisotradecraft/podcast

#58 - Active Directory is Active with Attacks Dec 27, 2021

After bad actors gain an initial foothold into an organization, they often use active directory attacks to gain administrative privileges. On this episode of CISO Tradecraft, we discuss Active Directory. You can learn what it is, how it works, common attacks used against it, and ways you can secure it.

References:

Stealthbits Active Directory Attacks

Wikipedia Active Directory

Wikipedia Directory Service

Wired Story on Not Petya

Indeed Active Directory Job Listing

Infographics:

#57 - Brace for Audit Dec 20, 2021

You just got the news that the Cyber Organization is going to be audited. Do you know what an audit is, how best to prepare for it, and how to respond to audit findings? On this episode of CISO Tradecraft, we help you understand key auditing concepts such as:

Audit Subject
Audit Objective
- Vulnerability
- Threat
- Risk & Impact
Audit Scope with Goals & Objectives
Audit Plan
Audit Response

#56 - Say Firewall One More Time Dec 13, 2021

Have you ever heard someone say our firewalls block this type of attack? In this episode, you can increase your understanding of firewalls so it won’t just be another buzzword. 6 Basic categories of firewalls that we discuss on the show include:

Packet Filters focus on IP and port blocking
Stateful Inspection Firewall looks at active connections and consider context
Network Address Translation Firewalls tools that allow private networks to connect to public ones and create secure enclaves
Proxy Servers classify web traffic into topics that might be allowed or not allowed
Web Application Firewalls block Web Application Attacks (SQL Injection,Cross Site Scripting, …)
Next Generation Firewalls that try to do everything.

References - sitereview.bluecoat.com

Infographics:

#55 - I have more Agents than the FBI Dec 03, 2021

On this episode of CISO Tradecraft you can learn all about Software Agents. Specifically we discuss: What does an Agent do, Why is an Agent helpful, and the 7 common types of Software Agents you would expect to find in large IT organizations. Also, if you stick to the end you can also learn about Secret Agents (ie Agentless).

7 Common Software Agents are:

Endpoint Configuration Agents - Tools like Microsoft Endpoint Manager or SCCM
Mobile Device Managers - Tools like Microsoft Intune or Google Endpoint Management
Vulnerability Agents - Tools like Qualys or Nessus
Antivirus Agents - Tools like McAfee or Symantec
Endpoint Detection & Response Agents - Tools like Crowdstrike or Carbon Black
Data Loss Prevention Agents - Tools like Forcepoint or GTB Technologies
Privilege Access Management Agents - Tools like BeyondTrust or CyberArk

#54 - The Great Resignation Nov 19, 2021

The Great Resignation is upon us, and if some of your top talent hasn't given you their notice, it may be happening soon. Or not, depending on what you choose to do. With plenty of time to contemplate options, people are quitting jobs at a record pace. But wise leaders learn how to listen to their people's needs and desires, create a sense of purpose that motivates far beyond a paycheck, and creates a safe working space by allowing people to be human and make the occasional mistake. Keep your IT Security team intact with these concepts and much more.

For more great CISO content please subscribe to our LinkedIn Page

Thank you for listening to CISO Tradecraft

References:

https://www.bls.gov/news.release/archives/jolts_06082021.pdf
https://info.workinstitute.com/hubfs/2020%20Retention%20Report/Work%20Institutes%202020%20Retention%20Report.pdf
https://www.npr.org/2021/10/22/1048332481/the-great-resignation-why-people-are-leaving-their-jobs-in-growing-numbers
https://blog.trello.com/enterprise/how-to-retain-employees
https://hbr.org/2016/09/why-people-quit-their-jobs
https://www.mckinsey.com/business-functions/people-and-organizational-performance/our-insights/great-attrition-or-great-attraction-the-choice-is-yours
https://blog.trello.com/supportive-company-culture
https://www.statista.com/chart/19064/number-of-unused-vacation-days/
https://www.glassdoor.com/blog/vacation-realities-2017/
https://hbr.org/2016/03/two-thirds-of-managers-are-uncomfortable-communicating-with-employees
https://www.mckinsey.com/business-functions/people-and-organizational-performance/our-insights/igniting-individual-purpose-in-times-of-crisis
https://allthatsinteresting.com/myers-briggs-test
https://cybersecurityventures.com/jobs

#53 - Fun and Games to Stop Bad Actors (with Dr. Neal Krawetz) Nov 05, 2021

In this episode, you can hear from Dr. Neal Krawetz, creator of Hacker Factor and FotoForensics. Neal's a long-time security practitioner who shares some fascinating insights in terms of how to identify potential bad actors early on (think reconnaissance interception), techniques for detecting bots and malicious entities, and ways to protect your team members from misattributed fake blog entries.

#52 - Welcome to the C-Level (with Nate Warfield) Oct 29, 2021

Special Thanks to our podcast Sponsor, Prevailion.

Some of the best C-level executives start in the technical ranks. This episode features Nate Warfield, CTO of Prevailion, who differentiated himself by creating the CTI-League.com to assist healthcare companies with ransomware. We'll cover some of that organization, how Nate got his first C-level job, and some lessons learned you might appreciate in your own CISO journey.

To learn more about Cyber Adversary Intelligence, please check out Prevailion who sponsored this episode.

#51 - New Kid in Town (with Rebecca Mossman) Oct 18, 2021

When you first start a cybersecurity job, or hire someone into a cybersecurity job, there is a window of opportunity to see things with a new perspective. In this episode, we’re privileged to share ideas with Rebecca Mossman, a successful cybersecurity leader who has led successfully a number of teams in her career. We’ll examine relationships, stakeholders, setting priorities, communication, and knowing when to call something “done” and move on to the next task.

#50 - Border Gateway Protocol (BGP) Oct 11, 2021

A Border Gateway Protocol (BGP) misconfiguration is what took out Facebook on 4 October. Most IT folks don't understand how BGP works. This episode helps you gain a better understanding of the protocol that creates routing tables to move information from one end of the Internet to the other. We'll explain how Autonomous Systems (AS) share BGP route information, what should happen when things go right, and then examine what likely went wrong at Facebook and how you might be able to prepare for potential problems in advance before they occur.

#49 - Cyberlaw Musings (with Mark Rasch) Oct 01, 2021

This is a special treat. On this episode of CISO Tradecraft you can hear Mark D. Rasch, JD, discuss legal and security topics that he's encountered in his more than 30 years of experience in cybersecurity law. We look into ransomware, reportable breaches, the appropriateness (or lack thereof) of certain legal statues, and finish with some actionable advice for CISOs and security leaders that you really need to hear.

#48 - Effective Meetings Sep 24, 2021

We've all suffered through horrible meetings that felt like a total waste of time. As a security leader, you'll be convening your fair share of meetings with your staff. Don't be "that boss" who can't run an effective meeting. This episode shows ways you can ensure your meetings are both efficient and effective, result in actionable tasking, and keep people coming back for more because you showed respect for their time and their ideas. And we even practice what we preach -- this episode ends early.

Harvard Meeting Cost Calculator Link

OSS Simple Sabotage Manual Link

#47 - More Risky Business with FAIR Sep 17, 2021

In our 31 July 2021 Episode 42, Risky Business, we covered the basics of risk and risk assessment. This part 2 episode gets into the practical application of risk management using the FAIR model, or Factor Analysis of Information Risk. We explain key risk terminology and walk through examples of how to express risk using this model, as well as creating a meaningful way to explain to executives that is actionable.

Risk Matrix Example: Link

One Page FAIR Model: Link

Measuring & Managing Information Risk: Link

FAIR Wiki: Link

#46 - Crisis Leadership with G Mark Hardy‘s 9/11 Experience Sep 10, 2021

Have you ever faced a crisis? How well did you do? You should always want to improve your skills in case another happens. On the 20th anniversary of 9/11, G. Mark Hardy shares some of his experiences as the on-scene commander for the military first responders at the World Trade Center, and expands that into a set of skills and attributes that you can cultivate to become a more effective crisis response leader in your role as a cybersecurity professional.

References:

5 Leadership Skills Link
How to Combat a Crisis Link
Manage a Crisis Link
Lessons in Crisis Leadership Link
Creative Leadership Guidebook Link
Financial Interest in Situations Link
G Mark Hardy Ground Zero Video 1 of 2 Link
G Mark Hardy Ground Zero Video 2 of 2 Link

#45 - Protecting your Crown Jewels (with Roselle Safran) Sep 03, 2021

Traditional risk models focus on calculating loss frequency and magnitude, but don't go far enough in terms of modeling the most important assets in our organization, known as "crown jewels." This episode of CISO Tradecraft is a fascinating interview with the CEO and founder of a startup focusing on crown jewel analysis -- Roselle Safran. We'll look into how making this a part of your portfolio helps put the "C" in CISO by showing your understanding of the business in which you work. We'll also extend our discussion to challenges faced by women in cybersecurity, and encouragement for women (and others) to enter our exciting profession.

#44 - Intro to Docker Containers and Kubernetes (K8s) Aug 27, 2021

Containers are a lightweight technology that allows applications to deploy to a number of different host Operating Systems without having to make any modifications at all to the code. As a result, we're been seeing a big increase in the use of Docker, Kubernetes, and other tools deployed by enterprises. In this episode, we'll cover the fundamentals of containers, Docker, orchestration tools such as Kubernetes, and provide you with knowledge to understand this environment, and maybe even tempt you to create your own container to test your skill.

Major links referenced in the show

Container Architecture Link
Kubernetes Diagrams Link
Kubernetes Glossary Link
Kubernetes Primer Link

Special Thanks to our podcast Sponsor, CyberGRX

#43 - Cyber Deception (with Kevin Fiscus) Aug 20, 2021

Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work. By creating a deceptive environment that "booby-trap" your networks with fake services, enticing resources, and make-believe traffic, we can create a high-fidelity, low-noise intrusion sensor system -- no legitimate user would ever try these. Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives. There's a lot to learn here, and Kevin Fiscus offers a promise of more to come. By listening to this episode you will learn:

What is cyber deception?
What problem does cyber deception solve?
How do cyber deception technologies work?
Why is deception more effective than other detection and response technologies?

If you would like to learn more about Cyber Deception, then be sure to check out these great resources:

Kevin’s YouTube channel, Take Back the Advantage Link
The Mitre Engage Matrix Link
SANS SEC 550 Link

Special Thanks to our podcast Sponsor, CyberGRX

#42 - Third Party Risk Management (with Scott Fairbrother) Aug 13, 2021

Special Thanks to our podcast Sponsor, C yberGRX

On today’s episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:

How do you identify which vendors pose the highest risk to your business?
How do you see which vendor’s security controls protect against threats?
How do you validate their risk profiles by scanning, dark web monitoring or other techniques to correlate what attackers are seeing and acting upon?
Do you have an understanding of how to improve risk mitigation in your third-party ecosystem?

Also please subscribe to to the CISO Tradecraft LinkedIn Page to get more relevant content

#41 - Got any Threat Intelligence? Aug 06, 2021

Cyber Threat Intelligence is an important part of an effective CISO arsenal, but many security leaders don’t fully understand how to optimize it for their benefit. In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you won’t want to miss.

#40 - Risky Business Aug 01, 2021

In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information.

#39 - Stressed Out? Find your Ikigai and 6 Invaluable Factors Jul 23, 2021

Being a CISO has been described as the "toughest job in the world." It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems. Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it.

88% of CISOS report being "moderately or tremendously stressed" We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for "reason for being." The intersection of what you love, what you are good at, what the world needs, and what you can be paid for represents this ideal state. Mihaly Csikszentmihalyi describes this as "flow," when work comes seemingly effortlessly because we are in alignment with our actions. We'll also explore Dave Crenshaw's factors to being invaluable, which can help us better meet the demands of our job by being the best possible fit.

Tune in and gain some ideas on how to help yourself. and your staff, deal with stress.

CISO Tradecraft By Topic on GitHub

Csikszentmihalyi

Ikigai

Invaluable: The Secret to Becoming Irreplaceable

The Six Invaluable Factors by David Crenshaw

#38 - CMMC and Me Jul 18, 2021

This episode of CISO Tradecraft discusses CMMC. The Cybersecurity Maturity Model Certification (CMMC), is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties. The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam. CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards. In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them. We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense.

#37 - Cyber Security Laws & Regulations Jul 09, 2021

On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations:

The Health Insurance Portability and Accountability Act (HIPAA) advocates the security and privacy of personal health information
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
The Sarbanes-Oxley Act (SOX) is designed to provide transparency on anything that could cause material impact to the financials of a company
- Cyber Risk Assessment
- Identify Disclosure Controls and Policies
- Implementing Cyber Security Controls Using a Reliable Framework (NIST CSF / ISO 27001)
- Monitor and Test SOX Controls
The Gramm Leach Bliley Act (GLBA) requires Financial Institutions to protect Personally Identifiable Information (PII)
The Federal Information Security Management Act (FISMA) requires executive agencies in the federal government to address cyber security concerns
- Plan for security
- Assign responsibility
- Periodically review security controls on systems
- Authorize systems to Operate
The Payment Card Industry Data Security Standards (PCI-DSS) is a framework required to protect payment card information
The General Data Protection Regulation (GDPR) - Data Compliance and Privacy law for European citizens
- Consent
- Data Minimization
- Individual Rights
The California Consumer Protection Act (CCPA) - Data Compliance and Privacy law for California residents. This law provides Californians the right to know what data is collected or sold, the right to access data, the ability to request its deletion, and the ability to opt out of it being collected or sold.
The Cybersecurity Maturity Model Certification (CMMC)- combines various cybersecurity standards and best practices and maps these controls and processes across maturity levels for Department of Defense contractors.

#36 - IPv6 Your Competitive Advantage (with Joe Klein) Jul 03, 2021

This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein. IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment. This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.

#35 - Setting Up an Application Security Program Jun 25, 2021

On this episode of CISO Tradecraft, you can learn how to build an Application Security program.

Start with Key Questions for
- Security
- IT Operations
- Application Development/Engineering Groups
Identify Key Activities
- Asset Discovery
- Asset Risk Prioritization
- Mapping Assets Against Compliance Requirements
- Setting up a Communications Plan
Perform Application Security Testing Activities
- SAST
- DAST
- Vulnerability Scanners
- Software Composition Analysis
- Secrets Scanning
- Cloud Security Scanning
Measure and Improve Current Vulnerability Posture through metrics
- The number of vulnerabilities present in an application
- The time to fix vulnerabilities
- The remediation rate of vulnerabilities
- The time vulnerabilities remain open
- Defect Density - number of vulnerabilities per server

We also recommend reading the Microsoft Security Developer Life Cycle Practices Link

For more great ideas on setting up an application security program please read this amazing guide from WhiteHat Security Link

If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail Link

#34 - Metrics that Matter Jun 18, 2021

What is measured gets done. However before you measure you need to think about how best to measure. On this episode of CISO Tradecraft, we provide you new insights into optimizing metrics that matter.

What is a Metric?

Metrics drive outcomes. Before picking a metric consider the following:

What data is required?
What stories can it tell?
What questions does it invite?
How sustainable is it?

When you report metrics highlight three things:

Status or Measure- Where is your company right now?
Trends- What direction is your company headed?
Goals- A description of where your company wants to be

Goals or Metrics should be SMART:

Specific, Measurable, Achievable, Realistic, and Time-based

For a helpful list of metrics that you might consider please check out the following list from Security Scorecard Link

Thank you again to our sponsor CyberArk, please check out their CISO Reports.

#33 - 10 Steps to Cyber Incident Response Playbooks Jun 11, 2021

On this episode of CISO Tradecraft, you can learn the 10 steps to Incident Response Planning:

Establish a Cyber Incident Response Team
Develop a 24/7 Contact list for Response Personnel
Compile Key Documentation of Business-Critical Networks and Systems
Identify Response Partners and Establish Mutual Assistance Agreements
Develop Technical Response Procedures for Incident Handling that your team can follow:
- External Media - An alert identifies someone plugged in a removable USB or external device
- Attrition - An alert identifies brute force techniques to compromise systems, networks, or applications. (Examples Attackers trying thousands of passwords on login pages)
- Web - A Web Application Firewall alert shows attacks carried out against your website or web-based application
- Email - A user reports phishing attacks with a malicious link or attachment
- Impersonation - An attack that inserts malicious processes into something benign (example Rogue Access Point found on company property)
- Improper Usage - Attack stemming from user violation of the IT policies. (Example employee installs file sharing software on a company laptop)
- Physical Loss- Loss or theft of a physical device (Example employee loses their luggage containing a company laptop)
Classify the Severity of the Cyber Incident
Develop Strategic Communication Procedures
Develop Legal Response Procedures
Obtain CEO or Senior Executive Buy-In and Sign-off
Exercise the Plan, Train Staff, and Update the Plan Regularly

To learn more about Incident Response Planning, CISO Tradecraft recommends reading this helpful document from the American Public Power Association

If you would like to automate security reviews of infrastructure-as-code, then please check out Indeni CloudRail Link

#32 - Brace for Incident (with Bryan Murphy) Jun 04, 2021

Special Thanks to our podcast Sponsor, CyberArk.

Experienced CISOs know that it's not a matter of if, but when. Incidents happen, and there is an established response strategy nicknamed PICERL that works:

(P)reparation
(I)dentification
(C)ontainment
(E)radication
(R)ecovery
(L)essons Learned

If we "shift left" with our incident planning, we can minimize our organizational risk -- thorough preparation, including establishing an environment of least privilege, significantly increases the challenge for an attacker, buys us time to identify early, and limits the damage potential from an incident.

This episode features Bryan Murphy, the Incident Response team leader at CyberArk. His insights from managing dozens of responses are invaluable, and they are now yours through this special episode

#31 - Executive Order on Improving the Nation’s Cybersecurity May 28, 2021

On this episode of CISO Tradecraft, you can learn about the new Executive Order on Improving the Nation's Cyber Security. The episode provides a brief background on three security incidents which have influenced the Biden administration:

SolarWinds
Microsoft Exchange Servers
Colonial Pipeline Attack

The episode then overviews the various sections of the new Executive Order:

Policy
Removing Barriers to Sharing Threat Information
Modernizing Federal Government Cybersecurity
Enhancing Software Supply Chain Security
Establish a Cyber Safety Review Board
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Improving the Federal Government’s Investigative and Remediation Capabilities
National Security Systems

Thanks to CyberArk for sponsoring this episode. Please check out CyberArk's new conference

#30 - Cloud Drift (with Yoni Leitersdorf) May 21, 2021

This episode is sponsored by Indeni.

On this episode of CISO Tradecraft, G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. Essentially it's quite common for organizations to change their cloud environment from what was declared in a Terraform or Cloud Formation Script. These unapproved cloud changes or Cloud Drift often create harmful misconfigurations and have the potential to create data loss events.

The podcast discusses the pros and cons of two key approaches to solve the Cloud Drift problem:

Static Security Testing in a build pipeline
Runtime Inventory Approaches

The podcast features Yoni Leitersdorf. Yoni founded a company (Indeni) to address Cloud Drift and discusses the business point of view of why this is a critical concern for the business. If you would like to learn more about what Yoni is working on please check out Indeni

Yoni Leitersdorf can also be found on: LinkedIn

Twitter

#29 - Identity and Access Management is the New Perimeter May 14, 2021

Identity is the New Perimeter. On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management. Key topics include:

Audit Trail
Authentication
Authorization
Identity Compromise
Least Privilege
Microsegmentation
Multi Factor Authentication (MFA)
Privileged Access/Account Management (PAM)
Role Based Access Control (RBAC)
Single Sign On (SSO)

#28 - AI and ML and How to Tell When Vendors Are Full of It May 08, 2021

Have you ever heard a vendor has software features such as Artificial Intelligence (AI) or Machine Learning (ML)? What does that mean? On this episode we answer those questions so you know when vendors are full of it.

Common reasons to use Artificial Intelligence
Types of Artificial Intelligence
What Machine Learning is
How Machine Learning works
How to select the right algorithm

References

How to Select Machine Learning Algorithms

ML Algorithm Cheat Sheet

63 Machine Learning Algorithms

#27 - Roses, Buds, & Thorns May 01, 2021

Today, CISO Tradecraft hosts a 5 minute discussion to talk about reflection. The concept is Roses, Buds, and Thorns. It’s an exercise designed to identify opportunities to make positive change.

Roses- What’s working
Buds - What are new ideas
Thorns- What do we need to stop

If you would like to learn more please check out the article from MITRE

We would love to hear your feedback here.

Thank you, CISO Tradecraft

#26 - Blockchain for CISOs Apr 23, 2021

On this episode CISO Tradecraft we dive into the world of blockchain. As a CISO you may be expected to explain to executives what the technology does and possibly how it works. Here's your briefing to make you successful. We'll cover:

History of money and birth of bitcoin
Why blockchain uniquely solves an age-old trust problem
Potential business uses of blockchain technology
Smart contracts and why they work
Blockchain variants such as private and permissioned

https://www.cisotradecraft.com

#25 - Slay the Dragon or Save the Princess? Apr 16, 2021

This episode CISO Tradecraft continues the Ransomware Discussion. Do you slay the dragon (avoid the ransom) or save the princess (recover your files)?

Talking points include:

Background on Ransomware
What if we choose to pay a ransom?
Is the Ransomware on the sanctions list?
Negotiation/Payments
Involving Law Enforcement
Involving Legal Council
Dealing with Cryptocurrencies

#24 - Everything you wanted to know about Ransomware Apr 08, 2021

Would you like to know more about Ransomware? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware. Key discussions include:

What is ransomware?
Why does it work?
Ransomware Types (Client-Side, Server-Side, & Hybrid)
- How each of these enter a target environment
Ransomware Incidents
The Economics of Ransomware
How is Ransomware Evolving?
Why Ransomware continues to work :(
Ethical Issues to consider before paying
Ransomware Defenses

Please subscribe to the CISO Tradecraft LinkedIn Group to get even more great content

CISA Ransomware Guide Link

#23 - NSA’s Top 10 Cybersecurity Mitigation Strategies Apr 02, 2021

If there's one place that knows how Advanced Persistent Threat (APT) actors work, it's the National Security Agency (NSA). On this episode of CISO Tradecraft G Mark Hardy and Ross Young discuss NSA's Top Ten Cybersecurity Mitigation Strategies and how to use them to secure your company.

Since the mitigation strategies are ranked by effectiveness against known APT tactics, they can be used to set the priorities for organizations to minimize mission impact from cyber attacks.

Update and Upgrade Software Immediately
Defend Privileges and Accounts
Enforce Signed Software Execution Policies
Exercise a System Recovery Plan
Actively Manage Systems & Configurations
Continuously Hunt for Network Intrusions
Leverage Modern Hardware Security Features
Segregate Networks using Application-Aware Defenses
Integrate Threat Reputation Services
Transition to Multi-Factor Authentication

Link to NSA's Material

#22 - Modern Software Development Practices Mar 26, 2021

Would you like to know the best practices in modern software development? On this episode G Mark Hardy and Ross Young overview the 12 Factor App and its best practices:

Codebase: One codebase tracked in revision control with many deploys.
Dependencies: Explicitly declare and isolate dependencies.
Config: Store configurations in the environment.
Backing Services: Treat backing services as attached resources
Build, Release, Run: Strictly separate build and run stages
Processes: Execute the app as one or more stateless processes.
Port Binding: Export services are via port binding.
Concurrency: Scale out via the process model.
Disposability: Maximize robustness with fast startups and graceful shutdowns.
Dev/Prod parity: Keep development, staging, and production as similar as possible.
Logs: Treat logs as event streams.
Admin Processes: Run admin/management tasks as one-off processes.

The episode of CISO Tradecraft discusses important software development concepts such as Extreme Programming, Lean Product Development, and User Centered Design Methodologies. To learn more about these important concepts please look at the Pivotal Process

#21 - Your First 90 Days as a CISO (with Mark Egan) Mar 19, 2021

This special episode features Mark Egan (Former CIO of Symantec as well as VMWare). Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College.

Three Questions to ask during any interview:

What do you like best about this role?
What are the most challenging pieces of this role?
What does success look like for this role one year into the future?

Five Step Plan for New CISOs:

Start with an assessment of the current “As-Is” IT architecture
Perform Business Requirements Analysis (What are the strategic objectives, tactical issues, and business environment).
Design of the Future “To Be” IT architecture (application architecture, organization architecture, network architecture, infrastructure architecture)
Gap Analysis = (Future - Present). This is the most important step as you need to determine a good list of alternatives for management. Talk to consultants and peers in other companies to see how you can come up with a wide range of solutions.
Options to Bridge the Gaps = (Cost, Time, & Business Environment). Present management with alternative approaches for transforming the organization. Remember speak in business terms and specify ways that align with business objectives. In terms of cyber it might be Ensuring Financially Significant Applications don’t have operational disruption, ensuring revenue and brand protection by securing internet facing applications, meeting compliance and regulatory concerns, etc.

Merritt College Overview Link

Volunteer to Help Merritt College Link

Contact Merritt College Link

Mark Egan LinkedIn Profile Link

#20 - Zero Trust Mar 12, 2021

Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon? On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft:

Microsoft's Zero Trust Principles
- Verify Explicitly
- Use Least Privileged Access
- Assume Breach

NIST 800-207 Seven Tenets of Zero Trust
1. All data sources and computing services are considered resources
2. All communication is secured regardless of network location
3. Access to individual enterprise resources is granted on a per-session basis
4. Access to resources is determined by dynamic policy
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communication and uses it to improve its security posture

Six Foundational Elements of Zero Trust
1. Identities
2. Devices
3. Applications
4. Data
5. Infrastructure
6. Networks

#19 - Team Building Mar 05, 2021

Every leader needs to know how to lead and manage a team. On this episode G Mark Hardy and Ross Young share tradecraft on team building.

Pitfalls to team building with becoming a hero
Organizational Maturity Models (Levels 1-5)
Tuckman Teaming Model (Forming, Storming, Norming, and Performing)
Leadership Styles (Telling, Selling, Participating, & Delegating)
Aligning your Team and Regaining former employees

#18 - Executive Presence Feb 26, 2021

Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles. On this episode G Mark Hardy and Ross Young discuss executive presence:

What is it
Why you need it
How to get it

We will discuss Gerry Valentine's 7 Key Steps to building Your executive presence:

Have a vision, and articulate it well
Understand how others experience you
Build your communication skills
Become an excellent listener
Cultivate your network and build political savvy
Learn to operate effectively under stress
Make sure your appearance isn't a distraction

#17 - Global War on Email Feb 19, 2021

If you use email, this episode is for you. Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education.)

These three tools all involve placing simple entries in your DNS records. To work effectively, the recipient also needs to be checking entries. They are:

SPF = sender policy framework; designates only mail from designated IP address(es) or mail server(s) are valid. For example: v=spf1 include:spf.protection.outlook.com
DKIM = domain keys identified mail; advertises a public key that can be used to validate all mail sent was signed with corresponding private key. For example: v=DKIM1\; k=rsa\; 0123456789ABCDEF…
DMARC = domain-based message authentication, reporting, and conformance; establishes policy of what recipient should do when message fails an SPF or DKIM check. For example: v=DMARC1; p='quarantine'

Check your settings at MXToolbox

Learn DMARC Link

Implementing these protections require a small amount of work but can yield outsized benefits. In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail.

Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS. Get the latest list from IANA

Great Background Reading from Australian Signals Directorate Link

Email Authenticity 101 Link

#16 - The Essential Eight Feb 12, 2021

The Australian Cyber Security Center (ACSC) believes that not all cyber security controls are created equal. The have assessed various strategies to mitigate cyber security incidents and determined there are eight essential cyber security controls which safeguard any organization more than another control. These controls are commonly known as, "The Essential Eight" are highly recommended.

Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications.
Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

Strategies to mitigate cyber incidents Link

Strategies to mitigate cyber incidents poster Link

Essential Eight Maturity Model Link Link

#15 - IT Governance Feb 05, 2021

As a CISO, one of the key functions you will be responsible for is IT Governance. On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce.

Examples include:

Policies
Control Objectives
Standards
Guidelines
Controls
Procedures
...

Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link

#14 - How to Compare Software Jan 29, 2021

At some point in time, a CISO will need to purchase new security technology. Whether it's antivirus, firewalls, or SIEMs you need to understand how to choose a product that will benefit your organization for years to come. This podcast discusses 5 different techniques that CISOs can apply to help with product selection

Perform Market Research to learn the players
- Gartner Magic Quadrant
- Forrester Wave
Leverage Vendor Comparison Tools to spot the features
- Mitre ATT&CK Evaluation
- AV-Comparatives
- MoSCoW Method (Must Have, Should Have, Could Have, & Will not Have)
- Pugh Matrix
Use Predictive Analysis tools to see the trends
Apply Problem Framing to understand the limitations and politics
- Define the Problem: List the current problem you are facing.
- State the Intended Objective: Identify the goal an organization is trying to achieve so that a consensus can be made when the original problem has been solved
- Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same.
- List any Implied Solutions: List early solutions that appear to address the initial problem. Likely these solutions may come from your direct boss who has a certain way of doing things.
- Identify the Gap- The gap is roughly the difference between the intended objective and the status quo. Essentially this is the opportunity cost your organization must use when comparing this against other problems in the organization.
- Identify the Trap- For each of the implied solutions imagine how you might build the product or service as directed and still not solve the intended objective.
- Explore Alternatives- Are there other solutions that avoid traps or gaps to address a problem that have not been previously evaluated?
Execute an Analytical Hierarchy Process (AHP) to remove bias
- AHP is a structured process that helps remove politics or bias from decision-making. It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria resulting in a weighted formula for all inputs. Those become the equation that is used to evaluate alternatives; each alternative is scored on its sub-criteria then summed up by relative weight, resulting in a relative scoring based on numeric analysis. For example, selecting a new product might involve evaluating three major criteria: cost, functionality, and maintenance. These are ranked pairwise on a relative scale of 1x-9x. For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality. From that comes a 40% - 40% - 20% ranking (all must sum to 100%). Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost. Thus, the 40% global weighting for cost would consist of local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%]

#13 - Executive Competencies Jan 22, 2021

Have you ever wanted to become an executive, but didn’t know what skills to focus on? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government). The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives.

Fundamental Competencies:

Interpersonal Skills
Oral Communication
Integrity/Honesty
Written Communication
Continual Learning
Public Service Motivation

Executive Core Qualifications

Leading Change
Leading People
Results Driven
Business Acumen
Building Coalitions

https://www.opm.gov/policy-data-oversight/senior-executive-service/executive-core-qualifications/#url=Overview

#12 - The Three Ways of DevOps Jan 15, 2021

Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security.

The three ways of DevOps consist of:

The First Way: Principles of Flow
The Second Way: Principles of Feedback
The Third Way: Principles of Continuous Learning

If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim

https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592

#11 - Cryptography Jan 08, 2021

Most organizations generate revenue by hosting online transactions. Cryptography is a key enabler to securing online transactions in untrusted spaces. Therefore it's important for CISOs to understand how it works. This episode discusses the fundamentals of cryptography:

What are the requirements for cryptography?
How long has cryptography been around?
Are there differences between legacy and modern cryptography?
Differences between symmetric and asymmetric encryption
Common use of encryption at rest
Encryption in transit

#10 - Securing the Cloud Jan 01, 2021

Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to understand. This episode provides an in depth discussion of AWS's 7 design principles for securing the cloud:

Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and rest
Keep people away from data
Prepare for security events

Please note the AWS Well-Architected Framework Security Design Principles can be found here: https://wa.aws.amazon.com/wat.pillar.security.en.html

Chapters

00:00 Introduction
02:33 Seven design principles for securing the cloud
04:17 Multi Factor Authentication (MFA)
05:59 How to prevent password guessing attacks on the cloud
08:19 How to limit access to your applications
11:05 How to enable traceability in your environment
13:15 The importance of cloud infrastructure
14:47 How to monitor security in the cloud
17:09 How to automate monitoring, alerting, and auditing
19:09 Configuring a strong identity foundation
20:52 How to have an effective real time view of what your developers have produced
22:48 How to automate your security best practices
26:42 How to protect your data in the cloud
28:36 How to limit access to your data
31:36 How to scan your APIs to protect your data
33:41 The importance of permissions in a data science environment
36:06 The importance of identity in cloud computing
41:30 Review of the 7 design principles for securing the cloud

#9 - Introduction to the Cloud Dec 25, 2020

Have you ever wanted to learn the basic fundamentals of the cloud? This podcast provides a 50,000 foot view of the cloud. Specific discussions include:

What is the cloud?
What types of clouds are there and what are the differences?
What is the term shared responsibility model and what does that mean for securing the cloud?

Chapters

00:00 Introduction
02:10 The Basics of Cloud Computing
06:20 Cloud Computing and Infrastructure as a Service Model
10:17 The different levels of responsibility in an Elastic Compute Cloud Environment
13:18 How to host a server in the cloud
15:33 The differences between IaaS, PaaS, and SaaS
17:30 The consequences of committing to the cloud
19:15 The rise of AWS locations
21:21 The politics of Cloud Provider Infrastructure
24:15 The benefits of the cloud
26:30 AWS's share responsibility model
30:43 The impediments to a high level of security in the cloud
34:46 How to sleep soundly with your data n the cloud
37:18 How to run a hybrid cloud
39:46 The challenges of hybrid clouds
43:03 Seven design principles for securing the cloud

#8 - Crucial Conversations Dec 18, 2020

CISOs often encounter situations where everyone has a different opinion, it's a high stakes decision, and emotions are running high. These situations create crucial conversations opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8 step process from the book, "Crucial Conversations."

Get Unstuck
Start With Heart
Master My Stories
State My Path
Learn To Look
Make IT Safe
Explore Others' Path
Move To Action

We recommend you visit the following Crucial Conversations Website to learn more https://www.vitalsmarts.com/crucial-conversations-training/

The Crucial Conversation Book can be found on Amazon https://www.amazon.com/dp/0071771328/ref=cm_sw_em_r_mt_dp_0Cj3FbY9KA429

Chapters

00:00 Introduction
02:13 How to have crucial conversations
06:14 How to make better decisions
09:54 The dangers of talking about business
14:26 The importance of clarifying what you really want
17:51 The importance of mutual respect
25:18 How to achieve a shared goal
29:11 How to partner together to stop terrorism
33:13 How to create a mutual purpose
37:08 How to speak your mind in a safe environment
40:52 The importance of being vulnerable
51:56 The importance of listening to people
54:56 How to be a successful CISO

#7 - DevOps Dec 11, 2020

On this Episode we will explore DevOps as a topic and discuss why you need to care as a CISO. Key discussions include:

What are the key principles behind DevOps?
What benefits does security see from DevOps?
What is a CI/CD pipeline?
What are common types of DevOps tools that I need to understand as a CISO?
Where does DevSecOps fit in?
What are 4 types of Application Security Testing tools we see in DevOps Pipelines?
What are 3 common ways to make DevOps / DevSecOps go viral in any organization?

Chapters

00:00 Introduction
04:56 DevOps - What are your thoughts?
08:57 Microsoft Super Patch Tuesday
13:03 DevOps - What's it all about?
14:22 What is CALMS (Culture, Automation, Lean, Measuring, & Sharing)
26:32 CI/CD
32:12 Containers & DevOps
33:45 Where does security fit in?
36:26 Application Security Testing
41:54 DevOps & DevSecOps - What are the tools?

#6 - Change Management Dec 04, 2020

If you want to make impact as a leader, then you need to understand how to lead change. This episode overviews Dr. John Kotter's 8-Step process to accelerating change.

Create a sense of urgency
Build a guiding coalition
Form a strategic vision and initiatives
Enlist a volunteer army
Enable action by removing barriers
Generate short-term wins
Sustain acceleration
Institute change

We highly recommend you read Kotter's ebook to learn more:

https://www.kotterinc.com/8-steps-process-for-leading-change/

Chapters

00:00 Introduction
04:25 Are you creating change without urgency?
07:16 How can we drive security into the mobile app experience?
10:55 How to build a guiding coalition to transform the organization
13:49 The one trick I've learned from public speaking
16:15 What's the 3rd step in creating a strategic vision and initiatives
19:12 A great strategic vision drives direction
20:50 How to accelerate the change in your organization
24:31 Creating partnerships to transform security
28:04 Identifying the barriers that are creating problems in your organization
33:01 How to document short term wins
36:13 The next step is sustained acceleration
39:28 How to anchor change in corporate culture
45:02 Leadership and management from a leadership perspective

#5 - Cyber Frameworks Nov 27, 2020

Cyber Frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39) as well as provides useful tips on how to implement them.

Chapters

00:00 Introductions
03:29 Creating a Framework for Cyber Security Programs
06:48 What are the Most Important Controls
11:08 Having an Inventory of Your Network Assets
14:01 Patch Tuesday and Remediation
18:20 Penetration Testing - The Last of the 20 SANS Controls
20:58 What's the NIST Cyber Security Framework
29:17 The Evolution of Security Controls
35:03 ISO 27000 Series Gap Analysis
40:03 Cyber is in the Business of Revenue Protection
44:53 The Risk Matrix - Likelihood and Impact
49:32 Risk Management & Continuous Vulnerability Management
51:41 Your four options? (Accept, Mitigate, Avoid, or Assign)

#4 - Asset Management Nov 20, 2020

If you want to assess your current level of security, then you should start with an asset management program. Asset management provides the basic building blocks to enable vulnerability management and remediation programs.

This podcast provides key lessons learned on what is required for effective asset management as well as discuss how asset management evolves with the cloud. Listeners will also learn important steps to take to create a world class asset management program.

Chapters

00:00 Introduction
02:00 The SANS Top 20 Controls
06:04 What if I don't have an Agent on my Endpoint?
09:08 Cloud Native CMDB Systems
11:35 Shadow IT in the Cloud
14:12 Software Bill of Materials for your Applications
19:33 What's the problem with older versions of software?
22:02 Is there a Vulnerability in Windows 10?
24:34 The Criticality of the Enterprise Patch Cycle
28:43 How do we have a Good Inventory?
31:34 Continuity of Operations & Disaster Recovery
33:17 Is your Asset Inventory Complete?
35:17 Is Asset Management Key for your Organization?

#3 - How to Read Your Boss Nov 13, 2020

The ability to persuade others is a core tradecraft for every CISO. This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers). After listening to this podcast, you will understand how to more effectively tailor your message to best influence each style of executive.

If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article, “Change the Way You Persuade”, by Gary A. Williams and Robert B. Miller

https://hbr.org/2002/05/change-the-way-you-persuade

Chapters

00:00 Introductions
03:04 How to Persuade a Charismatic Leader
06:49 How do you use Visual Aids to Help Thinkers
10:39 What approaches do you take with Skeptics?
15:47 How do we overcome Skeptics?
17:24 Are Followers Leaders?
20:58 Can we do a Pilot Program?
22:59 Strategic Tools to be more Successful in your Career
24:47 Do you have any experiences with Controllers?
28:03 How to use your Egos and their Past Experiences to your Advantage
31:06 The Pointy Haired Boss
36:35 How to Adapt a Leader's Style

#2 - Principles of Persuasion Nov 06, 2020

To become an effective CISO you need influence skills. On this episode we explore Robert Cialdini's book, "Influence" and discuss the psychology of persuasion. We will explore 6 key areas of influence:

Liking- If people like you - because they sense that you like them, or because of things you have in common - they're more apt to say yes to you
Reciprocity- People tend to return favors. If you help people, they'll help you. If you behave in a certain way (cooperatively, for example), they'll respond in kind
Social Proof- People will do things that they see other people doing- especially if those people seem similar to them
Commitment and Consistency- People want to be consistent, or at least to appear to be. If they make a public, voluntary commitment, they'll try to follow through
Authority- People defer to experts and to those in positions of authority (and typically underestimate their tendency to do so)
Scarcity- People value things more if they perceive them to be scarce

If you would like to more on this topic, then we recommend you read Cialdini's work:

Website https://www.influenceatwork.com/principles-of-persuasion/

Book https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X

Chapters