CISO Tradecraft®

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a Chief Information Security Officer (CISO) and learning about cyber security. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

Listen on:

  • Apple Podcasts
  • Google Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • Pandora
  • TuneIn + Alexa
  • iHeartRadio
  • PlayerFM
  • Listen Notes
  • Samsung
  • Podchaser
  • BoomPlay


5 days ago

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection.
Evil Proxy Attack-
Microsoft Attack -
Illinois Biometric Law -
00:00 Introduction
00:43 Understanding Multi Factor Authentication
01:05 Exploring Different Levels of Authentication
03:30 The Risks of Multi Factor Authentication
03:51 The Importance of Password Management
04:27 Exploring the Use of Trusted Platform Module for Authentication
06:17 Understanding the Difference Between TPM and HSM
09:00 The Challenges of Implementing MFA in Enterprises
11:25 Exploring Real-World MFA Mishaps
15:30 The Risks of Overprivileged Test Systems
17:16 The Importance of Monitoring Non-Production Environments
19:02 Understanding Consent Phishing Scams
30:37 The Legal Implications of Biometric Data Collection
32:24 Conclusion and Final Thoughts

Monday Feb 12, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception.
Link to the Cybersecurity First Principles Book:
00:00 Introduction
02:00 Guest's Career Journey and Achievements
08:49 Discussion on Cybersecurity First Principles
15:27 Understanding Materiality in Cybersecurity
21:56 The Gap Between Security Teams and Business Leaders
22:21 The Importance of Speaking the Language of Business
23:03 The Art of the Elevator Pitch
24:04 The Impact of Cybersecurity on Business Value
25:10 The Importance of a Clear Cybersecurity Strategy
26:04 The Value of Business Fluency in Cybersecurity
27:44 The Role of Risk Calculation in Cybersecurity
29:41 The Power of Estimation in Risk Management
30:33 The Importance of Understanding Business Imperatives
41:25 The Role of Culture and Risk Appetite in Cybersecurity
45:39 The First Principle of Cybersecurity

Monday Feb 05, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams.
Craig Barber's Profile:
00:00 Introduction
00:23 Understanding Cybersecurity Apprenticeships
02:43 The Role of Mentorship in Cybersecurity
04:09 The Benefits of Cybersecurity Apprenticeships
07:17 The Evolution of Apprenticeships in the Tech Industry
10:00 The Value of Apprenticeships in Building Loyalty
11:08 The Difference Between Internships and Apprenticeships
15:32 The Role of Apprenticeships in Addressing the Skills Shortage
19:15 The Challenges of Implementing Apprenticeships
26:28 The Future of Cybersecurity Apprenticeships
44:32 Conclusion: The Value of Cybersecurity Apprenticeships

Monday Jan 29, 2024

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity. 
00:00 Introduction
01:34 Cybersecurity Acronyms: Pre-1990s
02:26 STRIDE and DREAD Models
02:39 PICERL and MITRE Models
05:04 Defining Cybersecurity
07:52 CIA Triad and Its Importance
09:00 Confidentiality, Integrity, and Availability
11:52 The Parkerian Hexad
17:30 D.I.E. Triad Concept
24:28 Cybersecurity UPDATE
24:51 Unchanging
25:46 Perimeterizing
29:36 Distributing
29:50 Authenticating
33:58 Tracing
36:07 Ephemeralizing 

Monday Jan 22, 2024

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts.
00:00 Introduction
00:50 Guest's Background and Journey
05:27 Discussion on Security Data Pipeline
07:19 Introduction to SOAR
08:01 Benefits and Challenges of SOAR
12:40 Guest's Current Work and Company
14:04 Security Data Pipeline Modernization
22:20 Discussion on Vendor Integration
29:09 Security Pipeline Approach and AI
38:03 Closing Thoughts and Future Directions

#164 - The 7 Lies in Cyber

Monday Jan 15, 2024

Monday Jan 15, 2024

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures.
CloudGoat EC2 SSRF-
OWASP Benchmark -
Transcripts -
00:12 Introduction
00:56 The Lie of Accurate Inventory
05:29 The Lie of Accurate Risk Assessment
08:41 The Lie of Shifting Left in DevSecOps
13:45 The Lie of Certifications Ensuring Security
18:33 The Lie of Reporting Cyber Incidents in 72 Hours
20:44 The Lie of Accurate Application Security Tools
22:07 The Lie of Cybersecurity Not Being a Cost Center
24:44 Conclusion and Recap of Cybersecurity Lies 

Monday Jan 08, 2024

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more. 
Link to the ORF -
Transcripts -
00:12 Introduction
01:47 Introduction to Operational Resilience Framework
02:38 Understanding Resilience and Antifragility
03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity
09:43 Operational Resilience Framework: Steps and Principles
17:50 Preserving Datasets and Implementing Recovery Processes
20:18 Evaluating and Testing Your Disaster Recovery Plan
21:11 Recap of Operational Resilience Framework Steps
22:04 CISO Tradecraft Services and Closing Remarks

Monday Jan 01, 2024

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge!
Earn CPEs:
00:00 Introduction
02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements.
05:25 2) CISO reporting structure changes. No more reporting to the CIO.
11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO.
13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries
16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession
19:44 6) AI-generated fraud will increase significantly
22:15 7) Shadow AI will result in Hidden Vulnerabilities
24:24 8) LLM attacks new vector for "AI-enabled" companies
27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur
31:44 10) Self-driving cars will encounter regulatory setback
34:02 Review of Last Year's Predictions
41:03 Actionable Items for the Future
41:29 Closing Remarks and Invitation for 2024

Monday Dec 25, 2023

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation.
ISACA Event (10 Jan 2024) With G Mark Hardy -
00:00 Introduction
01:08 Importance of Ongoing Support and Mentorship
01:46 The Role of Community in Training
03:03 Hands-on Exercises and Practical Experience
06:01 Success Stories and Testimonials
08:29 Incorporating Security Trends into Training
11:08 Balancing Security with Developer Productivity
18:17 Teaching Secure Coding Practices in Different Languages
20:27 Engaging and Motivating Participants
22:51 Promoting the Program: Engaging and Fun
23:37 Accommodating Different Learning Styles
24:16 Catering to Self-Paced Learners
26:19 Addressing Proficiency Levels and Remediation
28:55 Compliance with Privacy and Data Protection Regulations
30:48 Breaking Down Complex Security Concepts
32:05 Creating a Culture of Security Awareness
33:25 Partnerships and Collaborations in Secure Development
35:10 Feedback and Improvement of the Program
36:12 Cost Considerations for Secure Developer Training
39:20 Tracking Participants' Progress and Completion Rates
41:23 Trends in Secure Developer Training
43:42 Final Thoughts on Secure Developer Training

Monday Dec 18, 2023

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode
ISACA Event (10 Jan 2024) With G Mark Hardy -
Scott Russo -
HBR Balanced Scorecard -
Transcripts -
Youtube - 
00:00 Introduction
03:00 Overview of Secure Developer Training Program
04:46 Motivation Behind Creating the Training Program
06:03 Objectives of the Secure Developer Training Program
07:45 Defining the Term 'Secure Developer'
14:49 Keeping the Training Program Current and Engaging
21:10 Real World Impact of the Training Program
21:46 Understanding the Cybersecurity Budget Argument
21:58 Incorporating Real World Examples into Training
22:26 Personal Experiences and Stories in Training
24:06 Industry Best Practices and Standards
24:18 Aligning with OWASP Top 10
25:53 Balancing OWASP Top 10 with Other Standards
26:12 The Importance of Good Stories in Training
26:32 Duration of the Training Program
28:37 Resources Required for the Training Program
32:23 Measuring the Effectiveness of the Training Program
36:07 Gamification and Certifications in Training
38:56 Tailoring Training to Different Levels of Experience
41:03 Conclusion and Final Thoughts

Monday Dec 11, 2023

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies.
Big Thanks to our Sponsors
Risk3Sixty -
ISACA Event (10 Jan 2024) With G Mark Hardy
CIO Wisdom Book -
Transcripts -
00:00 Introduction
02:21 Building a Tactical and Strategic Plan
02:58 Assessing Your Current Cybersecurity Posture
03:11 Workforce Assessment and Rating
06:31 Understanding Your Cybersecurity Tools
08:29 Performing a Business Requirements Analysis
10:13 Defining the Desired Future State
12:03 Creating a Gap Analysis
14:14 Analyzing Current Options and Building a Roadmap
17:11 Presenting the New Plan to Management
21:36 Recap and Conclusion

Monday Dec 04, 2023

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it!
Big Thanks to our Sponsors
Risk3Sixty -
Hunters -
Noam Brosh -
Youtube Link: 
00:00 Introduction and Welcome
01:20 Understanding the Role of SOC Tools
05:39 Challenges with Traditional SIEM Tools
08:48 The Shift to Data Lakes and the Impact on SIEMs
18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms
19:25 The Role of Automation in Modern SOC Tools
26:01 The Importance of Third-Party Connection Tools in SOC Tools
27:27 Trends and Disruptions in the SIEM Space
28:09 Addressing False Positives in SOC Tools
31:14 Outsourcing Aspects of SOC and Staffing
36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments
41:02 Reporting SOC Metrics to Executive Stakeholders

Monday Nov 27, 2023

In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management.
Big Thanks to our Sponsors
Risk3Sixty -
Adlumin -
Hasan Eksi's LinkedIn Profile:
00:00 Introduction and Recap of the 10 Previous Skills
02:25 Skill #11) Incident Triage
04:21 Skill #12) Incident Response Frameworks
07:09 Skill #13) Communication
09:38 Skill #14) Collaboration
14:58 Skill #15) Documentation
19:35 Skill #16) Memory Analysis
22:36 Skill #17) Incident Containment and Eradication
25:31 Skill #18) Scripting and Automation
28:53 Skill #19) Cloud Security
31:10 Skill #20) Crisis Management
33:58 Recap of 20 SOC Skills and Conclusion

Monday Nov 20, 2023

In this episode of CISO Tradecraft, host G Mark Hardy talks to Kevin O'Connor, the Director of Threat Research at Adlumin. They discuss the importance of comprehensive cybersecurity for Small to Medium-sized Businesses (SMBs), including law firms and mid-sized banks. The conversation explores the complexities of managing security infrastructures, the role of managed security service providers, and the usefulness of managed detection and response systems. The discussion also delves into the increasing threat of ransomware and the critical importance of managing data vulnerabilities and providing security awareness training.
Big Thanks to our Sponsor: Adlumin -
00:12 Introduction and Sponsor Message
01:42 Guest Introduction: Kevin O'Connor
02:29 Discussion on Cybersecurity Roles and Challenges
03:20 The Importance of Defense in Cybersecurity
04:23 The Role of Managed Security Services for SMBs
07:26 The Cost and Staffing Challenges of In-House SOCs
14:41 The Value of Managed Security Services for Legal Firms
16:30 The Threat Landscape for Small and Mid-Sized Banks
18:19 The Difference Between Compliance and Security
20:08 Understanding the Reality of Cybersecurity
20:45 The Challenges of Building IT Infrastructure
21:08 Outsourcing vs In-house Security Management
21:55 The Importance of Understanding Your Data
22:43 Security Operations Center vs Security Operations Platform
24:21 The Role of Managed Detection and Response
24:54 The Importance of Quick Response in Security
28:07 The Threat of Ransomware and Data Breaches
34:31 The Role of Pen Testing in Cybersecurity
36:33 The Growing Threat of Ransomware
38:28 The Importance of Security Awareness Training
40:42 The Role of Incident Response and Forensics
42:11 Final Thoughts on Cybersecurity

Monday Nov 13, 2023

In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training.
Big Thanks to our Sponsor
Adlumin -
Hasan Eksi's LinkedIn Profile:
00:00 Introduction
14:15 Skill 1) IT/Cyber Fundamentals
17:17 Skill 2) Incident Detection
18:34 Skill 3) Threat Intelligence
20:11 Skill 4) Cybersecurity Tools
24:12 Skill 5) Network Analysis
25:55 Skill 6) Endpoint Analysis
28:33 Skill 7) Log Analysis
32:41 Skill 8) Malware Analysis
35:20 Skill 9) Forensics
38:30 Skill 10) Vulnerability Assessment

Monday Nov 06, 2023

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Amer Deeba, CEO and co-founder of Normalyze. They focus on the importance of data security in today's cloud-centric, multi-platform tech environment. Amer shares valuable insights on the need for a data security platform that offers a unified, holistic approach. The conversation also delves into the importance of understanding the value of your data, and how solutions such as Normalyze can accurately identify and classify sensitive data, measure its value, and mitigate risk of compromise. Ideal for CISOs and professionals navigating data security, this episode provides key recommendations for data visibility, security posture management, and response mechanisms, built around the principles of cybersecurity.
Big Thanks to our Sponsors
Normalyze -
Risk3Sixty -
00:00 Introduction
02:46 Understanding Data Security
03:58 The Importance of Data Security
04:21 The Challenges of Data Security
08:26 The Role of Data Security Posture Management
10:31 The Value of Data and Compliance
13:58 The Importance of Real-Time Data Protection
15:31 The Role of Encryption in Data Security
17:19 Understanding the Risks of Data Breaches
18:45 The Importance of Holistic Data Security
36:26 The Role of Anomaly Checks in Data Security
37:48 Understanding Generational Data
40:38 Conclusion and Contact Information

Monday Oct 30, 2023

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen.
Big Thanks to our Sponsors
Haiku -
Risk3Sixty -
Prefer to watch on YouTube? 
00:00 Introduction
03:38 What is Game-Based Learning?
07:55 Training Board of Directors
10:18 Gamification vs Game-Based Learning
14:30 Do Your Duties
21:09 Delaware Fiduciary Duties
22:54 Building a Forge
26:11 Tailored Game Types
33:35 Teaching Girl Scouts Linux Commands
40:17 Retaining Your Best People

Monday Oct 23, 2023

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks.
Big thanks to our sponsor:
Risk3Sixty -
00:00 Introduction
04:22 Communication is a Requirement
09:34 How does cyber create value?
11:30 Culture and Operational Excellence
16:51 How does growth strategy align with cyber?
22:30 Intention Deficit Disorder
26:48 Accountability Loops
28:39 What's the evolution for a digital strategy?
32:02 Sharpen your axe
36:40 Digital Directors Network & Qualified Technical Experts

#151 - Cyber War

Monday Oct 16, 2023

Monday Oct 16, 2023

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out.
Big thanks to our sponsor:
Risk3Sixty -
Air Force Doctrine Publication 3-0 - Operations and Planning
Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat.
Tallinn Manual 1.0 published April 2013; 2.0 in 2017
Version 3.0 under development; inputs solicited at
00:00 Introduction
01:57 Definition of Cyber War
04:18 Kinetic vs Cyber War
07:02 Goal of Offensive Cyber Operations
10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity)
11:33 Diplomatic, Information, Military, & Economic (DIME)
12:57 Proportionality
14:04 Law of Distinction
15:56 Tallinn Manual
18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks
23:47 Ukraine Cyber War
28:21 Comparing old tanks to old mainframes
39:55 Winning a Cyber War

#150 - Measuring Results

Monday Oct 09, 2023

Monday Oct 09, 2023

On this episode we discuss the measuring results cheat sheet from Justin Mecham.  Key focuses include:
Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound)
Identifying KPIs (Key Performance Indicators)
Using the WOOP Model (Wish, Outcome, Obstacle, and Plan)
Using a Gap Analysis
Using the 5 Why Method
Using Plan, Do, Check, & Act.
Link to the Measuring Results Cheat Sheet
Big thanks to our sponsor:
Risk3Sixty -
00:00 Introduction
03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound)
07:29 Key Performance Indicators
09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan)
09:59 Gap Analysis
12:36 Root Cause Analysis and the 5 Whys
14:09 Plan, Do, Check, and Act

#149 - Board Perspectives

Monday Oct 02, 2023

Monday Oct 02, 2023

On this episode we discuss the four key roles Boards play in cybersecurity.
Setting the company's vision and risk strategy
Reviewing assessment results
Evaluating management cyber risk stance
Approving risk management plans
Big thanks to our sponsor:
Risk3Sixty -
Transcripts -
00:00 Introduction
01:36 What is a Board of Directors and what do they do?
09:33 FFIEC requirements for Boards
16:51 Establishing an Information Security Culture
19:08 Vision and Risk Appetite
22:00 Reviewing Cyber Assessments
25:09 Are we secure?
32:44 Castle Walls and Attacks
33:37 Getting your budget requests approved
37:10 Using use or loose money and reserved funding

Monday Sep 25, 2023

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?
Big thanks to our sponsor:
Risk3Sixty -
Adam Shostack's LinkedIn Profile -
Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars
Threat Modeling: Designing for Security Also check out the Threat Modeling Manifesto:
00:00 Introduction
06:02 The 4 Questions that allow you to measure twice cut once
09:29 How Data Flow Diagrams help teams
16:04 It's more than just looking at threats
19:23 Chasing the most fluid thing or the most worrisome thing
22:00 All models are wrong and some are useful
26:25 Actionable Remediation
31:05 LLMs and Threat Models

#147 - Betting on MFA

Monday Sep 18, 2023

Monday Sep 18, 2023

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail.  Many bad actors are using SMS spoofing and Social Engineering to get in.  Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them.  Pro-tip: Good MFA is your friend.  Use it everywhere you can including on your employees and customers during phone calls.  
Big Thanks to our Sponsor
Risk3Sixty -
Mandiant Post -
Rachel Tobac Post - 
00:00 Introduction
01:06 Improving the Attacker Odds at the Casino
04:09 SEC 8-K filings
13:28 MGM Timeline of attack
16:55 What can we do against these attacks?
22:51 Upgrading your MFA
24:16 Custom Authentication Strength
27:11 New Social Engineering Attacks
32:31 OKTA attacks

Monday Sep 11, 2023

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft
Big Thanks to our Sponsors
Risk3Sixty -
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at and use code 'cprimepod' for 15% off training. Elevate your approach!
Link to FAIR-MAM
00:00 Introduction
02:16 What is the concept of material?
07:08 Investors increasingly seek information
11:21 Title 17 of the US Code Part 242
17:38 Backup and Recovery that is Resilient and Geographically Diverse
22:10 The New SEC requirements
26:38 Reporting Cyber Incidents
31:40 FAIR-MAM

Monday Sep 04, 2023

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense".
Big Thanks to our Sponsors
Risk3Sixty -
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teamsand executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at and use code 'cprimepod' for 15% offtraining. Elevate your approach!
00:00 Introduction
01:30 What are the CIS Critical Security Controls?
03:00 How have the CIS Critical Security Controls evolved over time?
05:30 What are the benefits of implementing the CIS Critical Security Controls?
07:30 The three crucial questions for implementing the CIS Critical Security Controls
10:30 How to prioritize the CIS Critical Security Controls
12:30 What are Implementation Groups?
13:37 Enterprise Profiles
14:00 Why are Implementation Groups important?
15:30 How to choose the right Implementation Group for your organization
19:46 Cost Breakdown
23:16 Thoughts on the CIS Study

Copyright 2024 All rights reserved.

Podcast Powered By Podbean

Version: 20230822