CISO Tradecraft

February 26, 2021  

CISO Tradecraft: Executive Presence

Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles.  On this episode G Mark Hardy and Ross Young discuss executive presence:

  • What is it
  • Why you need it
  • How to get it

We will discuss Gerry Valentine's 7 Key Steps to building your executive presence:

  1. Have a vision, and articulate it well
  2. Understand how others experience you
  3. Build your communication skills
  4. Become an excellent listener
  5. Cultivate your network and build political savvy
  6. Learn to operate effectively under stress
  7. Make sure your appearance isn't a distraction

February 19, 2021  

CISO Tradecraft: Global War on Email

If you use email, this episode is for you.  Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education).

Three tools (SPF, DKIM, and DMARC) all involve placing simple entries in your DNS records.  To work effectively, the recipient also needs to be checking these entries.  They are:

  • SPF = Sender Policy Framework; specifies that only mail from designated IP address(es) or mail server(s) is valid.  For example:  v=spf1 
  • DKIM = DomainKeys Identified Mail; advertises a public key that recipients can use to validate that mail sent was signed with the corresponding private key.  For example:  v=DKIM1\; k=rsa\; 0123456789ABCDEF…
  • DMARC = Domain-based Message Authentication, Reporting, and Conformance; establishes the policy for what a recipient should do when a message fails an SPF or DKIM check.  For example:  v=DMARC1; p=quarantine

Check your settings at Dmarcian

Implementing these protections requires a small amount of work but can yield outsized benefits.  In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail.
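As an added example (not from the episode or its hosts), the following Python sketch lints the TXT record values for the three controls and reports settings that weaken them. The domain example.com, the 192.0.2.0/24 range, and every sample record are constructed placeholders; fetching the records from DNS is left out so the script runs offline.

```python
# Added example: lint SPF, DKIM and DMARC TXT record values (all samples constructed).

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.replace("\\;", ";").split(";"):  # zone files escape ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    last = terms[-1]
    if last in ("all", "+all"):
        return ["+all authorizes every sender on the internet"]
    if last == "?all":
        return ["?all is neutral, so receivers get no usable policy"]
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        return ["no terminating all mechanism; unlisted senders default to neutral"]
    return []

def check_dkim(record):
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in a DKIM key record
        return ["unexpected DKIM version"]
    if not tags.get("p"):
        return ["missing or empty p= (no public key: revoked or truncated record)"]
    return []

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return [f"invalid p= value {policy!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

# Constructed sample records for the placeholder domain example.com
print(check_spf("v=spf1 ip4:192.0.2.0/24 +all"))
print(check_dkim("v=DKIM1\\; k=rsa\\; p="))
print(check_dmarc("v=DMARC1; p='quarantine'"))  # quoted value is not valid syntax
```

An empty list means the record passed these checks; it does not prove that receivers actually enforce the policy.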

Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS.  Get the latest list from IANA

Great Background Reading from Australian Signals Directorate Link

February 12, 2021  

CISO Tradecraft: The Essential Eight

The Australian Cyber Security Centre (ACSC) believes that not all cyber security controls are created equal.  They have assessed various strategies to mitigate cyber security incidents and determined there are eight essential cyber security controls which safeguard any organization more than any other control. These controls, commonly known as "The Essential Eight," are highly recommended.

  1. Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
  2. Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications.
  3. Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
  4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
  5. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
  6. Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
  7. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
  8. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

Strategies to mitigate cyber incidents Link Link 2

Essential Eight Maturity Model Link Link

February 5, 2021  

CISO Tradecraft: IT Governance

As a CISO, one of the key functions you will be responsible for is IT Governance.  On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce. 

Examples include:

  • Policies
  • Control Objectives
  • Standards
  • Guidelines
  • Controls
  • Procedures
  • ...

Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link

January 29, 2021  

CISO Tradecraft: How to Compare Software

At some point in time, a CISO will need to purchase new security technology.  Whether it's antivirus, firewalls, or SIEMs, you need to understand how to choose a product that will benefit your organization for years to come.  This podcast discusses 5 different techniques that CISOs can apply to help with product selection:

  1. Perform Market Research to learn the players
  2. Leverage Vendor Comparison Tools to spot the features
  3. Use Predictive Analysis tools to see the trends
  4. Apply Problem Framing to understand the limitations and politics 
    • Define the Problem: List the current problem you are facing.
    • State the Intended Objective: Identify the goal an organization is trying to achieve so that a consensus can be made when the original problem has been solved
    • Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same.
    • List any Implied Solutions: List early solutions that appear to address the initial problem. Likely these solutions may come from your direct boss who has a certain way of doing things.
    • Identify the Gap: The gap is roughly the difference between the intended objective and the status quo. Essentially this is the opportunity cost your organization must use when comparing this against other problems in the organization.
    • Identify the Trap: For each of the implied solutions imagine how you might build the product or service as directed and still not solve the intended objective.
    • Explore Alternatives: Are there other solutions that avoid traps or gaps to address a problem that have not been previously evaluated?
  5. Execute an Analytical Hierarchy Process (AHP) to remove bias
    • AHP is a structured process that helps remove politics or bias from decision-making.  It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria, resulting in a weighted formula for all inputs.  Those become the equation that is used to evaluate alternatives; each alternative is scored on its sub-criteria then summed up by relative weight, resulting in a relative scoring based on numeric analysis.  For example, selecting a new product might involve evaluating three major criteria:  cost, functionality, and maintenance.  These are ranked pairwise on a relative scale of 1x-9x.  For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality.  From that comes a 40% - 40% - 20% ranking (all must sum to 100%).  Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost.  Thus, the 40% global weighting for cost would consist of local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%] (1:3 ratio).  So, initial cost becomes 25% of the 40% of total cost = 10% of overall decision, and ongoing cost becomes 75% of the 40% of total cost = 30% of overall decision.  This may be repeated for other criteria at as many levels deep as desired, resulting in an overall weighting of input criteria based on simple pairwise comparisons.  Each candidate choice is now scored for each criterion on a selected scale (e.g., Option A scores 4 of 10 for initial cost, Option B scores 8 of 10 for initial cost), and the weighted products are summed for a final score.
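
The AHP arithmetic above, carried through as an added Python example (not from the episode). The pairwise judgments and the initial-cost scores of 4 and 8 come from the text; every other option score is constructed for illustration, and the weights are derived by column normalization, a common approximation of AHP's eigenvector method that is exact for consistent matrices such as these.

```python
# Added example: AHP weights and final scores for the cost/functionality/maintenance case.

def ahp_weights(pairwise):
    """Priority vector: normalize each column to sum to 1, then average each row."""
    n = len(pairwise)
    col_sums = [sum(row[j] for row in pairwise) for j in range(n)]
    return [sum(pairwise[i][j] / col_sums[j] for j in range(n)) / n
            for i in range(n)]

# pairwise[i][j] = how many times more important criterion i is than criterion j.
# Order: cost, functionality, maintenance (judgments taken from the text).
TOP_LEVEL = [[1,   1,   2],
             [1,   1,   2],
             [1/2, 1/2, 1]]
# Order: initial cost, ongoing cost (initial is 1/3 as important as ongoing).
COST_SUB = [[1, 1/3],
            [3, 1]]

def global_weights():
    """Multiply local sub-criteria weights by their parent's global weight."""
    cost, functionality, maintenance = ahp_weights(TOP_LEVEL)
    initial, ongoing = ahp_weights(COST_SUB)
    return {"initial cost": cost * initial,
            "ongoing cost": cost * ongoing,
            "functionality": functionality,
            "maintenance": maintenance}

def final_score(option_scores, weights):
    """Weighted sum of an option's 0-10 scores across all leaf criteria."""
    return sum(weights[name] * option_scores[name] for name in weights)

# Initial-cost scores (4 and 8) are from the text; the rest are constructed.
OPTION_A = {"initial cost": 4, "ongoing cost": 7, "functionality": 9, "maintenance": 6}
OPTION_B = {"initial cost": 8, "ongoing cost": 5, "functionality": 6, "maintenance": 7}

if __name__ == "__main__":
    weights = global_weights()
    for name, weight in weights.items():
        print(f"{name:14s} {weight:.0%}")
    print("Option A:", round(final_score(OPTION_A, weights), 2))
    print("Option B:", round(final_score(OPTION_B, weights), 2))
```

With these constructed scores, Option A wins despite its weaker initial-cost score, because initial cost carries only 10% of the overall decision.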

January 22, 2021  

CISO Tradecraft: Executive Competencies

Have you ever wanted to become an executive, but didn’t know what skills to focus on?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government).  The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives.


Fundamental Competencies:

  1. Interpersonal Skills
  2. Oral Communication
  3. Integrity/Honesty
  4. Written Communication
  5. Continual Learning
  6. Public Service Motivation

Executive Core Qualifications

  1. Leading Change
  2. Leading People
  3. Results Driven
  4. Business Acumen
  5. Building Coalitions


January 15, 2021  

CISO Tradecraft: The Three Ways of DevOps

Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security. 

The three ways of DevOps consist of:

  • The First Way: Principles of Flow
  • The Second Way: Principles of Feedback
  • The Third Way: Principles of Continuous Learning

If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim

January 8, 2021  

CISO Tradecraft: Cryptography

Most organizations generate revenue by hosting online transactions.  Cryptography is a key enabler to securing online transactions in untrusted spaces.  Therefore it's important for CISOs to understand how it works.  This episode discusses the fundamentals of cryptography:

  • What are the requirements for cryptography?
  • How long has cryptography been around?
  • Are there differences between legacy and modern cryptography?
  • Differences between symmetric and asymmetric encryption
  • Common use of encryption at rest
  • Encryption in transit

January 1, 2021  

CISO Tradecraft: Securing the Cloud

Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to understand.  This episode provides an in-depth discussion of AWS's 7 design principles for securing the cloud:

  1. Implement a strong identity foundation
  2. Enable traceability
  3. Apply security at all layers
  4. Automate security best practices
  5. Protect data in transit and at rest
  6. Keep people away from data
  7. Prepare for security events

Please note the AWS Well-Architected Framework Security Design Principles can be found here:

December 25, 2020  

CISO Tradecraft: Introduction to the Cloud

Have you ever wanted to learn the basic fundamentals of the cloud?  This podcast provides a 50,000-foot view of the cloud.  Specific discussions include:

  • What is the cloud?
  • What types of clouds are there and what are the differences?
  • What is the shared responsibility model and what does it mean for securing the cloud?