CISO Tradecraft

CISO Tradecraft header image 1
February 5, 2021  

CISO Tradecraft: IT Governance

As a CISO, one of the key functions you will be responsible for is IT Governance.  On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce. 

Examples include:

  • Policies
  • Control Objectives
  • Standards
  • Guidelines
  • Controls
  • Procedures
  • ...

Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link

January 29, 2021  

CISO Tradecraft: How to Compare Software

At some point in time, a CISO will need to purchase new security technology.  Whether it's antivirus, firewalls, or SIEMs you need to understand how to choose a product that will benefit your organization for years to come.  This podcast discusses 5 different techniques that CISOs can apply to help with product selection

  1. Perform Market Research to learn the players 

  2. Leverage Vendor Comparison Tools to spot the features
  3. Use Predictive Analysis tools to see the trends
  4. Apply Problem Framing to understand the limitations and politics 
    • Define the Problem: List the current problem you are facing.
    • State the Intended Objective: Identify the goal an organization is trying to achieve so that a consensus can be made when the original problem has been solved
    • Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same.
    • List any Implied Solutions: List early solutions that appear to address the initial problem. Likely these solutions may come from your direct boss who has a certain way of doing things.
    • Identify the Gap- The gap is roughly the difference between the intended objective and the status quo. Essentially this is the opportunity cost your organization must use when comparing this against other problems in the organization. 
    • Identify the Trap- For each of the implied solutions imagine how you might build the product or service as directed and still not solve the intended objective.
    • Explore Alternatives- Are there other solutions that avoid traps or gaps to address a problem that have not been previously evaluated?
  5. Execute an Analytical Hierarchy Process (AHP) to remove bias
    • AHP is a structured process that helps remove politics or bias from decision-making.  It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria resulting in a weighted formula for all inputs.  Those become the equation that is used to evaluate alternatives; each alternative is scored on its sub-criteria then summed up by relative weight, resulting in a relative scoring based on numeric analysis.  For example, selecting a new product might involve evaluating three major criteria:  cost, functionality, and maintenance.  These are ranked pairwise on a relative scale of 1x-9x.  For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality.  From that comes a 40% - 40% - 20% ranking (all must sum to 100%).  Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost.  Thus, the 40% global weighting for cost would consist of local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%] (1:3 ratio).  So, initial cost becomes 25% of the 40% of total cost = 10% of overall decision, and ongoing cost becomes 75% of the 40% of total cost = 30% of overall decision.  This may be repeated for other criteria at as many levels deep as desired, resulting in an overall weighting of input criteria based on simple pairwise comparisons.  Each candidate choice is now be scored for each criterion on a selected scale (e.g., Option A scores 4 of 10 for initial cost, Option B scores 8 of 10 for initial cost), and the weighted products are summed for a final score.
January 22, 2021  

CISO Tradecraft: Executive Competencies

Have you ever wanted to become an executive, but didn’t know what skills to focus on?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government).  The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives.


Fundamental Competencies:

  1. Interpersonal Skills
  2. Oral Communication
  3. Integrity/Honesty
  4. Written Communication
  5. Continual Learning
  6. Public Service Motivation

Executive Core Qualifications

  1. Leading Change
  2. Leading People
  3. Results Driven
  4. Business Acumen
  5. Building Coalitions


January 15, 2021  

CISO Tradecraft: The Three Ways of DevOps

Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security. 

The three ways of DevOps consist of:

  • The First Way: Principles of Flow
  • The Second Way: Principles of Feedback
  • The Third Way: Principles of Continuous Learning

If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim

January 8, 2021  

CISO Tradecraft: Cryptography

Most organizations generate revenue by hosting online transactions.  Cryptography is a key enabler to securing online transactions in untrusted spaces.  Therefore it's important for CISOs to understand how it works.  This episode discusses the fundamentals of cryptography:

  • What are the requirements for cryptography?
  • How long has cryptography been around?
  • Are there differences between legacy and modern cryptography?
  • Differences between symmetric and asymmetric encryption
  • Common use of encryption at rest
  • Encryption in transit
January 1, 2021  

CISO Tradecraft: Securing the Cloud

Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to understand.  This episode provides an in depth discussion of AWS's 7 design principles for securing the cloud:

  1. Implement a strong identity foundation
  2. Enable traceability
  3. Apply security at all layers
  4. Automate security best practices
  5. Protect data in transit and rest
  6. Keep people away from data
  7. Prepare for security events

Please note the AWS Well-Architected Framework Security Design Principles can be found here:

December 25, 2020  

CISO Tradecraft: Introduction to the Cloud

Have you ever wanted to learn the basic fundamentals of the cloud?  This podcast provides a 50,000 foot view of the cloud.  Specific discussions include:

  • What is the cloud?
  • What types of clouds are there and what are the differences?
  • What is the term shared responsibility model and what does that mean for securing the cloud?
December 18, 2020  

CISO Tradecraft: Crucial Conversations

CISOs often encounter situations where everyone has a different opinion, it's a high stakes decision, and emotions are running high.  These situations create crucial conversations opportunities where a CISO needs to be effective.  This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8 step process from the book, "Crucial Conversations."

  1. Get Unstuck 
  2. Start With Heart
  3. Master My Stories
  4. State My Path
  5. Learn To Look
  6. Make IT Safe
  7. Explore Others' Path
  8. Move To Action

We recommend you visit the following Crucial Conversations Website to learn more

The Crucial Conversation Book can be found on Amazon

December 11, 2020  

CISO Tradecraft: DevOps

On this Episode we will explore DevOps as a topic and discuss why you need to care as a CISO.  Key discussions include:

  1. What are the key principles behind DevOps?
  2. What benefits does security see from DevOps?
  3. What is a CI/CD pipeline?
  4. What are common types of DevOps tools that I need to understand as a CISO?
  5. Where does DevSecOps fit in?
  6. What are 4 types of Application Security Testing tools we see in DevOps Pipelines?

  7. What are 3 common ways to make DevOps / DevSecOps go viral in any organization?

December 4, 2020  

CISO Tradecraft: Change Management

If you want to make impact as a leader, then you need to understand how to lead change.  This episode overviews Dr. John Kotter's 8-Step process to accelerating change.

  1. Create a sense of urgency
  2. Build a guiding coalition
  3. Form a strategic vision and initiatives
  4. Enlist a volunteer army
  5. Enable action by removing barriers
  6. Generate short-term wins
  7. Sustain acceleration
  8. Institute change

We highly recommend you read Kotter's ebook to learn more:

Podbean App

Play this podcast on Podbean App