CISO Tradecraft®

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts.
Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr 
Chapters
00:00 Introduction
00:50 Guest's Background and Journey
05:27 Discussion on Security Data Pipeline
07:19 Introduction to SOAR
08:01 Benefits and Challenges of SOAR
12:40 Guest's Current Work and Company
14:04 Security Data Pipeline Modernization
22:20 Discussion on Vendor Integration
29:09 Security Pipeline Approach and AI
38:03 Closing Thoughts and Future Directions

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures.
CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/
OWASP Benchmark - https://owasp.org/www-project-benchmark/
Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo
Chapters
00:12 Introduction
00:56 The Lie of Accurate Inventory
05:29 The Lie of Accurate Risk Assessment
08:41 The Lie of Shifting Left in DevSecOps
13:45 The Lie of Certifications Ensuring Security
18:33 The Lie of Reporting Cyber Incidents in 72 Hours
20:44 The Lie of Accurate Application Security Tools
22:07 The Lie of Cybersecurity Not Being a Cost Center
24:44 Conclusion and Recap of Cybersecurity Lies 

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more. 
 
Link to the ORF - https://www.grf.org/orf
Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i
Chapters
00:12 Introduction
01:47 Introduction to Operational Resilience Framework
02:38 Understanding Resilience and Antifragility
03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity
09:43 Operational Resilience Framework: Steps and Principles
17:50 Preserving Datasets and Implementing Recovery Processes
20:18 Evaluating and Testing Your Disaster Recovery Plan
21:11 Recap of Operational Resilience Framework Steps
22:04 CISO Tradecraft Services and Closing Remarks

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge!
Earn CPEs: https://www.cisotradecraft.com/isaca
Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R
Chapters
00:00 Introduction
02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements.
05:25 2) CISO reporting structure changes. No more reporting to the CIO.
11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO.
13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries
16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession
19:44 6) AI-generated fraud will increase significantly
22:15 7) Shadow AI will result in Hidden Vulnerabilities
24:24 8) LLM attacks new vector for "AI-enabled" companies
27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur
31:44 10) Self-driving cars will encounter regulatory setback
34:02 Review of Last Year's Predictions
41:03 Actionable Items for the Future
41:29 Closing Remarks and Invitation for 2024

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation.
ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca
Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx-
Chapters
00:00 Introduction
01:08 Importance of Ongoing Support and Mentorship
01:46 The Role of Community in Training
03:03 Hands-on Exercises and Practical Experience
06:01 Success Stories and Testimonials
08:29 Incorporating Security Trends into Training
11:08 Balancing Security with Developer Productivity
18:17 Teaching Secure Coding Practices in Different Languages
20:27 Engaging and Motivating Participants
22:51 Promoting the Program: Engaging and Fun
23:37 Accommodating Different Learning Styles
24:16 Catering to Self-Paced Learners
26:19 Addressing Proficiency Levels and Remediation
28:55 Compliance with Privacy and Data Protection Regulations
30:48 Breaking Down Complex Security Concepts
32:05 Creating a Culture of Security Awareness
33:25 Partnerships and Collaborations in Secure Development
35:10 Feedback and Improvement of the Program
36:12 Cost Considerations for Secure Developer Training
39:20 Tracking Participants' Progress and Completion Rates
41:23 Trends in Secure Developer Training
43:42 Final Thoughts on Secure Developer Training

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode
ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca
Scott Russo - https://www.linkedin.com/in/scott-russo/
HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2
Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ
Youtube - https://youtu.be/NkrtTncAuBA 
Chapters
00:00 Introduction
03:00 Overview of Secure Developer Training Program
04:46 Motivation Behind Creating the Training Program
06:03 Objectives of the Secure Developer Training Program
07:45 Defining the Term 'Secure Developer'
14:49 Keeping the Training Program Current and Engaging
21:10 Real World Impact of the Training Program
21:46 Understanding the Cybersecurity Budget Argument
21:58 Incorporating Real World Examples into Training
22:26 Personal Experiences and Stories in Training
24:06 Industry Best Practices and Standards
24:18 Aligning with OWASP Top 10
25:53 Balancing OWASP Top 10 with Other Standards
26:12 The Importance of Good Stories in Training
26:32 Duration of the Training Program
28:37 Resources Required for the Training Program
32:23 Measuring the Effectiveness of the Training Program
36:07 Gamification and Certifications in Training
38:56 Tailoring Training to Different Levels of Experience
41:03 Conclusion and Final Thoughts
 

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies.
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca
CIO Wisdom Book - https://a.co/d/bmmZEAC
Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs
Chapters
00:00 Introduction
02:21 Building a Tactical and Strategic Plan
02:58 Assessing Your Current Cybersecurity Posture
03:11 Workforce Assessment and Rating
06:31 Understanding Your Cybersecurity Tools
08:29 Performing a Business Requirements Analysis
10:13 Defining the Desired Future State
12:03 Creating a Gap Analysis
14:14 Analyzing Current Options and Building a Roadmap
17:11 Presenting the New Plan to Management
21:36 Recap and Conclusion

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it!
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
Hunters - https://www.hunters.security/
Noam Brosh - https://www.linkedin.com/in/noam-brosh-5743938/
Transcripts: https://docs.google.com/document/d/1ArTixgEvRsVpLVdV2uVFAKCKSB2mBUKo
Youtube Link: https://youtu.be/ThEpI2_LpD8 
Chapters
00:00 Introduction and Welcome
01:20 Understanding the Role of SOC Tools
05:39 Challenges with Traditional SIEM Tools
08:48 The Shift to Data Lakes and the Impact on SIEMs
18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms
19:25 The Role of Automation in Modern SOC Tools
26:01 The Importance of Third-Party Connection Tools in SOC Tools
27:27 Trends and Disruptions in the SIEM Space
28:09 Addressing False Positives in SOC Tools
31:14 Outsourcing Aspects of SOC and Staffing
36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments
41:02 Reporting SOC Metrics to Executive Stakeholders

In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management.
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
Adlumin - https://adlumin.com/
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/
Transcripts: https://docs.google.com/document/d/1rWixzKgf_unanPlnoL6dt8qpEsbZj9lv
Chapters 
00:00 Introduction and Recap of the 10 Previous Skills
02:25 Skill #11) Incident Triage
04:21 Skill #12) Incident Response Frameworks
07:09 Skill #13) Communication
09:38 Skill #14) Collaboration
14:58 Skill #15) Documentation
19:35 Skill #16) Memory Analysis
22:36 Skill #17) Incident Containment and Eradication
25:31 Skill #18) Scripting and Automation
28:53 Skill #19) Cloud Security
31:10 Skill #20) Crisis Management
33:58 Recap of 20 SOC Skills and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy talks to Kevin O'Connor, the Director of Threat Research at Adlumin. They discuss the importance of comprehensive cybersecurity for Small to Medium-sized Businesses (SMBs), including law firms and mid-sized banks. The conversation explores the complexities of managing security infrastructures, the role of managed security service providers, and the usefulness of managed detection and response systems. The discussion also delves into the increasing threat of ransomware and the critical importance of managing data vulnerabilities and providing security awareness training.
Big Thanks to our Sponsor: Adlumin - https://adlumin.com/
Transcripts: https://docs.google.com/document/d/1V_qkMFdGC4NRLCG-80gcsiSA8ikT8SwP
Youtube: https://youtu.be/diCZfWWB3z8
 
Chapters
00:12 Introduction and Sponsor Message
01:42 Guest Introduction: Kevin O'Connor
02:29 Discussion on Cybersecurity Roles and Challenges
03:20 The Importance of Defense in Cybersecurity
04:23 The Role of Managed Security Services for SMBs
07:26 The Cost and Staffing Challenges of In-House SOCs
14:41 The Value of Managed Security Services for Legal Firms
16:30 The Threat Landscape for Small and Mid-Sized Banks
18:19 The Difference Between Compliance and Security
20:08 Understanding the Reality of Cybersecurity
20:45 The Challenges of Building IT Infrastructure
21:08 Outsourcing vs In-house Security Management
21:55 The Importance of Understanding Your Data
22:43 Security Operations Center vs Security Operations Platform
24:21 The Role of Managed Detection and Response
24:54 The Importance of Quick Response in Security
28:07 The Threat of Ransomware and Data Breaches
34:31 The Role of Pen Testing in Cybersecurity
36:33 The Growing Threat of Ransomware
38:28 The Importance of Security Awareness Training
40:42 The Role of Incident Response and Forensics
42:11 Final Thoughts on Cybersecurity

In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training.
Big Thanks to our Sponsor
Adlumin - https://adlumin.com/
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/
Transcripts: https://docs.google.com/document/d/1lE9Tz-um1II2aNX4JU-bQ-BND7fPNteE/
Chapters
00:00 Introduction
14:15 Skill 1) IT/Cyber Fundamentals
17:17 Skill 2) Incident Detection
18:34 Skill 3) Threat Intelligence
20:11 Skill 4) Cybersecurity Tools
24:12 Skill 5) Network Analysis
25:55 Skill 6) Endpoint Analysis
28:33 Skill 7) Log Analysis
32:41 Skill 8) Malware Analysis
35:20 Skill 9) Forensics
38:30 Skill 10) Vulnerability Assessment

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Amer Deeba, CEO and co-founder of Normalyze. They focus on the importance of data security in today's cloud-centric, multi-platform tech environment. Amer shares valuable insights on the need for a data security platform that offers a unified, holistic approach. The conversation also delves into the importance of understanding the value of your data, and how solutions such as Normalyze can accurately identify and classify sensitive data, measure its value, and mitigate risk of compromise. Ideal for CISOs and professionals navigating data security, this episode provides key recommendations for data visibility, security posture management, and response mechanisms, built around the principles of cybersecurity.
Big Thanks to our Sponsors
Normalyze - https://normalyze.ai/
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts: https://docs.google.com/document/d/1_z20Y5Xvs7qv6K9D2TUvM3ufLYSmXbvs
Chapters
00:00 Introduction
02:46 Understanding Data Security
03:58 The Importance of Data Security
04:21 The Challenges of Data Security
08:26 The Role of Data Security Posture Management
10:31 The Value of Data and Compliance
13:58 The Importance of Real-Time Data Protection
15:31 The Role of Encryption in Data Security
17:19 Understanding the Risks of Data Breaches
18:45 The Importance of Holistic Data Security
36:26 The Role of Anomaly Checks in Data Security
37:48 Understanding Generational Data
40:38 Conclusion and Contact Information

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen.
Big Thanks to our Sponsors
Haiku - https://www.haikuinc.io/
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts
https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q
Prefer to watch on YouTube?
https://www.youtube.com/watch?v=45eViHH_ktA 
Chapters
00:00 Introduction
03:38 What is Game-Based Learning?
07:55 Training Board of Directors
10:18 Gamification vs Game-Based Learning
14:30 Do Your Duties
21:09 Delaware Fiduciary Duties
22:54 Building a Forge
26:11 Tailored Game Types
33:35 Teaching Girl Scouts Linux Commands
40:17 Retaining Your Best People

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks.
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/iso-27001-certification/
Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0
Chapters
00:00 Introduction
04:22 Communication is a Requirement
09:34 How does cyber create value?
11:30 Culture and Operational Excellence
16:51 How does growth strategy align with cyber?
22:30 Intention Deficit Disorder
26:48 Accountability Loops
28:39 What's the evolution for a digital strategy?
32:02 Sharpen your axe
36:40 Digital Directors Network & Qualified Technical Experts

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out.
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H
Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf
Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf
Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/
Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ
https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war
Chapters
00:00 Introduction
01:57 Definition of Cyber War
04:18 Kinetic vs Cyber War
07:02 Goal of Offensive Cyber Operations
10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity)
11:33 Diplomatic, Information, Military, & Economic (DIME)
12:57 Proportionality
14:04 Law of Distinction
15:56 Tallinn Manual
18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks
23:47 Ukraine Cyber War
28:21 Comparing old tanks to old mainframes
39:55 Winning a Cyber War

On this episode we discuss the measuring results cheat sheet from Justin Mecham.  Key focuses include:
Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound)
Identifying KPIs (Key Performance Indicators)
Using the WOOP Model (Wish, Outcome, Obstacle, and Plan)
Using a Gap Analysis
Using the 5 Why Method
Using Plan, Do, Check, & Act.
Link to the Measuring Results Cheat Sheethttps://www.linkedin.com/posts/justinmecham_harvard-says-leaders-are-10x-more-likely-activity-7112050615576391681-Ro60/
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts https://docs.google.com/document/d/1Ok9cFBdubI6M4ubhcR0HZzmauHiU7fsN
Chapters
00:00 Introduction
03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound)
07:29 Key Performance Indicators
09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan)
09:59 Gap Analysis
12:36 Root Cause Analysis and the 5 Whys
14:09 Plan, Do, Check, and Act

On this episode we discuss the four key roles Boards play in cybersecurity.
Setting the company's vision and risk strategy
Reviewing assessment results
Evaluating management cyber risk stance
Approving risk management plans
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/
Chapters
00:00 Introduction
01:36 What is a Board of Directors and what do they do?
09:33 FFIEC requirements for Boards
16:51 Establishing an Information Security Culture
19:08 Vision and Risk Appetite
22:00 Reviewing Cyber Assessments
25:09 Are we secure?
32:44 Castle Walls and Attacks
33:37 Getting your budget requests approved
37:10 Using use or loose money and reserved funding

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/
Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L
Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS
Chapters
00:00 Introduction
06:02 The 4 Questions that allow you to measure twice cut once
09:29 How Data Flow Diagrams help teams
16:04 It's more than just looking at threats
19:23 Chasing the most fluid thing or the most worrisome thing
22:00 All models are wrong and some are useful
26:25 Actionable Remediation
31:05 LLMs and Threat Models

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail.  Many bad actors are using SMS spoofing and Social Engineering to get in.  Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them.  Pro-tip: Good MFA is your friend.  Use it everywhere you can including on your employees and customers during phone calls.  
Big Thanks to our Sponsor
Risk3Sixty - https://risk3sixty.com/whitepaper/
Mandiant Post - https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
Rachel Tobac Post - https://www.linkedin.com/feed/update/urn:li:activity:7108040643905474562 
Transcripts: https://docs.google.com/document/d/186g8y_8wMcBPwdaiFjduhRiXC88ice0T/
Chapters
00:00 Introduction
01:06 Improving the Attacker Odds at the Casino
04:09 SEC 8-K filings
13:28 MGM Timeline of attack
16:55 What can we do against these attacks?
22:51 Upgrading your MFA
24:16 Custom Authentication Strength
27:11 New Social Engineering Attacks
32:31 OKTA attacks

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/whitepaper/
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at www.cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach!
Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr 
Link to FAIR-MAM
https://www.fairinstitute.org/resources/fair-mam
Chapters
00:00 Introduction
02:16 What is the concept of material?
07:08 Investors increasingly seek information
11:21 Title 17 of the US Code Part 242
17:38 Backup and Recovery that is Resilient and Geographically Diverse
22:10 The New SEC requirements
26:38 Reporting Cyber Incidents
31:40 FAIR-MAM

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/whitepaper/
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teamsand executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% offtraining. Elevate your approach!
Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/ 
Chapters
00:00 Introduction
01:30 What are the CIS Critical Security Controls?
03:00 How have the CIS Critical Security Controls evolved over time?
05:30 What are the benefits of implementing the CIS Critical Security Controls?
07:30 The three crucial questions for implementing the CIS Critical Security Controls
10:30 How to prioritize the CIS Critical Security Controls
12:30 What are Implementation Groups?
13:37 Enterprise Profiles
14:00 Why are Implementation Groups important?
15:30 How to choose the right Implementation Group for your organization
19:46 Cost Breakdown
23:16 Thoughts on the CIS Study

In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips!
Thanks again to our Sponsors for supporting this episode:
Risk3Sixty: Check out Risk3Sixty's weekly thought leadership webinars and downloadable resources at https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!
References
AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
Secure Controls Framework: https://securecontrolsframework.com/scf-download/
Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/
Chapters
00:00 Introduction
04:28 Meeting Cybersecurity Controls and Understanding Applicable Regulations
11:28 Ensuring Compliance with Laws and Regulations
15:42 Handling Regulatory Change: Mapping Controls & Tracking Requirements
22:02 Navigating Regulatory Changes and Ensuring Compliance

Here's a nice overview of cybersecurity on passwords, authentication, rainbow tables, and password managers. Enjoy the show and check out our other podcasts.
Special Thanks to our Sponsors:
Risk3Sixty: Being able to clearly articulate your vision for your security program to the board and other executives within your firm is critical to obtaining the buy in you need for your program's success. Risk3Sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!
Transcripts: https://docs.google.com/document/d/1BD6LnITOpq6wrM2CsJzCHefN0Dw4hFp9 
Chapters
00:00 Introduction
02:02 Evaluating Password Management Solutions and Design-Making Approaches
05:36 Password Security and Authentication Methods
27:25 Background Sanitization, Password Storage, and Login Screen Risks
28:52 The Importance of Commercial Password Managers and Security Threats
31:27 Considerations for Choosing a Password Manager

Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape.
Special Thanks to our Sponsors:
The Chertoff Group: https://www.chertoffgroup.com
CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, andzero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!
Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/
Chapters
00:00 Introduction
01:49 How to Get More Sales at Blackhat
05:57 How to Differentiate Yourself From the Competition
10:05 How to Solve a Priority Problem
16:07 How to Achieve Bigger Goals Through Accelerating Teamwork
18:13 How to Find a CISO Job
20:30 How to follow a Rich Dad's Advice
22:59 How to Create an Opportunity Not Just for Yourself, but for Others
24:18 How to Create Value for Others
26:20 How to Provide Value to Others
28:21 The Power of Open-Ended Questions as a CISO
32:33 How to Ask Powerful Questions

On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company.
Special Thanks to our Sponsors:
The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/
Prelude: https://www.preludesecurity.com/
CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, andzero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!
Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/
Chapters
00:00 Introduction
02:33 The SEC's Final Rule on Cybersecurity Disclosure
05:29 What is a Material Incident?
07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk
10:03 The Four Day Rule for Incident Reporting
12:46 The Implications of the New Role of the CISO
15:46 The Ticking Clock on Disclosure
18:31 SolarWinds and the Software Chain Security Exposure
19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges
21:29 The Rise of the SBOM
23:16 The Rise of Expectations in the U.S. Government
25:02 The Future of Software Security
27:22 The Progress of the CMMC Program
29:59 The SEC Disclosure Requirements: What to Expect From Your Board
31:57 How to Reduce Complexity in Your Software Development Lifecycle
34:05 How AI is Impacting Our Business and Cyber
37:32 How to Measure and Manage Cyber Risks Effectively
39:57 The SEC's Final Rule on Disclosure