CISO Tradecraft®

Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2024, National Security Corporation. All Rights Reserved

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • Pandora
  • TuneIn + Alexa
  • iHeartRadio
  • PlayerFM
  • Listen Notes
  • Podchaser
  • BoomPlay

Episodes

Monday Dec 25, 2023

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation.
ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca
Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx-
Chapters
00:00 Introduction
01:08 Importance of Ongoing Support and Mentorship
01:46 The Role of Community in Training
03:03 Hands-on Exercises and Practical Experience
06:01 Success Stories and Testimonials
08:29 Incorporating Security Trends into Training
11:08 Balancing Security with Developer Productivity
18:17 Teaching Secure Coding Practices in Different Languages
20:27 Engaging and Motivating Participants
22:51 Promoting the Program: Engaging and Fun
23:37 Accommodating Different Learning Styles
24:16 Catering to Self-Paced Learners
26:19 Addressing Proficiency Levels and Remediation
28:55 Compliance with Privacy and Data Protection Regulations
30:48 Breaking Down Complex Security Concepts
32:05 Creating a Culture of Security Awareness
33:25 Partnerships and Collaborations in Secure Development
35:10 Feedback and Improvement of the Program
36:12 Cost Considerations for Secure Developer Training
39:20 Tracking Participants' Progress and Completion Rates
41:23 Trends in Secure Developer Training
43:42 Final Thoughts on Secure Developer Training

Monday Dec 18, 2023

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode
ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca
Scott Russo - https://www.linkedin.com/in/scott-russo/
HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2
Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ
Youtube - https://youtu.be/NkrtTncAuBA 
Chapters
00:00 Introduction
03:00 Overview of Secure Developer Training Program
04:46 Motivation Behind Creating the Training Program
06:03 Objectives of the Secure Developer Training Program
07:45 Defining the Term 'Secure Developer'
14:49 Keeping the Training Program Current and Engaging
21:10 Real World Impact of the Training Program
21:46 Understanding the Cybersecurity Budget Argument
21:58 Incorporating Real World Examples into Training
22:26 Personal Experiences and Stories in Training
24:06 Industry Best Practices and Standards
24:18 Aligning with OWASP Top 10
25:53 Balancing OWASP Top 10 with Other Standards
26:12 The Importance of Good Stories in Training
26:32 Duration of the Training Program
28:37 Resources Required for the Training Program
32:23 Measuring the Effectiveness of the Training Program
36:07 Gamification and Certifications in Training
38:56 Tailoring Training to Different Levels of Experience
41:03 Conclusion and Final Thoughts
 

Monday Dec 11, 2023

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies.
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca
CIO Wisdom Book - https://a.co/d/bmmZEAC
Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs
Chapters
00:00 Introduction
02:21 Building a Tactical and Strategic Plan
02:58 Assessing Your Current Cybersecurity Posture
03:11 Workforce Assessment and Rating
06:31 Understanding Your Cybersecurity Tools
08:29 Performing a Business Requirements Analysis
10:13 Defining the Desired Future State
12:03 Creating a Gap Analysis
14:14 Analyzing Current Options and Building a Roadmap
17:11 Presenting the New Plan to Management
21:36 Recap and Conclusion

Monday Dec 04, 2023

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it!
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
Hunters - https://www.hunters.security/
Noam Brosh - https://www.linkedin.com/in/noam-brosh-5743938/
Transcripts: https://docs.google.com/document/d/1ArTixgEvRsVpLVdV2uVFAKCKSB2mBUKo
Youtube Link: https://youtu.be/ThEpI2_LpD8 
Chapters
00:00 Introduction and Welcome
01:20 Understanding the Role of SOC Tools
05:39 Challenges with Traditional SIEM Tools
08:48 The Shift to Data Lakes and the Impact on SIEMs
18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms
19:25 The Role of Automation in Modern SOC Tools
26:01 The Importance of Third-Party Connection Tools in SOC Tools
27:27 Trends and Disruptions in the SIEM Space
28:09 Addressing False Positives in SOC Tools
31:14 Outsourcing Aspects of SOC and Staffing
36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments
41:02 Reporting SOC Metrics to Executive Stakeholders

Monday Nov 27, 2023

In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management.
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
Adlumin - https://adlumin.com/
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/
Transcripts: https://docs.google.com/document/d/1rWixzKgf_unanPlnoL6dt8qpEsbZj9lv
Chapters 
00:00 Introduction and Recap of the 10 Previous Skills
02:25 Skill #11) Incident Triage
04:21 Skill #12) Incident Response Frameworks
07:09 Skill #13) Communication
09:38 Skill #14) Collaboration
14:58 Skill #15) Documentation
19:35 Skill #16) Memory Analysis
22:36 Skill #17) Incident Containment and Eradication
25:31 Skill #18) Scripting and Automation
28:53 Skill #19) Cloud Security
31:10 Skill #20) Crisis Management
33:58 Recap of 20 SOC Skills and Conclusion

Monday Nov 20, 2023

In this episode of CISO Tradecraft, host G Mark Hardy talks to Kevin O'Connor, the Director of Threat Research at Adlumin. They discuss the importance of comprehensive cybersecurity for Small to Medium-sized Businesses (SMBs), including law firms and mid-sized banks. The conversation explores the complexities of managing security infrastructures, the role of managed security service providers, and the usefulness of managed detection and response systems. The discussion also delves into the increasing threat of ransomware and the critical importance of managing data vulnerabilities and providing security awareness training.
Big Thanks to our Sponsor: Adlumin - https://adlumin.com/
Transcripts: https://docs.google.com/document/d/1V_qkMFdGC4NRLCG-80gcsiSA8ikT8SwP
Youtube: https://youtu.be/diCZfWWB3z8
 
Chapters
00:12 Introduction and Sponsor Message
01:42 Guest Introduction: Kevin O'Connor
02:29 Discussion on Cybersecurity Roles and Challenges
03:20 The Importance of Defense in Cybersecurity
04:23 The Role of Managed Security Services for SMBs
07:26 The Cost and Staffing Challenges of In-House SOCs
14:41 The Value of Managed Security Services for Legal Firms
16:30 The Threat Landscape for Small and Mid-Sized Banks
18:19 The Difference Between Compliance and Security
20:08 Understanding the Reality of Cybersecurity
20:45 The Challenges of Building IT Infrastructure
21:08 Outsourcing vs In-house Security Management
21:55 The Importance of Understanding Your Data
22:43 Security Operations Center vs Security Operations Platform
24:21 The Role of Managed Detection and Response
24:54 The Importance of Quick Response in Security
28:07 The Threat of Ransomware and Data Breaches
34:31 The Role of Pen Testing in Cybersecurity
36:33 The Growing Threat of Ransomware
38:28 The Importance of Security Awareness Training
40:42 The Role of Incident Response and Forensics
42:11 Final Thoughts on Cybersecurity

Monday Nov 13, 2023

In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training.
Big Thanks to our Sponsor
Adlumin - https://adlumin.com/
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/
Transcripts: https://docs.google.com/document/d/1lE9Tz-um1II2aNX4JU-bQ-BND7fPNteE/
Chapters
00:00 Introduction
14:15 Skill 1) IT/Cyber Fundamentals
17:17 Skill 2) Incident Detection
18:34 Skill 3) Threat Intelligence
20:11 Skill 4) Cybersecurity Tools
24:12 Skill 5) Network Analysis
25:55 Skill 6) Endpoint Analysis
28:33 Skill 7) Log Analysis
32:41 Skill 8) Malware Analysis
35:20 Skill 9) Forensics
38:30 Skill 10) Vulnerability Assessment

Monday Nov 06, 2023

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Amer Deeba, CEO and co-founder of Normalyze. They focus on the importance of data security in today's cloud-centric, multi-platform tech environment. Amer shares valuable insights on the need for a data security platform that offers a unified, holistic approach. The conversation also delves into the importance of understanding the value of your data, and how solutions such as Normalyze can accurately identify and classify sensitive data, measure its value, and mitigate risk of compromise. Ideal for CISOs and professionals navigating data security, this episode provides key recommendations for data visibility, security posture management, and response mechanisms, built around the principles of cybersecurity.
Big Thanks to our Sponsors
Normalyze - https://normalyze.ai/
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts: https://docs.google.com/document/d/1_z20Y5Xvs7qv6K9D2TUvM3ufLYSmXbvs
Chapters
00:00 Introduction
02:46 Understanding Data Security
03:58 The Importance of Data Security
04:21 The Challenges of Data Security
08:26 The Role of Data Security Posture Management
10:31 The Value of Data and Compliance
13:58 The Importance of Real-Time Data Protection
15:31 The Role of Encryption in Data Security
17:19 Understanding the Risks of Data Breaches
18:45 The Importance of Holistic Data Security
36:26 The Role of Anomaly Checks in Data Security
37:48 Understanding Generational Data
40:38 Conclusion and Contact Information

Monday Oct 30, 2023

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen.
Big Thanks to our Sponsors
Haiku - https://www.haikuinc.io/
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts
https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q
Prefer to watch on YouTube?
https://www.youtube.com/watch?v=45eViHH_ktA 
Chapters
00:00 Introduction
03:38 What is Game-Based Learning?
07:55 Training Board of Directors
10:18 Gamification vs Game-Based Learning
14:30 Do Your Duties
21:09 Delaware Fiduciary Duties
22:54 Building a Forge
26:11 Tailored Game Types
33:35 Teaching Girl Scouts Linux Commands
40:17 Retaining Your Best People

Monday Oct 23, 2023

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks.
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/iso-27001-certification/
Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0
Chapters
00:00 Introduction
04:22 Communication is a Requirement
09:34 How does cyber create value?
11:30 Culture and Operational Excellence
16:51 How does growth strategy align with cyber?
22:30 Intention Deficit Disorder
26:48 Accountability Loops
28:39 What's the evolution for a digital strategy?
32:02 Sharpen your axe
36:40 Digital Directors Network & Qualified Technical Experts

#151 - Cyber War

Monday Oct 16, 2023

Monday Oct 16, 2023

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out.
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H
Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf
Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf
Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/
Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ
https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war
Chapters
00:00 Introduction
01:57 Definition of Cyber War
04:18 Kinetic vs Cyber War
07:02 Goal of Offensive Cyber Operations
10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity)
11:33 Diplomatic, Information, Military, & Economic (DIME)
12:57 Proportionality
14:04 Law of Distinction
15:56 Tallinn Manual
18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks
23:47 Ukraine Cyber War
28:21 Comparing old tanks to old mainframes
39:55 Winning a Cyber War

#150 - Measuring Results

Monday Oct 09, 2023

Monday Oct 09, 2023

On this episode we discuss the measuring results cheat sheet from Justin Mecham.  Key focuses include:
Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound)
Identifying KPIs (Key Performance Indicators)
Using the WOOP Model (Wish, Outcome, Obstacle, and Plan)
Using a Gap Analysis
Using the 5 Why Method
Using Plan, Do, Check, & Act.
Link to the Measuring Results Cheat Sheethttps://www.linkedin.com/posts/justinmecham_harvard-says-leaders-are-10x-more-likely-activity-7112050615576391681-Ro60/
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts https://docs.google.com/document/d/1Ok9cFBdubI6M4ubhcR0HZzmauHiU7fsN
Chapters
00:00 Introduction
03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound)
07:29 Key Performance Indicators
09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan)
09:59 Gap Analysis
12:36 Root Cause Analysis and the 5 Whys
14:09 Plan, Do, Check, and Act

#149 - Board Perspectives

Monday Oct 02, 2023

Monday Oct 02, 2023

On this episode we discuss the four key roles Boards play in cybersecurity.
Setting the company's vision and risk strategy
Reviewing assessment results
Evaluating management cyber risk stance
Approving risk management plans
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/
Chapters
00:00 Introduction
01:36 What is a Board of Directors and what do they do?
09:33 FFIEC requirements for Boards
16:51 Establishing an Information Security Culture
19:08 Vision and Risk Appetite
22:00 Reviewing Cyber Assessments
25:09 Are we secure?
32:44 Castle Walls and Attacks
33:37 Getting your budget requests approved
37:10 Using use or loose money and reserved funding

Monday Sep 25, 2023

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/
Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L
Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS
Chapters
00:00 Introduction
06:02 The 4 Questions that allow you to measure twice cut once
09:29 How Data Flow Diagrams help teams
16:04 It's more than just looking at threats
19:23 Chasing the most fluid thing or the most worrisome thing
22:00 All models are wrong and some are useful
26:25 Actionable Remediation
31:05 LLMs and Threat Models

#147 - Betting on MFA

Monday Sep 18, 2023

Monday Sep 18, 2023

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail.  Many bad actors are using SMS spoofing and Social Engineering to get in.  Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them.  Pro-tip: Good MFA is your friend.  Use it everywhere you can including on your employees and customers during phone calls.  
Big Thanks to our Sponsor
Risk3Sixty - https://risk3sixty.com/whitepaper/
Mandiant Post - https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
Rachel Tobac Post - https://www.linkedin.com/feed/update/urn:li:activity:7108040643905474562 
Transcripts: https://docs.google.com/document/d/186g8y_8wMcBPwdaiFjduhRiXC88ice0T/
Chapters
00:00 Introduction
01:06 Improving the Attacker Odds at the Casino
04:09 SEC 8-K filings
13:28 MGM Timeline of attack
16:55 What can we do against these attacks?
22:51 Upgrading your MFA
24:16 Custom Authentication Strength
27:11 New Social Engineering Attacks
32:31 OKTA attacks

Monday Sep 11, 2023

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/whitepaper/
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at www.cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach!
Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr 
Link to FAIR-MAM
https://www.fairinstitute.org/resources/fair-mam
Chapters
00:00 Introduction
02:16 What is the concept of material?
07:08 Investors increasingly seek information
11:21 Title 17 of the US Code Part 242
17:38 Backup and Recovery that is Resilient and Geographically Diverse
22:10 The New SEC requirements
26:38 Reporting Cyber Incidents
31:40 FAIR-MAM

Monday Sep 04, 2023

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/whitepaper/
CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teamsand executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% offtraining. Elevate your approach!
Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/ 
Chapters
00:00 Introduction
01:30 What are the CIS Critical Security Controls?
03:00 How have the CIS Critical Security Controls evolved over time?
05:30 What are the benefits of implementing the CIS Critical Security Controls?
07:30 The three crucial questions for implementing the CIS Critical Security Controls
10:30 How to prioritize the CIS Critical Security Controls
12:30 What are Implementation Groups?
13:37 Enterprise Profiles
14:00 Why are Implementation Groups important?
15:30 How to choose the right Implementation Group for your organization
19:46 Cost Breakdown
23:16 Thoughts on the CIS Study

Monday Aug 28, 2023

In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips!
Thanks again to our Sponsors for supporting this episode:
Risk3Sixty: Check out Risk3Sixty's weekly thought leadership webinars and downloadable resources at https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!
References
AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
Secure Controls Framework: https://securecontrolsframework.com/scf-download/
Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/
Chapters
00:00 Introduction
04:28 Meeting Cybersecurity Controls and Understanding Applicable Regulations
11:28 Ensuring Compliance with Laws and Regulations
15:42 Handling Regulatory Change: Mapping Controls & Tracking Requirements
22:02 Navigating Regulatory Changes and Ensuring Compliance

Monday Aug 21, 2023

Here's a nice overview of cybersecurity on passwords, authentication, rainbow tables, and password managers. Enjoy the show and check out our other podcasts.
Special Thanks to our Sponsors:
Risk3Sixty: Being able to clearly articulate your vision for your security program to the board and other executives within your firm is critical to obtaining the buy in you need for your program's success. Risk3Sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!
Transcripts: https://docs.google.com/document/d/1BD6LnITOpq6wrM2CsJzCHefN0Dw4hFp9 
Chapters
00:00 Introduction
02:02 Evaluating Password Management Solutions and Design-Making Approaches
05:36 Password Security and Authentication Methods
27:25 Background Sanitization, Password Storage, and Login Screen Risks
28:52 The Importance of Commercial Password Managers and Security Threats
31:27 Considerations for Choosing a Password Manager

#142 - Powerful Questions

Monday Aug 14, 2023

Monday Aug 14, 2023

Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape.
Special Thanks to our Sponsors:
The Chertoff Group: https://www.chertoffgroup.com
CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, andzero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!
Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/
Chapters
00:00 Introduction
01:49 How to Get More Sales at Blackhat
05:57 How to Differentiate Yourself From the Competition
10:05 How to Solve a Priority Problem
16:07 How to Achieve Bigger Goals Through Accelerating Teamwork
18:13 How to Find a CISO Job
20:30 How to follow a Rich Dad's Advice
22:59 How to Create an Opportunity Not Just for Yourself, but for Others
24:18 How to Create Value for Others
26:20 How to Provide Value to Others
28:21 The Power of Open-Ended Questions as a CISO
32:33 How to Ask Powerful Questions

Monday Aug 07, 2023

On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company.
Special Thanks to our Sponsors:
The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/
Prelude: https://www.preludesecurity.com/
CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, andzero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!
Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/
Chapters
00:00 Introduction
02:33 The SEC's Final Rule on Cybersecurity Disclosure
05:29 What is a Material Incident?
07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk
10:03 The Four Day Rule for Incident Reporting
12:46 The Implications of the New Role of the CISO
15:46 The Ticking Clock on Disclosure
18:31 SolarWinds and the Software Chain Security Exposure
19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges
21:29 The Rise of the SBOM
23:16 The Rise of Expectations in the U.S. Government
25:02 The Future of Software Security
27:22 The Progress of the CMMC Program
29:59 The SEC Disclosure Requirements: What to Expect From Your Board
31:57 How to Reduce Complexity in Your Software Development Lifecycle
34:05 How AI is Impacting Our Business and Cyber
37:32 How to Measure and Manage Cyber Risks Effectively
39:57 The SEC's Final Rule on Disclosure

#140 - Bobby the Intern

Monday Jul 31, 2023

Monday Jul 31, 2023

Don't let Bobby the Intern cause havoc in your network. On this episode of CISO Tradecraft, G Mark Hardy discusses the importance of training new hires in cybersecurity to create a strong security culture within an organization. The focus is on shaping employees' behavior and beliefs to enhance the overall cybersecurity posture.
Special Thanks to our Two Sponsors:
1) The Chertoff Group: www.chertoffgroup.com
2) Prelude: https://www.preludesecurity.com/ 
Transcripts: https://docs.google.com/document/d/1Z4ftmqZdUMkxD6ATRRLp0EmO_DVluQ4n
Chapters
00:00 Introduction
03:57 How to Build a Security Culture
07:19 The Importance of a Good Username and Password
11:24 How to Use MFA to Protect Your Brand
12:50 How to Teach Your Employees About Phishing
17:07 How to Deal with External Email Addresses
20:30 How to Avoid a Business Email Compromise
22:42 How to Protect Your Website from Attackers
24:40 How to Secure Your Applications
26:46 The Importance of Threat Modeling
30:48 QR Codes and How to Use Them Effectively
32:34 Delaying Desktop Patches
34:36 How to Teach Your New Hires About Security
36:30 How to Orient Your New Employees

Monday Jul 24, 2023

On this episode we bring on CIA Veteran James "Jim" Lawler to discuss how spies are recruited, how individuals are turned, and what makes them vulnerable to being turned. Learn what managers and executives can and should know about their people to help them better understand who's at risk and the types of programs that executives can put into place to stop insider threats.
Special Thanks to our Two Sponsors:
1) Prelude: https://www.preludesecurity.com/
2) Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. Learn more at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
Be sure to read Jim's books
1) Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3Y5x2Sc
2) In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/43EkvpE 
Chapters
00:00 Introduction
02:24 The Importance of Recruiting Insiders
08:06 How to Be a Successful Case Officer
11:09 The Importance of Identifying Vulnerabilities in Insider Threats
14:00 The Cockamamie Recruitment Pitch Scheme
18:50 The Importance of Rationality in Espionage
21:10 The Complex Motivations for Espionage
23:49 The Key to Stress in a Target Life
27:34 The Importance of Listening to Your People
30:02 How to Be a Good Leader
35:02 The Metaphysics of Recruitment
37:31 How to Firewall a Threat to Your Organization
41:00 Living Lies
44:49 How to Be a Better Writer
49:31 How to Be a Better Threat Manager

Monday Jul 17, 2023

This week Rafeeq Rehman returns to discuss the 2023 updates to the CISO Mindmap. Note you can find his work here: https://rafeeqrehman.com/2023/03/25/ciso-mindmap-2023-what-do-infosec-professionals-really-do/
Thanks to our two sponsors for this episode.
1) Prelude: https://www.preludesecurity.com/
2) Risk3Sixty - Get a free copy of The Five CISO Archetypes eBook from risk3sixty. By reading this eBook, you will discover your strengths, weaknesses, areas where you need support from your team, and the types of organizations you best fit. The eBook also provides the tools to analyze organizations to understand their security priorities better. You will be able to use these tools to identify organizations that would most benefit from your natural strengths as a security leader. Organizations that you will love to work with and that would love to have you as part of their team. The steps outlined in this book will make you a more effective security leader and more satisfied with your career.
https://risk3sixty.com/whitepaper/five-ciso-archetypes-ebook/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook
Transcripts: https://docs.google.com/document/d/1tFhZ6DdzwG12dYXvuVpaZdmfNWBVFswx 
Chapters
00:00 Introduction
03:36 How to Write a Book
05:32 How to Master a Security Tool
09:19 Updating the Mind Map for 2023 and 2024
13:12 How to Resiliently Respond to Ransomware Attacks
16:15 The Importance of Redundancy in Security
19:18 How to Manage Your Security Budget Effectively
22:43 Building a Brand for a Security Organization
26:10 Untangle the Application Web of Components
29:38 The Importance of Software Build of Materials
33:28 How to Automate Security Operations
36:31 The Six Importances of a Security Mind Map
38:43 The Future of Generative AI
40:47 The Future of CISO Tradecraft

Monday Jul 10, 2023

Imagine if you could get 1% better every day at something and do this for an entire year. Well, that's 365 days. And you go, okay, fine. 1%. 1%. That's going to be like 3.65%, right? No, because it compounds. And if you go ahead and open up your calculator and you take 1.01 and you raise it to the 365th power you're going to get 37.78. On today's show we have Andy Ellis discuss ways to get 1% better as a leader.
Thanks to our two sponsors for this episode.
1) Prelude: https://www.preludesecurity.com/
2) Risk3Sixty - Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook 
1% Leadership Book: https://www.amazon.com/1-Leadership-Master-Improvements-Leaders-ebook/dp/B0B8YXJ2H1?&_encoding=UTF8&tag=cisotradecr05-20&linkCode=ur2&linkId=51e35f5bdcbe65e448e03d779143278c&camp=1789&creative=9325
Transcripts: https://docs.google.com/document/d/1Ul9N9cw579JMB_e7Vlk91_JpYxOBXQmx/
Chapters:
00:00 Introduction
02:09 Andy's career in cyber
04:04 The Butterfly Effect
06:06 How to Be 1% More Efficient at Cyber
09:01 The Importance of Uncloneability
10:57 The Importance of Personal Improvement in Leadership
14:21 The Importance of Commitment
16:10 The Importance of Feedback
20:23 Planning for a Sudden Change in Your Environment
26:51 How to Create Safety for Cyber Professionals
29:01 How to Face Adversity with Grace
30:36 The Importance of Culture in Email Security
32:11 The Importance of Delegation
33:55 Delegating vs Dumping
36:02 How to Reduce the Energy Cost of Inclusion
40:18 The Importance of Diversity in Organizations
42:07 Don't Borrow Evil
44:17 How to Build a Relationship with Business Leaders
46:49 How to Stop Hurting Your Team

Copyright 2024 All rights reserved.

Podcast Powered By Podbean

Version: 20241125