CISO Tradecraft®

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a Chief Information Security Officer (CISO) and learning about cyber security. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

Listen on:

  • Apple Podcasts
  • Google Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • Pandora
  • TuneIn + Alexa
  • iHeartRadio
  • PlayerFM
  • Listen Notes
  • Samsung
  • Podchaser
  • BoomPlay

Episodes

Monday Apr 10, 2023

Are you concerned about the security of your data? If so, you're in luck, because we have an incredible episode that has Brent Deterding discuss how to implement simple, easy, and cheap cybersecurity measures. 
One of the key takeaways from the episode is the importance of understanding, managing, and mitigating the risk of critical data being exposed, altered, or denied. Brent Deterding shares his top four tips for CISOs, which include implementing multi-factor authentication, device posture management, endpoint detection and response, and external patching. He emphasizes the importance of keeping things simple, easy, and cheap.
Overall, the episode emphasizes the importance of taking a proactive approach to cybersecurity and being prepared for potential cyber threats. Brett Dietrich shares his approach to reducing risk for his company when negotiating with underwriters.  Remember significant risk reduction is simple, easy, and cheap, so don't wait to implement these tools and strategies.
10 Immutable Laws of Security: https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security
Transcripts: https://docs.google.com/document/d/1eP7F8pD3kcrbja2sfSwSKGnJ-ADHviUt
Chapters:
00:00 Introduction
02:05 How to Protect Your Organization's Critical Data
01:43 Scenario of Protecting a Small Company
08:01 The 10 Immutable Laws of Security
14:26 Tips for CISOs
15:30 Simple, Easy, & Cheap is a Technology State
19:00 How Much Do You Care About Phishing Problems?
20:46 How to a be successful at RSA?
26:00 How to Enable the Business without Reducing Friction?
28:37 How to Adopt the Australian Essential 8
31:06 Team Platform vs Best of Bread
33:00 Those with a fear of vendor lock-in are retired
36:36 How to Save Money on Cyber Insurance
38:27 How to implement the Four Hills Strategy (MFA, EDR, Device Posture Management, & Patch Management)
40:57 How to Negotiate Effectively With Insurance Companies
42:48: Getting Material Risk Reduction is Simple, Easy, and Cheap

Monday Apr 03, 2023

In this episode of "CISO Tradecraft," G Mark Hardy discusses how to build an effective cyber strategy that executives will appreciate. He breaks down the four questions (Who, What, Why, and How) that need to be answered to create a successful strategy and emphasizes the importance of understanding how the company makes money and what critical business processes and IT systems support the mission. Later in the episode, Branden Newman shares his career path to becoming a CISO and his approach to building an effective cyber strategy. Newman stresses the importance of communication skills and the ability to influence people as the most critical skills for a CISO. He also shares his advice on how to effectively influence executives as a CISO.
Full Transcripts - https://docs.google.com/document/d/1nFxpOxVl6spkK-Y8GLU5q2f6R_4VD-a2
Chapters:
00:00 Introduction
01:06 The Four Questions (Who, What, Why, and How)
08:11 Building an accepted cyber strategy
09:19 Importance of communication skills for a CISO
10:19 Understanding financial statements
12:47 Following the money
14:09 Reputation and cybersecurity
15:24 Getting executive buy-in into cybersecurity
15:57 Building Trust with Executives
16:45 Security Enables New Elements of Business
17:13 Why Cybersecurity Gets Ignored
20:07 Framing Cybersecurity as a Competitive Advantage
21:19 Mistakes CISOs Make When Communicating with Executives
22:54 Telling Stories to Communicate with Executives
24:09 Using Business Cases and Examples
27:28 The Importance of Listening to the Executives
29:31 Making Informed Risk-Based Decisions
30:54 Building Trust and Champions
32:55 Building a Network of Trust
35:13 Being Pragmatic

Monday Mar 27, 2023

Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in.
Analysis of Competing Hypothesis https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
Christopher Crowley's Company https://montance.com/ 
Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr
Chapters
00:00 Introduction
02:30 The Morris Worm and the Internet
04:17 The Future of Cybersecurity
06:41 How to setup a shared drive for multitasking
10:26 The Evolution of Career Paths
12:02 The Importance of Methodology in Problem Solving
14:16 The Importance of Hypothesis in Cybersecurity
19:58 MITRE ATT&CK® Framework: A Two Dimensional Array
21:54 The Importance of a Foregone Conclusion Methodology
23:29 The Disruptor's Role in Hypothesis Brainstorming
25:18 The Importance of Resilience in Leadership
27:45 Methodologies and Threat Hunting
29:21 The Importance of Information Bias in Threat Hunting
34:31 How to Sort Hypothesis in a Spreadsheet
37:22 The Importance of Refining the Matrix
40:34 How to Automate Analysis of Competing Hypothesis

Monday Mar 20, 2023

Have you ever wanted to get a legal perspective on cybersecurity?  On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others.  He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general council.  Please enjoy. 
Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh
Chapters
00:00 Introductions
01:52 The Attorney Client Privilege
04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
06:30 CISO Disclaimer
09:23 Security Is a Component of Government Contracts
11:59 What are the Borders Between Information Security and Legal Risk
15:31 Cyber Security - Is there a Standard of Care?
18:11 Do you have a Reasonable Best Effort?
21:27 CMMC 2.0
26:22 Is your Privacy Policy going to expire?
28:30 What is Reasonable Assurance?
33:41 Advice for Partnering with the General Counsel

Monday Mar 13, 2023

Have you ever wondered how to negotiate your best CISO compensation package?  On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages.  Examples include but are not limited to: - Base Salary,
Bonuses (Annual, Relocation, & Hiring)
Reserve Stock Units
Annual Leave
Title (VP or SVP)
Directors & Officers Insurance
Accelerated Vesting Clauses
Severance Agreements
You can learn more about CISO compensations by Googling any of the following compensation surveys
Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...
Full Transcripts: https://docs.google.com/document/d/1e...
Chapters:
00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
11:44 Is there a signing bonus?
13:56 What's the difference between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should you counter an offer?
28:17 Corporate Liability Insurance
29:50 Do you want to be extended on the Director and Officer Insurance Policy?
32:56 How to negotiate a severance agreement
36:00 Compensation Survey Reports

Monday Mar 06, 2023

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in.  Sometimes ethical stances are clear and you know you are doing what’s right.  Others are blurry, messy, and really weigh on your mind.  So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Case where Joe Sullivan the Former Chief Security Officer of Uber was convicted of federal charges for covering up a data breach.  Thanks to Stephen Northcutt for coming on today's show.
Full Transcript https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9
Chapters
00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do you have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and say you are wrong
27:40 CISOs and CISOs - Is this a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO

Monday Feb 27, 2023

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.
Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
Gal's Twitter Page - https://twitter.com/Shpantzer
Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/
Chapters
00:00 Introduction
02:00 How do you Architect Big Data Data Infrastructure
03:33 Are you taking a look at Ransomware?
06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is there a Security Log
32:30 Streaming Analytics is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics

Monday Feb 20, 2023

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues?  Today we are going to overcome that by talking about what good governance looks like.  We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO.  We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li
Chapters
00:00 Introduction
03:10 Good Governances is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge is Taking Measured Risk
20:05 Is there a Cybersecurity Policy
22:32 Culture eats Policy for Lunch
24:14 The Role of the CISO
27:52 How do you Convince the Leadership Team that you need extra resources
29:51 How do you Measure Cybersecurity?
32:22 How do we communicate Risk Findings to Senior Management
36:07 Are you Aligning with the Audit Committee

Monday Feb 13, 2023

In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.
Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv 
Chapters
00:00 Introduction
04:01 Is there a Gap Analysis in ISO 27001?
08:05 Is there a Requirement for ISO Standards?
10:57 What is ISO 27001?
13:11 Is there a Parallel Development between the US and EU?
16:57 Do you want to be a trooper?
21:17 What's the Oldest Operating System?
23:09 Is there a Legacy Operating Systems that you can't get away with?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I need 6 people period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs

Monday Feb 06, 2023

How can cyber best help the sales organization?  It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.
Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/
Chapters
00:00 Introduction
02:58 How did you marry those two cultures?
06:40 Building a Diverse Workforce
08:23 Is this a new role based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
19:07 Is there a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do you have any lessons learned from your success at Global Management Consulting?
29:33 You need to schedule time to get things done
33:33 What about Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO

Monday Jan 30, 2023

Did you ever wonder how much security you can implement with a single vendor?  We did and were surprised by how much you can do using the Australian Top Eight as a template.  We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.
Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts:
https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ
Helpful Links
Essential 8 https://www.microsoft.com/en-au/business/topic/security/essential-eight
Blocking Macros https://ite8.com.au/the-essential-8/office-macros-explained/ 
Windows Defender Application Control or WDAC (available from Windows 10 or Server 2016 or newer) previously Windows had App Locker (Windows 7 / 8)
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Windows Group Policies
https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains 
https://data.iana.org/TLD/tlds-alpha-by-domain.txt 
Software Restriction Policies http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
Blocking websites URL - only allow (.com, .org, .net, edu, .gov, .mil, and the countries you want).   
Locking down Active Directory https://attack.stealthbits.com/tag/active-directory 
File Service Resource Management
http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
Enable MFA for RDP
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access  
https://duo.com/docs/rdp
Enable MFA for SSH
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux 
Windows Controlled Folder Access
https://support.microsoft.com/en-us/topic/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363
Use Windows File History to create backups to one drive.
https://www.ubackup.com/windows-10/file-history-backup-to-onedrive-4348.html
Storing your files to One Drive which has ransomware detection
https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
Windows Update
Select Start > Settings > Windows Update > Advanced options. Under Active hours, choose to update manually or automatically in Windows 11. 
https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde 
Microsoft Conditional Policies- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common 
Microsoft Authenticator with Number Matching, Geo, & Additional Context
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context 
https://websetnet.net/microsoft-rolls-out-new-microsoft-authenticator-features-for-enterprise-users/
Application Approve List- https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/

Monday Jan 23, 2023

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.  
 
Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb
Chapters:
00:00 Introduction
02:51 Source Code Analyzers
04:22 The three bears of Static Analysis
06:01 Do Linters work Better?
08:00 The Value of Full Programming Analysis Tools over Linters
11:30 The Impact of a Developer's Analysis on a Developer Environment
13:05 SAST Testing
15:47 OWASP Benchmarking
19:13 The First Static Analysis Tools
20:53 Can you break up that worry about Automated Testing?
22:44 Using Static Analysis for Defect Discovery
24:18 Using Static Analysis to Improve Web Security
31:37 Using Static Analysis to Drive Cloud Security
33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
34:55 Using Static Analysis to Build a Vulnerability Management Practice
37:35 Can you use Static Analysis to Find Insider Threat?

Tuesday Jan 17, 2023

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.
Special thanks to our sponsor Praetorian for supporting this episode.
Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj
Chapters:
00:00 Introduction
04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
07:48 What's the Difference between a CTO and a CIO?
10:24 What attracted you to the problem space?
12:53 Is the Attack Surface really exposed?
16:12 Shadow IT - The Unknown Unknowns that could Bite You
19:56 Is there a Shadow IT problem?
23:24 How to get management on board with Shadow IT?
26:38 Building an Attack Surface Management Program
29:57 You Get What You Measure, Right?
33:27 Do I Have Vulnerable Assets?
39:24 Attack Surface Management

#111 - Leading with Style

Monday Jan 09, 2023

Monday Jan 09, 2023

Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes?  Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes.  So sit back, relax, and enjoy CISO Tradecraft.
 
Show Notes with Pictures & References:
https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
Full Transcript:https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Monday Jan 02, 2023

Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023?  Listen to the episode to learn more about:
Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
Convergence of Security Tools
Collaboration Technology
Evolution of the Endpoint (Chromebooks or Browser Isolation)
Chatbots
Vague and unclear cyber laws
CISO liability increases
Umbrella IT general controls mapping
Companies will be less truthful during 3rd party questionnaires
Cyber defense will become more difficult because of people
Be sure to also check out G Mark Hardy's annual ISACA talk athttp://isaca-cmc.org/ 
Link to full transcripts of the podcast can be found here:https://docs.google.com/document/d/1RkrtkuunBn-qaU-Y9HvgHJzAKoIIszcW/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

#109 - The Right Stuff

Monday Dec 19, 2022

Monday Dec 19, 2022

Success leaves clues, but sometimes we limit ourselves by only looking close by for them.  This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice.  Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader.  Some of the essential skills we discuss on this episode of CISO Tradecraft are:
Be a leader
Manage money and resources
Differentiate yourself and your message
Communicate with clarity and emphasis
Delegate and hold subordinates accountable
Build a personal network
Mentor your team
Be adaptable
Be sensitive to cultural and political issues
Watch the details and ensure your management makes informed risk-based decisions &
Know your limitations
We thank our sponsor Nucleus Security for supporting this episode
Full Transcript: https://docs.google.com/document/d/1C357cX_4wKTRmhRUsGh_2d9vIMX5LspL/
Show links:
  https://www.smallbusiness.wa.gov.au/starting-and-growing/essential-business-skills
  https://cisotradecraft.podbean.com/e/108-budgeting-for-cisos-with-nick-vigier/
  https://nativeintelligence.com/
  https://github.com/cisotradecraft/Podcast#business-management--leadership
  https://www.ef.com/wwen/blog/efacademyblog/skills-for-success/
  https://www.criticalthinking.org/pages/defining-critical-thinking/766
  https://your.yale.edu/learn-and-grow-what-adaptability-workplace
  https://openai.com/blog/chatgpt/
  https://openai.com/dall-e-2/

Monday Dec 12, 2022

There's a lot of things you need to know as a CISO, but one of the things least taught is budgeting best practices.  On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic.  His conversations focus on spends vs investments.  Remember spends = overhead, whereas investments = growth.  Here's a great point.
[10:00] There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or things that I like to think about is the business has a limited appetite for risk management, but they have infinite appetite for profits and making money. 
So if you're able to frame them as how they're actually going to help accelerate the business or improve the business that brings the CEO and the CFO along on the journey, that you're not just there to lock the doors, you might actually be there to help put another floor on the building and that's a very different conversation.
We also thank our sponsor Nucleus Security for supporting this episode.
Full Transcript: https://docs.google.com/document/d/1nURiml3BJFnszFRA8qov1CgO_VkDFaCY

Monday Dec 05, 2022

Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management.  We also thank our sponsor Nucleus Security for supporting this episode.
Consistently tracking and prioritizing vulnerabilities is a difficult problem.  This episode talks about it in detail and helps you increase your understanding in:
Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so many
How CVSS base scores are actually calculated so you can understand its strengths and weaknesses
How Threat Intelligence Data improves CVSS scoring
Knowing which vulnerabilities are being actively exploited by bad actors through the CISA Known Exploited Vulnerabilities Catalog
Knowing with vulnerabilities are being exploited in your industry or organization
Knowing how the Exploit Prediction Scoring System (EPSS) can predict which vulnerabilities will be exploited soon
Learning about the Stakeholder-Specific Vulnerability Categorization Guide (SSVC)
Note a Full Transcript of this podcast can be found here:
https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/

Monday Nov 28, 2022

Are You Ready To Win Your First CISO role? Apply these techniques into your resume and interview process so both recruiters and hiring managers will offer you the job.  This show focuses on:
Highlighting the Different Types of CISO Roles
Showing how to progress from a Senior Director Role into a Fortune 100 CISO
Resume Tricks and Tips that get you noticed by recruiters
How to have a great interview with a recruiter
What Hiring Managers want to see from CISOs during their interviews
Please note the full show transcript can be found here https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn

Monday Nov 21, 2022

Would you like to hear a master class on what Technology professionals need to know about startups?  On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists.  Listen and learn more about:
What should a technology professional know about venture capital and dealing with venture capitalists?
What is the role of marketing?
What do engineers get wrong with helping businesses create profitable growth?
What is the value of a product?
Subscribe to the CISO Tradecraft LinkedIn Page

Monday Nov 14, 2022

Special Thanks to our podcast sponsor, Cymulate. 
On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:
Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
The level of vulnerabilities today is 30x what it was 10 years ago.  We have more IT infrastructure, complexity, and developers in our current environment.
In the pursuit of digital innovation, we are changing our IT infrastructure by the hour.  For Example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.  
Breach and Attack Simulation tooling address these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management.  This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized.  Key benefits of adopting Breach and Attack Simulation software include:
Managing organizational cyber-risk end to end
Rationalizing security spend
Prioritizing mitigations based on validated risks
Protecting against the latest threats in near real-time
Preventing environmental drift
 
Welcome back listeners and thank you for continuing your education in CISO Tradecraft.  Today we are excited to share with you a great episode focused on Breach and Attack Simulation software.  To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.
 
Starting from the beginning.  What is Breach and Attack Simulation software and why is this needed?  At the end of the day most companies are not on an island.  They need to connect to clients, partners, and vendors.  They need the ability for employees to visit websites.  They need to host public facing websites to sell products and services.  Each of these activities result in creating organizational assets such as IT equipment that has internet connectivity.  Now internet connectivity isn’t a bad thing.  Remember internet connectivity allows companies to generate income which allows the organization to exist.  This income goes to funding expenses like the cyber organization so that is a good thing.  
 
If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization.  So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk.  Now sometimes you will hear the terms Cyber Asset Attack Surface Management or (CAASM).  It’s also commonly referred to as continuous threat exposure management.  Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources.  Essentially they are designed to address key questions such as: 
How do we get an inventory of what we have?
How do we know our vulnerabilities? and 
How do we know which vulnerabilities might be exploited by threat actors?  
 
Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software.  Note Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique.  Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises.  Essentially you learn how bad actors can bypass your cyber tooling and safeguards.  This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform.  Example if I can take a normal user's laptop and spawn a Powershell Script or run a tool like MimiKatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity.  I also want to know if the Incident Response team blocked or disabled this account in a timely manner.  According to the 2022 Microsoft Digital Defense Report the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes.  The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes.  Remember the difference to responding to these attacks in minutes vs hours can be the difference between how much files get encrypted when ransomware actors get into your environment.  
 
Another thing that CISOs need to ensure is that vulnerabilities get fixed.  How do you test that?  You have to replay the attack.  
 
You can think of fire drills as the comparison.  If an organization only did one fire drill every 24 months, then chances are the company’s time to exit the building isn’t going to decrease all that much.  It’s likely to stay the same.  Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion.  The good thing on Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button.  This can save your penetration testing team hours over manual exploitation activities which would have to be repeated to confirm successful patches and mitigations.
 
If we look at Breach and Attack Simulation software the tools have typically come in two flavors.  One is an agent based approach.  Example.  A company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Protection software.  The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool.  The attack agent could also run similar attacks with how much malware the Antivirus detects, how much sensitive email it send outside the company despite there being an email protection solution.  These attack agents can also be placed on servers to determine how effective web applications firewalls are at stopping attacks.
 
Essentially having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools.  Now there’s a few concerns with this type of approach.  One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower.  Two, the time it takes to install and test agents means the value you can get out of these tools is delayed because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed.  Three, by having an agent you don’t always truly simulate what an attacker would do since you don't have to live off the land and gain permissions the attacker did.  Your agent may not be know to antivirus or EDR tools, but using windows libraries to gain access does. 
 
Now let’s compare this with an agentless approach.  This approach is quite popular since labs where agents are run don’t always look like a production environment.  Example they lack the amount of traffic, don’t possess the same amount of production data, or contain last month’s versions of software.  
 
Here attacker software may start with the premise what happens if someone from the Accounting Team opens an Excel document containing a malicious macro.  Let’s see how we can automate an attack after that initial compromise step occurs.  Then let’s walk through every attack identified by the Mitre Attack Framework and see what gets caught and what doesn’t.  The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness.  This might be something simple like adding a Windows Group Policy to stop an attack.  Also breach and attack simulation tools can provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred.  Example: Instead of knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk Signature that your SOC team can leverage.  That’s a great add to minimize the amount of time to improve your alerting capabilities.  
 
Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack.  It might be as simple as we stopped this attack before it could happen by applying the new Windows Group Policy or it took the team 4 hours to determine XYZ account had been taken over.  These metrics allow you to know how well your Response plans work.  So you get the value of a penetration test with the automation & scaling of vulnerability management tools.  
 
What’s even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.  
 
Example: Most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively.  Generally this is a manual process done in the Governance Risk and Compliance (GRC) team within a cyber organization.  GRC teams have to ask developers to provide evidence to various IT controls such as are you monitoring and alerting to privilege activity.  Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and these tools actually stopped various MITRE attacks immediately.  That evidence would minimize the data call which takes time from the developer teams. 
 

Monday Nov 07, 2022

Have you ever just met someone that was so interesting that you just sat and gave them your full attention?  On this episode of CISO Tradecraft, we have Bill Cheswick come on the show.  Bill talks about his 50 years in computing.  From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses.  He was also the first person to co-author a book on Internet Security.  So listen in and enjoy.Also special thanks to our sponsor, Obsidian Security.  You can learn more about them at: https://www.obsidiansecurity.com/sspm/

Monday Oct 31, 2022

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well.)  Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work.  Today we're going to give you a template for creating a personal development plan you can use with your team.  I also want to introduce you to a booklet that I keep on my desk.  It was written in 1899.  Do you have any idea what it might be?  Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own.
Let's take a moment to hear from today's sponsor Obsidian Security.
Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves.  But success shouldn't be a secret.  As Tony Robbins said, "success leaves clues."  One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship.  But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen.  Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.
Definitions
Let's start with what is a mentor - the dictionary definition is "an experienced and trusted adviser."  My definition is it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé.  Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids.  You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.
Mentor
Let's talk about the who, what, when, why, and how of being a mentor.  The WHO part is someone with experience and wisdom willing to share insights.  Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom should you meet and why.
The WHEN portion of mentoring is usually a condition of the type of relationship.  A traditional one-on-one mentor relationship may be established formally or informally.  We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor.  I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly.  Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth.  [Irish whiskey story]
The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance.  Mentoring is not like doing the dishes where anyone can do a competent job.  It requires empathy, communication skills, wisdom, and time commitment.  I'm at the point in my life and career where I actively try to help others who are not as old as I am.  Many times, that's appreciated, but some people seem to prefer to make all of their own mistakes and resist the effort.  Oh, well.  As my Latin teacher used to say, "suum quique" -- to each their own.
Finally, the HOW.  Mentors should prioritize their sessions by preparing in advance and setting aside time without interruptions.  Establish an agenda based upon specific requirements -- not just what the protégé wants but what the mentor believes he needs.  Martina Bretous published an article on HubSpot where she points out ten ways to be an amazing mentor:
Understand what you want out of the relationship.
Set expectations together in the very beginning.
Take a genuine interest in your mentee as a person.
Build trust.
Know when to give advice.
Don’t assume anything about your mentee – ask.
Share your journey.
Celebrate their achievements.
Seek out resources to help your mentee grow.
Be sure you have the bandwidth.
In summary, if you want to be a mentor and seek out the right people in whom to invest your time, here's a short checklist.  Look for protégés with a strong work ethic -- people who have built a reputation of delivering on time on budget.  Select only those people of the proper character -- you don't want to be teaching a sociopath how to take over the organization.  And you'll find you work better with others who share similar values.  If you value hard work, honesty, humility, and perseverance, look for those characteristics, or at least the potential to develop those characteristics, in your potential mentee.  We all know how hard it is to change ourselves.  Think about how much harder it is to change someone else.  In the end, you're just showing the way and it's up to the other person to take the appropriate actions, but you want to build a winning record of successful mentorships -- it doesn't help your own career if you're viewed as the incubator of failure.
Protege
As listeners of this show, you are likely in a position to be a mentor.  But that doesn't mean you can't benefit from having a mentor yourself.  Let's look at the who, what, when, why, and how of being a protégé.  The WHO is someone who can gain insight from a relationship with someone farther along in a given path.  Mentees may be assigned a mentor relationship, or they may seek out that relationship on their own.  Both are valid paths, and even if a formal program exists it's often up to the mentee to select from available mentors.  It doesn't always work the other way around [Navy mentor story.]
The WHAT is the reason for participating in this type of relationship.  Usually, it's to gain insight into career and professional goals, but as I mentioned earlier, it can be about most anything where you could learn from someone who's not in the role of a teacher or supervisor.
WHEN should you seek the advice of a mentor?  Well, there's probably never a time NOT to seek advice, but if you're heads-down in a long project that you enjoy or find yourself in a position where you're content and soon winding down your career, then I suppose you're fine going it alone.  Otherwise, after you've been in a position for a year or so and you've figured out your current role and how you fit in, that might be a suitable time to start looking for a mentor.
I think the WHY is obvious, but let's address it.  No one knows everything, but someone usually knows what you need.  Seeking a mentor is a rational way of gaining insights that can help move your career along.
And HOW do you become a protégé?  You need to a-s-k to g-e-t.  Potential mentors are usually busy people -- they don't go looking for more things to add to an already overwhelming calendar.  That said, the saying "if you want something done, give it to a busy person" is often true, because busy people are in the business of making things happen.  If your organization offers a mentorship program, jump at the opportunity.  Just make sure that the person with whom you are paired has the time, the expertise, and the interest to help you in your career.
When searching for a mentor, remember that you should have a clear goal in mind.  "Hey, I need a mentor" isn't very specific, and the Mr. Rodger's "won't you be my mentor?" isn't very compelling.  Rather, start with a specific objective.  For example, it could be, "how do I become fully qualified to become a first-line manager?" or "what does this organization look for when selecting a C-level executive?"  Once you have your goal, you can start your search, but remember that you need to stay professional.  You're not seeking a drinking buddy -- a mentor rarely is a peer (although technically I have heard of peer-to-peer mentoring, but that runs the risk of the parable of the two blind men who both fall into a ditch.)  You want someone with relevant knowledge and experience.  And ideally first develop a working relationship before you pop the question.  A busy mentor will feel more comfortable working with a known quantity than being left to wonder if this person represents a reputational risk.
Let's turn our conversation now to sponsors.
Sponsors
Executive coach May Busch recommends forming a career board of directors to advance your career.  She points out that you need both mentors and sponsors -- sponsors are those in your organization with sufficient clout to put you into key assignments and can advocate behind closed doors for your career advancement.  Wow -- sounds great; where do I sign up?  The issue is that you typically can't recruit sponsors; they come looking for you.  Like a mentee, a "sponsee" represents potential risk to sponsors -- they are putting their own credibility with peers on the line by advocating for you.  If you crash and burn, you both lose.
Like any sales effort, you shouldn't put all of your eggs in a single basket, so if you want to identify a potential sponsor, look for a couple of candidates.  Now, where you work there may be exactly one person who controls the vertical and the horizontal, but in most matrixed organizations, there is a range of opportunities to find advocacy.  Find out who is senior enough to influence the decisions that can affect your career and also whether they are "in on things" to ensure that recommendations move you in the right direction.  There are people who continue to serve past their key roles -- often called "emeritus" as an honorary title, but they probably aren't keeping up with the details.  Look for someone who is still actively "in the game."  And, like finding a mentor, you must identify a natural link between their business interests and your interests.  Now, the intersection of all these criteria might yield exactly zero people, and if so, it's up to you to figure out your own way forward.  But if you do identify potential sponsors, you need to attract their attention.  But how?
Your potential sponsors need to see you in action.  Find ways to deliver executive presentations where they are present or participate in working groups and let the quality of your work differentiate you from peers.  Circulate innovative ideas that represent a step forward for your organization.  The result of these efforts should be to get you noticed.  Note also that you can do this for members of your team.  You may want to sponsor them for bigger and better things but don't have the organizational capital to make it happen on your own initiative.  By placing your best people in front of these more powerful decision-makers, you can facilitate their sponsorship when one of them decides this person should be going places.
Now, it's not just about performance.  During COVID, most of us got comfortable working in bunny slippers from home, but that's not going to differentiate you to a potential sponsor.  If you want to convince executives that you're C-level material, then you need to consistently look the part.  Check your appearance.  Do you look like the other executives in your organization?  I spent 30 years in the military, so part of that "look" was proper grooming, a pressed neat uniform, and being physically fit.  I remember my last semiannual physical fitness test -- I scored 295 out of 300 points and the young Sailor taking scores remarked, "not bad for an old man."  But looking the part is important if you are going to be present yourself as a leader.  [story at CNL -- overweight memorandum.]  Now, I suppose if you work in a dot com startup and the founders all wear t-shirts and jeans every day, then wearing a three-piece suit is not going to help.  But find a way to align with the organization's senior leadership culture so that you don't look like an outsider, which translates into risk.
Make sure your office space isn't full of junk and clutter and your home background on Zoom calls looks like a professional office space (or at least blur out the background.)  Better yet, use a corporate-logo themed background which says, "I'm on the team."
Okay, so let's say you've done all this and are now looking like you just came out of casting for The West Wing and you're sufficiently visible to senior executives.  Beyond looking the part, you need to act the part.  Sit up straight in meetings; don't fiddle with your phone when executives are in the room, no matter how boring the conversation may be at that moment.  I remember back in 2000 when I was working at a startup, our CEO nearly lost our biggest client because she couldn't put down her Blackberry when we were briefing the client's head of security.  He was a retired Navy captain and remarked to me privately (as a fellow Navy officer) how offended he was that this person couldn't be bothered to put down that phone for half an hour and focus on the conversation.  Better yet?  There is a superpower that few people have but you could master if you're a phone addict -- leave your phone on your desk when you go to a meeting.  That's right -- separate yourself from your "life support unit."  Now, in some circumstances you feel you need it because, "what if they ask who's available for a meeting next week and I don't have my calendar?"  Bring your laptop or tablet instead, and only consult it when you're asked something that needs looking up to answer.  Remember, even a CEO doesn't get a pass on distractions when your biggest client is in the room.
In addition to looking the part and acting the part, you need to deliver.  Make sure your work is exceptional and error-free.  At the Pentagon we had a term -- "finished staff work."  It means that what you turn in is correct, complete, and free of grammatical or typographical errors EVERY TIME.  That's a tough discipline.  I was a computer science and mathematics major at Northwestern, and there was nothing I wanted to avoid more than an English composition or writing class -- after all, I was going to be a technologist.  Years later when I joined the staff of Booz|Allen, I saw the importance of mastering a professional writing style.  As a consultant, you live or die by the pen -- how well you write proposals and deliverables.  As I became more senior in both my civilian as well as my military career, I kept improving that ability to write well.  
A small but powerful book you should own and master is Strunk and White's The Elements of Style.  It's the most succinct summary of writing rules I've read -- think of it as a syntax guide to the English language.  Granted, some of these conventions are considered quaint or even obsolete -- the Oxford comma and two spaces after a sentence, but I still write that way.  There's no reason if you can write a program that will compile (or if you're a Python programmer, not throw a Syntax Error) that you cannot write English with the same consistency.
May Busch points out that there are four mistakes you can make that will ruin your attempts to attract a sponsor.  One, which seems obvious, is that you're perceived as lacking potential.  Note I said "perceived."  I think all of us have slightly inflated expectations of ourselves -- that's called a healthy ego, but let's face it:  some people are rightly classified as low potential, high achievers -- they work really hard to achieve mediocre results.  "But I do consistently outstanding work at my current job!"  Okay, I'll give you that.  But remember -- we're talking about getting a sponsor for the NEXT job, and if you're not virtue signaling that you can perform at the next level, then a wise boss is likely to leave you where you are -- delivering consistently outstanding work.  Remember my four-phase career model:  technical, management, leadership, political?  You can often move easily within one of those phases without sponsorship, but to get to the next level usually requires something or someone external to yourself.
The second disqualifier is to be seen as "selectively motivated," meaning you only put forth full effort at the last minute.  It's somewhat of a synonym for a procrastinator -- many of us know there's nothing like the last minute to make sure things get done.  Sure, there are important things that are urgent, but if your MO is to goof off until just before a deadline and then rush out a finished product, that calls into question your long-term reliability for more responsible assignments.
The third disqualifier is lack of self-confidence.  If you present yourself as hesitant and uncertain, you do not inspire confidence.  "Do you think, umm, maybe we might possibly consider doing this?" is not as reassuring as, "Here's what we're going to do."  I'm not advocating for arrogancy here; but if you secretly worry about imposter syndrome or a belief that you're not as good as others perceive you to be, then that's likely to leak out in your words and actions and cause potential sponsors to pause.
The fourth way you can discourage a potential sponsor is to be inappropriate.  You say and do the wrong things at the wrong time to the wrong people.  You put your feet up on the conference table or make inappropriate or even offensive jokes when no one was looking for that type of input.  Walking up a senior executive and saying, "won't you be my sponsor?" is another example.  It's fine for Mr. Rodgers to ask, "won't you be my neighbor?" but as you know by now, you have to become the one who attracts attention, not demands it.
Being Inspirational
One of the best ways to help others move forward is to show them an example of what represents success.  I mentioned earlier the booklet that sits on my desk -- have you figured out what it might be?  It's "A Message to Garcia" written by Elbert Hubbard, the founder of the Roycrofters in East Aurora NY.  Hubbard was a writer, publisher, artist, and philosopher, who wrote that he sat down and penned this essay after dinner in under an hour.  What started as article in his magazine grew rapidly.  After receiving requests for a thousand copies of that issue, he inquired as to the reason.  "It's the stuff about Garcia."  The New York Central Railroad reprinted over one million copies in booklet form.  The Director of Russian Railways was in New York, was so impressed that when he returned to Moscow, ensured a translated copy was given to every railroad employee in Russia.  Every Russian soldier in the Russo-Japanese war had a copy, and when the Japanese officials noted Russian prisoners of war all carried it, they concluded it must be a good thing, translated it into their language and gave copies to every employee of the Japanese government.  By December 1913, over forty million copies of A Message to Garcia had been printed.  Tragically, Hubbard died on the 7th of May 1915 as a passenger onboard RMS Lusitania, which was torpedoed by a German U-boat.  I have a number of his publications, but this is the one that I reread the most.  It's not that long -- less than fifteen hundred words, and if you haven't heard it before, you should, and if you have heard it before and you're like me, you'll want to hear it again.  Remember, the context is 1899.  Here is…
A Message to Garcia By Elbert Hubbard
In all this Cuban business there is one man stands out on the horizon of my memory like Mars at perihelion. When war broke out between Spain and the United States, it was very necessary to communicate quickly with the leader of the Insurgents. Garcia was somewhere in the mountain vastness of Cuba- no one knew where. No mail nor telegraph message could reach him. The President must secure his cooperation, and quickly.
What to do!
Some one said to the President, "There’s a fellow by the name of Rowan will find Garcia for you, if anybody can."
Rowan was sent for and given a letter to be delivered to Garcia. How "the fellow by the name of Rowan" took the letter, sealed it up in an oil-skin pouch, strapped it over his heart, in four days landed by night off the coast of Cuba from an open boat, disappeared into the jungle, and in three weeks came out on the other side of the Island, having traversed a hostile country on foot, and delivered his letter to Garcia, are things I have no special desire now to tell in detail. The point I wish to make is this: McKinley gave Rowan a letter to be delivered to Garcia; Rowan took the letter and did not ask, "Where is he at?" By the Eternal! there is a man whose form should be cast in deathless bronze and the statue placed in every college of the land. It is not book-learning young men need, nor instruction about this and that, but a stiffening of the vertebrae which will cause them to be loyal to a trust, to act promptly, concentrate their energies: do the thing- "Carry a message to Garcia!" General Garcia is dead now, but there are other Garcias.
No man, who has endeavored to carry out an enterprise where many hands were needed, but has been well nigh appalled at times by the imbecility of the average man- the inability or unwillingness to concentrate on a thing and do it. Slip-shod assistance, foolish inattention, dowdy indifference, and half-hearted work seem the rule; and no man succeeds, unless by hook or crook, or threat, he forces or bribes other men to assist him; or mayhap, God in His goodness performs a miracle, and sends him an Angel of Light for an assistant. You, reader, put this matter to a test: You are sitting now in your office- six clerks are within call. Summon any one and make this request: "Please look in the encyclopedia and make a brief memorandum for me concerning the life of Correggio". Will the clerk quietly say, "Yes, sir," and go do the task?
On your life, he will not. He will look at you out of a fishy eye and ask one or more of the following questions: 
 Who was he?
 Which encyclopedia?
 Where is the encyclopedia?
 Was I hired for that?
 Don’t you mean Bismarck?
 What’s the matter with Charlie doing it?
 Is he dead?
 Is there any hurry?
 Shan’t I bring you the book and let you look it up yourself?
 What do you want to know for?
And I will lay you ten to one that after you have answered the questions, and explained how to find the information, and why you want it, the clerk will go off and get one of the other clerks to help him try to find Garcia- and then come back and tell you there is no such man. Of course I may lose my bet, but according to the Law of Average, I will not.
Now if you are wise you will not bother to explain to your "assistant" that Correggio is indexed under the C’s, not in the K’s, but you will smile sweetly and say, "Never mind," and go look it up yourself.
And this incapacity for independent action, this moral stupidity, this infirmity of the will, this unwillingness to cheerfully catch hold and lift, are the things that put pure Socialism so far into the future. If men will not act for themselves, what will they do when the benefit of their effort is for all? A first-mate with knotted club seems necessary; and the dread of getting "the bounce" Saturday night, holds many a worker to his place. Advertise for a stenographer, and nine out of ten who apply, can neither spell nor punctuate- and do not think it necessary to.
Can such a one write a letter to Garcia?
"You see that bookkeeper," said the foreman to me in a large factory.
"Yes, what about him?"
"Well he’s a fine accountant, but if I’d send him up town on an errand, he might accomplish the errand all right, and on the other hand, might stop at four saloons on the way, and when he got to Main Street, would forget what he had been sent for."
Can such a man be entrusted to carry a message to Garcia?
We have recently been hearing much maudlin sympathy expressed for the "downtrodden denizen of the sweat-shop" and the "homeless wanderer searching for honest employment," and with it all often go many hard words for the men in power.
Nothing is said about the employer who grows old before his time in a vain attempt to get frowsy ne’er-do-wells to do intelligent work; and his long patient striving with "help" that does nothing but loaf when his back is turned. In every store and factory there is a constant weeding-out process going on. The employer is constantly sending away "help" that have shown their incapacity to further the interests of the business, and others are being taken on. No matter how good times are, this sorting continues, only if times are hard and work is scarce, the sorting is done finer- but out and forever out, the incompetent and unworthy go. It is the survival of the fittest. Self-interest prompts every employer to keep the best- those who can carry a message to Garcia.
I know one man of really brilliant parts who has not the ability to manage a business of his own, and yet who is absolutely worthless to any one else, because he carries with him constantly the insane suspicion that his employer is oppressing, or intending to oppress him. He cannot give orders; and he will not receive them. Should a message be given him to take to Garcia, his answer would probably be, "Take it yourself."
Tonight this man walks the streets looking for work, the wind whistling through his threadbare coat. No one who knows him dare employ him, for he is a regular fire-brand of discontent. He is impervious to reason, and the only thing that can impress him is the toe of a thick-soled No. 9 boot.
Of course I know that one so morally deformed is no less to be pitied than a physical cripple; but in our pitying, let us drop a tear, too, for the men who are striving to carry on a great enterprise, whose working hours are not limited by the whistle, and whose hair is fast turning white through the struggle to hold in line dowdy indifference, slip-shod imbecility, and the heartless ingratitude, which, but for their enterprise, would be both hungry and homeless.
Have I put the matter too strongly? Possibly I have; but when all the world has gone a-slumming I wish to speak a word of sympathy for the man who succeeds -- the man who, against great odds has directed the efforts of others, and having succeeded, finds there’s nothing in it: nothing but bare board and clothes. I have carried a dinner pail and worked for day’s wages, and I have also been an employer of labor, and I know there is something to be said on both sides. There is no excellence, per se, in poverty; rags are no recommendation; and all employers are not rapacious and high-handed, any more than all poor men are virtuous.
My heart goes out to the man who does his work when the "boss" is away, as well as when he is at home. And the man who, when given a letter for Garcia, quietly take the missive, without asking any idiotic questions, and with no lurking intention of chucking it into the nearest sewer, or of doing aught else but deliver it, never gets "laid off," nor has to go on a strike for higher wages. Civilization is one long anxious search for just such individuals. Anything such a man asks shall be granted; his kind is so rare that no employer can afford to let him go. He is wanted in every city, town and village- in every office, shop, store and factory. The world cries out for such: he is needed, and needed badly- the man who can carry a message to Garcia.
-THE END- 
In 2009 as president of the Association of the United States Navy, I wrote a short article entitled "A New Message to Garcia."  There I called out the actions of a Sailor who went above and beyond what was expected without even being asked.  I hope he went on to bigger and better things because he had the right stuff.
Take Action
Let's put all of this together.  One of the best ways to formalize mentoring is to create a written performance development plan.  We've included a sample template in the show notes.  This is a way to memorialize conversations with SMART goals -- you remember, specific, measurable, achievable, relevant, and time-bound?  If you are a mentor, you can use this as a template for your counseling sessions.  If you are a mentee and there is no template in your organization, feel free to introduce this to your mentor -- you're showing initiative and creating potential value for more people than just yourself.
By putting goals in writing, they experience a magical transformation.  It was Napoleon Hill who wrote that "a goal is a dream with a deadline."  Until you write it down, it's easy to find other things that seem more important or urgent at the moment.  In addition, a written set of goals offers accountability -- it's a commitment between mentor and mentee that can be honored like a contract.
Start with the manager's organizational priorities and goals that provide a context for the session.  For example, if you are in the cybersecurity organization, these could be things such as, "create a cyber vigilant organization," "enable cybersecurity controls and compliance," and "safeguard the organization against major threats."  Each of these could have subgoals that get into a little more detail -- awareness training for users, secure coding training for developers, establishing a governance structure around cyber risk.  This requires inside knowledge, and if the mentor is within the same organization, it shouldn't be too difficult to ascertain.  In addition, if the mentor is the supervisor, then even better -- this shows how the protégé's goals fit in with the boss's vision of what should happen.  Better to find out early on that an idea isn't practical then to spend a year working on it only to find out it will never be implemented.
Next, the protégé lists individual development goals.  Not too many, especially if you are meeting quarterly.  Two or three may be sufficient.  If there are too many things to work on, the natural tendency is to go for those that are easiest, which may not be the ones that are the most important.  Next comes the BHAG -- the big, hairy, audacious goal -- the one that will represent a signature accomplishment.  Chances are, this won't happen in a month or a quarter, but it's perfectly reasonable for an annual cycle to align with performance reviews to specify a stretch goal.  And by doing it in writing and knowing someone is holding accountability, it's more likely to happen.
When it comes to making progress, actions can be separated into experiences, relationships, and learning.  Most of our progress is done through experience, so list multiple experiences that one expects to accomplish before the next session.  It can be part of a larger goal -- work on the team deploying a SIEM or complete a particular phase of a larger project.  This is where the majority of the accountability will reside -- did you complete what you set out to do?  It's helpful to be a bit aspirational, but this isn't another set of stretch goals.
List at least two relationship improvement opportunities -- these can be key relationships or even potential sponsors.  For example, it could include the head of a particular business unit that has specific security requirements -- that meeting would help address those concerns and provide an opportunity for the person seeking visibility.
Lastly, include learning opportunities.  Not all of us are going to school full-time, but we all should be working on self-improvement.  For example, you might set a goal to complete the next course in your degree program or take the exam that grants a particular certification.
What you have is a template for action and professional growth.  The action comes from the accountability of a written document, and the growth comes from the joint goal-setting that takes place under the guidance of a mentor.  Don't just file it away with the rest of your paperwork -- put it where you'll see it every day and challenge yourself to check off another accomplishment by week's end.  By encouraging this culture of accomplishment, you'll significantly increase the probability of success.
Conclusion
Inside the front cover of my Garcia booklet is a short essay entitled "Initiative."  Let me leave you with this as a final thought:
The world bestows its big prizes, both in money and in honors, for but one thing. And that is Initiative.
What is Initiative?
I’ll tell you: it is doing the right thing without being told.
But next to doing the thing without being told is to do it when you are told once. That is to say, carry the Message to Garcia: those who can carry a message get high honors, but their pay is not always in proportion.
Next, there are those who never do a thing until they are told twice; such get no honors and small pay.
Next, there are those who do the right thing only when necessity kicks them from behind, and these get indifference instead of honors, and a pittance for pay. This kind spends most of its time polishing a bench with a hard-luck story.
Then, still lower down in the scale than this, we have fellow who will not do the right thing even when some one goes along to show him how and stays to see that he does it; he is always out of job, and receives the contempt he deserves, unless he happens to have a rich Pa, in which case Destiny patiently awaits around a corner with a stuffed club.
To which class do you belong?
Thank you for listening to CISO Tradecraft; we hope you've found this show valuable.  If you learned something that you like, please help us by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders.  The more CISOs we can help, the more businesses we can protect.  This is your host, G. Mark Hardy.  Thanks again for listening and stay safe out there.
References:
https://blog.hubspot.com/marketing/mentor-tips-positive-impact
https://www.businessnewsdaily.com/6248-how-to-find-mentor.html
https://www.businessnewsdaily.com/3504-how-to-mentor.html
https://maybusch.com/career-board-of-directors-advance-career/
https://maybusch.com/find-sponsor/
https://www.amazon.com/Elements-Style-4th-William-Strunk/dp/0205313426?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
https://www.nato.int/nrdc-it/about/message_to_garcia.pdf
https://gmarkhardy.com/Navy_Articles/NRA-0909%20A%20New%20Message%20to%20Garcia.pdf
Example: Individual Performance Plan
Name: ________________________________ Date:  ________________
Leadership's Cyber Priorities and Goals
      Create a Cyber Vigilant Organization
Cyber Awareness Training, Secure Developer Training, and Proper Risk Approval and Governance
      Enable Compliance, Controls, and Cyber Security 
Controls (IT General Controls & SOX), Audits, and Cyber Maturity Frameworks (ISO 27001, NIST CSF, or FFIEC)
      Safeguard the Business against Key Threats
Phishing and Ransomware, Software Vulnerabilities, and Third-Party Risks
Individual Development Goals
Goal:
Goal:
Signature Accomplishment
 My Big Goal is to accomplish …
Actions I am taking this year (How)
 Experiences (70%)
Experience 1
Experience 2
Experience 3

Relationships (20%)
Relationship Improvement Opportunity 1
Relationship Improvement Opportunity 2
Learning (10%)
Learning Opportunity
Support Needed from My Manager
I need help with …

Monday Oct 24, 2022

Special Thanks to our podcast sponsor, Obsidian Security.  
We are really excited to share today’s show on SaaS Security Posture Management.  Please note we have Ben Johnson stopping by the show so please stick around and enjoy.  First let’s go back to the basics:
Today most companies have already begun their journey to the cloud.  If you are in the midst of a cloud transformation, you should ask yourself three important questions:  
How many clouds are we in?
What data are we sending to the cloud to help the business?
How do we know the cloud environments we are using are properly configured?
Let’s walk through each of these questions to understand the cyber risks we need to communicate to the business as well as focus on one Cloud type that might be forecasting a major event.  First let’s look at the first question.  
How many clouds are we in?  It’s pretty common to find organizations still host data in on premises data centers.  This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location.  Example if you live in Florida you can expect a hurricane.  When this happens you might expect the data center to lose power and internet connectivity.  Therefore it’s smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event.  We can think of our primary data center and our backup data center as an On-Premises cloud.  Therefore it’s the first cloud that we encounter.  
The second cloud we are likely to encounter is external.  Most organizations have made the shift to using Cloud Computing Service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba.  Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises.  Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations you are in what is known as a hybrid cloud environment.  If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment.  Notice the difference between terms.  Hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers.  If you are using a Common Cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms.  Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings.
So let’s say your organization uses on premises and AWS but not Azure or GCP.  Does that mean you only have two clouds?  Probably not.  You see there’s one more type of cloud hosted service that you need to understand how to defend.  The most common cloud model organizations leverage is Software as a Service commonly pronounced as (SaaS). Frankly we don’t hear about SaaS security being discussed much which is why we are doing a deep dive on its security in this episode.  We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event.  So let’s look at SaaS Security in more depth.  
SaaS refers to cloud hosted solutions whereby vendors maintain most everything.  They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking.  It can be a huge win to run SaaS solutions since it minimizes the need to have IT staff running all of these IT services.  Example: Hiring HVAC folks to ensure we have proper heating and cooling for servers on premises won’t add new sales revenue to the business.  
Now that you understand why SaaS is important you should ask yourself.  How many external SaaS providers are we sending sensitive data to?  Every company is different but most can expect to find dozens to hundreds of SaaS based solutions.  Examples of external SaaS solutions commonly encountered by most businesses include: 
Service Now or Jira in use as a ticketing service, 
Salesforce for customer relationship management
Workday for HR information
G Suite or Microsoft Office 365 in use to send emails and create important documents
Github as a source code repository for developers
Zoom for virtual teleconferences
Slack for instant messaging like conversations
Okta for Identity and Access Management
Once you build out an inventory of your third parties hosted SaaS solutions, you need to understand the second question.  What kind of data is being sent to each service?  Most likely it’s sensitive data.  Customer PII and PCI data might be stored in Salesforce, Diversity or Medical information for employees is stored in Workday, Sensitive Algorithms and proprietary software code is stored in GitHub, etc.  OK so if it is data that we care about then we need to ensure it doesn’t get into the wrong hands.  We need to understand why we care about SaaS based security which is commonly known as SaaS Security Posture Management.  Let’s consider the 4 major benefits of adopting this type of service.  
Detection of Account Compromise.  Today bad actors use man in the middle attacks to trick users to give their passwords and MFA tokens to them.  These attacks also provide the session cookie credentials that allow a website to know a user has already been authenticated.  If attackers replay these session cookie credentials there’s no malware on the endpoints.  This means that Antivirus and EDR tools don’t have the telemetry they need to detect account compromise.  Therefore, you need log data from the SaaS providers to see anomalous activity such as changing IP addresses on the application.  Note we talked about this attack in much more detail on episode 87 From Hunt Team to Hunter with Bryce Kunze.  
In addition to detecting account compromises, we see that SaaS security posture management solutions also improve detection times and response capabilities.  Let’s just say that someone in your organization has their login credentials to Office 365 publicly available on the dark web.  So a bad actor finds those credentials and logs into your Office 365 environment.  Next the bad actor begins downloading every sensitive file and folder they can find.  Do you have a solution that monitors Office 365 activity for Data Loss Prevention?  If not, then you are probably going to miss that data breach.  So be sure to implement solutions that both log and monitor your SaaS providers so you can improve your SaaS incident detection and response capabilities.
A third benefit we have seen is improvements to configuration and compliance.  You can think of news articles where companies were publicly shamed when they lost sensitive data by leaving it in a Public Amazon S3 bucket when it should have been private.  Similarly there are settings by most SaaS solutions that need to be configured properly.  The truth is many of these settings are not secure by default.  So if you are not looking at your SaaS configurations then access to sensitive data can become a real issue.  Here’s an all too common scenario.  Let’s say your company hires an intern to write a custom Salesforce page that shows customer documents containing PII.  The new intern releases updates to that webpage every two weeks.  Unfortunately the intern was never trained on all of the Salesforce best practices and creates a misconfiguration that allows customer invoices to be discovered by other customers.  How long would this vulnerability be in production before it’s detected by a bad actor?  If you think the answer is < 90 days, then performing yearly penetration tests is probably too slow to address the brand damage your company is likely to incur.  You need to implement a control that finds vulnerabilities in hours or days not months.  This control might notify you of compliance drift in real time when your Salesforce configuration stopped meeting a CIS benchmark.  Now you could pay a penetration testing provider thousands of dollars each week to continually assess your Salesforce environment, but that would become too cost prohibitive.  So focus on being proactive by switching from manual processes such as penetration testing to things that can be automated via tooling
The fourth major benefit that we observe is proper access and privilege management. Here’s one example.  For critical business applications you often need to enforce least privilege and prevent the harm that one person can cause.  Therefore, it’s common to require two or more people to perform a function.  Example: One developer writes the new code for a customer facing website, another developer reviews the code to detect if there’s any major bugs or glaring issues that might cause brand damage.  Having a solution that helps mitigate privilege creep ensures that developers don’t increase their access.  Another example of the importance to proper access management occurs when bad employees are fired.  When a bad employee is fired, then the company needs to immediately remove their access to sensitive data and applications.  This is pretty easy when you control access via a Single Sign On solution.  Just disable their account in one place.  However many SaaS providers don’t integrate with SSO/SAML.  Additionally the SaaS website is generally internet accessible so people can work from home even if they are not on a corporate VPN.  Therefore it’s common to encounter scenarios where bad employees are fired and their account access isn’t removed in a timely manner.  The manager probably doesn’t remember the 15 SaaS accounts they granted to an employee over a 3 year time frame.  When fired employees are terminated and access isn’t removed you can generally expect an audit finding, especially if it’s on a SOX application.  
OK so now that we talked about the 4 major drivers of SaaS Security Posture Management (detection of account compromise, improved detection and response times, improvements to configuration and compliance, and proper access and privilege management) let’s learn from our guest who can tell us some best practices with implementation.
Now I’m excited to introduce today’s guest:  Ben JohnsonLive Interview
Well thanks again for taking time to listen to our show today.  We hoped you learning about the various clouds we are in (On Premises, Cloud Computing Vendors, and SaaS), Understanding the new Gartner Magic Quadrant category known as SaaS Security Posture Management.  So if you want to improve your company’s ability on SaaS based services to:
detect account compromise, 
improve detection and response times, 
improve configuration and compliance, and 
proper access and privilege management 
Remember if you liked today’s show please take the 5 seconds to leave us a 5 star review with your podcast provider.  Thanks again for your time and Stay Safe out there.
 

Monday Oct 17, 2022

References
https://github.com/cisotradecraft/Podcast
https://cisotradecraft.podbean.com/e/84-gaining-trust-with-robin-dreeke/
https://www.youtube.com/shorts/vSART2mutwc
https://www.peopleformula.com/selfmastery
https://cisotradecraft.podbean.com/e/ciso-tradecraft-roses-buds-thorns/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-how-to-compare-software/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-aligning-security-initiatives-with-business-objectives/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-promotion-through-politics/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-presentation-skills/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-avoiding-death-by-powerpoint/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-partnership-is-key/
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today's episode is something special for us and we hope for you as well.  It’s hard to believe it but CISO Tradecraft has been producing episodes for about two years now.  This is our 100th episode!  We've covered quite a bit of ground over that time, and we thought we would do a little reflection on our previous episodes and highlight seven differentiators that set World Class CISOs apart from others.  So, stick around and learn these seven tips that will enable you to enhance your CISO Tradecraft and help you have a more successful career.
 
The first tip we want you to understand is that you must always help others to understand your viewpoints through Connection.  Now there is one thing to note:  the way you connect depends on the size of the audience.  We observe that there’s usually three different audience sizes that you will connect with: Individuals or 1:1, Small Teams (between 2 and 20), and Large Groups (more than 20).With Individuals it’s all about building the one-on-one connection.  An example of folks who excel at building connections are spies.  Spies have a mission to build connections with others and recruit them to share important information.  Now if you go back to Episode #84, we brought Robin Dreeke on the show to talk about Building Relationships of Trust.  Robin was a long time FBI agent who excelled in recruiting and turning Russian spies.  In the episode, Robin talked about the key to building relationships of trust.  He mentioned four key recommendations:Seek the thoughts and opinions of others;
Talk in terms of priorities, pain points, and challenges of others;
Use nonjudgmental validation (i.e., seek to understand others without judging); and
Empower others with choices and give them the cause and effect of each choice.
There’s a lot more detail in that episode, so be sure to check it out if you haven't yet listened to it.  We would like to add one more key point to these thoughts from Robin.  It’s about seeking the thoughts and opinions of others.  You might be thinking to yourself, how do I connect with others, so they actually tell me their unfiltered opinions?  Jim Lawler, a 25-year veteran CIA operations officer came on Robin’s Dreeke’s Forging Trust podcast and provided a very interesting quote, “You don’t recruit people when you are in transmit mode.  You recruit people by listening.”  Therefore, find ways to listen with great questions.  Imagine if you asked these three powerful questions from Andy Ellis:
What is the stupidest risk that we are not taking care of that no one has dealt with?
What is the dumbest security control that gets in your way?
What is something that you wish we did better in security?
Now after you ask those three questions, take Jim’s advice, and just listen.  We mean to actively listen to every word coming off of the other person’s lips.  Don’t just listen for the purpose of responding right away and providing your opinion and guidance.  Remember, good listeners are very hard to come by.  It’s uncommon to find people who really take an interest in others.  So, listen with the purpose of understanding what the other person wants, not what you intend to say back.  When you care enough to truly listen, people feel heard, which generates a connection.
Small Teams - In addition to listening with others you will often need to connect with small teams.  This might be your executive leadership team.  It might be your boss and your peers.  To build connections with small groups you must enable Conversations of Candor.  If you haven’t heard of the word candor it means the quality of being open and honest in expression or frankness.  Here’s two examples of doing that:On Episode #27, we talked about how the Boy Scouts use the concept of Roses, Buds, and Thorns.  For those who were scouting leaders, after each campout you would talk about what’s going well (i.e., roses), what new ideas are working (i.e., buds) and what are the things you want to stop (i.e., thorns).  By consistently asking these questions in each of your staff meetings, you enable everyone the opportunity to speak their mind.  They have a venue to speak up.  Now if you really want to connect with small groups and build trust, then please act on their guidance.  If someone says a particular person isn’t responding, reach out to that other individual and say, "I would appreciate if you could assist so-and-so with this problem."  You're using the power of your leadership position to influence this other person.  When you step in for your team and work to help them, they will consider you as a good leader who helps his or her people.  [Navy story] By doing this, you enable trust and strengthen connections.
Another example of creating conversations of candor is problem framing.  Note you can learn about all the steps in problem framing from Episode #14, How to Compare Software.  Now in today's discussion we're not talking about software but about people, but in that episode, we talked about the importance of applying problem framing to understand limitations and politics.  The first two steps of the seven in that methodology were defining the problem and stating the intended objective.  To best solve problems in an organization, it’s important everyone agrees that something is a real problem worth focusing on.  If each person has a different problem in mind, then there really isn’t going to be any meaningful agreement.  Start by getting consensus -- we all agree this is the exact problem we are solving today.  Once the room agrees on a problem, you need everyone to agree on an intended objective.  You can think of these as SMART goals.  You know the acronym: specific, measurable, achievable, relevant (or realistic), and time bound.  For example, let's say that today our organization is unable to retain quality talent.  We see many of our best and brightest going to other companies for more money.  So, your organization creates an intended objective.  For next year, we will seek to retain 80% of our employee population throughout the year that are not retiring.  This metric will enable our company to measure ourselves each month to see if we are successful and will allow everyone to connect by working together on the same issue.  Naturally, there needs to be resources allocated to achieve this goal; but if you have this stated objective in place, you're much more likely to set up your organization for success.
Large Groups- The last audience size is large groups.  In large groups you don’t have the opportunity to connect with everyone and have detailed conversations.  Additionally, with over twenty folks it becomes very difficult to have a conversation with everyone being able to provide their opinions and feedback.  So, for this audience, we recommend using gamification techniques to build connections.  Most executives are competitive.  We have all been involved in friendly competitions growing up as well as many of us have played some type of organized sport.  So, if we can create a game that increases active participation, provides immediate feedback, includes dynamic interaction, has competition or novelty, and improves a company’s ability to achieve a goal, then you are on to something truly special.  If you would like to learn more about gamification concepts and the four player types that you need to support, please check out Episode #65 which is entitled, "Shall We Play a Game?"
 
The second differentiator of the seven used by World-Class CISOs involves understanding how to build an effective metrics program that drives ownership and accountability.  If there isn’t someone accountable, then chances are the project is going to fail.  So, we need to have an accountable party and a good metric to show progress.  Remember, that which gets measured gets done; that which gets done well gets funded again.  To create good metrics, we want to you use the 4 Lines Approach.  Every metric needs a start line, a trend line, a goal line, and a timeline.A metric needs to have a Start Line to show the current status of where the organization is right now.  This allows the accountable parties to have a scoreboard.  You can think of playing a pick-up game of basketball.  If you are just playing for fun, people might not play their best.  However, if you put up a scoreboard, suddenly it becomes competitive, and players put forth a little more effort.  This helpful competition increases individual as well as team productivity.
A metric should have a Trend Line to show how things have gone over the past four months.  Are things getting better, getting worse, or staying the same?  This tells management when something is going wrong, because negative trends indicate we need to change our course of action.  For example, if we see that the number of high and critical vulnerabilities on our SOX applications continues to increase, then we need to identify the root cause.  Are there enough resources on those teams, is something wrong from an architecture perspective, are our vendors not giving us the support we need, and so on?  If you are not watching the trend line, you will miss identifying when things are forecasted to go bad and end up taking corrective action much later than you could have.
Metrics need a Finish   Line- This is a goal that the organization is targeting.  It has a clearly defined definition of done.  For example, let’s say we really care about ransomware and being able to restore critical applications from offline backups.  We need to be specific on our restoration capabilities.  If a server goes down do we have 4 hours, 8 hours, 24 hours, or more before it catastrophically impacts the business?  This matters since the business is going to have to both recreate all of the data lost in that amount of time as well as account for loss of operational efficiencies when key IT systems are down.  Compliance can have a big impact on this as well, so make sure you know your requirements.
Metrics also need a Timeline- We need to set a time to which we hold people accountable for reaching the finish line.  Goals or definition of "done" might go on forever, which isn’t what you want.  You want results and that comes from accountability.  Therefore, ensure every task has a clear owner with a clear deadline.  Note if you want to hear more about these four lines, please check out Episode #69 on aligning security initiatives with business objectives.
 
The third differentiator of seven for World-Class CISOs is understanding the shift between being competent versus being effective.  On Episode #62 entitled Promotion Through Politics, we talked about the four major phases in your career and the different skillsets you must display to get promoted.  At first you are an individual contributor.  In this role you get promoted by demonstrating technical skills.  This phase usually lasts several years, and if you are proficient in your area of expertise, you'll get promoted to first line manager.  [If we use the Navy as an example, if you're a skilled pilot you'll compete well for promotion to Lieutenant Commander, or Major in the non-sea services.]  Here you must demonstrate your management skills -- executing to budget, managing paperwork effectively, meeting deadlines.  If you learn and do all this well, you get to become a manager of managers and are welcomed into middle management.  [Back to the Navy, if you do well as a department head, you'll be a strong candidate to promote to Commander (or Lieutenant Colonel) and select for Executive Officer or Commanding Officer.]  This is where you must demonstrate leadership skills -- inspiring and strengthening your team, setting and achieving stretch goals, accomplishing your mission through innovation.  [Today, less than half of those officers will be offered a promotion to Captain (or Colonel.)]  If you've seen the Top Gun Maverick movie, you'll see that Tom Cruise's character as a Captain does all of these things -- he portrays a seasoned leader building a team, teaching teamwork skills, inspiring confidence, and leading by example rather than just playing a hotshot pilot competing against his peers as he did in the first movie (although he still is the best of the best in the cockpit, but I don't want to spoil any of the plot if you still want to see it.)  This is where you get some of the most rewarding opportunities in your career -- leading men and women in accomplishing great tasks.  Many careers top out here.  Brigadier General Jeremy Horn writes in his article, The 10 Secret Rules of the Colonel, "Colonel is the last rank that you can make through personal effort.  Everything from here on out is luck and timing."  He's right.  Invitations to the executive suite, known in the military as Flag Officer, requires excellence in your record, your reputation, and your relationships.  If you want to read some more of my thoughts on that topic, look up my article on Running Up the Flagpole.  Finally, if you are lucky and haven’t burned too many bridges you get welcomed into the executive level.  [In the Navy, that would be promotion to Rear Admiral (Brigadier General), a selection rate by the way that was less than 1% in my community.  Think about that -- 99% of Navy captains retire as captain.  Essentially, you can consider this as your terminal pay grade.  That realization does one of three things -- there are a few that hit cruise control and are on what we call the ROAD program -- retired on active duty.  The majority work well in their roles and serve honorably and effectively while looking for a good civilian job to transition out of the military.  But for a handful of us, it became "no fear" -- leadership couldn't hold not getting your promotion over your head if you took a risk and lost, so you go for things that are considered impossible and make them happen.  [pin on story]  If you consider some of the names you might remember from the military -- Colonel John Boyd's OODA Loop -- observe, orient, decide, and act; Colonel David Hackworth, the most decorated officer from the Korean War and the Vietnam War with two Distinguished Service Crosses, ten Silver Stars, and eight Bronze Stars -- they retired as Colonels, not Generals].  In this final career phase at the very top, it's not about leadership, it's all about politics.  Leaders show their political acumen to get recognized as being able to serve at this level.  Those who do not understand this think they're just brown-nosing, but it really is a manner of virtue-signaling, IF done at the right point in one's career.
 
Now as you are moving between levels in your career there’s one subtle thing that we want to you understand about executives.  It’s this concept of being competent versus being effective.  When you are in an individual contributor and first line manager roles, you must be competent.  For example, a pentester who can’t go hands-on to the keyboard to find vulnerabilities isn’t providing much value.  A firewall engineer who can’t change the access control rules isn’t helping.  You must display competence.  However, by the time you are a manager of managers you aren’t touching a keyboard much anymore.  So, your competence isn’t as important.  It’s important you know what good looks like so you can provide your team guidance.  However, your ability to troubleshoot a firewall is probably behind you.  You need to make the shift to focus on effectiveness.  Instead of improving only yourself, you need to improve the effectiveness of the people assigned to you.  If you could make everyone 100% more productive, then that is like having twice as many people on your team.  Here’s another example.  There was a company that hired a CISO who wasn’t technical.  He had never had traditional cyber security roles such as running a Security Operations Center, building a compliance organization to keep auditors happy, or implementing antivirus and firewalls.  However, this CISO was really good at connecting with others and getting resources.  After meeting with all the technical experts within the cyber organization, he learns they needed funding.  So, he plays a round of golf with the CEO and gets the resources necessary to increase the team size to the appropriate levels.  Later on, he gets asked technical questions by the CIO about why the application security tools have so many false positives.  He responds that he will discuss this concern with his technical experts.  Later on, he brings those experts into a meeting where they brief the CIO on why the AppSec tools have issues and the recommended way forward to fix them.  This resolves the CIO's concerns.  We mention this story because the CISO was not competent as an application security expert.  However, he was extremely effective in his role.  Of course, competent CISOs can do more, but the main point we want you to understand is at the executive level you need to spend your time learning how to get things done more effectively, and you do this by enabling (or coercing) others to accomplish the work, not by becoming increasingly competent as a technical contributor.
 
The fourth differentiator of World-Class CISOs is they are amazing communicators.  Who wants to listen to a boring presentation?  The answer is no one.  So don’t be that type of speaker.  Imagine you are a world class communicator that your CXO peers love hearing from.  That type of speaker is going to get invited to talk again and again.  When that happens, you get the opportunity to influence, to change behavior, to discuss high priority risks, and to be seen.  This is all goodness.  On Episode #61, we talk about presentation skills and how to give great presentations.  We discuss a JP Phillips Ted Talk that explains if you want listeners to remember your talk, try adding a cliffhanger.  If you want to build trust with a team, then tell something vulnerable about yourself.  Finally, if you want people to be focused and relaxed, try being overly dramatic or funny.  Also don’t just try to communicate via email and PowerPoint.  On Episode #75, Avoiding Death by PowerPoint, we talk about using escape rooms, tabletop exercises, and polls to create unique experiences that others will enjoy.  Mix it up a little and you'll improve your ability to influence others.
 
The fifth differentiator that sets up World-Class CISOs for success is they align security initiatives with business objectives.  In Episode #69 we talk about profit generation, cost reduction, service enablement, and customer and market outreach as the four key objectives that build profitable growth for businesses.  To best learn the business objectives and build relationships of trust with the C Suite, you need to learn how to partner.  We give detailed explanations of this process in Episode #70, Partnership Is Key.  One example is the marketing department.  They often direct where the IT organization needs to build its next webpage or widget.  However, marketing folks are often not technical.  Now imagine if you are the CISO that really gets on well with them.  So, you and they both partner together to identify a way to send marketing material via text and social media platforms such as TikTok, WeChat, and others.  Marketing estimates this will create millions of dollars of new sales.  So, the marketing team, the CIO, and the CISO brief the CEO and CFO to ask for an additional budget to perform this effort.  The CEO and CFO hear the business case and listen to the CIO saying this can be built in a six-month time frame.  The CEO and CFO also hear from the CISO that this can be done securely.  After due consideration, they approve the funding request.  Guess what?  That’s a big win for the company.  Since you were involved early with marketing, you also have the greatest opportunity to design security correctly on the new solution, versus being asked to approve something the week before going live.  So, find ways to connect through partnership and always focus on enabling business objectives.
 
The sixth differentiator that sets CISOs up for success is they can create effective risk governance and management processes within an organization.  The business must see that cyber is a business risk and not just an IT risk.  For example, when system XYZ is unavailable, how does that affect each of the users of that IT system?  What business processes fail?  What are the potential impacts on revenue and customer service?  This is why cyber risks need to be acknowledged by both the business owners who can identify the consequences of downtime and the IT maintainers who can actually remediate the findings.
 
Now one important thing to remember is approval authorities.  For example, who in the organization has purchasing authority for two million dollars of software?  Can any manager do this, or does it need to receive approval from a director, vice president, or senior vice-president?  A quick conversation with the CFO can confirm spending levels.  Once you know the spending authorities, then you can make a comparison that accepting two million dollars in cyber risk is the same as approving two million dollars in additional spending.  If a third-party risk assessment identifies two million dollars in new software risk, then the business must acknowledge the risk by either moving forward, rejecting the software, or finding a way to remediate the vulnerability before using the software.  Remember, the purpose of cyber isn’t to say "no."  The purpose of cyber is to be in the business of revenue protection.  Cyber protects revenue when the business owners can make business decisions in their best interest.  Most business executives will not understand the likelihood of a system being compromised, but that’s where cyber can show real value.  Cyber can communicate the vulnerabilities within systems to the business in risk committees and governance boards.  This allows cyber and the business to document the risk decisions being made.  When you document discussions and decisions based on risks and money, then you are acting like an executive.  This is the way to success.
 
The last world class differentiator for CISOs is they are successful in their jobs.  Want to know how to set up for success in any job?  If so, then please follow this piece of advice.  You must accomplish three things:First you need to get the job done.  If others refer to you as a "closer" for finishing the job, then you build trust.  When leadership knows they can trust you with little things, you get bigger responsibilities.  Mission accomplishment is the coin of the realm.
The second thing to being successful in any job is you must cover all the angles.  Never let an overlooked detail derail you.  Good executives run efficient programs and projects that finish on time and within budget.  When things don’t go as forecasted there should not be big surprises to anyone since you keep a close watch of the details.  If you keep track of the details and think things through, then you can be successful.  You can succeed in this area by creating a culture of no-fear, specifically of not shooting messengers.  Are your people confident they can come to you early with potential issues for situational awareness, consideration, or possible resolution?  Can even your most junior person speak up and point out what might be a problem?  If it isn't, don't  cut them down, but patiently point out that that issue is already covered, but thank you for keeping your eyes open, and if you see other potential problems, continue to speak up.  You make better decisions when you don't have people afraid to bring you bad news.  I think we can all imagine a global leader today that none of us would want to approach saying things aren't going well and according to plan.  Don't be that kind of boss.
The final and most important thing to succeed in any job is to keep the customer happy.  Remember, if the customer isn’t happy, then it doesn’t matter what you have done.  The key thing to remember is determining who is the customer with every project.  Sometimes it’s your boss, sometimes it’s the business, sometimes it’s actually an external corporate customer.  If you know who that is and you keep them happy, then you usually have a high probability that you will stay gainfully employed.
 
Well, we hope you have enjoyed listening to the seven ways world class CISOs set themselves up for success.  Let's recap:
They focus on building connections;
They leverage effective metrics programs that drive ownership and accountability;
They know effectiveness is more valuable than being competent at the executive level;
They are great communicators;
They align security initiatives with business objectives;
They create effective risk governance and management processes; and finally,
They practice the three tips to be successful in any job.
If you want to learn more great tips on being an effective CISO, please take a look at our GitHub Page which lists each of our podcast episodes under ten high-level topics.  Also note there’s a link to each of the episodes we mentioned in our show notes.   And finally, if you learned something that you like, please help us celebrate one hundred episodes of CISO Tradecraft by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders.  The more CISOs we can help, the more businesses we can protect.  This is your host, G. Mark Hardy.  Thanks again for listening and stay safe out there.

Copyright 2024 All rights reserved.

Podcast Powered By Podbean

Version: 20230822