CISO Tradecraft®

Are you a Chief Information Security Officer (CISO) looking to share your knowledge and insights with the world? In this episode, we explore how CISOs can embark on their journey of writing their first book. Join us as we delve into valuable tips and advice, including learning from renowned author Bill Pollock, who has paved the way for aspiring CISO authors.
 
Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs.  They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates.
https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook
 
Transcripts: https://docs.google.com/document/d/1uxNgxe7ad9VBfRLeRH4nWY6tSkI-Kexd
 
Chapters
00:00 Introduction
04:37 How No Starch Press was Founded
07:24 The Rise and Fall of the Hacking Underground
11:41 How to be a Successful Hacker
14:11 How to Edit a Book
16:38 How to Be a Good Writer
18:14 How to Write a Book Proposal
23:50 How to Overclock Your Computer
26:31 The Future of AI
28:15 The Value of a Author Book Publishing Agreement
33:39 How to Make Money Writing a Book
37:34 The No Starch Press Foundation and the Hacker Initiative
40:30 Hacker Initiative: A Public Charity for Cyber Security

One of the most important activities a CISO must perform is presenting high quality presentations to the Board of Directors.  Listen and learn from Demetrios Lazarikos (Laz) and G Mark Hardy as they discuss what CISOs are putting in their decks and how best to answer the board's questions. 
Special thanks to our sponsor Risk3Sixty for supporting this episode. Risk3sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook
References
RSAC ESAF Download: https://www.rsaconference.com/rsac-programs/executive-security-action-forum
NACD 2023 Directors Handbook: https://www.nacdonline.org/insights/publications.cfm?ItemNumber=74777
Blue Lava: https://bluelava.io/cybersecurity-board-reporting/
Transcripts: https://docs.google.com/document/d/1juM8MQUEtAZEDp1HpzkPdNw-D11O3ofq
Chapters
00:00 Introduction
05:17 The Importance of External Audits in Managing Risk
06:48 How to Help Your Business of Revenue Protection Reduce Risk
11:15 How to be a Successful CISO
12:52 How to Measure the Threat to Your Environment
15:04 How to Prepare for Cyber Threats and Incidents
18:49 The Importance of Understanding the Business's Critical Assets
22:28 OSINT and CSIRT.global Tools and Technologies
25:14 Building a Matrix of Good Intention, Bad Behavior, and Access Management
28:10 How to Create an Incident Response Plan
30:20 How to Keep Your Board of Directors Informed of Cybersecurity Incidents
31:50 How to Keep Track of the Latest Cyber Threats Coming Around the Corner
34:11 How to Achieve Cyber Insurance Coverage
37:06 Cyber Liability Insurance: A Necessary Component of Running Your Business in 2023
39:22 How to Measure the Effectiveness of a Company's Cybersecurity Program
40:54 The Importance of Business Alignment

A lot of times we focus on preventing ransomware, but we forget what we should do when we actually encounter it.  That's why we are bringing on Ricoh Danielson to talk about it.  Learn from him as he discusses tactics and techniques for businesses to follow then stuff hits the fan.
Special thanks to our sponsor Risk3Sixty for supporting this episode. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook
Ricoh Danielson - https://www.linkedin.com/in/ricoh-danielson-736a0715/
Transcript: https://docs.google.com/document/d/1R82dUBChC3URM6iaP3D7dds_2nh27DTs/
Chapters
00:00 Introduction
03:19 How to Help a Small Business Dig Out of Cybercrime
05:00 How to Negotiate with Your Cyber Insurance Company
08:58 How to Deal with a Threat Actor
12:57 The Importance of Treating Everything Equally
15:45 How to Use Microsoft Tools to Capture Information
17:25 How to Combat a Threat Actor with Microsoft Defender
22:41 Set up PGP Keys in Advance
25:26 How to Negotiate with an OFAC sanctioned organization
28:24 How to Deal with Ransomware
30:28 The Nature of Instant Response
32:25 How to Get Concurrency in your Organization
34:05 The Importance of a a Strong Relationship with a Client
37:34 The Importance of Breach Notifications
39:21 How to Hand Combat a Threat Actor

This episode features Lee Kushner discussing various topics, including negotiating skills, the importance of degrees in the cybersecurity field, the need for diversity in the industry, challenges faced by cybersecurity professionals, starting a career in cybersecurity, and the value of technical skills. The conversation emphasizes the need for individuals to acquire technical skills, such as coding and networking, as they are in high demand and can differentiate them in the job market. It also mentions the importance of understanding the industry and its composition when seeking employment in cybersecurity.
Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
Transcripts: https://docs.google.com/document/d/11askuaFcV_jYov2FklkbZXxVN3JSNu6y/
Chapters
00:00 Introduction
07:56 The Importance of Professional First Mindset in the Staffing Industry
09:33 The Importance of Perception in a Staffing Environment
11:36 The Role of the Research Professional in a Hiring Process
16:03 How to Overcome Barriers in the Recruitment Process
18:09 The Importance of Education in Executive Search
20:41 The Importance of Diversity in Cyber Talent
25:25 How to Get a Job in Cyber Security
27:48 The Importance of a Technical Foundation in Careers
32:08 How to Become a Cybersecurity Professional
34:06 The Future of Cybersecurity Career Paths
35:56 The Future of Security
41:24 How to Get in Touch With Your Clients

On this episode we bring in Cyndi and Ron Gula from Gula Tech (https://www.gula.tech/) to talk about their cyber security experiences. Listen and enjoy as they tell their stories about leaving the NSA, creating the first commercial network Intrusion Detection System (IDS), Founding Tenable Network Security, and investing in multiple cybersecurity startups.
Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
Transcripts: https://docs.google.com/document/d/1zdJwzJUXHBLlQvOGYWtWVQqmxFzmAe5Z 
Chapters
00:00 Introduction
02:30 The Importance of Computer Security
04:46 The Career Path to the National Security Agency
07:39 The Importance of Compatibility
10:40 How to Get Your First Customer Off the Ground
14:28 How to Make your First Hire as a Beginning Entrepreneur
16:10 The Transition to Network Security Wizards
18:35 The Origins of Tenable
21:38 How to to Survive Contact with the Enemy
24:45 The Importance of Culture in the Military
29:31 Gula Tech Adventures
33:24 The Future of Venture Investing
36:13 Secrets of Working Together as Spouses
39:33 The Future of Venture Capital
42:21 Google Tech Adventures: How to Learn Startups

How do we frame an executive discussion so we can structure and present information in a way that effectively engages and aligns with the needs and interests of the executive audience?  On this episode we answer that question by discussing the 8 important elements of framing a discussion with executives:
Clearly define the objective
Start with the big picture
Identify key issues
Highlight impacts and benefits
Use visually compelling data and metrics
Be able to anticipate questions and concerns
Provide actionable recommendations
Seek alignment with existing perspectives of the organization
Special thanks to our sponsor Risk3Sixty for supporting this episode.  Be sure to check their Security Budget & Business Case Template: https://risk3sixty.com/whitepaper/security-budget-template/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=budget
Full Transcripts: https://docs.google.com/document/d/1vhLmqEAy-yQ01ZY1y8Nf7y-u_swTYCm8
Chapters
00:00 Introduction
02:42 How should we frame an executive discussion?
05:30 Start with the Bottom Line Up Front (BLUF)
07:11 1) Clearly Define the Objective
08:13 2) Start with the Big Picture
09:46 3) Identify Key Issues
10:47 4) Highlight Impact and Benefits
12:17 5) Use Visually Compelling Data and Metrics
13:07 6) Be able to Anticipate Questions and Concerns
15:06 7) Provide Actionable Recommendations
17:35 8) Seek Alignment with Existing Perspectives of the Organization

Learn how to unlock financial success with key strategies by Logan Jackson from Ray Capital Advisors.  Logan highlights how to set clear goals, choose the right asset class, diversify your portfolio for stability and growth, build a well-diversified investment portfolio to create wealth and mitigate risk, take control of your financial future through retirement planning and goal setting, & leverage tax loss harvesting. He also discusses how to prioritize tax planning, understand the impact of behavioral finance, seek professional money management, navigate conflicts of interest in financial planning, and discover hidden wealth advisors for personalized guidance.
Special thanks to our sponsor Risk3Sixty for supporting this episode.  Be sure to check their Security Program Maturity Presentation for CISOs: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=template
Also if you would like to contact Logan Jackson please use his contact page at: https://www.raycapitaladvisors.com/ 
Full Transcripts: https://docs.google.com/document/d/1DLXnE5PTm4tDbONRSBarMa-1T8aduztf
Chapters
00:00 Introduction
02:37 The Importance of Financial Goal Setting
06:48 How to Choose the Right Asset Class for Your Family
11:17 How to Diversify Your Portfolio
12:56 How to Build a Diversified Investment Portfolio
15:22 How to Diversify a Portfolio and Build Wealth
19:48 How to Take Risk Off the Table
22:47 The Importance of Diversifying Your Portfolio
24:13 The Importance of Retirement Planning
28:56 The Importance of Goal Setting
30:35 The Importance of Tax Planning
33:10 How to Maximize Your Tax Implications in Taxable Investment Accounts
35:20 How to Use Tax Loss Harvesting to Avoid Tax Losses
39:51 The Importance of Behavioral Finance in Investing
43:39 The Importance of Professional Money Management
45:55 The Conflicts of Interest in Financial Planning
47:50 How to Find a Hidden Wealth Advisor

Are you looking for ways to protect your most valuable asset? In this episode, G Mark Hardy argues that our most valuable asset is our family, not the crown jewels or critical assets of a corporation. He emphasizes the importance of managing money, having an emergency fund, obtaining life insurance, building retirement savings, protecting against credit card fraud, and creating a plan for your children's digital life.  
Special thanks to our sponsor Risk3Sixty for supporting this episode. You can learn more about them from the Risk3Sixty Website: https://tinyurl.com/yc4xv7bj
Full Transcript:  https://docs.google.com/document/d/1vVASHmOV7n7Js0luDF1kWBF3qoytDnTy
Chapters
00:00 Introduction
02:01 How to Manage Your Money
05:54 The Millionaire Next Door
10:28 How to Diversity your Investments
12:35 The Importance of Paying Yourself First
15:41 How to Buy Paper I Bonds for Yourself
17:39 How to Choose the Right Life Insurance for You
21:28 The Cost of Life Insurance
23:12 The Importance of Retirement Savings
26:51 How to Optimize Your Retirement Income
28:47 How to Protect Yourself From Credit Card Fraud
30:40 How to Manage Your Credit
33:34 How to Avoid a Data Breach
35:44 How to Manage Your Passwords Effectively
37:36 How to Protect Your Children from the Risks of Online Content
41:23 How to Get Out of Dodge Quickly

In this episode of "CISO Tradecraft," G. Mark Hardy defines the role of a CISO and discusses the Top 10 responsibilities of a Chief Information Security Officer
Full Transcript: https://docs.google.com/document/d/1J_sCMkqEeIB7pUY4KmjCiS1sz7t6LX2F
Chapters
00:00 Introduction
01:25 Defining the Role of the CISO
04:43 1) Developing and implementing a cybersecurity strategy
07:27 2) Overseeing the organization's cybersecurity key programs and initiatives
08:20 3) Ensuring that the organization's cybersecurity policies and procedures are up-to-date and in compliance
10:44 4) Collaborating with other departments and teams
12:06 5) Developing and implementing a cybersecurity budget
14:21 6) Maintaining a high level of awareness about emerging cybersecurity threats, vulnerabilities, and technologies
15:29 7) Building and maintaining relationships with external partners and networking groups
18:07 8) Providing education, guidance, and support to the organization's employees
21:34 9) Leading and managing a team of cybersecurity professionals
24:10 10) Conducting regular risk assessments

In this episode of CISO Tradecraft, G Mark Hardy and guest Kevin Fiscus discuss the challenges of cybersecurity and the importance of prioritizing security decisions. Fiscus emphasizes the need for effective protective controls and detection measures, as well as the limitations of protective controls and the importance of detection. He suggests a "Detection Oriented Security Architecture" (DOSA) that includes high-fidelity, low-noise detection, automated response, and continuous monitoring. Fiscus also discusses the concept of cyber deception and proposes a new approach to cybersecurity that involves redirecting attackers to a decoy environment.
Kevin Fiscus: https://www.linkedin.com/in/kevinbfiscus/
Full Transcripts: https://docs.google.com/document/d/1zIph4r5u8UtuhsMSmIyi90bCtV52xnHv
Chapters
00:00 Introduction
04:55 The Average Time to Identify Bad Actors is 28-207 days
07:11 Why Protective Controls Don't Always Work
08:32 Protective Controls Create Resistance
10:34 The Cost of Detecting Bad Guys on Your Network
12:40 The Effects of Resistance on Protective Controls
15:56 The Problem with False Positive Alerts
20:08 How to Define Bad Guy Activity with 100% Accuracy
22:09 The Four Components of Security
24:14 Four Components of Detection Oriented Security Architecture (DOSA)
26:17 Differentiating between Monitoring & Alerting
27:13 High Fidelity and Low Fidelity Alerts 
33:06 Setting a Squelch for Radios
31:37 How to Deal with False Negatives
33:56 The Importance of Non Production Resources in Detection
37:56 How to Use Cyber Trapping to Deceive an Attacker
42:54 The Role of Environment Variability in Deception
47:08 Blowing Sunshine at Attackers

Have you heard about the latest trends in Generative Artificial Intelligence (GAI)? Listen to this episode of CISO Tradecraft to learn from Konstantinos Sgantzos and G Mark Hardy as they talk about the potential risks of GAI and how it generates new content.
Show Notes with Links: https://docs.google.com/document/d/10eCg3L00GgnHmze14g_JUkBbfHEdGZ8HW0eAGMk4PPE
Chapters
00:00 Introduction
01:37 The Future of Generative Artificial Intelligence (GAI)
06:08 The Implications of Hallucination in Generative AI
09:06 Hallucination Trivia Test for Large Language Models
10:48 The Consequences of Using Generative AI Models
12:39 The Importance of Education in Cybersecurity
14:45 The Future of Generative AI
16:17 The Importance of Understanding Large Language Models
19:47 The Differences Between Eliza and Machine Learning
24:26 How to Armorize Generative AI
29:39 The Future of Programming
31:23 The Future of Machines
33:53 The Future of Technology
37:52 The Future of CISOs
40:25 The Future of Generative AI

Are you worried about cyber threats and data breaches? Do you want to build a strong cybersecurity program to protect your organization? Look no further! In this episode of CISO Tradecraft, G Mark Hardy and Debbie Gordon discuss the three dimensions of an effective Information Security Management System: Policy, Practice, and Proof. G Mark emphasizes the importance of having a proper cybersecurity policy that references information security controls or outcome-driven statements. However, it's not enough to have policies on paper; organizations need to practice what's on paper to be prepared for cyber events. This is where ranges come in. Ranges are a full replica of an enterprise network with real tools, traffic, and malware. They allow teams to practice detecting and responding to attacks in a safe environment. Debbie Gordon, founder of Cloud Range, explains how ranges can help organizations accelerate experience and reduce risk in cybersecurity. She emphasizes the importance of educating an organization's user base to become the first and last lines of defense against cyber threats. By training non-technical executives to spot suspicious activity and bring it to the attention of the security team, organizations can minimize the damage caused by phishing attacks, ransomware, and other cyber threats. Gordon also highlights the importance of team training in cybersecurity because it's not just about individual skills, but also about how teams work together to respond to threats. By practicing together in a range environment, organizations can improve their processes, handoffs, and speed in detecting and responding to attacks.
Special thanks to our sponsor Cloud Range Cyber for supporting this episode.
Website: www.cloudrangecyber.com
Email: info@cloudrangecyber.com
Full Transcripts: https://docs.google.com/document/d/1yWenwauzfAiQYafFW0Iew33vbzvlO2BO
Chapters
00:00 Polished Security Programs need Policy, Practice, and Proof
00:54 Policy
02:47 Practice
03:44 Proof
04:28 How to Apply the Concepts of Ranges to Help Organizations
06:05 The importance of Experiential Learning
07:48 The Importance of following Procedures
12:12 The Benefits of Team Training for Cyber Ranges
15:33 The Importance of Muscle Memory
20:22 How to Maximize Your Investment in Cybersecurity (KPIs & Measurable Results)
24:33 The Advantages of using the MITRE ATT&CK® Framework
27:41 The Advantages of Following ISO Standards
31:36 How to Improve your Cloud Range Exercises
33:22 How to use Cognitive Aptitude Assessments for Workforce Development
37:44 How to level the Playing field for Cyber Talent
39:39 The Importance of Degrees in Cyber Security
41:03 Making the CISO's job easier

Are you concerned about the security of your data? If so, you're in luck, because we have an incredible episode that has Brent Deterding discuss how to implement simple, easy, and cheap cybersecurity measures. 
One of the key takeaways from the episode is the importance of understanding, managing, and mitigating the risk of critical data being exposed, altered, or denied. Brent Deterding shares his top four tips for CISOs, which include implementing multi-factor authentication, device posture management, endpoint detection and response, and external patching. He emphasizes the importance of keeping things simple, easy, and cheap.
Overall, the episode emphasizes the importance of taking a proactive approach to cybersecurity and being prepared for potential cyber threats. Brett Dietrich shares his approach to reducing risk for his company when negotiating with underwriters.  Remember significant risk reduction is simple, easy, and cheap, so don't wait to implement these tools and strategies.
10 Immutable Laws of Security: https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security
Transcripts: https://docs.google.com/document/d/1eP7F8pD3kcrbja2sfSwSKGnJ-ADHviUt
Chapters:
00:00 Introduction
02:05 How to Protect Your Organization's Critical Data
01:43 Scenario of Protecting a Small Company
08:01 The 10 Immutable Laws of Security
14:26 Tips for CISOs
15:30 Simple, Easy, & Cheap is a Technology State
19:00 How Much Do You Care About Phishing Problems?
20:46 How to a be successful at RSA?
26:00 How to Enable the Business without Reducing Friction?
28:37 How to Adopt the Australian Essential 8
31:06 Team Platform vs Best of Bread
33:00 Those with a fear of vendor lock-in are retired
36:36 How to Save Money on Cyber Insurance
38:27 How to implement the Four Hills Strategy (MFA, EDR, Device Posture Management, & Patch Management)
40:57 How to Negotiate Effectively With Insurance Companies
42:48: Getting Material Risk Reduction is Simple, Easy, and Cheap

In this episode of "CISO Tradecraft," G Mark Hardy discusses how to build an effective cyber strategy that executives will appreciate. He breaks down the four questions (Who, What, Why, and How) that need to be answered to create a successful strategy and emphasizes the importance of understanding how the company makes money and what critical business processes and IT systems support the mission. Later in the episode, Branden Newman shares his career path to becoming a CISO and his approach to building an effective cyber strategy. Newman stresses the importance of communication skills and the ability to influence people as the most critical skills for a CISO. He also shares his advice on how to effectively influence executives as a CISO.
Full Transcripts - https://docs.google.com/document/d/1nFxpOxVl6spkK-Y8GLU5q2f6R_4VD-a2
Chapters:
00:00 Introduction
01:06 The Four Questions (Who, What, Why, and How)
08:11 Building an accepted cyber strategy
09:19 Importance of communication skills for a CISO
10:19 Understanding financial statements
12:47 Following the money
14:09 Reputation and cybersecurity
15:24 Getting executive buy-in into cybersecurity
15:57 Building Trust with Executives
16:45 Security Enables New Elements of Business
17:13 Why Cybersecurity Gets Ignored
20:07 Framing Cybersecurity as a Competitive Advantage
21:19 Mistakes CISOs Make When Communicating with Executives
22:54 Telling Stories to Communicate with Executives
24:09 Using Business Cases and Examples
27:28 The Importance of Listening to the Executives
29:31 Making Informed Risk-Based Decisions
30:54 Building Trust and Champions
32:55 Building a Network of Trust
35:13 Being Pragmatic

Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in.
Analysis of Competing Hypothesis https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
Christopher Crowley's Company https://montance.com/ 
Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr
Chapters
00:00 Introduction
02:30 The Morris Worm and the Internet
04:17 The Future of Cybersecurity
06:41 How to setup a shared drive for multitasking
10:26 The Evolution of Career Paths
12:02 The Importance of Methodology in Problem Solving
14:16 The Importance of Hypothesis in Cybersecurity
19:58 MITRE ATT&CK® Framework: A Two Dimensional Array
21:54 The Importance of a Foregone Conclusion Methodology
23:29 The Disruptor's Role in Hypothesis Brainstorming
25:18 The Importance of Resilience in Leadership
27:45 Methodologies and Threat Hunting
29:21 The Importance of Information Bias in Threat Hunting
34:31 How to Sort Hypothesis in a Spreadsheet
37:22 The Importance of Refining the Matrix
40:34 How to Automate Analysis of Competing Hypothesis

Have you ever wanted to get a legal perspective on cybersecurity?  On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others.  He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general council.  Please enjoy. 
Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh
Chapters
00:00 Introductions
01:52 The Attorney Client Privilege
04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
06:30 CISO Disclaimer
09:23 Security Is a Component of Government Contracts
11:59 What are the Borders Between Information Security and Legal Risk
15:31 Cyber Security - Is there a Standard of Care?
18:11 Do you have a Reasonable Best Effort?
21:27 CMMC 2.0
26:22 Is your Privacy Policy going to expire?
28:30 What is Reasonable Assurance?
33:41 Advice for Partnering with the General Counsel

Have you ever wondered how to negotiate your best CISO compensation package?  On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages.  Examples include but are not limited to: - Base Salary,
Bonuses (Annual, Relocation, & Hiring)
Reserve Stock Units
Annual Leave
Title (VP or SVP)
Directors & Officers Insurance
Accelerated Vesting Clauses
Severance Agreements
You can learn more about CISO compensations by Googling any of the following compensation surveys
Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...
Full Transcripts: https://docs.google.com/document/d/1e...
Chapters:
00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
11:44 Is there a signing bonus?
13:56 What's the difference between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should you counter an offer?
28:17 Corporate Liability Insurance
29:50 Do you want to be extended on the Director and Officer Insurance Policy?
32:56 How to negotiate a severance agreement
36:00 Compensation Survey Reports

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in.  Sometimes ethical stances are clear and you know you are doing what’s right.  Others are blurry, messy, and really weigh on your mind.  So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Case where Joe Sullivan the Former Chief Security Officer of Uber was convicted of federal charges for covering up a data breach.  Thanks to Stephen Northcutt for coming on today's show.
Full Transcript https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9
Chapters
00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do you have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and say you are wrong
27:40 CISOs and CISOs - Is this a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.
Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
Gal's Twitter Page - https://twitter.com/Shpantzer
Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/
Chapters
00:00 Introduction
02:00 How do you Architect Big Data Data Infrastructure
03:33 Are you taking a look at Ransomware?
06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is there a Security Log
32:30 Streaming Analytics is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues?  Today we are going to overcome that by talking about what good governance looks like.  We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO.  We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li
Chapters
00:00 Introduction
03:10 Good Governances is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge is Taking Measured Risk
20:05 Is there a Cybersecurity Policy
22:32 Culture eats Policy for Lunch
24:14 The Role of the CISO
27:52 How do you Convince the Leadership Team that you need extra resources
29:51 How do you Measure Cybersecurity?
32:22 How do we communicate Risk Findings to Senior Management
36:07 Are you Aligning with the Audit Committee

In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.
Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv 
Chapters
00:00 Introduction
04:01 Is there a Gap Analysis in ISO 27001?
08:05 Is there a Requirement for ISO Standards?
10:57 What is ISO 27001?
13:11 Is there a Parallel Development between the US and EU?
16:57 Do you want to be a trooper?
21:17 What's the Oldest Operating System?
23:09 Is there a Legacy Operating Systems that you can't get away with?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I need 6 people period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs

How can cyber best help the sales organization?  It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.
Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/
Chapters
00:00 Introduction
02:58 How did you marry those two cultures?
06:40 Building a Diverse Workforce
08:23 Is this a new role based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
19:07 Is there a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do you have any lessons learned from your success at Global Management Consulting?
29:33 You need to schedule time to get things done
33:33 What about Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO

Did you ever wonder how much security you can implement with a single vendor?  We did and were surprised by how much you can do using the Australian Top Eight as a template.  We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.
Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts:
https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ
Helpful Links
Essential 8 https://www.microsoft.com/en-au/business/topic/security/essential-eight
Blocking Macros https://ite8.com.au/the-essential-8/office-macros-explained/ 
Windows Defender Application Control or WDAC (available from Windows 10 or Server 2016 or newer) previously Windows had App Locker (Windows 7 / 8)
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Windows Group Policies
https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains 
https://data.iana.org/TLD/tlds-alpha-by-domain.txt 
Software Restriction Policies http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
Blocking websites URL - only allow (.com, .org, .net, edu, .gov, .mil, and the countries you want).   
Locking down Active Directory https://attack.stealthbits.com/tag/active-directory 
File Service Resource Management
http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
Enable MFA for RDP
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access  
https://duo.com/docs/rdp
Enable MFA for SSH
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux 
Windows Controlled Folder Access
https://support.microsoft.com/en-us/topic/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363
Use Windows File History to create backups to one drive.
https://www.ubackup.com/windows-10/file-history-backup-to-onedrive-4348.html
Storing your files to One Drive which has ransomware detection
https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
Windows Update
Select Start > Settings > Windows Update > Advanced options. Under Active hours, choose to update manually or automatically in Windows 11. 
https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde 
Microsoft Conditional Policies- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common 
Microsoft Authenticator with Number Matching, Geo, & Additional Context
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context 
https://websetnet.net/microsoft-rolls-out-new-microsoft-authenticator-features-for-enterprise-users/
Application Approve List- https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.  
 
Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb
Chapters:
00:00 Introduction
02:51 Source Code Analyzers
04:22 The three bears of Static Analysis
06:01 Do Linters work Better?
08:00 The Value of Full Programming Analysis Tools over Linters
11:30 The Impact of a Developer's Analysis on a Developer Environment
13:05 SAST Testing
15:47 OWASP Benchmarking
19:13 The First Static Analysis Tools
20:53 Can you break up that worry about Automated Testing?
22:44 Using Static Analysis for Defect Discovery
24:18 Using Static Analysis to Improve Web Security
31:37 Using Static Analysis to Drive Cloud Security
33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
34:55 Using Static Analysis to Build a Vulnerability Management Practice
37:35 Can you use Static Analysis to Find Insider Threat?

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.
Special thanks to our sponsor Praetorian for supporting this episode.
Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj
Chapters:
00:00 Introduction
04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
07:48 What's the Difference between a CTO and a CIO?
10:24 What attracted you to the problem space?
12:53 Is the Attack Surface really exposed?
16:12 Shadow IT - The Unknown Unknowns that could Bite You
19:56 Is there a Shadow IT problem?
23:24 How to get management on board with Shadow IT?
26:38 Building an Attack Surface Management Program
29:57 You Get What You Measure, Right?
33:27 Do I Have Vulnerable Assets?
39:24 Attack Surface Management