CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2024, National Security Corporation. All Rights Reserved
Episodes
Monday Jul 11, 2022
This episode features Rafeeq Rehman. He discusses the need for a CISO MindMap and 6 focus areas for 2022-2023:
1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk, but they do add to the expertise the security team must maintain.
3. To serve your business better, train staff on business acumen, value creation, influencing and human experience.
4. Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
6. Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
Links:
CISO MindMap Link
CISO MindMap 2022 Recommendations Link
Information Security Leaders Handbook Link
Cybersecurity Arm Wrestling Link
Monday Jul 04, 2022
On this episode of CISO Tradecraft, we feature Helen Patton.
Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.
-Is technical acumen needed for CISOs?
-Surviving organizational politics
(34:45) Helen discusses The Fab 5 Security Outcomes study.
Volume 1 Study - Link
Volume 2 Study - Link
Monday Jun 27, 2022
On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula. Robin is the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate. Robin highlights 4 Pillars of Communicating:
Seek the thoughts and opinions of others
Talk in terms of priorities, pain points, and challenges of others
Use nonjudgmental validation (i.e., seek to understand others without judging them)
Empower others with choice and give them cause and effect of each choice
To learn more about Robin's way of thinking you can check out his podcast and books:
Forged By Trust Podcast
Sizing People Up
The Code of Trust
It's Not All About Me
The People Formula Workbook 2.0: Communication Style Inventory
Monday Jun 20, 2022
This episode is sponsored by Varonis. You can learn how to reduce your ransomware blast radius by performing a free ransomware readiness assessment Link
On this episode, Sounil Yu continues his discussion about his new book ("Cyber Defense Matrix"). Listen to learn more about:
Pre-Event Structural Awareness vs Post-Event Situational Awareness
Environmental vs Contextual Awareness
Understanding Security Handoffs
Rationalizing Technologies
Portfolio Analysis
Responding to Emerging Buzzwords (Zero Trust and SASE)
Monday Jun 13, 2022
This episode is sponsored by Varonis. You can learn how to reduce your ransomware blast radius by performing a free ransomware readiness assessment Link
This episode of CISO Tradecraft has Sounil Yu talk about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth. We discuss how the Cyber Defense Matrix can be used for:
Capturing & Organizing Measurements & Metrics
Developing a Cyber Security Roadmap
Gaining Greater Situational & Structural Awareness
Understanding Organizational Responsibilities & Handoffs
Rationalizing Technologies & Finding Investment Opportunities
Deciphering the Latest Industry Buzzword
You can purchase Sounil's new book here Link
Monday Jun 06, 2022
On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO. Listen and learn about:
The evolving role of the CISO
How John got started as a CISO
What is a Field CISO, and how does it differ from a traditional CISO role
Tips on getting your career to the next level by attending the right conferences and getting an executive coach
How to get Business Alignment
How the Security Advisor Alliance is helping the next generation of cyber talent
Monday May 30, 2022
Deb Radcliff has been a respected journalist covering cybersecurity and our community for over 25 years, and she remains a trusted information source who checks and double-checks her sources before publication: a refreshing change from the low-signal, high-noise world of social media. In this episode, we discuss where CISOs might turn for accurate information, how the industry has evolved in complexity, and take a look at the first of three fictional novels she's writing about a future world where hackers take on an oppressive digital state. What is really interesting is her explanation of how she went from book idea to published reality.
Breaking Backbones: Information is Power may be purchased from the following Amazon Link
Monday May 23, 2022
On this Episode of CISO Tradecraft we talk about the Top 10 areas of concern for the C Suite about Ransomware. Note you can read the full ISC2 Study here (Link).
Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware.
Increase Communication and Reporting to Leadership
Temper Overconfidence as Needed
Tailor Your Message
Make the Case for New Staff and Other Investments
Make Clear that Ransomware Defense is Everyone’s Responsibility
Monday May 16, 2022
On this episode of CISO Tradecraft, Christian Hyatt from risk3sixty stops by to discuss the 3 major Business Objectives for CISOs:
Risk Management
Cost Reduction
Revenue Generation
He also discusses the five CISO Archetypes.
The Executive
The Engineer
The GRC Guru
The Technician
The Builder
References:
The 5 CISO Archetypes Book Link
Designing the CISO Role Link
Monday May 09, 2022
Chances are your organization has information that someone else wants. If it's another nation state, their methods may not be friendly or even legal. In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies. Listen now so you don't become a statistic later.
References:
https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf
https://nhglobalpartners.com/made-in-china-2025/
https://www.cybintsolutions.com/cyber-security-facts-stats/
http://www.secretservice.gov/ntac/final_it_sector_2008_0109.pdf
http://www.secretservice.gov/ntac/final_government_sector2008_0109.pdf
CIS Controls v8.0, Center for Internet Security, May 2021, https://www.cisecurity.org
https://owasp.org/www-project-threat-and-safeguard-matrix/
https://www.acq.osd.mil/cmmc/about-us.html
Monday May 02, 2022
Our profession has been growing like crazy, with an estimated 3.5 million unfilled cybersecurity jobs within the next few years. More certs, more quals, more money, right? The sky’s the limit. But what if we’re wrong? AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? [We did a ton of research looking at facts, figures, industry trends, and possible futures that might have us thinking that 2022 may have been “the good old days.” No gloom-and-doom here; just an objective look with a fresh perspective, you know, just in case.]
Monday Apr 25, 2022
On this episode of CISO Tradecraft, we discuss how to avoid Death By PowerPoint by creating cyber awareness training that involves and engages listeners. Specifically we discuss:
The EDGE method: Explain, Demonstrate, Guide, and Enable
Escape Rooms
Tabletop Exercises
Polling During Presentations
Short videos from online resources
References:
https://blog.scoutingmagazine.org/2017/05/05/living-on-the-edge-this-is-the-correct-way-to-teach-someone-a-skill/
http://www.inquiry.net/ideals/scouting_game_purpose.htm
https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/
Escape Rooms
https://library.georgetown.org/virtual-escape-rooms/
https://research.fairfaxcounty.gov/unlimited/escape
Tabletop Exercises
From GCHQ
https://www.ncsc.gov.uk/information/exercise-in-a-box
From CISA
https://www.cisa.gov/cisa-tabletop-exercises-packages
Funny Videos on Cyber
https://staysafeonline.org/resource/security-awareness-episode/
Monday Apr 18, 2022
On this episode of CISO Tradecraft, we focus on password security and how it's evolving. Tune in to learn about:
Why we need passwords
Ways consumers log in and authenticate
How bad actors attack passwords
How long it takes to crack passwords
Different types of MFA
The future of passwords with conditional access policies
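The contrast behind the "how bad actors attack passwords" and "how long it takes to crack passwords" points, as an added Python example that is not from the episode or its references: a constructed six-word stand-in for a RockYou-style leaked list is run against unsalted SHA-256 hashes (one hash per guess, matched against every stolen hash at once) and against salted PBKDF2 records (one full derivation per user per guess), and a small benchmark extrapolates how long a single core would need to exhaust a keyspace with each hash. The wordlist, the user records and the iteration counts are all constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a RockYou-style leaked wordlist (not real breach data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022", "dragon"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: one hash per guess, reusable against every stolen hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(user: str, password: str, iterations: int):
    """Produce the (user, salt, digest) record a well-built site would store."""
    salt = os.urandom(16)
    return (user, salt, slow_hash(password, salt, iterations))


def attack_unsalted(stolen: set, wordlist):
    """Hash each candidate once and match it against all stolen hashes at once.
    Returns (cracked {digest: password}, number of hash operations spent)."""
    cracked, hash_ops = {}, 0
    for word in wordlist:
        hash_ops += 1
        digest = fast_hash(word)
        if digest in stolen:
            cracked[digest] = word
    return cracked, hash_ops


def attack_salted(records, wordlist, iterations: int):
    """Per-user salts force a separate PBKDF2 run per (user, candidate) pair.
    Returns (cracked {user: password}, number of PBKDF2 derivations spent)."""
    cracked, hash_ops = {}, 0
    for user, salt, digest in records:
        for word in wordlist:
            hash_ops += 1
            if hmac.compare_digest(slow_hash(word, salt, iterations), digest):
                cracked[user] = word
                break
    return cracked, hash_ops


def seconds_to_exhaust(hash_fn, charset_size: int, length: int, sample: int = 200) -> float:
    """Benchmark hash_fn on this machine, then extrapolate to the full keyspace of
    `length` characters over a `charset_size` alphabet (one core, no GPU, no shortcuts)."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(f"probe{i}")
    per_guess = (time.perf_counter() - start) / sample
    return per_guess * charset_size ** length


if __name__ == "__main__":
    # Constructed breach: two weak passwords and one strong one, stored unsalted.
    stolen = {fast_hash(p) for p in ("letmein", "password", "Tr0ub4dor&3")}
    print("unsalted:", attack_unsalted(stolen, WORDLIST))
    iters = 20_000
    users = [register("alice", "letmein", iters), register("bob", "Tr0ub4dor&3", iters)]
    print("salted:", attack_salted(users, WORDLIST, iters))
    # Eight lowercase letters (26**8) at this machine's single-core rate.
    print("SHA-256 keyspace seconds:", seconds_to_exhaust(fast_hash, 26, 8))
    print("PBKDF2 keyspace seconds:",
          seconds_to_exhaust(lambda p: slow_hash(p, b"fixed-salt", iters), 26, 8))
```

The op counters are the point: against unsalted hashes the attacker pays once per candidate regardless of how many accounts were stolen, while salting multiplies the work by the number of accounts and the iteration count multiplies it again, which is why the crack-time tables in the references assume the hash type.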
References:
https://danielmiessler.com/blog/not-all-mfa-is-equal-and-the-differences-matter-a-lot/
https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
https://en.wikipedia.org/wiki/RockYou
https://cisotradecraft.podbean.com/e/ciso-tradecraft-active-directory-is-active-with-attacks/
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
Monday Apr 11, 2022
Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend for over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, it looks like he's doing a Tom Brady and writing one more amazing book. **Warning: Adult Language**
Winn's Website Link
Monday Apr 04, 2022
On this episode of CISO Tradecraft, Anton Chuvakin talks about logging, Security Information & Event Management (SIEM) tooling, and cloud security. Anton shares fantastic points of view on:
How moving to the cloud is like moving to a space station (13:44)
How you may be one IAM mistake away from a breach (20:05)
How a SIEM is a logging-based approach, whereas EDRs require agents on endpoints. This becomes really interesting when cloud services don’t have an endpoint on which to install an agent (26:53)
Why you don’t want an on-premises SIEM (32:35)
The 3 AM Test - Should you wake someone up for this alert at 3 AM (39:24)
Monday Mar 28, 2022
On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO. He shares various tips and tricks he has used to work effectively as a CISO across multiple companies. Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks. There's lots of great information to digest.
Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading. You can find them here on Gary's Amazon page.
Monday Mar 21, 2022
On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill & cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:
CFO
Legal
Marketing
Business Units
CEO
CIO
HR
Note: Robin Dreeke mentions 5 keys to building trust:
Learn about their priorities, goals, and objectives.
Place theirs ahead of yours.
Allow them to talk; suspend your own need to talk.
Seek their thoughts and opinions.
Ego suspension: validate them unconditionally and non-judgmentally for who they are as a human being.
During this week's Monday Morning Email, CISO Tradecraft answers the question on how to craft a winning resume to land your first CISO role.
Monday Mar 14, 2022
On this episode of CISO Tradecraft, we talk about how cyber can help the four key business objectives identified by InfoTech:
1. Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.
2. Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.
3. Service enablement: The productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.
4. Customer and market reach: The improved reach and insights of the business in existing or new markets.
We also discuss Franklin Covey's 4 Disciplines of Execution (TM):
Focus on the Wildly Important
Act on the lead measures
Keep a compelling scoreboard
Create a cadence of accountability
References for the InfoTech and Franklin Covey material can be found here:
https://www.infotech.com/research/ss/build-a-business-aligned-it-strategy
https://www.franklincovey.com/the-4-disciplines/
Monday Mar 07, 2022
Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2. In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint: it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there is convincing evidence we are not alone in this universe.
References: https://thiemeworks.com/
Monday Feb 28, 2022
On this episode of CISO Tradecraft we are going to talk about various access control and authentication technologies.
Access Control Methodologies:
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Privileged Access Management (PAM)
Rule Based Access Control
Attribute Based Access Control (ABAC), also called Policy Based Access Control (PBAC)
Authentication Types:
Password-based authentication
Certificate-based authentication
Token-based authentication
Biometric authentication
Two-factor Authentication (2FA)
Multi-Factor Authentication (MFA)
Location-based authentication
Computer recognition authentication
Completely Automated Public Turing Test to Tell Computers & Humans Apart (CAPTCHA)
Single Sign On (SSO)
Risk Based authentication
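How MAC, RBAC and ABAC/PBAC decisions differ in practice, as an added Python example that is not from the episode or its references: a mandatory label check (no read-up) gates every request, a static role-to-permission table gives the coarse RBAC answer, and an attribute rule set then narrows it using the subject's department, whether the session completed MFA, the network and the time of day. The subjects, resources, roles, classification levels and rules are all constructed for this example; real deployments would load them from a directory and a policy engine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    department: str
    clearance: int      # MAC-style clearance level held by the person (constructed scale 0-3)
    mfa: bool           # did this session complete multi-factor authentication?


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    classification: int  # MAC-style label: 0 = public ... 3 = restricted (constructed scale)


# RBAC: a static mapping from role to the actions it carries (constructed roles).
ROLE_PERMISSIONS = {
    "analyst": frozenset({"read"}),
    "engineer": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}


def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: the action is granted if any of the subject's roles carries it."""
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in subject.roles)


def mac_allows(subject: Subject, resource: Resource) -> bool:
    """MAC: labels are fixed by policy, not by owners; no reading above clearance."""
    return subject.clearance >= resource.classification


def abac_allows(subject: Subject, resource: Resource, action: str, env: dict) -> bool:
    """ABAC/PBAC: rules combine subject, resource, action and environment attributes."""
    same_dept = subject.department == resource.owner_department
    if action == "read":
        return same_dept
    if action == "write":
        # writes need an MFA-backed session from the corporate network
        return same_dept and subject.mfa and env.get("network") == "corp"
    if action == "delete":
        # deletes are admin-only, MFA-backed and limited to business hours
        return "admin" in subject.roles and subject.mfa and 9 <= env.get("hour", -1) < 18
    return False


def authorize(subject: Subject, resource: Resource, action: str, env: dict):
    """Layered decision: MAC label first, then coarse RBAC, then contextual ABAC.
    Returns (allowed, reason) so a deny can be logged with the layer that refused it."""
    if not mac_allows(subject, resource):
        return False, "MAC: clearance below resource classification"
    if not rbac_allows(subject, action):
        return False, f"RBAC: no role grants '{action}'"
    if not abac_allows(subject, resource, action, env):
        return False, "ABAC: attribute/context rule not satisfied"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed subjects, resources and session context.
    alice = Subject("alice", frozenset({"engineer"}), "engineering", 2, True)
    bob = Subject("bob", frozenset({"analyst"}), "finance", 1, True)
    carol = Subject("carol", frozenset({"admin"}), "engineering", 3, False)
    doc = Resource("design-doc", "engineering", 1)
    keys = Resource("signing-keys", "engineering", 3)
    corp = {"network": "corp", "hour": 10}
    for who, what, act, ctx in [(alice, doc, "write", corp),
                                (alice, doc, "write", {"network": "home", "hour": 10}),
                                (bob, doc, "read", corp),
                                (carol, doc, "delete", corp),
                                (alice, keys, "read", corp)]:
        print(who.name, act, what.name, "->", authorize(who, what, act, ctx))
```

The ordering matters for the audit trail: a request refused by the MAC label never reaches the role or attribute logic, so the deny reason tells the responder which control held, and an RBAC grant alone is never sufficient for a sensitive action.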
References
https://riskbasedauthentication.org/
https://blog.identityautomation.com/what-is-risk-based-authentication-types-of-authentication-methods
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
https://www.n-able.com/blog/network-authentication-methods
https://www.getgenea.com/blog/types-of-access-control/
https://www.twingate.com/blog/access-control-models/
https://csrc.nist.gov/glossary/term/authentication
https://csrc.nist.gov/glossary/term/authorization
https://www.techtarget.com/searchsecurity/definition/access-control
Monday Feb 21, 2022
On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and 6 important steps you can take to mitigate these attacks within your organization:
Centralize your software code repository
Centralize your artifact repository
Scan open source software for malware
Scan software for vulnerabilities and vendor support
Run a Web Application Firewall (WAF)
Run Runtime Application Self-Protection (RASP)
References:
https://owasp.org/www-project-threat-and-safeguard-matrix/
https://slsa.dev/
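The first four steps above, and the earlier recommendation to inventory open source libraries and fold them into vulnerability management, come down to one routine check that can run in CI. As an added Python example that is not from the episode or its references, the script below parses a constructed requirements file into an inventory, flags dependencies resolved from anywhere other than the approved artifact repository, flags unpinned entries that cannot be assessed, and matches pinned versions against a constructed advisory feed. The package names, advisory identifiers, version ranges and the internal index URL are all fictional placeholders for this example; a real pipeline would pull OSV, GHSA or NVD data and use a proper version-parsing library.

```python
import re
from dataclasses import dataclass

# Assumed internal mirror (placeholder); any other index is an uncontrolled source.
APPROVED_INDEX = "https://artifacts.corp.example/simple"

# Constructed advisory feed: (package, first_affected, first_fixed, advisory_id).
# Fictional packages and IDs, not real vulnerabilities.
ADVISORIES = [
    ("widgetlib", (1, 0, 0), (1, 4, 2), "ADV-EXAMPLE-001"),
    ("acme-auth", (0, 9, 0), (2, 0, 0), "ADV-EXAMPLE-002"),
]

# Constructed requirements file as an application team might commit it.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
widgetlib==1.3.0
acme-auth==2.1.0
fastjson>=3.0
tinylog==0.2.1  # internal fork
"""

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9.]*)?")


def parse_version(text: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); plain dotted integers only (no pre-release tags)."""
    return tuple(int(part) for part in text.split(".") if part)


@dataclass
class Finding:
    package: str
    severity: str
    detail: str


def parse_requirements(text: str):
    """Return (index_url, [(name, operator, version_tuple_or_None)]) as the inventory."""
    index_url, deps = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("--index-url"):
            index_url = line.split(None, 1)[1].strip()
            continue
        match = _REQ.match(line)
        if not match:
            continue
        name, op, ver = match.groups()
        deps.append((name.lower(), op, parse_version(ver) if ver else None))
    return index_url, deps


def assess(text: str, advisories=ADVISORIES, approved_index=APPROVED_INDEX):
    """Inventory the file and return findings: wrong index, unpinned deps, known advisories."""
    findings = []
    index_url, deps = parse_requirements(text)
    if index_url != approved_index:
        findings.append(Finding("*", "high",
                                f"dependencies resolved from {index_url or 'the default index'}, "
                                "not the approved artifact repository"))
    for name, op, ver in deps:
        if op != "==" or ver is None:
            findings.append(Finding(name, "medium",
                                    "not pinned to an exact version; cannot be assessed"))
            continue
        for pkg, first_bad, first_fixed, adv_id in advisories:
            if pkg == name and first_bad <= ver < first_fixed:
                fixed = ".".join(map(str, first_fixed))
                findings.append(Finding(name, "high", f"{adv_id}: affected, upgrade to {fixed}"))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_REQUIREMENTS):
        print(f"[{finding.severity}] {finding.package}: {finding.detail}")
```

Running it on the sample file yields three findings: the public index instead of the internal repository, widgetlib 1.3.0 inside the advisory range, and the unpinned fastjson that cannot be assessed at all; the same file with the approved index, widgetlib at 1.4.2 and fastjson pinned comes back clean.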
Monday Feb 14, 2022
Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO.
What’s in a Game?
Objective
Rules
Challenge/Competition
Randomness or unpredictability
Designed for fun and sometimes learning
What Makes a Game Fun?
Challenge - requires a reasonable level of difficulty
Fantasy - a compelling setting for game action; temporary suspension of reality
Curiosity - random events so that play is not completely deterministic
Control - learners are confronted with choices
What’s in a Learning Game?
Active participation
Immediate feedback
Dynamic interaction
Competition
Novelty
Goal direction
5 Gamification Concepts
Leaderboards
Badges & Achievements
Levels & Progression
Unlockables
Virtual Economy
4 Player Types
Killers are players motivated by leader boards and ranks. These players focus on winning and peer to peer competition. Their focus is on acting on other players.
Achievers are players motivated by achievements and points. These players focus on achieving present goals quickly and completely. Their focus is on acting on the world.
Socializers are players motivated by friends lists, chat, and news feeds. These players focus on socializing and developing a network of friends. Their focus is on interacting with players.
Explorers are players motivated by hidden content and levels. These players focus on exploring and discovering the unknown. Their focus is on interacting with the world.
References:
https://www.chaostheorygames.com/blog/serious-games-guide-everything-you-need-to-know-in-2021
https://www.chaostheorygames.com/blog/what-is-gamification-2020-definition
https://directivecommunication.net/the-ultimate-guide-to-work-gamification/
https://yukaichou.com/gamificationnews/4-dominant-applications-of-gamification/
https://medium.com/@chow0531/actionable-gamification-fbe27f6cb2d6
https://www.capgemini.com/2020/06/gamification/
https://insights.lytho.com/translation-fails-advertising
http://timboileau.wordpress.com
https://www.amazon.com/dp/1451611064/?coliid=I2J1XHCOBD5476&colid=2CQEH5MGKB5YX&psc=1&ref_=lv_ov_lig_dp_it
Monday Feb 07, 2022
On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:
Use a Cyber Maturity Model such as CMMI to identify the current situation and build a roadmap of where the organization is headed
Quantify Known Risks through a Risk Register which gets routinely briefed to Executives
Align Cyber to Business Objectives to enable the business
If you enjoy listening to Allan Alford, then please subscribe to The Cyber Ranch Podcast for more great content.
Monday Jan 31, 2022
As a cyber executive you should expect disaster and disruption. When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing vital records to perform business functions.
The secret to accomplishing these objectives can be found in three important documents. Those being a Business Continuity Plan, Disaster Recovery Plan, & a Business Impact Analysis. Enjoy the show as we walk you through them.
FEMA BCP Example: https://arlingtonva.s3.amazonaws.com/wp-content/uploads/2019/08/COOP-Template-Business-Continuity.pdf
IBM Disaster Recovery Plan: https://www.ibm.com/docs/en/i/7.1?topic=system-example-disaster-recovery-plan
Fire Drills: https://en.wikipedia.org/wiki/Fire_drill
Business Impact Analysis: https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf
Monday Jan 24, 2022
On this episode, we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: technical skills, management skills, leadership skills, and political skills.
We also highlight 6 crucial areas to improve your political skills:
Social Astuteness - You need to get your cues right. Socially astute managers are well-versed in social interaction. In social settings they accurately assess their own behavior as well as that of others. Their strong powers of discernment and high self-awareness contribute to their political effectiveness.
Interpersonal Influence - Managers who are effective influencers have good rapport with others and build strong interpersonal relationships. They also tend to have a better understanding of broader situations and better judgment about when to assert themselves.
Networking Ability - Skilled networkers build friendships and working relationships by garnering support, negotiating, and managing conflict. They know when to call on others and are seen as willing to reciprocate.
Apparent Sincerity - Be sincere. Politically skilled individuals display high levels of integrity, authenticity, sincerity, and genuineness. They really are--and also are viewed as--honest, open, and forthright, inspiring trust and confidence.
Think before you speak - Politically skilled managers are careful about expressing feelings. They think about the timing and presentation of what they have to say.
Manage up and down - Leaders need to skillfully manage up by communicating with their bosses and keeping higher-ups informed. But this can become a double-edged sword; research shows that the people who are most skilled at managing up tend not to invest enough energy in building and leading their teams. True political skill involves relationships with teammates and direct reports as well as higher-ups.
References:
https://www.ckju.net/en/blog/6-behaviors-characterize-politically-skilled-individuals-organizations-how-learn-them/32148
https://en.wikipedia.org/wiki/Terry_Tate:_Office_Linebacker
https://hbr.org/2017/04/the-4-types-of-organizational-politics
https://www.forbes.com/2010/05/25/office-politics-psychology-leadership-managing-ccl.html
Ferris, G. R., Davidson, S. L., & Perrewe, P. L. (2005). Political skill at work: impact on work effectiveness. Mountain View, Calif. : Davies-Black Pub
Ferris, G. R., Treadway, D. C., Kolodinsky, R. W., Hochwarter, W. A., Kacmar, C. J., Douglas, C., & Frink, D. D. (2005). Development and Validation of the Political Skill Inventory. Journal of Management, 31(1), 126-152. doi: 10.1177/0149206304271386
Ferris, G. R., Berkson, H. M., Kaplan, D. M., Gilmore, D. C., Buckley, M. R., Hochwarter, W. A., et al. 1999. Development and initial validation of the political skill inventory. Paper presented at the 59th annual national meeting of the Academy of Management, Chicago.