CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2025, National Security Corporation. All Rights Reserved
Episodes

Monday Aug 08, 2022
A CISO’s Guide to Pentesting
References
https://en.wikipedia.org/wiki/Penetration_test
https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
https://pentest-standard.readthedocs.io/en/latest/
https://www.isecom.org/OSSTMM.3.pdf
https://s2.security/the-mage-platform/
https://bishopfox.com/platform
https://www.pentera.io/
https://www.youtube.com/watch?v=g3yROAs-oAc
****************************
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.
Now, to get a good understanding of pentesting, we are going to go over the basics every CISO needs to understand:
What is it?
Where are good places to order it?
What should I look for in a penetration testing provider?
What does a penetration testing provider need to provide?
What's changing on this going forward?
First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?
Now let's start with providing a definition of a penetration test. According to Wikipedia, a penetration test or pentest is an authorized simulated cyber-attack on a computer system, performed to evaluate the security of that system. It's really designed to show weaknesses in a system that can be exploited. Let's think of the things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There are really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. They will usually cost between $10,000 and $30,000, but if you have a complex system it's not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard, such as: our company will perform penetration tests on customer-facing applications, PCI applications, and Financially Significant Applications (SOX applications) once per year.
My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies."
Please do not confuse a penetration test with a Red Team exercise. A red team exercise just wants to accomplish an objective, like stealing data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It's a subtle difference, but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify all potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a "good enough" standard of risk, and that is called "acceptable risk." So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate.
Let's take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is whether you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or a SOC 2 Type 2 report, and both of those standards require, you guessed it, a penetration test. In this case your company would be expected to document a pentest performed by an external provider. Now, if your company has a website that is selling direct to consumers, then chances are you don't have the same level of requirement for an external pentest. So, you may be able to get by with an internal penetration test performed by your company's own employees.
I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly known as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pentester's job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance, and could have been with very little effort. Think of a pentest as a final exam, if you will. Otherwise, it's an expensive way to populate your security to-do list.
OK, let's say we want to have an external penetration test and we have the $10-30K on hand to pay an external vendor. Remember this: a penetration test is only as good as the person conducting the penetration test. Cyber is a very unregulated industry, which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a Medical Doctor or Physician. This is usually someone who has a degree such as an MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this with the cyber security industry. There is no requirement for a degree to practice cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant cyber certifications to demonstrate competency to perform a penetration test. There are a number of penetration testing certifications, such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAPT, and the Offensive Security Certified Professional or OSCP.
We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it’s a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company.
Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. The first type is companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (The Big 4 1/2). This is expensive, but it's easy to get them approved since most large companies already have contracts with at least one of these firms. The second type of company that we see are large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec focus largely on penetration testing and don't extend into other areas like financial auditing. They have at least 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies. Note they are often highly acclaimed, so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find, so you have to find a relevant vendor. Remember, if someone can pass the OSCP it means they know how to test and usually have a background in web application penetration testing. Attacking a web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or Cross Site Scripting. This is a very different set of skills from someone who can hack a vehicle Controller Area Network (CAN) bus or a John Deere tractor, which requires reverse engineering and C++ coding.
Once you pick your vendor and successfully negotiate a master license agreement, be sure to check that you are continuing to get the talent you expect. It's common for the first penetration test to have skilled testers, but over time a vendor may replace staff with cheaper labor who might not have the OSCP or the same level of experience that you expect. Don't let this happen to your company; review the labor and contract requirements on a recurring basis.
Alright, let's imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? Well, if you are looking for a quality penetration testing guide, we recommend following the one used by Google. Google, whose parent company is called Alphabet, has publicly shared their penetration testing guidelines, and we have attached a link to them in our show notes. It's a great read, so please take a look. Now, Google recommends that a good penetration test report should clearly follow an assessment methodology during the assessment. Usually, penetration testers will follow an industry-recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, the Penetration Testing Execution Standard, or the OSSTMM, the Open Source Security Testing Methodology Manual. These assessment methodologies can be used to show that an extensive evaluation was done and a multitude of steps/attacks were carried out. They can also standardize the documentation of findings. For each finding you will want the risk severity level, the impact from a business and technical perspective, clear and concise steps to reproduce the finding, screenshots showing evidence of the finding, and recommendations on how to resolve the finding. This will give you a quality penetration test report that you can reuse across the organization to improve your understanding of technical risks.
Now that we know how to get good penetration tests today, let's think about how penetration testing is changing for the future. The answer is automation. Now, we have had automated vulnerability management tools for decades. But please don't think that running a Dynamic Application Security Testing tool, or DAST, such as WebInspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional, which is quite different from a 30-minute scan. As a cyber industry we are starting to see innovative penetration testing companies build out continuous and automated penetration testing tooling. Examples of this include Bishop Fox's Cosmos, Pentera's Automated Security Validation Platform, and Stage 2 Security's Voodoo and Mage tooling. Each of these companies is producing some really interesting tools, and we think they will be a strong complement to penetration tests performed by actual teams. This means that companies can perform more tests on more applications. The other major advantage of these tools is repeatability. Usually, a penetration test is a point-in-time assessment. For example, once a year you schedule a penetration test on your application. That means that if a month later you make changes, updates, or patches to your application, new vulnerabilities can easily be introduced which were never assessed by your penetration test. So having a continuous solution to identify common vulnerabilities is important, because you always want to find your vulnerabilities before the bad actors do.
Here's one final tip. Don't rely on a single penetration testing company. Remember, we discussed that a penetration testing company is only as good as the tester and the toolbox. So, try changing out the company who tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hills Information Security, where each company performs a number of penetration tests for your company each year. You can alternate which company tests which application. For instance, have Bishop Fox perform a pentest of your public website in 2022, then Stage 2 Security test it in 2023, then Black Hills test it in 2024. Every penetration tester looks for something different, and they will bring different skills to the test. If you leverage this methodology of changing penetration testing vendors each cycle, then you will get more findings, which allows you to remediate and lower risk. It also allows you to know if a penetration testing vendor's pricing is out of the norm: you can cancel or renegotiate one contract if a penetration testing vendor wants to double their prices. And watch the news -- even security companies have problems, and if a firm's best pentesters all leave to join a startup, that loss of talent may impact the quality of your report.
Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey. As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe.

Monday Aug 01, 2022
I've been a fan of Sean Heritage for years, since I first discovered his blog, "Connecting the Dots." Today I have the privilege to listen to his thoughts on cybersecurity careers in both the military and the "real world," how to prioritize your life, what career goals you should (and should NOT) aim for, and the importance of great leadership.
Book reference:
Connecting the Dots: Deliberate Observations and Leadership Musings About Everyday Life
https://www.amazon.com/Connecting-Dots-Deliberate-Observations-Leadership/dp/1639373187?&_encoding=UTF8&tag=-0-0-20

Monday Jul 25, 2022
On this episode of CISO Tradecraft, Andy Ellis from Orca Security stops by to talk about three really hard problems that CISOs have struggled with for decades.
How do we build a phishing program that works?
How do we build a 3rd party risk management program that isn't a paper exercise?
How do we actually get good at patch management?
Stick around for some great answers such as:
Human error is a system in need of redesign
How do we put every employee on an island protected from the company?
If we stopped doing this practice/process, then how would the world be different?
What data/transactions does this third party have access to?
What are all of the dangerous things customers can do in their configurations that my organization needs to know about?
What if we turned on auto-patching for the desktop?
What if we set SLA tripwires to alert senior leaders when their developers are unable to meet patching timelines?
References:
Vulnerabilities Don't Count Link

Monday Jul 18, 2022
On this episode of CISO Tradecraft, Bryce Kunz from Stage 2 Security stops by to discuss how offensive cyber operations are evolving. Come and learn how attackers are bypassing MFA and EDR solutions to target your cloud environment. You can also hear what Bryce recommends to beat the bear that is Ransomware.
References:
How Attackers Bypass MFA with Evilginx 2 Link
Stage 2 Security Black Hat Course Link

Monday Jul 11, 2022
This episode features Rafeeq Rehman. He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:
1. Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.
2. Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.
3. To serve your business better, train staff on business acumen, value creation, influencing and human experience.
4. Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
6. Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
Links:
CISO MindMap Link
CISO MindMap 2022 Recommendations Link
Information Security Leaders Handbook Link
Cybersecurity Arm Wrestling Link

Monday Jul 04, 2022
On this episode of CISO Tradecraft, we feature Helen Patton.
Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.
-Is technical acumen needed for CISOs?
-Surviving organizational politics
(34:45) Helen discusses The Fab 5 Security Outcomes study.
Volume 1 Study - Link
Volume 2 Study - Link

Monday Jun 27, 2022
On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula. Robin is the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate. Robin highlights 4 Pillars of Communicating:
Seek the thoughts and opinions of others
Talk in terms of priorities, pain points, and challenges of others
Use nonjudgmental validation (i.e., seek to understand others without judging)
Empower others with choice and give them cause and effect of each choice
To learn more about Robin's way of thinking you can check out his podcast and books:
Forged By Trust Podcast
Sizing People Up
The Code of Trust
It's Not All About Me
The People Formula Workbook 2.0: Communication Style Inventory

Monday Jun 20, 2022
This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment Link
On this episode, Sounil Yu continues his discussion about his new book ("Cyber Defense Matrix"). Listen to learn more about:
Pre-Event Structural Awareness vs Post-Event Situational Awareness
Environmental vs Contextual Awareness
Understanding Security Handoffs
Rationalizing Technologies
Portfolio Analysis
Responding to Emerging Buzzwords (Zero Trust and SASE)

Monday Jun 13, 2022
This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment Link
This episode of CISO Tradecraft features Sounil Yu talking about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth. We discuss how the Cyber Defense Matrix can be used for:
Capturing & Organizing Measurements & Metrics
Developing a Cyber Security Roadmap
Gaining Greater Situational & Structural Awareness
Understanding Organizational Responsibilities & Handoffs
Rationalizing Technologies & Finding Investment Opportunities
Deciphering the Latest Industry Buzzword
You can purchase Sounil's new book here Link

Monday Jun 06, 2022
On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO. Listen and learn about:
The evolving role of the CISO
How John got started as a CISO
What is a Field CISO and how does it differ from a traditional CISO role
Tips on getting your career to the next level by attending the right conferences and getting an executive coach
How to get Business Alignment
How the Security Advisor Alliance is helping the next generation of cyber talent

Monday May 30, 2022
A respected journalist focusing on cybersecurity and our community of people for over 25 years, Deb Radcliff remains a trusted information source who checks and double-checks her sources before publication -- a refreshing change from the low-signal, high-noise world of social media. In this episode, we discuss where CISOs might turn for accurate information, how the industry has evolved in complexity, and take a look at the first of three fictional novels she's writing about a future world where hackers take on an oppressive digital state. What is really interesting is her explanation of how she went from book idea to published reality.
Breaking Backbones: Information is Power may be purchased via the following Amazon Link

Sunday May 22, 2022
On this episode of CISO Tradecraft we talk about the Top 10 areas of concern for the C-suite about ransomware. Note you can read the full ISC2 study here (Link).
Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware.
Increase Communication and Reporting to Leadership
Temper Overconfidence as Needed
Tailor Your Message
Make the Case for New Staff and Other Investments
Make Clear that Ransomware Defense is Everyone’s Responsibility

Monday May 16, 2022
On this episode of CISO Tradecraft, Christian Hyatt from risk3sixty stops by to discuss the 3 major Business Objectives for CISOs:
Risk Management
Cost Reduction
Revenue Generation
He also discusses the five CISO Archetypes.
The Executive
The Engineer
The GRC Guru
The Technician
The Builder
References:
The 5 CISO Archetypes Book Link
Designing the CISO Role Link

Monday May 09, 2022
Chances are your organization has information that someone else wants. If it's another nation state, their methods may not be friendly or even legal. In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies. Listen now so you don't become a statistic later.
References:
https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf
https://nhglobalpartners.com/made-in-china-2025/
https://www.cybintsolutions.com/cyber-security-facts-stats/
http://www.secretservice.gov/ntac/final_it_sector_2008_0109.pdf
http://www.secretservice.gov/ntac/final_government_sector2008_0109.pdf
CIS Controls v8.0, Center for Internet Security, May 2021, https://www.cisecurity.org
https://owasp.org/www-project-threat-and-safeguard-matrix/
https://www.acq.osd.mil/cmmc/about-us.html

Monday May 02, 2022
Our career has been growing like crazy, with an estimated 3.5 million unfilled cybersecurity jobs within the next few years. More certs, more quals, more money, right? The sky's the limit. But what if we're wrong? AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country. Of course, we don't WANT this, but shouldn't a wise professional prepare for possibilities? We did a ton of research looking at facts, figures, industry trends, and possible futures that might have us thinking that 2022 may have been "the good old days." No gloom-and-doom here; just an objective look with a fresh perspective, you know, just in case.

Monday Apr 25, 2022
On this episode of CISO Tradecraft, we discuss how to avoid Death By PowerPoint by creating cyber awareness training that involves and engages listeners. Specifically we discuss:
The EDGE method: Explain, Demonstrate, Guide, and Enable
Escape Rooms
Tabletop Exercises
Polling During Presentations
Short videos from online resources
References:
https://blog.scoutingmagazine.org/2017/05/05/living-on-the-edge-this-is-the-correct-way-to-teach-someone-a-skill/
http://www.inquiry.net/ideals/scouting_game_purpose.htm
https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/
Escape Rooms
https://library.georgetown.org/virtual-escape-rooms/
https://research.fairfaxcounty.gov/unlimited/escape
Tabletop Exercises
From GCHQ
https://www.ncsc.gov.uk/information/exercise-in-a-box
From CISA
https://www.cisa.gov/cisa-tabletop-exercises-packages
Funny Videos on Cyber
https://staysafeonline.org/resource/security-awareness-episode/

Monday Apr 18, 2022
On this episode of CISO Tradecraft, we focus on password security and how it's evolving. Tune in to learn about:
Why do we need passwords
Ways consumers login and authenticate
How bad actors attack passwords
How long does it take to break passwords
Different types of MFA
The future of passwords with conditional access policies
Infographic:
References:
https://danielmiessler.com/blog/not-all-mfa-is-equal-and-the-differences-matter-a-lot/
https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
https://en.wikipedia.org/wiki/RockYou
https://cisotradecraft.podbean.com/e/ciso-tradecraft-active-directory-is-active-with-attacks/
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

Monday Apr 11, 2022
Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend of over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and, after hanging up his pen, it looks like he's doing a Tom Brady and writing one more amazing book. **Warning: Adult Language**
Winn's Website Link

Monday Apr 04, 2022
On this episode of CISO Tradecraft, Anton Chuvakin talks about logging, Security Information & Event Management (SIEM) tooling, and cloud security. Anton shares fantastic points of view on:
How moving to the cloud is like moving to a space station (13:44)
How you may be one IAM mistake away from a breach (20:05)
How a SIEM is a logging based approach, whereas EDRs require agents at endpoints. This becomes really interesting when cloud solutions don’t have an endpoint to install an agent (26:53)
Why you don’t want an on premises SIEM (32:35)
The 3 AM Test - Should you wake someone up for this alert at 3 AM (39:24)

Monday Mar 28, 2022
On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO. He shares various tips and tricks he has used to work effectively as a CISO across multiple companies. Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks. There's lots of great information to digest.
Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading. You can find them here on Gary's Amazon page.

Monday Mar 21, 2022
On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill & cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:
CFO
Legal
Marketing
Business Units
CEO
CIO
HR
Note: Robin Dreeke mentions 5 keys to building goals:
Learn… about their priorities, goals, and objectives.
Place… theirs ahead of yours.
Allow them to talk… suspend your own need to talk.
Seek their thoughts and opinions.
Ego suspension!!! Validate them unconditionally and non-judgmentally for who they are as a human being.
During this week's Monday Morning Email, CISO Tradecraft answers the question on how to craft a winning resume to land your first CISO role.
Infographic:

Monday Mar 14, 2022
On this episode of CISO Tradecraft, we talk about how cyber can help the four key business objectives identified by InfoTech:
1. Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.
2. Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.
3. Service enablement: The productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.
4. Customer and market reach: The improved reach and insights of the business in existing or new markets.
We also discuss Franklin Covey's 4 Disciplines of Execution (TM):
Focus on the Wildly Important
Act on the lead measures
Keep a compelling scoreboard
Create a cadence of accountability
Please note references to Infotech and Franklin Covey Material can be found here:
https://www.infotech.com/research/ss/build-a-business-aligned-it-strategy
https://www.franklincovey.com/the-4-disciplines/
Infographic:

Monday Mar 07, 2022
Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2. In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint: it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there is convincing evidence we are not alone in this universe.
References:
https://thiemeworks.com/

Monday Feb 28, 2022
On this episode of CISO Tradecraft we are going to talk about various Access Control & Authentication technologies.
Access Control Methodologies:
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Privileged Access Management (PAM)
Rule Based Access Control
Attribute Based Access Control (ABAC) or Policy Based Access Control (PBAC)
Authentication Types:
Password-based authentication
Certificate-based authentication
Token-based authentication
Biometric authentication
Two-factor Authentication (2FA)
Multi-Factor Authentication (MFA)
Location-based authentication
Computer recognition authentication
Completely Automated Public Turing Test to Tell Computers & Humans Apart (CAPTCHA)
Single Sign On (SSO)
Risk Based authentication
References
https://riskbasedauthentication.org/
https://blog.identityautomation.com/what-is-risk-based-authentication-types-of-authentication-methods
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
https://www.n-able.com/blog/network-authentication-methods
https://www.getgenea.com/blog/types-of-access-control/
https://www.twingate.com/blog/access-control-models/
https://csrc.nist.gov/glossary/term/authentication
https://csrc.nist.gov/glossary/term/authorization
https://www.techtarget.com/searchsecurity/definition/access-control

Monday Feb 21, 2022
On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and the 6 important steps you can take to mitigate these attacks within your organization:
Centralize your software code repository
Centralize your artifact repository
Scan open source software for malware
Scan software for vulnerabilities and vendor support
Run a Web Application Firewall (WAF)
Run a Runtime Application Self Protection (RASP)
References:
https://owasp.org/www-project-threat-and-safeguard-matrix/
https://slsa.dev/
Infographic: