CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2025, National Security Corporation. All Rights Reserved
Episodes

Monday Feb 14, 2022
Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO.
What’s in a Game?
Objective
Rules
Challenge/Competition
Randomness or unpredictability
Designed for fun and sometimes learning
What Makes a Game Fun?
Challenge - requires a reasonable level of difficulty
Fantasy - a compelling setting for game action; a temporary suspension of reality
Curiosity - random events so that play is not completely deterministic
Control - learners are confronted with choices
What’s in a Learning Game?
Active participation
Immediate feedback
Dynamic interaction
Competition
Novelty
Goal direction
5 Gamification Concepts
Leaderboards
Badges & Achievements
Levels & Progression
Unlockables
Virtual Economy
4 Player Types
Killers are players motivated by leaderboards and ranks. These players focus on winning and peer-to-peer competition. Their focus is on acting on other players.
Achievers are players motivated by achievements and points. These players focus on achieving present goals quickly and completely. Their focus is on acting on the world.
Socializers are players motivated by friends lists, chat, and news feeds. These players focus on socializing and developing a network of friends. Their focus is on interacting with other players.
Explorers are players motivated by hidden content and levels. These players focus on exploring and discovering the unknown. Their focus is on interacting with the world.
References:
https://www.chaostheorygames.com/blog/serious-games-guide-everything-you-need-to-know-in-2021
https://www.chaostheorygames.com/blog/what-is-gamification-2020-definition
https://directivecommunication.net/the-ultimate-guide-to-work-gamification/
https://yukaichou.com/gamificationnews/4-dominant-applications-of-gamification/
https://medium.com/@chow0531/actionable-gamification-fbe27f6cb2d6
https://www.capgemini.com/2020/06/gamification/
https://insights.lytho.com/translation-fails-advertising
http://timboileau.wordpress.com
https://www.amazon.com/dp/1451611064/?coliid=I2J1XHCOBD5476&colid=2CQEH5MGKB5YX&psc=1&ref_=lv_ov_lig_dp_it

Monday Feb 07, 2022
On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:
Use a Cyber Maturity Model such as CMMI to identify the current situation and build a roadmap of where the organization is headed
Quantify Known Risks through a Risk Register which gets routinely briefed to Executives
Align Cyber to Business Objectives to enable the business
If you enjoy listening to Allan Alford, then please subscribe to The Cyber Ranch Podcast for more great content.

Monday Jan 31, 2022
As a cyber executive you should expect disaster and disruption. When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing vital records to perform business functions.
The secret to accomplishing these objectives can be found in three important documents: a Business Continuity Plan, a Disaster Recovery Plan, and a Business Impact Analysis. Enjoy the show as we walk you through them.
FEMA BCP Example: https://arlingtonva.s3.amazonaws.com/wp-content/uploads/2019/08/COOP-Template-Business-Continuity.pdf
IBM Disaster Recovery Plan: https://www.ibm.com/docs/en/i/7.1?topic=system-example-disaster-recovery-plan
Fire Drills: https://en.wikipedia.org/wiki/Fire_drill
Business Impact Analysis: https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf

Monday Jan 24, 2022
On this episode, we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: Technical Skills, Management Skills, Leadership Skills, and Political Skills.
We also highlight 6 crucial areas to improve your political skills:
Social Astuteness - You need to get your cues right. Socially astute managers are well-versed in social interaction. In social settings they accurately assess their own behavior as well as that of others. Their strong powers of discernment and high self-awareness contribute to their political effectiveness.
Interpersonal Influence - Managers who are effective influencers have good rapport with others and build strong interpersonal relationships. They also tend to have a better understanding of broader situations and better judgment about when to assert themselves.
Networking Ability - Skilled networkers build friendships and working relationships by garnering support, negotiating, and managing conflict. They know when to call on others and are seen as willing to reciprocate.
Apparent Sincerity - Be sincere. Politically skilled individuals display high levels of integrity, authenticity, sincerity, and genuineness. They really are--and also are viewed as--honest, open, and forthright, inspiring trust and confidence.
Think before you speak - Politically skilled managers are careful about expressing feelings. They think about the timing and presentation of what they have to say.
Manage up and down - Leaders need to skillfully manage up by communicating with their bosses and keeping higher-ups informed. But this can become a double-edged sword; research shows that the people who are most skilled at managing up tend not to invest enough energy in building and leading their teams. True political skill involves relationships with teammates and direct reports as well as higher-ups.
References:
https://www.ckju.net/en/blog/6-behaviors-characterize-politically-skilled-individuals-organizations-how-learn-them/32148
https://en.wikipedia.org/wiki/Terry_Tate:_Office_Linebacker
https://hbr.org/2017/04/the-4-types-of-organizational-politics
https://www.forbes.com/2010/05/25/office-politics-psychology-leadership-managing-ccl.html
Ferris, G. R., Davidson, S. L., & Perrewe, P. L. (2005). Political skill at work: impact on work effectiveness. Mountain View, Calif. : Davies-Black Pub
Ferris, G. R., Treadway, D. C., Kolodinsky, R. W., Hochwarter, W. A., Kacmar, C. J., Douglas, C., & Frink, D. D. (2005). Development and Validation of the Political Skill Inventory. Journal of Management, 31(1), 126-152. doi: 10.1177/0149206304271386
Ferris, G. R., Berkson, H. M., Kaplan, D. M., Gilmore, D. C., Buckley, M. R., Hochwarter, W. A., et al. 1999. Development and initial validation of the political skill inventory. Paper presented at the 59th annual national meeting of the Academy of Management, Chicago.

Monday Jan 17, 2022
On this episode of CISO Tradecraft, we discuss how to give a great presentation, including:
Starting with the Bottom Line Up Front (BLUF)
Using pictures to Capture Attention
Asking Thought Provoking Questions
Succinct Points to tell a story
Decision slides that show:
The problem
The proposed solution
Cost to implement solution
Why alternatives are not as good
Next Steps after decision is made
We also discuss the Angel's Cocktail, a concept taken from a TED Talk by JP Phillips:
Dopamine is a neurotransmitter that stimulates focus, motivation, and memory. If you want to use this chemical, tell a story that has obstacles to build suspense and create cliffhangers.
Oxytocin is the hormone associated with generosity, trust, and bonding. If you want to use this chemical, tell a story that creates empathy or makes you vulnerable. You can make the story more impactful by delaying the resolution of the story.
Endorphins are the last of the three, associated with making people creative, relaxed, and focused. If you want to use this chemical, try making others laugh; one way to do this is by being overly dramatic.
References
https://www.verywellmind.com/glossophobia-2671860
https://hbr.org/2019/09/to-overcome-your-fear-of-public-speaking-stop-thinking-about-yourself
https://hbr.org/2013/06/how-to-give-a-killer-presentation
https://www.cnbc.com/id/100646197
https://www.youtube.com/watch?v=Nj-hdQMa3uA
https://www.resourcefulmanager.com/storytelling-as-a-leadership-tool/
https://hbr.org/2014/07/how-to-tell-a-great-story

Monday Jan 10, 2022
One of the most common questions that we get asked on CISO Tradecraft is: what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode is a continuation of the previous episode and covers the 6th through 10th knowledge areas.
Product Security focuses on ensuring developers write secure code
Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks
Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization’s defensive technologies
Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations
Enabling Technologies is about enabling businesses to create digital transformation
Risk Management is about effectively identifying what are the biggest risks to the company, what's the likelihood and magnitude of a potential attack, and how to estimate the cost of remediation
Governance is about understanding what technology your organization uses so you can effectively manage it through a process
Identity & Access Management is about limiting the scope of an attacker who could cause harm to your organization
Business Management & Leadership is an essential skill for executives to lead and influence others
Security Culture is about building an organization where the entire company becomes resilient
https://github.com/cisotradecraft/podcast

Monday Jan 03, 2022
One of the most common questions that we get asked on CISO Tradecraft is: what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft has put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode covers just the first 5 knowledge areas, with the remaining five on a future episode.
Product Security focuses on ensuring developers write secure code
Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks
Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization’s defensive technologies
Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations
Enabling Technologies is about enabling businesses to create digital transformation
https://github.com/cisotradecraft/podcast

Monday Dec 27, 2021
After bad actors gain an initial foothold in an organization, they often use Active Directory attacks to gain administrative privileges. On this episode of CISO Tradecraft, we discuss Active Directory. You can learn what it is, how it works, common attacks used against it, and ways you can secure it.
References:
Stealthbits Active Directory Attacks
Wikipedia Active Directory
Wikipedia Directory Service
Wired Story on Not Petya
CIS Hardened Images
MS Domain Services
Mimikatz
Kerberos
Indeed Active Directory Job Listing

Monday Dec 20, 2021
You just got the news that the Cyber organization is going to be audited. Do you know what an audit is, how best to prepare for it, and how to respond to audit findings? On this episode of CISO Tradecraft, we help you understand key auditing concepts such as:
Audit Subject
Audit Objective
Vulnerability
Threat
Risk & Impact
Audit Scope with Goals & Objectives
Audit Plan
Audit Response

Monday Dec 13, 2021
Have you ever heard someone say "our firewalls block this type of attack"? In this episode, you can increase your understanding of firewalls so it won't just be another buzzword. The 6 basic categories of firewalls that we discuss on the show are:
Packet Filters - focus on IP and port blocking
Stateful Inspection Firewalls - look at active connections and consider context
Network Address Translation Firewalls - tools that allow private networks to connect to public ones and create secure enclaves
Proxy Servers - classify web traffic into topics that might be allowed or not allowed
Web Application Firewalls - block web application attacks (SQL Injection, Cross-Site Scripting, …)
Next Generation Firewalls - try to do everything
References - sitereview.bluecoat.com

Friday Dec 03, 2021
On this episode of CISO Tradecraft you can learn all about Software Agents. Specifically, we discuss: what an Agent does, why an Agent is helpful, and the 7 common types of Software Agents you would expect to find in large IT organizations. Also, if you stick around to the end, you can learn about Secret Agents (i.e. agentless approaches).
7 Common Software Agents are:
Endpoint Configuration Agents - Tools like Microsoft Endpoint Manager or SCCM
Mobile Device Managers - Tools like Microsoft Intune or Google Endpoint Management
Vulnerability Agents - Tools like Qualys or Nessus
Antivirus Agents - Tools like McAfee or Symantec
Endpoint Detection & Response Agents - Tools like Crowdstrike or Carbon Black
Data Loss Prevention Agents - Tools like Forcepoint or GTB Technologies
Privilege Access Management Agents - Tools like BeyondTrust or CyberArk

Friday Nov 19, 2021
The Great Resignation is upon us, and if some of your top talent hasn't given you their notice, it may be happening soon. Or not, depending on what you choose to do. With plenty of time to contemplate options, people are quitting jobs at a record pace. But wise leaders learn how to listen to their people's needs and desires, create a sense of purpose that motivates far beyond a paycheck, and create a safe working space by allowing people to be human and make the occasional mistake. Keep your IT Security team intact with these concepts and much more.
For more great CISO content please subscribe to our LinkedIn Page
Thank you for listening to CISO Tradecraft
References:
https://www.bls.gov/news.release/archives/jolts_06082021.pdf
https://info.workinstitute.com/hubfs/2020%20Retention%20Report/Work%20Institutes%202020%20Retention%20Report.pdf
https://www.npr.org/2021/10/22/1048332481/the-great-resignation-why-people-are-leaving-their-jobs-in-growing-numbers
https://blog.trello.com/enterprise/how-to-retain-employees
https://hbr.org/2016/09/why-people-quit-their-jobs
https://www.mckinsey.com/business-functions/people-and-organizational-performance/our-insights/great-attrition-or-great-attraction-the-choice-is-yours
https://blog.trello.com/supportive-company-culture
https://www.statista.com/chart/19064/number-of-unused-vacation-days/
https://www.glassdoor.com/blog/vacation-realities-2017/
https://hbr.org/2016/03/two-thirds-of-managers-are-uncomfortable-communicating-with-employees
https://www.mckinsey.com/business-functions/people-and-organizational-performance/our-insights/igniting-individual-purpose-in-times-of-crisis
https://allthatsinteresting.com/myers-briggs-test
https://cybersecurityventures.com/jobs

Friday Nov 05, 2021
In this episode, you can hear from Dr. Neal Krawetz, creator of Hacker Factor and FotoForensics. Neal's a long-time security practitioner who shares some fascinating insights in terms of how to identify potential bad actors early on (think reconnaissance interception), techniques for detecting bots and malicious entities, and ways to protect your team members from misattributed fake blog entries.

Friday Oct 29, 2021
Special Thanks to our podcast Sponsor, Prevailion.
Some of the best C-level executives start in the technical ranks. This episode features Nate Warfield, CTO of Prevailion, who differentiated himself by creating CTI-League.com to assist healthcare companies with ransomware. We'll cover some of that organization's work, how Nate got his first C-level job, and some lessons learned you might appreciate in your own CISO journey.
To learn more about Cyber Adversary Intelligence, please check out Prevailion who sponsored this episode.

Sunday Oct 17, 2021
When you first start a cybersecurity job, or hire someone into a cybersecurity job, there is a window of opportunity to see things with a new perspective. In this episode, we're privileged to share ideas with Rebecca Mossman, a successful cybersecurity leader who has successfully led a number of teams in her career. We'll examine relationships, stakeholders, setting priorities, communication, and knowing when to call something "done" and move on to the next task.

Sunday Oct 10, 2021
A Border Gateway Protocol (BGP) misconfiguration is what took out Facebook on 4 October. Most IT folks don't understand how BGP works. This episode helps you gain a better understanding of the protocol that creates routing tables to move information from one end of the Internet to the other. We'll explain how Autonomous Systems (AS) share BGP route information, what should happen when things go right, and then examine what likely went wrong at Facebook and how you might be able to prepare for potential problems in advance before they occur.

Friday Oct 01, 2021
This is a special treat. On this episode of CISO Tradecraft you can hear Mark D. Rasch, JD, discuss legal and security topics that he's encountered in his more than 30 years of experience in cybersecurity law. We look into ransomware, reportable breaches, the appropriateness (or lack thereof) of certain legal statutes, and finish with some actionable advice for CISOs and security leaders that you really need to hear.

Friday Sep 24, 2021
We've all suffered through horrible meetings that felt like a total waste of time. As a security leader, you'll be convening your fair share of meetings with your staff. Don't be "that boss" who can't run an effective meeting. This episode shows ways you can ensure your meetings are both efficient and effective, result in actionable tasking, and keep people coming back for more because you showed respect for their time and their ideas. And we even practice what we preach -- this episode ends early.
Harvard Meeting Cost Calculator Link
OSS Simple Sabotage Manual Link

Friday Sep 17, 2021
In our 31 July 2021 Episode 42, Risky Business, we covered the basics of risk and risk assessment. This part 2 episode gets into the practical application of risk management using the FAIR model, or Factor Analysis of Information Risk. We explain key risk terminology, walk through examples of how to express risk using this model, and show a meaningful, actionable way to explain risk to executives.
Risk Matrix Example: Link
One Page FAIR Model: Link
Measuring & Managing Information Risk: Link
FAIR Wiki: Link

Friday Sep 10, 2021
Have you ever faced a crisis? How well did you do? You should always want to improve your skills in case another happens. On the 20th anniversary of 9/11, G. Mark Hardy shares some of his experiences as the on-scene commander for the military first responders at the World Trade Center, and expands that into a set of skills and attributes that you can cultivate to become a more effective crisis response leader in your role as a cybersecurity professional.
References:
5 Leadership Skills Link
How to Combat a Crisis Link
Manage a Crisis Link
Lessons in Crisis Leadership Link
Creative Leadership Guidebook Link
Financial Interest in Situations Link
G Mark Hardy Ground Zero Video 1 of 2 Link
G Mark Hardy Ground Zero Video 2 of 2 Link

Friday Sep 03, 2021
Traditional risk models focus on calculating loss frequency and magnitude, but don't go far enough in terms of modeling the most important assets in our organization, known as "crown jewels." This episode of CISO Tradecraft is a fascinating interview with the CEO and founder of a startup focusing on crown jewel analysis -- Roselle Safran. We'll look into how making this a part of your portfolio helps put the "C" in CISO by showing your understanding of the business in which you work. We'll also extend our discussion to challenges faced by women in cybersecurity, and encouragement for women (and others) to enter our exciting profession.

Friday Aug 27, 2021
Containers are a lightweight technology that allows applications to deploy to a number of different host Operating Systems without having to make any modifications at all to the code. As a result, we've been seeing a big increase in the use of Docker, Kubernetes, and other tools deployed by enterprises. In this episode, we'll cover the fundamentals of containers, Docker, and orchestration tools such as Kubernetes, provide you with the knowledge to understand this environment, and maybe even tempt you to create your own container to test your skill.
Major links referenced in the show
Container Architecture Link
Kubernetes Diagrams Link
Kubernetes Glossary Link
Kubernetes Primer Link
Special Thanks to our podcast Sponsor, CyberGRX

Friday Aug 20, 2021
Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work. By creating a deceptive environment that "booby-traps" your networks with fake services, enticing resources, and make-believe traffic, we can create a high-fidelity, low-noise intrusion sensor system, since no legitimate user would ever try these. Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives. There's a lot to learn here, and Kevin Fiscus offers a promise of more to come. By listening to this episode you will learn:
What is cyber deception?
What problem does cyber deception solve?
How do cyber deception technologies work?
Why is deception more effective than other detection and response technologies?
If you would like to learn more about Cyber Deception, then be sure to check out these great resources:
Kevin’s YouTube channel, Take Back the Advantage Link
The Mitre Engage Matrix Link
SANS SEC 550 Link
Special Thanks to our podcast Sponsor, CyberGRX

Friday Aug 13, 2021
Special Thanks to our podcast Sponsor, CyberGRX
On today’s episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:
How do you identify which vendors pose the highest risk to your business?
How do you see which vendor’s security controls protect against threats?
How do you validate their risk profiles by scanning, dark web monitoring or other techniques to correlate what attackers are seeing and acting upon?
Do you have an understanding of how to improve risk mitigation in your third-party ecosystem?
Also, please subscribe to the CISO Tradecraft LinkedIn Page to get more relevant content.

Friday Aug 06, 2021
Cyber Threat Intelligence is an important part of an effective CISO arsenal, but many security leaders don’t fully understand how to optimize it for their benefit. In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you won’t want to miss.