CISO Tradecraft®
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2024, National Security Corporation. All Rights Reserved
Episodes
Friday Jan 08, 2021
Most organizations generate revenue by hosting online transactions. Cryptography is a key enabler for securing online transactions in untrusted spaces, so it's important for CISOs to understand how it works. This episode discusses the fundamentals of cryptography:
What are the requirements for cryptography?
How long has cryptography been around?
Are there differences between legacy and modern cryptography?
Differences between symmetric and asymmetric encryption
Common use of encryption at rest
Encryption in transit
Friday Jan 01, 2021
Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to master. This episode provides an in-depth discussion of AWS's 7 design principles for securing the cloud:
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events
Please note the AWS Well-Architected Framework Security Design Principles can be found here: https://wa.aws.amazon.com/wat.pillar.security.en.html
Chapters
00:00 Introduction
02:33 Seven design principles for securing the cloud
04:17 Multi Factor Authentication (MFA)
05:59 How to prevent password guessing attacks on the cloud
08:19 How to limit access to your applications
11:05 How to enable traceability in your environment
13:15 The importance of cloud infrastructure
14:47 How to monitor security in the cloud
17:09 How to automate monitoring, alerting, and auditing
19:09 Configuring a strong identity foundation
20:52 How to have an effective real time view of what your developers have produced
22:48 How to automate your security best practices
26:42 How to protect your data in the cloud
28:36 How to limit access to your data
31:36 How to scan your APIs to protect your data
33:41 The importance of permissions in a data science environment
36:06 The importance of identity in cloud computing
41:30 Review of the 7 design principles for securing the cloud
Friday Dec 25, 2020
Have you ever wanted to learn the basic fundamentals of the cloud? This podcast provides a 50,000-foot view of the cloud. Specific discussions include:
What is the cloud?
What types of clouds are there and what are the differences?
What is the term shared responsibility model and what does that mean for securing the cloud?
Chapters
00:00 Introduction
02:10 The Basics of Cloud Computing
06:20 Cloud Computing and Infrastructure as a Service Model
10:17 The different levels of responsibility in an Elastic Compute Cloud Environment
13:18 How to host a server in the cloud
15:33 The differences between IaaS, PaaS, and SaaS
17:30 The consequences of committing to the cloud
19:15 The rise of AWS locations
21:21 The politics of Cloud Provider Infrastructure
24:15 The benefits of the cloud
26:30 AWS's shared responsibility model
30:43 The impediments to a high level of security in the cloud
34:46 How to sleep soundly with your data in the cloud
37:18 How to run a hybrid cloud
39:46 The challenges of hybrid clouds
43:03 Seven design principles for securing the cloud
Friday Dec 18, 2020
CISOs often encounter situations where everyone has a different opinion, the stakes are high, and emotions are running strong. These situations create crucial conversation opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8-step process from the book "Crucial Conversations":
Get Unstuck
Start With Heart
Master My Stories
State My Path
Learn To Look
Make It Safe
Explore Others' Path
Move To Action
We recommend you visit the following Crucial Conversations Website to learn more https://www.vitalsmarts.com/crucial-conversations-training/
The Crucial Conversation Book can be found on Amazon https://www.amazon.com/dp/0071771328/ref=cm_sw_em_r_mt_dp_0Cj3FbY9KA429
Chapters
00:00 Introduction
02:13 How to have crucial conversations
06:14 How to make better decisions
09:54 The dangers of talking about business
14:26 The importance of clarifying what you really want
17:51 The importance of mutual respect
25:18 How to achieve a shared goal
29:11 How to partner together to stop terrorism
33:13 How to create a mutual purpose
37:08 How to speak your mind in a safe environment
40:52 The importance of being vulnerable
51:56 The importance of listening to people
54:56 How to be a successful CISO
Friday Dec 11, 2020
On this episode we explore DevOps as a topic and discuss why you need to care about it as a CISO. Key discussions include:
What are the key principles behind DevOps?
What benefits does security see from DevOps?
What is a CI/CD pipeline?
What are common types of DevOps tools that I need to understand as a CISO?
Where does DevSecOps fit in?
What are 4 types of Application Security Testing tools we see in DevOps Pipelines?
What are 3 common ways to make DevOps / DevSecOps go viral in any organization?
Chapters
00:00 Introduction
04:56 DevOps - What are your thoughts?
08:57 Microsoft Super Patch Tuesday
13:03 DevOps - What's it all about?
14:22 What is CALMS (Culture, Automation, Lean, Measuring, & Sharing)?
26:32 CI/CD
32:12 Containers & DevOps
33:45 Where does security fit in?
36:26 Application Security Testing
41:54 DevOps & DevSecOps - What are the tools?
Friday Dec 04, 2020
If you want to make an impact as a leader, then you need to understand how to lead change. This episode overviews Dr. John Kotter's 8-step process for accelerating change:
Create a sense of urgency
Build a guiding coalition
Form a strategic vision and initiatives
Enlist a volunteer army
Enable action by removing barriers
Generate short-term wins
Sustain acceleration
Institute change
We highly recommend you read Kotter's ebook to learn more:
https://www.kotterinc.com/8-steps-process-for-leading-change/
Chapters
00:00 Introduction
04:25 Are you creating change without urgency?
07:16 How can we drive security into the mobile app experience?
10:55 How to build a guiding coalition to transform the organization
13:49 The one trick I've learned from public speaking
16:15 What's the 3rd step in creating a strategic vision and initiatives
19:12 A great strategic vision drives direction
20:50 How to accelerate the change in your organization
24:31 Creating partnerships to transform security
28:04 Identifying the barriers that are creating problems in your organization
33:01 How to document short term wins
36:13 The next step is sustained acceleration
39:28 How to anchor change in corporate culture
45:02 Leadership and management from a leadership perspective
Friday Nov 27, 2020
Cyber Frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39) as well as provides useful tips on how to implement them.
Chapters
00:00 Introductions
03:29 Creating a Framework for Cyber Security Programs
06:48 What are the Most Important Controls?
11:08 Having an Inventory of Your Network Assets
14:01 Patch Tuesday and Remediation
18:20 Penetration Testing - The Last of the 20 SANS Controls
20:58 What's the NIST Cyber Security Framework?
29:17 The Evolution of Security Controls
35:03 ISO 27000 Series Gap Analysis
40:03 Cyber is in the Business of Revenue Protection
44:53 The Risk Matrix - Likelihood and Impact
49:32 Risk Management & Continuous Vulnerability Management
51:41 Your four options? (Accept, Mitigate, Avoid, or Assign)
Friday Nov 20, 2020
If you want to assess your current level of security, then you should start with an asset management program. Asset management provides the basic building blocks to enable vulnerability management and remediation programs.
This podcast provides key lessons learned on what is required for effective asset management and discusses how asset management evolves with the cloud. Listeners will also learn the important steps to take to create a world-class asset management program.
Chapters
00:00 Introduction
02:00 The SANS Top 20 Controls
06:04 What if I don't have an Agent on my Endpoint?
09:08 Cloud Native CMDB Systems
11:35 Shadow IT in the Cloud
14:12 Software Bill of Materials for your Applications
19:33 What's the problem with older versions of software?
22:02 Is there a Vulnerability in Windows 10?
24:34 The Criticality of the Enterprise Patch Cycle
28:43 How do we have a Good Inventory?
31:34 Continuity of Operations & Disaster Recovery
33:17 Is your Asset Inventory Complete?
35:17 Is Asset Management Key for your Organization?
Friday Nov 13, 2020
The ability to persuade others is a core tradecraft for every CISO. This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers). After listening to this podcast, you will understand how to more effectively tailor your message to best influence each style of executive.
If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article "Change the Way You Persuade" by Gary A. Williams and Robert B. Miller:
https://hbr.org/2002/05/change-the-way-you-persuade
Chapters
00:00 Introductions
03:04 How to Persuade a Charismatic Leader
06:49 How do you use Visual Aids to Help Thinkers
10:39 What approaches do you take with Skeptics?
15:47 How do we overcome Skeptics?
17:24 Are Followers Leaders?
20:58 Can we do a Pilot Program?
22:59 Strategic Tools to be more Successful in your Career
24:47 Do you have any experiences with Controllers?
28:03 How to use your Egos and their Past Experiences to your Advantage
31:06 The Pointy Haired Boss
36:35 How to Adapt a Leader's Style
Friday Nov 06, 2020
To become an effective CISO you need influence skills. On this episode we explore Robert Cialdini's book "Influence" and discuss the psychology of persuasion. We will explore 6 key areas of influence:
Liking - If people like you, because they sense that you like them or because of things you have in common, they're more apt to say yes to you
Reciprocity - People tend to return favors. If you help people, they'll help you. If you behave in a certain way (cooperatively, for example), they'll respond in kind
Social Proof - People will do things that they see other people doing, especially if those people seem similar to them
Commitment and Consistency - People want to be consistent, or at least to appear to be. If they make a public, voluntary commitment, they'll try to follow through
Authority - People defer to experts and to those in positions of authority (and typically underestimate their tendency to do so)
Scarcity - People value things more if they perceive them to be scarce
If you would like to learn more about this topic, then we recommend you read Cialdini's work:
Website https://www.influenceatwork.com/principles-of-persuasion/
Book https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X
Chapters
00:00 Introduction
03:21 The Principles of Persuasion
05:27 How to be a Great Speaker and Get People to Like You
09:01 How to Win Friends and Influence People
13:45 How does a Mint Influence your Tipping?
15:04 Doing a Favor for Someone is a Good Thing
17:29 The Concept of Social Proof in Security
21:34 How to Defend against Audits
26:15 Getting Small Commitments Out of People Early On
29:20 The Importance of Consistency in Influencing
34:12 The Six Principles of Persuasion
38:57 Is there a Scarcity of Time?
43:13 The Six Cialdini Factors Recap
Friday Oct 30, 2020
On this pilot episode you will get to meet the hosts of the show (G Mark Hardy & Ross Young) and learn a little bit about their backgrounds.
Chapters
00:00 Introductions
04:47 What is a CISO?
07:24 Enable the Rock Climber to Take Risks
13:32 What do CISOs need to know?
18:07 Compliance is a C-
21:23 What functions and services do CISOs oversee?
25:48 The importance of a Purple Team
29:45 Is your Security Office a Red Team or a Blue Team?
34:50 Which organization in security is most likely to produce a CISO?
39:11 The Hidden Key to Success is Communication Skills
41:17 CISO Key Capabilities are Communication and Influence
46:57 What are the skills you need to focus on?