All Episodes (122)

1. 1. #122 - Methodologies for Analysis (with Christopher Crowley)

   Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in.Analysis of Competing Hypothesis https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf Christopher Crowley's Company 

   Mar 27,2023 43:57
2. 2. #121 - Legal Questions (with Evan Wolff)

   Have you ever wanted to get a legal perspective on cybersecurity?  On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others.  He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general council.  Please enjoy. Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1JnhChapters00:00 Introductions01:52 The Attorney Client P

   Mar 20,2023 38:29
3. 3. #120 - Negotiating Your Best CISO Package (with Michael Piacente)

   Have you ever wondered how to negotiate your best CISO compensation package?  On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages.  Examples include but are not limited to: - Base Salary,Bonuses (Annual, Relocation, & Hiring)Reserve Stock UnitsAnnual LeaveTitle (VP or SVP)Directors & Officers InsuranceAccelerated Vesting ClausesSeverance AgreementsYou can learn more about CISO compensations by Googling any of the following compe

   Mar 13,2023 39:41
4. 4. #119 - Ethics (with Stephen Northcutt)

   One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in.  Sometimes ethical stances are clear and you know you are doing what’s right.  Others are blurry, messy, and really weigh on your mind.  So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Case where Joe Sullivan the Former Chief Security Officer of Uber wa

   Mar 06,2023 41:15
5. 5. #118 - Data Engineering (with Gal Shpantzer)

   Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/Gal's Twitter Page - https://twitter.com/ShpantzerFull Transcript - https://do

   Feb 27,2023 44:45
6. 6. #117 - Good Governance (with Sameer Sait)

   Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues?  Today we are going to overcome that by talking about what good governance looks like.  We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO.  We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/Full T

   Feb 20,2023 39:34
7. 7. #116 - A European view of CISO responsibilities (with Michael Krausz)

   In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO

   Feb 13,2023 43:37
8. 8. #115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser)

   How can cyber best help the sales organization?  It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/Chapters00:00 Introduction02:58 How did you marry those two cultures?06:40 Building a Diverse Workforce08:23 Is this a new role based on Pain Points?1

   Feb 06,2023 41:38
9. 9. #114 - One Vendor to Secure Them All

   Did you ever wonder how much security you can implement with a single vendor?  We did and were surprised by how much you can do using the Australian Top Eight as a template.  We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.Special thanks to our sponsor Praetorian for supporting this episode.https://www.praetorian.com/Full Transcripts:https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJHelpful LinksEs

   Jan 30,2023 24:06
10. 10. #113 - SAST Security (with John Steven)

    This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.   Special thanks to our sponsor Praetorian for supporting this episode.https://www.praetorian.com/Full Transcript https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_

    Jan 23,2023 42:51
11. 11. #112 - Attack Surface Management (with Richard Ford)

    How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.Special thanks to our sponsor Praetorian for supporting this episode.A Full Transcript of this podcast can be found here:https://docs.g

    Jan 17,2023 41:57
12. 12. #111 - Leading with Style

    Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes?  Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes.  So sit back, relax, and enjoy CISO Tradecraft. Show Notes with Pictures & References:https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=trueFull Transcript:https://docs.google.com/document/d/11

    Jan 09,2023 44:52
13. 13. #110 - Predictions for 2023

    Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023?  Listen to the episode to learn more about:Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast RadiusConvergence of Security ToolsCollaboration TechnologyEvolution of the Endpoint (Chromebooks or Browser Isolation)ChatbotsVague and unclear cyber lawsCISO liability increasesUmbrella IT general controls mappingCompanies will be less truthful during 3rd party questionnairesCyber defens

    Jan 02,2023 24:13
14. 14. #109 - The Right Stuff

    Success leaves clues, but sometimes we limit ourselves by only looking close by for them.  This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice.  Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader.  Some of the essential skills we discuss

    Dec 19,2022 45:39
15. 15. #108 - Show Me The Money (with Nick Vigier)

    There's a lot of things you need to know as a CISO, but one of the things least taught is budgeting best practices.  On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic.  His conversations focus on spends vs investments.  Remember spends = overhead, whereas investments = growth.  Here's a great point.[10:00] There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or th

    Dec 12,2022 43:03
16. 16. #107 - Consolidating Vulnerability Management (with Jeff Gouge)

    Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management.  We also thank our sponsor Nucleus Security for supporting this episode.Consistently tracking and prioritizing vulnerabilities is a difficult problem.  This episode talks about it in detail and helps you increase your understanding in:Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so manyHow CVSS base sc

    Dec 05,2022 42:43
17. 17. #106 - How to Win Your First CISO Role

    Are You Ready To Win Your First CISO role? Apply these techniques into your resume and interview process so both recruiters and hiring managers will offer you the job.  This show focuses on:Highlighting the Different Types of CISO RolesShowing how to progress from a Senior Director Role into a Fortune 100 CISOResume Tricks and Tips that get you noticed by recruitersHow to have a great interview with a recruiterWhat Hiring Managers want to see from CISOs during their interviewsPlease note the ful

    Nov 28,2022 29:31
18. 18. #105 - Start Me Up (with Bob Cousins)

    Would you like to hear a master class on what Technology professionals need to know about startups?  On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists.  Listen and learn more about:What should a technology professional know about venture capital and dealing with venture capitalists?What is the role of marketing?What do engineers get wrong with helping businesses create prof

    Nov 21,2022 48:40
19. 19. #104 - Breach and Attack Simulation (with Dave Klein)

    Special Thanks to our podcast sponsor, Cymulate. On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only acceleratingThe level of vulnerabilities today is 30x what it was 10 years ago.  We have more IT infrastructure, complexity, and developers in our current environment.In the pursuit of digital innovation, we are changing our IT infrastructure by the hou

    Nov 14,2022 44:33
20. 20. #103 - Listening to the Wise (with Bill Cheswick)

    Have you ever just met someone that was so interesting that you just sat and gave them your full attention?  On this episode of CISO Tradecraft, we have Bill Cheswick come on the show.  Bill talks about his 50 years in computing.  From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses.  He was also the first person to co-author a book on Internet Security.  So listen in

    Nov 07,2022 44:55
21. 21. #102 - Mentorship, Sponsorship, and A Message to Garcia

    Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well.)  Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of

    Oct 31,2022 38:47
22. 22. #101 - SaaS Security Posture Management (with Ben Johnson)

    Special Thanks to our podcast sponsor, Obsidian Security.  We are really excited to share today’s show on SaaS Security Posture Management.  Please note we have Ben Johnson stopping by the show so please stick around and enjoy.  First let’s go back to the basics:Today most companies have already begun their journey to the cloud.  If you are in the midst of a cloud transformation, you should ask yourself three important questions:  How many clouds are we in?What data are we sending to the cloud t

    Oct 24,2022 40:07
23. 23. #100 - 7 Ways CISOs Setup for Success

    Referenceshttps://github.com/cisotradecraft/Podcasthttps://cisotradecraft.podbean.com/e/84-gaining-trust-with-robin-dreeke/https://www.youtube.com/shorts/vSART2mutwchttps://www.peopleformula.com/selfmasteryhttps://cisotradecraft.podbean.com/e/ciso-tradecraft-roses-buds-thorns/https://cisotradecraft.podbean.com/e/ciso-tradecraft-how-to-compare-software/https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/https://cisotradecraft.podbean.com/e/ciso-tradecraft-aligning-security-i

    Oct 17,2022 33:09
24. 24. #99 - Cyberwar and the Law of Armed Conflict (with Larry Dietz)

    Episode 99 - Cyberwar and the Law of Armed Conflict with Larry DietzWe bring you another episode from Naas, Ireland today speaking about cyberwar and the law of armed conflict with Larry Dietz, a retired US Army Colonel and practicing attorney. This is a follow-up to Episode 98, where we cover the Tallin Manual, discover a surprise resource on cyber conflict hosted by the Red Cross, examine what critical infrastructure might be legitimate targets, and the importance for CISOs to establish relati

    Oct 10,2022 37:29
25. 25. #98 - Outrunning the Bear

    Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it.  Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a

    Oct 03,2022 33:12
26. 26. #97 - Mobile Application Security (with Brian Reed)

    Special Thanks to our podcast sponsor, NowSecure.  On this episode, Brian Reed (Chief Mobility Officer at NowSecure) stops in to provide a world class education on Mobile Application Security.  It's incredible to think that 70% of internet traffic is coming over mobile devices.  Most of this traffic occurs via mobile applications so we need to understand mobile application security testing, before attackers show us how important it is. This episode will help you understand:What should you be doi

    Sep 26,2022 43:34
27. 27. #96 - The 9 Cs of Cyber

    Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we’re going to -- talk like a pirate.  ARRRAs always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.On today’s episode we are going to talk about the 9 Cs of Cyber Security.  Note these are not the 9 Seas that you might find today,

    Sep 19,2022 30:33
28. 28. #95 - Got any Data Security (with Brian Vecci)

    Special Thanks to our podcast Sponsor, Varonis.  Please check out Varonis's Webpage to learn more about their custom data security solutions and ransomware protection software. On this episode Brian Vecci (Field CTO of Varonis) stops by CISO Tradecraft to discuss all things Data Security.  He highlights the top 3 things every CISO needs to balance with regards to data security (Productivity, Convenience, and Security).  He also discusses the most important security questions we need to understan

    Sep 12,2022 45:35
29. 29. #94 - Easier, Better, Faster, & Cheaper Software

    Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper.  As always, please follow us on LinkedIn, and subscribe if you have not already done so.Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of enginee

    Sep 05,2022 23:28
30. 30. #93 - How to Become a Cyber Security Expert

    How do you become a Cyber Security Expert?Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert.  As always, please follow us on LinkedIn, and subscribe to our podcasts.As a security leader, part of your role is to d

    Aug 29,2022 29:43
31. 31. #92 - Updating the Executive Leadership Team on Cyber

    Show NotesHello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.Imagine you have been in

    Aug 22,2022 26:15
32. 32. #91 - Hacker Summer Camp

    On this episode you can hear the tale of three conferences.  Listen and learn about the history of BSides, Black Hat, and DEF CON.  Learn what makes these conferences special and enjoy some of the untold history of each conference.  

    Aug 15,2022 32:19
33. 33. #90 - A CISO’s Guide to Pentesting

    A CISO’s Guide to PentestingReferenceshttps://en.wikipedia.org/wiki/Penetration_testhttps://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodologyhttps://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologieshttps://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf https://pentest-standard.readthedocs.io/en/latest/https://www.isecom.org/OSSTMM.3.pdfhttps://s2.security/the-m

    Aug 08,2022 16:00
34. 34. #89 - Connecting the Dots (with Sean Heritage)

    I've been a fan of Sean Heritage for years when I first discovered his blog, "Connecting the Dots."  Today I have the privilege to listen to his thoughts on cybersecurity careers in both the military and the "real world," how to prioritize your life, what careers goals you should (and should NOT) aim for, and the importance of great leadership. Book reference:Connecting the Dots:  Deliberate Observations and Leadership Musings About Everyday Lifehttps://www.amazon.com/Connecting-Dots-Deliberate-

    Aug 01,2022 46:13
35. 35. #88 - Tackling 3 Really Hard Problems in Cyber (with Andy Ellis)

    This episode of CISO Tradecraft, Andy Ellis from Orca Security stops by to talk about three really hard problems that CISOs have struggled with for decades. How do we build a phishing program that works?How do we build a 3rd party risk management program that isn't a paper exercise?How do we actually get good at patch management?Stick around for some great answers such as:Human error is a system in need of redesignHow do we put every employee on an island protected from the company?If we stopped

    Jul 25,2022 47:11
36. 36. #87 - From Hunt Team to Hunter (with Bryce Kunz)

    On this episode of CISO Tradecraft, Bryce Kunz from Stage 2 Security stops by to discuss how offensive cyber operations are evolving.  Come and learn how attackers are bypassing MFA and EDR solutions to target your cloud environment.  You can also hear what Bryce recommends to beat the bear that is Ransomware. References:Link How Attackers Bypass MFA with Evilginx 2 Link Stage 2 Security Black Hat Course

    Jul 18,2022 43:47
37. 37. #86 - The CISO MindMap (with Rafeeq Rehman)

    This episode features Rafeeq Rehman.  He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:1.  Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.2.  Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.3.  To serve your business better, train staff on busine

    Jul 11,2022 45:24
38. 38. #85 - The Fab 5 Security Outcomes Study (with Helen Patton)

    On this episode of CISO Tradecraft, we feature Helen Patton.Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.  -Is technical acumen needed for CISOs?-Surviving organizational politics(34:45) Helen discusses The Fab 5 Security Outcomes study.Volume 1 Study - Link Volume 2 Study - Link

    Jul 04,2022 44:20
39. 39. #84 - Gaining Trust (with Robin Dreeke)

    On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula.  Robin was the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate.  Robin highlights 4 Pillars of Communicating:Seek the thoughts and opinions of othersTalk in terms of priorities, pain points, and challenges of othersUse Nonjudgmental validation (ie seek to understand others without judging)Empower other

    Jun 27,2022 45:41
40. 40. #83 - Cyber Defense Matrix Reloaded (with Sounil Yu)

    This episode is sponsored by Varonis.  You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment LinkOn this episode, Sounil Yu continues his discussion about his new book ("Cyber Defense Matrix").  Listen to learn more about:   Pre-Event Structural Awareness vs Post-Event Situational AwarenessEnvironmental vs Contextual AwarenessUnderstanding Security HandoffsRationalizing TechnologiesPortfolio AnalysisResponding to Emerging Buzzwords (Zero

    Jun 20,2022 48:06
41. 41. #82 - Cyber Defense Matrix (with Sounil Yu)

    This episode is sponsored by Varonis.  You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment LinkThis episode of CISO Tradecraft has Sounil Yu talk about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth.  We discuss how the Cyber Defense Matrix can be used for: Capturing & Organizing Measurements & MetricsDeveloping a Cyber Security Roadma

    Jun 13,2022 50:34
42. 42. #81- Career Lessons from a CISO (with John Hellickson)

    On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO.  Listen and learn about:The evolving role of the CISOHow John got started as a CISOWhis is a Field CISO and how does it differ from a traditional CISO roleTips on getting your career to the next level by attending the right conferences and getting an executive coachHow to get Business AlignmentHow the Security Advisor Alliance is helping the next generation of cyber talent 

    Jun 06,2022 41:27
43. 43. #80 - Breaking Backbones (with Deb Radcliff)

    A respected journalist focusing on cybersecurity and our community of people for over 25 years, Deb Radcliff remains a trusted information source who checks and double-checks her sources before publication -- a refreshing change to the low signal - high noise world of social media.In this episode, we discuss where CISOs might turn for accurate information, how the industry has evolved in complexity, and take a look at the first of three fictional novels she's writing about a future world where h

    May 30,2022 44:03
44. 44. #79 - Addressing the Top CEO Concerns

    On this Episode of CISO Tradecraft we talk about the Top 10 areas of concern for the C Suite about Ransomware.  Note you can read the full ISC2 Study here (Link).Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware.Increase Communication and Reporting to LeadershipTemper Overconfidence as NeededTailor Your MessageMake the Case for New Staff and Other InvestmentsMake Clear that Ransomware Defense is Everyone’s Responsibili

    May 23,2022 38:32
45. 45. #78 - Business Objectives & 5 CISO Archetypes (with Christian Hyatt)

    On this episode of CISO Tradecraft, Christian Hyatt from risk3sixty stops by to discuss the 3 major Business Objectives for CISOs:Risk ManagementCost ReductionRevenue GenerationHe also discusses the five CISO Archetypes.  The ExecutiveThe EngineerThe GRC GuruThe TechnicianThe BuilderReferences:The 5 CISO Archetypes Book LinkDesigning the CISO Role Link

    May 16,2022 45:16
46. 46. #77 - Countering Corporate Espionage

    Chances are your organization has information that someone else wants.  If it's another nation state, their methods may not be friendly or even legal.  In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies.  Listen now so you don't become a statistic later. References:https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.

    May 09,2022 46:39
47. 47. #76 - The Demise of the Cybersecurity Workforce

    Our career has been growing like crazy with an estimated 3.5 million unfilled cybersecurity jobs within the next few years.  More certs, more quals, more money, right?  The sky’s the limit.  But what if we’re wrong?  AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country.  Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities?  [We did a ton of research look

    May 02,2022 41:47
48. 48. #75 - Avoiding Death By PowerPoint

    On this episode of CISO Tradecraft, we discuss how to avoid Death By PowerPoint by creating cyber awareness training that involves and engages listeners. Specifically we discuss:The EDGE method:  Explain, Demonstrate, Guide, and EnableEscape RoomsTabletop ExercisesPolling During PresentationsShort videos from online resourcesReferences:https://blog.scoutingmagazine.org/2017/05/05/living-on-the-edge-this-is-the-correct-way-to-teach-someone-a-skill/http://www.inquiry.net/ideals/scouting_game_purpo

    Apr 25,2022 19:44
49. 49. #74 - Pass the Passwords

    On this episode of CISO Tradecraft, we focus on the Password Security and how it's evolving.  Tune in to learn about:Why do we need passwordsWays consumers login and authenticateHow bad actors attack passwordsHow long does it take to break passwordsDifferent types of MFA The future of passwords with conditional access policiesInfographic: References:https://danielmiessler.com/blog/not-all-mfa-is-equal-and-the-differences-matter-a-lot/ https://www.hivesystems.io/blog/are-your-passwords-in-the-gre

    Apr 18,2022 42:42
50. 50. #73 - Wonderful Winn Schwartau

    Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend for over 25 years.  Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security."  We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, looks like he's doing a Tom Brady and writi

    Apr 11,2022 47:18
51. 51. #72 - Logging In with SIEMs (with Anton Chuvakin)

    On this episode of CISO Tradecraft, Anton Chuvakin talks about Logging, Security Information & Event Management (SIEM) tooling, and Cloud Security.  Anton share’s fantastic points of view on:How moving to the cloud is like moving to a space station (13:44)How you may be one IAM mistake away from a breach (20:05)How a SIEM is a logging based approach, whereas EDRs require agents at endpoints.  This becomes really interesting when cloud solutions don’t have an endpoint to install an agent (26:53)W

    Apr 04,2022 48:28
52. 52. #71 - Lessons Learned as a CISO (with Gary Hayslip)

    On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO.  He shares various tips and tricks he has used to work effectively as a CISO across multiple companies.  Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks.  There's lots of great information to digest.   Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading.  Y

    Mar 28,2022 54:14
53. 53. #70 - Partnership is Key

    On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill & cyber security expertise.  You can learn what to say to each of the following executives to build common ground and meaningful work: CFOLegalMarketingBusiness UnitsCEOCIOHRNote Robin Dreeke mentions 5 keys to building goals.: Learn… about their priorities, goals, and objectives.Place… theirs ahead of yoursAllow them to talk…. suspend your own need to talk.

    Mar 21,2022 16:01
54. 54. #69 - Aligning Security Initiatives with Business Objectives

    On this episode of CISO Tradecraft, we talk about how cyber can help the four business key objectives identified by InfoTech:1.  Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.2.  Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.3.  Service enablement: The productivity and efficiency gains of internal business operations from products and ca

    Mar 14,2022 25:18
55. 55. #68 - Thought Provoking Discussions (with Richard Thieme)

    Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2.  In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint:  it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there

    Mar 07,2022 01:03:21
56. 56. #67 - Knock, Knock? Who’s There and Whatcha Want?

    On this episode of CISO Tradecraft we are going to talk about various Access Control & Authentication technologies.Access Control Methodologies:Mandatory Access Control or (MAC)Discretionary Access Control or (DAC)Role Based Access Control or (RBAC)Privileged Access Management or (PAM)Rule Based Access ControlAttribute Based Policy Control (ABAC) or Policy Based Access Control (PBAC)Authentication Types:Password-based authenticationCertificate-based authenticationToken-based authenticationBiomet

    Feb 28,2022 29:43
57. 57. #66 - Working On The Supply Chain Gang

    On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and the 6 important steps you can take to mitigate this attack within your organization:Centralize your software code repositoryCentralize your artifact repositoryScan open source software for malwareScan software for vulnerabilities and vendor supportRun a Web Application Firewall (WAF)Run a Runtime Application Self Protection (RASP)References:https://owasp.org/www-project-threat-and-safeguard-matrix/ https://s

    Feb 21,2022 20:40
58. 58. #65 - Shall We Play A Game?

    Gamification is a superpower that CISOs can use to change the culture of an organization.  On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO. What’s in a Game? ObjectiveRulesChallenge/CompetitionRandomness or unpredictabilityDesigned for fun and sometimes learningWhat Makes a Game Fun? Challenge requires reasonable level of difficultyFantasy compelling setting for game action; temporary suspension of realityCuriosity random events so that play is not complet

    Feb 14,2022 43:31
59. 59. #64 - 3 Keys to Being a CISO (with Allan Alford)

    On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast.  Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:Use a Cyber Maturity Model such as CMMI to identify the current situation and build a roadmap of where the organization is headed Quantify Known Risks through a Risk Register which gets routinely briefed to ExecutivesAlign Cyber to Business Objectives to enable the businessIf you enjoy listening

    Feb 07,2022 44:14
60. 60. #63 - Flirting with Disaster

    As a cyber executive you should expect disaster and disruption.  When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing vital records to perform business functions.The secret to accomplishing these objectives can be found in three important documents.  Those being a Business Continuity Plan, Disaster Recovery Plan, & a Business Impact Analysis.  Enjoy the show as

    Jan 31,2022 26:22
61. 61. #62 - Promotion Through Politics

    On this episode,  we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: (Technical Skills, Management Skills, Leadership Skills, & Political Skills)We also highlight 6 crucial areas to improve your political skillsSocial Astuteness - You need to get your cues right.  Socially astute managers are well-versed in social interaction.  In social settings they accurately assess their own behavior as well as that of others.  Their strong powers of dis

    Jan 24,2022 31:06
62. 62. #61 - Presentation Skills

    On this episode of CISO Tradecraft, we discuss how to give a great presentation.  Starting with the Bottom Line Up Front (BLUF)Using pictures to Capture AttentionAsking Thought Provoking QuestionsSuccinct Points to tell a storyDecision slides that showThe problemThe proposed solutionCost to implement solutionWhy alternatives are not as goodNext Steps after decision is madeWe also discuss the Angels Cocktail which is a concept taken from a Ted Talk by JP PhillipsDopamine is a neurotransmitter tha

    Jan 17,2022 32:34
63. 63. #60 - CISO Knowledge Domains Part 2

    One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO?  After a lot of reflection, CISO Tradecraft put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs.  This episode is a continuation from the previous episode and will go over the 6th -10th knowledge areas.Product Security focuses on ensuring developers write secure codeDefensive Technologies focuses on creating multi

    Jan 10,2022 17:44
64. 64. #59 - CISO Knowledge Domains Part 1

    One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO?  After a lot of reflection, CISO Tradecraft has put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs.  This episode will go over just the first 5 knowledge areas with the remaining five on a future episode.Product Security focuses on ensuring developers write secure codeDefensive Technologies focuses on creating mu

    Jan 03,2022 15:33
65. 65. #58 - Active Directory is Active with Attacks

    After bad actors gain an initial foothold into an organization, they often use active directory attacks to gain administrative privileges.  On this episode of CISO Tradecraft, we discuss Active Directory.  You can learn what it is, how it works, common attacks used against it, and ways you can secure it.  References:Stealthbits Active Directory AttacksWikipedia Active DirectoryWikipedia Directory ServiceWired Story on Not PetyaCIS Hardened ImagesMS Domain Services MimikatzKerberosIndeed Active D

    Dec 27,2021 26:52
66. 66. #57 - Brace for Audit

    You just got the news that the Cyber Organization is going to be audited.  Do you know what an audit is, how best to prepare for it, and how to respond to audit findings?  On this episode of CISO Tradecraft, we help you understand key auditing concepts such as:Audit SubjectAudit ObjectiveVulnerabilityThreatRisk & ImpactAudit Scope with Goals & ObjectivesAudit PlanAudit Response

    Dec 20,2021 15:12
67. 67. #56 - Say Firewall One More Time

    Have you ever heard someone say our firewalls block this type of attack?  In this episode, you can increase your understanding of firewalls so it won’t just be another buzzword.  6 Basic categories of firewalls that we discuss on the show include:  Packet Filters focus on IP and port blocking Stateful Inspection Firewall looks at active connections and consider contextNetwork Address Translation Firewalls tools that allow private networks to connect to public ones and create secure enclavesProxy

    Dec 13,2021 31:28
68. 68. #55 - I have more Agents than the FBI

    On this episode of CISO Tradecraft you can learn all about Software Agents.  Specifically we discuss: What does an Agent do, Why is an Agent helpful, and the 7 common types of Software Agents you would expect to find in large IT organizations.  Also, if you stick to the end you can also learn about Secret Agents (ie Agentless). 7 Common Software Agents are:Endpoint Configuration Agents - Tools like Microsoft Endpoint Manager or SCCMMobile Device Managers - Tools like Microsoft Intune or Google E

    Dec 03,2021 16:32
69. 69. #54 - The Great Resignation

    The Great Resignation is upon us, and if some of your top talent hasn't given you their notice, it may be happening soon.  Or not, depending on what you choose to do.  With plenty of time to contemplate options, people are quitting jobs at a record pace.  But wise leaders learn how to listen to their people's needs and desires, create a sense of purpose that motivates far beyond a paycheck, and creates a safe working space by allowing people to be human and make the occasional mistake.  Keep you

    Nov 19,2021 36:26
70. 70. #53 - Fun and Games to Stop Bad Actors (with Dr. Neal Krawetz)

    In this episode, you can hear from Dr. Neal Krawetz, creator of Hacker Factor and FotoForensics. Neal's a long-time security practitioner who shares some fascinating insights in terms of how to identify potential bad actors early on (think reconnaissance interception), techniques for detecting bots and malicious entities, and ways to protect your team members from misattributed fake blog entries.

    Nov 05,2021 44:17
71. 71. #52 - Welcome to the C-Level (with Nate Warfield)

    Special Thanks to our podcast Sponsor, Prevailion.Some of the best C-level executives start in the technical ranks.  This episode features Nate Warfield, CTO of Prevailion, who differentiated himself by creating the CTI-League.com to assist healthcare companies with ransomware.  We'll cover some of that organization, how Nate got his first C-level job, and some lessons learned you might appreciate in your own CISO journey.To learn more about Cyber Adversary Intelligence, please check out Prevail

    Oct 29,2021 47:31
72. 72. #51 - New Kid in Town (with Rebecca Mossman)

    When you first start a cybersecurity job, or hire someone into a cybersecurity job, there is a window of opportunity to see things with a new perspective.  In this episode, we’re privileged to share ideas with Rebecca Mossman, a successful cybersecurity leader who has led successfully a number of teams in her career.  We’ll examine relationships, stakeholders, setting priorities, communication, and knowing when to call something “done” and move on to the next task.

    Oct 18,2021 43:08
73. 73. #50 - Border Gateway Protocol (BGP)

    A Border Gateway Protocol (BGP) misconfiguration is what took out Facebook on 4 October.  Most IT folks don't understand how BGP works.  This episode helps you gain a better understanding of the protocol that creates routing tables to move information from one end of the Internet to the other.  We'll explain how Autonomous Systems (AS) share BGP route information, what should happen when things go right, and then examine what likely went wrong at Facebook and how you might be able to prepare for

    Oct 11,2021 31:25
74. 74. #49 - Cyberlaw Musings (with Mark Rasch)

    This is a special treat.  On this episode of CISO Tradecraft you can hear Mark D. Rasch, JD, discuss legal and security topics that he's encountered in his more than 30 years of experience in cybersecurity law.  We look into ransomware, reportable breaches, the appropriateness (or lack thereof) of certain legal statues, and finish with some actionable advice for CISOs and security leaders that you really need to hear.

    Oct 01,2021 43:35
75. 75. #48 - Effective Meetings

    We've all suffered through horrible meetings that felt like a total waste of time.  As a security leader, you'll be convening your fair share of meetings with your staff.  Don't be "that boss" who can't run an effective meeting.  This episode shows ways you can ensure your meetings are both efficient and effective, result in actionable tasking, and keep people coming back for more because you showed respect for their time and their ideas.  And we even practice what we preach -- this episode ends

    Sep 24,2021 33:24
76. 76. #47 - More Risky Business with FAIR

    In our 31 July 2021 Episode 42, Risky Business, we covered the basics of risk and risk assessment. This part 2 episode gets into the practical application of risk management using the FAIR model, or Factor Analysis of Information Risk. We explain key risk terminology and walk through examples of how to express risk using this model, as well as creating a meaningful way to explain to executives that is actionable. Risk Matrix Example: LinkOne Page FAIR Model: LinkMeasuring & Managing Information

    Sep 17,2021 42:53
77. 77. #46 - Crisis Leadership with G Mark Hardy‘s 9/11 Experience

    Have you ever faced a crisis?  How well did you do?  You should always want to improve your skills in case another happens.  On the 20th anniversary of 9/11, G. Mark Hardy shares some of his experiences as the on-scene commander for the military first responders at the World Trade Center, and expands that into a set of skills and attributes that you can cultivate to become a more effective crisis response leader in your role as a cybersecurity professional. References:5 Leadership Skills LinkHow

    Sep 10,2021 45:07
78. 78. #45 - Protecting your Crown Jewels (with Roselle Safran)

    Traditional risk models focus on calculating loss frequency and magnitude, but don't go far enough in terms of modeling the most important assets in our organization, known as "crown jewels." This episode of CISO Tradecraft is a fascinating interview with the CEO and founder of a startup focusing on crown jewel analysis -- Roselle Safran. We'll look into how making this a part of your portfolio helps put the "C" in CISO by showing your understanding of the business in which you work. We'll also

    Sep 03,2021 45:46
79. 79. #44 - Intro to Docker Containers and Kubernetes (K8s)

    Containers are a lightweight technology that allows applications to deploy to a number of different host Operating Systems without having to make any modifications at all to the code.  As a result, we're been seeing a big increase in the use of Docker, Kubernetes, and other tools deployed by enterprises.  In this episode, we'll cover the fundamentals of containers, Docker, orchestration tools such as Kubernetes, and provide you with knowledge to understand this environment, and maybe even tempt

    Aug 27,2021 31:19
80. 80. #43 - Cyber Deception (with Kevin Fiscus)

    Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work.  By creating a deceptive environment that "booby-trap" your networks with fake services, enticing resources, and make-believe traffic, we can create a high-fidelity, low-noise intrusion sensor system -- no legitimate user would ever try these.  Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives.  There's a lot to learn here, and

    Aug 20,2021 44:55
81. 81. #42 - Third Party Risk Management (with Scott Fairbrother)

    Special Thanks to our podcast Sponsor, CyberGRXOn today’s episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:How do you identify which vendors pose the highest risk to your business?How do you see which vendor’s security controls protect against threats?  How do you validate their risk profiles by scanning, dark web monitoring or other techniques to correlate what attackers are seeing and acting upon?Do you have an understanding of how to improve

    Aug 13,2021 52:29
82. 82. #41 - Got any Threat Intelligence?

    Cyber Threat Intelligence is an important part of an effective CISO arsenal, but many security leaders don’t fully understand how to optimize it for their benefit.  In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you

    Aug 06,2021 41:03
83. 83. #40 - Risky Business

    In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there i

    Aug 01,2021 44:06
84. 84. #39 - Stressed Out? Find your Ikigai and 6 Invaluable Factors

    Being a CISO has been described as the "toughest job in the world."  It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems.  Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it. 88% of CISOS report being "moderately or tremendously stressed"   We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for

    Jul 23,2021 29:46
85. 85. #38 - CMMC and Me

    This episode of CISO Tradecraft discusses CMMC.  The Cybersecurity Maturity Model Certification (CMMC), is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties.  The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam.  CMMC has five levels of progressively more rigorous certification

    Jul 18,2021 31:23
86. 86. #37 - Cyber Security Laws & Regulations

    On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations:The Health Insurance Portability and Accountability Act (HIPAA) advocates the security and privacy of personal health informationAdministrative SafeguardsPhysical SafeguardsTechnical SafeguardsThe Sarbanes-Oxley Act (SOX) is designed to provide transparency on anything that could cause material impact to the financials of a companyCyber Risk AssessmentIdentify Disclosure Controls and Po

    Jul 09,2021 43:00
87. 87. #36 - IPv6 Your Competitive Advantage (with Joe Klein)

    This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein.  IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment.  This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implement

    Jul 03,2021 44:16
88. 88. #35 - Setting Up an Application Security Program

    On this episode of CISO Tradecraft, you can learn how to build an Application Security program. Start with Key Questions forSecurityIT OperationsApplication Development/Engineering GroupsIdentify Key ActivitiesAsset DiscoveryAsset Risk PrioritizationMapping Assets Against Compliance RequirementsSetting up a Communications PlanPerform Application Security Testing ActivitiesSASTDASTVulnerability ScannersSoftware Composition AnalysisSecrets ScanningCloud Security ScanningMeasure and Improve Current

    Jun 25,2021 41:17
89. 89. #34 - Metrics that Matter

    What is measured gets done.  However before you measure you need to think about how best to measure.  On this episode of CISO Tradecraft, we provide you new insights into optimizing metrics that matter.  What is a Metric?Metrics drive outcomes.  Before picking a metric consider the following:What data is required?What stories can it tell?What questions does it invite?How sustainable is it?When you report metrics highlight three things:Status or Measure- Where is your company right now?Trends- Wh

    Jun 18,2021 41:31
90. 90. #33 - 10 Steps to Cyber Incident Response Playbooks

    On this episode of CISO Tradecraft, you can learn the 10 steps to Incident Response Planning:Establish a Cyber Incident Response TeamDevelop a 24/7 Contact list for Response PersonnelCompile Key Documentation of Business-Critical Networks and SystemsIdentify Response Partners and Establish Mutual Assistance AgreementsDevelop Technical Response Procedures for Incident Handling that your team can follow:External Media - An alert identifies someone plugged in a removable USB or external device Attr

    Jun 11,2021 43:59
91. 91. #32 - Brace for Incident (with Bryan Murphy)

    Special Thanks to our podcast Sponsor, CyberArk.  Experienced CISOs know that it's not a matter of if, but when.  Incidents happen, and there is an established response strategy nicknamed PICERL that works: (P)reparation (I)dentification (C)ontainment (E)radication (R)ecovery (L)essons LearnedIf we "shift left" with our incident planning, we can minimize our organizational risk -- thorough preparation, including establishing an environment of least privilege, significantly increases the challeng

    Jun 04,2021 44:10
92. 92. #31 - Executive Order on Improving the Nation’s Cybersecurity

    On this episode of CISO Tradecraft, you can learn about the new Executive Order on Improving the Nation's Cyber Security.  The episode provides a brief background on three security incidents which have influenced the Biden administration:SolarWindsMicrosoft Exchange ServersColonial Pipeline AttackThe episode then overviews the various sections of the new Executive Order:PolicyRemoving Barriers to Sharing Threat InformationModernizing Federal Government CybersecurityEnhancing Software Supply Chai

    May 28,2021 36:53
93. 93. #30 - Cloud Drift (with Yoni Leitersdorf)

    This episode is sponsored by Indeni.  On this episode of CISO Tradecraft, G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. Essentially it's quite common for organizations to change their cloud environment from what was declared in a Terraform or Cloud Formation Script.  These unapproved cloud changes or Cloud Drift often create harmful misconfigurations and have the potential to create data loss

    May 21,2021 42:57
94. 94. #29 - Identity and Access Management is the New Perimeter

    Identity is the New Perimeter.  On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management.  Key topics include:Audit TrailAuthenticationAuthorizationIdentity CompromiseLeast PrivilegeMicrosegmentationMulti Factor Authentication (MFA)Privileged Access/Account Management (PAM)Role Based Access Control (RBAC)Single Sign On (SSO)

    May 14,2021 44:59
95. 95. #28 - AI and ML and How to Tell When Vendors Are Full of It

    Have you ever heard a vendor has software features such as Artificial Intelligence (AI) or Machine Learning (ML)?   What does that mean?  On this episode we answer those questions so you know when vendors are full of it. Common reasons to use Artificial IntelligenceTypes of Artificial IntelligenceWhat Machine Learning isHow Machine Learning worksHow to select the right algorithmReferencesHow to Select Machine Learning AlgorithmsML Algorithm Cheat Sheet63 Machine Learning Algorithms

    May 08,2021 44:22
96. 96. #27 - Roses, Buds, & Thorns

    Today, CISO Tradecraft hosts a 5 minute discussion to talk about reflection.  The concept is Roses, Buds, and Thorns.  It’s an exercise designed to identify opportunities to make positive change.Roses- What’s workingBuds - What are new ideasThorns- What do we need to stopIf you would like to learn more please check out the article from MITREWe would love to hear your feedback here. Thank you,CISO Tradecraft

    May 01,2021 05:06
97. 97. #26 - Blockchain for CISOs

    On this episode CISO Tradecraft we dive into the world of blockchain.  As a CISO you may be expected to explain to executives what the technology does and possibly how it works.  Here's your briefing to make you successful.  We'll cover:History of money and birth of bitcoinWhy blockchain uniquely solves an age-old trust problemPotential business uses of blockchain technologySmart contracts and why they workBlockchain variants such as private and permissionedhttps://www.cisotradecraft.com

    Apr 23,2021 44:43
98. 98. #25 - Slay the Dragon or Save the Princess?

    This episode CISO Tradecraft continues the Ransomware Discussion.  Do you slay the dragon (avoid the ransom) or save the princess (recover your files)? Talking points include:Background on RansomwareWhat if we choose to pay a ransom?Is the Ransomware on the sanctions list?Negotiation/PaymentsInvolving Law EnforcementInvolving Legal CouncilDealing with Cryptocurrencies

    Apr 16,2021 45:03
99. 99. #24 - Everything you wanted to know about Ransomware

    Would you like to know more about Ransomware?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware.  Key discussions include:What is ransomware?Why does it work?Ransomware Types (Client-Side, Server-Side, & Hybrid)How each of these enter a target environmentRansomware IncidentsThe Economics of RansomwareHow is Ransomware Evolving?Why Ransomware continues to work :(Ethical Issues to consider before payingRansomware DefensesPlease subscribe

    Apr 08,2021 45:50
100. 100. #23 - NSA’s Top 10 Cybersecurity Mitigation Strategies

     If there's one place that knows how Advanced Persistent Threat (APT) actors work, it's the National Security Agency (NSA).  On this episode of CISO Tradecraft G Mark Hardy and Ross Young discuss NSA's Top Ten Cybersecurity Mitigation Strategies and how to use them to secure your company.Since the mitigation strategies are ranked by effectiveness against known APT tactics, they can be used to set the priorities for organizations to minimize mission impact from cyber attacks.Update and Upgrade Sof

     Apr 02,2021 43:57
101. 101. #22 - Modern Software Development Practices

     Would you like to know the best practices in modern software development?  On this episode G Mark Hardy and Ross Young overview the 12 Factor App and its best practices:Codebase: One codebase tracked in revision control with many deploys.Dependencies: Explicitly declare and isolate dependencies.Config: Store configurations in the environment.Backing Services: Treat backing services as attached resourcesBuild, Release, Run: Strictly separate build and run stages Processes: Execute the app as one

     Mar 26,2021 45:37
102. 102. #21 - Your First 90 Days as a CISO (with Mark Egan)

     This special episode features Mark Egan (Former CIO of Symantec as well as VMWare).  Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College.Three Questions to ask during any interview:What do you like best about this role?What are the most challenging pieces of this role?What does success look like for this role one year into the

     Mar 19,2021 43:36
103. 103. #20 - Zero Trust

     Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon?  On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft:Microsoft's Zero Trust PrinciplesVerify ExplicitlyUse Least Privileged AccessAssume BreachNIST 800-207 Seven Tenets of Zero TrustAll data sources and computing services are considered resourcesAll communication is secured regardless of network locationAccess to individual enterprise

     Mar 12,2021 45:15
104. 104. #19 - Team Building

     Every leader needs to know how to lead and manage a team.  On this episode G Mark Hardy and Ross Young share tradecraft on team building.Pitfalls to team building with becoming a heroOrganizational Maturity Models (Levels 1-5)Tuckman Teaming Model (Forming, Storming, Norming, and Performing)Leadership Styles (Telling, Selling, Participating, & Delegating)Aligning your Team and Regaining former employees

     Mar 05,2021 44:54
105. 105. #18 - Executive Presence

     Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles.  On this episode G Mark Hardy and Ross Young discuss executive presence:What is itWhy you need itHow to get itWe will discuss Gerry Valentine's 7 Key Steps to building Your executive presence:Have a vision, and articulate it wellUnderstand how others experience youBuild your communication skillsBecome an excellent listenerCultivate your network and build political

     Feb 26,2021 48:19
106. 106. #17 - Global War on Email

     If you use email, this episode is for you.  Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education.)These three tools all involve placing simple entries in your DNS records.  To work effectively, the recipient also needs to be checking entries.  They are:SPF = sender policy framework; designates only mail from designated IP address(es) or mail server(s) are vali

     Feb 19,2021 47:24
107. 107. #16 - The Essential Eight

     The Australian Cyber Security Center (ACSC) believes that not all cyber security controls are created equal.  The have assessed various strategies to mitigate cyber security incidents and determined there are eight essential cyber security controls which safeguard any organization more than another control. These controls are commonly known as, "The Essential Eight" are highly recommended.Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g.

     Feb 12,2021 47:03
108. 108. #15 - IT Governance

     As a CISO, one of the key functions you will be responsible for is IT Governance.  On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce. Examples include:PoliciesControl ObjectivesStandardsGuidelinesControlsProcedures...Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link

     Feb 05,2021 46:08
109. 109. #14 - How to Compare Software

     At some point in time, a CISO will need to purchase new security technology.  Whether it's antivirus, firewalls, or SIEMs you need to understand how to choose a product that will benefit your organization for years to come.  This podcast discusses 5 different techniques that CISOs can apply to help with product selectionPerform Market Research to learn the players Gartner Magic QuadrantForrester WaveLeverage Vendor Comparison Tools to spot the featuresMitre ATT&CK EvaluationAV-ComparativesMoSCoW

     Jan 29,2021 47:46
110. 110. #13 - Executive Competencies

     Have you ever wanted to become an executive, but didn’t know what skills to focus on?  On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government).  The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives. Fundamental Competencies:Interpersonal SkillsOral CommunicationIntegrity/Honest

     Jan 22,2021 47:11
111. 111. #12 - The Three Ways of DevOps

     Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security. The three ways of DevOps consist of:The First Way: Principles of FlowThe Second Way: Principles of FeedbackThe Third Way: Principles of Continuous LearningIf you would like to learn

     Jan 15,2021 45:04
112. 112. #11 - Cryptography

     Most organizations generate revenue by hosting online transactions.  Cryptography is a key enabler to securing online transactions in untrusted spaces.  Therefore it's important for CISOs to understand how it works.  This episode discusses the fundamentals of cryptography:What are the requirements for cryptography?How long has cryptography been around?Are there differences between legacy and modern cryptography?Differences between symmetric and asymmetric encryptionCommon use of encryption at re

     Jan 08,2021 49:00
113. 113. #10 - Securing the Cloud

     Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to understand.  This episode provides an in depth discussion of AWS's 7 design principles for securing the cloud:Implement a strong identity foundationEnable traceabilityApply security at all layersAutomate security best practicesProtect data in transit and restKeep people away from dataPrepare for security eventsPlease note the AWS Well-Architected Framework Security Design Principles can be found here:

     Jan 01,2021 45:16
114. 114. #9 - Introduction to the Cloud

     Have you ever wanted to learn the basic fundamentals of the cloud?  This podcast provides a 50,000 foot view of the cloud.  Specific discussions include:What is the cloud?What types of clouds are there and what are the differences?What is the term shared responsibility model and what does that mean for securing the cloud?Chapters00:00 Introduction02:10 The Basics of Cloud Computing06:20 Cloud Computing and Infrastructure as a Service Model10:17 The different levels of responsibility in an Elasti

     Dec 25,2020 44:37
115. 115. #8 - Crucial Conversations

     CISOs often encounter situations where everyone has a different opinion, it's a high stakes decision, and emotions are running high.  These situations create crucial conversations opportunities where a CISO needs to be effective.  This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8 step process from the book, "Crucial Conversations."Get Unstuck Start With HeartMaster My Stories

     Dec 18,2020 56:47
116. 116. #7 - DevOps

     On this Episode we will explore DevOps as a topic and discuss why you need to care as a CISO.  Key discussions include:What are the key principles behind DevOps?What benefits does security see from DevOps?What is a CI/CD pipeline?What are common types of DevOps tools that I need to understand as a CISO?Where does DevSecOps fit in?What are 4 types of Application Security Testing tools we see in DevOps Pipelines?What are 3 common ways to make DevOps / DevSecOps go viral in any organization?Chapter

     Dec 11,2020 49:15
117. 117. #6 - Change Management

     If you want to make impact as a leader, then you need to understand how to lead change.  This episode overviews Dr. John Kotter's 8-Step process to accelerating change.Create a sense of urgencyBuild a guiding coalitionForm a strategic vision and initiativesEnlist a volunteer armyEnable action by removing barriersGenerate short-term winsSustain accelerationInstitute changeWe highly recommend you read Kotter's ebook to learn more:https://www.kotterinc.com/8-steps-process-for-leading-change/Chapter

     Dec 04,2020 49:38
118. 118. #5 - Cyber Frameworks

     Cyber Frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39) as well as provides useful tips on how to implement them.Chapters00:00 Introductions03:29 Creating a Framework for Cyber Security Programs06:48 What are the Most Important Controls11:08 Having an Inventory

     Nov 27,2020 57:33
119. 119. #4 - Asset Management

     If you want to assess your current level of security, then you should start with an asset management program. Asset management provides the basic building blocks to enable vulnerability management and remediation programs.  This podcast provides key lessons learned on what is required for effective asset management as well as discuss how asset management evolves with the cloud.  Listeners will also learn important steps to take to create a world class asset management program.Chapters00:00 Intro

     Nov 20,2020 38:45
120. 120. #3 - How to Read Your Boss

     The ability to persuade others is a core tradecraft for every CISO.  This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers).  After listening to this podcast, you will understand how to more effectively tailor your message to best influence each style of executive. If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article, “Change the Way You Persuade”, by

     Nov 13,2020 38:44
121. 121. #2 - Principles of Persuasion

     To become an effective CISO you need influence skills.  On this episode we explore Robert Cialdini's book, "Influence" and discuss the psychology of persuasion.  We will explore 6 key areas of influence:Liking- If people like you - because they sense that you like them, or because of things you have in common - they're more apt to say yes to youReciprocity- People tend to return favors.  If you help people, they'll help you.  If you behave in a certain way (cooperatively, for example), they'll r

     Nov 06,2020 46:29
122. 122. #1 - What is a CISO?

     On this pilot episode you will get to meet the hosts of the show (G Mark Hardy & Ross Young) and learn a little bit about their backgrounds.Chapters00:00 Introductions04:47 What is a CISO?07:24 Enable the Rock Climber to Take Risks13:32 What do CISOs need to know?18:07 Compliance is a C-21:23 What functions and services do CISOs oversee?25:48 The importance of a Purple Team29:45 Is your Security Office a Red Team or a Blue Team?34:50 Which organization in security is most likely to produce a CIS

     Oct 30,2020 50:46