CISO Tradecraft®

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a Chief Information Security Officer (CISO) and learning about cyber security. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

Listen on:

  • Apple Podcasts
  • Google Podcasts
  • Podbean App
  • Spotify
  • Amazon Music
  • Pandora
  • TuneIn + Alexa
  • iHeartRadio
  • PlayerFM
  • Listen Notes
  • Samsung
  • Podchaser
  • BoomPlay

Episodes

5 days ago

In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.
OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
OWASP Top 10: https://owasp.org/www-project-top-ten/
Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32
Chapters
00:00 Introduction
01:11 Introducing OWASP: A Pillar in Cybersecurity
02:28 The Evolution of Web Vulnerabilities
05:01 Exploring Web Application Security Risks
07:46 Diving Deep into OWASP Top 10 Risks
09:28 1) Broken Access Control
14:09 2) Cryptographic Failures
18:40 3) Injection Attacks
23:57 4) Insecure Design
25:15 5) Security Misconfiguration
29:27 6) Vulnerable and Outdated Software Components
32:31 7) Identification and Authentication Failures
36:49 8) Software and Data Integrity Failures
38:46 9) Security Logging and Monitoring Practices
40:32 10) Server Side Request Forgery (SSRF)
42:15 Recap and Conclusion: Mastering Web Application Security

Monday Mar 18, 2024

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Chapters
00:00 Introduction
00:56 Understanding Vulnerability Management
02:15 How Bad Actors Exploit Vulnerabilities
04:26 Building a Comprehensive Vulnerability Management Program
08:10 Prioritizing and Remediation of Vulnerabilities
13:09 Optimizing the Patching Process
15:28 Measuring and Improving Vulnerability Management Effectiveness
18:28 Gamifying Vulnerability Management for Better Results
20:38 Securing Executive Buy-In for Enhanced Security
21:15 Conclusion and Further Resources

#172 - Table Top Exercises

Monday Mar 11, 2024

Monday Mar 11, 2024

This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents.
Outline & References:
https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf
Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/
Chapters
00:00 Introduction
00:47 The Importance of Tabletop Exercises
01:53 The Benefits of Tabletop Exercises
03:06 How to Implement Tabletop Exercises
05:30 The Role of Tabletop Exercises in Compliance
08:24 The Participants in Tabletop Exercises
09:25 The Preparation for Tabletop Exercises
16:57 The Execution of Tabletop Exercises
21:58 Understanding Roles and Responsibilities in an Exercise
22:17 The Importance of a Hot Wash Up
23:36 Creating an After Action Report (AAR)
24:06 Implementing an Action Plan
24:34 Example Scenario: Network Administrator's Mistake
25:08 Formulating Targeted Questions for the Scenario
26:36 The Role of Innovation in Tabletop Exercises
27:11 The Connection Between Tabletop Exercises and Compliance
29:18 12 Key Steps to a Successful Exercise
30:43 The Importance of Realistic Scenarios
34:05 The Role of Communication in Crisis Management
37:33 The Impact of Cyber Attacks on Operations
39:57 The Importance of Tabletop Exercises and How to Get Started
40:35 Conclusion

Monday Mar 04, 2024

In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity.
Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9
Chapters
00:00 Introduction
01:44 Discussion on Software Supply Chain Security
02:33 Insights into Secure Development Life Cycle
03:20 Understanding the Importance of Supplier Landscape
05:09 The Role of Security in Software Supply Chain
07:29 The Impact of Vulnerabilities in Software Supply Chain
09:06 The Importance of Secure Software Development Life Cycle
14:13 The Role of Frameworks and Standards in Software Supply Chain Security
17:39 Understanding the Importance of Business Continuity Plan
20:53 The Importance of Security in Agile Development
24:01 Understanding OWASP and Secure Coding
24:20 The Importance of API Security
24:50 The Concept of Shift Left in Software Development
25:20 The Role of Culture in Software Development
25:52 Exploring Different Source Code Types
26:19 The Rise of Low Code, No Code Platforms
28:53 The Potential Risks of Generative AI Source Code
34:24 Understanding Software Bill of Materials (SBOM)
41:07 The Challenge of Spotting Counterfeit Software
41:36 The Importance of Integrity Checks in Software Development
45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

Monday Feb 26, 2024

In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges.
Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/
Chapters
00:00 Introduction
00:22 Understanding Responsibility, Accountability, and Authority
01:20 The Role of Leadership in Cybersecurity
02:47 Exploring the Concepts of Responsibility, Authority, and Accountability
03:08 Applying Responsibility, Authority, and Accountability to the CISO Role
04:20 The Interplay of Responsibility, Authority, and Accountability
11:57 Understanding Power and Its Forms
12:43 The Impact of Power on Leadership and Influence
24:04 The Role of Connection Power in Today's Digital Age
24:40 Understanding Different Sources of Power
25:13 The Power of Networking and Connections
26:49 The Challenges of Being a CISO
29:19 Understanding the Value of Your Role
33:56 The Importance of Expert Power
37:46 The Consequences of Ignoring Maintenance
43:40 Aligning Responsibility, Accountability, and Authority
44:39 The Importance of Legal Protections for CISOs
45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

#169 - MFA Mishaps

Monday Feb 19, 2024

Monday Feb 19, 2024

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection.
Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO
References:
Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/
Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994
Chapters
00:00 Introduction
00:43 Understanding Multi Factor Authentication
01:05 Exploring Different Levels of Authentication
03:30 The Risks of Multi Factor Authentication
03:51 The Importance of Password Management
04:27 Exploring the Use of Trusted Platform Module for Authentication
06:17 Understanding the Difference Between TPM and HSM
09:00 The Challenges of Implementing MFA in Enterprises
11:25 Exploring Real-World MFA Mishaps
15:30 The Risks of Overprivileged Test Systems
17:16 The Importance of Monitoring Non-Production Environments
19:02 Understanding Consent Phishing Scams
30:37 The Legal Implications of Biometric Data Collection
32:24 Conclusion and Final Thoughts

Monday Feb 12, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception.
Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325
Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre
Chapters
00:00 Introduction
02:00 Guest's Career Journey and Achievements
08:49 Discussion on Cybersecurity First Principles
15:27 Understanding Materiality in Cybersecurity
21:56 The Gap Between Security Teams and Business Leaders
22:21 The Importance of Speaking the Language of Business
23:03 The Art of the Elevator Pitch
24:04 The Impact of Cybersecurity on Business Value
25:10 The Importance of a Clear Cybersecurity Strategy
26:04 The Value of Business Fluency in Cybersecurity
27:44 The Role of Risk Calculation in Cybersecurity
29:41 The Power of Estimation in Risk Management
30:33 The Importance of Understanding Business Imperatives
41:25 The Role of Culture and Risk Appetite in Cybersecurity
45:39 The First Principle of Cybersecurity

Monday Feb 05, 2024

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams.
Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/
Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb
Chapters
00:00 Introduction
00:23 Understanding Cybersecurity Apprenticeships
02:43 The Role of Mentorship in Cybersecurity
04:09 The Benefits of Cybersecurity Apprenticeships
07:17 The Evolution of Apprenticeships in the Tech Industry
10:00 The Value of Apprenticeships in Building Loyalty
11:08 The Difference Between Internships and Apprenticeships
15:32 The Role of Apprenticeships in Addressing the Skills Shortage
19:15 The Challenges of Implementing Apprenticeships
26:28 The Future of Cybersecurity Apprenticeships
44:32 Conclusion: The Value of Cybersecurity Apprenticeships

Monday Jan 29, 2024

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity. 
References:
https://www.watchguard.com/wgrd-news/blog/decrypting-cybersecurity-acronyms-0
https://computerhistory.org/profile/john-mccarthy/
https://owasp.org/www-community/Threat_Modeling_Process#stride
https://attack.mitre.org/att&ck 
https://d3fend.mitre.org/
https://fourcore.io/blogs/mitre-attack-mitre-defend-detection-engineering-threat-hunting  
https://cars.mclaren.com/us-en/legacy/mclaren-p1-gtr
https://csrc.nist.gov/glossary/term/confidentiality
https://csrc.nist.gov/glossary/term/integrity
https://csrc.nist.gov/glossary/term/availability
https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services
https://www.nytimes.com/2006/06/30/washington/va-laptop-is-recovered-its-data-intact.html
https://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/
https://apps.dtic.mil/sti/tr/pdf/ADA221814.pdf 
Transcripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH
Chapters
00:00 Introduction
01:34 Cybersecurity Acronyms: Pre-1990s
02:26 STRIDE and DREAD Models
02:39 PICERL and MITRE Models
05:04 Defining Cybersecurity
07:52 CIA Triad and Its Importance
09:00 Confidentiality, Integrity, and Availability
11:52 The Parkerian Hexad
17:30 D.I.E. Triad Concept
24:28 Cybersecurity UPDATE
24:51 Unchanging
25:46 Perimeterizing
29:36 Distributing
29:50 Authenticating
33:58 Tracing
36:07 Ephemeralizing 

Monday Jan 22, 2024

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts.
Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr 
Chapters
00:00 Introduction
00:50 Guest's Background and Journey
05:27 Discussion on Security Data Pipeline
07:19 Introduction to SOAR
08:01 Benefits and Challenges of SOAR
12:40 Guest's Current Work and Company
14:04 Security Data Pipeline Modernization
22:20 Discussion on Vendor Integration
29:09 Security Pipeline Approach and AI
38:03 Closing Thoughts and Future Directions

#164 - The 7 Lies in Cyber

Monday Jan 15, 2024

Monday Jan 15, 2024

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures.
CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/
OWASP Benchmark - https://owasp.org/www-project-benchmark/
Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo
Chapters
00:12 Introduction
00:56 The Lie of Accurate Inventory
05:29 The Lie of Accurate Risk Assessment
08:41 The Lie of Shifting Left in DevSecOps
13:45 The Lie of Certifications Ensuring Security
18:33 The Lie of Reporting Cyber Incidents in 72 Hours
20:44 The Lie of Accurate Application Security Tools
22:07 The Lie of Cybersecurity Not Being a Cost Center
24:44 Conclusion and Recap of Cybersecurity Lies 

Monday Jan 08, 2024

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more. 
 
Link to the ORF - https://www.grf.org/orf
Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i
Chapters
00:12 Introduction
01:47 Introduction to Operational Resilience Framework
02:38 Understanding Resilience and Antifragility
03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity
09:43 Operational Resilience Framework: Steps and Principles
17:50 Preserving Datasets and Implementing Recovery Processes
20:18 Evaluating and Testing Your Disaster Recovery Plan
21:11 Recap of Operational Resilience Framework Steps
22:04 CISO Tradecraft Services and Closing Remarks

Monday Jan 01, 2024

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge!
Earn CPEs: https://www.cisotradecraft.com/isaca
Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R
Chapters
00:00 Introduction
02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements.
05:25 2) CISO reporting structure changes. No more reporting to the CIO.
11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO.
13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries
16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession
19:44 6) AI-generated fraud will increase significantly
22:15 7) Shadow AI will result in Hidden Vulnerabilities
24:24 8) LLM attacks new vector for "AI-enabled" companies
27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur
31:44 10) Self-driving cars will encounter regulatory setback
34:02 Review of Last Year's Predictions
41:03 Actionable Items for the Future
41:29 Closing Remarks and Invitation for 2024

Monday Dec 25, 2023

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation.
ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca
Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx-
Chapters
00:00 Introduction
01:08 Importance of Ongoing Support and Mentorship
01:46 The Role of Community in Training
03:03 Hands-on Exercises and Practical Experience
06:01 Success Stories and Testimonials
08:29 Incorporating Security Trends into Training
11:08 Balancing Security with Developer Productivity
18:17 Teaching Secure Coding Practices in Different Languages
20:27 Engaging and Motivating Participants
22:51 Promoting the Program: Engaging and Fun
23:37 Accommodating Different Learning Styles
24:16 Catering to Self-Paced Learners
26:19 Addressing Proficiency Levels and Remediation
28:55 Compliance with Privacy and Data Protection Regulations
30:48 Breaking Down Complex Security Concepts
32:05 Creating a Culture of Security Awareness
33:25 Partnerships and Collaborations in Secure Development
35:10 Feedback and Improvement of the Program
36:12 Cost Considerations for Secure Developer Training
39:20 Tracking Participants' Progress and Completion Rates
41:23 Trends in Secure Developer Training
43:42 Final Thoughts on Secure Developer Training

Monday Dec 18, 2023

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode
ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca
Scott Russo - https://www.linkedin.com/in/scott-russo/
HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2
Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ
Youtube - https://youtu.be/NkrtTncAuBA 
Chapters
00:00 Introduction
03:00 Overview of Secure Developer Training Program
04:46 Motivation Behind Creating the Training Program
06:03 Objectives of the Secure Developer Training Program
07:45 Defining the Term 'Secure Developer'
14:49 Keeping the Training Program Current and Engaging
21:10 Real World Impact of the Training Program
21:46 Understanding the Cybersecurity Budget Argument
21:58 Incorporating Real World Examples into Training
22:26 Personal Experiences and Stories in Training
24:06 Industry Best Practices and Standards
24:18 Aligning with OWASP Top 10
25:53 Balancing OWASP Top 10 with Other Standards
26:12 The Importance of Good Stories in Training
26:32 Duration of the Training Program
28:37 Resources Required for the Training Program
32:23 Measuring the Effectiveness of the Training Program
36:07 Gamification and Certifications in Training
38:56 Tailoring Training to Different Levels of Experience
41:03 Conclusion and Final Thoughts
 

Monday Dec 11, 2023

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies.
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca
CIO Wisdom Book - https://a.co/d/bmmZEAC
Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs
Chapters
00:00 Introduction
02:21 Building a Tactical and Strategic Plan
02:58 Assessing Your Current Cybersecurity Posture
03:11 Workforce Assessment and Rating
06:31 Understanding Your Cybersecurity Tools
08:29 Performing a Business Requirements Analysis
10:13 Defining the Desired Future State
12:03 Creating a Gap Analysis
14:14 Analyzing Current Options and Building a Roadmap
17:11 Presenting the New Plan to Management
21:36 Recap and Conclusion

Monday Dec 04, 2023

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it!
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
Hunters - https://www.hunters.security/
Noam Brosh - https://www.linkedin.com/in/noam-brosh-5743938/
Transcripts: https://docs.google.com/document/d/1ArTixgEvRsVpLVdV2uVFAKCKSB2mBUKo
Youtube Link: https://youtu.be/ThEpI2_LpD8 
Chapters
00:00 Introduction and Welcome
01:20 Understanding the Role of SOC Tools
05:39 Challenges with Traditional SIEM Tools
08:48 The Shift to Data Lakes and the Impact on SIEMs
18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms
19:25 The Role of Automation in Modern SOC Tools
26:01 The Importance of Third-Party Connection Tools in SOC Tools
27:27 Trends and Disruptions in the SIEM Space
28:09 Addressing False Positives in SOC Tools
31:14 Outsourcing Aspects of SOC and Staffing
36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments
41:02 Reporting SOC Metrics to Executive Stakeholders

Monday Nov 27, 2023

In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management.
Big Thanks to our Sponsors
Risk3Sixty - https://risk3sixty.com/
Adlumin - https://adlumin.com/
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/
Transcripts: https://docs.google.com/document/d/1rWixzKgf_unanPlnoL6dt8qpEsbZj9lv
Chapters 
00:00 Introduction and Recap of the 10 Previous Skills
02:25 Skill #11) Incident Triage
04:21 Skill #12) Incident Response Frameworks
07:09 Skill #13) Communication
09:38 Skill #14) Collaboration
14:58 Skill #15) Documentation
19:35 Skill #16) Memory Analysis
22:36 Skill #17) Incident Containment and Eradication
25:31 Skill #18) Scripting and Automation
28:53 Skill #19) Cloud Security
31:10 Skill #20) Crisis Management
33:58 Recap of 20 SOC Skills and Conclusion

Monday Nov 20, 2023

In this episode of CISO Tradecraft, host G Mark Hardy talks to Kevin O'Connor, the Director of Threat Research at Adlumin. They discuss the importance of comprehensive cybersecurity for Small to Medium-sized Businesses (SMBs), including law firms and mid-sized banks. The conversation explores the complexities of managing security infrastructures, the role of managed security service providers, and the usefulness of managed detection and response systems. The discussion also delves into the increasing threat of ransomware and the critical importance of managing data vulnerabilities and providing security awareness training.
Big Thanks to our Sponsor: Adlumin - https://adlumin.com/
Transcripts: https://docs.google.com/document/d/1V_qkMFdGC4NRLCG-80gcsiSA8ikT8SwP
Youtube: https://youtu.be/diCZfWWB3z8
 
Chapters
00:12 Introduction and Sponsor Message
01:42 Guest Introduction: Kevin O'Connor
02:29 Discussion on Cybersecurity Roles and Challenges
03:20 The Importance of Defense in Cybersecurity
04:23 The Role of Managed Security Services for SMBs
07:26 The Cost and Staffing Challenges of In-House SOCs
14:41 The Value of Managed Security Services for Legal Firms
16:30 The Threat Landscape for Small and Mid-Sized Banks
18:19 The Difference Between Compliance and Security
20:08 Understanding the Reality of Cybersecurity
20:45 The Challenges of Building IT Infrastructure
21:08 Outsourcing vs In-house Security Management
21:55 The Importance of Understanding Your Data
22:43 Security Operations Center vs Security Operations Platform
24:21 The Role of Managed Detection and Response
24:54 The Importance of Quick Response in Security
28:07 The Threat of Ransomware and Data Breaches
34:31 The Role of Pen Testing in Cybersecurity
36:33 The Growing Threat of Ransomware
38:28 The Importance of Security Awareness Training
40:42 The Role of Incident Response and Forensics
42:11 Final Thoughts on Cybersecurity

Monday Nov 13, 2023

In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training.
Big Thanks to our Sponsor
Adlumin - https://adlumin.com/
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/
Transcripts: https://docs.google.com/document/d/1lE9Tz-um1II2aNX4JU-bQ-BND7fPNteE/
Chapters
00:00 Introduction
14:15 Skill 1) IT/Cyber Fundamentals
17:17 Skill 2) Incident Detection
18:34 Skill 3) Threat Intelligence
20:11 Skill 4) Cybersecurity Tools
24:12 Skill 5) Network Analysis
25:55 Skill 6) Endpoint Analysis
28:33 Skill 7) Log Analysis
32:41 Skill 8) Malware Analysis
35:20 Skill 9) Forensics
38:30 Skill 10) Vulnerability Assessment

Monday Nov 06, 2023

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Amer Deeba, CEO and co-founder of Normalyze. They focus on the importance of data security in today's cloud-centric, multi-platform tech environment. Amer shares valuable insights on the need for a data security platform that offers a unified, holistic approach. The conversation also delves into the importance of understanding the value of your data, and how solutions such as Normalyze can accurately identify and classify sensitive data, measure its value, and mitigate risk of compromise. Ideal for CISOs and professionals navigating data security, this episode provides key recommendations for data visibility, security posture management, and response mechanisms, built around the principles of cybersecurity.
Big Thanks to our Sponsors
Normalyze - https://normalyze.ai/
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts: https://docs.google.com/document/d/1_z20Y5Xvs7qv6K9D2TUvM3ufLYSmXbvs
Chapters
00:00 Introduction
02:46 Understanding Data Security
03:58 The Importance of Data Security
04:21 The Challenges of Data Security
08:26 The Role of Data Security Posture Management
10:31 The Value of Data and Compliance
13:58 The Importance of Real-Time Data Protection
15:31 The Role of Encryption in Data Security
17:19 Understanding the Risks of Data Breaches
18:45 The Importance of Holistic Data Security
36:26 The Role of Anomaly Checks in Data Security
37:48 Understanding Generational Data
40:38 Conclusion and Contact Information

Monday Oct 30, 2023

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen.
Big Thanks to our Sponsors
Haiku - https://www.haikuinc.io/
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts
https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q
Prefer to watch on YouTube?
https://www.youtube.com/watch?v=45eViHH_ktA 
Chapters
00:00 Introduction
03:38 What is Game-Based Learning?
07:55 Training Board of Directors
10:18 Gamification vs Game-Based Learning
14:30 Do Your Duties
21:09 Delaware Fiduciary Duties
22:54 Building a Forge
26:11 Tailored Game Types
33:35 Teaching Girl Scouts Linux Commands
40:17 Retaining Your Best People

Monday Oct 23, 2023

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks.
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/iso-27001-certification/
Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0
Chapters
00:00 Introduction
04:22 Communication is a Requirement
09:34 How does cyber create value?
11:30 Culture and Operational Excellence
16:51 How does growth strategy align with cyber?
22:30 Intention Deficit Disorder
26:48 Accountability Loops
28:39 What's the evolution for a digital strategy?
32:02 Sharpen your axe
36:40 Digital Directors Network & Qualified Technical Experts

#151 - Cyber War

Monday Oct 16, 2023

Monday Oct 16, 2023

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out.
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H
Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf
Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf
Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/
Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ
https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war
Chapters
00:00 Introduction
01:57 Definition of Cyber War
04:18 Kinetic vs Cyber War
07:02 Goal of Offensive Cyber Operations
10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity)
11:33 Diplomatic, Information, Military, & Economic (DIME)
12:57 Proportionality
14:04 Law of Distinction
15:56 Tallinn Manual
18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks
23:47 Ukraine Cyber War
28:21 Comparing old tanks to old mainframes
39:55 Winning a Cyber War

#150 - Measuring Results

Monday Oct 09, 2023

Monday Oct 09, 2023

On this episode we discuss the measuring results cheat sheet from Justin Mecham.  Key focuses include:
Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound)
Identifying KPIs (Key Performance Indicators)
Using the WOOP Model (Wish, Outcome, Obstacle, and Plan)
Using a Gap Analysis
Using the 5 Why Method
Using Plan, Do, Check, & Act.
Link to the Measuring Results Cheat Sheethttps://www.linkedin.com/posts/justinmecham_harvard-says-leaders-are-10x-more-likely-activity-7112050615576391681-Ro60/
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts https://docs.google.com/document/d/1Ok9cFBdubI6M4ubhcR0HZzmauHiU7fsN
Chapters
00:00 Introduction
03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound)
07:29 Key Performance Indicators
09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan)
09:59 Gap Analysis
12:36 Root Cause Analysis and the 5 Whys
14:09 Plan, Do, Check, and Act

Copyright 2024 All rights reserved.

Podcast Powered By Podbean

Version: 20230822