

CISO Tradecraft®
G Mark Hardy & Ross Young
You are not years away from accomplishing your career goals, you are skills away. Learn the Tradecraft to Take Your Cybersecurity Skills to the Executive Level. © Copyright 2025, National Security Corporation. All Rights Reserved

Mar 30, 2026 • 40min
#277 - From SaaS to AI Agents: Gone in 60 Seconds
In this CISO Tradecraft episode, co-hosts G Mark Hardy and Ross Young discuss how large language models are transforming software development and shifting cybersecurity from buying Software as a Service to “Service as Software,” and ultimately to “Systems of AI agents”. They explain how writing code in English enables rapid prototyping, changing cost models by reducing labor hours and increasing speed and scale, with metrics like shrinking a 40-hour threat model effort to a 10-minute agent output. Ross outlines three generations, SIEM (SaaS), SOAR (services as software), and systems of agents (AI SOC), highlighting broader, evolving detection coverage. They cover risks including underestimated maintenance, scope creep, automating bad processes, and insecure AI-generated code, and demo a prompt-built software composition analysis/SBOM tool using CycloneDX and OSV. Ross also introduces his company, Clear Capabilities, focused on agentic workforce automation for governance, privacy, architecture, and compliance.
Cybersecurity's Dirty Secret: Why Most Budgets Go To Waste - https://www.amazon.com/Cybersecuritys-Dirty-Secret-Budgets-Tradecraft%C2%AE/dp/B0G26WHVTG/
Ross Young - https://www.linkedin.com/in/mrrossyoung/
Developer AI Threats - https://threats.backslash.security/

Mar 23, 2026 • 41min
#276 - How is AI Reshaping Fraud (with Brian Long)
Brian Long, CEO and co-founder of Adaptive Security, protects orgs from AI-driven social engineering. He discusses deepfakes, OSINT-powered personalization, and real-time conversational attacks. Short, urgent red flags and why detection alone is insufficient are covered. Practical defenses include verification habits, tailored awareness training, AI-driven simulations, and stronger hiring and payment controls.

Mar 16, 2026 • 46min
#275 - How to Secure Vibe Code (with Shahar Man)
In this CISO Tradecraft episode, host G Mark Hardy interviews Shahar Man of Backslash Security about the rapidly expanding attack surface created by AI-driven “vibe coding” tools like Claude Code, Cursor, and Copilot. Shahar explains how prompting is shifting software creation, affecting education and hiring, and pushing security “further left” to the prompt, agent, MCP, skills, and rules level. He discusses risks such as loss of source integrity, excessive permissions, prompt injection, data leaks, use of unauthorized tools or accounts, and the spread of coding beyond engineering to teams like marketing and finance. Shahar argues AppSec work will transform toward securing the “sausage factory” and describes Backslash’s approach: enterprise-wide visibility, component vetting, endpoint monitoring via a local proxy, guardrails and blocking, and forwarding alerts to SOC/SIEM, with deployments scaling to thousands of workstations.
Looking to get more secure on Vibe Coding? Check out the Ultimate 2026 Vibe Coding Security Buyer's Guide https://www.backslash.security/resources/vibe-coding-security-buyers-guide?utm_campaign=354642149-ciso-tradecraft&utm_source=ross-young&utm_medium=podcast-march-2026

Mar 9, 2026 • 45min
#274 - The State of Stress in Cyber (with Steve Shelton)
In this CISO Tradecraft episode, host G Mark Hardy interviews Steve Shelton (https://www.linkedin.com/in/greenshoesteve/) of Green Shoe Consulting about the “State of Stress in Cybersecurity 2025” report and why burnout is widespread among cybersecurity leaders. Shelton explains the difference between beneficial stress (eustress) and chronic distress, how threat vs challenge interpretations shape performance, and why cybersecurity’s volatile, high-stakes environment amplifies stress, especially when CISOs have responsibility without authority and limited leadership training. They discuss systemic burnout drivers such as workload, autonomy, values alignment, recognition, and leadership behaviors like trust and delegation, plus different CISO leadership styles (strategic, adaptive, tactical, operational). Shelton describes efforts to build training and measurement tools for stress and energy, comments on AI-driven uncertainty, and shares the report download link at: https://www.greenshoeconsulting.com/stateofstressreport

Mar 2, 2026 • 45min
#273 - Creating a Wisdom-Led SOC (with Oren Saban)
Oren Saban, co-founder and CPO at Mate Security and product-focused security researcher. He discusses AI-driven, wisdom-led SOCs tackling alert overload. Short takes cover AI agents handling most investigations, building contextual security graphs, shifting metrics from volume to quality, and elevating humans to strategic judgment and governance.

Feb 23, 2026 • 60min
#272 - Data Centric Platform Play (with EJ Pappas)
Ross Young, a cybersecurity pro with banking experience focused on encryption and masking, and EJ Pappas, PKWARE Field CTO skilled in data discovery and protection. They discuss shifting to data-centric security, the blind spots caused by platform sprawl, differences between structured and unstructured data, AI as both accelerator and risk, and why encryption and DLP must work together.

Feb 16, 2026 • 53min
#271 - A Life of Service (with Chris Inglis)
Chris Inglis, former U.S. National Cyber Director and long-time public servant with Air Force and NSA roots. He recounts a life of service and leadership. Topics include shaping organizational culture, integrating security with business strategy, detecting insider threats, and the governance and risks of AI. He also reflects on purpose, accountability, and building institutions under constraint.

Feb 3, 2026 • 31min
#270 - And What is Truth?
They explore how disinformation, deepfakes, and cyber deception deliberately erode trust online. Historical and modern deception tactics are compared, from wartime operations to bot farms and synthetic media. The conversation covers state tools like propaganda and censorship, hybrid amplification methods, and practical defenses such as verification strategies and tabletop drills.

Jan 26, 2026 • 34min
#269 - Changing Third Party Risk Management (with Nate Lee)
Nate Lee, a former CISO and founder of TrustMind who builds smarter third-party risk tools. He talks about why bloated questionnaires slow deals and miss real risk. He explores automating assessments, using AI to surface meaningful gaps, and tailoring questions to data sensitivity. He highlights pushing vendors to fix critical controls and tracking commitments after contract signing.

Jan 19, 2026 • 46min
#268 - Zero Trust isn't a product (with George Finney)
Everyone talks about Zero Trust — but very few organizations actually know how to implement it successfully.
In this episode of CISO Tradecraft, host G. Mark Hardy is joined by George Finney, a practicing CISO who literally wrote the book on Zero Trust and has implemented it in one of the most challenging environments imaginable: higher education.
Together, they break down:
- Why Zero Trust is a strategy, not a product
- Why most Zero Trust initiatives fail due to people and politics, not technology
- How attackers exploit trust and lateral movement
- How to implement Zero Trust without destroying culture or productivity
- What changes when AI enters the trust model
- Why AI is effectively “100% trust” — and how to reduce the blast radius
- How CISOs should explain Zero Trust and AI risk to the board
George also shares practical analogies (including his now-famous restaurant model for AI) that make Zero Trust and AI security understandable for executives, IT teams, and non-technical leaders alike.
If you’re serious about:
- Preventing breaches instead of just responding to them
- Limiting lateral movement
- Securing AI-driven systems
- Turning Zero Trust from buzzword into business strategy
👉 This episode is a must-watch.
George's Books:
Rise of the Machine: https://www.amazon.com/Rise-Machines-Project-Trust-Story/dp/1394303718
Project Zero Trust: https://www.amazon.com/Project-Zero-Trust-Strategy-Aligning/dp/1119884845/


