CISO Tradecraft®

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception. Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325 Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre Chapters 00:00 Introduction 02:00 Guest's Career Journey and Achievements 08:49 Discussion on Cybersecurity First Principles 15:27 Understanding Materiality in Cybersecurity 21:56 The Gap Between Security Teams and Business Leaders 22:21 The Importance of Speaking the Language of Business 23:03 The Art of the Elevator Pitch 24:04 The Impact of Cybersecurity on Business Value 25:10 The Importance of a Clear Cybersecurity Strategy 26:04 The Value of Business Fluency in Cybersecurity 27:44 The Role of Risk Calculation in Cybersecurity 29:41 The Power of Estimation in Risk Management 30:33 The Importance of Understanding Business Imperatives 41:25 The Role of Culture and Risk Appetite in Cybersecurity 45:39 The First Principle of Cybersecurity

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams. Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/ Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb Chapters 00:00 Introduction 00:23 Understanding Cybersecurity Apprenticeships 02:43 The Role of Mentorship in Cybersecurity 04:09 The Benefits of Cybersecurity Apprenticeships 07:17 The Evolution of Apprenticeships in the Tech Industry 10:00 The Value of Apprenticeships in Building Loyalty 11:08 The Difference Between Internships and Apprenticeships 15:32 The Role of Apprenticeships in Addressing the Skills Shortage 19:15 The Challenges of Implementing Apprenticeships 26:28 The Future of Cybersecurity Apprenticeships 44:32 Conclusion: The Value of Cybersecurity Apprenticeships

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity.  References: https://www.watchguard.com/wgrd-news/blog/decrypting-cybersecurity-acronyms-0 https://computerhistory.org/profile/john-mccarthy/ https://owasp.org/www-community/Threat_Modeling_Process#stride https://attack.mitre.org/att&ck  https://d3fend.mitre.org/ https://fourcore.io/blogs/mitre-attack-mitre-defend-detection-engineering-threat-hunting   https://cars.mclaren.com/us-en/legacy/mclaren-p1-gtr https://csrc.nist.gov/glossary/term/confidentiality https://csrc.nist.gov/glossary/term/integrity https://csrc.nist.gov/glossary/term/availability https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services https://www.nytimes.com/2006/06/30/washington/va-laptop-is-recovered-its-data-intact.html https://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/ https://apps.dtic.mil/sti/tr/pdf/ADA221814.pdf  Transcripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH Chapters 00:00 Introduction 01:34 Cybersecurity Acronyms: Pre-1990s 02:26 STRIDE and DREAD Models 02:39 PICERL and MITRE Models 05:04 Defining Cybersecurity 07:52 CIA Triad and Its Importance 09:00 Confidentiality, Integrity, and Availability 11:52 The Parkerian Hexad 17:30 D.I.E. Triad Concept 24:28 Cybersecurity UPDATE 24:51 Unchanging 25:46 Perimeterizing 29:36 Distributing

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts. Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr  Chapters 00:00 Introduction 00:50 Guest's Background and Journey 05:27 Discussion on Security Data Pipeline 07:19 Introduction to SOAR 08:01 Benefits and Challenges of SOAR 12:40 Guest's Current Work and Company 14:04 Security Data Pipeline Modernization 22:20 Discussion on Vendor Integration 29:09 Security Pipeline Approach and AI 38:03 Closing Thoughts and Future Directions

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures. CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/ OWASP Benchmark - https://owasp.org/www-project-benchmark/ Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo Chapters 00:12 Introduction 00:56 The Lie of Accurate Inventory 05:29 The Lie of Accurate Risk Assessment 08:41 The Lie of Shifting Left in DevSecOps 13:45 The Lie of Certifications Ensuring Security 18:33 The Lie of Reporting Cyber Incidents in 72 Hours 20:44 The Lie of Accurate Application Security Tools 22:07 The Lie of Cybersecurity Not Being a Cost Center 24:44 Conclusion and Recap of Cybersecurity Lies 

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more.    Link to the ORF - https://www.grf.org/orf Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i Chapters 00:12 Introduction 01:47 Introduction to Operational Resilience Framework 02:38 Understanding Resilience and Antifragility 03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity 09:43 Operational Resilience Framework: Steps and Principles 17:50 Preserving Datasets and Implementing Recovery Processes 20:18 Evaluating and Testing Your Disaster Recovery Plan 21:11 Recap of Operational Resilience Framework Steps 22:04 CISO Tradecraft Services and Closing Remarks

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge! Earn CPEs: https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R Chapters 00:00 Introduction 02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements. 05:25 2) CISO reporting structure changes. No more reporting to the CIO. 11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO. 13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries 16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession 19:44 6) AI-generated fraud will increase significantly 22:15 7) Shadow AI will result in Hidden Vulnerabilities 24:24 8) LLM attacks new vector for "AI-enabled" companies 27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur 31:44 10) Self-driving cars will encounter regulatory setback 34:02 Review of Last Year's Predictions 41:03 Actionable Items for the Future 41:29 Closing Remarks and Invitation for 2024

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation. ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx- Chapters 00:00 Introduction 01:08 Importance of Ongoing Support and Mentorship 01:46 The Role of Community in Training 03:03 Hands-on Exercises and Practical Experience 06:01 Success Stories and Testimonials 08:29 Incorporating Security Trends into Training 11:08 Balancing Security with Developer Productivity 18:17 Teaching Secure Coding Practices in Different Languages 20:27 Engaging and Motivating Participants 22:51 Promoting the Program: Engaging and Fun 23:37 Accommodating Different Learning Styles 24:16 Catering to Self-Paced Learners 26:19 Addressing Proficiency Levels and Remediation 28:55 Compliance with Privacy and Data Protection Regulations 30:48 Breaking Down Complex Security Concepts 32:05 Creating a Culture of Security Awareness 33:25 Partnerships and Collaborations in Secure Development 35:10 Feedback and Improvement of the Program 36:12 Cost Considerations for Secure Developer Training 39:20 Tracking Participants' Progress and Completion Rates 41:23 Trends in Secure Developer Training 43:42 Final Thoughts on Secure Developer Training

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Scott Russo - https://www.linkedin.com/in/scott-russo/ HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2 Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ Youtube - https://youtu.be/NkrtTncAuBA  Chapters 00:00 Introduction 03:00 Overview of Secure Developer Training Program 04:46 Motivation Behind Creating the Training Program 06:03 Objectives of the Secure Developer Training Program 07:45 Defining the Term 'Secure Developer' 14:49 Keeping the Training Program Current and Engaging 21:10 Real World Impact of the Training Program 21:46 Understanding the Cybersecurity Budget Argument 21:58 Incorporating Real World Examples into Training 22:26 Personal Experiences and Stories in Training 24:06 Industry Best Practices and Standards 24:18 Aligning with OWASP Top 10 25:53 Balancing OWASP Top 10 with Other Standards 26:12 The Importance of Good Stories in Training 26:32 Duration of the Training Program 28:37 Resources Required for the Training Program 32:23 Measuring the Effectiveness of the Training Program 36:07 Gamification and Certifications in Training 38:56 Tailoring Training to Different Levels of Experience 41:03 Conclusion and Final Thoughts  

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies. Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/ ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca CIO Wisdom Book - https://a.co/d/bmmZEAC Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs Chapters 00:00 Introduction 02:21 Building a Tactical and Strategic Plan 02:58 Assessing Your Current Cybersecurity Posture 03:11 Workforce Assessment and Rating 06:31 Understanding Your Cybersecurity Tools 08:29 Performing a Business Requirements Analysis 10:13 Defining the Desired Future State 12:03 Creating a Gap Analysis 14:14 Analyzing Current Options and Building a Roadmap 17:11 Presenting the New Plan to Management 21:36 Recap and Conclusion