CISO Tradecraft®

G Mark Hardy & Ross Young
May 8, 2023 • 30min

#128 - How do CISOs spend their time?

In this episode of "CISO Tradecraft," G. Mark Hardy defines the role of a CISO and discusses the Top 10 responsibilities of a Chief Information Security Officer.

Full Transcript: https://docs.google.com/document/d/1J_sCMkqEeIB7pUY4KmjCiS1sz7t6LX2F

Chapters
00:00 Introduction
01:25 Defining the Role of the CISO
04:43 1) Developing and implementing a cybersecurity strategy
07:27 2) Overseeing the organization's cybersecurity key programs and initiatives
08:20 3) Ensuring that the organization's cybersecurity policies and procedures are up-to-date and in compliance
10:44 4) Collaborating with other departments and teams
12:06 5) Developing and implementing a cybersecurity budget
14:21 6) Maintaining a high level of awareness about emerging cybersecurity threats, vulnerabilities, and technologies
15:29 7) Building and maintaining relationships with external partners and networking groups
18:07 8) Providing education, guidance, and support to the organization's employees
21:34 9) Leading and managing a team of cybersecurity professionals
24:10 10) Conducting regular risk assessments
May 1, 2023 • 49min

#127 - How to Stop Bad Guys from Staying on Your Network (with Kevin Fiscus)

In this episode of CISO Tradecraft, G Mark Hardy and guest Kevin Fiscus discuss the challenges of cybersecurity and the importance of prioritizing security decisions. Fiscus emphasizes the need for effective protective controls and detection measures, as well as the limitations of protective controls and the importance of detection. He suggests a "Detection Oriented Security Architecture" (DOSA) that includes high-fidelity, low-noise detection, automated response, and continuous monitoring. Fiscus also discusses the concept of cyber deception and proposes a new approach to cybersecurity that involves redirecting attackers to a decoy environment.

Kevin Fiscus: https://www.linkedin.com/in/kevinbfiscus/
Full Transcripts: https://docs.google.com/document/d/1zIph4r5u8UtuhsMSmIyi90bCtV52xnHv

Chapters
00:00 Introduction
04:55 The Average Time to Identify Bad Actors is 28-207 days
07:11 Why Protective Controls Don't Always Work
08:32 Protective Controls Create Resistance
10:34 The Cost of Detecting Bad Guys on Your Network
12:40 The Effects of Resistance on Protective Controls
15:56 The Problem with False Positive Alerts
20:08 How to Define Bad Guy Activity with 100% Accuracy
22:09 The Four Components of Security
24:14 Four Components of Detection Oriented Security Architecture (DOSA)
26:17 Differentiating between Monitoring & Alerting
27:13 High Fidelity and Low Fidelity Alerts
33:06 Setting a Squelch for Radios
31:37 How to Deal with False Negatives
33:56 The Importance of Non Production Resources in Detection
37:56 How to Use Cyber Trapping to Deceive an Attacker
42:54 The Role of Environment Variability in Deception
47:08 Blowing Sunshine at Attackers
Apr 24, 2023 • 43min

#126 - ChatGPT & Generative AI (with Konstantinos Sgantzos)

Have you heard about the latest trends in Generative Artificial Intelligence (GAI)? Listen to this episode of CISO Tradecraft to learn from Konstantinos Sgantzos and G Mark Hardy as they talk about the potential risks of GAI and how it generates new content.

Show Notes with Links: https://docs.google.com/document/d/10eCg3L00GgnHmze14g_JUkBbfHEdGZ8HW0eAGMk4PPE

Chapters
00:00 Introduction
01:37 The Future of Generative Artificial Intelligence (GAI)
06:08 The Implications of Hallucination in Generative AI
09:06 Hallucination Trivia Test for Large Language Models
10:48 The Consequences of Using Generative AI Models
12:39 The Importance of Education in Cybersecurity
14:45 The Future of Generative AI
16:17 The Importance of Understanding Large Language Models
19:47 The Differences Between Eliza and Machine Learning
24:26 How to Armorize Generative AI
29:39 The Future of Programming
31:23 The Future of Machines
33:53 The Future of Technology
37:52 The Future of CISOs
40:25 The Future of Generative AI
Apr 17, 2023 • 44min

#125 - Cyber Ranges (with Debbie Gordon)

Are you worried about cyber threats and data breaches? Do you want to build a strong cybersecurity program to protect your organization? Look no further! In this episode of CISO Tradecraft, G Mark Hardy and Debbie Gordon discuss the three dimensions of an effective Information Security Management System: Policy, Practice, and Proof. G Mark emphasizes the importance of having a proper cybersecurity policy that references information security controls or outcome-driven statements. However, it's not enough to have policies on paper; organizations need to practice what's on paper to be prepared for cyber events. This is where ranges come in. Ranges are a full replica of an enterprise network with real tools, traffic, and malware. They allow teams to practice detecting and responding to attacks in a safe environment.

Debbie Gordon, founder of Cloud Range, explains how ranges can help organizations accelerate experience and reduce risk in cybersecurity. She emphasizes the importance of educating an organization's user base to become the first and last lines of defense against cyber threats. By training non-technical executives to spot suspicious activity and bring it to the attention of the security team, organizations can minimize the damage caused by phishing attacks, ransomware, and other cyber threats. Gordon also highlights the importance of team training in cybersecurity because it's not just about individual skills, but also about how teams work together to respond to threats. By practicing together in a range environment, organizations can improve their processes, handoffs, and speed in detecting and responding to attacks.

Special thanks to our sponsor Cloud Range Cyber for supporting this episode.
Website: www.cloudrangecyber.com
Email: info@cloudrangecyber.com
Full Transcripts: https://docs.google.com/document/d/1yWenwauzfAiQYafFW0Iew33vbzvlO2BO

Chapters
00:00 Polished Security Programs need Policy, Practice, and Proof
00:54 Policy
02:47 Practice
03:44 Proof
04:28 How to Apply the Concepts of Ranges to Help Organizations
06:05 The Importance of Experiential Learning
07:48 The Importance of Following Procedures
12:12 The Benefits of Team Training for Cyber Ranges
15:33 The Importance of Muscle Memory
20:22 How to Maximize Your Investment in Cybersecurity (KPIs & Measurable Results)
24:33 The Advantages of Using the MITRE ATT&CK® Framework
27:41 The Advantages of Following ISO Standards
31:36 How to Improve Your Cloud Range Exercises
33:22 How to Use Cognitive Aptitude Assessments for Workforce Development
37:44 How to Level the Playing Field for Cyber Talent
Apr 10, 2023 • 45min

#124 - Simple, Easy, & Cheap Cybersecurity Measures (with Brent Deterding)

Are you concerned about the security of your data? If so, you're in luck, because we have an incredible episode in which Brent Deterding discusses how to implement simple, easy, and cheap cybersecurity measures. One of the key takeaways from the episode is the importance of understanding, managing, and mitigating the risk of critical data being exposed, altered, or denied. Brent Deterding shares his top four tips for CISOs, which include implementing multi-factor authentication, device posture management, endpoint detection and response, and external patching. He emphasizes the importance of keeping things simple, easy, and cheap. Overall, the episode emphasizes the importance of taking a proactive approach to cybersecurity and being prepared for potential cyber threats. Brent Deterding also shares his approach to reducing risk for his company when negotiating with underwriters. Remember, significant risk reduction is simple, easy, and cheap, so don't wait to implement these tools and strategies.

10 Immutable Laws of Security: https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security
Transcripts: https://docs.google.com/document/d/1eP7F8pD3kcrbja2sfSwSKGnJ-ADHviUt

Chapters:
00:00 Introduction
02:05 How to Protect Your Organization's Critical Data
01:43 Scenario of Protecting a Small Company
08:01 The 10 Immutable Laws of Security
14:26 Tips for CISOs
15:30 Simple, Easy, & Cheap is a Technology State
19:00 How Much Do You Care About Phishing Problems?
20:46 How to Be Successful at RSA?
26:00 How to Enable the Business without Reducing Friction?
28:37 How to Adopt the Australian Essential 8
31:06 Team Platform vs Best of Breed
33:00 Those with a Fear of Vendor Lock-in Are Retired
36:36 How to Save Money on Cyber Insurance
38:27 How to Implement the Four Hills Strategy (MFA, EDR, Device Posture Management, & Patch Management)
40:57 How to Negotiate Effectively With Insurance Companies
42:48 Getting Material Risk Reduction is Simple, Easy, and Cheap
Apr 3, 2023 • 37min

#123 - Accepted Cyber Strategy (with Branden Newman)

In this episode of "CISO Tradecraft," G Mark Hardy discusses how to build an effective cyber strategy that executives will appreciate. He breaks down the four questions (Who, What, Why, and How) that need to be answered to create a successful strategy and emphasizes the importance of understanding how the company makes money and what critical business processes and IT systems support the mission. Later in the episode, Branden Newman shares his career path to becoming a CISO and his approach to building an effective cyber strategy. Newman stresses the importance of communication skills and the ability to influence people as the most critical skills for a CISO. He also shares his advice on how to effectively influence executives as a CISO.

Full Transcripts: https://docs.google.com/document/d/1nFxpOxVl6spkK-Y8GLU5q2f6R_4VD-a2

Chapters:
00:00 Introduction
01:06 The Four Questions (Who, What, Why, and How)
08:11 Building an Accepted Cyber Strategy
09:19 Importance of Communication Skills for a CISO
10:19 Understanding Financial Statements
12:47 Following the Money
14:09 Reputation and Cybersecurity
15:24 Getting Executive Buy-in into Cybersecurity
15:57 Building Trust with Executives
16:45 Security Enables New Elements of Business
17:13 Why Cybersecurity Gets Ignored
20:07 Framing Cybersecurity as a Competitive Advantage
21:19 Mistakes CISOs Make When Communicating with Executives
22:54 Telling Stories to Communicate with Executives
24:09 Using Business Cases and Examples
27:28 The Importance of Listening to the Executives
29:31 Making Informed Risk-Based Decisions
30:54 Building Trust and Champions
32:55 Building a Network of Trust
35:13 Being Pragmatic
Mar 27, 2023 • 44min

#122 - Methodologies for Analysis (with Christopher Crowley)

Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out, so tune in.

Analysis of Competing Hypotheses: https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
Christopher Crowley's Company: https://montance.com/
Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr

Chapters
00:00 Introduction
02:30 The Morris Worm and the Internet
04:17 The Future of Cybersecurity
06:41 How to Set Up a Shared Drive for Multitasking
10:26 The Evolution of Career Paths
12:02 The Importance of Methodology in Problem Solving
14:16 The Importance of Hypotheses in Cybersecurity
19:58 MITRE ATT&CK® Framework: A Two Dimensional Array
21:54 The Importance of a Foregone Conclusion Methodology
23:29 The Disruptor's Role in Hypothesis Brainstorming
25:18 The Importance of Resilience in Leadership
27:45 Methodologies and Threat Hunting
29:21 The Importance of Information Bias in Threat Hunting
34:31 How to Sort Hypotheses in a Spreadsheet
37:22 The Importance of Refining the Matrix
40:34 How to Automate Analysis of Competing Hypotheses
Mar 20, 2023 • 38min

#121 - Legal Questions (with Evan Wolff)

Have you ever wanted to get a legal perspective on cybersecurity? On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others. He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general counsel. Please enjoy.

Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh

Chapters
00:00 Introductions
01:52 The Attorney Client Privilege
04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
06:30 CISO Disclaimer
09:23 Security Is a Component of Government Contracts
11:59 What Are the Borders Between Information Security and Legal Risk
15:31 Cyber Security - Is There a Standard of Care?
18:11 Do You Have a Reasonable Best Effort?
21:27 CMMC 2.0
26:22 Is Your Privacy Policy Going to Expire?
28:30 What Is Reasonable Assurance?
33:41 Advice for Partnering with the General Counsel
Mar 13, 2023 • 40min

#120 - Negotiating Your Best CISO Package (with Michael Piacente)

Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation package. Examples include but are not limited to:
- Base Salary
- Bonuses (Annual, Relocation, & Hiring)
- Restricted Stock Units
- Annual Leave
- Title (VP or SVP)
- Directors & Officers Insurance
- Accelerated Vesting Clauses
- Severance Agreements

You can learn more about CISO compensation by Googling any of the following compensation surveys:
- Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
- Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
- IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...

Full Transcripts: https://docs.google.com/document/d/1e...

Chapters:
00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
11:44 Is There a Signing Bonus?
13:56 What's the Difference Between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should You Counter an Offer?
28:17 Corporate Liability Insurance
29:50 Do You Want to Be Extended on the Director and Officer Insurance Policy?
32:56 How to Negotiate a Severance Agreement
36:00 Compensation Survey Reports
Mar 6, 2023 • 41min

#119 - Ethics (with Stephen Northcutt)

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in. Sometimes ethical stances are clear and you know you are doing what's right. Others are blurry, messy, and really weigh on your mind. So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally the federal case in which Joe Sullivan, the former Chief Security Officer of Uber, was convicted of federal charges for covering up a data breach. Thanks to Stephen Northcutt for coming on today's show.

Full Transcript: https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9

Chapters
00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do You Have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and Say You Are Wrong
27:40 CISOs and CISOs - Is This a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO