

CISO Tradecraft®
G Mark Hardy & Ross Young
You are not years away from accomplishing your career goals, you are skills away. Learn the Tradecraft to Take Your Cybersecurity Skills to the Executive Level. © Copyright 2025, National Security Corporation. All Rights Reserved
Episodes

Dec 12, 2022 • 43min
#108 - Show Me The Money (with Nick Vigier)
There are a lot of things you need to know as a CISO, but one of the least taught is budgeting best practices. On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic. His conversation focuses on spends vs. investments. Remember: spends = overhead, whereas investments = growth. Here's a great point:
[10:00] There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or things that I like to think about is the business has a limited appetite for risk management, but they have infinite appetite for profits and making money.
So if you're able to frame them as how they're actually going to help accelerate the business or improve the business that brings the CEO and the CFO along on the journey, that you're not just there to lock the doors, you might actually be there to help put another floor on the building and that's a very different conversation.
We also thank our sponsor Nucleus Security for supporting this episode.
Full Transcript: https://docs.google.com/document/d/1nURiml3BJFnszFRA8qov1CgO_VkDFaCY

Dec 5, 2022 • 43min
#107 - Consolidating Vulnerability Management (with Jeff Gouge)
Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management. We also thank our sponsor Nucleus Security for supporting this episode.
Consistently tracking and prioritizing vulnerabilities is a difficult problem. This episode talks about it in detail and helps you increase your understanding in:
Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so many
How CVSS base scores are actually calculated, so you can understand their strengths and weaknesses
How Threat Intelligence Data improves CVSS scoring
Knowing which vulnerabilities are being actively exploited by bad actors through the CISA Known Exploited Vulnerabilities Catalog
Knowing which vulnerabilities are being exploited in your industry or organization
Knowing how the Exploit Prediction Scoring System (EPSS) can predict which vulnerabilities will be exploited soon
Learning about the Stakeholder-Specific Vulnerability Categorization Guide (SSVC)
Note a Full Transcript of this podcast can be found here:
https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/

Nov 28, 2022 • 30min
#106 - How to Win Your First CISO Role
Are you ready to win your first CISO role? Apply these techniques to your resume and interview process so that both recruiters and hiring managers will offer you the job. This show focuses on:
Highlighting the Different Types of CISO Roles
Showing how to progress from a Senior Director Role into a Fortune 100 CISO
Resume Tricks and Tips that get you noticed by recruiters
How to have a great interview with a recruiter
What Hiring Managers want to see from CISOs during their interviews
Please note the full show transcript can be found here
https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn

Nov 21, 2022 • 49min
#105 - Start Me Up (with Bob Cousins)
Would you like to hear a master class on what technology professionals need to know about startups? On this episode, Bob Cousins stops by to share his knowledge and experience of working in technology companies, dealing with founders, and partnering with venture capitalists. Listen and learn more about:
What should a technology professional know about venture capital and dealing with venture capitalists?
What is the role of marketing?
What do engineers get wrong with helping businesses create profitable growth?
What is the value of a product?
Subscribe to the CISO Tradecraft LinkedIn Page

Nov 14, 2022 • 45min
#104 - Breach and Attack Simulation (with Dave Klein)
Special Thanks to our podcast sponsor, Cymulate.
On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:
Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For example, Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster, and create more opportunities for misconfigured code at scale.
Breach and Attack Simulation tooling addresses these three digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, and Threat Exposure Management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:
Managing organizational cyber-risk end to end
Rationalizing security spend
Prioritizing mitigations based on validated risks
Protecting against the latest threats in near real-time
Preventing environmental drift
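The misconfiguration-at-scale point above is where a preventive control earns its keep: every Terraform plan can be checked for the same small set of dangerous settings before it is applied, and the same check catches drift when rerun against a refreshed plan. Here is an added Python example (not from the episode or from Cymulate) that walks the JSON document `terraform show -json` emits for a plan and flags a public S3 ACL, an admin port open to the world, and a publicly reachable or unencrypted RDS instance. The plan JSON is constructed for this example and the three rules are illustrative; in practice a policy engine such as OPA or Checkov carries a far larger rule set.

```python
"""Flag common AWS misconfigurations in a `terraform show -json <planfile>` document.

Added example for this page; SAMPLE_PLAN below is constructed, not a real plan.
"""
import json
from typing import Iterator

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
ANY_CIDR = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def walk_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource, descending into nested modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an ingress rule reaches `port`; protocol -1 or range 0-0 means all ports."""
    lo, hi = rule.get("from_port") or 0, rule.get("to_port") or 0
    if rule.get("protocol") in ("-1", "all") or (lo == 0 and hi == 0):
        return True
    return lo <= port <= hi


def check_resource(res: dict) -> list[tuple[str, str, str]]:
    """Return (address, rule_id, message) findings for one planned resource."""
    addr, rtype = res["address"], res["type"]
    values = res.get("values") or {}        # null when values are unknown until apply
    findings = []

    if rtype == "aws_s3_bucket" and values.get("acl") in PUBLIC_ACLS:
        findings.append((addr, "S3_PUBLIC_ACL",
                         f"bucket ACL '{values['acl']}' grants access outside the account"))

    if rtype == "aws_security_group":
        for rule in values.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if cidrs & ANY_CIDR:
                exposed = sorted(p for p in ADMIN_PORTS if rule_covers_port(rule, p))
                if exposed:
                    findings.append((addr, "SG_ADMIN_PORT_OPEN_TO_WORLD",
                                     f"ports {exposed} reachable from any address"))

    if rtype == "aws_db_instance":
        if values.get("publicly_accessible"):
            findings.append((addr, "RDS_PUBLIC", "database instance is publicly accessible"))
        if values.get("storage_encrypted") is False:
            findings.append((addr, "RDS_UNENCRYPTED", "storage encryption is disabled"))
    return findings


def scan_plan(plan_json: str) -> list[tuple[str, str, str]]:
    """Scan a whole plan document and return all findings."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [f for res in walk_resources(root) for f in check_resource(res)]


# Constructed plan: two buckets, two security groups, and a database in a child module.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
             "values": {"bucket": "example-logs", "acl": "public-read"}},
            {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "name": "data",
             "values": {"bucket": "example-data", "acl": "private"}},
            {"address": "aws_security_group.bastion", "type": "aws_security_group", "name": "bastion",
             "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                     "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
            {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
             "values": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                     "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        ],
        "child_modules": [{"address": "module.db", "resources": [
            {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance", "name": "main",
             "values": {"engine": "postgres", "publicly_accessible": True, "storage_encrypted": False}},
        ]}],
    }},
})

if __name__ == "__main__":
    for addr, rule_id, msg in scan_plan(SAMPLE_PLAN):
        print(f"{rule_id:28} {addr}: {msg}")
```

Wire `scan_plan` into the pipeline step that runs after `terraform plan -out=tfplan && terraform show -json tfplan`, and fail the job on any finding; the HTTPS security group and the private bucket pass, which is the check that keeps the gate credible with developers.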
Welcome back listeners and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.
Starting from the beginning: what is Breach and Attack Simulation software and why is it needed? At the end of the day, most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public-facing websites to sell products and services. Each of these activities results in organizational assets, such as IT equipment, that have internet connectivity. Now, internet connectivity isn't a bad thing. Remember, internet connectivity allows companies to generate income, which allows the organization to exist. That income goes to funding expenses like the cyber organization, so it is a good thing.
If bad actors with the intent and capability to cause your company harm can find your company's internet-connected assets that have vulnerabilities, then you have a risk to your organization. Enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. You will also hear the term Cyber Asset Attack Surface Management (CAASM), and the related Continuous Threat Exposure Management (CTEM). Essentially these are the latest evolution of vulnerability management tooling and process, with the additional benefit of ingesting data from multiple sources. They are designed to address key questions such as:
How do we get an inventory of what we have?
How do we know our vulnerabilities? and
How do we know which vulnerabilities might be exploited by threat actors?
Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note Breach and Attack Simulation software overlaps with

Nov 7, 2022 • 45min
#103 - Listening to the Wise (with Bill Cheswick)
Have you ever met someone so interesting that you just sat and gave them your full attention? On this episode of CISO Tradecraft, Bill Cheswick comes on the show. Bill talks about his 50 years in computing: working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses. He also co-authored the first book on Internet security. So listen in and enjoy.
Also special thanks to our sponsor, Obsidian Security. You can learn more about them at: https://www.obsidiansecurity.com/sspm/

Oct 31, 2022 • 39min
#102 - Mentorship, Sponsorship, and A Message to Garcia
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and, in doing so, improve yourself as well). Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work. Today we're going to give you a template for creating a personal development plan you can use with your team. I also want to introduce you to a booklet that I keep on my desk. It was written in 1899. Do you have any idea what it might be? Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own.
Let's take a moment to hear from today's sponsor Obsidian Security.
Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves. But success shouldn't be a secret. As Tony Robbins said, "success leaves clues." One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship. But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen. Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.
Definitions
Let's start with what a mentor is. The dictionary definition is "an experienced and trusted adviser." My definition is that it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé. Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids. You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.
Mentor
Let's talk about the who, what, when, why, and how of being a mentor. The WHO part is someone with experience and wisdom willing to share insights. Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom should you meet and why.
The WHEN portion of mentoring is usually a condition of the type of relationship. A traditional one-on-one mentor relationship may be established formally or informally. We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor. I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly. Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth. [Irish whiskey story]
The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance. Mentoring is not like doing the dishes where anyone can do a competent job. It requires empathy, communication skills, wisdom, and time commitment. I'm at the point in my life and career where I actively try to help others who are not as old as I am. Many times, that's appreciated, but some people seem to pref

Oct 24, 2022 • 40min
#101 - SaaS Security Posture Management (with Ben Johnson)
Special Thanks to our podcast sponsor, Obsidian Security.
We are really excited to share today’s show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show so please stick around and enjoy. First let’s go back to the basics:
Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions:
How many clouds are we in?
What data are we sending to the cloud to help the business?
How do we know the cloud environments we are using are properly configured?
Let’s walk through each of these questions to understand the cyber risks we need to communicate to the business as well as focus on one Cloud type that might be forecasting a major event. First let’s look at the first question.
How many clouds are we in? It's pretty common to find organizations that still host data in on-premises data centers. This data is also likely backed up to a second location in case a disaster knocks out the main location. For example, if you live in Florida you can expect hurricanes, and when one hits, the data center may lose power and internet connectivity. Therefore it's smart to have a backup location somewhere else that would be unlikely to be affected by the same regional event. We can think of our primary data center and our backup data center as an on-premises cloud. That is the first cloud we encounter.
The second cloud we are likely to encounter is external. Most organizations have made the shift to using Cloud Computing Service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises. Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations you are in what is known as a hybrid cloud environment. If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment. Notice the difference between terms. Hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a Common Cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms. Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings.
So let's say your organization uses on-premises and AWS, but not Azure or GCP. Does that mean you only have two clouds? Probably not. There's one more type of cloud-hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service (SaaS). Frankly, we don't hear SaaS security discussed much, which is why we are doing a deep dive on its security in this episode. We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe storm that causes an event. So let's look at SaaS security in more depth.
SaaS refers to cloud hosted solutions whereby vendors maintain most everything. They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. It can be a huge win to run SaaS soluti

Oct 17, 2022 • 33min
#100 - 7 Ways CISOs Setup for Success
References
https://github.com/cisotradecraft/Podcast
https://cisotradecraft.podbean.com/e/84-gaining-trust-with-robin-dreeke/
https://www.youtube.com/shorts/vSART2mutwc
https://www.peopleformula.com/selfmastery
https://cisotradecraft.podbean.com/e/ciso-tradecraft-roses-buds-thorns/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-how-to-compare-software/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-aligning-security-initiatives-with-business-objectives/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-promotion-through-politics/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-presentation-skills/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-avoiding-death-by-powerpoint/
https://cisotradecraft.podbean.com/e/ciso-tradecraft-partnership-is-key/
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is something special for us and we hope for you as well. It’s hard to believe it but CISO Tradecraft has been producing episodes for about two years now. This is our 100th episode! We've covered quite a bit of ground over that time, and we thought we would do a little reflection on our previous episodes and highlight seven differentiators that set World Class CISOs apart from others. So, stick around and learn these seven tips that will enable you to enhance your CISO Tradecraft and help you have a more successful career.
The first tip we want you to understand is that you must always help others to understand your viewpoints through Connection. Now there is one thing to note: the way you connect depends on the size of the audience. We observe that there are usually three different audience sizes that you will connect with: Individuals or 1:1, Small Teams (between 2 and 20), and Large Groups (more than 20).
With Individuals it's all about building the one-on-one connection. An example of folks who excel at building connections are spies. Spies have a mission to build connections with others and recruit them to share important information. Now if you go back to Episode #84, we brought Robin Dreeke on the show to talk about Building Relationships of Trust. Robin was a long time FBI agent who excelled in recruiting and turning Russian spies. In the episode, Robin talked about the key to building relationships of trust. He mentioned four key recommendations:
Seek the thoughts and opinions of others;
Talk in terms of priorities, pain poi

Oct 10, 2022 • 38min
#99 - Cyberwar and the Law of Armed Conflict (with Larry Dietz)
We bring you another episode from Naas, Ireland, speaking about cyberwar and the law of armed conflict with Larry Dietz, a retired US Army Colonel and practicing attorney. This is a follow-up to Episode 98. We cover the Tallinn Manual, discover a surprise resource on cyber conflict hosted by the Red Cross, examine which critical infrastructure might be a legitimate target, and discuss why CISOs should establish relationships with law enforcement before things go bad.
References:
https://ccdcoe.org/research/tallinn-manual/
https://www.icrc.org/en/war-and-law/conduct-hostilities/cyber-warfare
https://www.cisa.gov/critical-infrastructure-sectors
https://www.secretservice.gov/contact/ectf-fctf
https://psyopregiment.blogspot.com/


