CISO Tradecraft®

G Mark Hardy & Ross Young
Jul 25, 2022 • 47min

#88 - Tackling 3 Really Hard Problems in Cyber (with Andy Ellis)

On this episode of CISO Tradecraft, Andy Ellis from Orca Security stops by to talk about three really hard problems that CISOs have struggled with for decades: How do we build a phishing program that works? How do we build a third-party risk management program that isn't a paper exercise? How do we actually get good at patch management?

Stick around for some great answers, such as:
- Human error is a system in need of redesign.
- How do we put every employee on an island protected from the company?
- If we stopped doing this practice/process, how would the world be different?
- What data/transactions does this third party have access to?
- What are all of the dangerous things customers can do in their configurations that my organization needs to know about?
- What if we turned on auto-patching for the desktop?
- What if we set SLA tripwires to alert senior leaders when their developers are unable to meet patching timelines?

References: Vulnerabilities Don't Count (Link)
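One concrete way to build the "SLA tripwire" the episode asks about is to compute, for every open finding, how far it is past its remediation deadline and route it to a leadership tier that depends on how overdue it is. The script below is an added example for this page, not code from the episode, its guests, or Orca Security. The SLA days per severity, the escalation tiers, and the sample findings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLA in days by severity (illustrative values, not from the episode).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed escalation tiers: (days past SLA, who gets alerted). The highest matching tier wins.
ESCALATION = [(0, "team lead"), (7, "director"), (30, "CISO")]


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # placeholder identifier, not a real CVE
    severity: str
    first_seen: date  # date the scanner first reported it
    fixed: bool = False


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA deadline; negative means the finding is still inside SLA."""
    deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
    return (today - deadline).days


def escalation_level(overdue: int) -> Optional[str]:
    """Map days-past-SLA to the leadership tier that should be alerted, or None if inside SLA."""
    if overdue < 0:
        return None
    level = None
    for threshold, who in ESCALATION:
        if overdue >= threshold:
            level = who  # tiers are ascending, so the last match is the highest tier
    return level


Row = Tuple[str, str, str, int]


def tripwire_report(findings: List[Finding], today: date) -> Dict[str, List[Row]]:
    """Return {tier: [(host, vuln_id, severity, days_overdue), ...]} for open, past-SLA findings.

    Fixed findings and findings still inside SLA are excluded; each tier's rows are
    sorted most-overdue first so the worst offenders lead the alert.
    """
    report: Dict[str, List[Row]] = {}
    for f in findings:
        if f.fixed:
            continue
        od = days_overdue(f, today)
        who = escalation_level(od)
        if who is None:
            continue
        report.setdefault(who, []).append((f.host, f.vuln_id, f.severity, od))
    for rows in report.values():
        rows.sort(key=lambda r: -r[3])
    return report


# Constructed sample inventory, as a scanner export might look after parsing.
SAMPLE_TODAY = date(2022, 7, 25)
SAMPLE_FINDINGS = [
    Finding("web-01", "V-1", "critical", date(2022, 7, 1)),             # 17 days past a 7-day SLA
    Finding("web-02", "V-2", "high", date(2022, 5, 1)),                 # 55 days past a 30-day SLA
    Finding("db-01", "V-3", "medium", date(2022, 6, 1)),                # still inside a 90-day SLA
    Finding("app-03", "V-4", "critical", date(2022, 7, 15)),            # 3 days past a 7-day SLA
    Finding("app-04", "V-5", "high", date(2022, 4, 1), fixed=True),     # remediated, ignored
]

if __name__ == "__main__":
    for tier, rows in tripwire_report(SAMPLE_FINDINGS, SAMPLE_TODAY).items():
        print(f"ALERT {tier}:")
        for host, vuln_id, severity, od in rows:
            print(f"  {host} {vuln_id} ({severity}) is {od} days past SLA")
```

The point of the tier table is that the alert goes up the chain only as the breach ages, so a single missed deadline reaches the team lead while a finding a month past SLA reaches the CISO without anyone having to forward it by hand.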
Jul 18, 2022 • 44min

#87 - From Hunt Team to Hunter (with Bryce Kunz)

On this episode of CISO Tradecraft, Bryce Kunz from Stage 2 Security stops by to discuss how offensive cyber operations are evolving. Come and learn how attackers are bypassing MFA and EDR solutions to target your cloud environment. You can also hear what Bryce recommends to beat the bear that is ransomware.

References:
- How Attackers Bypass MFA with Evilginx 2 (Link)
- Stage 2 Security Black Hat Course (Link)
Jul 11, 2022 • 45min

#86 - The CISO MindMap (with Rafeeq Rehman)

This episode features Rafeeq Rehman. He discusses the need for a CISO MindMap and 6 focus areas for 2022-2023:
1. Re-evaluate ransomware defenses, detection and response capabilities; perform a business impact analysis and identify critical processes, applications and data.
2. Reduce/consolidate security tools/technologies and vendors. More tools don't necessarily reduce risk but do add the need for maintaining expertise on security teams.
3. To serve your business better, train staff on business acumen, value creation, influencing and human experience.
4. Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
5. Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.
6. Maintain a centralized risk register. Even better: integrate it into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.

Links:
- CISO MindMap (Link)
- CISO MindMap 2022 Recommendations (Link)
- Information Security Leaders Handbook (Link)
- Cybersecurity Arm Wrestling (Link)
Jul 4, 2022 • 44min

#85 - The Fab 5 Security Outcomes Study (with Helen Patton)

On this episode of CISO Tradecraft, we feature Helen Patton. Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.
- Is technical acumen needed for CISOs?
- Surviving organizational politics (34:45)

Helen discusses The Fab 5 Security Outcomes study.
- Volume 1 Study (Link)
- Volume 2 Study (Link)
Jun 27, 2022 • 46min

#84 - Gaining Trust (with Robin Dreeke)

On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula. Robin is the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate.

Robin highlights 4 Pillars of Communicating:
- Seek the thoughts and opinions of others.
- Talk in terms of the priorities, pain points, and challenges of others.
- Use nonjudgmental validation (i.e., seek to understand others without judging).
- Empower others with choice and give them the cause and effect of each choice.

To learn more about Robin's way of thinking you can check out his podcast and books:
- Forged By Trust Podcast
- Sizing People Up
- The Code of Trust
- It's Not All About Me
- The People Formula Workbook 2.0: Communication Style Inventory
Jun 20, 2022 • 48min

#83 - Cyber Defense Matrix Reloaded (with Sounil Yu)

This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware blast radius by performing a free ransomware readiness assessment (Link).

On this episode, Sounil Yu continues his discussion about his new book ("Cyber Defense Matrix"). Listen to learn more about:
- Pre-Event Structural Awareness vs Post-Event Situational Awareness
- Environmental vs Contextual Awareness
- Understanding Security Handoffs
- Rationalizing Technologies
- Portfolio Analysis
- Responding to Emerging Buzzwords (Zero Trust and SASE)
Jun 13, 2022 • 51min

#82 - Cyber Defense Matrix (with Sounil Yu)

This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware blast radius by performing a free ransomware readiness assessment (Link).

This episode of CISO Tradecraft features Sounil Yu talking about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth. We discuss how the Cyber Defense Matrix can be used for:
- Capturing & Organizing Measurements & Metrics
- Developing a Cyber Security Roadmap
- Gaining Greater Situational & Structural Awareness
- Understanding Organizational Responsibilities & Handoffs
- Rationalizing Technologies & Finding Investment Opportunities
- Deciphering the Latest Industry Buzzword

You can purchase Sounil's new book here (Link).
Jun 6, 2022 • 41min

#81- Career Lessons from a CISO (with John Hellickson)

On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO. Listen and learn about:
- The evolving role of the CISO
- How John got started as a CISO
- What a Field CISO is and how it differs from a traditional CISO role
- Tips on getting your career to the next level by attending the right conferences and getting an executive coach
- How to get business alignment
- How the Security Advisor Alliance is helping the next generation of cyber talent
May 30, 2022 • 44min

#80 - Breaking Backbones (with Deb Radcliff)

A respected journalist focusing on cybersecurity and our community of people for over 25 years, Deb Radcliff remains a trusted information source who checks and double-checks her sources before publication, a refreshing change from the low-signal, high-noise world of social media. In this episode, we discuss where CISOs might turn for accurate information, how the industry has evolved in complexity, and take a look at the first of three fictional novels she's writing about a future world where hackers take on an oppressive digital state. What is really interesting is her explanation of how she went from book idea to published reality. "Breaking Backbones: Information is Power" may be purchased from the following Amazon Link.
May 23, 2022 • 39min

#79 - Addressing the Top CEO Concerns

On this episode of CISO Tradecraft we talk about the Top 10 areas of concern for the C-suite about ransomware. Note you can read the full ISC2 study here (Link).

Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware:
- Increase communication and reporting to leadership.
- Temper overconfidence as needed.
- Tailor your message.
- Make the case for new staff and other investments.
- Make clear that ransomware defense is everyone's responsibility.
