CISO Tradecraft®

G Mark Hardy & Ross Young
May 16, 2022 • 45min

#78 - Business Objectives & 5 CISO Archetypes (with Christian Hyatt)

On this episode of CISO Tradecraft, Christian Hyatt from risk3sixty stops by to discuss the 3 major Business Objectives for CISOs:
- Risk Management
- Cost Reduction
- Revenue Generation

He also discusses the five CISO Archetypes:
- The Executive
- The Engineer
- The GRC Guru
- The Technician
- The Builder

References:
- The 5 CISO Archetypes Book Link
- Designing the CISO Role Link
May 9, 2022 • 47min

#77 - Countering Corporate Espionage

Chances are your organization has information that someone else wants. If it's another nation state, their methods may not be friendly or even legal. In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies. Listen now so you don't become a statistic later.

References:
- https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf
- https://nhglobalpartners.com/made-in-china-2025/
- https://www.cybintsolutions.com/cyber-security-facts-stats/
- http://www.secretservice.gov/ntac/final_it_sector_2008_0109.pdf
- http://www.secretservice.gov/ntac/final_government_sector2008_0109.pdf
- CIS Controls v8.0, Center for Internet Security, May 2021, https://www.cisecurity.org
- https://owasp.org/www-project-threat-and-safeguard-matrix/
- https://www.acq.osd.mil/cmmc/about-us.html
May 2, 2022 • 42min

#76 - The Demise of the Cybersecurity Workforce

Our career has been growing like crazy with an estimated 3.5 million unfilled cybersecurity jobs within the next few years. More certs, more quals, more money, right? The sky's the limit. But what if we're wrong? AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country. Of course, we don't WANT this, but shouldn't a wise professional prepare for possibilities? We did a ton of research looking at facts, figures, industry trends, and possible futures that might have us thinking that 2022 may have been "the good old days." No gloom-and-doom here; just an objective look with a fresh perspective, you know, just in case.
Apr 25, 2022 • 20min

#75 - Avoiding Death By PowerPoint

On this episode of CISO Tradecraft, we discuss how to avoid Death By PowerPoint by creating cyber awareness training that involves and engages listeners. Specifically we discuss:
- The EDGE method: Explain, Demonstrate, Guide, and Enable
- Escape Rooms
- Tabletop Exercises
- Polling During Presentations
- Short videos from online resources

References:
- https://blog.scoutingmagazine.org/2017/05/05/living-on-the-edge-this-is-the-correct-way-to-teach-someone-a-skill/
- http://www.inquiry.net/ideals/scouting_game_purpose.htm
- https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/

Escape Rooms:
- https://library.georgetown.org/virtual-escape-rooms/
- https://research.fairfaxcounty.gov/unlimited/escape

Tabletop Exercises:
- From GCHQ: https://www.ncsc.gov.uk/information/exercise-in-a-box
- From CISA: https://www.cisa.gov/cisa-tabletop-exercises-packages

Funny Videos on Cyber:
- https://staysafeonline.org/resource/security-awareness-episode/
Apr 18, 2022 • 43min

#74 - Pass the Passwords

On this episode of CISO Tradecraft, we focus on password security and how it's evolving. Tune in to learn about:
- Why we need passwords
- Ways consumers log in and authenticate
- How bad actors attack passwords
- How long it takes to break passwords
- Different types of MFA
- The future of passwords with conditional access policies

Infographic:

References:
- https://danielmiessler.com/blog/not-all-mfa-is-equal-and-the-differences-matter-a-lot/
- https://www.hivesystems.io/blog/are-your-passwords-in-the-green?utm_source=tabletext
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps
- https://en.wikipedia.org/wiki/RockYou
- https://cisotradecraft.podbean.com/e/ciso-tradecraft-active-directory-is-active-with-attacks/
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
Apr 11, 2022 • 47min

#73 - Wonderful Winn Schwartau

Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend for over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, looks like he's doing a Tom Brady and writing one more amazing book. **Warning Adult Language**

Winn's Website Link
Apr 4, 2022 • 48min

#72 - Logging In with SIEMs (with Anton Chuvakin)

On this episode of CISO Tradecraft, Anton Chuvakin talks about Logging, Security Information & Event Management (SIEM) tooling, and Cloud Security. Anton shares fantastic points of view on:
- How moving to the cloud is like moving to a space station (13:44)
- How you may be one IAM mistake away from a breach (20:05)
- How a SIEM is a logging-based approach, whereas EDRs require agents at endpoints. This becomes really interesting when cloud solutions don't have an endpoint to install an agent (26:53)
- Why you don't want an on-premises SIEM (32:35)
- The 3 AM Test: should you wake someone up for this alert at 3 AM? (39:24)
Mar 28, 2022 • 54min

#71 - Lessons Learned as a CISO (with Gary Hayslip)

On this special episode of CISO Tradecraft, we have Gary Hayslip talk about his lessons learned being a CISO. He shares various tips and tricks he has used to work effectively as a CISO across multiple companies. Everything from fish tacos and beer to how to look at an opportunity when your boss has no clue about cyber frameworks. There's lots of great information to digest.

Additionally, Gary has co-authored a number of amazing books on cyber security that we strongly recommend reading. You can find them here on Gary's Amazon page.
Mar 21, 2022 • 16min

#70 - Partnership is Key

On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill & cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:
- CFO
- Legal
- Marketing
- Business Units
- CEO
- CIO
- HR

Note: Robin Dreeke mentions 5 keys to building goals:
1. Learn... about their priorities, goals, and objectives.
2. Place... theirs ahead of yours.
3. Allow them to talk... suspend your own need to talk.
4. Seek their thoughts and opinions. Ego suspension!!!
5. Validate them unconditionally and non-judgmentally for who they are as a human being.

During this week's Monday Morning Email, CISO Tradecraft answers the question on how to craft a winning resume to land your first CISO role.

InfoGraphic
Mar 14, 2022 • 25min

#69 - Aligning Security Initiatives with Business Objectives

On this episode of CISO Tradecraft, we talk about how cyber can help the four key business objectives identified by InfoTech:
1. Profit generation: The revenue generated from a business capability with a product that is enabled with modern technologies.
2. Cost reduction: The cost reduction when performing business capabilities with a product that is enabled with modern technologies.
3. Service enablement: The productivity and efficiency gains of internal business operations from products and capabilities enhanced with modern technologies.
4. Customer and market reach: The improved reach and insights of the business in existing or new markets.

We also discuss Franklin Covey's 4 Disciplines of Execution (TM):
- Focus on the Wildly Important
- Act on the lead measures
- Keep a compelling scoreboard
- Create a cadence of accountability

Please note references to InfoTech and Franklin Covey material can be found here:
- https://www.infotech.com/research/ss/build-a-business-aligned-it-strategy
- https://www.franklincovey.com/the-4-disciplines/

Infographic:
