CISO Tradecraft®

G Mark Hardy & Ross Young
Mar 7, 2022 • 1h 3min

#68 - Thought Provoking Discussions (with Richard Thieme)

Today we speak with Richard Thieme, a man with a reputation for stretching your mind with his insights, who has spoken at 25 consecutive DEFCONs as well as keynoted BlackHat 1 and 2. In a far-ranging discussion, we cover the concept of what it's like to be a heretic (hint: it's one step beyond being a visionary), the thought that the singularity has already arrived, Pierre Teilhard de Chardin's noosphere, disinformation and cyber war, ethical decision-making in automated systems, and why there is convincing evidence we are not alone in this universe.

References:
- https://thiemeworks.com/
Feb 28, 2022 • 30min

#67 - Knock, Knock? Who’s There and Whatcha Want?

On this episode of CISO Tradecraft we are going to talk about various Access Control & Authentication technologies.

Access Control Methodologies:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
- Privileged Access Management (PAM)
- Rule Based Access Control
- Attribute Based Policy Control (ABAC) or Policy Based Access Control (PBAC)

Authentication Types:
- Password-based authentication
- Certificate-based authentication
- Token-based authentication
- Biometric authentication
- Two-factor Authentication (2FA)
- Multi-Factor Authentication (MFA)
- Location-based authentication
- Computer recognition authentication
- Completely Automated Public Turing Test to Tell Computers & Humans Apart (CAPTCHA)
- Single Sign On (SSO)
- Risk Based authentication

References:
- https://riskbasedauthentication.org/
- https://blog.identityautomation.com/what-is-risk-based-authentication-types-of-authentication-methods
- https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
- https://www.n-able.com/blog/network-authentication-methods
- https://www.getgenea.com/blog/types-of-access-control/
- https://www.twingate.com/blog/access-control-models/
- https://csrc.nist.gov/glossary/term/authentication
- https://csrc.nist.gov/glossary/term/authorization
- https://www.techtarget.com/searchsecurity/definition/access-control
Feb 21, 2022 • 21min

#66 - Working On The Supply Chain Gang

On this episode of CISO Tradecraft, you can learn about supply chain vulnerabilities and the 6 important steps you can take to mitigate this attack within your organization:
1. Centralize your software code repository
2. Centralize your artifact repository
3. Scan open source software for malware
4. Scan software for vulnerabilities and vendor support
5. Run a Web Application Firewall (WAF)
6. Run a Runtime Application Self Protection (RASP)

References:
- https://owasp.org/www-project-threat-and-safeguard-matrix/
- https://slsa.dev/

Infographic:
Feb 14, 2022 • 44min

#65 - Shall We Play A Game?

Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO.

What's in a Game?
- Objective
- Rules
- Challenge/Competition
- Randomness or unpredictability
- Designed for fun and sometimes learning

What Makes a Game Fun?
- Challenge: requires a reasonable level of difficulty
- Fantasy: a compelling setting for game action; temporary suspension of reality
- Curiosity: random events so that play is not completely deterministic
- Control: learners are confronted with choices

What's in a Learning Game?
- Active participation
- Immediate feedback
- Dynamic interaction
- Competition
- Novelty
- Goal direction

5 Gamification Concepts
- Leaderboards
- Badges & Achievements
- Levels & Progression
- Unlockables
- Virtual Economy

4 Player Types
- Killers are players motivated by leader boards and ranks. These players focus on winning and peer to peer competition. Their focus is on acting on other players.
- Achievers are players motivated by achievements and points. These players focus on achieving present goals quickly and completely. Their focus is on acting on the world.
- Socializers are players motivated by friends lists, chat, and news feeds. These players focus on socializing and developing a network of friends. Their focus is on interacting with players.
- Explorers are players motivated by hidden content and levels. These players focus on exploring and discovering the unknown. Their focus is on interacting with the world.

References:
- https://www.chaostheorygames.com/blog/serious-games-guide-everything-you-need-to-know-in-2021
- https://www.chaostheorygames.com/blog/what-is-gamification-2020-definition
- https://directivecommunication.net/the-ultimate-guide-to-work-gamification/
- https://yukaichou.com/gamificationnews/4-dominant-applications-of-gamification/
- https://medium.com/@chow0531/actionable-gamification-fbe27f6cb2d6
- https://www.capgemini.com/2020/06/gamification/
- https://insights.lytho.com/translation-fails-advertising
- http://timboileau.wordpress.com
- https://www.amazon.com/dp/1451611064/?coliid=I2J1XHCOBD5476&colid=2CQEH5MGKB5YX&psc=1&ref_=lv_ov_lig_dp_it

Infographic:
Feb 7, 2022 • 44min

#64 - 3 Keys to Being a CISO (with Allan Alford)

On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:
1. Use a Cyber Maturity Model such as CMMI to identify the current situation and build a roadmap of where the organization is headed
2. Quantify Known Risks through a Risk Register which gets routinely briefed to Executives
3. Align Cyber to Business Objectives to enable the business

If you enjoy listening to Allan Alford, then please subscribe to The Cyber Ranch Podcast for more great content.

Infographic:
Jan 31, 2022 • 26min

#63 - Flirting with Disaster

As a cyber executive you should expect disaster and disruption. When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing vital records to perform business functions. The secret to accomplishing these objectives can be found in three important documents: a Business Continuity Plan, a Disaster Recovery Plan, and a Business Impact Analysis. Enjoy the show as we walk you through them.

References:
- FEMA BCP Example: https://arlingtonva.s3.amazonaws.com/wp-content/uploads/2019/08/COOP-Template-Business-Continuity.pdf
- IBM Disaster Recovery Plan: https://www.ibm.com/docs/en/i/7.1?topic=system-example-disaster-recovery-plan
- Fire Drills: https://en.wikipedia.org/wiki/Fire_drill
- Business Impact Analysis: https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf

Infographic:
Jan 24, 2022 • 31min

#62 - Promotion Through Politics

On this episode, we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: Technical Skills, Management Skills, Leadership Skills, and Political Skills. We also highlight 6 crucial areas to improve your political skills:

1. Social Astuteness - You need to get your cues right. Socially astute managers are well-versed in social interaction. In social settings they accurately assess their own behavior as well as that of others. Their strong powers of discernment and high self-awareness contribute to their political effectiveness.
2. Interpersonal Influence - Managers who are effective influencers have good rapport with others and build strong interpersonal relationships. They also tend to have a better understanding of broader situations and better judgment about when to assert themselves.
3. Networking Ability - Skilled networkers build friendships and working relationships by garnering support, negotiating, and managing conflict. They know when to call on others and are seen as willing to reciprocate.
4. Apparent Sincerity - Be sincere. Politically skilled individuals display high levels of integrity, authenticity, sincerity, and genuineness. They really are--and also are viewed as--honest, open, and forthright, inspiring trust and confidence.
5. Think before you speak - Politically skilled managers are careful about expressing feelings. They think about the timing and presentation of what they have to say.
6. Manage up and down - Leaders need to skillfully manage up by communicating with their bosses and keeping higher-ups informed. But this can become a double-edged sword; research shows that the people who are most skilled at managing up tend not to invest enough energy in building and leading their teams. True political skill involves relationships with teammates and direct reports as well as higher-ups.

References:
- https://www.ckju.net/en/blog/6-behaviors-characterize-politically-skilled-individuals-organizations-how-learn-them/32148
- https://en.wikipedia.org/wiki/Terry_Tate:_Office_Linebacker
- https://hbr.org/2017/04/the-4-types-of-organizational-politics
- https://www.forbes.com/2010/05/25/office-politics-psychology-leadership-managing-ccl.html
- Ferris, G. R., Davidson, S. L., & Perrewe, P. L. (2005). Political skill at work: impact on work effectiveness. Mountain View, Calif.: Davies-Black Pub.
- Ferris, G. R., Treadway, D. C., Kolodinsky, R. W., Hochwarter, W. A., Kacmar, C. J., Douglas, C., & Frink, D. D. (2005). Development and Validation of the Political Skill Inventory. Journal of Management, 31(1), 126-152. doi: 10.1177/0149206304271386
- Ferris, G. R., Berkson, H. M., Kaplan, D. M., Gilmore, D. C., Buckley, M. R., Hochwarter, W. A., et al. (1999). Development and initial validation of the political skill inventory. Paper presented at the 59th annual national meeting of the Academy of Management, Chicago.

Infographic:
Jan 17, 2022 • 33min

#61 - Presentation Skills

On this episode of CISO Tradecraft, we discuss how to give a great presentation:
- Starting with the Bottom Line Up Front (BLUF)
- Using pictures to capture attention
- Asking thought provoking questions
- Succinct points to tell a story
- Decision slides that show:
  - The problem
  - The proposed solution
  - Cost to implement the solution
  - Why alternatives are not as good
  - Next steps after the decision is made

We also discuss the Angels Cocktail, which is a concept taken from a Ted Talk by JP Phillips:
- Dopamine is a neurotransmitter that stimulates focus, motivation, and memory. If you want to use this chemical, then tell a story that has obstacles to build suspense and create cliffhangers.
- Oxytocin is the hormone associated with generosity, trust, and bonding. If you want to use this chemical, tell a story that creates empathy or makes you vulnerable. You can make the story more impactful by using the concept of delaying resolution of the story.
- Endorphins are the last hormone, which are associated with making people creative, relaxed, and focused. If you want to use this chemical, try making others laugh. One way to do this is by being overly dramatic.

References:
- https://www.verywellmind.com/glossophobia-2671860
- https://hbr.org/2019/09/to-overcome-your-fear-of-public-speaking-stop-thinking-about-yourself
- https://hbr.org/2013/06/how-to-give-a-killer-presentation
- https://www.cnbc.com/id/100646197
- https://www.youtube.com/watch?v=Nj-hdQMa3uA
- https://www.resourcefulmanager.com/storytelling-as-a-leadership-tool/
- https://hbr.org/2014/07/how-to-tell-a-great-story

Infographic:
Jan 10, 2022 • 18min

#60 - CISO Knowledge Domains Part 2

One of the most common questions that we get asked on CISO Tradecraft is: what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode is a continuation from the previous episode and will go over the 6th-10th knowledge areas.

1. Product Security focuses on ensuring developers write secure code
2. Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks
3. Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization's defensive technologies
4. Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations
5. Enabling Technologies is about enabling businesses to create digital transformation
6. Risk Management is about effectively identifying what are the biggest risks to the company, what's the likelihood and magnitude of a potential attack, and how to estimate the cost of remediation
7. Governance is about understanding what technology your organization uses so you can effectively manage it through a process
8. Identity & Access Management is about limiting the scope of an attacker who could cause harm to your organization
9. Business Management & Leadership is an essential skill for executives to lead and influence others
10. Security Culture is about building an organization where the entire company becomes resilient

References:
- https://github.com/cisotradecraft/podcast

Infographic:
Jan 3, 2022 • 16min

#59 - CISO Knowledge Domains Part 1

One of the most common questions that we get asked on CISO Tradecraft is: what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft has put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode will go over just the first 5 knowledge areas, with the remaining five on a future episode.

1. Product Security focuses on ensuring developers write secure code
2. Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks
3. Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization's defensive technologies
4. Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations
5. Enabling Technologies is about enabling businesses to create digital transformation

References:
- https://github.com/cisotradecraft/podcast
