CISO Tradecraft®

G Mark Hardy & Ross Young
Sep 24, 2021 • 33min

#48 - Effective Meetings

We've all suffered through horrible meetings that felt like a total waste of time. As a security leader, you'll be convening your fair share of meetings with your staff. Don't be "that boss" who can't run an effective meeting. This episode shows ways you can ensure your meetings are both efficient and effective, result in actionable tasking, and keep people coming back for more because you showed respect for their time and their ideas. And we even practice what we preach -- this episode ends early.

References:
Harvard Meeting Cost Calculator
OSS Simple Sabotage Manual
Sep 17, 2021 • 43min

#47 - More Risky Business with FAIR

In our 31 July 2021 Episode 42, Risky Business, we covered the basics of risk and risk assessment. This part 2 episode gets into the practical application of risk management using the FAIR model, or Factor Analysis of Information Risk. We explain key risk terminology and walk through examples of how to express risk using this model, as well as creating a meaningful way to explain to executives that is actionable.

References:
Risk Matrix Example
One Page FAIR Model
Measuring & Managing Information Risk
FAIR Wiki
Sep 10, 2021 • 45min

#46 - Crisis Leadership with G Mark Hardy's 9/11 Experience

Have you ever faced a crisis? How well did you do? You should always want to improve your skills in case another happens. On the 20th anniversary of 9/11, G. Mark Hardy shares some of his experiences as the on-scene commander for the military first responders at the World Trade Center, and expands that into a set of skills and attributes that you can cultivate to become a more effective crisis response leader in your role as a cybersecurity professional.

References:
5 Leadership Skills
How to Combat a Crisis
Manage a Crisis
Lessons in Crisis Leadership
Creative Leadership Guidebook
Financial Interest in Situations
G Mark Hardy Ground Zero Video 1 of 2
G Mark Hardy Ground Zero Video 2 of 2
Sep 3, 2021 • 46min

#45 - Protecting your Crown Jewels (with Roselle Safran)

Traditional risk models focus on calculating loss frequency and magnitude, but don't go far enough in terms of modeling the most important assets in our organization, known as "crown jewels." This episode of CISO Tradecraft is a fascinating interview with the CEO and founder of a startup focusing on crown jewel analysis -- Roselle Safran. We'll look into how making this a part of your portfolio helps put the "C" in CISO by showing your understanding of the business in which you work. We'll also extend our discussion to challenges faced by women in cybersecurity, and encouragement for women (and others) to enter our exciting profession.
Aug 27, 2021 • 31min

#44 - Intro to Docker Containers and Kubernetes (K8s)

Containers are a lightweight technology that allows applications to deploy to a number of different host operating systems without having to make any modifications at all to the code. As a result, we've been seeing a big increase in the use of Docker, Kubernetes, and other tools deployed by enterprises. In this episode, we'll cover the fundamentals of containers, Docker, and orchestration tools such as Kubernetes, provide you with the knowledge to understand this environment, and maybe even tempt you to create your own container to test your skill.

Major links referenced in the show:
Container Architecture
Kubernetes Diagrams
Kubernetes Glossary
Kubernetes Primer

Special Thanks to our podcast Sponsor, CyberGRX
Aug 20, 2021 • 45min

#43 - Cyber Deception (with Kevin Fiscus)

Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work. By creating a deceptive environment that booby-traps your networks with fake services, enticing resources, and make-believe traffic, we can create a high-fidelity, low-noise intrusion sensor system -- no legitimate user would ever try these. Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives. There's a lot to learn here, and Kevin Fiscus offers a promise of more to come.

By listening to this episode you will learn:
What is cyber deception?
What problem does cyber deception solve?
How do cyber deception technologies work?
Why is deception more effective than other detection and response technologies?

If you would like to learn more about Cyber Deception, then be sure to check out these great resources:
Kevin's YouTube channel, Take Back the Advantage
The Mitre Engage Matrix
SANS SEC 550

Special Thanks to our podcast Sponsor, CyberGRX
Aug 13, 2021 • 52min

#42 - Third Party Risk Management (with Scott Fairbrother)

Special Thanks to our podcast Sponsor, CyberGRX

On today's episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:
How do you identify which vendors pose the highest risk to your business?
How do you see which vendor's security controls protect against threats?
How do you validate their risk profiles by scanning, dark web monitoring or other techniques to correlate what attackers are seeing and acting upon?
Do you have an understanding of how to improve risk mitigation in your third-party ecosystem?

Also please subscribe to the CISO Tradecraft LinkedIn Page to get more relevant content.
Aug 6, 2021 • 41min

#41 - Got any Threat Intelligence?

Cyber Threat Intelligence is an important part of an effective CISO's arsenal, but many security leaders don't fully understand how to optimize it for their benefit. In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you won't want to miss.
Aug 1, 2021 • 44min

#40 - Risky Business

In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information.
Jul 23, 2021 • 30min

#39 - Stressed Out? Find your Ikigai and 6 Invaluable Factors

Being a CISO has been described as the "toughest job in the world." It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems. Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it.

88% of CISOs report being "moderately or tremendously stressed"

We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for "reason for being." The intersection of what you love, what you are good at, what the world needs, and what you can be paid for represents this ideal state. Mihaly Csikszentmihalyi describes this as "flow," when work comes seemingly effortlessly because we are in alignment with our actions. We'll also explore Dave Crenshaw's factors to being invaluable, which can help us better meet the demands of our job by being the best possible fit. Tune in and gain some ideas on how to help yourself, and your staff, deal with stress.

References:
CISO Tradecraft By Topic on GitHub
Csikszentmihalyi
Ikigai
Invaluable: The Secret to Becoming Irreplaceable
The Six Invaluable Factors by David Crenshaw
