CISO Tradecraft®

G Mark Hardy & Ross Young
Dec 18, 2020 • 57min

#8 - Crucial Conversations

CISOs often encounter situations where everyone has a different opinion, it's a high-stakes decision, and emotions are running high. These situations create crucial conversation opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8-step process from the book "Crucial Conversations":

1. Get Unstuck
2. Start With Heart
3. Master My Stories
4. State My Path
5. Learn To Look
6. Make It Safe
7. Explore Others' Path
8. Move To Action

We recommend you visit the Crucial Conversations website to learn more: https://www.vitalsmarts.com/crucial-conversations-training/

The Crucial Conversations book can be found on Amazon: https://www.amazon.com/dp/0071771328/ref=cm_sw_em_r_mt_dp_0Cj3FbY9KA429

Chapters
00:00 Introduction
02:13 How to have crucial conversations
06:14 How to make better decisions
09:54 The dangers of talking about business
14:26 The importance of clarifying what you really want
17:51 The importance of mutual respect
25:18 How to achieve a shared goal
29:11 How to partner together to stop terrorism
33:13 How to create a mutual purpose
37:08 How to speak your mind in a safe environment
40:52 The importance of being vulnerable
51:56 The importance of listening to people
54:56 How to be a successful CISO
Dec 11, 2020 • 49min

#7 - DevOps

On this episode we explore DevOps as a topic and discuss why you need to care about it as a CISO. Key discussions include:

- What are the key principles behind DevOps?
- What benefits does security see from DevOps?
- What is a CI/CD pipeline?
- What are the common types of DevOps tools that I need to understand as a CISO?
- Where does DevSecOps fit in?
- What are the 4 types of Application Security Testing tools we see in DevOps pipelines?
- What are 3 common ways to make DevOps / DevSecOps go viral in any organization?

Chapters
00:00 Introduction
04:56 DevOps - What are your thoughts?
08:57 Microsoft Super Patch Tuesday
13:03 DevOps - What's it all about?
14:22 What is CALMS (Culture, Automation, Lean, Measuring, & Sharing)
26:32 CI/CD
32:12 Containers & DevOps
33:45 Where does security fit in?
36:26 Application Security Testing
41:54 DevOps & DevSecOps - What are the tools?
Dec 4, 2020 • 50min

#6 - Change Management

If you want to make an impact as a leader, then you need to understand how to lead change. This episode overviews Dr. John Kotter's 8-step process for accelerating change:

1. Create a sense of urgency
2. Build a guiding coalition
3. Form a strategic vision and initiatives
4. Enlist a volunteer army
5. Enable action by removing barriers
6. Generate short-term wins
7. Sustain acceleration
8. Institute change

We highly recommend you read Kotter's ebook to learn more: https://www.kotterinc.com/8-steps-process-for-leading-change/

Chapters
00:00 Introduction
04:25 Are you creating change without urgency?
07:16 How can we drive security into the mobile app experience?
10:55 How to build a guiding coalition to transform the organization
13:49 The one trick I've learned from public speaking
16:15 What's the 3rd step in creating a strategic vision and initiatives
19:12 A great strategic vision drives direction
20:50 How to accelerate the change in your organization
24:31 Creating partnerships to transform security
28:04 Identifying the barriers that are creating problems in your organization
33:01 How to document short term wins
36:13 The next step is sustained acceleration
39:28 How to anchor change in corporate culture
45:02 Leadership and management from a leadership perspective
Nov 27, 2020 • 58min

#5 - Cyber Frameworks

Cyber frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39), and provides useful tips on how to implement them.

Chapters
00:00 Introductions
03:29 Creating a Framework for Cyber Security Programs
06:48 What are the Most Important Controls
11:08 Having an Inventory of Your Network Assets
14:01 Patch Tuesday and Remediation
18:20 Penetration Testing - The Last of the 20 SANS Controls
20:58 What's the NIST Cyber Security Framework
29:17 The Evolution of Security Controls
35:03 ISO 27000 Series Gap Analysis
40:03 Cyber is in the Business of Revenue Protection
44:53 The Risk Matrix - Likelihood and Impact
49:32 Risk Management & Continuous Vulnerability Management
51:41 Your four options? (Accept, Mitigate, Avoid, or Assign)
Nov 20, 2020 • 39min

#4 - Asset Management

If you want to assess your current level of security, then you should start with an asset management program. Asset management provides the basic building blocks that enable vulnerability management and remediation programs. This podcast provides key lessons learned on what is required for effective asset management and discusses how asset management evolves with the cloud. Listeners will also learn the important steps to take to create a world-class asset management program.

Chapters
00:00 Introduction
02:00 The SANS Top 20 Controls
06:04 What if I don't have an Agent on my Endpoint?
09:08 Cloud Native CMDB Systems
11:35 Shadow IT in the Cloud
14:12 Software Bill of Materials for your Applications
19:33 What's the problem with older versions of software?
22:02 Is there a Vulnerability in Windows 10?
24:34 The Criticality of the Enterprise Patch Cycle
28:43 How do we have a Good Inventory?
31:34 Continuity of Operations & Disaster Recovery
33:17 Is your Asset Inventory Complete?
35:17 Is Asset Management Key for your Organization?
Nov 13, 2020 • 39min

#3 - How to Read Your Boss

The ability to persuade others is a core tradecraft for every CISO. This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers). After listening to this podcast, you will understand how to tailor your message more effectively to influence each style of executive. If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article “Change the Way You Persuade” by Gary A. Williams and Robert B. Miller: https://hbr.org/2002/05/change-the-way-you-persuade

Chapters
00:00 Introductions
03:04 How to Persuade a Charismatic Leader
06:49 How do you use Visual Aids to Help Thinkers
10:39 What approaches do you take with Skeptics?
15:47 How do we overcome Skeptics?
17:24 Are Followers Leaders?
20:58 Can we do a Pilot Program?
22:59 Strategic Tools to be more Successful in your Career
24:47 Do you have any experiences with Controllers?
28:03 How to use your Egos and their Past Experiences to your Advantage
31:06 The Pointy Haired Boss
36:35 How to Adapt a Leader's Style
Nov 6, 2020 • 46min

#2 - Principles of Persuasion

To become an effective CISO you need influence skills. On this episode we explore Robert Cialdini's book "Influence" and discuss the psychology of persuasion. We will explore 6 key areas of influence:

1. Liking: If people like you, because they sense that you like them or because of things you have in common, they're more apt to say yes to you.
2. Reciprocity: People tend to return favors. If you help people, they'll help you. If you behave in a certain way (cooperatively, for example), they'll respond in kind.
3. Social Proof: People will do things that they see other people doing, especially if those people seem similar to them.
4. Commitment and Consistency: People want to be consistent, or at least to appear to be. If they make a public, voluntary commitment, they'll try to follow through.
5. Authority: People defer to experts and to those in positions of authority (and typically underestimate their tendency to do so).
6. Scarcity: People value things more if they perceive them to be scarce.

If you would like to learn more on this topic, then we recommend you read Cialdini's work:

Website: https://www.influenceatwork.com/principles-of-persuasion/
Book: https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X

Chapters
00:00 Introduction
03:21 The Principles of Persuasion
05:27 How to be a Great Speaker and Get People to Like You
09:01 How to Win Friends and Influence People
13:45 How does a Mint Influence your Tipping?
15:04 Doing a Favor for Someone is a Good Thing
17:29 The Concept of Social Proof in Security
21:34 How to Defend against Audits
26:15 Getting Small Commitments Out of People Early On
29:20 The Importance of Consistency in Influencing
34:12 The Six Principles of Persuasion
38:57 Is there a Scarcity of Time?
43:13 The Six Cialdini Factors Recap
Oct 30, 2020 • 51min

#1 - What is a CISO?

On this pilot episode you will get to meet the hosts of the show (G Mark Hardy & Ross Young) and learn a little bit about their backgrounds.

Chapters
00:00 Introductions
04:47 What is a CISO?
07:24 Enable the Rock Climber to Take Risks
13:32 What do CISOs need to know?
18:07 Compliance is a C-
21:23 What functions and services do CISOs oversee?
25:48 The importance of a Purple Team
29:45 Is your Security Office a Red Team or a Blue Team?
34:50 Which organization in security is most likely to produce a CISO
39:11 The Hidden Key to Success is Communication Skills
41:17 CISO Key Capabilities are Communication and Influence
46:57 What are the skills you need to focus on