CISO Tradecraft®
G Mark Hardy & Ross Young
You are not years away from accomplishing your career goals, you are skills away. Learn the Tradecraft to Take Your Cybersecurity Skills to the Executive Level. © Copyright 2025, National Security Corporation. All Rights Reserved
Episodes

Jan 27, 2025 • 45min
#217 - Includes No Dirt (with Bill Dougherty)
In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf
Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X
Chapters
03:27 The Genesis of Includes No Dirt
05:05 Combining Security, Privacy, and Compliance
07:24 Implementing the No Dirt Model
11:42 Scoring and Evaluating Risks
17:41 Third-Party Risk Management
25:49 Evaluating SaaS Requests Based on Risk
27:55 Adapting Threat Models for AI
31:24 Principles of Minimum Necessary Data
33:42 General Applicability of Security Principles
35:12 Includes No Dirt: A Comprehensive Threat Model
40:15 Final Thoughts and Recommendations

Jan 20, 2025 • 46min
#216 - The TTPs of a Security Champions Program (with Dustin Lehr)
Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you’re an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization’s security practices.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH
Learn more about this topic by reading Dustin's website - https://securitychampionsuccessguide.org/
Dustin Lehr's company - https://www.katilyst.com/
Chapters
01:05 Meet Dustin Lehr
04:05 Leadership vs. Management
06:17 The Role of Security Champions
17:20 Recruiting Security Champions
24:42 Exploring the Framework: Vision and Goals
26:25 Defining Participants and Their Roles
28:37 Understanding the Current Setting
33:27 Conceptualizing Ideal Actions
35:20 Designing with Gamification in Mind
40:30 Effective Delivery and Continuous Tuning
41:30 Overcoming Challenges and Final Thoughts

Jan 13, 2025 • 19min
#215 - CISO Predictions for 2025
In this episode of CISO Tradecraft, host G Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.
Big Thanks to our Sponsor
CruiseCon - https://cruisecon.com/
CruiseCon Discount Code: CISOTRADECRAFT10
Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf
Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code
Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy
Chapters
01:19 1) AI Influencers become normalized
03:17 2) The Importance of Production Quality in Branding
05:19 3) Google and Apple Collaboration for Enhanced Security
06:28 4) Consolidation in Application Security and Vulnerability Management
08:36 5) The Rise of Models Committees
09:09 6) Formalizing the CISO Role
11:03 7) Exclusive CISO Retreats: The New Trend
12:12 8) Automating Cybersecurity Tasks with Agentic AI
13:10 9) Browser-Based Security Solutions
14:22 10) Post-Quantum Cryptography: Preparing for the Future

Jan 6, 2025 • 46min
#214 - Deceive to Detect (with Yuriy Gatupov)
🔥 Hackers Beware! Cyber Deception is Changing the Game 🔥
In this must-hear episode of CISO Tradecraft, we expose a mind-blowing cybersecurity strategy that flips the script on attackers. Instead of waiting to be breached, cyber deception technology tricks hackers into revealing themselves—before they can do real damage. 🚨🎭
Imagine laying digital traps—fake credentials, bogus systems, and irresistible bait—that lead cybercriminals straight into a controlled maze where every move they make is tracked.
Early threat detection? ✅
Real-time attacker intel? ✅
Fewer false positives? ✅
🎙️ Featuring deception tech guru Yuriy Gatupov, we break down:
✅ How deception tech works & why it’s a game-changer
✅ How to expose and track hackers in real time
✅ How to prove ROI and make the case for your org
Cyber deception isn’t just defense—it’s offense against cyber threats. Are you ready to fight back? Listen now!
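The "fake credentials" trap described above reduces to a simple detection rule: a decoy credential has no legitimate user, so any attempt to use it (successful or not) is a high-confidence signal. The following is an added example written for this page, not code from the episode, from Yuriy Gatupov or from Labyrinth; the decoy account name, the decoy API key, the log format and the log lines are all constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed decoy credentials (hypothetical). Each is planted somewhere an
# intruder would find it (a config file, a password note, an AD account) and
# is never used by any real job, so every appearance in a log is a detection.
HONEYTOKENS = {
    "svc_backup_admin": "decoy domain service account planted in AD",
    "AKIAFAKEDEPLOYKEY01": "decoy cloud access key planted in a repo config",
}

# Constructed auth-log lines in a simplified key=value format (hypothetical).
SAMPLE_LOGS = """\
2025-01-06T02:14:07Z auth host=fs01 user=jdoe src=10.20.4.15 result=success
2025-01-06T02:15:33Z auth host=dc01 user=svc_backup_admin src=10.20.9.88 result=failure
2025-01-06T02:16:01Z auth host=dc01 user=svc_backup_admin src=10.20.9.88 result=success
2025-01-06T02:18:45Z apikey host=api-gw key=AKIAFAKEDEPLOYKEY01 src=203.0.113.7 result=failure
2025-01-06T02:19:02Z auth host=fs01 user=asmith src=10.20.4.22 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>\w+) host=(?P<host>\S+) (?:user|key)=(?P<cred>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    cred: str
    src: str
    result: str
    severity: str  # "high" when the decoy actually worked, else "medium"
    note: str


def detect_honeytoken_use(log_text: str, honeytokens=HONEYTOKENS) -> list[Alert]:
    """Return one alert per log line that references a decoy credential.

    Failed attempts are alerted too: a failure still proves someone found and
    tried the decoy, which is the whole point of planting it.
    """
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        cred = m["cred"]
        if cred not in honeytokens:
            continue
        severity = "high" if m["result"] == "success" else "medium"
        alerts.append(
            Alert(m["ts"], m["host"], cred, m["src"], m["result"], severity, honeytokens[cred])
        )
    return alerts


def suspicious_sources(alerts: list[Alert]) -> list[str]:
    """Distinct source addresses that touched a decoy, for containment/hunting."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    for a in detect_honeytoken_use(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.host} used decoy {a.cred!r} ({a.result}); {a.note}")
    print("sources to investigate:", suspicious_sources(detect_honeytoken_use(SAMPLE_LOGS)))
```

The design choice worth noting is that the rule does not try to distinguish "good" from "bad" use of the decoy; because no legitimate use exists, the false-positive rate is bounded only by how well the decoy is kept out of real automation.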
Big thanks to our Sponsors
ThreatLocker - https://hubs.ly/Q02_HRGK0
CruiseCon - https://cruisecon.com/
Contact Yuriy Gatupov - info@labyrinth.tech
Yuriy's LinkedIn - https://www.linkedin.com/in/yuriy-gatupov-373155281/
Transcripts: https://docs.google.com/document/d/1oyQzCBRoPLbDOCOCypJMGGXxcPI5w75o
Chapters
02:05 History of Cyber Deception
04:57 Advantages of Deception Technology
06:57 Engagement and Detection Strategies
10:18 How Deception Technology Works
16:13 Attack Scenarios and Detection
24:09 Decoys and Deception: A New Paradigm
24:56 Real-World Success Stories
33:30 Deception in OT and SCADA Systems
37:38 Calculating ROI for Deception Technologies

Dec 30, 2024 • 46min
#213 - How to Build a Successful Cybersecurity Startup (with Ross Haleliuk)
In this episode of CISO Tradecraft, host G Mark Hardy interviews Ross Haleliuk, author of 'Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup.' Ross shares valuable insights on starting a cybersecurity company, and emphasizes the importance of understanding market needs, customer engagement, and trust in the industry. They discuss the role of angel investors, the differences between product and service companies, and the challenges founders face. The episode also includes an announcement about CISO Tradecraft's partnership with CruiseCon for an upcoming cybersecurity conference. Additionally, Ross provides a glimpse into his non-traditional background and journey into the cybersecurity space.
Thank you to our sponsors
- ThreatLocker - https://hubs.ly/Q02_HRGK0
- CruiseCon - https://cruisecon.com/
Ross Haleliuk's Book - https://www.amazon.com/Cyber-Builders-Essential-Building-Cybersecurity/dp/173823410X/
Ross Haleliuk's LinkedIn Page - https://www.linkedin.com/in/rosshaleliuk/
Transcripts: https://docs.google.com/document/d/1b8UPolYvYWEYbmO7n_7NqrilObv-HNzo
Chapters
02:28 Ross Haleliuk's Background and Journey
04:32 Discussing the Book: Cyber for Builders
10:52 Insights on Cybersecurity and Business
15:54 Challenges and Realities of Cybersecurity Startups
22:19 Navigating Market Competition
23:15 Entering Established Markets
24:28 Challenges in Security Tool Adoption
25:11 Legacy Vendors and Market Entrenchment
27:35 Building a Company: Beyond the Product
30:02 Validating Market Needs
32:27 Funding Your Startup
35:25 The Role of Angel Investors
43:29 Conclusion and Next Steps

Dec 23, 2024 • 46min
#212 - Repeatable, Attestable, and Defensible AI (with AWS's Former Deputy CISO Merritt Baer)
Join us on CISO Tradecraft as we explore the future of cybersecurity with Merritt Baer, former Deputy CISO at AWS. Merritt, a Harvard Law graduate, shares her expert insights on the trends expected in the upcoming years, emphasizing the enduring aspects of cybersecurity, the implications of AI, and challenges in cloud security. Discover valuable strategies for managing security risks, the evolution of ransomware, and the integration of sustainable practices within the industry. Don't miss this episode filled with practical advice for current and aspiring CISOs!
Thank you to our sponsors
- ThreatLocker - https://hubs.ly/Q02_HRGK0
- CruiseCon - https://cruisecon.com/
Transcripts https://docs.google.com/document/d/1KRkN7jVZvAaYk1eSBde3GTiD-G9RPjXJ
Chapters
00:00 Introduction and Guest Overview
01:16 Future of Cybersecurity
02:18 AWS Security Insights
04:35 Shared Responsibility Model
09:59 AI in Cybersecurity
21:55 Security and Environmental Concerns
32:36 Predictions for 2025 and Beyond
42:46 Closing Remarks and Contact Information

Dec 16, 2024 • 28min
#211 - Allowlisting and Ringfencing (with Kieran Human)
In this episode of CISO Tradecraft, host G Mark Hardy discusses the history and evolution of endpoint protection with guest Kieran Human from ThreatLocker. Starting from the inception of antivirus software by John McAfee in the late 1980s, the episode delves into the advancements through Endpoint Detection and Response (EDR) and introduces the latest in endpoint security: allowlisting and ring fencing. The conversation highlights the limitations of traditional antivirus and EDR solutions in today's threat landscape, emphasizing the necessity of default-deny approaches to enhance cybersecurity. Kieran explains how ThreatLocker’s allowlisting and ring-fencing capabilities can block unauthorized applications and actions, thus significantly reducing the risk of malware and ransomware attacks. Practical insights, war stories, and deployment strategies are shared to help cybersecurity leaders implement these next-generation tools effectively.
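The default-deny idea in the episode can be modelled in a few dozen lines: an application runs only if its exact hash is on the allowlist, and even an allowed application is ring-fenced to the child processes, file paths and network access it actually needs. The following is an added example written for this page, not ThreatLocker's engine or code from the episode; the "binaries", their hashes, the policies and the event format are all constructed stand-ins, and a real product enforces this in the kernel rather than in a Python function.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    name: str
    sha256: str                       # allowlist: only this exact binary may run
    allowed_children: frozenset[str]  # ring-fence: which apps it may launch
    allowed_paths: tuple[str, ...]    # ring-fence: path prefixes it may write to
    network: bool                     # ring-fence: may it open outbound connections


@dataclass(frozen=True)
class Event:
    action: str    # "execute", "spawn", "write" or "connect"
    image: bytes   # bytes of the binary performing the action
    target: str = ""  # child image name, file path, or destination host


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables (hypothetical contents).
WINWORD = b"stand-in bytes for winword.exe"
POWERSHELL = b"stand-in bytes for powershell.exe"
BACKUP_AGENT = b"stand-in bytes for backupagent.exe"

# Anything whose hash is not a key here is denied: there is no blocklist.
ALLOWLIST: dict[str, AppPolicy] = {
    digest(WINWORD): AppPolicy(
        "winword.exe", digest(WINWORD),
        allowed_children=frozenset(),            # Word never needs to launch shells
        allowed_paths=("C:\\Users\\",), network=False,
    ),
    digest(POWERSHELL): AppPolicy(
        "powershell.exe", digest(POWERSHELL),
        allowed_children=frozenset(),
        allowed_paths=("C:\\Windows\\Temp\\",),  # admin scripts, not user documents
        network=False,
    ),
    digest(BACKUP_AGENT): AppPolicy(
        "backupagent.exe", digest(BACKUP_AGENT),
        allowed_children=frozenset(),
        allowed_paths=("D:\\Backups\\",), network=True,  # the one app that may talk out
    ),
}


def evaluate(event: Event, allowlist: dict[str, AppPolicy] = ALLOWLIST) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown binaries and unknown actions are denied."""
    policy = allowlist.get(digest(event.image))
    if policy is None:
        return False, "deny: image hash not on allowlist (default deny)"
    if event.action == "execute":
        return True, f"allow: {policy.name} is allowlisted"
    if event.action == "spawn":
        ok = event.target in policy.allowed_children
        what = f"spawn {event.target}"
    elif event.action == "write":
        ok = any(event.target.startswith(p) for p in policy.allowed_paths)
        what = f"write {event.target}"
    elif event.action == "connect":
        ok = policy.network
        what = f"connect {event.target}"
    else:
        return False, f"deny: unknown action {event.action!r}"
    verdict = "allow" if ok else "deny (ring-fence)"
    return ok, f"{verdict}: {policy.name} {what}"


if __name__ == "__main__":
    # Constructed ransomware-style chain: a macro in Word tries to launch
    # PowerShell, which then tries to overwrite user documents and call home.
    chain = [
        Event("execute", WINWORD),
        Event("spawn", WINWORD, "powershell.exe"),
        Event("write", POWERSHELL, "C:\\Users\\jdoe\\Documents\\q4.docx"),
        Event("connect", POWERSHELL, "203.0.113.7:443"),
        Event("execute", b"unsigned dropper bytes"),
        Event("execute", WINWORD + b"\x00"),  # tampered copy: hash no longer matches
    ]
    for ev in chain:
        print(evaluate(ev)[1])
```

Two things the model makes visible: a legitimately allowlisted application is still stopped from doing what malware would make it do, and a single byte of tampering with an allowed binary changes its hash and drops it back into the default-deny bucket.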
Thank you to our sponsor ThreatLocker
https://hubs.ly/Q02_HRGK0
Transcripts: https://docs.google.com/document/d/1UMrK44ysBjltNkddCkwx9ly6GJ14tIbC
Chapters
00:00 Introduction to Endpoint Protection
00:41 Upcoming Event: CruiseCon 2025
01:18 History of Endpoint Protection
03:34 Evolution of Antivirus to EDR
05:25 Next-Gen Endpoint Protection: Allowlisting
06:44 Guest Introduction: Kieran Human from ThreatLocker
08:06 Benefits of Allowlisting and Ring Fencing
17:14 Challenges and Best Practices
26:19 Conclusion and Call to Action

Dec 9, 2024 • 46min
#210 - Salt Typhoon and Vulnerable Telecoms
In this crucial episode of CISO Tradecraft, host G Mark Hardy delves into the urgent topic of the 'Salt Typhoon' threat, with insights from experts Adam Isles and Andreas Kurland from the Chertoff Group. The episode covers what it means for corporate security to rely on SMS text messages while Chinese state actors are breaking into major telecommunications providers. The conversation focuses on encryption, secure communications, and measures to mitigate risks from vulnerabilities in telecommunications infrastructure. The discussion includes practical steps for securing messaging, voice calls, virtual meetings, and emails. Learn actionable strategies to bolster your organization’s cybersecurity posture and ensure robust defense against sophisticated state-level cyber threats.
Thank you to our sponsor ThreatLocker
https://www.threatlocker.com/pages/essential-eight-fast-track?utm_source=ciso_tradecraft&utm_medium=sponsor&utm_campaign=essential-eight_q4_24&utm_content=essential-eight&utm_term=podcast
Link to recommendations:
https://chertoffgroup.com/end-to-end-encryption-is-essential/
Transcripts https://docs.google.com/document/d/13NKPUBU3c-qYQtX18NR08oYVRSSnHD_a
Chapters:
00:00 Introduction to Salt Typhoon
01:31 Meet the Experts: Adam Isles and Andreas Kurland
02:03 Understanding the Salt Typhoon Threat
04:49 Telecommunications and Security Risks
07:37 Messaging Security: Risks and Recommendations
20:14 Voice Communication Security
28:44 Securing Virtual Meetings
34:45 Email Security: Challenges and Solutions
41:35 Conclusion and Contact Information

Dec 2, 2024 • 49min
#209 - AI Singularity (with Richard Thieme)
In this riveting episode of CISO Tradecraft, host G Mark Hardy welcomes back Richard Thieme, a thought leader in cybersecurity and technology, almost three years after his last appearance. Richard delves into the necessity of thinking like a hacker, provides insights into the AI singularity, and discusses the ethical and societal implications of emerging technologies. The conversation also touches on Richard's extensive body of work, including his books and views on cyber warfare, disinformation, and ethical decision-making. Tune in for a thought-provoking discussion that challenges conventional wisdom and explores the interconnectedness of technology, consciousness, and our future.
Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/
CruiseCon Discount Code: CISOTRADECRAFT10
Link to Richard’s home page (and links to Amazon for his books):
https://thiemeworks.com/
Link to the book, The Ending of Time:
https://store.kfa.org/products/the-ending-of-time-new-edition
Transcripts: https://docs.google.com/document/d/1Q7CJkF7Spji2iAbV_mYEyYHnKWobzo6N
Chapters
00:00 Introduction and Guest Announcement
00:56 Upcoming Cybersecurity Event: CruiseCon
01:41 Welcoming Back Richard Thieme
02:06 Reflecting on Past Discussions
02:59 The Necessity for Thinking Like a Hacker
03:10 Exploring Richard Thieme's Books
08:25 Understanding AI and Its Implications
18:28 Soft Power and Global Influence
24:01 The Power of Fiction in Revealing Truth
24:37 Ethical Frameworks Post 9/11
26:12 The Role of Empathy in Intelligence Work
26:37 The Blurring Line Between Fact and Fiction
29:52 The Isolation of Intelligence Work
31:18 The Interconnectedness of Everything
33:36 Exploring Remote Viewing and Consciousness
36:50 The Rise of AI and Ethical Considerations
39:43 The Evolution of Technology and Society
45:07 Final Thoughts and Reflections

Nov 25, 2024 • 45min
#208 - Insider Threat (with Shawnee Delaney)
This podcast episode of CISO Tradecraft features Shawnee Delaney, an insider threat expert, discussing insider threats in cybersecurity. Delaney, whose background includes espionage, explains how understanding human motivation and vulnerabilities is crucial for identifying and mitigating insider threats. The conversation highlights the importance of organizational culture, employee well-being, and proactive measures like employee lifecycle management and psychological testing in preventing such threats. Practical advice is offered for leaders to foster a supportive and communicative work environment to detect potential threats early. Finally, methods for creating effective insider threat programs and addressing cultural issues are explored.
Shawnee Delaney's LinkedIn - https://www.linkedin.com/in/shawnee-delaney/
Vaillance Group - https://www.vaillancegroup.com/
Transcripts: https://docs.google.com/document/d/1xJiEMDL8CjNwwfBSvNHfnhfsrVgOMuk0
Chapters
00:00 Introduction to Insider Threat
00:26 Guest Introduction: Shawnee Delaney
00:58 CruiseCon 2025 Announcement
01:33 Shawnee's Career Journey
02:18 Understanding Espionage
03:43 Motivations Behind Espionage
07:46 Indicators of Insider Threat
10:48 Building a Positive Organizational Culture
18:21 Implementing an Insider Threat Program
21:05 Psychological Testing in Hiring
23:26 Assessing Organizational Culture
25:34 Core Values in the Navy and Marine Corps
26:16 A Commanding Officer's Story
28:32 Identifying Insider Threats
32:01 The Impact of Job Uncertainty
36:50 Gamifying Security Incentives
39:12 Building a Strong Security Culture
42:05 Final Thoughts and Recommendations
