On this episode of CISO Tradecraft , you can learn about the new Executive Order on Improving the Nation's Cyber Security. The episode provides a brief background on three security incidents which have influenced the Biden administration: SolarWinds Microsoft Exchange Servers Colonial Pipeline Attack The episode then overviews the various sections of the new Executive Order: Policy Removing Barriers to Sharing Threat Information Modernizing Federal Government Cybersecurity Enhancing Software Sup...
May 28, 2021•37 min•Ep. 31
This episode is sponsored by Indeni. On this episode of CISO Tradecraft , G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. Essentially it's quite common for organizations to change their cloud environment from what was declared in a Terraform or Cloud Formation Script. These unapproved cloud changes or Cloud Drift often create harmful misconfigurations and have the potential to create data loss e...
May 21, 2021•43 min•Ep. 30
Identity is the New Perimeter. On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management. Key topics include: Audit Trail Authentication Authorization Identity Compromise Least Privilege Microsegmentation Multi Factor Authentication (MFA) Privileged Access/Account Management (PAM) Role Based Access Control (RBAC) Single Sign On (SSO)...
May 14, 2021•45 min•Ep. 29
Have you ever heard a vendor has software features such as Artificial Intelligence (AI) or Machine Learning (ML)? What does that mean? On this episode we answer those questions so you know when vendors are full of it. Common reasons to use Artificial Intelligence Types of Artificial Intelligence What Machine Learning is How Machine Learning works How to select the right algorithm References How to Select Machine Learning Algorithms ML Algorithm Cheat Sheet 63 Machine Learning Algorithms...
May 08, 2021•44 min•Ep. 28
Today, CISO Tradecraft hosts a 5 minute discussion to talk about reflection. The concept is Roses, Buds, and Thorns. It’s an exercise designed to identify opportunities to make positive change. Roses- What’s working Buds - What are new ideas Thorns- What do we need to stop If you would like to learn more please check out the article from MITRE We would love to hear your feedback here . Thank you, CISO Tradecraft...
May 01, 2021•5 min•Ep. 27
On this episode CISO Tradecraft we dive into the world of blockchain. As a CISO you may be expected to explain to executives what the technology does and possibly how it works. Here's your briefing to make you successful. We'll cover: History of money and birth of bitcoin Why blockchain uniquely solves an age-old trust problem Potential business uses of blockchain technology Smart contracts and why they work Blockchain variants such as private and permissioned https://www.cisotradecraft.com...
Apr 23, 2021•45 min•Ep. 26
This episode CISO Tradecraft continues the Ransomware Discussion. Do you slay the dragon (avoid the ransom) or save the princess (recover your files)? Talking points include: Background on Ransomware What if we choose to pay a ransom? Is the Ransomware on the sanctions list? Negotiation/Payments Involving Law Enforcement Involving Legal Council Dealing with Cryptocurrencies...
Apr 16, 2021•45 min•Ep. 25
Would you like to know more about Ransomware? On this episode of CISO Tradecraft , G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware. Key discussions include: What is ransomware? Why does it work? Ransomware Types (Client-Side, Server-Side, & Hybrid) How each of these enter a target environment Ransomware Incidents The Economics of Ransomware How is Ransomware Evolving? Why Ransomware continues to work :( Ethical Issues to consider before paying Ransomware Defenses Ple...
Apr 08, 2021•46 min•Ep. 24
If there's one place that knows how Advanced Persistent Threat (APT) actors work, it's the National Security Agency (NSA). On this episode of CISO Tradecraft G Mark Hardy and Ross Young discuss NSA's Top Ten Cybersecurity Mitigation Strategies and how to use them to secure your company. Since the mitigation strategies are ranked by effectiveness against known APT tactics, they can be used to set the priorities for organizations to minimize mission impact from cyber attacks. Update and Upgrade So...
Apr 02, 2021•44 min•Ep. 23
Would you like to know the best practices in modern software development? On this episode G Mark Hardy and Ross Young overview the 12 Factor App and its best practices: Codebase: One codebase tracked in revision control with many deploys. Dependencies: Explicitly declare and isolate dependencies. Config: Store configurations in the environment. Backing Services: Treat backing services as attached resources Build, Release, Run: Strictly separate build and run stages Processes: Execute the app as ...
Mar 26, 2021•46 min•Ep. 22
This special episode features Mark Egan (Former CIO of Symantec as well as VMWare). Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College. Three Questions to ask during any interview: What do you like best about this role? What are the most challenging pieces of this role? What does success look like for this role one year into t...
Mar 19, 2021•44 min•Ep. 21
Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon? On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft: Microsoft's Zero Trust Principles Verify Explicitly Use Least Privileged Access Assume Breach NIST 800-207 Seven Tenets of Zero Trust All data sources and computing services are considered resources All communication is secured regardless of network location Access to individual ent...
Mar 12, 2021•45 min•Ep. 20
Every leader needs to know how to lead and manage a team. On this episode G Mark Hardy and Ross Young share tradecraft on team building. Pitfalls to team building with becoming a hero Organizational Maturity Models (Levels 1-5) Tuckman Teaming Model (Forming, Storming, Norming, and Performing) Leadership Styles (Telling, Selling, Participating, & Delegating) Aligning your Team and Regaining former employees...
Mar 05, 2021•45 min•Ep. 19
Having the ability to inspire confidence is crucial to lead others and allows you the opportunity to gain access to executive roles. On this episode G Mark Hardy and Ross Young discuss executive presence: What is it Why you need it How to get it We will discuss Gerry Valentine's 7 Key Steps to building Your executive presence: Have a vision, and articulate it well Understand how others experience you Build your communication skills Become an excellent listener Cultivate your network and build po...
Feb 26, 2021•48 min•Ep. 18
If you use email, this episode is for you. Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education.) These three tools all involve placing simple entries in your DNS records. To work effectively, the recipient also needs to be checking entries. They are: SPF = sender policy framework; designates only mail from designated IP address(es) or mail server(s) are valid...
Feb 19, 2021•47 min•Ep. 17
The Australian Cyber Security Center (ACSC) believes that not all cyber security controls are created equal. The have assessed various strategies to mitigate cyber security incidents and determined there are eight essential cyber security controls which safeguard any organization more than another control. These controls are commonly known as, "The Essential Eight" are highly recommended. Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g....
Feb 12, 2021•47 min•Ep. 16
As a CISO, one of the key functions you will be responsible for is IT Governance. On this episode we discuss what the intent is for a wide variety of cybersecurity documentation that you can leverage, influence, and enforce. Examples include: Policies Control Objectives Standards Guidelines Controls Procedures ... Helpful visual from ComplianceForge which shows how various documentation standards can be integrated Link...
Feb 05, 2021•46 min•Ep. 15
At some point in time, a CISO will need to purchase new security technology. Whether it's antivirus, firewalls, or SIEMs you need to understand how to choose a product that will benefit your organization for years to come. This podcast discusses 5 different techniques that CISOs can apply to help with product selection Perform Market Research to learn the players Gartner Magic Quadrant Forrester Wave Leverage Vendor Comparison Tools to spot the features Mitre ATT&CK Evaluation AV-Comparative...
Jan 29, 2021•48 min•Ep. 14
Have you ever wanted to become an executive, but didn’t know what skills to focus on? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government). The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required by all federal executives. Fundamental Competencies: Interpersonal Skills Oral Communication Integrity/Hones...
Jan 22, 2021•47 min•Ep. 13
Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security. The three ways of DevOps consist of: The First Way: Principles of Flow The Second Way: Principles of Feedback The Third Way: Principles of Continuous Learning If you would like to le...
Jan 15, 2021•45 min•Ep. 12
Most organizations generate revenue by hosting online transactions. Cryptography is a key enabler to securing online transactions in untrusted spaces. Therefore it's important for CISOs to understand how it works. This episode discusses the fundamentals of cryptography: What are the requirements for cryptography? How long has cryptography been around? Are there differences between legacy and modern cryptography? Differences between symmetric and asymmetric encryption Common use of encryption at ...
Jan 08, 2021•49 min•Ep. 11
Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to understand. This episode provides an in depth discussion of AWS's 7 design principles for securing the cloud: Implement a strong identity foundation Enable traceability Apply security at all layers Automate security best practices Protect data in transit and rest Keep people away from data Prepare for security events Please note the AWS Well-Architected Framework Security Design Principles can be foun...
Jan 01, 2021•45 min•Ep. 10
Have you ever wanted to learn the basic fundamentals of the cloud? This podcast provides a 50,000 foot view of the cloud. Specific discussions include: What is the cloud? What types of clouds are there and what are the differences? What is the term shared responsibility model and what does that mean for securing the cloud? Chapters 00:00 Introduction 02:10 The Basics of Cloud Computing 06:20 Cloud Computing and Infrastructure as a Service Model 10:17 The different levels of responsibility in an ...
Dec 25, 2020•45 min•Ep. 9
CISOs often encounter situations where everyone has a different opinion, it's a high stakes decision, and emotions are running high. These situations create crucial conversations opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8 step process from the book, "Crucial Conversations." Get Unstuck Start With Heart Master My Stories...
Dec 18, 2020•57 min•Ep. 8
On this Episode we will explore DevOps as a topic and discuss why you need to care as a CISO. Key discussions include: What are the key principles behind DevOps? What benefits does security see from DevOps? What is a CI/CD pipeline? What are common types of DevOps tools that I need to understand as a CISO? Where does DevSecOps fit in? What are 4 types of Application Security Testing tools we see in DevOps Pipelines? What are 3 common ways to make DevOps / DevSecOps go viral in any organization? ...
Dec 11, 2020•49 min•Ep. 7
If you want to make impact as a leader, then you need to understand how to lead change. This episode overviews Dr. John Kotter's 8-Step process to accelerating change. Create a sense of urgency Build a guiding coalition Form a strategic vision and initiatives Enlist a volunteer army Enable action by removing barriers Generate short-term wins Sustain acceleration Institute change We highly recommend you read Kotter's ebook to learn more: https://www.kotterinc.com/8-steps-process-for-leading-chang...
Dec 04, 2020•50 min•Ep. 6
Cyber Frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39) as well as provides useful tips on how to implement them. Chapters 00:00 Introductions 03:29 Creating a Framework for Cyber Security Programs 06:48 What are the Most Important Controls 11:08 Ha...
Nov 27, 2020•58 min•Ep. 5
If you want to assess your current level of security, then you should start with an asset management program. Asset management provides the basic building blocks to enable vulnerability management and remediation programs. This podcast provides key lessons learned on what is required for effective asset management as well as discuss how asset management evolves with the cloud. Listeners will also learn important steps to take to create a world class asset management program. Chapters 00:00 Intro...
Nov 20, 2020•39 min•Ep. 4
The ability to persuade others is a core tradecraft for every CISO. This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers). After listening to this podcast, you will understand how to more effectively tailor your message to best influence each style of executive. If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article, “Change the Way You Persuade”, by G...
Nov 13, 2020•39 min•Ep. 3
To become an effective CISO you need influence skills. On this episode we explore Robert Cialdini's book, "Influence" and discuss the psychology of persuasion. We will explore 6 key areas of influence: Liking- If people like you - because they sense that you like them, or because of things you have in common - they're more apt to say yes to you Reciprocity- People tend to return favors. If you help people, they'll help you. If you behave in a certain way (cooperatively, for example), they'll res...
Nov 06, 2020•46 min•Ep. 2
