Join G. Mark Hardy on this exciting episode of CISO Tradecraft as he interviews J.C. Vega, the first cyber colonel in the United States Army. Vega shares his invaluable insights on leadership, team building, and success strategies that can transform your cybersecurity career. Plus, learn about CruiseCon 2025, Wee Dram, and how you can take your leadership skills to the next level. Don't miss out on this episode packed with wisdom, actionable advice, and some fun anecdotes. Subscribe, comment, and share with your peers! Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10   JC Vega - https://www.linkedin.com/in/jcvega-cyber-colonel/  Transcripts: https://docs.google.com/document/d/1ExuX-WVO4_qqLoIZDuT0QS2VAvN2resW   Chapters 00:00 Introduction and Special Guest Announcement 01:15 Meet J.C. Vega: The First Cyber Colonel 01:55 The Wee Dram Community 03:39 Building a Trusted Cybersecurity Community 09:12 Leadership Principles from Military to Civilian Life 12:31 Building and Leading Effective Teams 24:17 The Peter Principle and Career Progression 24:49 Creating a Shared Understanding in Cybersecurity 26:43 Commander's Intent: Defining Success 29:29 Empowering Teams and Accepting Prudent Risk 36:19 Rules to Live By: The Vega's Top Three 44:58 Final Thoughts and Farewell

In this special Halloween episode of CISO Tradecraft, host G Mark Hardy delves into the lurking dangers of Shadow IT and Zombie IT within organizations. Learn about the origins, risks, and impacts of these hidden threats, and discover proactive measures that CISOs can implement to safeguard their IT ecosystems. Strategies discussed include rigorous asset management, automation, and comprehensive compliance reviews. Tune in for insights to foster a secure, compliant, and efficient IT environment, and don't miss out on an exclusive opportunity to join a cybersecurity conference aboard a luxury cruise.   Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10     Transcripts: https://docs.google.com/document/d/1lh-TQhaSOIA2rITaXgTaqugl7FRGevnn   Chapters  00:00 Introduction to Shadow IT and Zombie IT 02:14 Defining Shadow IT 04:58 Risks of Shadow IT 07:29 Introduction to Zombie IT 09:35 Risks of Zombie IT 11:25 Shadows vs Zombies 11:25 Comparing Shadow IT and Zombie IT 19:11 Lifecycle Management Strategies 19:56 Summarizing the Threats and Solutions 22:32 Final Thoughts and Call to Action

Unlocking SOC Excellence: Master the SOC Capability Maturity Model Join host G Mark Hardy in this compelling episode of CISO Tradecraft as he explores the revolutionary SOC Capability Maturity Model (SOC CMM) authored by Rob van Os. This episode is a must-watch for CISOs, aspiring CISOs, and cybersecurity professionals aiming to optimize their Security Operations Center (SOC). Learn how to measure, evaluate, and enhance your SOC's maturity across key domains including Business, People, Process, Technology, and Services. Gain insights into leveraging radar charts for visualizing SOC capabilities and hear case studies such as a mid-sized financial company’s remarkable improvements. Discover why understanding your SOC's strengths and weaknesses and conducting risk-based improvement planning are crucial. Don't miss out—elevate your cyber resilience today, subscribe, and share with your network to set your SOC on the path to excellence! References: SOC-CMM - https://www.soc-cmm.com/products/soc-cmm/ Robert van Os - https://www.linkedin.com/in/socadvisor/ Transcripts: https://docs.google.com/document/d/1Fk6_t9FMyYXDF-7EfgpX_ZjLc0iPAgfN Chapters 00:12 Introduction to CISO Tradecraft and SOCs 01:20 Understanding SOC CMM: A Game-Changing Tool 02:29 Evaluating SOC Maturity and Capability 06:04 Benefits and Implementation of SOC CMM 07:56 Understanding SOC Assessments 08:55 Deep Dive into SOC CMM Domains 12:42 Benefits and Flexibility of SOC CMM 14:40 Real-World Application and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges and misconceptions facing the next generation of cybersecurity professionals. The discussion covers the myth of a talent shortage, the shortcomings of current educational and certification programs, and the significance of aligning curricula with real-world needs. Hardy emphasizes the importance of hands-on experience, developing soft skills, and fostering continuous learning. The episode also highlights strategies for retaining talent, promoting internal training, and creating leadership opportunities to cultivate a skilled and satisfied cybersecurity workforce. Transcripts: https://docs.google.com/document/d/12fI2efHXuHR4dS3cu7P0UIBCtjBdgREI Chapters 00:00 Introduction to the Cybersecurity Talent Crisis 00:40 Debunking the Talent Shortage Myth 02:23 The Real Talent Gap: Mid-Career Professionals 03:04 Outsourcing and Its Impact on Entry-Level Jobs 08:29 Challenges in Cybersecurity Education 16:13 The Importance of Practical Skills Over Theory 23:52 The Importance of Writing Skills 25:10 Continuous Learning and Self-Investment 26:07 Performance and Career Progression 28:40 Mentorship and Onboarding 29:51 Training and Development Challenges 32:32 Retention Strategies 33:44 Engaging Junior Employees 39:07 Technology and Innovation 40:54 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, hosted by G Mark Hardy, you'll learn about four crucial tools in cloud security: CNAPP, CASB, CSPM, and CWPP. These tools serve various functions like protecting cloud-native applications, managing access security, maintaining cloud posture, and securing cloud workloads. The discussion covers their roles, benefits, key success metrics, and best practices for CISOs. As the cloud security landscape evolves, understanding and integrating these tools is vital for keeping your organization safe against cyber threats. Transcripts: https://docs.google.com/document/d/1Mx9qr30RuWrDUw1TLNkUDQ8xo4xvQdP_ Chapters  00:00 Introduction to Cloud Security Tools 02:24 Understanding CNAPP: The Comprehensive Cyber Defense 08:13 Exploring CASB: The Cloud Access Gatekeeper 11:12 Diving into CSPM: Ensuring Cloud Compliance 13:40 CWPP: Protecting Cloud Workloads 15:08 Best Practices for Cloud Security 15:54 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, hosts G Mark Hardy and Mark Rasch discuss the intersection of artificial intelligence and the law. Recorded at the COSAC computer conference in Dublin, this episode covers the legal implications of AI, copyright issues, AI-generated content, privacy concerns, and ethical considerations. They explore the nuances between directed and undirected AI, the importance of training data, and the potential risks and liabilities associated with AI-driven systems. Tune in for a deep dive into how AI is reshaping cybersecurity and legal landscapes. Transcripts: https://docs.google.com/document/d/1s_eDwz-FPuyxYZRJaOknWi2Ozjqmodrl Chapters 00:00 Introductions 01:13 Diving into Artificial Intelligence 04:04 Directed vs. Undirected AI 11:02 Legal and Ethical Issues of AI 23:47 AI and Copyright: Who Owns the Creation? 26:59 The Role of AI in Information Security 32:51 Ethical Dilemmas in AI Decision-Making 39:18 Future Challenges and Recommendations for AI

Join G. Mark Hardy in Torremolinos, Spain, for a deep dive into the security of Generative AI. This episode of CISO Tradecraft explores the basics of generative AI, including large language models like ChatGPT, and discusses the key risks and mitigation strategies for securing AI tools in the workplace. G. Mark provides real-world examples, insights into the industry's major players, and practical steps for CISOs to balance innovation with security. Discover how to protect sensitive data, manage AI-driven hallucinations, and ensure compliance through effective governance and ethical guidelines. Plus, get a glimpse into the future of AI vulnerabilities and solutions in the ever-evolving tech landscape. References OWASP Top 10 LLM Risks https://genai.owasp.org/ Gartner CARE Standard - https://www.gartner.com/en/documents/3980890 Make sure your controls work consistently over time (Consistency) Make sure your controls meet the business needs (Adequacy) Make sure your controls are appropriate and fair (Reasonableness) Make sure your controls produce the desire outcome (Effectiveness) Transcripts: https://docs.google.com/document/d/1V2ar7JBO503MN0RZcH7Q7VBkQUW9MYk6 Chapters 00:00 Introduction from Spain 00:42 Understanding Generative AI 03:25 Major Players in Generative AI 05:02 Risks of Generative AI 15:14 Mitigating Generative AI Risks 18:23 Implementing Solutions 24:09 Conclusion and Call to Action

G Mark Hardy dives deep into effective strategies for securing your business. Learn why it's essential for cybersecurity leaders to communicate the real business impact of vulnerabilities and discover the importance of identifying and prioritizing critical business processes.  Gain insights from historical references and practical frameworks like the CIA triad (Confidentiality, Integrity, Availability) to bolster your organization's cybersecurity posture. Tune in as G Mark, broadcasting from Glasgow, Scotland, shares valuable lessons on proactive security measures, risk-based decision-making, and crisis recovery strategies. 7 critical business processes common to most organizations. Book  Order  Bill  Pay Ship  Close Communicate  Transcripts https://docs.google.com/document/d/1Ra3c0J5Wo6s2BSqhNoNyqm9D65ogT07h Chapters 00:00 Introduction to Securing the Business 00:12 Begin Podcast 01:08 Understanding Critical Business Processes 02:23 Identifying and Prioritizing Business Functions 03:00 Real-World Example: Restaurant Booking System 04:57 Decision Making in Crisis Situations 10:38 Mapping Confidentiality, Integrity, and Availability 19:42 Conclusion and Final Thoughts

Join host G Mark Hardy as he dives deep into the complexities of compliance and reporting, featuring special guests Brian Bradley and Josh Williams from FedShark. Discover a unique and streamlined approach to compliance using FedShark's innovative tools and AI-assisted systems. Learn about their exclusive offers for CISO Tradecraft listeners, including free downloads and discounted pre-assessment tools. Topics covered include CMMC, HIPAA, PCI, and more. Whether you're part of the Defense Industrial Base or dealing with multiple compliance frameworks, this episode is packed with practical advice to make your compliance journey smoother and more effective. Thanks to our podcast sponsor, Fedshark CISO Traderaft Promo & Link to CMMC White Papers: https://fedshark.com/ciso RapidAssess: https://fedshark.com/rapid-assess Company website: https://fedshark.com FedShark Blog: https://fedshark.com/blog Schedule a Demo: https://fedshark.com/contact-us LinkedIn Matt Beaghley: https://www.linkedin.com/in/mbeaghley/ LinkedIn Brian Bradley: https://www.linkedin.com/in/brian-bradley-97a82668/   Chapters  00:00 Introduction and Special Offer 03:18 Meet the Experts: Brian and Josh 06:49 Challenges in Compliance 16:23 Understanding CMMC 29:02 Understanding Scope in Compliance 30:22 Introducing the AI-Enhanced Compliance Solution 31:24 Streamlining Interviews and Documentation 42:19 Final Thoughts and Recommendations

G Mark Hardy and guest Deb Radcliff talk about experiences and takeaways from Black Hat, and delve into the dynamic world of cybersecurity. Deb shares her perspectives on the intersection of AI, DevSecOps, and cyber warfare, while highlighting insights from her 'Breaking Backbones' trilogy.  Transcripts: https://docs.google.com/document/d/1XN9HjdljJYKlUITrxZ10HTq9e91R8FNT Book 1: Breaking Backbones: Information Is Power         https://amzn.to/4dLSBxQ Book 2: Breaking Backbones: Information Should Be Free         https://amzn.to/4e3BRlB Book 3: Breaking Backbones: From Chaos to Order         https://amzn.to/3X8e4u2 Chapters 00:00 Introduction and Welcome Back 01:18 Black Hat and Security Leaders Dinner 04:39 The Evolution of Cybersecurity Conferences 10:59 AI and Cybersecurity Trends 22:01 The Chip Dilemma: Parenting in a Monitored Society 23:09 Crafting Characters: Inspirations and Transformations 25:58 Writing Process: From Drafts to Details 31:38 Future of Cybersecurity: Autonomous Systems and Legal Challenges

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Snehal Antani, co-founder of Horizon3.AI, to discuss the crucial interplay between offensive and defensive cybersecurity tactics. They explore the technical aspects of how observing attacker behavior can enhance defensive strategies, why traditional point-in-time pen testing may be insufficient, and how autonomous pen testing can offer continuous, scalable solutions. The conversation delves into Snehal’s extensive experience, the importance of readiness over compliance, and the future of cybersecurity tools designed with humans out of the loop. Tune in to learn how to elevate your cybersecurity posture in a rapidly evolving threat landscape. Horizon3 - https://www.horizon3.ai Snehal Antani - https://www.linkedin.com/in/snehalantani/ Transcripts: https://docs.google.com/document/d/1IFSQ8Uoca3I7TLqNHMkvm2X-RHk8SWpo Chapters: 00:00 Introduction and Guest Welcome 01:43 Background and Experience of Snehal Antani 03:09 Challenges and Limitations of Traditional Pen Testing 14:47 The Future of Pen Testing: Autonomous Systems 23:10 Leveraging Data for Cybersecurity Insights 24:02 Expanding the Attack Surface: Cloud and Supply Chain 24:46 Third-Party Risk Management Evolution 44:37 Future of Cyber Warfare: Algorithms vs. Humans

In this episode of CISO Tradecraft, host G Mark Hardy delves into the intricate world of Identity and Access Management (IAM). Learn the essentials and best practices of IAM, including user registration, identity proofing, directory services, identity federation, credential issuance, and much more. Stay informed about the latest trends like proximity-based MFA and behavioral biometrics. Understand the importance of effective IAM implementation for safeguarding sensitive data, compliance, and operational efficiency. Plus, hear real-world examples and practical advice on improving your IAM strategy for a secure digital landscape. Transcripts: https://docs.google.com/document/d/15zUupqhCQz9llwy21GW5cam8qXgK80JB Chapters 00:00 Introduction to CISO Tradecraft 01:24 Understanding Identity and Access Management (IAM) 01:54 Gartner's Magic Quadrant and IAM Vendors 03:29 The Importance of IAM in Enterprises 04:28 User Registration and Verification 06:48 Password Policies and Best Practices 09:53 Identity Proofing Techniques 14:53 Directory Services and Role Management 18:27 Identity Federation and Credential Issuance 22:22 Profile and Role Management 26:17 Identity Lifecycle Management 29:23 Access Management Essentials 35:05 Review and Conclusion

In this comprehensive episode of CISO Tradecraft, host G Mark Hardy sits down with Christian Hyatt, author of 'The Security Team Operating System'. Together, they delve into the five essential components needed to transform your cyber security team from reactive to unstoppable. From defining purpose and values to establishing clear roles, rhythms, and goals, this podcast offers practical insights and tools that can improve the efficacy and culture of your security team. If you're looking for strategic frameworks to align your team with business objectives and create a resilient security culture, you won't want to miss this episode! Christian Hyatt's LinkedIn Profile: https://www.linkedin.com/in/christianhyatt/ Link to the Book: https://a.co/d/aHpXXfr Transcripts: https://docs.google.com/document/d/1ogBdtJolBJTOVtqyFLO5onuLxBsfqqQP Chapters 00:00 Introduction and Guest Welcome 01:31 Overview of the Security Team Operating System 03:31 Deep Dive into the Five Elements 07:53 Aligning Security with Business Objectives 21:59 Defining Core Values for Security Teams 25:03 Aligning Organizational and Team Values 26:05 Establishing Clear Roles and Responsibilities 30:58 Implementing Effective Rhythms and Goals

Join host G Mark Hardy in this episode of CISO Tradecraft as he welcomes Olivia Rose, an experienced CISO and founder of the Rose CISO Group. Olivia discusses her journey in cybersecurity from her start in marketing to becoming a VCISO. They delve into key topics including the transition from CISO to VCISO, strategies for managing time and stress, the importance of understanding board dynamics, and practical advice on mentoring new entrants in the cybersecurity field. Olivia also shares her insights on maintaining business alignment, handling insurance as a contractor, and building a personal brand in the cybersecurity community. Olivia Rose: https://www.linkedin.com/in/oliviarosecybersecurity/ Transcripts: https://docs.google.com/document/d/1S42BepIh1QQHVWsdhhgx6x99U188q5eL Chapters 00:00 Introduction and Guest Welcome 01:14 Olivia Rose's Career Journey 06:42 Challenges in Cybersecurity Careers 15:47 Communicating with the Board 22:57 Navigating Compliance and Legal Challenges 24:10 Building Strategic Relationships 25:46 Aligning Security with Business Goals 35:05 The Importance of Reputation and Branding

In this episode of CISO Tradecraft, host G Mark Hardy continues an in-depth discussion with cybersecurity attorney Thomas Ritter on the legal considerations for cybersecurity leaders. The episode touches on essential topics such as immediate legal steps after a data breach, the importance of using correct terminology, understanding attorney-client privilege and discovery, GDPR's impact, data localization, and proactive measures CISOs should take. The conversation also explores the implications of evolving cybersecurity laws and regulations like the Digital Operations Resilience Act and the potential criminal liabilities for CISOs. Thomas Ritter: https://www.linkedin.com/in/thomas-ritter-2b91014a/ Transcripts: https://docs.google.com/document/d/15xQINUOdziGdcEFfh5SN8lS7svtK0JCT   Chapters 00:00 Introduction and Recap of Part 1 01:43 Starting the Discussion: Data Breaches 02:22 Legal Steps After a Data Breach 07:19 Understanding Attorney-Client Privilege 08:21 Discovery in Legal Cases 13:31 Staying Updated on Cybersecurity Laws 19:38 Impact of GDPR on Cybersecurity 32:00 Data Localization Challenges 34:55 Proactive Legal Preparedness 37:23 Final Thoughts and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy interviews cybersecurity lawyer Thomas Ritter. They discuss key legal topics for CISOs, including regulatory compliance, managing third-party risk, responding to data breaches, and recent legislative impacts. Thomas shares his journey into cybersecurity law and provides practical advice and real-world examples. Key points include the challenges of keeping up with evolving regulations, the intricacies of vendor management, and the implications of recent Supreme Court rulings. They also touch on major breaches like SolarWinds and Colonial Pipeline, exploring lessons learned and the importance of implementing essential security controls. Thomas Ritter - https://www.linkedin.com/in/thomas-ritter-2b91014a/ Transcripts: https://docs.google.com/document/d/1EvZ_dOpFOLCSSv5ffqxCoMnLZDOnUv_K Chapters 00:00 Introduction to CISO Tradecraft 00:48 Meet Thomas Ritter: Cybersecurity Lawyer 03:48 Legal Challenges for CISOs 04:54 Managing Third-Party Risks 13:01 Understanding Legal and Statutory Obligations 15:57 Supreme Court Rulings and Cybersecurity 32:57 Lessons from High-Profile Cyber Attacks 38:32 Ransomware Epidemic and Law Enforcement 43:30 Conclusion and Contact Information

Emotional Intelligence for Cybersecurity Leaders | CISO Tradecraft In this episode of CISO Tradecraft, host G Mark Hardy delves into the essential topic of emotional intelligence (EI) for cybersecurity leaders. He explores the difference between IQ and EI, the origins and significance of emotional intelligence, and its impact on leadership effectiveness. The episode covers various models of EI, including the Ability Model, the Trait Model, and the Mixed Model, and emphasizes practical actions to enhance EI, such as self-awareness, self-regulation, empathy, and social skills. Tune in to understand how developing emotional intelligence can significantly benefit your career, leadership performance, and personal life.    Transcripts: https://docs.google.com/document/d/15pyhXu3XVHJ_VE1OwKjSqM73Rybjbsm0   Chapters: 00:00 Introduction to CISO Tradecraft 00:53 Understanding IQ: The Basics 04:08 Introduction to Emotional Intelligence 07:38 Models of Emotional Intelligence 13:06 The Importance of Emotional Intelligence in Leadership 25:12 Practical Steps to Improve Emotional Intelligence 32:42 Conclusion and Final Thoughts

Securing Small Businesses: Essential Cybersecurity Tools and Strategies In this episode of CISO Tradecraft, host G Mark Hardy discusses cybersecurity challenges specific to small businesses. He provides insights into key tools and strategies needed for effective cybersecurity management in small enterprises, including endpoint management, patch management, EDR tools, secure web gateways, IAM solutions, email security gateways, MDR services, and password managers. Hardy also evaluates these tools against the CIS Critical Security Controls to highlight their significance in safeguarding small business operations. Transcripts: https://docs.google.com/document/d/1Hon3h950myI7A3jzGmj7YIwRXow5W1V5 Chapters 00:00 Introduction to CISO Tradecraft 00:40 Challenges of Cybersecurity in Small Businesses 01:15 Defining Small Business and Security Baselines 01:53 Top Cybersecurity Tools for Small Businesses 02:05 Hardware and Software Essentials 04:35 Patch Management Solutions 05:19 Endpoint Detection and Response (EDR) Tools 06:06 Secure Web Gateways and Website Security 11:21 Identity and Access Management (IAM) 12:57 Email Security Gateways 14:15 Managed Detection and Response (MDR) Solutions 14:54 Recap of Essential Cybersecurity Tools 15:41 Bonus Tool: Password Managers 18:33 Aligning with CIS Controls 24:48 Conclusion and Call to Action

Welcome to another episode of CISO Tradecraft with your host, G. Mark Hardy! In this episode, we dive into how CISOs can drive the profitable growth of their company's products and services. Breaking the traditional view of security as a cost center, Mark illustrates ways CISOs can support business objectives like customer outreach, service enablement, operational resilience, and cost reduction. Tune in for insightful strategies to improve your impact as a cybersecurity leader and a sneak peek at our upcoming CISO training class! If you would like to learn more about our class, drop us a comment: https://www.cisotradecraft.com/comment Transcripts: https://docs.google.com/document/d/19SDBdQSTLc58sP5ynwzhuedNHzk7QPKj Chapters 00:00 Introduction to Profitable Growth for CISOs 01:16 Understanding Profit and Business Objectives 03:24 Enhancing Customer Experience through Cybersecurity 08:51 Service Enablement and Upselling Strategies 11:39 Ensuring Operational Resilience 13:36 Cost Reduction and Efficiency Improvements 18:31 Recap and Final Thoughts 19:10 Exciting Announcement: CISO Training Course

Exploring AI in Cybersecurity: Insights from an Expert - CISO Tradecraft with Tom Bendien In this episode of CISO Tradecraft, host G Mark Hardy sits down with AI expert Tom Bendien to delve into the impact of artificial intelligence on cybersecurity. They discuss the basics of AI, large language models, and the differences between public and private AI models. Tom shares his journey from New Zealand to the U.S. and how he became involved in AI consulting. They also cover the importance of education in AI, from executive coaching to training programs for young people. Tune in to learn about AI governance, responsible use, and how to prepare for the future of AI in cybersecurity. Transcripts: https://docs.google.com/document/d/1x0UTLiQY7hWWUdfPE6sIx7l7B0ip7CZo Chapters 00:00 Introduction and Guest Welcome 00:59 Tom Bendien's Background and Journey 02:30 Diving into AI and ChatGPT 04:29 Understanding AI Models and Neural Networks 07:11 The Role of Agents in AI 10:10 Challenges and Ethical Considerations in AI 13:47 Open Source AI and Security Concerns 18:32 Apple's AI Integration and Compliance Issues 24:01 Navigating AI in Cybersecurity 25:09 Ethical Dilemmas in AI Usage 27:59 AI Coaching and Its Importance 32:20 AI in Education and Youth Engagement 35:55 Career Coaching in the Age of AI 39:20 The Future of AI and Its Saturation Point 42:07 Final Thoughts and Contact Information

In this episode of CISO Tradecraft, host G Mark Hardy delves into the complex intersection of ethics and artificial intelligence. The discussion covers the seven stages of AI, from rule-based systems to the potential future of artificial superintelligence. G Mark explores ethical frameworks, such as rights-based ethics, justice and fairness, utilitarianism, common good, and virtue ethics, and applies them to AI development and usage. The episode also highlights ethical dilemmas, including privacy concerns, bias, transparency, accountability, and the impacts of AI on societal norms and employment. Learn about the potential dangers of AI and how to implement and control AI systems ethically in your organization.    Transcripts: https://docs.google.com/document/d/10AhefqdhkT0PrEbh8qBZVn9wWS6wABO6 Chapters 00:00 Introduction to CISO Tradecraft 01:01 Stages of Artificial Intelligence 03:33 Ethical Implications of AI 05:24 Business Models and Data Security 13:52 Ethical Frameworks Explained 23:18 AI and Human Behavior 25:44 The TikTok Feedback Loop and Digital Addiction 26:54 AI's Unpredictable Capabilities 28:25 The Ethical Dilemmas of AI 30:57 Generative AI and Its Implications 42:10 The Role of Government and Society in AI Regulation 45:49 Conclusion and Ethical Considerations

In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges complexity introduces to cybersecurity, debunking the myth that more complex systems are inherently more secure. Through examples ranging from IT support issues to the intricacies of developing a web application with Kubernetes, the discussion highlights how complexity can obscure vulnerabilities, increase maintenance costs, and expand the attack surface. The episode also offers strategies to tackle complexity, including standardization, minimization, automation, and feedback-driven improvements, aiming to guide cybersecurity leaders toward more effective and less complex security practices. Transcripts: https://docs.google.com/document/d/1J0rPr0HxULpeVJMIwXKXqHuCfnXn4gDu Chapters  00:00 Introduction 01:03 The Misconception of Complexity in Cybersecurity 02:41 Real-World Complexities and Their Impact on IT 10:06 Simplifying Cybersecurity: Strategies and Solutions 14:48 Conclusion: Embracing Simplicity in Cybersecurity

This episode of CISO Tradecraft features a conversation between host G. Mark Hardy and Chris Rothe, co-founder of Red Canary, focusing on cloud security, managed detection and response (MDR) services, and the evolution of cybersecurity practices. They discuss the genesis of Red Canary, the significance of their company name, and the distinctions between Managed Security Service Providers (MSSPs) and MDRs. The conversation also covers the importance of cloud security, the challenges of securing serverless and containerized environments, and leveraging open-source projects like Atomic Red Team for cybersecurity. They conclude with insights on the cybersecurity labor market, the value of threat detection reports, and the future of cloud security. Red Canary: https://redcanary.com/ Chris Rothe: https://www.linkedin.com/in/crothe/ Transcripts: https://docs.google.com/document/d/1XN4Bp7Sa2geGCVaHuqMRmJckms4q7_L6  

This episode of CISO Tradecraft, hosted by G Mark Hardy, features special guest Debbie Gordon. The discussion focuses on the critical role of Security Operations Centers (SOCs) in an organization's cybersecurity efforts, emphasizing the importance of personnel, skill development, and maintaining a high-performing team. It covers the essential aspects of building and managing a successful SOC, from hiring and retaining skilled incident responders to measuring their performance and productivity. The conversation also explores the benefits of simulation-based training with CloudRange Cyber, highlighting how such training can improve job satisfaction, reduce incident response times, and help organizations meet regulatory requirements. Through this in-depth discussion, listeners gain insights into best practices for enhancing their organization's cybersecurity posture and developing key skill sets to defend against evolving cyber threats. Cloud Range Cyber: https://www.cloudrangecyber.com/ Transcripts: https://docs.google.com/document/d/18ILhpOgHIFokMrkDAYaIEHK-f9hoy63u  Chapters 00:00 Introduction 01:04 The Indispensable Role of Security Operations Centers (SOCs) 02:07 Building an Effective SOC: Starting with People 03:04 Measuring Productivity and Performance in Your SOC 05:36 The Importance of Continuous Training and Simulation in Cybersecurity 09:00 Debbie Gordon on the Evolution of Cyber Training 11:54 Developing Cybersecurity Talent: The Importance of Simulation Training 14:46 The Critical Role of People in Cybersecurity 21:57 The Impact of Regulations on Cybersecurity Practices 24:36 The Importance of Proactive Cybersecurity Training 26:26 Redefining Cybersecurity Roles and Training Approaches 30:08 Leveraging Cyber Ranges for Real-World Cybersecurity Training 36:03 Evaluating and Enhancing Cybersecurity Skills and Team Dynamics 37:49 Maximizing Cybersecurity Training ROI and Employee Engagement 41:40 Exploring CloudRange Cyber's Training Solutions 43:28 Conclusion: The Future of Cybersecurity Training

In this episode of CISO Tradecraft, host G Mark Hardy discusses the findings of the 2024 Verizon Data Breach Investigations Report (DBIR), covering over 10,000 breaches. Beginning with a brief history of the DBIR's inception in 2008, Hardy highlights the evolution of cyber threats, such as the significance of patching vulnerabilities and the predominance of hacking and malware. The report identifies the top methods bad actors use for exploiting companies, including attacking VPNs, desktop sharing software, web applications, conducting phishing, and stealing credentials, emphasizing the growing sophistication of attacks facilitated by technology like ChatGPT for phishing and deepfake tech for social engineering. The episode touches on various cybersecurity measures, the omnipresence of multi-factor authentication (MFA) as a necessity rather than a best practice, and the surge in denial-of-service (DDoS) attacks. Hardy also discusses generative AI's role in enhancing social engineering attacks and the potential impact of deepfake content on elections and corporate reputations. Listeners are encouraged to download the DBIR for a deeper dive into its findings. Transcripts: https://docs.google.com/document/d/1HYHukTHr6uL6khGncR_YUJVOhikedjSE  Chapters 00:00 Welcome to CISO Tradecraft 00:35 Celebrating Milestones and Offering Services 01:39 Diving into the Verizon Data Breach Investigations Report 04:22 Top Attack Methods: VPNs and Desktop Sharing Software Vulnerabilities 09:24 The Rise of Phishing and Credential Theft 19:43 Advanced Threats: Deepfakes and Generative AI 23:23 Closing Thoughts and Recommendations

In this joint episode of the Security Break podcast and CISO Tradecraft podcast, hosts from both platforms come together to discuss a variety of current cybersecurity topics. They delve into the challenge of filtering relevant information in the cybersecurity sphere, elaborate on different interpretations of the same news based on the reader's background, and share a detailed analysis on specific cybersecurity news stories. The discussion covers topics such as the implications of data sharing without user consent by major wireless providers and the fines imposed by the FCC, the significance of increasing bug bounty payouts by tech companies like Google, and a comprehensive look at how edge devices are exploited by hackers to create botnets for various cyberattacks. The conversation addresses the complexity of the cybersecurity landscape, including how different actors with varied objectives can simultaneously compromise the same devices, making it difficult to attribute attacks and protect networks effectively. Transcripts: https://docs.google.com/document/d/1GtFIWtDf_DSIIgs_7CizcnAHGnFTTrs5 Chapters 00:00 Welcome to a Special Joint Episode: Security Break & CISO Tradecraft 01:27 The Challenge of Filtering Cybersecurity Information 04:23 Exploring the FCC's Fine on Wireless Providers for Privacy Breaches 06:41 The Complex Landscape of Data Privacy Regulations 16:00 The Economics of Data Breaches and Regulatory Fines 24:23 Bug Bounties and the Value of Security Research 33:21 Exploring the Economics of Cybersecurity 33:50 The Lucrative World of Bug Bounties 34:38 The Impact of Security Vulnerabilities on Businesses 35:50 Navigating the Complex Landscape of Cybersecurity 36:22 The Ethical Dilemma of Selling Exploit Information 37:32 Understanding the Market Dynamics of Cybersecurity 38:00 Focusing on Android Application Security 38:34 The Importance of Targeting in Cybersecurity Efforts 42:33 Exploring the Threat Landscape of Edge Devices 46:37 The Challenge of Securing Outdated Technology 49:28 The Role of Cybersecurity in Modern Warfare 53:15 Strategies for Enhancing Cybersecurity Defenses 01:05:25 Concluding Thoughts on Cybersecurity Challenges

In this episode of CISO Tradecraft, host G. Mark Hardy discusses seven critical issues facing the cybersecurity industry, offering a detailed analysis of each problem along with counterarguments. The concerns range from the lack of a unified cybersecurity license, the inefficiency and resource waste caused by auditors, to the need for a federal data privacy law. Hardy emphasizes the importance of evaluating policies, prioritizing effective controls, and examining current industry practices. He challenges the audience to think about solutions and encourages sharing opinions and additional concerns, aiming to foster a deeper understanding and improvement within the field of cybersecurity. Transcripts: https://docs.google.com/document/d/1H_kTbCG8n5f_d1ZHNr1QxsXf82xb08cG Chapters 00:00 Introduction 01:28 Introducing the Seven Broken Things in Cybersecurity 02:00 1. The Lack of a Unified Cybersecurity License 06:53 2. The Problem with Cybersecurity Auditors 10:09 3. The Issue with Treating All Controls as High Priority 14:12 4. The Obsession with New Cybersecurity Tools 19:23 5. Misplaced Accountability in Cybersecurity 22:38 6. Rethinking Degree Requirements for Cybersecurity Jobs 26:49 7. The Need for Federal Data Privacy Laws 30:53 Closing Thoughts and Call to Action

In this episode of CISO Tradecraft, hosts G Mark Hardy and guests Jeff Majka and Andrew Dutton discuss the vital role of competitive threat intelligence in cybersecurity. They explore how Security Bulldog's AI-powered platform helps enterprise cybersecurity teams efficiently remediate vulnerabilities by processing vast quantities of data, thereby saving time and enhancing productivity. The conversation covers the importance of diverse threat intelligence sources, including open-source intelligence and insider threat awareness, and the strategic value of AI in analyzing and prioritizing data to manage cybersecurity risks effectively. The discussion also touches on the challenges and potentials of AI in cybersecurity, including the risks of data poisoning and the ongoing battle between offensive and defensive cyber operations. The Security Bulldog: https://securitybulldog.com/contact/ Transcripts: https://docs.google.com/document/d/1D6yVMAxv16XWtRXalI5g-ZdepEMYmQCe Chapters 00:00 Introduction 00:56 Introducing the Experts: Insights from the Field 02:43 Unpacking Cybersecurity Intelligence: Definitions and Importance 04:02 Exploring Cyber Threat Intelligence (CTI): Applications and Strategies 13:11 The Role of AI in Enhancing Cybersecurity Efforts 16:43 Navigating the Complex Landscape of Cyber Threats and Defenses 19:07 The Future of AI in Cybersecurity: A Balancing Act 22:33 Exploring AI's Role in Cybersecurity 22:50 The Practical Application of AI in Cybersecurity 25:08 Challenges and Trust Issues with AI in Cybersecurity 26:52 Managing AI's Risks and Ensuring Reliability 31:00 The Evolution and Impact of AI Tools in Cyber Threat Intelligence 34:45 Choosing the Right AI Solution for Cybersecurity Needs 37:27 The Business Case for AI in Cybersecurity 41:22 Final Thoughts and the Future of AI in Cybersecurity  

This episode of CISO Tradecraft features a comprehensive discussion between host G Mark Hardy and guest Rafeeq Rehman, centered around the evolving role of CISOs, the impact of Generative AI, and strategies for effective cybersecurity leadership. Rafeeq shares insights on the CISO Mind Map, a tool for understanding the breadth of responsibilities in cybersecurity leadership, and discusses various focal areas for CISOs in 2024-2025, including the cautious adoption of Gen AI, tool consolidation, cyber resilience, branding for security teams, and maximizing the business value of security controls. The episode also addresses the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security. Cybersecurity Learning Saturday: https://www.linkedin.com/company/cybersecurity-learning-saturday/ 2024 CISO Mindmap: https://rafeeqrehman.com/2024/03/31/ciso-mindmap-2024-what-do-infosec-professionals-really-do/ Transcripts: https://docs.google.com/document/d/1axXQJoAdJI26ySKVfROI9rflvSe9Yz50 Chapters  00:00 Introduction 00:57 Rafeeq Rehman: Beyond the CISO MindMap 04:17 The Evolution of the CISO MindMap 08:30 AI and the Future of Cybersecurity Leadership 11:47 Embracing Change: The Role of AI in Cybersecurity 14:16 Generative AI: Hype, Reality, and Strategic Advice for CISOs 22:32 Navigating the Future Job Market with AI 22:53 Framing AI for Specific Roles 24:12 Harnessing Creativity with Generative AI 25:14 Consolidating Security Tools for Efficiency 28:31 Evaluating Security Tools: A Deep Dive 32:21 Cyber Resilience: Beyond Incident Response 35:51 Building a Business-Focused Security Strategy 39:39 Maximizing Business Value Through Security 43:15 Looking Ahead: Focus Areas for the Future 43:53 Concluding Thoughts and Future Predictions

In this episode of CISO Tradecraft, host G Mark Hardy welcomes Alex Dorr to discuss Reality-Based Leadership and its impact on reducing workplace drama and enhancing productivity. Alex shares his journey from professional basketball to becoming an evangelist of reality-based leadership, revealing how this approach helped him personally and professionally. They delve into the concepts of SBAR (Situation, Background, Analysis, Recommendation) for effective communication, toggling between low self and high self to manage personal reactions, and practical tools like 'thinking inside the box' to confront and solve workplace issues within given constraints. The conversation underscores the importance of focusing on actionable strategies over arguing with the drama and reality of workplace dynamics, aiming to foster a drama-free, engaged, and productive work environment. Alex Dorr's Linkedin: https://www.linkedin.com/in/alexmdorr/ Reality-Based Leadership Website: https://realitybasedleadership.com/  Transcripts: https://docs.google.com/document/d/1wge0pFLxE4MkS6neVp68bdz8h9mHrwje    Chapters 00:00 Introduction 00:57 Alex Dorr's Journey from Basketball to Leadership Expert 03:54 The Core Principles of Reality-Based Leadership 06:20 Understanding the Human Condition in the Workplace 09:19 Tackling Workplace Drama with Reality-Based Leadership 11:58 The Power of Positive Energy Management 17:42 Navigating Unpreferred Realities and Finding Impact 19:44 Reality-Based Leadership in Action: Techniques and Outcomes 23:12 The Importance of Skill Development Over Perfecting Reality 24:32 The Challenge of Employee Engagement 25:49 Secrets to Embracing Reality and Taking Action 25:58 Leadership vs. Management: Navigating Workplace Dynamics 28:28 Empowering Employees with the SBAR Framework 34:04 Addressing Venting and Negative Behaviors 36:17 Developing People: The Core of Leadership 37:50 Choosing Happiness Over Being Right 40:15 Integrating New Leadership Models and Making Them Stick 46:24 Concluding Thoughts and Contact Information

This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements. AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/ NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity  Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud Chapters 00:00 Introduction 00:35 Why Part 500 Matters Beyond New York 01:48 The Evolution of Financial Cybersecurity Regulations 03:20 Understanding Part 500: Definitions and Amendments 08:44 The Importance of Multi-Factor Authentication 14:33 Navigating the Complexities of Cybersecurity Regulations 20:23 The Critical Role of Asset Management and Access Privileges 25:37 The Essentials of Application Security and Risk Assessment 31:11 Incident Response and Business Continuity Management 32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation

In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture. OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/ OWASP Top 10: https://owasp.org/www-project-top-ten/ Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32 Chapters 00:00 Introduction 01:11 Introducing OWASP: A Pillar in Cybersecurity 02:28 The Evolution of Web Vulnerabilities 05:01 Exploring Web Application Security Risks 07:46 Diving Deep into OWASP Top 10 Risks 09:28 1) Broken Access Control 14:09 2) Cryptographic Failures 18:40 3) Injection Attacks 23:57 4) Insecure Design 25:15 5) Security Misconfiguration 29:27 6) Vulnerable and Outdated Software Components 32:31 7) Identification and Authentication Failures 36:49 8) Software and Data Integrity Failures 38:46 9) Security Logging and Monitoring Practices 40:32 10) Server Side Request Forgery (SSRF) 42:15 Recap and Conclusion: Mastering Web Application Security

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management. Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/ Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207 Chapters 00:00 Introduction 00:56 Understanding Vulnerability Management 02:15 How Bad Actors Exploit Vulnerabilities 04:26 Building a Comprehensive Vulnerability Management Program 08:10 Prioritizing and Remediation of Vulnerabilities 13:09 Optimizing the Patching Process 15:28 Measuring and Improving Vulnerability Management Effectiveness 18:28 Gamifying Vulnerability Management for Better Results 20:38 Securing Executive Buy-In for Enhanced Security 21:15 Conclusion and Further Resources

This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents. Outline & References: https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/ Chapters 00:00 Introduction 00:47 The Importance of Tabletop Exercises 01:53 The Benefits of Tabletop Exercises 03:06 How to Implement Tabletop Exercises 05:30 The Role of Tabletop Exercises in Compliance 08:24 The Participants in Tabletop Exercises 09:25 The Preparation for Tabletop Exercises 16:57 The Execution of Tabletop Exercises 21:58 Understanding Roles and Responsibilities in an Exercise 22:17 The Importance of a Hot Wash Up 23:36 Creating an After Action Report (AAR) 24:06 Implementing an Action Plan 24:34 Example Scenario: Network Administrator's Mistake 25:08 Formulating Targeted Questions for the Scenario 26:36 The Role of Innovation in Tabletop Exercises 27:11 The Connection Between Tabletop Exercises and Compliance 29:18 12 Key Steps to a Successful Exercise 30:43 The Importance of Realistic Scenarios 34:05 The Role of Communication in Crisis Management 37:33 The Impact of Cyber Attacks on Operations 39:57 The Importance of Tabletop Exercises and How to Get Started 40:35 Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity. Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2 Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9 Chapters 00:00 Introduction 01:44 Discussion on Software Supply Chain Security 02:33 Insights into Secure Development Life Cycle 03:20 Understanding the Importance of Supplier Landscape 05:09 The Role of Security in Software Supply Chain 07:29 The Impact of Vulnerabilities in Software Supply Chain 09:06 The Importance of Secure Software Development Life Cycle 14:13 The Role of Frameworks and Standards in Software Supply Chain Security 17:39 Understanding the Importance of Business Continuity Plan 20:53 The Importance of Security in Agile Development 24:01 Understanding OWASP and Secure Coding 24:20 The Importance of API Security 24:50 The Concept of Shift Left in Software Development 25:20 The Role of Culture in Software Development 25:52 Exploring Different Source Code Types 26:19 The Rise of Low Code, No Code Platforms 28:53 The Potential Risks of Generative AI Source Code 34:24 Understanding Software Bill of Materials (SBOM) 41:07 The Challenge of Spotting Counterfeit Software 41:36 The Importance of Integrity Checks in Software Development 45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges. Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/ Chapters 00:00 Introduction 00:22 Understanding Responsibility, Accountability, and Authority 01:20 The Role of Leadership in Cybersecurity 02:47 Exploring the Concepts of Responsibility, Authority, and Accountability 03:08 Applying Responsibility, Authority, and Accountability to the CISO Role 04:20 The Interplay of Responsibility, Authority, and Accountability 11:57 Understanding Power and Its Forms 12:43 The Impact of Power on Leadership and Influence 24:04 The Role of Connection Power in Today's Digital Age 24:40 Understanding Different Sources of Power 25:13 The Power of Networking and Connections 26:49 The Challenges of Being a CISO 29:19 Understanding the Value of Your Role 33:56 The Importance of Expert Power 37:46 The Consequences of Ignoring Maintenance 43:40 Aligning Responsibility, Accountability, and Authority 44:39 The Importance of Legal Protections for CISOs 45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection. Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO References: Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/ Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994 Chapters 00:00 Introduction 00:43 Understanding Multi Factor Authentication 01:05 Exploring Different Levels of Authentication 03:30 The Risks of Multi Factor Authentication 03:51 The Importance of Password Management 04:27 Exploring the Use of Trusted Platform Module for Authentication 06:17 Understanding the Difference Between TPM and HSM 09:00 The Challenges of Implementing MFA in Enterprises 11:25 Exploring Real-World MFA Mishaps 15:30 The Risks of Overprivileged Test Systems 17:16 The Importance of Monitoring Non-Production Environments 19:02 Understanding Consent Phishing Scams 30:37 The Legal Implications of Biometric Data Collection 32:24 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception. Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325 Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre Chapters 00:00 Introduction 02:00 Guest's Career Journey and Achievements 08:49 Discussion on Cybersecurity First Principles 15:27 Understanding Materiality in Cybersecurity 21:56 The Gap Between Security Teams and Business Leaders 22:21 The Importance of Speaking the Language of Business 23:03 The Art of the Elevator Pitch 24:04 The Impact of Cybersecurity on Business Value 25:10 The Importance of a Clear Cybersecurity Strategy 26:04 The Value of Business Fluency in Cybersecurity 27:44 The Role of Risk Calculation in Cybersecurity 29:41 The Power of Estimation in Risk Management 30:33 The Importance of Understanding Business Imperatives 41:25 The Role of Culture and Risk Appetite in Cybersecurity 45:39 The First Principle of Cybersecurity

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams. Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/ Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb Chapters 00:00 Introduction 00:23 Understanding Cybersecurity Apprenticeships 02:43 The Role of Mentorship in Cybersecurity 04:09 The Benefits of Cybersecurity Apprenticeships 07:17 The Evolution of Apprenticeships in the Tech Industry 10:00 The Value of Apprenticeships in Building Loyalty 11:08 The Difference Between Internships and Apprenticeships 15:32 The Role of Apprenticeships in Addressing the Skills Shortage 19:15 The Challenges of Implementing Apprenticeships 26:28 The Future of Cybersecurity Apprenticeships 44:32 Conclusion: The Value of Cybersecurity Apprenticeships

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity.  References: https://www.watchguard.com/wgrd-news/blog/decrypting-cybersecurity-acronyms-0 https://computerhistory.org/profile/john-mccarthy/ https://owasp.org/www-community/Threat_Modeling_Process#stride https://attack.mitre.org/att&ck  https://d3fend.mitre.org/ https://fourcore.io/blogs/mitre-attack-mitre-defend-detection-engineering-threat-hunting   https://cars.mclaren.com/us-en/legacy/mclaren-p1-gtr https://csrc.nist.gov/glossary/term/confidentiality https://csrc.nist.gov/glossary/term/integrity https://csrc.nist.gov/glossary/term/availability https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services https://www.nytimes.com/2006/06/30/washington/va-laptop-is-recovered-its-data-intact.html https://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/ https://apps.dtic.mil/sti/tr/pdf/ADA221814.pdf  Transcripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH Chapters 00:00 Introduction 01:34 Cybersecurity Acronyms: Pre-1990s 02:26 STRIDE and DREAD Models 02:39 PICERL and MITRE Models 05:04 Defining Cybersecurity 07:52 CIA Triad and Its Importance 09:00 Confidentiality, Integrity, and Availability 11:52 The Parkerian Hexad 17:30 D.I.E. Triad Concept 24:28 Cybersecurity UPDATE 24:51 Unchanging 25:46 Perimeterizing 29:36 Distributing 29:50 Authenticating 33:58 Tracing 36:07 Ephemeralizing 

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts. Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr  Chapters 00:00 Introduction 00:50 Guest's Background and Journey 05:27 Discussion on Security Data Pipeline 07:19 Introduction to SOAR 08:01 Benefits and Challenges of SOAR 12:40 Guest's Current Work and Company 14:04 Security Data Pipeline Modernization 22:20 Discussion on Vendor Integration 29:09 Security Pipeline Approach and AI 38:03 Closing Thoughts and Future Directions

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures. CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/ OWASP Benchmark - https://owasp.org/www-project-benchmark/ Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo Chapters 00:12 Introduction 00:56 The Lie of Accurate Inventory 05:29 The Lie of Accurate Risk Assessment 08:41 The Lie of Shifting Left in DevSecOps 13:45 The Lie of Certifications Ensuring Security 18:33 The Lie of Reporting Cyber Incidents in 72 Hours 20:44 The Lie of Accurate Application Security Tools 22:07 The Lie of Cybersecurity Not Being a Cost Center 24:44 Conclusion and Recap of Cybersecurity Lies 

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more.    Link to the ORF - https://www.grf.org/orf Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i Chapters 00:12 Introduction 01:47 Introduction to Operational Resilience Framework 02:38 Understanding Resilience and Antifragility 03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity 09:43 Operational Resilience Framework: Steps and Principles 17:50 Preserving Datasets and Implementing Recovery Processes 20:18 Evaluating and Testing Your Disaster Recovery Plan 21:11 Recap of Operational Resilience Framework Steps 22:04 CISO Tradecraft Services and Closing Remarks

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge! Earn CPEs: https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R Chapters 00:00 Introduction 02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements. 05:25 2) CISO reporting structure changes. No more reporting to the CIO. 11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO. 13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries 16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession 19:44 6) AI-generated fraud will increase significantly 22:15 7) Shadow AI will result in Hidden Vulnerabilities 24:24 8) LLM attacks new vector for "AI-enabled" companies 27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur 31:44 10) Self-driving cars will encounter regulatory setback 34:02 Review of Last Year's Predictions 41:03 Actionable Items for the Future 41:29 Closing Remarks and Invitation for 2024

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation. ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx- Chapters 00:00 Introduction 01:08 Importance of Ongoing Support and Mentorship 01:46 The Role of Community in Training 03:03 Hands-on Exercises and Practical Experience 06:01 Success Stories and Testimonials 08:29 Incorporating Security Trends into Training 11:08 Balancing Security with Developer Productivity 18:17 Teaching Secure Coding Practices in Different Languages 20:27 Engaging and Motivating Participants 22:51 Promoting the Program: Engaging and Fun 23:37 Accommodating Different Learning Styles 24:16 Catering to Self-Paced Learners 26:19 Addressing Proficiency Levels and Remediation 28:55 Compliance with Privacy and Data Protection Regulations 30:48 Breaking Down Complex Security Concepts 32:05 Creating a Culture of Security Awareness 33:25 Partnerships and Collaborations in Secure Development 35:10 Feedback and Improvement of the Program 36:12 Cost Considerations for Secure Developer Training 39:20 Tracking Participants' Progress and Completion Rates 41:23 Trends in Secure Developer Training 43:42 Final Thoughts on Secure Developer Training

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Scott Russo - https://www.linkedin.com/in/scott-russo/ HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2 Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ Youtube - https://youtu.be/NkrtTncAuBA  Chapters 00:00 Introduction 03:00 Overview of Secure Developer Training Program 04:46 Motivation Behind Creating the Training Program 06:03 Objectives of the Secure Developer Training Program 07:45 Defining the Term 'Secure Developer' 14:49 Keeping the Training Program Current and Engaging 21:10 Real World Impact of the Training Program 21:46 Understanding the Cybersecurity Budget Argument 21:58 Incorporating Real World Examples into Training 22:26 Personal Experiences and Stories in Training 24:06 Industry Best Practices and Standards 24:18 Aligning with OWASP Top 10 25:53 Balancing OWASP Top 10 with Other Standards 26:12 The Importance of Good Stories in Training 26:32 Duration of the Training Program 28:37 Resources Required for the Training Program 32:23 Measuring the Effectiveness of the Training Program 36:07 Gamification and Certifications in Training 38:56 Tailoring Training to Different Levels of Experience 41:03 Conclusion and Final Thoughts  

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies. Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/ ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca CIO Wisdom Book - https://a.co/d/bmmZEAC Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs Chapters 00:00 Introduction 02:21 Building a Tactical and Strategic Plan 02:58 Assessing Your Current Cybersecurity Posture 03:11 Workforce Assessment and Rating 06:31 Understanding Your Cybersecurity Tools 08:29 Performing a Business Requirements Analysis 10:13 Defining the Desired Future State 12:03 Creating a Gap Analysis 14:14 Analyzing Current Options and Building a Roadmap 17:11 Presenting the New Plan to Management 21:36 Recap and Conclusion

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it! Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/ Hunters - https://www.hunters.security/ Noam Brosh - https://www.linkedin.com/in/noam-brosh-5743938/ Transcripts: https://docs.google.com/document/d/1ArTixgEvRsVpLVdV2uVFAKCKSB2mBUKo Youtube Link: https://youtu.be/ThEpI2_LpD8  Chapters 00:00 Introduction and Welcome 01:20 Understanding the Role of SOC Tools 05:39 Challenges with Traditional SIEM Tools 08:48 The Shift to Data Lakes and the Impact on SIEMs 18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms 19:25 The Role of Automation in Modern SOC Tools 26:01 The Importance of Third-Party Connection Tools in SOC Tools 27:27 Trends and Disruptions in the SIEM Space 28:09 Addressing False Positives in SOC Tools 31:14 Outsourcing Aspects of SOC and Staffing 36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments 41:02 Reporting SOC Metrics to Executive Stakeholders