CISO Tradecraft®

In this episode of CISO Tradecraft, host G. Mark Hardy discusses seven critical issues facing the cybersecurity industry, offering a detailed analysis of each problem along with counterarguments. The concerns range from the lack of a unified cybersecurity license, the inefficiency and resource waste caused by auditors, to the need for a federal data privacy law. Hardy emphasizes the importance of evaluating policies, prioritizing effective controls, and examining current industry practices. He challenges the audience to think about solutions and encourages sharing opinions and additional concerns, aiming to foster a deeper understanding and improvement within the field of cybersecurity. Transcripts: https://docs.google.com/document/d/1H_kTbCG8n5f_d1ZHNr1QxsXf82xb08cG Chapters 00:0001:2802:0006:5310:0914:1219:2322:3826:4930:53

In this episode of CISO Tradecraft, hosts G Mark Hardy and guests Jeff Majka and Andrew Dutton discuss the vital role of competitive threat intelligence in cybersecurity. They explore how Security Bulldog's AI-powered platform helps enterprise cybersecurity teams efficiently remediate vulnerabilities by processing vast quantities of data, thereby saving time and enhancing productivity. The conversation covers the importance of diverse threat intelligence sources, including open-source intelligence and insider threat awareness, and the strategic value of AI in analyzing and prioritizing data to manage cybersecurity risks effectively. The discussion also touches on the challenges and potentials of AI in cybersecurity, including the risks of data poisoning and the ongoing battle between offensive and defensive cyber operations. The Security Bulldog: https://securitybulldog.com/contact/ Transcripts: https://docs.google.com/document/d/1D6yVMAxv16XWtRXalI5g-ZdepEMYmQCe Chapters 00:0000:5602:4304:0213:1116:4319:0722:3322:5025:0826:5231:0034:4537:2741:22

This episode of CISO Tradecraft features a comprehensive discussion between host G Mark Hardy and guest Rafeeq Rehman, centered around the evolving role of CISOs, the impact of Generative AI, and strategies for effective cybersecurity leadership. Rafeeq shares insights on the CISO Mind Map, a tool for understanding the breadth of responsibilities in cybersecurity leadership, and discusses various focal areas for CISOs in 2024-2025, including the cautious adoption of Gen AI, tool consolidation, cyber resilience, branding for security teams, and maximizing the business value of security controls. The episode also addresses the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security. Cybersecurity Learning Saturday: https://www.linkedin.com/company/cybersecurity-learning-saturday/ 2024 CISO Mindmap: https://rafeeqrehman.com/2024/03/31/ciso-mindmap-2024-what-do-infosec-professionals-really-do/ Transcripts: https://docs.google.com/document/d/1axXQJoAdJI26ySKVfROI9rflvSe9Yz50 Chapters 00:0000:5704:1708:3011:4714:1622:3222:5324:1225:1428:3132:2135:5139:3943:1543:53

In this episode of CISO Tradecraft, host G Mark Hardy welcomes Alex Dorr to discuss Reality-Based Leadership and its impact on reducing workplace drama and enhancing productivity. Alex shares his journey from professional basketball to becoming an evangelist of reality-based leadership, revealing how this approach helped him personally and professionally. They delve into the concepts of SBAR (Situation, Background, Analysis, Recommendation) for effective communication, toggling between low self and high self to manage personal reactions, and practical tools like 'thinking inside the box' to confront and solve workplace issues within given constraints. The conversation underscores the importance of focusing on actionable strategies over arguing with the drama and reality of workplace dynamics, aiming to foster a drama-free, engaged, and productive work environment. Alex Dorr's Linkedin: https://www.linkedin.com/in/alexmdorr/ Reality-Based Leadership Website: https://realitybasedleadership.com/ Transcripts: https://docs.google.com/document/d/1wge0pFLxE4MkS6neVp68bdz8h9mHrwje Chapters 00:0000:5703:5406:2009:1911:5817:4219:4423:1224:3225:4925:5828:2834:0436:1737:5040:1546:24

This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements. AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/ NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud Chapters 00:0000:3501:4803:2008:4414:3320:2325:3731:1132:36

In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture. OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/ OWASP Top 10: https://owasp.org/www-project-top-ten/ Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32 Chapters 00:0001:1102:2805:0107:4609:2814:0918:4023:5725:1529:2732:3136:4938:4640:3242:15

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management. Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/ Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207 Chapters 00:0000:5602:1504:2608:1013:0915:2818:2820:3821:15

This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents. Outline & References: https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/ Chapters 00:0000:4701:5303:0605:3008:2409:2516:5721:5822:1723:3624:0624:3425:0826:3627:1129:1830:4334:0537:3339:5740:35

In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity. Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2 Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9 Chapters 00:0001:4402:3303:2005:0907:2909:0614:1317:3920:5324:0124:2024:5025:2025:5226:1928:5334:2441:0741:3645:45

In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges. Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/ Chapters 00:0000:2201:2002:4703:0804:2011:5712:4324:0424:4025:1326:4929:1933:5637:4643:4044:3945:30

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection. Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO References: https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/ https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994 Chapters 00:0000:4301:0503:3003:5104:2706:1709:0011:2515:3017:1619:0230:3732:24

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception. Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325 Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre Chapters 00:0002:0008:4915:2721:5622:2123:0324:0425:1026:0427:4429:4130:3341:2545:39

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams. Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/ Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb Chapters 00:0000:2302:4304:0907:1710:0011:0815:3219:1526:2844:32

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity. References: https://www.watchguard.com/wgrd-news/blog/decrypting-cybersecurity-acronyms-0https://computerhistory.org/profile/john-mccarthy/https://owasp.org/www-community/Threat_Modeling_Process#stridehttps://attack.mitre.org/att&ckhttps://d3fend.mitre.org/https://fourcore.io/blogs/mitre-attack-mitre-defend-detection-engineering-threat-huntinghttps://cars.mclaren.com/us-en/legacy/mclaren-p1-gtrhttps://csrc.nist.gov/glossary/term/confidentialityhttps://csrc.nist.gov/glossary/term/integrityhttps://csrc.nist.gov/glossary/term/availabilityhttps://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Serviceshttps://www.nytimes.com/2006/06/30/washington/va-laptop-is-recovered-its-data-intact.htmlhttps://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/https://apps.dtic.mil/sti/tr/pdf/ADA221814.pdfTranscripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH Chapters 00:0001:3402:2602:3905:0407:5209:0011:5217:3024:2824:5125:4629:3629:5033:5836:07

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts. Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr Chapters 00:0000:5005:2707:1908:0112:4014:0422:2029:0938:03

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures. CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/ OWASP Benchmark - https://owasp.org/www-project-benchmark/ Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo Chapters 00:1200:5605:2908:4113:4518:3320:4422:0724:44

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more. Link to the ORF - https://www.grf.org/orf Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i Chapters 00:1201:4702:3803:3206:2209:4317:5020:1821:1122:04

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge! Earn CPEs: https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R Chapters 00:0002:1105:2511:4313:3616:5919:4422:1524:2427:2331:4434:0241:0341:29

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation. ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx- Chapters 00:0001:0801:4603:0306:0108:2911:0818:1720:2722:5123:3724:1626:1928:5530:4832:0533:2535:1036:1239:2041:2343:42

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Scott Russo - https://www.linkedin.com/in/scott-russo/ HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2 Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ Youtube - https://youtu.be/NkrtTncAuBA Chapters 00:0003:0004:4606:0307:4514:4921:1021:4621:5822:2624:0624:1825:5326:1226:3228:3732:2336:0738:5641:03