
CISO Tradecraft®
Explore every episode of CISO Tradecraft®
Pub. Date | Title | Duration | |
---|---|---|---|
18 Nov 2024 | #207 - CISO Burnout (with Raghav Singh) | 00:46:06 | |
Welcome to another enlightening episode of CISO Tradecraft! In this episode, host G. Mark Hardy dives deep into the critical topic of CISO burnout with special guest Raghav Singh, a PhD candidate from the University of Buffalo. This is an eye-opening session for anyone in the cybersecurity field, especially those in or aspiring to the CISO role. Raghav shares valuable insights from his extensive research on the unique stresses faced by CISOs, the organizational factors contributing to burnout, and practical coping mechanisms. We also explore the evolutionary phases of CISOs, from technical experts to strategic business enablers. Whether you're dealing with resource limitations, seeking executive support, or managing ever-evolving cybersecurity threats, this episode offers actionable advice to navigate the demanding role of a CISO successfully. Don't forget to like, comment, and share to help other CISOs and cybersecurity leaders! Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/
Transcripts: https://docs.google.com/document/d/1fhLkaj_JetlYFQ50Q69uMGmsw3fS3Wqa
CISO Burnout - https://aisel.aisnet.org/amcis2023/sig_lead/sig_lead/4/
CISO-CIO Power Dynamics - https://aisel.aisnet.org/amcis2024/is_leader/is_leader/6/
Cybersec professionals and AI integration - https://aisel.aisnet.org/amcis2024/security/security/29/
Raghav can be reached at rsingh45@buffalo.edu
Chapters
01 Jan 2024 | #162 - CISO Predictions for 2024 | 00:42:47 | |
Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge! Earn CPEs: https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R Chapters
23 May 2022 | #79 - Addressing the Top CEO Concerns | 00:38:32 | |
On this episode of CISO Tradecraft we talk about the top 10 areas of concern for the C-suite about ransomware. Note you can read the full ISC2 study here (Link). Cybersecurity professionals should keep the following golden rules in mind when communicating with the C-suite about ransomware.
07 Feb 2022 | #64 - 3 Keys to Being a CISO (with Allan Alford) | 00:44:14 | |
On this episode of CISO Tradecraft, we feature Allan Alford from The Cyber Ranch Podcast. Allan brings a wealth of knowledge as a CISO and shares the three things every CISO needs to bring to the table:
If you enjoy listening to Allan Alford, then please subscribe to The Cyber Ranch Podcast for more great content. Infographic:
13 Feb 2023 | #116 - A European view of CISO responsibilities (with Michael Krausz) | 00:43:37 | |
In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically focused, but as a security department matures, the CISO must be organizationally focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort each requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.
Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv
Chapters
21 Oct 2024 | #203 - Be SOCcessful with the SOC-CMM | 00:17:11 | |
Unlocking SOC Excellence: Master the SOC Capability Maturity Model Join host G Mark Hardy in this compelling episode of CISO Tradecraft as he explores the revolutionary SOC Capability Maturity Model (SOC CMM) authored by Rob van Os. This episode is a must-watch for CISOs, aspiring CISOs, and cybersecurity professionals aiming to optimize their Security Operations Center (SOC). Learn how to measure, evaluate, and enhance your SOC's maturity across key domains including Business, People, Process, Technology, and Services. Gain insights into leveraging radar charts for visualizing SOC capabilities and hear case studies such as a mid-sized financial company’s remarkable improvements. Discover why understanding your SOC's strengths and weaknesses and conducting risk-based improvement planning are crucial. Don't miss out—elevate your cyber resilience today, subscribe, and share with your network to set your SOC on the path to excellence! References:
Transcripts: https://docs.google.com/document/d/1Fk6_t9FMyYXDF-7EfgpX_ZjLc0iPAgfN Chapters
01 May 2021 | #27 - Roses, Buds, & Thorns | 00:05:06 | |
Today, CISO Tradecraft hosts a 5 minute discussion to talk about reflection. The concept is Roses, Buds, and Thorns. It’s an exercise designed to identify opportunities to make positive change.
If you would like to learn more, please check out the article from MITRE. We would love to hear your feedback here. Thank you, CISO Tradecraft
02 Dec 2024 | #209 - AI Singularity (with Richard Thieme) | 00:48:32 | |
In this riveting episode of CISO Tradecraft, host G Mark Hardy welcomes back Richard Thieme, a thought leader in cybersecurity and technology, almost three years after his last appearance. Richard delves into the necessity of thinking like a hacker, provides insights into the AI singularity, and discusses the ethical and societal implications of emerging technologies. The conversation also touches on Richard's extensive body of work, including his books and views on cyber warfare, disinformation, and ethical decision-making. Tune in for a thought-provoking discussion that challenges conventional wisdom and explores the interconnectedness of technology, consciousness, and our future.
Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/
CruiseCon Discount Code: CISOTRADECRAFT10
Link to Richard’s home page (and links to Amazon for his books):
Link to the book, The Ending of Time: https://store.kfa.org/products/the-ending-of-time-new-edition
Transcripts: https://docs.google.com/document/d/1Q7CJkF7Spji2iAbV_mYEyYHnKWobzo6N
Chapters
18 Mar 2024 | #173 - Mastering Vulnerability Management | 00:22:16 | |
In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitation by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Chapters
26 Sep 2022 | #97 - Mobile Application Security (with Brian Reed) | 00:43:34 | |
Special Thanks to our podcast sponsor, NowSecure. On this episode, Brian Reed (Chief Mobility Officer at NowSecure) stops in to provide a world class education on Mobile Application Security. It's incredible to think that 70% of internet traffic is coming over mobile devices. Most of this traffic occurs via mobile applications so we need to understand mobile application security testing, before attackers show us how important it is. This episode will help you understand:
References:
28 Nov 2022 | #106 - How to Win Your First CISO Role | 00:29:31 | |
Are you ready to win your first CISO role? Apply these techniques to your resume and interview process so both recruiters and hiring managers will offer you the job. This show focuses on:
Please note the full show transcript can be found here https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn
05 Nov 2021 | #53 - Fun and Games to Stop Bad Actors (with Dr. Neal Krawetz) | 00:44:17 | |
In this episode, you can hear from Dr. Neal Krawetz, creator of Hacker Factor and FotoForensics. Neal's a long-time security practitioner who shares some fascinating insights in terms of how to identify potential bad actors early on (think reconnaissance interception), techniques for detecting bots and malicious entities, and ways to protect your team members from misattributed fake blog entries.
23 Jan 2023 | #113 - SAST Security (with John Steven) | 00:42:51 | |
This episode provides a deep dive into Static Application Security Testing (SAST) tools. Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways to apply them in your organization. Special thanks to John Steven for coming on the show to share his expertise.
Special thanks to our sponsor Praetorian for supporting this episode. Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb Chapters:
21 Mar 2022 | #70 - Partnership is Key | 00:16:01 | |
On this episode of CISO Tradecraft you can learn how to build relationships of trust with other executives by demonstrating executive skill & cyber security expertise. You can learn what to say to each of the following executives to build common ground and meaningful work:
Note Robin Dreeke mentions 5 keys to building goals:
During this week's Monday Morning Email, CISO Tradecraft answers the question on how to craft a winning resume to land your first CISO role.
Infographic
11 Dec 2020 | #7 - DevOps | 00:49:15 | |
On this Episode we will explore DevOps as a topic and discuss why you need to care as a CISO. Key discussions include:
Chapters
15 Jan 2024 | #164 - The 7 Lies in Cyber | 00:29:02 | |
In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving on to other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures.
CloudGoat EC2 SSRF - https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/
OWASP Benchmark - https://owasp.org/www-project-benchmark/
Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo
Chapters
13 Nov 2020 | #3 - How to Read Your Boss | 00:38:44 | |
The ability to persuade others is a core tradecraft for every CISO. This podcast discusses the most common styles of executive decision making (Charismatics, Thinkers, Skeptics, Followers, and Controllers). After listening to this podcast, you will understand how to more effectively tailor your message to best influence each style of executive. If you would like to learn more about this topic, we strongly recommend you read the Harvard Business Review article, “Change the Way You Persuade”, by Gary A. Williams and Robert B. Miller https://hbr.org/2002/05/change-the-way-you-persuade Chapters
06 Nov 2020 | #2 - Principles of Persuasion | 00:46:29 | |
To become an effective CISO you need influence skills. On this episode we explore Robert Cialdini's book, "Influence" and discuss the psychology of persuasion. We will explore 6 key areas of influence:
If you would like to learn more on this topic, then we recommend you read Cialdini's work: Website https://www.influenceatwork.com/principles-of-persuasion/ Book https://www.amazon.com/Influence-Psychology-Persuasion-Robert-Cialdini/dp/006124189X Chapters
28 Aug 2023 | #144 - Handling Regulatory Change | 00:24:09 | |
In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips! Thanks again to our Sponsors for supporting this episode:
References
Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/ Chapters
13 Mar 2023 | #120 - Negotiating Your Best CISO Package (with Michael Piacente) | 00:39:41 | |
Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages. Examples include but are not limited to: - Base Salary,
You can learn more about CISO compensations by Googling any of the following compensation surveys
Full Transcripts: https://docs.google.com/document/d/1e... Chapters:
26 Jun 2023 | #135 - Board Decks (with Demetrios Lazarikos) | 00:43:33 | |
One of the most important activities a CISO must perform is presenting high quality presentations to the Board of Directors. Listen and learn from Demetrios Lazarikos (Laz) and G Mark Hardy as they discuss what CISOs are putting in their decks and how best to answer the board's questions. Special thanks to our sponsor Risk3Sixty for supporting this episode. Risk3sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook References
Transcripts: https://docs.google.com/document/d/1juM8MQUEtAZEDp1HpzkPdNw-D11O3ofq Chapters
15 Jan 2021 | #12 - The Three Ways of DevOps | 00:45:04 | |
Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security. The three ways of DevOps consist of:
If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592
12 Feb 2024 | #168 - Cybersecurity First Principles (with Rick Howard) | 00:47:14 | |
In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception. Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325 Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre Chapters
02 Oct 2023 | #149 - Board Perspectives | 00:43:14 | |
On this episode we discuss the four key roles Boards play in cybersecurity.
Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/ Chapters
09 Jul 2021 | #37 - Cyber Security Laws & Regulations | 00:43:00 | |
On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations:
19 Mar 2021 | #21 - Your First 90 Days as a CISO (with Mark Egan) | 00:43:36 | |
This special episode features Mark Egan (Former CIO of Symantec as well as VMWare). Mark discusses what he looks for during interviews with CISOs, what executives need to demonstrate during their first 90 days to be successful, and how he helps the next generation of cyber professionals at Merritt College. Three Questions to ask during any interview:
Five Step Plan for New CISOs:
Merritt College Overview: Link
Volunteer to Help Merritt College: Link
Contact Merritt College: Link
Mark Egan LinkedIn Profile: Link
08 Jan 2024 | #163 - Operational Resilience | 00:23:09 | |
Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more.
Link to the ORF - https://www.grf.org/orf Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i Chapters
14 Feb 2022 | #65 - Shall We Play A Game? | 00:43:31 | |
Gamification is a superpower that CISOs can use to change the culture of an organization. On this episode of CISO Tradecraft we discuss how to use gamification concepts as a CISO. What’s in a Game?
What Makes a Game Fun?
What’s in a Learning Game?
5 Gamification Concepts
4 Player Types
References:
- https://www.chaostheorygames.com/blog/serious-games-guide-everything-you-need-to-know-in-2021
- https://www.chaostheorygames.com/blog/what-is-gamification-2020-definition
- https://directivecommunication.net/the-ultimate-guide-to-work-gamification/
- https://yukaichou.com/gamificationnews/4-dominant-applications-of-gamification/
- https://medium.com/@chow0531/actionable-gamification-fbe27f6cb2d6
- https://www.capgemini.com/2020/06/gamification/
- https://insights.lytho.com/translation-fails-advertising
- http://timboileau.wordpress.com
Infographic:
29 May 2023 | #131 - Framing Executive Discussions | 00:21:15 | |
How do we frame an executive discussion so we can structure and present information in a way that effectively engages and aligns with the needs and interests of the executive audience? On this episode we answer that question by discussing the 8 important elements of framing a discussion with executives:
Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their Security Budget & Business Case Template: https://risk3sixty.com/whitepaper/security-budget-template/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=budget Full Transcripts: https://docs.google.com/document/d/1vhLmqEAy-yQ01ZY1y8Nf7y-u_swTYCm8 Chapters
19 Feb 2021 | #17 - Global War on Email | 00:47:24 | |
If you use email, this episode is for you. Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education). These three tools all involve placing simple entries in your DNS records. To work effectively, the recipient also needs to be checking those entries. They are:
Check your settings at MXToolbox. Learn DMARC: Link
Implementing these protections requires a small amount of work but can yield outsized benefits. In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail. Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS. Get the latest list from IANA.
Great background reading from the Australian Signals Directorate: Link
Email Authenticity 101: Link
13 Aug 2021 | #42 - Third Party Risk Management (with Scott Fairbrother) | 00:52:29 | |
Special Thanks to our podcast Sponsor, CyberGRX On today’s episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:
Also please subscribe to the CISO Tradecraft LinkedIn Page to get more relevant content
22 Jan 2024 | #165 - Modernizing Our SOC Ingest (with JP Bourget) | 00:44:34 | |
In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and their professional journeys. Tune in for valuable insights from top cybersecurity experts. Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr Chapters
08 Aug 2022 | #90 - A CISO’s Guide to Pentesting | 00:16:00 | |
A CISO’s Guide to Pentesting
References
**************************** Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.
Now, to get a good understanding of pentesting, we are going to go over the basics every CISO needs to understand.
First of all, let's talk about what a pentest is NOT. It is not a simple vulnerability scan. That's something you can do yourself with any number of publicly available tools. However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest. Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?
Now let’s start with a definition of a penetration test. According to Wikipedia, a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of that system. It’s really designed to show weaknesses in a system that can be exploited. Let’s think of the things we want to test. It can be a website, an API, a mobile application, an endpoint, a firewall, etc. There are really a lot of things you can test, but the thing to remember is that you have to prioritize whatever has the highest likelihood or largest impact to cause the company harm. You need to focus on high likelihood and impact because professional penetration tests are not cheap. They will usually cost between $10,000 and $30,000, but if you have a complex system, it’s not unheard of to go up to $100,000. As a CISO you need to be able to defend this expenditure of resources. So, you will usually define a clear standard that your company will perform penetration tests on customer-facing applications, PCI applications, and financially significant (SOX) applications once per year.
My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest. Sometimes clients want just a vulnerability scan; sometimes an external scan of vulnerabilities to identify risk; sometimes a compromise assessment, where a tester has access to a workstation and tries to move laterally; sometimes a red team, where a tester acts like a threat actor and tries to bypass controls; or sometimes a collaborative effort involving both red and blue teams to document gaps and help defenders do their job better. He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies."
Please do not confuse a penetration test with a Red Team exercise. A red team exercise just wants to accomplish an objective like steal data from an application. A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate. It’s a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities. Now, is a pentest about finding ALL vulnerabilities? I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like. Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided. There really is a “good enough” standard of risk, and that is called “acceptable risk.” So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate.
Let’s take the example that you want to perform a web application pentest on your public website so you can fix the vulnerabilities before the bad actors find them. The first question you should consider is whether you want an internal or an external penetration test. Well, the classic answer of "it depends" is appropriate. If this website is a service that you are selling to other companies, then chances are those companies are going to ask you for things like an ISO 27001 certification or a SOC 2 Type 2 report, and both of those standards require, you guessed it, a penetration test. In this case your company would be expected to document a pentest performed by an external provider. Now if your company has a website that is selling direct to a consumer, then chances are you don’t have the same level of requirement for an external pentest. So, you may be able to just perform an internal penetration test carried out by your company’s employees.
I'd be remiss if I didn't mention the Center for Internet Security Critical Controls, formerly known as the SANS Top 20. The current version, eight, has 18 controls that are listed in order of importance, and they include pentesting. What is the priority of pentesting, you may ask? #18 of 18 -- dead last. Now, that doesn't mean pentests are not valuable, or not useful, or even not important. What it does mean is that pentests come at the end of building your security framework and implementing controls. Starting with a pentest makes no sense IMHO, although compliance-oriented organizations probably do this more often than they should. That approach makes the pen tester's job one of filtering through noise -- there are probably a TON of vulnerabilities and weaknesses that should have been remediated in advance and could have been with very little effort. Think of a pentest as a final exam, if you will. Otherwise, it's an expensive way to populate your security to-do list.
OK, let’s say we want to have an external penetration test and we have the 10-30K on hand to pay an external vendor. Remember this: a penetration test is only as good as the conductor of the penetration test. Cyber is a very unregulated industry, which means it can be tricky to know who is qualified. Compare this to the medical industry. If you go to a hospital, you will generally get referred to a medical doctor or physician. This is usually someone who has a degree such as an MD or DO which proves their competency. They will also have a license from the state to practice medicine legally. Contrast this with the cyber security industry. There is no requirement for a degree to practice cyber in the workforce. Also, there is no license issued by the state to practice cyber or develop software applications. Therefore, you need to look for relevant cyber certifications to demonstrate competency to perform a penetration test. There are a number of penetration testing certifications such as the Certified Ethical Hacker or CEH, Global Information Assurance Certification or GIAC GPEN or GWAPT, and the Offensive Security Certified Professional or OSCP.
We strongly recommend anyone performing an actual penetration test have an OSCP. This certification is difficult to pass. A cyber professional must be able to perform an actual penetration test and produce a detailed report to get the actual certification. This is exactly what you want in a pentester, which is why we are big fans of this certification. This certification is a lot more complicated than remembering a bunch of textbook answers and filling in a multiple-choice test. Do yourself a favor and ask for individuals performing penetration tests at your company to possess this certification. It may mean your penetration tests cost more, but it’s a really good way to set a bar of qualified folks who can perform quality penetration tests to secure your company.
Now you have money, and you know you want to look for penetration tests from companies that have skilled cyber professionals with years of experience and an OSCP. What companies should you look at? Usually, we see three types of penetration testing companies. The first type is companies that use their existing auditors to perform penetration tests – firms like KPMG, EY, PWC, or Deloitte (the Big 4 1/2). This is expensive, but it’s easy to get them approved since most large companies already have contracts with at least one of these firms. The second type of company that we see is large penetration testing companies. Companies like Bishop Fox, Black Hills Information Security, NCC Group, and TrustedSec focus largely on penetration testing and don't extend into other areas like financial auditing. They have 50+ penetration testers with experience from places like the CIA, NSA, and other large tech companies. Note they are often highly acclaimed, so there is often a waitlist of a few months before you can get added as a new client. Finally, there are boutique shops that specialize in particular areas. For example, you might want to hire a company that specializes in testing mobile applications, Salesforce environments, embedded devices, or APIs. This is a more specialized skill and a bit harder to find, so you have to find a relevant vendor. Remember, if someone can pass the OSCP it means they know how to test and usually have a background in web application penetration testing. Attacking a web application means being an expert in using a tool like Burp Suite to look for OWASP Top 10 attacks like SQL injection or cross-site scripting. This is a very different set of skills from someone who can hack a vehicle Controller Area Network (CAN) bus or a John Deere tractor, which requires reverse engineering and C++ coding.
Once you pick your vendor and successfully negotiate a master services agreement, be sure to check that you continue to get the talent you expect. It’s common for the first penetration test to be staffed with skilled testers, but over time a vendor may replace them with cheaper labor who lack the OSCP or the level of experience you contracted for. Don’t let this happen to your company: review the labor and contract requirements on a recurring basis, and ask for the names and credentials of the testers assigned to each engagement before it starts.
Alright, let’s imagine you have a highly skilled vendor who meets these requirements. How should they perform a penetration test? If you are looking for a quality penetration testing guide, we recommend the one used by Google. Google, whose parent company is Alphabet, has publicly shared its penetration testing guidelines, and we have attached a link in our show notes. It’s a great read, so please take a look. Google recommends that a good penetration test report clearly follow an assessment methodology during the assessment. Usually, penetration testers follow an industry-recognized standard like the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, the OWASP Firmware Security Testing Guide, the PCI DSS Penetration Testing Guide, the Penetration Testing Execution Standard (PTES), or the OSSTMM, the Open Source Security Testing Methodology Manual. These methodologies show that an extensive evaluation was done and that a multitude of steps and attacks were carried out. They also standardize the documentation of findings. For each finding you will want: a risk severity level, the impact from a business and technical perspective, clear and concise steps to reproduce it, screenshots or other evidence, and a recommendation on how to resolve it. That gives you a quality penetration test report you can reuse across the organization to improve your understanding of technical risk.
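As an added example (not from the episode or from Google’s guidelines), here is a small Python quality gate that checks a vendor’s findings export against the report structure just described. The field names and the sample findings are assumptions constructed for illustration. The script verifies that each finding carries a severity, impact, reproduction steps, evidence and a recommendation, normalizes the severity, and sorts what passes by severity, so the team can push incomplete findings back to the vendor before accepting the report.

```python
"""Quality gate for penetration test findings.

Added example, not code from CISO Tradecraft or from Google's guidelines.
It assumes findings arrive as a list of dicts (for example parsed from a
vendor's JSON export) using the field names below; the names and the sample
findings are constructed for illustration.
"""
from collections import Counter

# Fields every finding must carry, mirroring the report structure described above.
REQUIRED_FIELDS = (
    "title",
    "severity",            # risk severity level
    "impact",              # impact from a business/technical perspective
    "steps_to_reproduce",  # clear, concise reproduction steps (ordered list)
    "evidence",            # screenshots or request/response captures
    "recommendation",      # how to resolve the finding
)

# Normalized severity scale; a lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}


def normalized_severity(finding):
    """Lower-cased, whitespace-trimmed severity string ('' if absent)."""
    return str(finding.get("severity") or "").strip().lower()


def validate_finding(finding):
    """Return the list of problems with one finding; an empty list means it passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = finding.get(field)
        if value is None or (isinstance(value, (str, list)) and not value):
            problems.append(f"missing {field}")
    severity = normalized_severity(finding)
    if severity and severity not in SEVERITY_RANK:
        problems.append(f"unknown severity '{finding['severity']}'")
    steps = finding.get("steps_to_reproduce")
    if isinstance(steps, str) and steps:
        problems.append("steps_to_reproduce should be an ordered list, not prose")
    return problems


def triage_report(findings):
    """Split findings into accepted (sorted by severity) and rejected (with reasons)."""
    accepted, rejected = [], []
    for finding in findings:
        problems = validate_finding(finding)
        if problems:
            rejected.append({"title": finding.get("title", "<untitled>"), "problems": problems})
        else:
            accepted.append(finding)
    accepted.sort(key=lambda f: SEVERITY_RANK[normalized_severity(f)])
    summary = Counter(normalized_severity(f) for f in accepted)
    return {"accepted": accepted, "rejected": rejected, "summary": dict(summary)}


# Constructed sample export: one complete finding, one without evidence, and one
# using the vendor's own "P4" scale with prose instead of reproduction steps.
SAMPLE_FINDINGS = [
    {
        "title": "SQL injection in /api/orders search parameter",
        "severity": "Critical",
        "impact": "Unauthenticated read of the orders table, including customer PII.",
        "steps_to_reproduce": [
            "Send GET /api/orders?q=' OR 1=1-- to the staging host",
            "Observe every order returned regardless of session",
        ],
        "evidence": ["burp_request_01.png", "burp_response_01.png"],
        "recommendation": "Use parameterized queries and allow-list the q parameter.",
    },
    {
        "title": "Reflected XSS in search page",
        "severity": "Medium",
        "impact": "Session theft via a crafted link.",
        "steps_to_reproduce": ["Browse to /search?q=<script>alert(1)</script>"],
        "evidence": [],  # no screenshot attached
        "recommendation": "Apply context-aware output encoding.",
    },
    {
        "title": "Verbose server banner",
        "severity": "P4",  # vendor's own scale, not a normalized level
        "impact": "Eases fingerprinting.",
        "steps_to_reproduce": "Just look at the headers.",  # prose, not steps
        "evidence": ["headers.txt"],
        "recommendation": "Strip the Server header.",
    },
]

if __name__ == "__main__":
    result = triage_report(SAMPLE_FINDINGS)
    print("severity summary:", result["summary"])
    for item in result["rejected"]:
        print(f"push back to vendor: {item['title']}: {', '.join(item['problems'])}")
```

Run it against the constructed sample and only the SQL injection finding is accepted; the XSS finding is bounced for missing evidence and the banner finding for its unmapped severity and prose reproduction steps. The same check can be run on every re-test so a vendor’s report quality is tracked over time, which is the contract-review point made earlier.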
If you can get good penetration tests today, how is penetration testing changing in the future? The answer is automation. We have had automated vulnerability management tools for decades, but please don’t think that running a Dynamic Application Security Testing (DAST) tool such as WebInspect is the same thing as performing a full penetration test. A penetration test usually takes about a month of work from a trained professional, which is quite different from a 30-minute scan. As an industry we are starting to see innovative penetration testing companies build Continuous and Automated Penetration Testing tooling. Examples include Bishop Fox’s Cosmos, Pentera’s Automated Security Validation Platform, and Stage 2 Security’s Voodoo and Mage tooling. Each of these companies is producing really interesting tools, and we think they will be a strong complement to penetration tests performed by human teams, because companies can then test more applications more often. The other major advantage of these tools is repeatability. A penetration test is usually a point-in-time assessment: once a year you schedule a penetration test on your application. If a month later you make changes, updates, or patches to that application, new vulnerabilities can easily be introduced that your penetration test never assessed. So a continuous solution that identifies common vulnerabilities matters, because you always want to find your vulnerabilities before the bad actors do.
Here’s one final tip. Don’t rely on a single penetration testing company. Remember, a penetration testing company is only as good as the tester and the toolbox. So try changing the company that tests the same application each year. For example, perhaps you have contracts with Bishop Fox, Stage 2 Security, and Black Hills Information Security, where each company performs a number of penetration tests for you each year. You can alternate which company tests which application: have Bishop Fox pentest your public website in 2022, Stage 2 Security test it in 2023, and Black Hills test it in 2024. Every penetration tester looks for something different and brings different skills to the test. If you rotate penetration testing vendors each cycle, you will get more findings, which allows you to remediate and lower risk. It also lets you know if a vendor’s pricing is out of the norm, and you can cancel or renegotiate one contract if a vendor wants to double its prices. And watch the news: even security companies have problems, and if a firm’s best pentesters all leave to join a startup, that loss of talent may impact the quality of your report.
Thank you for listening to CISO Tradecraft, and we hope you have found this episode valuable in your security leadership journey. As always, we encourage you to follow us on LinkedIn, and help us out by letting your podcast provider know you value this show. This is your host, G. Mark Hardy, and until next time, stay safe. | |||
12 Jun 2023 | #133 - The Seesaw of Cyber Recruiting (with Lee Kushner) | 00:43:57 | |
This episode features Lee Kushner discussing various topics, including negotiating skills, the importance of degrees in the cybersecurity field, the need for diversity in the industry, challenges faced by cybersecurity professionals, starting a career in cybersecurity, and the value of technical skills. The conversation emphasizes the need for individuals to acquire technical skills, such as coding and networking, as they are in high demand and can differentiate them in the job market. It also mentions the importance of understanding the industry and its composition when seeking employment in cybersecurity. Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser Transcripts: https://docs.google.com/document/d/11askuaFcV_jYov2FklkbZXxVN3JSNu6y/ Chapters
| |||
27 Nov 2023 | #157 - SOC Skills (with Hasan Eksi) Part 2 | 00:36:06 | |
In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management. Big Thanks to our Sponsors
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/ Transcripts: https://docs.google.com/document/d/1rWixzKgf_unanPlnoL6dt8qpEsbZj9lv Chapters
| |||
12 Mar 2021 | #20 - Zero Trust | 00:45:15 | |
Would you actually like to learn about what Zero Trust is without a bunch of marketing jargon? On this week's episode G Mark Hardy and Ross Young provide a thoughtful discussion on Zero Trust from NIST and Microsoft:
| |||
25 Jun 2021 | #35 - Setting Up an Application Security Program | 00:41:17 | |
On this episode of CISO Tradecraft, you can learn how to build an Application Security program.
We also recommend reading the Microsoft Security Developer Life Cycle Practices Link For more great ideas on setting up an application security program please read this amazing guide from WhiteHat Security Link If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail Link | |||
29 Apr 2024 | #179 - The 7 Broken Pillars of Cybersecurity | 00:32:03 | |
In this episode of CISO Tradecraft, host G. Mark Hardy discusses seven critical issues facing the cybersecurity industry, offering a detailed analysis of each problem along with counterarguments. The concerns range from the lack of a unified cybersecurity license, the inefficiency and resource waste caused by auditors, to the need for a federal data privacy law. Hardy emphasizes the importance of evaluating policies, prioritizing effective controls, and examining current industry practices. He challenges the audience to think about solutions and encourages sharing opinions and additional concerns, aiming to foster a deeper understanding and improvement within the field of cybersecurity. Transcripts: https://docs.google.com/document/d/1H_kTbCG8n5f_d1ZHNr1QxsXf82xb08cG Chapters
| |||
18 Apr 2022 | #74 - Pass the Passwords | 00:42:42 | |
On this episode of CISO Tradecraft, we focus on the Password Security and how it's evolving. Tune in to learn about:
Infographic:
References:
| |||
14 Aug 2023 | #142 - Powerful Questions | 00:33:55 | |
Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape. Special Thanks to our Sponsors:
Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/ Chapters
| |||
08 Jan 2021 | #11 - Cryptography | 00:49:00 | |
Most organizations generate revenue by hosting online transactions. Cryptography is a key enabler to securing online transactions in untrusted spaces. Therefore it's important for CISOs to understand how it works. This episode discusses the fundamentals of cryptography:
| |||
23 Oct 2023 | #152 - Speak My Language (with Andrew Chrostowski) | 00:45:08 | |
Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks. Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/iso-27001-certification/ Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0 Chapters
| |||
27 Mar 2023 | #122 - Methodologies for Analysis (with Christopher Crowley) | 00:43:57 | |
Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in. Analysis of Competing Hypothesis https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf Christopher Crowley's Company https://montance.com/ Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr Chapters
| |||
20 May 2024 | #182 - Shaping the SOC of Tomorrow (with Debbie Gordon) | 00:44:30 | |
This episode of CISO Tradecraft, hosted by G Mark Hardy, features special guest Debbie Gordon. The discussion focuses on the critical role of Security Operations Centers (SOCs) in an organization's cybersecurity efforts, emphasizing the importance of personnel, skill development, and maintaining a high-performing team. It covers the essential aspects of building and managing a successful SOC, from hiring and retaining skilled incident responders to measuring their performance and productivity. The conversation also explores the benefits of simulation-based training with CloudRange Cyber, highlighting how such training can improve job satisfaction, reduce incident response times, and help organizations meet regulatory requirements. Through this in-depth discussion, listeners gain insights into best practices for enhancing their organization's cybersecurity posture and developing key skill sets to defend against evolving cyber threats. Cloud Range Cyber: https://www.cloudrangecyber.com/ Transcripts: https://docs.google.com/document/d/18ILhpOgHIFokMrkDAYaIEHK-f9hoy63u Chapters
| |||
21 Nov 2022 | #105 - Start Me Up (with Bob Cousins) | 00:48:40 | |
Would you like to hear a master class on what Technology professionals need to know about startups? On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists. Listen and learn more about:
Subscribe to the CISO Tradecraft LinkedIn Page | |||
10 Jul 2023 | #137 - 1% Better Leadership (with Andy Ellis) | 00:49:19 | |
Imagine if you could get 1% better every day at something and do this for an entire year. Well, that's 365 days. And you go, okay, fine. 1%. 1%. That's going to be like 3.65%, right? No, because it compounds. If you open up your calculator, take 1.01 and raise it to the 365th power, you're going to get 37.78. On today's show we have Andy Ellis discuss ways to get 1% better as a leader. Thanks to our two sponsors for this episode. 1) Prelude: https://www.preludesecurity.com/ 2) Risk3Sixty - Risk3Sixty is a cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook Transcripts: https://docs.google.com/document/d/1Ul9N9cw579JMB_e7Vlk91_JpYxOBXQmx/ Chapters:
| |||
20 Feb 2023 | #117 - Good Governance (with Sameer Sait) | 00:39:34 | |
Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute. Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/ Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li Chapters
| |||
13 Nov 2023 | #155 - SOC Skills (with Hasan Eksi) Part 1 | 00:43:31 | |
In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training. Big Thanks to our Sponsor
Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/ Transcripts: https://docs.google.com/document/d/1lE9Tz-um1II2aNX4JU-bQ-BND7fPNteE/ Chapters
| |||
10 Jan 2022 | #60 - CISO Knowledge Domains Part 2 | 00:17:44 | |
One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode is a continuation from the previous episode and will go over the 6th -10th knowledge areas.
https://github.com/cisotradecraft/podcast Infographic: | |||
25 Dec 2023 | #161 - Secure Developer Training Programs (with Scott Russo) Part 2 | 00:45:21 | |
In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different learning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation. ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx- Chapters
| |||
09 May 2022 | #77 - Countering Corporate Espionage | 00:46:39 | |
Chances are your organization has information that someone else wants. If it's another nation state, their methods may not be friendly or even legal. In this episode we address assessing risk, known "bad" actors, information targets, exfiltration, cyber security models, what the federal government is doing for contractors, and response strategies. Listen now so you don't become a statistic later.
References: https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf https://nhglobalpartners.com/made-in-china-2025/ https://www.cybintsolutions.com/cyber-security-facts-stats/ http://www.secretservice.gov/ntac/final_it_sector_2008_0109.pdf http://www.secretservice.gov/ntac/final_government_sector2008_0109.pdf CIS Controls v8.0, Center for Internet Security, May 2021, https://www.cisecurity.org | |||
05 Mar 2021 | #19 - Team Building | 00:44:54 | |
Every leader needs to know how to lead and manage a team. On this episode G Mark Hardy and Ross Young share tradecraft on team building.
| |||
02 May 2022 | #76 - The Demise of the Cybersecurity Workforce | 00:41:47 | |
Our career has been growing like crazy with an estimated 3.5 million unfilled cybersecurity jobs within the next few years. More certs, more quals, more money, right? The sky’s the limit. But what if we’re wrong? AI, machine learning, security-by-design, outsourcing, and H-1B programs may put huge downward pressure on future job opportunities (and pay) in this country. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? [We did a ton of research looking at facts, figures, industry trends, and possible futures that might have us thinking that 2022 may have been “the good old days.” No gloom-and-doom here; just an objective look with a fresh perspective, you know, just in case.] | |||
24 Jan 2022 | #62 - Promotion Through Politics | 00:31:06 | |
On this episode, we talk about the four types of skills you need to demonstrate in your career to climb through the ranks: (Technical Skills, Management Skills, Leadership Skills, & Political Skills) We also highlight 6 crucial areas to improve your political skills
References:
Infographic: | |||
08 May 2023 | #128 - How do CISOs spend their time? | 00:29:41 | |
In this episode of "CISO Tradecraft," G. Mark Hardy defines the role of a CISO and discusses the Top 10 responsibilities of a Chief Information Security Officer. Full Transcript: https://docs.google.com/document/d/1J_sCMkqEeIB7pUY4KmjCiS1sz7t6LX2F Chapters
| |||
08 Apr 2021 | #24 - Everything you wanted to know about Ransomware | 00:45:50 | |
Would you like to know more about Ransomware? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide an in-depth discussion on Ransomware. Key discussions include:
Please subscribe to the CISO Tradecraft LinkedIn Group to get even more great content CISA Ransomware Guide Link | |||
20 Mar 2023 | #121 - Legal Questions (with Evan Wolff) | 00:38:29 | |
Have you ever wanted to get a legal perspective on cybersecurity? On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others. He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general counsel. Please enjoy. Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh Chapters
| |||
12 Sep 2022 | #95 - Got any Data Security (with Brian Vecci) | 00:45:35 | |
Special Thanks to our podcast Sponsor, Varonis. Please check out Varonis's Webpage to learn more about their custom data security solutions and ransomware protection software. On this episode Brian Vecci (Field CTO of Varonis) stops by CISO Tradecraft to discuss all things Data Security. He highlights the top 3 things every CISO needs to balance with regards to data security (Productivity, Convenience, and Security). He also discusses the most important security questions we need to understand:
Enjoy the show and please share it with others. Also don't forget to follow the LinkedIn CISO Tradecraft Page to get more great content.
| |||
31 Jan 2022 | #63 - Flirting with Disaster | 00:26:22 | |
As a cyber executive you should expect disaster and disruption. When these unfortunate events occur, you can protect the business by maintaining critical business functions, ensuring employees are able to access an alternate work facility, and providing vital records to perform business functions. The secret to accomplishing these objectives can be found in three important documents. Those being a Business Continuity Plan, Disaster Recovery Plan, & a Business Impact Analysis. Enjoy the show as we walk you through them. FEMA BCP Example https://arlingtonva.s3.amazonaws.com/wp-content/uploads/2019/08/COOP-Template-Business-Continuity.pdf IBM Disaster Recovery Plan https://www.ibm.com/docs/en/i/7.1?topic=system-example-disaster-recovery-plan Fire Drills https://en.wikipedia.org/wiki/Fire_drill Business Impact Analysis https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf Infographic: | |||
04 Jul 2022 | #85 - The Fab 5 Security Outcomes Study (with Helen Patton) | 00:44:20 | |
On this episode of CISO Tradecraft, we feature Helen Patton. Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco. -Is technical acumen needed for CISOs? -Surviving organizational politics (34:45) Helen discusses The Fab 5 Security Outcomes study. Volume 1 Study - Link Volume 2 Study - Link | |||
17 Apr 2023 | #125 - Cyber Ranges (with Debbie Gordon) | 00:44:11 | |
Are you worried about cyber threats and data breaches? Do you want to build a strong cybersecurity program to protect your organization? Look no further! In this episode of CISO Tradecraft, G Mark Hardy and Debbie Gordon discuss the three dimensions of an effective Information Security Management System: Policy, Practice, and Proof. G Mark emphasizes the importance of having a proper cybersecurity policy that references information security controls or outcome-driven statements. However, it's not enough to have policies on paper; organizations need to practice what's on paper to be prepared for cyber events. This is where ranges come in. Ranges are a full replica of an enterprise network with real tools, traffic, and malware. They allow teams to practice detecting and responding to attacks in a safe environment. Debbie Gordon, founder of Cloud Range, explains how ranges can help organizations accelerate experience and reduce risk in cybersecurity. She emphasizes the importance of educating an organization's user base to become the first and last lines of defense against cyber threats. By training non-technical executives to spot suspicious activity and bring it to the attention of the security team, organizations can minimize the damage caused by phishing attacks, ransomware, and other cyber threats. Gordon also highlights the importance of team training in cybersecurity because it's not just about individual skills, but also about how teams work together to respond to threats. By practicing together in a range environment, organizations can improve their processes, handoffs, and speed in detecting and responding to attacks. Special thanks to our sponsor Cloud Range Cyber for supporting this episode. Website: www.cloudrangecyber.com Email: info@cloudrangecyber.com Full Transcripts: https://docs.google.com/document/d/1yWenwauzfAiQYafFW0Iew33vbzvlO2BO Chapters
| |||
05 Dec 2022 | #107 - Consolidating Vulnerability Management (with Jeff Gouge) | 00:42:43 | |
Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management. We also thank our sponsor Nucleus Security for supporting this episode. Consistently tracking and prioritizing vulnerabilities is a difficult problem. This episode talks about it in detail and helps you increase your understanding in:
Note a Full Transcript of this podcast can be found here: https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/ | |||
13 Jun 2022 | #82 - Cyber Defense Matrix (with Sounil Yu) | 00:50:34 | |
This episode is sponsored by Varonis. You can learn more on how to reduce your ransomware radius by performing a free ransomware readiness assessment Link This episode of CISO Tradecraft has Sounil Yu talk about his new book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape". Sounil reviews the Cyber Defense Matrix in depth. We discuss how the Cyber Defense Matrix can be used for:
You can purchase Sounil's new book here Link
| |||
28 Oct 2024 | #204 - Shadows and Zombies in the Data Center | 00:23:53 | |
In this special Halloween episode of CISO Tradecraft, host G Mark Hardy delves into the lurking dangers of Shadow IT and Zombie IT within organizations. Learn about the origins, risks, and impacts of these hidden threats, and discover proactive measures that CISOs can implement to safeguard their IT ecosystems. Strategies discussed include rigorous asset management, automation, and comprehensive compliance reviews. Tune in for insights to foster a secure, compliant, and efficient IT environment, and don't miss out on an exclusive opportunity to join a cybersecurity conference aboard a luxury cruise.
Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10
Transcripts: https://docs.google.com/document/d/1lh-TQhaSOIA2rITaXgTaqugl7FRGevnn
Chapters
| |||
15 May 2023 | #129 - Protecting Your Family | 00:45:09 | |
Are you looking for ways to protect your most valuable asset? In this episode, G Mark Hardy argues that our most valuable asset is our family, not the crown jewels or critical assets of a corporation. He emphasizes the importance of managing money, having an emergency fund, obtaining life insurance, building retirement savings, protecting against credit card fraud, and creating a plan for your children's digital life. Special thanks to our sponsor Risk3Sixty for supporting this episode. You can learn more about them from the Risk3Sixty Website: https://tinyurl.com/yc4xv7bj Full Transcript: https://docs.google.com/document/d/1vVASHmOV7n7Js0luDF1kWBF3qoytDnTy Chapters
| |||
13 May 2024 | #181 - Inside the 2024 Verizon Data Breach Investigations Report | 00:24:38 | |
In this episode of CISO Tradecraft, host G Mark Hardy discusses the findings of the 2024 Verizon Data Breach Investigations Report (DBIR), covering over 10,000 breaches. Beginning with a brief history of the DBIR's inception in 2008, Hardy highlights the evolution of cyber threats, such as the significance of patching vulnerabilities and the predominance of hacking and malware. The report identifies the top methods bad actors use for exploiting companies, including attacking VPNs, desktop sharing software, web applications, conducting phishing, and stealing credentials, emphasizing the growing sophistication of attacks facilitated by technology like ChatGPT for phishing and deepfake tech for social engineering. The episode touches on various cybersecurity measures, the omnipresence of multi-factor authentication (MFA) as a necessity rather than a best practice, and the surge in denial-of-service (DDoS) attacks. Hardy also discusses generative AI's role in enhancing social engineering attacks and the potential impact of deepfake content on elections and corporate reputations. Listeners are encouraged to download the DBIR for a deeper dive into its findings. Transcripts: https://docs.google.com/document/d/1HYHukTHr6uL6khGncR_YUJVOhikedjSE Chapters
| |||
18 Jul 2021 | #38 - CMMC and Me | 00:31:23 | |
This episode of CISO Tradecraft discusses CMMC. The Cybersecurity Maturity Model Certification (CMMC), is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties. The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam. CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards. In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them. We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense. | |||
22 May 2023 | #130 - Financial Planning (with Logan Jackson) | 00:50:55 | |
Learn how to unlock financial success with key strategies by Logan Jackson from Ray Capital Advisors. Logan highlights how to set clear goals, choose the right asset class, diversify your portfolio for stability and growth, build a well-diversified investment portfolio to create wealth and mitigate risk, take control of your financial future through retirement planning and goal setting, & leverage tax loss harvesting. He also discusses how to prioritize tax planning, understand the impact of behavioral finance, seek professional money management, navigate conflicts of interest in financial planning, and discover hidden wealth advisors for personalized guidance. Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their Security Program Maturity Presentation for CISOs: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=template Also if you would like to contact Logan Jackson please use his contact page at: https://www.raycapitaladvisors.com/ Full Transcripts: https://docs.google.com/document/d/1DLXnE5PTm4tDbONRSBarMa-1T8aduztf Chapters
| |||
18 Dec 2020 | #8 - Crucial Conversations | 00:56:47 | |
CISOs often encounter situations where everyone has a different opinion, it's a high stakes decision, and emotions are running high. These situations create crucial conversations opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8 step process from the book, "Crucial Conversations."
We recommend you visit the following Crucial Conversations Website to learn more https://www.vitalsmarts.com/crucial-conversations-training/ The Crucial Conversation Book can be found on Amazon https://www.amazon.com/dp/0071771328/ref=cm_sw_em_r_mt_dp_0Cj3FbY9KA429 Chapters
| |||
31 Jul 2023 | #140 - Bobby the Intern | 00:38:48 | |
Don't let Bobby the Intern cause havoc in your network. On this episode of CISO Tradecraft, G Mark Hardy discusses the importance of training new hires in cybersecurity to create a strong security culture within an organization. The focus is on shaping employees' behavior and beliefs to enhance the overall cybersecurity posture. Special Thanks to our Two Sponsors: 1) The Chertoff Group: www.chertoffgroup.com 2) Prelude: https://www.preludesecurity.com/ Transcripts: https://docs.google.com/document/d/1Z4ftmqZdUMkxD6ATRRLp0EmO_DVluQ4n Chapters
| |||
06 May 2024 | #180 - There's Room For Everybody In Your Router (with Giorgio Perticone) | 01:06:55 | |
In this joint episode of the Security Break podcast and CISO Tradecraft podcast, hosts from both platforms come together to discuss a variety of current cybersecurity topics. They delve into the challenge of filtering relevant information in the cybersecurity sphere, elaborate on different interpretations of the same news based on the reader's background, and share a detailed analysis on specific cybersecurity news stories. The discussion covers topics such as the implications of data sharing without user consent by major wireless providers and the fines imposed by the FCC, the significance of increasing bug bounty payouts by tech companies like Google, and a comprehensive look at how edge devices are exploited by hackers to create botnets for various cyberattacks. The conversation addresses the complexity of the cybersecurity landscape, including how different actors with varied objectives can simultaneously compromise the same devices, making it difficult to attribute attacks and protect networks effectively. Transcripts: https://docs.google.com/document/d/1GtFIWtDf_DSIIgs_7CizcnAHGnFTTrs5 Chapters
| |||
07 Aug 2023 | #141 - Emerging Risks (with The Chertoff Group) | 00:41:30 | |
On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company. Special Thanks to our Sponsors:
Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/ Chapters
| |||
10 Jun 2024 | #185 - Ethics and Artificial Intelligence (AI) | 00:46:38 | |
In this episode of CISO Tradecraft, host G Mark Hardy delves into the complex intersection of ethics and artificial intelligence. The discussion covers the seven stages of AI, from rule-based systems to the potential future of artificial superintelligence. G Mark explores ethical frameworks, such as rights-based ethics, justice and fairness, utilitarianism, common good, and virtue ethics, and applies them to AI development and usage. The episode also highlights ethical dilemmas, including privacy concerns, bias, transparency, accountability, and the impacts of AI on societal norms and employment. Learn about the potential dangers of AI and how to implement and control AI systems ethically in your organization.
Transcripts: https://docs.google.com/document/d/10AhefqdhkT0PrEbh8qBZVn9wWS6wABO6 Chapters
| |||
31 Oct 2022 | #102 - Mentorship, Sponsorship, and A Message to Garcia | 00:38:47 | |
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well.) Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work. Today we're going to give you a template for creating a personal development plan you can use with your team. I also want to introduce you to a booklet that I keep on my desk. It was written in 1899. Do you have any idea what it might be? Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own. Let's take a moment to hear from today's sponsor Obsidian Security. Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves. But success shouldn't be a secret. As Tony Robbins said, "success leaves clues." One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship. But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen. Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.

Definitions
Let's start with what a mentor is. The dictionary definition is "an experienced and trusted adviser." My definition is it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé. Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids.
You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.

Mentor
Let's talk about the who, what, when, why, and how of being a mentor. The WHO part is someone with experience and wisdom willing to share insights. Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom should you meet and why. The WHEN portion of mentoring is usually a condition of the type of relationship. A traditional one-on-one mentor relationship may be established formally or informally. We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor. I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly. Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth. [Irish whiskey story] The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance. Mentoring is not like doing the dishes where anyone can do a competent job. It requires empathy, communication skills, wisdom, and time commitment. I'm at the point in my life and career where I actively try to help others who are not as old as I am. Many times, that's appreciated, but some people seem to prefer to make all of their own mistakes and resist the effort. Oh, well. As my Latin teacher used to say, "suum cuique" -- to each their own. Finally, the HOW.
Mentors should prioritize their sessions by preparing in advance and setting aside time without interruptions. Establish an agenda based upon specific requirements -- not just what the protégé wants but what the mentor believes he needs. Martina Bretous published an article on HubSpot where she points out ten ways to be an amazing mentor:
In summary, if you want to be a mentor and seek out the right people in whom to invest your time, here's a short checklist. Look for protégés with a strong work ethic -- people who have built a reputation of delivering on time on budget. Select only those people of the proper character -- you don't want to be teaching a sociopath how to take over the organization. And you'll find you work better with others who share similar values. If you value hard work, honesty, humility, and perseverance, look for those characteristics, or at least the potential to develop those characteristics, in your potential mentee. We all know how hard it is to change ourselves. Think about how much harder it is to change someone else. In the end, you're just showing the way and it's up to the other person to take the appropriate actions, but you want to build a winning record of successful mentorships -- it doesn't help your own career if you're viewed as the incubator of failure.

Protégé
As listeners of this show, you are likely in a position to be a mentor. But that doesn't mean you can't benefit from having a mentor yourself. Let's look at the who, what, when, why, and how of being a protégé. The WHO is someone who can gain insight from a relationship with someone farther along in a given path. Mentees may be assigned a mentor relationship, or they may seek out that relationship on their own. Both are valid paths, and even if a formal program exists it's often up to the mentee to select from available mentors. It doesn't always work the other way around [Navy mentor story.] The WHAT is the reason for participating in this type of relationship. Usually, it's to gain insight into career and professional goals, but as I mentioned earlier, it can be about most anything where you could learn from someone who's not in the role of a teacher or supervisor. WHEN should you seek the advice of a mentor?
Well, there's probably never a time NOT to seek advice, but if you're heads-down in a long project that you enjoy or find yourself in a position where you're content and soon winding down your career, then I suppose you're fine going it alone. Otherwise, after you've been in a position for a year or so and you've figured out your current role and how you fit in, that might be a suitable time to start looking for a mentor. I think the WHY is obvious, but let's address it. No one knows everything, but someone usually knows what you need. Seeking a mentor is a rational way of gaining insights that can help move your career along. And HOW do you become a protégé? You need to a-s-k to g-e-t. Potential mentors are usually busy people -- they don't go looking for more things to add to an already overwhelming calendar. That said, the saying "if you want something done, give it to a busy person" is often true, because busy people are in the business of making things happen. If your organization offers a mentorship program, jump at the opportunity. Just make sure that the person with whom you are paired has the time, the expertise, and the interest to help you in your career. When searching for a mentor, remember that you should have a clear goal in mind. "Hey, I need a mentor" isn't very specific, and the Mr. Rogers' "won't you be my mentor?" isn't very compelling. Rather, start with a specific objective. For example, it could be, "how do I become fully qualified to become a first-line manager?" or "what does this organization look for when selecting a C-level executive?" Once you have your goal, you can start your search, but remember that you need to stay professional. You're not seeking a drinking buddy -- a mentor rarely is a peer (although technically I have heard of peer-to-peer mentoring, but that runs the risk of the parable of the two blind men who both fall into a ditch.) You want someone with relevant knowledge and experience.
And ideally first develop a working relationship before you pop the question. A busy mentor will feel more comfortable working with a known quantity than being left to wonder if this person represents a reputational risk. Let's turn our conversation now to sponsors.

Sponsors
Executive coach May Busch recommends forming a career board of directors to advance your career. She points out that you need both mentors and sponsors -- sponsors are those in your organization with sufficient clout to put you into key assignments and can advocate behind closed doors for your career advancement. Wow -- sounds great; where do I sign up? The issue is that you typically can't recruit sponsors; they come looking for you. Like a mentee, a "sponsee" represents potential risk to sponsors -- they are putting their own credibility with peers on the line by advocating for you. If you crash and burn, you both lose. Like any sales effort, you shouldn't put all of your eggs in a single basket, so if you want to identify a potential sponsor, look for a couple of candidates. Now, where you work there may be exactly one person who controls the vertical and the horizontal, but in most matrixed organizations, there is a range of opportunities to find advocacy. Find out who is senior enough to influence the decisions that can affect your career and also whether they are "in on things" to ensure that recommendations move you in the right direction. There are people who continue to serve past their key roles -- often called "emeritus" as an honorary title, but they probably aren't keeping up with the details. Look for someone who is still actively "in the game." And, like finding a mentor, you must identify a natural link between their business interests and your interests. Now, the intersection of all these criteria might yield exactly zero people, and if so, it's up to you to figure out your own way forward. But if you do identify potential sponsors, you need to attract their attention. But how?
Your potential sponsors need to see you in action. Find ways to deliver executive presentations where they are present or participate in working groups and let the quality of your work differentiate you from peers. Circulate innovative ideas that represent a step forward for your organization. The result of these efforts should be to get you noticed. Note also that you can do this for members of your team. You may want to sponsor them for bigger and better things but don't have the organizational capital to make it happen on your own initiative. By placing your best people in front of these more powerful decision-makers, you can facilitate their sponsorship when one of them decides this person should be going places. Now, it's not just about performance. During COVID, most of us got comfortable working in bunny slippers from home, but that's not going to differentiate you to a potential sponsor. If you want to convince executives that you're C-level material, then you need to consistently look the part. Check your appearance. Do you look like the other executives in your organization? I spent 30 years in the military, so part of that "look" was proper grooming, a pressed neat uniform, and being physically fit. I remember my last semiannual physical fitness test -- I scored 295 out of 300 points and the young Sailor taking scores remarked, "not bad for an old man." But looking the part is important if you are going to present yourself as a leader. [story at CNL -- overweight memorandum.] Now, I suppose if you work in a dot com startup and the founders all wear t-shirts and jeans every day, then wearing a three-piece suit is not going to help. But find a way to align with the organization's senior leadership culture so that you don't look like an outsider, which translates into risk. Make sure your office space isn't full of junk and clutter and your home background on Zoom calls looks like a professional office space (or at least blur out the background.)
Better yet, use a corporate-logo themed background which says, "I'm on the team." Okay, so let's say you've done all this and are now looking like you just came out of casting for The West Wing and you're sufficiently visible to senior executives. Beyond looking the part, you need to act the part. Sit up straight in meetings; don't fiddle with your phone when executives are in the room, no matter how boring the conversation may be at that moment. I remember back in 2000 when I was working at a startup, our CEO nearly lost our biggest client because she couldn't put down her Blackberry when we were briefing the client's head of security. He was a retired Navy captain and remarked to me privately (as a fellow Navy officer) how offended he was that this person couldn't be bothered to put down that phone for half an hour and focus on the conversation. Better yet? There is a superpower that few people have but you could master if you're a phone addict -- leave your phone on your desk when you go to a meeting. That's right -- separate yourself from your "life support unit." Now, in some circumstances you feel you need it because, "what if they ask who's available for a meeting next week and I don't have my calendar?" Bring your laptop or tablet instead, and only consult it when you're asked something that needs looking up to answer. Remember, even a CEO doesn't get a pass on distractions when your biggest client is in the room. In addition to looking the part and acting the part, you need to deliver. Make sure your work is exceptional and error-free. At the Pentagon we had a term -- "finished staff work." It means that what you turn in is correct, complete, and free of grammatical or typographical errors EVERY TIME. That's a tough discipline. I was a computer science and mathematics major at Northwestern, and there was nothing I wanted to avoid more than an English composition or writing class -- after all, I was going to be a technologist. 
Years later when I joined the staff of Booz|Allen, I saw the importance of mastering a professional writing style. As a consultant, you live or die by the pen -- how well you write proposals and deliverables. As I became more senior in both my civilian as well as my military career, I kept improving that ability to write well. A small but powerful book you should own and master is Strunk and White's The Elements of Style. It's the most succinct summary of writing rules I've read -- think of it as a syntax guide to the English language. Granted, some of these conventions are considered quaint or even obsolete -- the Oxford comma and two spaces after a sentence, but I still write that way. There's no reason if you can write a program that will compile (or if you're a Python programmer, not throw a Syntax Error) that you cannot write English with the same consistency. May Busch points out that there are four mistakes you can make that will ruin your attempts to attract a sponsor. One, which seems obvious, is that you're perceived as lacking potential. Note I said "perceived." I think all of us have slightly inflated expectations of ourselves -- that's called a healthy ego, but let's face it: some people are rightly classified as low potential, high achievers -- they work really hard to achieve mediocre results. "But I do consistently outstanding work at my current job!" Okay, I'll give you that. But remember -- we're talking about getting a sponsor for the NEXT job, and if you're not virtue signaling that you can perform at the next level, then a wise boss is likely to leave you where you are -- delivering consistently outstanding work. Remember my four-phase career model: technical, management, leadership, political? You can often move easily within one of those phases without sponsorship, but to get to the next level usually requires something or someone external to yourself. 
The second disqualifier is to be seen as "selectively motivated," meaning you only put forth full effort at the last minute. It's somewhat of a synonym for a procrastinator -- many of us know there's nothing like the last minute to make sure things get done. Sure, there are important things that are urgent, but if your MO is to goof off until just before a deadline and then rush out a finished product, that calls into question your long-term reliability for more responsible assignments. The third disqualifier is lack of self-confidence. If you present yourself as hesitant and uncertain, you do not inspire confidence. "Do you think, umm, maybe we might possibly consider doing this?" is not as reassuring as, "Here's what we're going to do." I'm not advocating for arrogance here; but if you secretly worry about imposter syndrome or a belief that you're not as good as others perceive you to be, then that's likely to leak out in your words and actions and cause potential sponsors to pause. The fourth way you can discourage a potential sponsor is to be inappropriate. You say and do the wrong things at the wrong time to the wrong people. You put your feet up on the conference table or make inappropriate or even offensive jokes when no one was looking for that type of input. Walking up to a senior executive and saying, "won't you be my sponsor?" is another example. It's fine for Mr. Rogers to ask, "won't you be my neighbor?" but as you know by now, you have to become the one who attracts attention, not demands it.

Being Inspirational
One of the best ways to help others move forward is to show them an example of what represents success. I mentioned earlier the booklet that sits on my desk -- have you figured out what it might be? It's "A Message to Garcia" written by Elbert Hubbard, the founder of the Roycrofters in East Aurora NY. Hubbard was a writer, publisher, artist, and philosopher, who wrote that he sat down and penned this essay after dinner in under an hour.
What started as an article in his magazine grew rapidly. After receiving requests for a thousand copies of that issue, he inquired as to the reason. "It's the stuff about Garcia." The New York Central Railroad reprinted over one million copies in booklet form. The Director of Russian Railways, who was in New York at the time, was so impressed that when he returned to Moscow he ensured a translated copy was given to every railroad employee in Russia. Every Russian soldier in the Russo-Japanese war had a copy, and when the Japanese officials noted Russian prisoners of war all carried it, they concluded it must be a good thing, translated it into their language and gave copies to every employee of the Japanese government. By December 1913, over forty million copies of A Message to Garcia had been printed. Tragically, Hubbard died on the 7th of May 1915 as a passenger onboard RMS Lusitania, which was torpedoed by a German U-boat. I have a number of his publications, but this is the one that I reread the most. It's not that long -- less than fifteen hundred words, and if you haven't heard it before, you should, and if you have heard it before and you're like me, you'll want to hear it again. Remember, the context is 1899. Here is…

A Message to Garcia
By Elbert Hubbard

In all this Cuban business there is one man stands out on the horizon of my memory like Mars at perihelion. When war broke out between Spain and the United States, it was very necessary to communicate quickly with the leader of the Insurgents. Garcia was somewhere in the mountain vastness of Cuba- no one knew where. No mail nor telegraph message could reach him. The President must secure his cooperation, and quickly. What to do! Some one said to the President, "There’s a fellow by the name of Rowan will find Garcia for you, if anybody can." Rowan was sent for and given a letter to be delivered to Garcia.
How "the fellow by the name of Rowan" took the letter, sealed it up in an oil-skin pouch, strapped it over his heart, in four days landed by night off the coast of Cuba from an open boat, disappeared into the jungle, and in three weeks came out on the other side of the Island, having traversed a hostile country on foot, and delivered his letter to Garcia, are things I have no special desire now to tell in detail. The point I wish to make is this: McKinley gave Rowan a letter to be delivered to Garcia; Rowan took the letter and did not ask, "Where is he at?" By the Eternal! there is a man whose form should be cast in deathless bronze and the statue placed in every college of the land. It is not book-learning young men need, nor instruction about this and that, but a stiffening of the vertebrae which will cause them to be loyal to a trust, to act promptly, concentrate their energies: do the thing- "Carry a message to Garcia!" General Garcia is dead now, but there are other Garcias. No man, who has endeavored to carry out an enterprise where many hands were needed, but has been well nigh appalled at times by the imbecility of the average man- the inability or unwillingness to concentrate on a thing and do it. Slip-shod assistance, foolish inattention, dowdy indifference, and half-hearted work seem the rule; and no man succeeds, unless by hook or crook, or threat, he forces or bribes other men to assist him; or mayhap, God in His goodness performs a miracle, and sends him an Angel of Light for an assistant. You, reader, put this matter to a test: You are sitting now in your office- six clerks are within call. Summon any one and make this request: "Please look in the encyclopedia and make a brief memorandum for me concerning the life of Correggio". Will the clerk quietly say, "Yes, sir," and go do the task? On your life, he will not. He will look at you out of a fishy eye and ask one or more of the following questions: Who was he? Which encyclopedia? 
Where is the encyclopedia? Was I hired for that? Don’t you mean Bismarck? What’s the matter with Charlie doing it? Is he dead? Is there any hurry? Shan’t I bring you the book and let you look it up yourself? What do you want to know for? And I will lay you ten to one that after you have answered the questions, and explained how to find the information, and why you want it, the clerk will go off and get one of the other clerks to help him try to find Garcia- and then come back and tell you there is no such man. Of course I may lose my bet, but according to the Law of Average, I will not. Now if you are wise you will not bother to explain to your "assistant" that Correggio is indexed under the C’s, not in the K’s, but you will smile sweetly and say, "Never mind," and go look it up yourself. And this incapacity for independent action, this moral stupidity, this infirmity of the will, this unwillingness to cheerfully catch hold and lift, are the things that put pure Socialism so far into the future. If men will not act for themselves, what will they do when the benefit of their effort is for all? A first-mate with knotted club seems necessary; and the dread of getting "the bounce" Saturday night, holds many a worker to his place. Advertise for a stenographer, and nine out of ten who apply, can neither spell nor punctuate- and do not think it necessary to. Can such a one write a letter to Garcia? "You see that bookkeeper," said the foreman to me in a large factory. "Yes, what about him?" "Well he’s a fine accountant, but if I’d send him up town on an errand, he might accomplish the errand all right, and on the other hand, might stop at four saloons on the way, and when he got to Main Street, would forget what he had been sent for." Can such a man be entrusted to carry a message to Garcia? 
We have recently been hearing much maudlin sympathy expressed for the "downtrodden denizen of the sweat-shop" and the "homeless wanderer searching for honest employment," and with it all often go many hard words for the men in power. Nothing is said about the employer who grows old before his time in a vain attempt to get frowsy ne’er-do-wells to do intelligent work; and his long patient striving with "help" that does nothing but loaf when his back is turned. In every store and factory there is a constant weeding-out process going on. The employer is constantly sending away "help" that have shown their incapacity to further the interests of the business, and others are being taken on. No matter how good times are, this sorting continues, only if times are hard and work is scarce, the sorting is done finer- but out and forever out, the incompetent and unworthy go. It is the survival of the fittest. Self-interest prompts every employer to keep the best- those who can carry a message to Garcia. I know one man of really brilliant parts who has not the ability to manage a business of his own, and yet who is absolutely worthless to any one else, because he carries with him constantly the insane suspicion that his employer is oppressing, or intending to oppress him. He cannot give orders; and he will not receive them. Should a message be given him to take to Garcia, his answer would probably be, "Take it yourself." Tonight this man walks the streets looking for work, the wind whistling through his threadbare coat. No one who knows him dare employ him, for he is a regular fire-brand of discontent. He is impervious to reason, and the only thing that can impress him is the toe of a thick-soled No. 9 boot. 
Of course I know that one so morally deformed is no less to be pitied than a physical cripple; but in our pitying, let us drop a tear, too, for the men who are striving to carry on a great enterprise, whose working hours are not limited by the whistle, and whose hair is fast turning white through the struggle to hold in line dowdy indifference, slip-shod imbecility, and the heartless ingratitude, which, but for their enterprise, would be both hungry and homeless. Have I put the matter too strongly? Possibly I have; but when all the world has gone a-slumming I wish to speak a word of sympathy for the man who succeeds -- the man who, against great odds has directed the efforts of others, and having succeeded, finds there’s nothing in it: nothing but bare board and clothes. I have carried a dinner pail and worked for day’s wages, and I have also been an employer of labor, and I know there is something to be said on both sides. There is no excellence, per se, in poverty; rags are no recommendation; and all employers are not rapacious and high-handed, any more than all poor men are virtuous. My heart goes out to the man who does his work when the "boss" is away, as well as when he is at home. And the man who, when given a letter for Garcia, quietly takes the missive, without asking any idiotic questions, and with no lurking intention of chucking it into the nearest sewer, or of doing aught else but deliver it, never gets "laid off," nor has to go on a strike for higher wages. Civilization is one long anxious search for just such individuals. Anything such a man asks shall be granted; his kind is so rare that no employer can afford to let him go. He is wanted in every city, town and village- in every office, shop, store and factory. The world cries out for such: he is needed, and needed badly- the man who can carry a message to Garcia.

-THE END-

In 2009 as president of the Association of the United States Navy, I wrote a short article entitled "A New Message to Garcia."
There I called out the actions of a Sailor who went above and beyond what was expected without even being asked. I hope he went on to bigger and better things because he had the right stuff.

Take Action
Let's put all of this together. One of the best ways to formalize mentoring is to create a written performance development plan. We've included a sample template in the show notes. This is a way to memorialize conversations with SMART goals -- you remember, specific, measurable, achievable, relevant, and time-bound? If you are a mentor, you can use this as a template for your counseling sessions. If you are a mentee and there is no template in your organization, feel free to introduce this to your mentor -- you're showing initiative and creating potential value for more people than just yourself. By putting goals in writing, they experience a magical transformation. It was Napoleon Hill who wrote that "a goal is a dream with a deadline." Until you write it down, it's easy to find other things that seem more important or urgent at the moment. In addition, a written set of goals offers accountability -- it's a commitment between mentor and mentee that can be honored like a contract. Start with the manager's organizational priorities and goals that provide a context for the session. For example, if you are in the cybersecurity organization, these could be things such as, "create a cyber vigilant organization," "enable cybersecurity controls and compliance," and "safeguard the organization against major threats." Each of these could have subgoals that get into a little more detail -- awareness training for users, secure coding training for developers, establishing a governance structure around cyber risk. This requires inside knowledge, and if the mentor is within the same organization, it shouldn't be too difficult to ascertain.
In addition, if the mentor is the supervisor, then even better -- this shows how the protégé's goals fit in with the boss's vision of what should happen. Better to find out early on that an idea isn't practical than to spend a year working on it only to find out it will never be implemented. Next, the protégé lists individual development goals. Not too many, especially if you are meeting quarterly. Two or three may be sufficient. If there are too many things to work on, the natural tendency is to go for those that are easiest, which may not be the ones that are the most important. Next comes the BHAG -- the big, hairy, audacious goal -- the one that will represent a signature accomplishment. Chances are, this won't happen in a month or a quarter, but it's perfectly reasonable for an annual cycle to align with performance reviews to specify a stretch goal. And by doing it in writing and knowing someone is holding accountability, it's more likely to happen. When it comes to making progress, actions can be separated into experiences, relationships, and learning. Most of our progress is done through experience, so list multiple experiences that one expects to accomplish before the next session. It can be part of a larger goal -- work on the team deploying a SIEM or complete a particular phase of a larger project. This is where the majority of the accountability will reside -- did you complete what you set out to do? It's helpful to be a bit aspirational, but this isn't another set of stretch goals. List at least two relationship improvement opportunities -- these can be key relationships or even potential sponsors. For example, it could include the head of a particular business unit that has specific security requirements -- that meeting would help address those concerns and provide an opportunity for the person seeking visibility. Lastly, include learning opportunities. Not all of us are going to school full-time, but we all should be working on self-improvement.
For example, you might set a goal to complete the next course in your degree program or take the exam that grants a particular certification. What you have is a template for action and professional growth. The action comes from the accountability of a written document, and the growth comes from the joint goal-setting that takes place under the guidance of a mentor. Don't just file it away with the rest of your paperwork -- put it where you'll see it every day and challenge yourself to check off another accomplishment by week's end. By encouraging this culture of accomplishment, you'll significantly increase the probability of success.
Conclusion
Inside the front cover of my Garcia booklet is a short essay entitled "Initiative." Let me leave you with this as a final thought: The world bestows its big prizes, both in money and in honors, for but one thing. And that is Initiative. What is Initiative? I'll tell you: it is doing the right thing without being told. But next to doing the thing without being told is to do it when you are told once. That is to say, carry the Message to Garcia: those who can carry a message get high honors, but their pay is not always in proportion. Next, there are those who never do a thing until they are told twice; such get no honors and small pay. Next, there are those who do the right thing only when necessity kicks them from behind, and these get indifference instead of honors, and a pittance for pay. This kind spends most of its time polishing a bench with a hard-luck story. Then, still lower down in the scale than this, we have the fellow who will not do the right thing even when some one goes along to show him how and stays to see that he does it; he is always out of a job, and receives the contempt he deserves, unless he happens to have a rich Pa, in which case Destiny patiently awaits around a corner with a stuffed club. To which class do you belong? Thank you for listening to CISO Tradecraft; we hope you've found this show valuable.
If you learned something that you like, please help us by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders. The more CISOs we can help, the more businesses we can protect. This is your host, G. Mark Hardy. Thanks again for listening and stay safe out there. References:
Example: Individual Performance Plan
Name: ________________________________ Date: ________________
Leadership's Cyber Priorities and Goals
Individual Development Goals
Signature Accomplishment
Actions I am taking this year (How)
Relationships (20%)
Learning (10%)
Support Needed from My Manager
| |||
13 Dec 2021 | #56 - Say Firewall One More Time | 00:31:28 | |
Have you ever heard someone say our firewalls block this type of attack? In this episode, you can increase your understanding of firewalls so it won’t just be another buzzword. 6 Basic categories of firewalls that we discuss on the show include:
References - sitereview.bluecoat.com Infographics: | |||
11 Apr 2022 | #73 - Wonderful Winn Schwartau | 00:47:18 | |
Winn Schwartau is a well-recognized icon in the cybersecurity community, and also a dear friend for over 25 years. Always one to stir the pot and offer radical ideas (many of which come true), we discuss Hacker Jeopardy, INFOWARCON, his books "Pearl Harbor Dot Com", "Time-Based Security", and his magnum opus "Analog Security." We speculate on the future of our industry with respect to quantum and probabilistic computing, and after hanging up his pen, it looks like he's doing a Tom Brady and writing one more amazing book. **Warning Adult Language** Winn's Website Link | |||
13 Jan 2025 | #215 - CISO Predictions for 2025 | 00:18:35 | |
In this episode of CISO Tradecraft, host G Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.
Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10
Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy Chapters
| |||
14 Oct 2024 | #202 - Cybersecurity Crisis: Are We Failing the Next Generation? | 00:45:09 | |
In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges and misconceptions facing the next generation of cybersecurity professionals. The discussion covers the myth of a talent shortage, the shortcomings of current educational and certification programs, and the significance of aligning curricula with real-world needs. Hardy emphasizes the importance of hands-on experience, developing soft skills, and fostering continuous learning. The episode also highlights strategies for retaining talent, promoting internal training, and creating leadership opportunities to cultivate a skilled and satisfied cybersecurity workforce. Transcripts: https://docs.google.com/document/d/12fI2efHXuHR4dS3cu7P0UIBCtjBdgREI Chapters
| |||
26 Aug 2024 | #195 - Pentesting for Readiness not Compliance (with Snehal Antani) | 00:47:48 | |
In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Snehal Antani, co-founder of Horizon3.AI, to discuss the crucial interplay between offensive and defensive cybersecurity tactics. They explore the technical aspects of how observing attacker behavior can enhance defensive strategies, why traditional point-in-time pen testing may be insufficient, and how autonomous pen testing can offer continuous, scalable solutions. The conversation delves into Snehal’s extensive experience, the importance of readiness over compliance, and the future of cybersecurity tools designed with humans out of the loop. Tune in to learn how to elevate your cybersecurity posture in a rapidly evolving threat landscape. Horizon3 - https://www.horizon3.ai Snehal Antani - https://www.linkedin.com/in/snehalantani/ Transcripts: https://docs.google.com/document/d/1IFSQ8Uoca3I7TLqNHMkvm2X-RHk8SWpo Chapters:
| |||
09 Sep 2024 | #197 - Fedshark's Blueprint for Cost Effective Risk Reduction | 00:46:27 | |
Join host G Mark Hardy as he dives deep into the complexities of compliance and reporting, featuring special guests Brian Bradley and Josh Williams from FedShark. Discover a unique and streamlined approach to compliance using FedShark's innovative tools and AI-assisted systems. Learn about their exclusive offers for CISO Tradecraft listeners, including free downloads and discounted pre-assessment tools. Topics covered include CMMC, HIPAA, PCI, and more. Whether you're part of the Defense Industrial Base or dealing with multiple compliance frameworks, this episode is packed with practical advice to make your compliance journey smoother and more effective. Thanks to our podcast sponsor, Fedshark CISO Tradecraft Promo & Link to CMMC White Papers: https://fedshark.com/ciso RapidAssess: https://fedshark.com/rapid-assess Company website: https://fedshark.com FedShark Blog: https://fedshark.com/blog Schedule a Demo: https://fedshark.com/contact-us LinkedIn Matt Beaghley: https://www.linkedin.com/in/mbeaghley/ LinkedIn Brian Bradley: https://www.linkedin.com/in/brian-bradley-97a82668/
Chapters
| |||
21 May 2021 | #30 - Cloud Drift (with Yoni Leitersdorf) | 00:42:57 | |
This episode is sponsored by Indeni. On this episode of CISO Tradecraft, G Mark Hardy discusses with Yoni Leitersdorf (CEO and CISO of Indeni) the risks which can occur in a cloud environment after it has been provisioned. It's quite common for organizations to change their cloud environment from what was declared in a Terraform or CloudFormation script. These unapproved cloud changes, or Cloud Drift, often create harmful misconfigurations and have the potential to create data loss events. The podcast discusses the pros and cons of two key approaches to solve the Cloud Drift problem:
The podcast features Yoni Leitersdorf. Yoni founded a company (Indeni) to address Cloud Drift and discusses the business point of view of why this is a critical concern for the business. If you would like to learn more about what Yoni is working on please check out Indeni
Yoni Leitersdorf can also be found on: LinkedIn | |||
03 Jan 2022 | #59 - CISO Knowledge Domains Part 1 | 00:15:33 | |
One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO? After a lot of reflection, CISO Tradecraft has put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs. This episode will go over just the first 5 knowledge areas with the remaining five on a future episode.
| |||
01 Apr 2024 | #175 - Navigating NYDFS Cyber Regulation | 00:33:24 | |
This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements. AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/ NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud Chapters
| |||
30 Oct 2023 | #153 - Game-Based Learning (with Andy Serwin & Eric Basu) | 00:46:13 | |
On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates. We also have a great discussion on how games can be applicable for Board Members and Techies. You just need to get the right type of game for the right audience and let the magic happen. Big Thanks to our Sponsors
Transcripts Prefer to watch on YouTube? Chapters
| |||
04 Apr 2022 | #72 - Logging In with SIEMs (with Anton Chuvakin) | 00:48:28 | |
On this episode of CISO Tradecraft, Anton Chuvakin talks about Logging, Security Information & Event Management (SIEM) tooling, and Cloud Security. Anton shares fantastic points of view on:
| |||
23 Sep 2024 | #199 - How to Secure Generative AI | 00:27:55 | |
Join G. Mark Hardy in Torremolinos, Spain, for a deep dive into the security of Generative AI. This episode of CISO Tradecraft explores the basics of generative AI, including large language models like ChatGPT, and discusses the key risks and mitigation strategies for securing AI tools in the workplace. G. Mark provides real-world examples, insights into the industry's major players, and practical steps for CISOs to balance innovation with security. Discover how to protect sensitive data, manage AI-driven hallucinations, and ensure compliance through effective governance and ethical guidelines. Plus, get a glimpse into the future of AI vulnerabilities and solutions in the ever-evolving tech landscape. References OWASP Top 10 LLM Risks https://genai.owasp.org/ Gartner CARE Standard - https://www.gartner.com/en/documents/3980890
Transcripts: https://docs.google.com/document/d/1V2ar7JBO503MN0RZcH7Q7VBkQUW9MYk6 Chapters | |||
01 Aug 2021 | #40 - Risky Business | 00:44:06 | |
In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information. | |||
11 Sep 2023 | #146 - Living in a Materiality World | 00:42:15 | |
Have you ever thought about what it means to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. regulators? Listen to today's show and increase your CISO Tradecraft.
Big Thanks to our Sponsors
Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr Link to FAIR-MAM https://www.fairinstitute.org/resources/fair-mam Chapters | |||
22 Apr 2024 | #178 - Cyber Threat Intelligence (with Jeff Majka & Andrew Dutton) | 00:45:33 | |
In this episode of CISO Tradecraft, host G Mark Hardy and guests Jeff Majka and Andrew Dutton discuss the vital role of competitive threat intelligence in cybersecurity. They explore how Security Bulldog's AI-powered platform helps enterprise cybersecurity teams efficiently remediate vulnerabilities by processing vast quantities of data, thereby saving time and enhancing productivity. The conversation covers the importance of diverse threat intelligence sources, including open-source intelligence and insider threat awareness, and the strategic value of AI in analyzing and prioritizing data to manage cybersecurity risks effectively. The discussion also touches on the challenges and potentials of AI in cybersecurity, including the risks of data poisoning and the ongoing battle between offensive and defensive cyber operations. The Security Bulldog: https://securitybulldog.com/contact/ Transcripts: https://docs.google.com/document/d/1D6yVMAxv16XWtRXalI5g-ZdepEMYmQCe Chapters
| |||
27 Jun 2022 | #84 - Gaining Trust (with Robin Dreeke) | 00:45:41 | |
On this episode of CISO Tradecraft we feature Robin Dreeke from People Formula. Robin was the former head of the FBI Counterintelligence Behavioral Analysis Program and has an amazing background in learning how individuals think, build trust, and communicate. Robin highlights 4 Pillars of Communicating:
To learn more about Robin's way of thinking you can check out his podcast and books: | |||
06 Jan 2025 | #214 - Deceive to Detect (with Yuriy Gatupov) | 00:45:47 | |
🔥 Hackers Beware! Cyber Deception is Changing the Game 🔥 In this must-hear episode of CISO Tradecraft, we expose a mind-blowing cybersecurity strategy that flips the script on attackers. Instead of waiting to be breached, cyber deception technology tricks hackers into revealing themselves—before they can do real damage. 🚨🎭 Imagine laying digital traps—fake credentials, bogus systems, and irresistible bait—that lead cybercriminals straight into a controlled maze where every move they make is tracked. Early threat detection? ✅ Real-time attacker intel? ✅ Fewer false positives? ✅ 🎙️ Featuring deception tech guru Yuriy Gatupov, we break down: ✅ How deception tech works & why it’s a game-changer ✅ How to expose and track hackers in real time ✅ How to prove ROI and make the case for your org Cyber deception isn’t just defense—it’s offense against cyber threats. Are you ready to fight back? Listen now!
Big thanks to our Sponsors ThreatLocker - https://hubs.ly/Q02_HRGK0 CruiseCon - https://cruisecon.com/
Contact Yuriy Gatupov - info@labyrinth.tech Yuriy's LinkedIn - https://www.linkedin.com/in/yuriy-gatupov-373155281/
Transcripts: https://docs.google.com/document/d/1oyQzCBRoPLbDOCOCypJMGGXxcPI5w75o
Chapters
| |||
27 Jan 2025 | #217 - Includes No Dirt (with Bill Dougherty) | 00:44:59 | |
In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.
Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/ CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf
Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X
Chapters
| |||
14 May 2021 | #29 - Identity and Access Management is the New Perimeter | 00:44:59 | |
Identity is the New Perimeter. On this episode of CISO Tradecraft you will increase your understanding of Identity and Access Management. Key topics include:
| |||
18 Oct 2021 | #51 - New Kid in Town (with Rebecca Mossman) | 00:43:08 | |
When you first start a cybersecurity job, or hire someone into a cybersecurity job, there is a window of opportunity to see things with a new perspective. In this episode, we're privileged to share ideas with Rebecca Mossman, a successful cybersecurity leader who has successfully led a number of teams in her career. We'll examine relationships, stakeholders, setting priorities, communication, and knowing when to call something "done" and move on to the next task. | |||
24 Oct 2022 | #101 - SaaS Security Posture Management (with Ben Johnson) | 00:40:07 | |
Special Thanks to our podcast sponsor, Obsidian Security. We are really excited to share today’s show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show so please stick around and enjoy. First let’s go back to the basics: Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions:
Let's walk through each of these questions to understand the cyber risks we need to communicate to the business, and then focus on one cloud type that might be forecasting a major event. First let's look at the first question: how many clouds are we in? It's pretty common to find organizations still hosting data in on-premises data centers. This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location. For example, if you live in Florida you can expect a hurricane. When this happens you might expect the data center to lose power and internet connectivity. Therefore it's smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event. We can think of our primary data center and our backup data center as an on-premises cloud. Therefore it's the first cloud that we encounter. The second cloud we are likely to encounter is external. Most organizations have made the shift to using cloud computing service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises. Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations, you are in what is known as a hybrid cloud environment. If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment. Notice the difference between the terms: hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a common cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms.
Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings. So let's say your organization uses on premises and AWS but not Azure or GCP. Does that mean you only have two clouds? Probably not. You see, there's one more type of cloud hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service (SaaS). Frankly we don't hear about SaaS security being discussed much, which is why we are doing a deep dive on its security in this episode. We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event. So let's look at SaaS Security in more depth. SaaS refers to cloud hosted solutions whereby vendors maintain most everything. They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. It can be a huge win to run SaaS solutions since it minimizes the need to have IT staff running all of these IT services. Example: hiring HVAC folks to ensure we have proper heating and cooling for servers on premises won't add new sales revenue to the business. Now that you understand why SaaS is important, you should ask yourself: how many external SaaS providers are we sending sensitive data to? Every company is different, but most can expect to find dozens to hundreds of SaaS based solutions. Examples of external SaaS solutions commonly encountered by most businesses include:
Once you build out an inventory of your third-party hosted SaaS solutions, you need to understand the second question: what kind of data is being sent to each service? Most likely it's sensitive data. Customer PII and PCI data might be stored in Salesforce, diversity or medical information for employees is stored in Workday, sensitive algorithms and proprietary software code are stored in GitHub, etc. OK, so if it is data that we care about then we need to ensure it doesn't get into the wrong hands. We need to understand why we care about SaaS based security, which is commonly known as SaaS Security Posture Management. Let's consider the 4 major benefits of adopting this type of service.
OK, so now that we have talked about the 4 major drivers of SaaS Security Posture Management (detection of account compromise, improved detection and response times, improvements to configuration and compliance, and proper access and privilege management), let's learn from our guest who can tell us some best practices with implementation. Now I'm excited to introduce today's guest: Ben Johnson Live Interview Well thanks again for taking time to listen to our show today. We hope you learned about the various clouds we are in (On Premises, Cloud Computing Vendors, and SaaS) and about the new Gartner Magic Quadrant category known as SaaS Security Posture Management. So if you want to improve your company's ability on SaaS based services to:
Remember if you liked today’s show please take the 5 seconds to leave us a 5 star review with your podcast provider. Thanks again for your time and Stay Safe out there.
| |||
07 Nov 2022 | #103 - Listening to the Wise (with Bill Cheswick) | 00:44:55 | |
Have you ever just met someone that was so interesting that you just sat and gave them your full attention? On this episode of CISO Tradecraft, we have Bill Cheswick come on the show. Bill talks about his 50 years in computing. From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses. He was also the first person to co-author a book on Internet Security. So listen in and enjoy. Also special thanks to our sponsor, Obsidian Security. You can learn more about them at: https://www.obsidiansecurity.com/sspm/ | |||
24 Jun 2024 | #187 - Ensuring Profitable Growth | 00:20:16 | |
Welcome to another episode of CISO Tradecraft with your host, G. Mark Hardy! In this episode, we dive into how CISOs can drive the profitable growth of their company's products and services. Breaking the traditional view of security as a cost center, Mark illustrates ways CISOs can support business objectives like customer outreach, service enablement, operational resilience, and cost reduction. Tune in for insightful strategies to improve your impact as a cybersecurity leader and a sneak peek at our upcoming CISO training class! If you would like to learn more about our class, drop us a comment: https://www.cisotradecraft.com/comment Transcripts: https://docs.google.com/document/d/19SDBdQSTLc58sP5ynwzhuedNHzk7QPKj Chapters
| |||
28 Feb 2022 | #67 - Knock, Knock? Who’s There and Whatcha Want? | 00:29:43 | |
On this episode of CISO Tradecraft we are going to talk about various Access Control & Authentication technologies. Access Control Methodologies:
Authentication Types:
References
| |||
29 Oct 2021 | #52 - Welcome to the C-Level (with Nate Warfield) | 00:47:31 | |
Special Thanks to our podcast Sponsor, Prevailion. Some of the best C-level executives start in the technical ranks. This episode features Nate Warfield, CTO of Prevailion, who differentiated himself by creating the CTI-League.com to assist healthcare companies with ransomware. We'll cover some of that organization, how Nate got his first C-level job, and some lessons learned you might appreciate in your own CISO journey. To learn more about Cyber Adversary Intelligence, please check out Prevailion who sponsored this episode. | |||
22 Aug 2022 | #92 - Updating the Executive Leadership Team on Cyber | 00:26:15 | |
Show Notes
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team. What should you talk about? How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer?
Let's first talk about how you make someone satisfied -- in this case your executives. Frederick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general. What a hygiene factor basically means is that people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in the employee bathroom. Or, said more concisely, satisfaction and dissatisfaction are not opposites. The opposite of Satisfaction is No Satisfaction. The opposite of Dissatisfaction is No Dissatisfaction. According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction." For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied. So, what makes someone satisfied or dissatisfied?
Factors for Satisfaction
So, what will make a board member satisfied? Today, cyber security IS a board-level concern. In the past, IT really was only an issue if something didn't work right – a hygiene problem. If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied. Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it. Remember, boards of directors generally come from non-IT backgrounds. According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams. And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny. So, there is essentially a mismatch between a board member's background and a CISO's background. That extends to your choice of language and terminology as well. Never go geeky with your executives – unless you have the rare situation where your entire leadership team are all IT savvy. Otherwise, you will tune them out by talking about bits and bytes and packets and statistics. Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully). Show how your cybersecurity initiatives and efforts reduce multiple forms of risk: financial risk, reputational risk, regulatory risk, legal risk, operational risk, and strategic risk. You can show that the threat landscape has changed – nation states and organized crime have supplanted lone hackers and disgruntled employees as the major threats.
Regulatory environment changes such as the California Consumer Privacy Act (CCPA) and ultimately the follow-on legislation from 49 other states will impact strategic business planning. Show your board how to avoid running afoul of these emerging requirements. And, of course, there is the ever-present threat of ransomware, which has evolved from denial-of-access attacks to loss of customer and internal data confidentiality. That threat requires top-level policy and response plans in advance of an incident -- it's too late to be making things up as you go along. Now, before we go into the Four Major Topics executives need to hear (after all, that's what I promised at the beginning of the show), let's ask, "Why are we briefing executives on our cyber program?" Any company that is publicly traded falls under the scope of the Securities and Exchange Commission, or SEC. The SEC has published Cybersecurity Guidance that offers suggestions for investment companies and investment advisors. They recommend investment firms "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats". The creation of a security strategy and education of employees on the strategy is at the core of what CISOs do. So, a translation of the SEC's guidance is to hire a CISO and have that individual create and execute a cybersecurity strategy. In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework, which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover. Our second question is, how often should we be updating the Executive leadership team? Since the SEC requires companies to disclose risks in their 10-K statements on a yearly basis, you should be briefing cyber updates to the Executive Leadership team at least on an annual basis. We recommend quarterly or semi-annual updates to give more touch points on important topics. You can draw parallels to quarterly financial statements.
Let's say the Risk Committee chaired by the CEO has agreed to hear the status of the Cyber Program twice a year. What should we brief to the executive leadership team? Let's look at what's required by law. The State of New York requires financial services organizations to follow New York Department of Financial Services (NYDFS) regulations. Section 500.04 provides additional information about CISOs. It states: Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO"). The regulations also state: The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks. These types of requirements aren't confined to Wall Street. The Bermuda Monetary Authority requires insurance companies to follow their Cyber Risk Management Code of Conduct. It states that: The board of directors and senior management team must have oversight of cyber risks. The board of directors must approve a cyber risk policy document at least on an annual basis. So, both the State of New York and the Bermuda Monetary Authority want CISOs to provide risk management and perform at least yearly reporting on material cyber security risks. Many more regulatory bodies do; these are just offered as examples. If you are going to function effectively as a leader, you should find some way to create a win-win from almost any situation. You likely have a regulatory requirement to brief your board or leadership on a periodic basis.
That's fine. But have you ever asked yourself, what do I want in return? Hmm. What you want is for your board to set the security culture from the top. Boards hold senior leadership (think C-level executives) accountable, and you want the board to ensure the CEO makes cybersecurity a priority for the organization. ISO 27001 has a nice tool – the Information Security Management System (ISMS) Policy Statement – which is senior leadership's declaration of the importance of cybersecurity within the organization. One example I found is that of GS1 India, a standards organization that helps Indian industry align with global best practices. Their ISMS Policy statement begins with: The Management of GS1 India recognizes the importance of developing and implementing an Information Security Management System (ISMS) and considers security of information and related assets as fundamental for the successful business operation. Therefore, GS1 India is committed towards securing the Confidentiality, Integrity, and availability of information for the day-to-day business and operations. If you can get a formal declaration of support from the top, your job is going to be a whole lot better. Otherwise, you might just end up being the Chief Scapegoat Officer. Now let's define the four things that an executive leadership team should hear from their security leader that will convey the message that you have a handle on your scope of authority and are executing your responsibilities correctly. Those four focuses are:
Let's dig in. With respect to "cyber risks and responses," create a slide for executives that shows the top cyber risks. Examples may include things like ransomware, business email compromise, phishing attacks, supply chain attacks, third party compromise, and data privacy issues. As a practical matter when briefing cyber risks, never just share a risk and walk away. Executives hate that. Be sure to talk about what you are doing as a CISO to mitigate this risk. Usually in Risk Meetings executives look for a few things about any risk.
However, this isn't a risk approval meeting where we need to go into that level of detail. So, let's keep our cyber risk reporting at an executive level by identifying our top three to five material risks and showing our cyber responses to each risk. For example, if you believe phishing is your number one cyber risk, then highlight it and talk about how you have created a phishing education program that lowers click rates and increases phishing reporting to the Cyber Incident Response Team. When phishing attacks are reported, your team has a Service Level Agreement (SLA) to respond to phishing reports within four hours to minimize any potential harm. You can also highlight that your organization has email protection tools in place such as Proofpoint that stopped thousands of phishing attacks during the last quarter. In summary, you are acknowledging that your company has Cyber Risks which can harm the organization. You are protecting the organization the best you can given the resources available to your team. If someone doesn't like your four-hour SLA, then you might offer up that you could decrease the response time to a one-hour SLA if you had one additional headcount. This creates a business decision to give you additional headcount, which is a great discussion to have. Once you have talked about the top three to five risks your organization faces, we recommend talking about key metrics to measure the Cyber Program. You could call these the metrics that matter. Essentially, they are tactical metrics that you measure month to month because they show risks that could result in major cyber-attacks. Our favorite place for metrics that matter is the OWASP Threat and Safeguard Matrix or TaSM (pronounced like Tasmanian Devil). Please note we have a link to it in our show notes. Please, please, please read about the OWASP Threat and Safeguard Matrix. It's a short five-minute read, and you will be glad that you did.
What does the Threat and Safeguard Matrix teach us about cyber metrics? It says all good metrics show a status, a trend, and a goal.
The OWASP Threat and Safeguard Matrix then categorizes cyber metrics into four major areas: technology, people, process, and environment.
Well, that's a good overview on Cyber Metrics that you can look at each month, but we still have two more categories to go over in our cyber update. Remember if you want to learn more on cyber metrics, please look at the OWASP Threat and Safeguard Matrix. The third broad category of slides to include in your board deck is A Cyber Roadmap that Identifies High Profile Programs and Projects. Executives want to see the big picture on how you are evolving the program. So, show them a roadmap that says over the next three years here is the big picture. For example, in 2022 we are focusing on improving ransomware defenses by enhancing our backup and data recovery process. We will also improve our ability to prevent malware execution in our environment by adding new Windows group policies. In 2023, we will shift our focus towards improving our website security. We will be launching a bug bounty program that allows smart and ethical hackers to find vulnerabilities in our websites before malicious actors do. We will be upgrading our Web Application Firewall after we finish our three-year contract with our current vendor. We will also be adding a botnet protection tool to our internet-facing websites given the recent attacks we have been experiencing. In 2024, we will then shift our focus to improving our software development process. We will be purchasing a tool to gamify secure software development amongst developers. This should lower the cost of vulnerability management. We will also be building custom courses in house that teach developers our company's requirements to build, test, and retire applications correctly. When you present this type of Cyber Roadmap you might show a single slide with a Gantt chart view of when high profile projects occur with the executive summary of the points previously mentioned. The last major category is a Cyber Maturity Assessment. Essentially you want something that independently measures the effectiveness of the entire Cyber Program. 
For example, many organizations use the NIST Cybersecurity Framework, ISO 27001, the FFIEC Cyber Assessment Tool, or HITRUST to benchmark their program. Consider hiring an independent auditing company to measure your organization's security maturity. You will get something that says here's the top fifteen domains of cyber security. Today, on a scale of one to five, your organization measures between a two and four on most of the domains. Most companies in your same industry benchmark are at level three, so you are currently underperforming versus your peers in four domains. You can take that independent assessment and say we really want to improve all level two scoring opportunities to be at least a three. This can be something you show in a spider graph or radar chart. You can show the top five activities needed to improve these measurements and provide timelines for when those will be fixed. This shows the executive leadership team that security is never perfect, how you benchmark against your peers, and provides them with the same confidence that they would get from an audit to confirm you are working effectively. So, let's summarize. We talked about Herzberg's hygiene factors, things that aren't perceived as satisfactory when present but are dissatisfactory when absent. Remember, satisfaction and dissatisfaction are not opposites. The opposite of dissatisfaction is no dissatisfaction. That helps us understand that when briefing management, we will not be able to delight them with the overall state of our cybersecurity program, but we can cause them not to worry about it. Focus on risk reduction, and how your program is helping your organization work toward that goal. We talked about why we need to brief management and how often. Different regulations require executive teams to articulate a cybersecurity strategy and empower the appropriate individuals to execute it.
In addition, most rules require at least annual security briefings; you may want to strive for more frequent meetings to keep your leadership team well-informed. Your goal is to have your board set the security culture from the top and hold C-level executives accountable for funding and maintaining cybersecurity initiatives. We covered the four things you should include in your executive briefings: cyber risks and responses, cyber metrics, a cyber roadmap that identifies high-profile programs and projects, and a cyber maturity assessment. By addressing risk in multiple forms, showing that you can measure and track your progress toward your security goals, that you have a solid plan for the next couple of years, and that you can demonstrate your maturity relative to peer companies, you will go a long way toward keeping your board happy, or more precisely, not unhappy. Lastly, don't forget to look up the OWASP TaSM model. It's a really useful tool for mapping threat categories to the NIST cybersecurity framework and showing where you may have gaps in your program (represented by blank cells in the matrix). The link to that is in our show notes. Well, we hope that you have enjoyed today's episode on Updating the Executive Leadership team on the Cyber Program and we thank you again for listening to us at CISO Tradecraft. Please leave us a review (hopefully five stars) if you enjoyed this podcast and share us with your peers on LinkedIn. We would love to help others with their cyber tradecraft. Thanks again and until next time, stay safe.