

CISO Perspectives (public)
N2K Networks
CISO Perspectives explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology. Hosted by Kim Jones, veteran CISO and educator, this podcast challenges conventional thinking on leadership, talent pipelines, and the disconnects holding the profession back. Join Kim for candid discussions with industry leaders, and insights that help you build a stronger, more resilient cyber ecosystem.
Episodes

May 22, 2023 • 40min
Cybersecurity moneyball: First principles applied to the workforce gap.
Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, discusses the cybersecurity workforce skills gap with N2K’s President, Simone Petrella, and how security professionals might learn from the movie “Moneyball” about training their team in the aggregate on first principles. Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 26, 2023 • 19min
Bonus Episode: 2023 Cybersecurity Canon Hall of Fame Inductee: Superforecasting: The Art and Science of Prediction by Dr Phil Tetlock and Dr Dan Gardner.
Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, interviews Dan Gardner about this 2023 Cybersecurity Canon Hall of Fame book: “Superforecasting: The Art and Science of Prediction.”

Apr 25, 2023 • 15min
Bonus: 2023 Cybersecurity Canon Hall of Fame inductee: This Is How They Tell Me the World Ends by Nicole Perlroth.
Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, interviews Nicole Perlroth about her 2023 Cybersecurity Canon Hall of Fame book: “This Is How They Tell Me the World Ends.”

Apr 24, 2023 • 17min
Bonus: 2023 Cybersecurity Canon Hall of Fame inductee: "The Hacker and the State" by Ben Buchanan.
Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, and Andy Hall, Cybersecurity Canon Committee Member, discuss the 2023 Cybersecurity Canon Hall of Fame book inductee: “The Hacker and the State” by Ben Buchanan.

Mar 13, 2023 • 24min
Resilience Case Study: Chaos Engineering.
Chaos Engineering started in the mid-2000s. It was made famous by the Netflix engineering team through an internal app they developed, called Chaos Monkey, that randomly destroyed pieces of their customer-facing infrastructure, on purpose, so that their network architects could understand resilience engineering down deep in their core. But the concept is much more than simply destroying production systems to see what will happen. It elevates the idea of regression testing to the level of the scientific method, designed to uncover potential and unknown architectural designs that may cause catastrophic failure. I make the case that the CSO should probably own that functionality.

Mar 6, 2023 • 28min
Resilience Case Study: Colonial Pipeline attacks of 2021 (Cyber Sandtable).
The 2021 Colonial Pipeline ransomware attack: We can use cyber sand tables to enhance our cybersecurity first principle defenses, since the concept, in various forms, has been used by military commanders, coaches, and athletes since the world was young. This show puts the Colonial Pipeline hack on the cyber sand table to see what might have been done differently.

Feb 27, 2023 • 38min
Intelligence sharing: A Rick the Toolman episode.
Since the early 2000s, most infosec practitioners have agreed that a public/private partnership to share threat intelligence is a cybersecurity first principle tactic. From the first CERT in the late 1980s to the CISA Shields Up program this year (2022), the community has come a long way, but it's safe to say that there is much room for improvement. In this Rick the Toolman episode, we discuss the history and current state of information sharing and where it needs to go in the future.

Feb 13, 2023 • 16min
Software Defined Perimeter (SDP): A Rick the Toolman episode.
Zero trust is a cybersecurity first principle strategy. Key to deploying a robust program is the Identity and Access Management (IAM) tactic. The old perimeter defense model, designed in the 1990s, where network architects allowed good guys (and bad guys) through the perimeter to validate IAM policy, seems ridiculous in hindsight. The new model, Software Defined Perimeter (SDP), is not as well known but is probably a better design. In this episode, Rick Howard discusses the history and current state.

Feb 6, 2023 • 31min
Two-factor authentication: A Rick the Toolman episode.
In 1995, AT&T patented the idea of two-factor authentication (2FA). They said that to identify an authorized user, a system needed to check at least two of three factors: something they have, something they are, or something they know. But the early systems were clunky, hard to manage, and only used in environments that needed the most security. Today, the industry has come a long way and there are several different choices for 2FA with some more secure than others: SMS, Email, Authenticator Soft Tokens, Push, and Universal 2nd Factor (U2F). In this show, we talk about how each works and the relative security merits of each.

Jan 30, 2023 • 16min
Single Sign-On: A Rick the Toolman episode.
Single Sign-On (SSO) in the real world is complicated and messy, and how we got there is a byzantine maze of innovation and standards that has taken years. But if zero trust is the first principle strategy we are all trying to pursue, getting Identity and Access Management (IAM) right is the most important tactic. And SSO is a piece of the entire Identity and Access Management puzzle. Rick summarizes the history and current state of Single Sign-On with some Rick the Toolman thrown in.