CISO Tradecraft®

G Mark Hardy & Ross Young
Jan 19, 2026 • 46min

#268 - Zero Trust isn't a product (with George Finney)

Everyone talks about Zero Trust — but very few organizations actually know how to implement it successfully.

In this episode of CISO Tradecraft, host G. Mark Hardy is joined by George Finney, a practicing CISO who literally wrote the book on Zero Trust and has implemented it in one of the most challenging environments imaginable: higher education.

Together, they break down:
- Why Zero Trust is a strategy, not a product
- Why most Zero Trust initiatives fail due to people and politics, not technology
- How attackers exploit trust and lateral movement
- How to implement Zero Trust without destroying culture or productivity
- What changes when AI enters the trust model
- Why AI is effectively “100% trust” — and how to reduce the blast radius
- How CISOs should explain Zero Trust and AI risk to the board

George also shares practical analogies (including his now-famous restaurant model for AI) that make Zero Trust and AI security understandable for executives, IT teams, and non-technical leaders alike.

If you’re serious about:
- Preventing breaches instead of just responding to them
- Limiting lateral movement
- Securing AI-driven systems
- Turning Zero Trust from buzzword into business strategy

👉 This episode is a must-watch.

George's Books:
Rise of the Machines: https://www.amazon.com/Rise-Machines-Project-Trust-Story/dp/1394303718
Project Zero Trust: https://www.amazon.com/Project-Zero-Trust-Strategy-Aligning/dp/1119884845/
Jan 12, 2026 • 46min

#267 - Busy is the New Stupid (with Ross Young)

In this insightful discussion, Ross Young, a security leader and author of the 'Busy Is The New Stupid' framework, tackles the paradox of being busy yet unproductive. He outlines how distractions like excess meetings and multitasking undermine effectiveness. Young introduces techniques for defending time, such as calendar audits and task batching, while critiquing the always-on culture that erodes boundaries. He emphasizes prioritizing impactful work and invites the community to contribute to evolving the framework, offering new perspectives on productivity.
Jan 5, 2026 • 45min

#266 - Why CISOs Miss The Next Big Security Challenge (with Richard Stiennon)

In this discussion, Richard Stiennon, an industry analyst and founder of IT Harvest, sheds light on the overwhelming challenges CISOs face amidst a rapidly evolving cybersecurity landscape. He explains how AI is accelerating vendor sprawl and complicating threat detection. Richard advocates for the use of peer networks and threat actor insights to better identify emerging risks. With nearly 4,000 vendors, he emphasizes the need for a strategic approach to vendor research and the importance of collecting proprietary data to outsmart the competition.
Dec 29, 2025 • 45min

#265 - 12 CISO Templates (with Ross Young)

In this conversation, cybersecurity expert Ross Young, known for developing practical tools and templates, shares insights on his newly redesigned site featuring 12 free resources for CISOs. He delves into AI's role in coding and template creation, including budgeting and risk assessment tools. Ross also discusses the 'Cyber Six Pack' for tracking vulnerabilities, a CMMC compliance guide, and a personal values exercise aimed at optimizing team motivation. His innovative strategies offer invaluable support for enhancing cybersecurity without overspending.
Dec 22, 2025 • 46min

#264 - Behavioral Insights (with Dr. Dustin Sachs)

Dr. Dustin Sachs, a former deputy CISO and expert in behavioral science, dives into the complexities of human decision-making in cybersecurity. He reveals how cognitive biases and stress alter employee behavior, often undermining security efforts. Dustin advocates for designing security strategies that align with real human behavior rather than strict policies. He highlights the necessity of integrating security into developer workflows and adapting best practices for organizational contexts, showing how small behavior changes can enhance security outcomes.
Dec 15, 2025 • 45min

#263 - Stopping Attacks To Your Cloud Office Environment (with Rajan Kapoor)

In this talk, Rajan Kapoor, VP of Security at Material Security, shares his valuable expertise in cloud workspace security. He discusses the expanding attack surfaces in cloud platforms like Google Workspace and Microsoft 365, emphasizing the need for robust protective measures. Rajan explains the importance of unified platforms to streamline investigations and reduce dwell time. He offers insights on using frameworks like MITRE to assess security maturity and addresses the risks posed by AI in data exposure, all while highlighting actionable steps for organizations to enhance their security posture.
Dec 8, 2025 • 46min

#262 - AI Mastery for CISOs: What You Must Know

In this enlightening discussion, AI practitioner Ross Young dives into the transformative role of AI in business. He emphasizes the critical involvement of cybersecurity leaders in AI deployments, highlighting the importance of setting clear goals and monitoring performance. The conversation covers the spectrum of AI—from traditional to agentic systems—and the risks associated with data quality and poisoning. Ross also shares insights on how to prioritize AI initiatives for maximum impact, making this a must-listen for cybersecurity professionals aiming to harness AI effectively.
Dec 1, 2025 • 46min

#261 - Vibe Coding Security (with Neatsun Ziv)

Neatsun Ziv, founder of Ox Security and former executive at Check Point, shares his expertise on vibe coding and security. He highlights the balance between productivity and quality, discussing the risks of AI-generated code. Neatsun introduces VibeSec, a new approach to embedding security into development workflows, arguing that traditional methods are falling short. The conversation covers training data pitfalls, mitigating risks in AI models, and how modern tools must evolve to stay secure. Tune in for insights on protecting code and adapting to an AI-driven future!
Nov 24, 2025 • 36min

#260 - Mastering Defense Against Configurations (with Yuriy Tsibere)

Yuriy Tsibere, a seasoned product manager at ThreatLocker with deep expertise in IT and security, dives into the critical issue of Defense Against Configurations (DAC). He explains how misconfigurations can create vulnerabilities and shares insights into ThreatLocker's DAC tool that helps organizations mitigate these risks. Topics include the impact of proper endpoint configurations, integration with Zero Trust principles, and compliance with security frameworks. Yuriy emphasizes the importance of continuous monitoring and suggests actionable steps for enhancing cybersecurity posture.
Nov 17, 2025 • 40min

#259 - Transforming Security Operations (with Brian Carbaugh and William MacMillan)

Brian Carbaugh, a former CIA operations officer with 25 years of service, and William MacMillan, a former Air Force pilot and CIA cyber leader, delve into AI's transformative impact on Security Operations Centers (SOCs). They discuss how AI dramatically reduces alert fatigue and enhances threat detection by condensing investigative hours into mere seconds. The duo shares insights on the benefits of human-AI SOCs over traditional SIEMs, emphasizing open interoperability and the importance of contextual data in strengthening security measures.
