CISO Tradecraft®

Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.   Scott Gicking - https://www.linkedin.com/in/scottgickingus/ CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe   Chapters 01:16 Guest Introduction: Scott Gicking 02:49 Scott's Career Journey 04:03 The Hollywood Cybersecurity Incident 07:38 Introduction to CIS and Its Importance 09:49 Understanding the CIS CSAT Tool 10:13 Implementing CIS CSAT in a Real-World Scenario 13:00 Benefits of the CIS CSAT Tool 18:38 Developing a Three-Year Roadmap with CSAT 23:25 Scoring Policies and Controls 24:20 Control Implementation and Automation 25:22 CMMC Certification Levels 27:52 Honest Self-Assessment 30:01 Quick and Dirty Assessment Approach 33:07 Building Trust and Reporting 37:38 Business Impact Analysis Tool 40:02 Reputational Damage and CISO Challenges 42:55 Final Thoughts and Contact Information

Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today. Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit   Chapters 00:00 Introduction to the Evolution of the CISO Role 00:58 The First CISO: Steve Katz's Pioneering Journey 03:58 Rise of Security Certifications 08:39 Regulatory Wake-Up Calls and Compliance 12:23 Cybersecurity in the Age of State-Sponsored Attacks 17:58 The Impact of Major Cyber Incidents 25:07 Modern Challenges and the Future of the CISO Role 27:51 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader. Chris Hughes - https://www.linkedin.com/in/resilientcyber/ Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi Chapters  00:00 Introduction and Special Guest Announcement 00:55 Chris Hughes' Background and Career Journey 02:46 Government and Industry Engagement 03:42 Supply Chain Security Challenges 07:34 Vulnerability Management Insights 12:13 Navigating the Overwhelming Vulnerability Landscape 22:19 Building Positive Relationships in Cybersecurity 23:41 Empowering Risk-Informed Decisions 24:29 Aligning with Organizational Risk Appetite 25:33 Navigating Job Changes and Organizational Fit 26:32 The Role of Compliance in Security 33:27 The Impact of AI on Security 43:05 Balancing Build vs. Buy Decisions 45:05 Conclusion and Final Thoughts

In this episode of CSO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cybersecurity Center. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program. References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0 Chapters  00:00 Introduction to the Full Irish 01:32 Why Ireland? 02:40 Tax Avoidance Schemes 04:25 GDPR Penalties and Data Protection 05:54 Overview of the 12 Steps to Cybersecurity 07:19 Step 1: Governance and Organization 09:24 Step 2: Identify What Matters Most 10:31 Step 3: Understanding the Threats 12:35 Step 4: Defining Risk Appetite 14:10 Step 5: Education and Awareness 16:00 Step 6: Implement Basic Protections 18:00 Step 7: Detect and Attack 19:37 Step 8: Be Prepared to React 21:24 Step 9: Risk-Based Approach to Resilience 22:52 Step 10: Automated Protections 23:58 Step 11: Challenge and Test Regularly 25:29 Step 12: Cyber Risk Management Lifecycle 26:29 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G. Mark Hardy dives into the evolution, challenges, and solutions of Data Loss Prevention (DLP). From early methods like 'dirty word lists' in the military to advanced AI and machine learning models of today, discover how DLP technologies have developed to safeguard sensitive information. Learn about different DLP phases, regulatory impacts, and modern tools like Microsoft Purview that can help manage and classify data effectively. This episode is packed with valuable insights to help you tackle data security with confidence and efficiency. Transcripts https://docs.google.com/document/d/1u7owNI5P3WajJvRPIXbzrUYy-PCsRcfC References Crash course in Microsoft Purview: A guide to securing and managing your data estate Chapters 00:00 Introduction to Data Loss Prevention (DLP) 00:45 Early Days of DLP: Dirty Word Lists and Simple Networks 02:39 Evolution of DLP: Content Filtering and Endpoint Protection 06:05 Advanced Content Inspection and Policy Enforcement 09:19 Unified DLP and Cloud Adoption 16:04 Modern DLP: AI, Machine Learning, and Zero Trust 19:12 Implementing DLP with Microsoft Purview 28:59 Summary and Final Thoughts  

In this episode of CISO Tradecraft, G. Mark Hardy dives deep into the world of Agentic AI and its impact on cybersecurity. The discussion covers the definition and characteristics of Agentic AI, as well as expert insights on its feasibility. Learn about its primary functions—perception, cognition, and action—and explore practical cybersecurity applications. Discover the rapid advancements made by tech giants and potential risks involved. This episode is a comprehensive guide to understanding and securely implementing Agentic AI in your enterprise. Transcripts https://docs.google.com/document/d/1tIv2NKX0DL4NTnvqKV9rKrgrewa68m3W References Vladimir Putin - https://www.rt.com/news/401731-ai-rule-world-putin/ Minds and Machines - https://link.springer.com/article/10.1007/s44163-024-00216-2 Anthropic - https://www.cnbc.com/2024/10/22/anthropic-announces-ai-agents-for-complex-tasks-racing-openai.html Convergence AI - https://convergence.ai/training-web-agents-with-web-world-models-dec-2024/ OpenAI Operator - https://openai.com/index/introducing-operator/ ByteDance UITARS - https://venturebeat.com/ai/bytedances-ui-tars-can-take-over-your-computer-outperforms-gpt-4o-and-claude/ Zapier - https://www.linkedin.com/pulse/openai-bytedance-zapier-launch-ai-agents-getcoai-l6blf/ Microsoft OmniParser - https://www.microsoft.com/en-us/research/articles/omniparser-v2-turning-any-llm-into-a-computer-use-agent/ Google Project Mariner - https://deepmind.google/technologies/project-mariner/ Rajeev Sharma - Agentic AI Architecture - https://markovate.com/blog/agentic-ai-architecture/ NIST.AI.600-1 - https://doi.org/10.6028/NIST.AI.600-1 Mitre ATLAS - https://atlas.mitre.org/ OWASP Top 10 for LLMs - https://owasp.org/www-project-top-10-for-large-language-model-applications/ ISO 42001 - https://www.iso.org/standard/81230.html Chapters  00:00 Introduction and Intriguing Quote 01:10 Defining Agentic AI 02:01 Expert Insights on Agency 04:32 Agentic AI in Practice 06:54 Recent Developments in Agentic AI 08:20 Deep Dive into Agentic AI Infrastructure 15:35 Use Cases for Agentic AI 21:12 Challenges and Considerations 24:22 Conclusion and Recap

In this episode of CISO Tradecraft, G. Mark Hardy shares 15 crucial characteristics to help you succeed in your cybersecurity career and become an effective CISO. From knowing yourself and developing leadership skills to enhancing communications and staying current with trends, Hardy distills decades of wisdom into practical advice. Learn how to navigate career transitions, build technical credibility, become an effective storyteller, and master political skills essential for C-level success. Transcripts: https://docs.google.com/document/d/1MpjXD8LqnHS_Lj1S-6T7vxcclxzUjEhe   Chapters 01:30 Know Yourself: The First Step to Success 05:23 Develop Your Leadership Skills 07:09 Enhance Your Communication Skills 11:37 Gain Broad Experience 14:28 Pursue Advanced Education 18:13 Network with Other Professionals 20:47 The Importance of Mentorship 22:20 Building Valuable Connections 23:43 Aligning with Business Goals 25:38 Deepening Technical Expertise 26:59 Staying Current with Trends 28:03 Promoting a Security-First Culture 30:18 Addressing Skills Gaps 31:53 Becoming a Master Storyteller 33:35 Engaging with Executives 34:41 Strategic Thinking and Time Management 37:27 Mastering Political Skills 39:14 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G Mark Hardy discusses Microsoft's groundbreaking announcement of their new quantum chip, the Majorana. The chip harnesses properties of a topological superconductor, making quantum computing promises more tangible. The episode delves into the technical aspects of quantum bits (qubits), cryptography, and the implications of topological quantum computing. With insights on competitor advancements by Google and potential challenges, this episode provides a comprehensive overview of quantum computing's future and its cyber security implications.   Transcripts: https://docs.google.com/document/d/1O2XG47o2_6jHBtPKL2PcwGRKPe69wFvi Link: https://azure.microsoft.com/en-us/blog/quantum/2025/02/19/microsoft-unveils-majorana-1-the-worlds-first-quantum-processor-powered-by-topological-qubits/   Chapters 00:00 Introduction to CISO Tradecraft 00:26 Microsoft's Quantum Chip Announcement 01:51 Understanding Quantum Bits 03:23 Quantum Computing and Cryptography 06:00 Microsoft's Quantum Leap 09:41 The Physics Behind Quantum Computing 16:48 Majorana Particle and Its Significance 20:29 Applications and Future of Quantum Computing 25:01 Conclusion and Final Thoughts  

In this CISO Tradecraft episode, host G. Mark Hardy delves into the recent U.S. presidential executive orders impacting AI and their implications for cybersecurity professionals. Learn about the evolution of AI policies from various administrations and how they influence national security, innovation, and the strategic decisions of CISOs. Discover key directives, deregulatory moves, and practical steps you can take to secure your AI systems in an era marked by rapidly changing regulations. Plus, explore the benefits of using AI tools like ZeroPath to bolster your cybersecurity efforts. Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/ Transcripts: https://docs.google.com/document/d/1Nv27tpDQs2fjdOedJOi0LhlkyQ5N5dKt Links:  https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/  https://www.federalregister.gov/documents/2019/02/14/2019-02544/maintaining-american-leadership-in-artificial-intelligence https://www.csis.org/analysis/made-china-2025 https://www.researchgate.net/publication/242704112_China's_15-year_Science_and_Technology_Plan  https://www.federalregister.gov/documents/2020/12/08/2020-27065/promoting-the-use-of-trustworthy-artificial-intelligence-in-the-federal-government  https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence  https://www.presidency.ucsb.edu/documents/executive-order-14148-initial-rescissions-harmful- executive-orders-and-actions https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting- innovation-in-the-nations-cybersecurity https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting- innovation-in-the-nations-cybersecurity  https://www.cisecurity.org/controls/cis-controls-list  Chapters  00:00 Introduction to AI Policy Shifts 00:23 AI Tool for Cybersecurity: ZeroPath 01:12 Understanding Executive Orders 02:44 EO 13859: Maintaining American Leadership in AI 05:42 EO 13960: Trustworthy AI in Federal Government 07:10 EO 14028: Strengthening U.S. Cybersecurity 09:38 EO 14110: Safe and Trustworthy AI Development 11:09 EO 14148: Rescinding AI Policies 12:21 EO 14179: Removing Barriers to AI Innovation 15:26 EO 14144: Strengthening Cybersecurity Innovation 37:19 Mapping Executive Orders to CIS Controls 40:15 Conclusion and Key Takeaways

This podcast episode discusses the formation of a professional association for CISOs, driven by increasing personal liability risks faced by these executives. The conversation centers on establishing a formal definition and accreditation process for the CISO role, moving beyond existing certifications to demonstrate operational and theoretical expertise. This professionalization effort aims to reduce personal liability through a tailored insurance product, negotiated collectively by the association, and preempt potentially ill-defined government regulations. Ultimately, the goal is to create a structured, respected profession for CISOs, offering benefits such as insurance, professional development, and a unified voice within the industry. Professional Association of CISOs - https://theciso.org/ Transcripts - https://docs.google.com/document/d/1BNeUzSyPYX-vAYwQl9qCi0GhknYhKnWF/  Chapters  00:00 Introduction to Professionalizing the CISO Role 00:52 The Genesis of a Professional Association 03:39 Challenges and Legal Liabilities for CISOs 04:43 The Value of Joining the Association 06:24 Accreditation and Certification Process 10:38 Insurance and Risk Management for CISOs 18:45 Future Directions and Getting Involved