CISO Tradecraft®

Explore the importance of password managers and secure secret management. Learn about the weaknesses of common passwords and the significance of strong, complex passwords. Discover the risks of storing passwords in browsers and inspecting login screen code. Understand the importance of using a commercial password manager to protect against security threats and breaches. Consider different factors when choosing a password manager for an enterprise.

Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape. Special Thanks to our Sponsors: The Chertoff Group: https://www.chertoffgroup.com CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us! Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/ Chapters 00:00 Introduction 01:49 How to Get More Sales at Blackhat 05:57 How to Differentiate Yourself From the Competition 10:05 How to Solve a Priority Problem 16:07 How to Achieve Bigger Goals Through Accelerating Teamwork 18:13 How to Find a CISO Job 20:30 How to follow a Rich Dad's Advice 22:59 How to Create an Opportunity Not Just for Yourself, but for Others 24:18 How to Create Value for Others 26:20 How to Provide Value to Others 28:21 The Power of Open-Ended Questions as a CISO 32:33 How to Ask Powerful Questions

On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company. Special Thanks to our Sponsors: The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/ Prelude: https://www.preludesecurity.com/ CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us! Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/ Chapters 00:00 Introduction 02:33 The SEC's Final Rule on Cybersecurity Disclosure 05:29 What is a Material Incident? 07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk 10:03 The Four Day Rule for Incident Reporting 12:46 The Implications of the New Role of the CISO 15:46 The Ticking Clock on Disclosure 18:31 SolarWinds and the Software Chain Security Exposure 19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges 21:29 The Rise of the SBOM 23:16 The Rise of Expectations in the U.S. Government 25:02 The Future of Software Security 27:22 The Progress of the CMMC Program 29:59 The SEC Disclosure Requirements: What to Expect From Your Board 31:57 How to Reduce Complexity in Your Software Development Lifecycle 34:05 How AI is Impacting Our Business and Cyber 37:32 How to Measure and Manage Cyber Risks Effectively 39:57 The SEC's Final Rule on Disclosure

Don't let Bobby the Intern cause havoc in your network. On this episode of CISO Tradecraft, G Mark Hardy discusses the importance of training new hires in cybersecurity to create a strong security culture within an organization. The focus is on shaping employees' behavior and beliefs to enhance the overall cybersecurity posture. Special Thanks to our Two Sponsors: 1) The Chertoff Group: www.chertoffgroup.com 2) Prelude: https://www.preludesecurity.com/  Transcripts: https://docs.google.com/document/d/1Z4ftmqZdUMkxD6ATRRLp0EmO_DVluQ4n Chapters 00:00 Introduction 03:57 How to Build a Security Culture 07:19 The Importance of a Good Username and Password 11:24 How to Use MFA to Protect Your Brand 12:50 How to Teach Your Employees About Phishing 17:07 How to Deal with External Email Addresses 20:30 How to Avoid a Business Email Compromise 22:42 How to Protect Your Website from Attackers 24:40 How to Secure Your Applications 26:46 The Importance of Threat Modeling 30:48 QR Codes and How to Use Them Effectively 32:34 Delaying Desktop Patches 34:36 How to Teach Your New Hires About Security 36:30 How to Orient Your New Employees

On this episode we bring on CIA Veteran James "Jim" Lawler to discuss how spies are recruited, how individuals are turned, and what makes them vulnerable to being turned. Learn what managers and executives can and should know about their people to help them better understand who's at risk and the types of programs that executives can put into place to stop insider threats. Special Thanks to our Two Sponsors: 1) Prelude: https://www.preludesecurity.com/ 2) Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. Learn more at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser Be sure to read Jim's books 1) Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3Y5x2Sc 2) In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/43EkvpE  Chapters 00:00 Introduction 02:24 The Importance of Recruiting Insiders 08:06 How to Be a Successful Case Officer 11:09 The Importance of Identifying Vulnerabilities in Insider Threats 14:00 The Cockamamie Recruitment Pitch Scheme 18:50 The Importance of Rationality in Espionage 21:10 The Complex Motivations for Espionage 23:49 The Key to Stress in a Target Life 27:34 The Importance of Listening to Your People 30:02 How to Be a Good Leader 35:02 The Metaphysics of Recruitment 37:31 How to Firewall a Threat to Your Organization 41:00 Living Lies 44:49 How to Be a Better Writer 49:31 How to Be a Better Threat Manager

This week Rafeeq Rehman returns to discuss the 2023 updates to the CISO Mindmap. Note you can find his work here: https://rafeeqrehman.com/2023/03/25/ciso-mindmap-2023-what-do-infosec-professionals-really-do/ Thanks to our two sponsors for this episode. 1) Prelude: https://www.preludesecurity.com/ 2) Risk3Sixty - Get a free copy of The Five CISO Archetypes eBook from risk3sixty. By reading this eBook, you will discover your strengths, weaknesses, areas where you need support from your team, and the types of organizations you best fit. The eBook also provides the tools to analyze organizations to understand their security priorities better. You will be able to use these tools to identify organizations that would most benefit from your natural strengths as a security leader. Organizations that you will love to work with and that would love to have you as part of their team. The steps outlined in this book will make you a more effective security leader and more satisfied with your career. https://risk3sixty.com/whitepaper/five-ciso-archetypes-ebook/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook Transcripts: https://docs.google.com/document/d/1tFhZ6DdzwG12dYXvuVpaZdmfNWBVFswx  Chapters 00:00 Introduction 03:36 How to Write a Book 05:32 How to Master a Security Tool 09:19 Updating the Mind Map for 2023 and 2024 13:12 How to Resiliently Respond to Ransomware Attacks 16:15 The Importance of Redundancy in Security 19:18 How to Manage Your Security Budget Effectively 22:43 Building a Brand for a Security Organization 26:10 Untangle the Application Web of Components 29:38 The Importance of Software Build of Materials 33:28 How to Automate Security Operations 36:31 The Six Importances of a Security Mind Map 38:43 The Future of Generative AI 40:47 The Future of CISO Tradecraft

Imagine if you could get 1% better every day at something and do this for an entire year. Well, that's 365 days. And you go, okay, fine. 1%. 1%. That's going to be like 3.65%, right? No, because it compounds. And if you go ahead and open up your calculator and you take 1.01 and you raise it to the 365th power you're going to get 37.78. On today's show we have Andy Ellis discuss ways to get 1% better as a leader. Thanks to our two sponsors for this episode. 1) Prelude: https://www.preludesecurity.com/ 2) Risk3Sixty - Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook  1% Leadership Book: https://www.amazon.com/1-Leadership-Master-Improvements-Leaders-ebook/dp/B0B8YXJ2H1?&_encoding=UTF8&tag=cisotradecr05-20&linkCode=ur2&linkId=51e35f5bdcbe65e448e03d779143278c&camp=1789&creative=9325 Transcripts: https://docs.google.com/document/d/1Ul9N9cw579JMB_e7Vlk91_JpYxOBXQmx/ Chapters: 00:00 Introduction 02:09 Andy's career in cyber 04:04 The Butterfly Effect 06:06 How to Be 1% More Efficient at Cyber 09:01 The Importance of Uncloneability 10:57 The Importance of Personal Improvement in Leadership 14:21 The Importance of Commitment 16:10 The Importance of Feedback 20:23 Planning for a Sudden Change in Your Environment 26:51 How to Create Safety for Cyber Professionals 29:01 How to Face Adversity with Grace 30:36 The Importance of Culture in Email Security 32:11 The Importance of Delegation 33:55 Delegating vs Dumping 36:02 How to Reduce the Energy Cost of Inclusion 40:18 The Importance of Diversity in Organizations 42:07 Don't Borrow Evil 44:17 How to Build a Relationship with Business Leaders 46:49 How to Stop Hurting Your Team

Are you a Chief Information Security Officer (CISO) looking to share your knowledge and insights with the world? In this episode, we explore how CISOs can embark on their journey of writing their first book. Join us as we delve into valuable tips and advice, including learning from renowned author Bill Pollock, who has paved the way for aspiring CISO authors.   Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs.  They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook   Transcripts: https://docs.google.com/document/d/1uxNgxe7ad9VBfRLeRH4nWY6tSkI-Kexd   Chapters 00:00 Introduction 04:37 How No Starch Press was Founded 07:24 The Rise and Fall of the Hacking Underground 11:41 How to be a Successful Hacker 14:11 How to Edit a Book 16:38 How to Be a Good Writer 18:14 How to Write a Book Proposal 23:50 How to Overclock Your Computer 26:31 The Future of AI 28:15 The Value of a Author Book Publishing Agreement 33:39 How to Make Money Writing a Book 37:34 The No Starch Press Foundation and the Hacker Initiative 40:30 Hacker Initiative: A Public Charity for Cyber Security

One of the most important activities a CISO must perform is presenting high quality presentations to the Board of Directors.  Listen and learn from Demetrios Lazarikos (Laz) and G Mark Hardy as they discuss what CISOs are putting in their decks and how best to answer the board's questions.  Special thanks to our sponsor Risk3Sixty for supporting this episode. Risk3sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook References RSAC ESAF Download: https://www.rsaconference.com/rsac-programs/executive-security-action-forum NACD 2023 Directors Handbook: https://www.nacdonline.org/insights/publications.cfm?ItemNumber=74777 Blue Lava: https://bluelava.io/cybersecurity-board-reporting/ Transcripts: https://docs.google.com/document/d/1juM8MQUEtAZEDp1HpzkPdNw-D11O3ofq Chapters 00:00 Introduction 05:17 The Importance of External Audits in Managing Risk 06:48 How to Help Your Business of Revenue Protection Reduce Risk 11:15 How to be a Successful CISO 12:52 How to Measure the Threat to Your Environment 15:04 How to Prepare for Cyber Threats and Incidents 18:49 The Importance of Understanding the Business's Critical Assets 22:28 OSINT and CSIRT.global Tools and Technologies 25:14 Building a Matrix of Good Intention, Bad Behavior, and Access Management 28:10 How to Create an Incident Response Plan 30:20 How to Keep Your Board of Directors Informed of Cybersecurity Incidents 31:50 How to Keep Track of the Latest Cyber Threats Coming Around the Corner 34:11 How to Achieve Cyber Insurance Coverage 37:06 Cyber Liability Insurance: A Necessary Component of Running Your Business in 2023 39:22 How to Measure the Effectiveness of a Company's Cybersecurity Program 40:54 The Importance of Business Alignment

A lot of times we focus on preventing ransomware, but we forget what we should do when we actually encounter it.  That's why we are bringing on Ricoh Danielson to talk about it.  Learn from him as he discusses tactics and techniques for businesses to follow then stuff hits the fan. Special thanks to our sponsor Risk3Sixty for supporting this episode. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook Ricoh Danielson - https://www.linkedin.com/in/ricoh-danielson-736a0715/ Transcript: https://docs.google.com/document/d/1R82dUBChC3URM6iaP3D7dds_2nh27DTs/ Chapters 00:00 Introduction 03:19 How to Help a Small Business Dig Out of Cybercrime 05:00 How to Negotiate with Your Cyber Insurance Company 08:58 How to Deal with a Threat Actor 12:57 The Importance of Treating Everything Equally 15:45 How to Use Microsoft Tools to Capture Information 17:25 How to Combat a Threat Actor with Microsoft Defender 22:41 Set up PGP Keys in Advance 25:26 How to Negotiate with an OFAC sanctioned organization 28:24 How to Deal with Ransomware 30:28 The Nature of Instant Response 32:25 How to Get Concurrency in your Organization 34:05 The Importance of a a Strong Relationship with a Client 37:34 The Importance of Breach Notifications 39:21 How to Hand Combat a Threat Actor