CISO Tradecraft®

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen. Big Thanks to our Sponsors Haiku - https://www.haikuinc.io/ Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q Prefer to watch on YouTube? https://www.youtube.com/watch?v=45eViHH_ktA  Chapters 00:00 Introduction 03:38 What is Game-Based Learning? 07:55 Training Board of Directors 10:18 Gamification vs Game-Based Learning 14:30 Do Your Duties 21:09 Delaware Fiduciary Duties 22:54 Building a Forge 26:11 Tailored Game Types 33:35 Teaching Girl Scouts Linux Commands 40:17 Retaining Your Best People

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks. Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/iso-27001-certification/ Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0 Chapters 00:00 Introduction 04:22 Communication is a Requirement 09:34 How does cyber create value? 11:30 Culture and Operational Excellence 16:51 How does growth strategy align with cyber? 22:30 Intention Deficit Disorder 26:48 Accountability Loops 28:39 What's the evolution for a digital strategy? 32:02 Sharpen your axe 36:40 Digital Directors Network & Qualified Technical Experts

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out. Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/ Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war Chapters 00:00 Introduction 01:57 Definition of Cyber War 04:18 Kinetic vs Cyber War 07:02 Goal of Offensive Cyber Operations 10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity) 11:33 Diplomatic, Information, Military, & Economic (DIME) 12:57 Proportionality 14:04 Law of Distinction 15:56 Tallinn Manual 18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks 23:47 Ukraine Cyber War 28:21 Comparing old tanks to old mainframes 39:55 Winning a Cyber War

On this episode we discuss the measuring results cheat sheet from Justin Mecham.  Key focuses include: Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound) Identifying KPIs (Key Performance Indicators) Using the WOOP Model (Wish, Outcome, Obstacle, and Plan) Using a Gap Analysis Using the 5 Why Method Using Plan, Do, Check, & Act. Link to the Measuring Results Cheat Sheet https://www.linkedin.com/posts/justinmecham_harvard-says-leaders-are-10x-more-likely-activity-7112050615576391681-Ro60/ Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts https://docs.google.com/document/d/1Ok9cFBdubI6M4ubhcR0HZzmauHiU7fsN Chapters 00:00 Introduction 03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound) 07:29 Key Performance Indicators 09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan) 09:59 Gap Analysis 12:36 Root Cause Analysis and the 5 Whys 14:09 Plan, Do, Check, and Act

On this episode we discuss the four key roles Boards play in cybersecurity. Setting the company's vision and risk strategy Reviewing assessment results Evaluating management cyber risk stance Approving risk management plans Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/ Chapters 00:00 Introduction 01:36 What is a Board of Directors and what do they do? 09:33 FFIEC requirements for Boards 16:51 Establishing an Information Security Culture 19:08 Vision and Risk Appetite 22:00 Reviewing Cyber Assessments 25:09 Are we secure? 32:44 Castle Walls and Attacks 33:37 Getting your budget requests approved 37:10 Using use or loose money and reserved funding

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/ Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS Chapters 00:00 Introduction 06:02 The 4 Questions that allow you to measure twice cut once 09:29 How Data Flow Diagrams help teams 16:04 It's more than just looking at threats 19:23 Chasing the most fluid thing or the most worrisome thing 22:00 All models are wrong and some are useful 26:25 Actionable Remediation 31:05 LLMs and Threat Models

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail.  Many bad actors are using SMS spoofing and Social Engineering to get in.  Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them.  Pro-tip: Good MFA is your friend.  Use it everywhere you can including on your employees and customers during phone calls.   Big Thanks to our Sponsor Risk3Sixty - https://risk3sixty.com/whitepaper/ Mandiant Post - https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware Rachel Tobac Post - https://www.linkedin.com/feed/update/urn:li:activity:7108040643905474562  Transcripts: https://docs.google.com/document/d/186g8y_8wMcBPwdaiFjduhRiXC88ice0T/ Chapters 00:00 Introduction 01:06 Improving the Attacker Odds at the Casino 04:09 SEC 8-K filings 13:28 MGM Timeline of attack 16:55 What can we do against these attacks? 22:51 Upgrading your MFA 24:16 Custom Authentication Strength 27:11 New Social Engineering Attacks 32:31 OKTA attacks

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/whitepaper/ CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at www.cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach! Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr  Link to FAIR-MAM https://www.fairinstitute.org/resources/fair-mam Chapters 00:00 Introduction 02:16 What is the concept of material? 07:08 Investors increasingly seek information 11:21 Title 17 of the US Code Part 242 17:38 Backup and Recovery that is Resilient and Geographically Diverse 22:10 The New SEC requirements 26:38 Reporting Cyber Incidents 31:40 FAIR-MAM

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1 Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/whitepaper/ CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach! Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/  Chapters 00:00 Introduction 01:30 What are the CIS Critical Security Controls? 03:00 How have the CIS Critical Security Controls evolved over time? 05:30 What are the benefits of implementing the CIS Critical Security Controls? 07:30 The three crucial questions for implementing the CIS Critical Security Controls 10:30 How to prioritize the CIS Critical Security Controls 12:30 What are Implementation Groups? 13:37 Enterprise Profiles 14:00 Why are Implementation Groups important? 15:30 How to choose the right Implementation Group for your organization 19:46 Cost Breakdown 23:16 Thoughts on the CIS Study

In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips! Thanks again to our Sponsors for supporting this episode: Risk3Sixty: Check out Risk3Sixty's weekly thought leadership webinars and downloadable resources at https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise! References AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/ Secure Controls Framework: https://securecontrolsframework.com/scf-download/ Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/ Chapters 00:00 Introduction 04:28 Meeting Cybersecurity Controls and Understanding Applicable Regulations 11:28 Ensuring Compliance with Laws and Regulations 15:42 Handling Regulatory Change: Mapping Controls & Tracking Requirements 22:02 Navigating Regulatory Changes and Ensuring Compliance