CISO Tradecraft®

Apr 3, 2023 • 37min

#123 - Accepted Cyber Strategy (with Branden Newman)

In this episode of "CISO Tradecraft," G Mark Hardy discusses how to build an effective cyber strategy that executives will appreciate. He breaks down the four questions (Who, What, Why, and How) that must be answered to create a successful strategy and emphasizes the importance of understanding how the company makes money and which critical business processes and IT systems support the mission. Later in the episode, Branden Newman shares his career path to becoming a CISO and his approach to building an effective cyber strategy. Newman stresses that communication skills and the ability to influence people are the most critical skills for a CISO, and he shares his advice on how to effectively influence executives as a CISO.

Full Transcripts - https://docs.google.com/document/d/1nFxpOxVl6spkK-Y8GLU5q2f6R_4VD-a2

Chapters:
00:00 Introduction
01:06 The Four Questions (Who, What, Why, and How)
08:11 Building an Accepted Cyber Strategy
09:19 Importance of Communication Skills for a CISO
10:19 Understanding Financial Statements
12:47 Following the Money
14:09 Reputation and Cybersecurity
15:24 Getting Executive Buy-In into Cybersecurity
15:57 Building Trust with Executives
16:45 Security Enables New Elements of Business
17:13 Why Cybersecurity Gets Ignored
20:07 Framing Cybersecurity as a Competitive Advantage
21:19 Mistakes CISOs Make When Communicating with Executives
22:54 Telling Stories to Communicate with Executives
24:09 Using Business Cases and Examples
27:28 The Importance of Listening to the Executives
29:31 Making Informed Risk-Based Decisions
30:54 Building Trust and Champions
32:55 Building a Network of Trust
35:13 Being Pragmatic
Mar 27, 2023 • 44min

#122 - Methodologies for Analysis (with Christopher Crowley)

Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out, so tune in.

Analysis of Competing Hypotheses: https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
Christopher Crowley's Company: https://montance.com/
Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr

Chapters
00:00 Introduction
02:30 The Morris Worm and the Internet
04:17 The Future of Cybersecurity
06:41 How to Set Up a Shared Drive for Multitasking
10:26 The Evolution of Career Paths
12:02 The Importance of Methodology in Problem Solving
14:16 The Importance of Hypotheses in Cybersecurity
19:58 MITRE ATT&CK® Framework: A Two-Dimensional Array
21:54 The Importance of a Foregone Conclusion Methodology
23:29 The Disruptor's Role in Hypothesis Brainstorming
25:18 The Importance of Resilience in Leadership
27:45 Methodologies and Threat Hunting
29:21 The Importance of Information Bias in Threat Hunting
34:31 How to Sort Hypotheses in a Spreadsheet
37:22 The Importance of Refining the Matrix
40:34 How to Automate Analysis of Competing Hypotheses
Mar 20, 2023 • 38min

#121 - Legal Questions (with Evan Wolff)

Have you ever wanted to get a legal perspective on cybersecurity? On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others. He also provides important insights on how to structure your cyber policies, respond to regulators and auditors, and partner with general counsel. Please enjoy.

Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh

Chapters
00:00 Introductions
01:52 The Attorney-Client Privilege
04:49 What's the Difference Between a Discovery Order and an Attorney-Client Privilege
06:30 CISO Disclaimer
09:23 Security Is a Component of Government Contracts
11:59 What Are the Borders Between Information Security and Legal Risk
15:31 Cyber Security - Is There a Standard of Care?
18:11 Do You Have a Reasonable Best Effort?
21:27 CMMC 2.0
26:22 Is Your Privacy Policy Going to Expire?
28:30 What Is Reasonable Assurance?
33:41 Advice for Partnering with the General Counsel
Mar 13, 2023 • 40min

#120 - Negotiating Your Best CISO Package (with Michael Piacente)

Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages. Examples include but are not limited to:
- Base Salary
- Bonuses (Annual, Relocation, & Hiring)
- Restricted Stock Units
- Annual Leave
- Title (VP or SVP)
- Directors & Officers Insurance
- Accelerated Vesting Clauses
- Severance Agreements

You can learn more about CISO compensation by Googling any of the following compensation surveys:
Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...

Full Transcripts: https://docs.google.com/document/d/1e...

Chapters:
00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
11:44 Is There a Signing Bonus?
13:56 What's the Difference Between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should You Counter an Offer?
28:17 Corporate Liability Insurance
29:50 Do You Want to Be Extended on the Director and Officer Insurance Policy?
32:56 How to Negotiate a Severance Agreement
36:00 Compensation Survey Reports
Mar 6, 2023 • 41min

#119 - Ethics (with Stephen Northcutt)

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in. Sometimes ethical stances are clear and you know you are doing what's right. Others are blurry, messy, and really weigh on your mind. So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally the federal case in which Joe Sullivan, the former Chief Security Officer of Uber, was convicted of federal charges for covering up a data breach. Thanks to Stephen Northcutt for coming on today's show.

Full Transcript: https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9

Chapters
00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital Is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do You Have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and Say You Are Wrong
27:40 CISOs and CISOs - Is This a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO
Feb 27, 2023 • 45min

#118 - Data Engineering (with Gal Shpantzer)

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years, has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.

Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
Gal's Twitter Page - https://twitter.com/Shpantzer
Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/

Chapters
00:00 Introduction
02:00 How Do You Architect Big Data Infrastructure
03:33 Are You Taking a Look at Ransomware?
06:11 Web Scale Technologies Are Used Mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is There a Security Log
32:30 Streaming Analytics Is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics
Feb 20, 2023 • 40min

#117 - Good Governance (with Sameer Sait)

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.

Cyber Risk Institute - Cyber Security Profile: https://cyberriskinstitute.org/the-profile/
Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li

Chapters
00:00 Introduction
03:10 Good Governance Is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge Is Taking Measured Risk
20:05 Is There a Cybersecurity Policy
22:32 Culture Eats Policy for Lunch
24:14 The Role of the CISO
27:52 How Do You Convince the Leadership Team That You Need Extra Resources
29:51 How Do You Measure Cybersecurity?
32:22 How Do We Communicate Risk Findings to Senior Management
36:07 Are You Aligning with the Audit Committee
Feb 13, 2023 • 44min

#116 - A European view of CISO responsibilities (with Michael Krausz)

In the US we often focus on SOC 2, NIST Special Publications, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In the early stages of growing a security function, a CISO needs to be technically focused, but as a security department matures, the CISO must be organizationally focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort each requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.

Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv

Chapters
00:00 Introduction
04:01 Is There a Gap Analysis in ISO 27001?
08:05 Is There a Requirement for ISO Standards?
10:57 What Is ISO 27001?
13:11 Is There a Parallel Development Between the US and EU?
16:57 Do You Want to Be a Trooper?
21:17 What's the Oldest Operating System?
23:09 Is There a Legacy Operating System That You Can't Get Away With?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I Need 6 People, Period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs
Feb 6, 2023 • 42min

#115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser)

How can cyber best help the sales organization? It's a great thought exercise, and we bring on Joye Purser to discuss it. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new, important role.

Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/

Chapters
00:00 Introduction
02:58 How Did You Marry Those Two Cultures?
06:40 Building a Diverse Workforce
08:23 Is This a New Role Based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity Linked to Sales Numbers?
19:07 Is There a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do You Have Any Lessons Learned from Your Success at Global Management Consulting?
29:33 You Need to Schedule Time to Get Things Done
33:33 What About Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO
Jan 30, 2023 • 24min

#114 - One Vendor to Secure Them All

Did you ever wonder how much security you can implement with a single vendor? We did, and we were surprised by how much you can do using the Australian Essential Eight as a template. We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.

Special thanks to our sponsor Praetorian for supporting this episode: https://www.praetorian.com/

Full Transcripts: https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ

Helpful Links

Essential 8
https://www.microsoft.com/en-au/business/topic/security/essential-eight

Blocking Macros
https://ite8.com.au/the-essential-8/office-macros-explained/

Windows Defender Application Control, or WDAC (available from Windows 10 or Server 2016 or newer); previously Windows had AppLocker (Windows 7 / 8)
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

Windows Group Policies - blocking website URLs so that only allowed top-level domains are reachable (.com, .org, .net, .edu, .gov, .mil, and the country domains you want)
https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains
https://data.iana.org/TLD/tlds-alpha-by-domain.txt

Software Restriction Policies
http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/

Locking down Active Directory
https://attack.stealthbits.com/tag/active-directory

File Server Resource Manager (FSRM)
http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/

Enable MFA for RDP
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access
https://duo.com/docs/rdp

Enable MFA for SSH
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux

Windows Controlled Folder Access
https://support.microsoft.com/en-us/topic/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363

Use Windows File History to create backups to OneDrive
https://www.ubackup.com/windows-10/file-history-backup-to-onedrive-4348.html

Store your files in OneDrive, which has ransomware detection
https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f

Windows Update: select Start > Settings > Windows Update > Advanced options. Under Active hours, choose to update manually or automatically in Windows 11.
https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde

Microsoft Conditional Access Policies
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common

Microsoft Authenticator with Number Matching, Geo, & Additional Context
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context
https://websetnet.net/microsoft-rolls-out-new-microsoft-authenticator-features-for-enterprise-users/

Application Approve List
https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/
