CISO Tradecraft®

Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper.  As always, please follow us on LinkedIn, and subscribe if you have not already done so. Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen.  He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority." Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company.  You have to start thinking and operating like a digital company.  It’s no longer just about procuring one solution and deploying one solution… It’s really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.” The first time I heard this I didn’t really fully understand it.  But after reflection it makes a ton of sense.  For example, let’s say your company couldn’t send email.  How much would that hurt the business?  What if your company couldn’t use Salesforce to look up customer information?  How might that impact future sales?  What if your core financial systems had database integrity issues?  Any of these examples would greatly impact most businesses.  So, getting high-quality software applications that enable the business is a huge win. If every company is a software or digital company, then the CISO has a rare opportunity.  That is, we can create one of the largest competitive advantages for our businesses. What if we could create an organization that builds software cheaper, faster, and better than all of our competitors? Sounds good right?  That is the focus of today’s show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development.  Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that?  Let's start at the back and work our way forward. We can make our software development costs cheaper by increasing productivity from developers. We can make our software development practices faster by increasing convenience and reducing waste. We can make our software better by increasing security. Let’s first look at increasing productivity.  To increase productivity, we need to under    stand the Resistance Pyramid.  If you know how to change people and the culture within an organization, then you can significantly increase your productivity.  However, people and culture are difficult to change, and different people require different management approaches. At the bottom of the pyramid are people who are unknowing.  These individuals Don’t know what to do.  You can think of the interns in your company.  They just got to your company, but don't understand what practices and processes to follow.  If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance.  Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?"  An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner. The middle part of the pyramid is people who believe they are unable to adapt to change.  These are individuals that don’t know how to do the task at hand.  Here,

How do you become a Cyber Security Expert? Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert.  As always, please follow us on LinkedIn, and subscribe to our podcasts. As a security leader, part of your role is to develop your people.  That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people. Now, you may have heard the phrase, "take care of your people," but I'll take issue with that.  I take care of my dog.  I take care of a family member who is sick, injured, or incapacitated.  Why?  Because they are not capable of performing all of life's requirements on their own.  For the most part, your people can do this.  If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome.  People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them.  I am NOT going to get political here, so don't worry about that.  Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves.  In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success. That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert?  If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having seek out a mentor.  Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!"  But most of the time, career mastery involves learning from a number of others. Today on CISO Tradecraft we are going to analyze the question, " How do you become a Cyber Security Expert?"  I'm going to address this topic as if I were addressing someone in search of an answer.  Don't tune out early because you feel you've already accomplished this.  Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have. Let’s start at the beginning.  Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?)  You see someone that tells you they have a cool job where they get paid to ethically hack into computers.  Later on, you meet a second person that says they make really good money stopping bad actors from breaking into banks.  Somehow these ideas stick into your brain, and you start to say to yourself, you know both of those jobs sound pretty cool.  You begin to see yourself having a career in Cyber Security.  You definitely prefer it to jobs that require a lot of manual labor and start at a low pay.  So, you start thinking, "how I can gain the skills necessary to land a dream job in cyber security that also pays well?" At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs.  The four building blocks are:

Show Notes Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team.  What should you talk about?  How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer? Story about Kim Jones at Vantiv – things have changed Let's first talk about how you make someone satisfied -- in this case your executives. Fredrick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general. What a hygiene factor basically means is people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in employee bathroom. Or, said more concisely, satisfaction and dissatisfaction are not opposites.  The opposite of Satisfaction is No Satisfaction.  The opposite of Dissatisfaction is No Dissatisfaction. According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction." For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied. So, what makes someone satisfied or dissatisfied? Factors for Satisfaction Achievement Recognition The work itself Responsibility Advancement Growth Factors for Dissatisfaction Company policies Supervision Relationship with supervisor and peers Work conditions Salary Status Security So, what will make a board member satisfied?  Today, cyber security IS a board-level concern.  In the past, IT really was only an issue if something didn't work right – a hygiene problem.  If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied.  Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it. Remember, boards of directors generally come from a non-IT backgrounds .  According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams.  And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny. So, there is essentially a mismatch between a board member's background and a CISO's background.  That extends to your choice of language and terminology as well.  Never go geeky with your executives – unless you have the rare situation where your entire leadership team are all IT savvy.  Otherwise, you will tune them out by talking about bits and bytes and packets and statistics. Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully).  Show how your cybersecurity initiatives and efforts reduce multiple forms of

On this episode you can hear the tale of three conferences.  Listen and learn about the history of BSides, Black Hat, and DEF CON.  Learn what makes these conferences special and enjoy some of the untold history of each conference.  

A CISO’s Guide to Pentesting References https://en.wikipedia.org/wiki/Penetration_test https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf  https://pentest-standard.readthedocs.io/en/latest/ https://www.isecom.org/OSSTMM.3.pdf https://s2.security/the-mage-platform/ https://bishopfox.com/platform https://www.pentera.io/ https://www.youtube.com/watch?v=g3yROAs-oAc    **************************** Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.   Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand.   What is it Where are good places to order it What should I look for in a penetration testing provider What does a penetration testing provider need to provide What’s changing on this going forward First of all, let's talk about what a pentest is NOT.  It is not a simple vulnerability scan.  That's something you can do yourself with any number of publicly available tools.  However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest.  Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?   Now let’s start with providing a definition of a penetration test.  According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system.  It’s really designed to show weaknesses in a system that can be exploited.  Let’s think of things we want to test.  It can be a website, an API, a mobile application, an endpoint, a firewall, etc.  There’s really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm.  You need to focus on high likelihood and impact because professional penetration tests are not cheap.  Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it’s not unheard of to go up to $100,000.  As a CISO you need to be able to defend this expenditure of resources.  So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significan

I've been a fan of Sean Heritage for years when I first discovered his blog, "Connecting the Dots."  Today I have the privilege to listen to his thoughts on cybersecurity careers in both the military and the "real world," how to prioritize your life, what careers goals you should (and should NOT) aim for, and the importance of great leadership.   Book reference: Connecting the Dots:  Deliberate Observations and Leadership Musings About Everyday Life https://www.amazon.com/Connecting-Dots-Deliberate-Observations-Leadership/dp/1639373187?&_encoding=UTF8&tag=-0-0-20

This episode of CISO Tradecraft, Andy Ellis from Orca Security stops by to talk about three really hard problems that CISOs have struggled with for decades.  How do we build a phishing program that works? How do we build a 3rd party risk management program that isn't a paper exercise? How do we actually get good at patch management? Stick around for some great answers such as: Human error is a system in need of redesign How do we put every employee on an island protected from the company? If we stopped doing this practice/process, then how would the world be different? What data/transactions does this third party have access to? What are all of the dangerous things customers can do in their configurations that my organization needs to know about? What if we turned on auto-patching for the desktop? What if we set SLA tripwires to alert senior leaders when their developers are unable to meet patching timelines? References: Vulnerabilities Don't Count Link

On this episode of CISO Tradecraft, Bryce Kunz from Stage 2 Security stops by to discuss how offensive cyber operations are evolving.  Come and learn how attackers are bypassing MFA and EDR solutions to target your cloud environment.  You can also hear what Bryce recommends to beat the bear that is Ransomware.   References: Link How Attackers Bypass MFA with Evilginx 2  Link Stage 2 Security Black Hat Course

This episode features Rafeeq Rehman.  He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023: 1.  Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data. 2.  Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams. 3.  To serve your business better, train staff on business acumen, value creation, influencing and human experience. 4.  Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program. 5.  Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps. 6.  Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps. Links: CISO MindMap Link CISO MindMap 2022 Recommendations Link Information Security Leaders Handbook Link Cybersecurity Arm Wrestling Link

On this episode of CISO Tradecraft, we feature Helen Patton. Helen shares many of her career experiences working across JP Morgan, The Ohio State University, and now Cisco.   -Is technical acumen needed for CISOs? -Surviving organizational politics (34:45) Helen discusses The Fab 5 Security Outcomes study. Volume 1 Study - Link  Volume 2 Study - Link