CISO Tradecraft®

G Mark Hardy & Ross Young
Jan 29, 2021 • 48min

#14 - How to Compare Software

At some point in time, a CISO will need to purchase new security technology. Whether it's antivirus, firewalls, or SIEMs, you need to understand how to choose a product that will benefit your organization for years to come. This podcast discusses 5 different techniques that CISOs can apply to help with product selection:

1. Perform Market Research to learn the players
- Gartner Magic Quadrant
- Forrester Wave

2. Leverage Vendor Comparison Tools to spot the features
- MITRE ATT&CK Evaluation
- AV-Comparatives
- MoSCoW Method (Must Have, Should Have, Could Have, & Will Not Have)
- Pugh Matrix

3. Use Predictive Analysis tools to see the trends
- Google Trends
- OpenHub.Net
- Stack Overflow
- DB-Engines

4. Apply Problem Framing to understand the limitations and politics
- Define the Problem: List the current problem you are facing.
- State the Intended Objective: Identify the goal the organization is trying to achieve, so that there is consensus on when the original problem has been solved.
- Understand the Status Quo: If you take no action, does the current problem get worse, get better, or remain the same?
- List any Implied Solutions: List early solutions that appear to address the initial problem. These often come from your direct boss, who has a certain way of doing things.
- Identify the Gap: The gap is roughly the difference between the intended objective and the status quo. Essentially, this is the opportunity cost your organization must weigh when comparing this against other problems in the organization.
- Identify the Trap: For each of the implied solutions, imagine how you might build the product or service as directed and still not solve the intended objective.
- Explore Alternatives: Are there other solutions that avoid the traps or gaps and address the problem but have not been previously evaluated?

5. Execute an Analytic Hierarchy Process (AHP) to remove bias
AHP is a structured process that helps remove politics or bias from decision-making. It relies on creating relative weights among decision criteria, and possibly decomposing those into sub-criteria, resulting in a weighted formula for all inputs. That formula is the equation used to evaluate alternatives: each alternative is scored on its sub-criteria, and the scores are summed by relative weight, producing a relative ranking based on numeric analysis. For example, selecting a new product might involve evaluating three major criteria: cost, functionality, and maintenance. These are ranked pairwise on a relative scale of 1x to 9x. For this example, cost is twice as important as maintenance; functionality is twice as important as maintenance; cost is equally important to functionality. From that comes a 40% - 40% - 20% weighting (all weights must sum to 100%). Next, sub-criteria may be identified and weighted, e.g., initial cost is 1/3 the importance of ongoing cost. Thus, the 40% global weighting for cost would consist of a local weighting of 1 part initial cost [25%] to 3 parts ongoing cost [75%].
Jan 22, 2021 • 47min

#13 - Executive Competencies

Have you ever wanted to become an executive, but didn't know what skills to focus on? On this episode of CISO Tradecraft, G Mark Hardy and Ross Young provide guidance from the Office of Personnel Management (Chief Human Resources Agency and personnel policy manager for the US government). The podcast discusses the 6 Fundamental Competencies and the 5 Executive Core Qualifications required of all federal executives.

Fundamental Competencies:
- Interpersonal Skills
- Oral Communication
- Integrity/Honesty
- Written Communication
- Continual Learning
- Public Service Motivation

Executive Core Qualifications:
- Leading Change
- Leading People
- Results Driven
- Business Acumen
- Building Coalitions

https://www.opm.gov/policy-data-oversight/senior-executive-service/executive-core-qualifications/#url=Overview
Jan 15, 2021 • 45min

#12 - The Three Ways of DevOps

Making things cheaper, faster, and better is the key to gaining competitive advantage. If you can gain a competitive advantage in cyber, then you will reduce risk to the business and protect key revenue streams. This episode discusses the three ways of DevOps and how you can use them to improve information security.

The three ways of DevOps consist of:
- The First Way: Principles of Flow
- The Second Way: Principles of Feedback
- The Third Way: Principles of Continuous Learning

If you would like to learn more about the three ways of DevOps, G Mark Hardy and Ross Young invite you to read The Phoenix Project by Gene Kim: https://www.amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592
Jan 8, 2021 • 49min

#11 - Cryptography

Most organizations generate revenue by hosting online transactions. Cryptography is a key enabler for securing online transactions in untrusted spaces. Therefore, it's important for CISOs to understand how it works. This episode discusses the fundamentals of cryptography:
- What are the requirements for cryptography?
- How long has cryptography been around?
- Are there differences between legacy and modern cryptography?
- Differences between symmetric and asymmetric encryption
- Common uses of encryption at rest
- Encryption in transit
Jan 1, 2021 • 45min

#10 - Securing the Cloud

Understanding how to secure the cloud is a crucial piece of tradecraft that every CISO needs to master. This episode provides an in-depth discussion of AWS's 7 design principles for securing the cloud:
- Implement a strong identity foundation
- Enable traceability
- Apply security at all layers
- Automate security best practices
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events

Please note the AWS Well-Architected Framework Security Design Principles can be found here: https://wa.aws.amazon.com/wat.pillar.security.en.html

Chapters
00:00 Introduction
02:33 Seven design principles for securing the cloud
04:17 Multi-Factor Authentication (MFA)
05:59 How to prevent password guessing attacks on the cloud
08:19 How to limit access to your applications
11:05 How to enable traceability in your environment
13:15 The importance of cloud infrastructure
14:47 How to monitor security in the cloud
17:09 How to automate monitoring, alerting, and auditing
19:09 Configuring a strong identity foundation
20:52 How to have an effective real-time view of what your developers have produced
22:48 How to automate your security best practices
26:42 How to protect your data in the cloud
28:36 How to limit access to your data
31:36 How to scan your APIs to protect your data
33:41 The importance of permissions in a data science environment
36:06 The importance of identity in cloud computing
41:30 Review of the 7 design principles for securing the cloud
Dec 25, 2020 • 45min

#9 - Introduction to the Cloud

Have you ever wanted to learn the basic fundamentals of the cloud? This podcast provides a 50,000-foot view of the cloud. Specific discussions include:
- What is the cloud?
- What types of clouds are there, and what are the differences?
- What is the shared responsibility model, and what does it mean for securing the cloud?

Chapters
00:00 Introduction
02:10 The Basics of Cloud Computing
06:20 Cloud Computing and the Infrastructure as a Service Model
10:17 The different levels of responsibility in an Elastic Compute Cloud environment
13:18 How to host a server in the cloud
15:33 The differences between IaaS, PaaS, and SaaS
17:30 The consequences of committing to the cloud
19:15 The rise of AWS locations
21:21 The politics of Cloud Provider Infrastructure
24:15 The benefits of the cloud
26:30 AWS's shared responsibility model
30:43 The impediments to a high level of security in the cloud
34:46 How to sleep soundly with your data in the cloud
37:18 How to run a hybrid cloud
39:46 The challenges of hybrid clouds
43:03 Seven design principles for securing the cloud
Dec 18, 2020 • 57min

#8 - Crucial Conversations

CISOs often encounter situations where everyone has a different opinion, the decision is high stakes, and emotions are running high. These situations create crucial-conversation opportunities where a CISO needs to be effective. This podcast discusses how to turn disagreement into dialogue, surface any subject, and make it safe to discuss. Please listen as G Mark Hardy and Ross Young discuss the 8-step process from the book "Crucial Conversations":
- Get Unstuck
- Start With Heart
- Master My Stories
- State My Path
- Learn To Look
- Make It Safe
- Explore Others' Path
- Move To Action

We recommend you visit the following Crucial Conversations website to learn more: https://www.vitalsmarts.com/crucial-conversations-training/

The Crucial Conversations book can be found on Amazon: https://www.amazon.com/dp/0071771328/ref=cm_sw_em_r_mt_dp_0Cj3FbY9KA429

Chapters
00:00 Introduction
02:13 How to have crucial conversations
06:14 How to make better decisions
09:54 The dangers of talking about business
14:26 The importance of clarifying what you really want
17:51 The importance of mutual respect
25:18 How to achieve a shared goal
29:11 How to partner together to stop terrorism
33:13 How to create a mutual purpose
37:08 How to speak your mind in a safe environment
40:52 The importance of being vulnerable
51:56 The importance of listening to people
54:56 How to be a successful CISO
Dec 11, 2020 • 49min

#7 - DevOps

On this episode we will explore DevOps as a topic and discuss why you need to care as a CISO. Key discussions include:
- What are the key principles behind DevOps?
- What benefits does security see from DevOps?
- What is a CI/CD pipeline?
- What are common types of DevOps tools that I need to understand as a CISO?
- Where does DevSecOps fit in?
- What are 4 types of Application Security Testing tools we see in DevOps pipelines?
- What are 3 common ways to make DevOps / DevSecOps go viral in any organization?

Chapters
00:00 Introduction
04:56 DevOps - What are your thoughts?
08:57 Microsoft Super Patch Tuesday
13:03 DevOps - What's it all about?
14:22 What is CALMS (Culture, Automation, Lean, Measuring, & Sharing)
26:32 CI/CD
32:12 Containers & DevOps
33:45 Where does security fit in?
36:26 Application Security Testing
41:54 DevOps & DevSecOps - What are the tools?
Dec 4, 2020 • 50min

#6 - Change Management

If you want to make an impact as a leader, then you need to understand how to lead change. This episode overviews Dr. John Kotter's 8-Step Process for accelerating change:
- Create a sense of urgency
- Build a guiding coalition
- Form a strategic vision and initiatives
- Enlist a volunteer army
- Enable action by removing barriers
- Generate short-term wins
- Sustain acceleration
- Institute change

We highly recommend you read Kotter's ebook to learn more: https://www.kotterinc.com/8-steps-process-for-leading-change/

Chapters
00:00 Introduction
04:25 Are you creating change without urgency?
07:16 How can we drive security into the mobile app experience?
10:55 How to build a guiding coalition to transform the organization
13:49 The one trick I've learned from public speaking
16:15 What's the 3rd step in creating a strategic vision and initiatives?
19:12 A great strategic vision drives direction
20:50 How to accelerate the change in your organization
24:31 Creating partnerships to transform security
28:04 Identifying the barriers that are creating problems in your organization
33:01 How to document short-term wins
36:13 The next step is sustained acceleration
39:28 How to anchor change in corporate culture
45:02 Leadership and management from a leadership perspective
Nov 27, 2020 • 58min

#5 - Cyber Frameworks

Cyber Frameworks help CISOs build, measure, and execute top-notch information security programs. This podcast overviews the differences between Cyber Control Frameworks (CIS Controls & NIST 800-53), Program Frameworks (ISO 27001 & NIST CSF), and Risk Frameworks (FAIR, ISO 27005, & NIST 800-39), and provides useful tips on how to implement them.

Chapters
00:00 Introductions
03:29 Creating a Framework for Cyber Security Programs
06:48 What are the Most Important Controls?
11:08 Having an Inventory of Your Network Assets
14:01 Patch Tuesday and Remediation
18:20 Penetration Testing - The Last of the 20 SANS Controls
20:58 What's the NIST Cyber Security Framework?
29:17 The Evolution of Security Controls
35:03 ISO 27000 Series Gap Analysis
40:03 Cyber is in the Business of Revenue Protection
44:53 The Risk Matrix - Likelihood and Impact
49:32 Risk Management & Continuous Vulnerability Management
51:41 Your four options? (Accept, Mitigate, Avoid, or Assign)