

CISO Tradecraft®
G Mark Hardy & Ross Young
You are not years away from accomplishing your career goals, you are skills away. Learn the Tradecraft to Take Your Cybersecurity Skills to the Executive Level. © Copyright 2025, National Security Corporation. All Rights Reserved

Oct 21, 2024 • 17min
#203 - Be SOCcessful with the SOC-CMM
Unlocking SOC Excellence: Master the SOC Capability Maturity Model. Host G Mark Hardy walks through the SOC Capability Maturity Model (SOC-CMM) authored by Rob van Os, a self-assessment framework for measuring, evaluating, and improving a Security Operations Center. This episode is aimed at CISOs, aspiring CISOs, and cybersecurity professionals who want to optimize their SOC. Learn how to score your SOC's maturity and capability across the model's five domains (Business, People, Process, Technology, and Services), how to use the resulting radar charts to visualize strengths and gaps, and how a mid-sized financial company used the assessment to drive measurable improvements. The takeaway: know where your SOC is strong and weak, then plan improvements on a risk basis rather than chasing a uniform score. Subscribe and share with your network to set your SOC on the path to excellence.
References:
SOC-CMM - https://www.soc-cmm.com/products/soc-cmm/
Robert van Os - https://www.linkedin.com/in/socadvisor/
Transcripts: https://docs.google.com/document/d/1Fk6_t9FMyYXDF-7EfgpX_ZjLc0iPAgfN
Chapters
00:12 Introduction to CISO Tradecraft and SOCs
01:20 Understanding SOC CMM: A Game-Changing Tool
02:29 Evaluating SOC Maturity and Capability
06:04 Benefits and Implementation of SOC CMM
07:56 Understanding SOC Assessments
08:55 Deep Dive into SOC CMM Domains
12:42 Benefits and Flexibility of SOC CMM
14:40 Real-World Application and Conclusion

Oct 14, 2024 • 45min
#202 - Cybersecurity Crisis: Are We Failing the Next Generation?
In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges and misconceptions facing the next generation of cybersecurity professionals. The discussion covers the myth of a talent shortage, the shortcomings of current educational and certification programs, and the significance of aligning curricula with real-world needs. Hardy emphasizes the importance of hands-on experience, developing soft skills, and fostering continuous learning. The episode also highlights strategies for retaining talent, promoting internal training, and creating leadership opportunities to cultivate a skilled and satisfied cybersecurity workforce.
Transcripts: https://docs.google.com/document/d/12fI2efHXuHR4dS3cu7P0UIBCtjBdgREI
Chapters
00:00 Introduction to the Cybersecurity Talent Crisis
00:40 Debunking the Talent Shortage Myth
02:23 The Real Talent Gap: Mid-Career Professionals
03:04 Outsourcing and Its Impact on Entry-Level Jobs
08:29 Challenges in Cybersecurity Education
16:13 The Importance of Practical Skills Over Theory
23:52 The Importance of Writing Skills
25:10 Continuous Learning and Self-Investment
26:07 Performance and Career Progression
28:40 Mentorship and Onboarding
29:51 Training and Development Challenges
32:32 Retention Strategies
33:44 Engaging Junior Employees
39:07 Technology and Innovation
40:54 Conclusion and Final Thoughts

Oct 7, 2024 • 18min
#201 - Avoiding Hurricanes in the Cloud
In this episode of CISO Tradecraft, hosted by G Mark Hardy, you'll learn about four crucial tools in cloud security: CNAPP, CASB, CSPM, and CWPP. These tools serve various functions like protecting cloud-native applications, managing access security, maintaining cloud posture, and securing cloud workloads. The discussion covers their roles, benefits, key success metrics, and best practices for CISOs. As the cloud security landscape evolves, understanding and integrating these tools is vital for keeping your organization safe against cyber threats.
Transcripts: https://docs.google.com/document/d/1Mx9qr30RuWrDUw1TLNkUDQ8xo4xvQdP_
Chapters
00:00 Introduction to Cloud Security Tools
02:24 Understanding CNAPP: The Comprehensive Cyber Defense
08:13 Exploring CASB: The Cloud Access Gatekeeper
11:12 Diving into CSPM: Ensuring Cloud Compliance
13:40 CWPP: Protecting Cloud Workloads
15:08 Best Practices for Cloud Security
15:54 Conclusion and Final Thoughts

Sep 30, 2024 • 45min
#200 - Copywriting AI (with Mark Rasch)
In this episode of CISO Tradecraft, hosts G Mark Hardy and Mark Rasch discuss the intersection of artificial intelligence and the law. Recorded at the COSAC computer conference in Dublin, this episode covers the legal implications of AI, copyright issues, AI-generated content, privacy concerns, and ethical considerations. They explore the nuances between directed and undirected AI, the importance of training data, and the potential risks and liabilities associated with AI-driven systems. Tune in for a deep dive into how AI is reshaping cybersecurity and legal landscapes.
Transcripts: https://docs.google.com/document/d/1s_eDwz-FPuyxYZRJaOknWi2Ozjqmodrl
Chapters
00:00 Introductions
01:13 Diving into Artificial Intelligence
04:04 Directed vs. Undirected AI
11:02 Legal and Ethical Issues of AI
23:47 AI and Copyright: Who Owns the Creation?
26:59 The Role of AI in Information Security
32:51 Ethical Dilemmas in AI Decision-Making
39:18 Future Challenges and Recommendations for AI

Sep 23, 2024 • 28min
#199 - How to Secure Generative AI
Join G Mark Hardy in Torremolinos, Spain, for a deep dive into the security of Generative AI. This episode of CISO Tradecraft covers the basics of generative AI, including large language models like ChatGPT, and the key risks and mitigation strategies for securing AI tools in the workplace. G Mark provides real-world examples, insights into the industry's major players, and practical steps for CISOs to balance innovation with security. Learn how to protect sensitive data, manage AI hallucinations, and ensure compliance through effective governance and ethical guidelines, plus a look at where AI vulnerabilities and their mitigations are heading.
References
OWASP Top 10 LLM Risks https://genai.owasp.org/
Gartner CARE Standard - https://www.gartner.com/en/documents/3980890
Consistency: make sure your controls work consistently over time
Adequacy: make sure your controls meet the business needs
Reasonableness: make sure your controls are appropriate and fair
Effectiveness: make sure your controls produce the desired outcome
Transcripts: https://docs.google.com/document/d/1V2ar7JBO503MN0RZcH7Q7VBkQUW9MYk6
Chapters
00:00 Introduction from Spain
00:42 Understanding Generative AI
03:25 Major Players in Generative AI
05:02 Risks of Generative AI
15:14 Mitigating Generative AI Risks
18:23 Implementing Solutions
24:09 Conclusion and Call to Action

Sep 16, 2024 • 22min
#198 - Securing the Business Processes
G Mark Hardy dives deep into effective strategies for securing your business. Learn why it's essential for cybersecurity leaders to communicate the real business impact of vulnerabilities and discover the importance of identifying and prioritizing critical business processes. Gain insights from historical references and practical frameworks like the CIA triad (Confidentiality, Integrity, Availability) to bolster your organization's cybersecurity posture. Tune in as G Mark, broadcasting from Glasgow, Scotland, shares valuable lessons on proactive security measures, risk-based decision-making, and crisis recovery strategies.
Seven critical business processes common to most organizations:
Book
Order
Bill
Pay
Ship
Close
Communicate
Transcripts: https://docs.google.com/document/d/1Ra3c0J5Wo6s2BSqhNoNyqm9D65ogT07h
Chapters
00:00 Introduction to Securing the Business
00:12 Begin Podcast
01:08 Understanding Critical Business Processes
02:23 Identifying and Prioritizing Business Functions
03:00 Real-World Example: Restaurant Booking System
04:57 Decision Making in Crisis Situations
10:38 Mapping Confidentiality, Integrity, and Availability
19:42 Conclusion and Final Thoughts

Sep 9, 2024 • 46min
#197 - Fedshark's Blueprint for Cost Effective Risk Reduction
Join host G Mark Hardy as he dives into the complexities of compliance and reporting with special guests Brian Bradley and Josh Williams from FedShark. They describe a streamlined approach to compliance built on FedShark's AI-assisted assessment tools, and share offers for CISO Tradecraft listeners, including free downloads and discounted pre-assessment tools. Topics covered include CMMC, HIPAA, PCI, and more. Whether you're part of the Defense Industrial Base or juggling multiple compliance frameworks, this episode offers practical advice to make your compliance journey smoother and more effective.
Thanks to our podcast sponsor, Fedshark
CISO Tradecraft Promo & Link to CMMC White Papers: https://fedshark.com/ciso
RapidAssess: https://fedshark.com/rapid-assess
Company website: https://fedshark.com
FedShark Blog: https://fedshark.com/blog
Schedule a Demo: https://fedshark.com/contact-us
LinkedIn Matt Beaghley: https://www.linkedin.com/in/mbeaghley/
LinkedIn Brian Bradley: https://www.linkedin.com/in/brian-bradley-97a82668/
Chapters
00:00 Introduction and Special Offer
03:18 Meet the Experts: Brian and Josh
06:49 Challenges in Compliance
16:23 Understanding CMMC
29:02 Understanding Scope in Compliance
30:22 Introducing the AI-Enhanced Compliance Solution
31:24 Streamlining Interviews and Documentation
42:19 Final Thoughts and Recommendations

Sep 2, 2024 • 47min
#196 - Cyber Thrills and Author Quills (with Deb Radcliff)
G Mark Hardy and guest Deb Radcliff talk about their experiences and takeaways from Black Hat and the changing world of cybersecurity. Deb shares her perspective on the intersection of AI, DevSecOps, and cyber warfare, and discusses the ideas behind her "Breaking Backbones" trilogy.
Transcripts: https://docs.google.com/document/d/1XN9HjdljJYKlUITrxZ10HTq9e91R8FNT
Book 1: Breaking Backbones: Information Is Power
https://amzn.to/4dLSBxQ
Book 2: Breaking Backbones: Information Should Be Free
https://amzn.to/4e3BRlB
Book 3: Breaking Backbones: From Chaos to Order
https://amzn.to/3X8e4u2
Chapters
00:00 Introduction and Welcome Back
01:18 Black Hat and Security Leaders Dinner
04:39 The Evolution of Cybersecurity Conferences
10:59 AI and Cybersecurity Trends
22:01 The Chip Dilemma: Parenting in a Monitored Society
23:09 Crafting Characters: Inspirations and Transformations
25:58 Writing Process: From Drafts to Details
31:38 Future of Cybersecurity: Autonomous Systems and Legal Challenges

Aug 26, 2024 • 48min
#195 - Pentesting for Readiness not Compliance (with Snehal Antani)
In this episode of CISO Tradecraft, host G Mark Hardy is joined by Snehal Antani, co-founder of Horizon3.ai, to discuss the interplay between offensive and defensive cybersecurity. They explore how observing attacker behavior improves defensive strategy, why a point-in-time penetration test gives only a snapshot of exposure, and how autonomous pen testing can provide continuous, scalable coverage. The conversation draws on Snehal's experience, stresses readiness over compliance, and looks at the future of security tools designed to operate with humans out of the loop. Tune in to learn how to elevate your security posture in a rapidly evolving threat landscape.
Horizon3 - https://www.horizon3.ai
Snehal Antani - https://www.linkedin.com/in/snehalantani/
Transcripts: https://docs.google.com/document/d/1IFSQ8Uoca3I7TLqNHMkvm2X-RHk8SWpo
Chapters
00:00 Introduction and Guest Welcome
01:43 Background and Experience of Snehal Antani
03:09 Challenges and Limitations of Traditional Pen Testing
14:47 The Future of Pen Testing: Autonomous Systems
23:10 Leveraging Data for Cybersecurity Insights
24:02 Expanding the Attack Surface: Cloud and Supply Chain
24:46 Third-Party Risk Management Evolution
44:37 Future of Cyber Warfare: Algorithms vs. Humans

Aug 19, 2024 • 39min
#194 - The IAM Masterclass
In this episode of CISO Tradecraft, host G Mark Hardy walks through Identity and Access Management (IAM) end to end. Learn the essentials and best practices of IAM, including user registration, identity proofing, directory services, identity federation, credential issuance, profile and role management, identity lifecycle management, and access management. Stay current on trends like proximity-based MFA and behavioral biometrics, and understand why a well-implemented IAM program matters for safeguarding sensitive data, meeting compliance obligations, and operational efficiency. Plus, hear real-world examples and practical advice for improving your IAM strategy.
Transcripts: https://docs.google.com/document/d/15zUupqhCQz9llwy21GW5cam8qXgK80JB
Chapters
00:00 Introduction to CISO Tradecraft
01:24 Understanding Identity and Access Management (IAM)
01:54 Gartner's Magic Quadrant and IAM Vendors
03:29 The Importance of IAM in Enterprises
04:28 User Registration and Verification
06:48 Password Policies and Best Practices
09:53 Identity Proofing Techniques
14:53 Directory Services and Role Management
18:27 Identity Federation and Credential Issuance
22:22 Profile and Role Management
26:17 Identity Lifecycle Management
29:23 Access Management Essentials
35:05 Review and Conclusion


