CISO Tradecraft®

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen. Big Thanks to our Sponsors Haiku - https://www.haikuinc.io/ Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q Prefer to watch on YouTube? https://www.youtube.com/watch?v=45eViHH_ktA  Chapters 00:00 Introduction 03:38 What is Game-Based Learning? 07:55 Training Board of Directors 10:18 Gamification vs Game-Based Learning 14:30 Do Your Duties 21:09 Delaware Fiduciary Duties 22:54 Building a Forge 26:11 Tailored Game Types 33:35 Teaching Girl Scouts Linux Commands 40:17 Retaining Your Best People

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks. Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/iso-27001-certification/ Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0 Chapters 00:00 Introduction 04:22 Communication is a Requirement 09:34 How does cyber create value? 11:30 Culture and Operational Excellence 16:51 How does growth strategy align with cyber? 22:30 Intention Deficit Disorder 26:48 Accountability Loops 28:39 What's the evolution for a digital strategy? 32:02 Sharpen your axe 36:40 Digital Directors Network & Qualified Technical Experts

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out. Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/ Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war Chapters 00:00 Introduction 01:57 Definition of Cyber War 04:18 Kinetic vs Cyber War 07:02 Goal of Offensive Cyber Operations 10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity) 11:33 Diplomatic, Information, Military, & Economic (DIME) 12:57 Proportionality 14:04 Law of Distinction 15:56 Tallinn Manual 18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks 23:47 Ukraine Cyber War 28:21 Comparing old tanks to old mainframes 39:55 Winning a Cyber War

This podcast discusses the importance of measuring results in cybersecurity and provides methods such as setting SMART goals, identifying KPIs, using the WOOP model, gap analysis, the 5 Why Method, and Plan-Do-Check-Act. It also explores the significance of metrics, accountability, continuous improvement, and seeking advice from peers and third parties.

This podcast episode explores the key roles of Boards in cybersecurity, including setting risk strategy, reviewing assessments, evaluating management's cyber risk stance, and approving risk management plans. It also discusses the importance of establishing an information security culture, getting budget requests approved, and using reserved funding for cybersecurity projects.

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/ Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS Chapters 00:00 Introduction 06:02 The 4 Questions that allow you to measure twice cut once 09:29 How Data Flow Diagrams help teams 16:04 It's more than just looking at threats 19:23 Chasing the most fluid thing or the most worrisome thing 22:00 All models are wrong and some are useful 26:25 Actionable Remediation 31:05 LLMs and Threat Models

Learn about the recent cyber attacks involving SMS spoofing and Social Engineering in the casino industry. Find out how to stop these attacks and the importance of using good MFA. The podcast also discusses negotiating with ransomware attackers, duress security codes, vulnerabilities of multi-factor authentication, and the significance of executive support in cybersecurity.

Exploring the concept of materiality in relation to cybersecurity incidents and the importance of disclosing material facts. Discussing the economic cost of cyber attacks and the increasing demand for information about cybersecurity risks among investors. Delving into the relationship between risk and reward in investment and the role of the SEC in enhancing cybersecurity for financial system resiliency. Emphasizing the importance of infrastructure capacity planning, stress testing, and early detection and response to cybersecurity threats. Discussing the responsibility of boards in providing governance and cybersecurity, including new SEC requirements. Exploring the importance of effective communication and collaboration for cybersecurity leaders.

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1 Big Thanks to our Sponsors Risk3Sixty - https://risk3sixty.com/whitepaper/ CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach! Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/  Chapters 00:00 Introduction 01:30 What are the CIS Critical Security Controls? 03:00 How have the CIS Critical Security Controls evolved over time? 05:30 What are the benefits of implementing the CIS Critical Security Controls? 07:30 The three crucial questions for implementing the CIS Critical Security Controls 10:30 How to prioritize the CIS Critical Security Controls 12:30 What are Implementation Groups? 13:37 Enterprise Profiles 14:00 Why are Implementation Groups important? 15:30 How to choose the right Implementation Group for your organization 19:46 Cost Breakdown 23:16 Thoughts on the CIS Study

Explore the evolving landscape of cybersecurity regulations, including data incident notifications and required contract language. Learn how to prepare, adapt, and network within your industry. Understand the importance of meeting cybersecurity controls and the potential consequences of non-compliance. Discover strategies for handling regulatory change, mapping controls, and tracking requirements. Navigate regulatory change by staying up to date with industry standards, engaging legal teams, investing in compliance tools, and promoting the episode and sponsors.