CISO Tradecraft®

G Mark Hardy and guest Deb Radcliff talk about experiences and takeaways from Black Hat, and delve into the dynamic world of cybersecurity. Deb shares her perspectives on the intersection of AI, DevSecOps, and cyber warfare, while highlighting insights from her 'Breaking Backbones' trilogy. 

Transcripts: https://docs.google.com/document/d/1XN9HjdljJYKlUITrxZ10HTq9e91R8FNT

Book 1: Breaking Backbones: Information Is Power
        https://amzn.to/4dLSBxQ
Book 2: Breaking Backbones: Information Should Be Free
        https://amzn.to/4e3BRlB
Book 3: Breaking Backbones: From Chaos to Order
        https://amzn.to/3X8e4u2

Chapters

• 00:00 Introduction and Welcome Back
• 01:18 Black Hat and Security Leaders Dinner
• 04:39 The Evolution of Cybersecurity Conferences
• 10:59 AI and Cybersecurity Trends
• 22:01 The Chip Dilemma: Parenting in a Monitored Society
• 23:09 Crafting Characters: Inspirations and Transformations
• 25:58 Writing Process: From Drafts to Details
• 31:38 Future of Cybersecurity: Autonomous Systems and Legal Challenges

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Snehal Antani, co-founder of Horizon3.AI, to discuss the crucial interplay between offensive and defensive cybersecurity tactics. They explore the technical aspects of how observing attacker behavior can enhance defensive strategies, why traditional point-in-time pen testing may be insufficient, and how autonomous pen testing can offer continuous, scalable solutions. The conversation delves into Snehal’s extensive experience, the importance of readiness over compliance, and the future of cybersecurity tools designed with humans out of the loop. Tune in to learn how to elevate your cybersecurity posture in a rapidly evolving threat landscape.

Horizon3 - https://www.horizon3.ai

Snehal Antani - https://www.linkedin.com/in/snehalantani/

Transcripts: https://docs.google.com/document/d/1IFSQ8Uoca3I7TLqNHMkvm2X-RHk8SWpo

Chapters:

• 00:00 Introduction and Guest Welcome
• 01:43 Background and Experience of Snehal Antani
• 03:09 Challenges and Limitations of Traditional Pen Testing
• 14:47 The Future of Pen Testing: Autonomous Systems
• 23:10 Leveraging Data for Cybersecurity Insights
• 24:02 Expanding the Attack Surface: Cloud and Supply Chain
• 24:46 Third-Party Risk Management Evolution
• 44:37 Future of Cyber Warfare: Algorithms vs. Humans

In this episode of CISO Tradecraft, host G Mark Hardy delves into the intricate world of Identity and Access Management (IAM). Learn the essentials and best practices of IAM, including user registration, identity proofing, directory services, identity federation, credential issuance, and much more. Stay informed about the latest trends like proximity-based MFA and behavioral biometrics. Understand the importance of effective IAM implementation for safeguarding sensitive data, compliance, and operational efficiency. Plus, hear real-world examples and practical advice on improving your IAM strategy for a secure digital landscape.

Transcripts: https://docs.google.com/document/d/15zUupqhCQz9llwy21GW5cam8qXgK80JB

Chapters

• 00:00 Introduction to CISO Tradecraft
• 01:24 Understanding Identity and Access Management (IAM)
• 01:54 Gartner's Magic Quadrant and IAM Vendors
• 03:29 The Importance of IAM in Enterprises
• 04:28 User Registration and Verification
• 06:48 Password Policies and Best Practices
• 09:53 Identity Proofing Techniques
• 14:53 Directory Services and Role Management
• 18:27 Identity Federation and Credential Issuance
• 22:22 Profile and Role Management
• 26:17 Identity Lifecycle Management
• 29:23 Access Management Essentials
• 35:05 Review and Conclusion

In this comprehensive episode of CISO Tradecraft, host G Mark Hardy sits down with Christian Hyatt, author of 'The Security Team Operating System'. Together, they delve into the five essential components needed to transform your cyber security team from reactive to unstoppable. From defining purpose and values to establishing clear roles, rhythms, and goals, this podcast offers practical insights and tools that can improve the efficacy and culture of your security team. If you're looking for strategic frameworks to align your team with business objectives and create a resilient security culture, you won't want to miss this episode!

Christian Hyatt's LinkedIn Profile: https://www.linkedin.com/in/christianhyatt/

Link to the Book: https://a.co/d/aHpXXfr

Transcripts: https://docs.google.com/document/d/1ogBdtJolBJTOVtqyFLO5onuLxBsfqqQP

Chapters

• 00:00 Introduction and Guest Welcome
• 01:31 Overview of the Security Team Operating System
• 03:31 Deep Dive into the Five Elements
• 07:53 Aligning Security with Business Objectives
• 21:59 Defining Core Values for Security Teams
• 25:03 Aligning Organizational and Team Values
• 26:05 Establishing Clear Roles and Responsibilities
• 30:58 Implementing Effective Rhythms and Goals

Join host G Mark Hardy in this episode of CISO Tradecraft as he welcomes Olivia Rose, an experienced CISO and founder of the Rose CISO Group. Olivia discusses her journey in cybersecurity from her start in marketing to becoming a VCISO. They delve into key topics including the transition from CISO to VCISO, strategies for managing time and stress, the importance of understanding board dynamics, and practical advice on mentoring new entrants in the cybersecurity field. Olivia also shares her insights on maintaining business alignment, handling insurance as a contractor, and building a personal brand in the cybersecurity community.

Olivia Rose: https://www.linkedin.com/in/oliviarosecybersecurity/

Transcripts: https://docs.google.com/document/d/1S42BepIh1QQHVWsdhhgx6x99U188q5eL

Chapters

• 00:00 Introduction and Guest Welcome
• 01:14 Olivia Rose's Career Journey
• 06:42 Challenges in Cybersecurity Careers
• 15:47 Communicating with the Board
• 22:57 Navigating Compliance and Legal Challenges
• 24:10 Building Strategic Relationships
• 25:46 Aligning Security with Business Goals
• 35:05 The Importance of Reputation and Branding

In this episode of CISO Tradecraft, host G Mark Hardy continues an in-depth discussion with cybersecurity attorney Thomas Ritter on the legal considerations for cybersecurity leaders. The episode touches on essential topics such as immediate legal steps after a data breach, the importance of using correct terminology, understanding attorney-client privilege and discovery, GDPR's impact, data localization, and proactive measures CISOs should take. The conversation also explores the implications of evolving cybersecurity laws and regulations like the Digital Operations Resilience Act and the potential criminal liabilities for CISOs.

Thomas Ritter: https://www.linkedin.com/in/thomas-ritter-2b91014a/

Transcripts: https://docs.google.com/document/d/15xQINUOdziGdcEFfh5SN8lS7svtK0JCT

Chapters

• 00:00 Introduction and Recap of Part 1
• 01:43 Starting the Discussion: Data Breaches
• 02:22 Legal Steps After a Data Breach
• 07:19 Understanding Attorney-Client Privilege
• 08:21 Discovery in Legal Cases
• 13:31 Staying Updated on Cybersecurity Laws
• 19:38 Impact of GDPR on Cybersecurity
• 32:00 Data Localization Challenges
• 34:55 Proactive Legal Preparedness
• 37:23 Final Thoughts and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy interviews cybersecurity lawyer Thomas Ritter. They discuss key legal topics for CISOs, including regulatory compliance, managing third-party risk, responding to data breaches, and recent legislative impacts. Thomas shares his journey into cybersecurity law and provides practical advice and real-world examples. Key points include the challenges of keeping up with evolving regulations, the intricacies of vendor management, and the implications of recent Supreme Court rulings. They also touch on major breaches like SolarWinds and Colonial Pipeline, exploring lessons learned and the importance of implementing essential security controls.

Thomas Ritter - https://www.linkedin.com/in/thomas-ritter-2b91014a/ Transcripts: https://docs.google.com/document/d/1EvZ_dOpFOLCSSv5ffqxCoMnLZDOnUv_K

Chapters

• 00:00 Introduction to CISO Tradecraft
• 00:48 Meet Thomas Ritter: Cybersecurity Lawyer
• 03:48 Legal Challenges for CISOs
• 04:54 Managing Third-Party Risks
• 13:01 Understanding Legal and Statutory Obligations
• 15:57 Supreme Court Rulings and Cybersecurity
• 32:57 Lessons from High-Profile Cyber Attacks
• 38:32 Ransomware Epidemic and Law Enforcement
• 43:30 Conclusion and Contact Information

Emotional Intelligence for Cybersecurity Leaders | CISO Tradecraft In this episode of CISO Tradecraft, host G Mark Hardy delves into the essential topic of emotional intelligence (EI) for cybersecurity leaders. He explores the difference between IQ and EI, the origins and significance of emotional intelligence, and its impact on leadership effectiveness. The episode covers various models of EI, including the Ability Model, the Trait Model, and the Mixed Model, and emphasizes practical actions to enhance EI, such as self-awareness, self-regulation, empathy, and social skills. Tune in to understand how developing emotional intelligence can significantly benefit your career, leadership performance, and personal life. 

Transcripts: https://docs.google.com/document/d/15pyhXu3XVHJ_VE1OwKjSqM73Rybjbsm0

Chapters:

• 00:00 Introduction to CISO Tradecraft
• 00:53 Understanding IQ: The Basics
• 04:08 Introduction to Emotional Intelligence
• 07:38 Models of Emotional Intelligence
• 13:06 The Importance of Emotional Intelligence in Leadership
• 25:12 Practical Steps to Improve Emotional Intelligence
• 32:42 Conclusion and Final Thoughts

Securing Small Businesses: Essential Cybersecurity Tools and Strategies In this episode of CISO Tradecraft, host G Mark Hardy discusses cybersecurity challenges specific to small businesses. He provides insights into key tools and strategies needed for effective cybersecurity management in small enterprises, including endpoint management, patch management, EDR tools, secure web gateways, IAM solutions, email security gateways, MDR services, and password managers. Hardy also evaluates these tools against the CIS Critical Security Controls to highlight their significance in safeguarding small business operations.

Transcripts: https://docs.google.com/document/d/1Hon3h950myI7A3jzGmj7YIwRXow5W1V5

Chapters

• 00:00 Introduction to CISO Tradecraft
• 00:40 Challenges of Cybersecurity in Small Businesses
• 01:15 Defining Small Business and Security Baselines
• 01:53 Top Cybersecurity Tools for Small Businesses
• 02:05 Hardware and Software Essentials
• 04:35 Patch Management Solutions
• 05:19 Endpoint Detection and Response (EDR) Tools
• 06:06 Secure Web Gateways and Website Security
• 11:21 Identity and Access Management (IAM)
• 12:57 Email Security Gateways
• 14:15 Managed Detection and Response (MDR) Solutions
• 14:54 Recap of Essential Cybersecurity Tools
• 15:41 Bonus Tool: Password Managers
• 18:33 Aligning with CIS Controls
• 24:48 Conclusion and Call to Action

Welcome to another episode of CISO Tradecraft with your host, G. Mark Hardy! In this episode, we dive into how CISOs can drive the profitable growth of their company's products and services. Breaking the traditional view of security as a cost center, Mark illustrates ways CISOs can support business objectives like customer outreach, service enablement, operational resilience, and cost reduction. Tune in for insightful strategies to improve your impact as a cybersecurity leader and a sneak peek at our upcoming CISO training class! If you would like to learn more about our class, drop us a comment: https://www.cisotradecraft.com/comment

Transcripts: https://docs.google.com/document/d/19SDBdQSTLc58sP5ynwzhuedNHzk7QPKj

Chapters

• 00:00 Introduction to Profitable Growth for CISOs
• 01:16 Understanding Profit and Business Objectives
• 03:24 Enhancing Customer Experience through Cybersecurity
• 08:51 Service Enablement and Upselling Strategies
• 11:39 Ensuring Operational Resilience
• 13:36 Cost Reduction and Efficiency Improvements
• 18:31 Recap and Final Thoughts
• 19:10 Exciting Announcement: CISO Training Course

Exploring AI in Cybersecurity: Insights from an Expert - CISO Tradecraft with Tom Bendien In this episode of CISO Tradecraft, host G Mark Hardy sits down with AI expert Tom Bendien to delve into the impact of artificial intelligence on cybersecurity. They discuss the basics of AI, large language models, and the differences between public and private AI models. Tom shares his journey from New Zealand to the U.S. and how he became involved in AI consulting. They also cover the importance of education in AI, from executive coaching to training programs for young people. Tune in to learn about AI governance, responsible use, and how to prepare for the future of AI in cybersecurity.

Transcripts: https://docs.google.com/document/d/1x0UTLiQY7hWWUdfPE6sIx7l7B0ip7CZo

Chapters

• 00:00 Introduction and Guest Welcome
• 00:59 Tom Bendien's Background and Journey
• 02:30 Diving into AI and ChatGPT
• 04:29 Understanding AI Models and Neural Networks
• 07:11 The Role of Agents in AI
• 10:10 Challenges and Ethical Considerations in AI
• 13:47 Open Source AI and Security Concerns
• 18:32 Apple's AI Integration and Compliance Issues
• 24:01 Navigating AI in Cybersecurity
• 25:09 Ethical Dilemmas in AI Usage
• 27:59 AI Coaching and Its Importance
• 32:20 AI in Education and Youth Engagement
• 35:55 Career Coaching in the Age of AI
• 39:20 The Future of AI and Its Saturation Point
• 42:07 Final Thoughts and Contact Information

In this episode of CISO Tradecraft, host G Mark Hardy delves into the complex intersection of ethics and artificial intelligence. The discussion covers the seven stages of AI, from rule-based systems to the potential future of artificial superintelligence. G Mark explores ethical frameworks, such as rights-based ethics, justice and fairness, utilitarianism, common good, and virtue ethics, and applies them to AI development and usage. The episode also highlights ethical dilemmas, including privacy concerns, bias, transparency, accountability, and the impacts of AI on societal norms and employment. Learn about the potential dangers of AI and how to implement and control AI systems ethically in your organization. 

Transcripts: https://docs.google.com/document/d/10AhefqdhkT0PrEbh8qBZVn9wWS6wABO6

Chapters

• 00:00 Introduction to CISO Tradecraft
• 01:01 Stages of Artificial Intelligence
• 03:33 Ethical Implications of AI
• 05:24 Business Models and Data Security
• 13:52 Ethical Frameworks Explained
• 23:18 AI and Human Behavior
• 25:44 The TikTok Feedback Loop and Digital Addiction
• 26:54 AI's Unpredictable Capabilities
• 28:25 The Ethical Dilemmas of AI
• 30:57 Generative AI and Its Implications
• 42:10 The Role of Government and Society in AI Regulation
• 45:49 Conclusion and Ethical Considerations

In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges complexity introduces to cybersecurity, debunking the myth that more complex systems are inherently more secure. Through examples ranging from IT support issues to the intricacies of developing a web application with Kubernetes, the discussion highlights how complexity can obscure vulnerabilities, increase maintenance costs, and expand the attack surface. The episode also offers strategies to tackle complexity, including standardization, minimization, automation, and feedback-driven improvements, aiming to guide cybersecurity leaders toward more effective and less complex security practices.

Transcripts: https://docs.google.com/document/d/1J0rPr0HxULpeVJMIwXKXqHuCfnXn4gDu

Chapters 

• 00:00 Introduction
• 01:03 The Misconception of Complexity in Cybersecurity
• 02:41 Real-World Complexities and Their Impact on IT
• 10:06 Simplifying Cybersecurity: Strategies and Solutions
• 14:48 Conclusion: Embracing Simplicity in Cybersecurity

This episode of CISO Tradecraft features a conversation between host G. Mark Hardy and Chris Rothe, co-founder of Red Canary, focusing on cloud security, managed detection and response (MDR) services, and the evolution of cybersecurity practices. They discuss the genesis of Red Canary, the significance of their company name, and the distinctions between Managed Security Service Providers (MSSPs) and MDRs. The conversation also covers the importance of cloud security, the challenges of securing serverless and containerized environments, and leveraging open-source projects like Atomic Red Team for cybersecurity. They conclude with insights on the cybersecurity labor market, the value of threat detection reports, and the future of cloud security.

Red Canary: https://redcanary.com/

Chris Rothe: https://www.linkedin.com/in/crothe/

Transcripts: https://docs.google.com/document/d/1XN4Bp7Sa2geGCVaHuqMRmJckms4q7_L6

This episode of CISO Tradecraft, hosted by G Mark Hardy, features special guest Debbie Gordon. The discussion focuses on the critical role of Security Operations Centers (SOCs) in an organization's cybersecurity efforts, emphasizing the importance of personnel, skill development, and maintaining a high-performing team. It covers the essential aspects of building and managing a successful SOC, from hiring and retaining skilled incident responders to measuring their performance and productivity. The conversation also explores the benefits of simulation-based training with CloudRange Cyber, highlighting how such training can improve job satisfaction, reduce incident response times, and help organizations meet regulatory requirements. Through this in-depth discussion, listeners gain insights into best practices for enhancing their organization's cybersecurity posture and developing key skill sets to defend against evolving cyber threats.

Cloud Range Cyber: https://www.cloudrangecyber.com/

Transcripts: https://docs.google.com/document/d/18ILhpOgHIFokMrkDAYaIEHK-f9hoy63u 

Chapters

• 00:00 Introduction
• 01:04 The Indispensable Role of Security Operations Centers (SOCs)
• 02:07 Building an Effective SOC: Starting with People
• 03:04 Measuring Productivity and Performance in Your SOC
• 05:36 The Importance of Continuous Training and Simulation in Cybersecurity
• 09:00 Debbie Gordon on the Evolution of Cyber Training
• 11:54 Developing Cybersecurity Talent: The Importance of Simulation Training
• 14:46 The Critical Role of People in Cybersecurity
• 21:57 The Impact of Regulations on Cybersecurity Practices
• 24:36 The Importance of Proactive Cybersecurity Training
• 26:26 Redefining Cybersecurity Roles and Training Approaches
• 30:08 Leveraging Cyber Ranges for Real-World Cybersecurity Training
• 36:03 Evaluating and Enhancing Cybersecurity Skills and Team Dynamics
• 37:49 Maximizing Cybersecurity Training ROI and Employee Engagement
• 41:40 Exploring CloudRange Cyber's Training Solutions
• 43:28 Conclusion: The Future of Cybersecurity Training

In this episode of CISO Tradecraft, host G Mark Hardy discusses the findings of the 2024 Verizon Data Breach Investigations Report (DBIR), covering over 10,000 breaches. Beginning with a brief history of the DBIR's inception in 2008, Hardy highlights the evolution of cyber threats, such as the significance of patching vulnerabilities and the predominance of hacking and malware. The report identifies the top methods bad actors use for exploiting companies, including attacking VPNs, desktop sharing software, web applications, conducting phishing, and stealing credentials, emphasizing the growing sophistication of attacks facilitated by technology like ChatGPT for phishing and deepfake tech for social engineering. The episode touches on various cybersecurity measures, the omnipresence of multi-factor authentication (MFA) as a necessity rather than a best practice, and the surge in denial-of-service (DDoS) attacks. Hardy also discusses generative AI's role in enhancing social engineering attacks and the potential impact of deepfake content on elections and corporate reputations. Listeners are encouraged to download the DBIR for a deeper dive into its findings.

Transcripts: https://docs.google.com/document/d/1HYHukTHr6uL6khGncR_YUJVOhikedjSE 

Chapters

• 00:00 Welcome to CISO Tradecraft
• 00:35 Celebrating Milestones and Offering Services
• 01:39 Diving into the Verizon Data Breach Investigations Report
• 04:22 Top Attack Methods: VPNs and Desktop Sharing Software Vulnerabilities
• 09:24 The Rise of Phishing and Credential Theft
• 19:43 Advanced Threats: Deepfakes and Generative AI
• 23:23 Closing Thoughts and Recommendations

In this joint episode of the Security Break podcast and CISO Tradecraft podcast, hosts from both platforms come together to discuss a variety of current cybersecurity topics. They delve into the challenge of filtering relevant information in the cybersecurity sphere, elaborate on different interpretations of the same news based on the reader's background, and share a detailed analysis on specific cybersecurity news stories. The discussion covers topics such as the implications of data sharing without user consent by major wireless providers and the fines imposed by the FCC, the significance of increasing bug bounty payouts by tech companies like Google, and a comprehensive look at how edge devices are exploited by hackers to create botnets for various cyberattacks. The conversation addresses the complexity of the cybersecurity landscape, including how different actors with varied objectives can simultaneously compromise the same devices, making it difficult to attribute attacks and protect networks effectively.

Transcripts: https://docs.google.com/document/d/1GtFIWtDf_DSIIgs_7CizcnAHGnFTTrs5

Chapters

• 00:00 Welcome to a Special Joint Episode: Security Break & CISO Tradecraft
• 01:27 The Challenge of Filtering Cybersecurity Information
• 04:23 Exploring the FCC's Fine on Wireless Providers for Privacy Breaches
• 06:41 The Complex Landscape of Data Privacy Regulations
• 16:00 The Economics of Data Breaches and Regulatory Fines
• 24:23 Bug Bounties and the Value of Security Research
• 33:21 Exploring the Economics of Cybersecurity
• 33:50 The Lucrative World of Bug Bounties
• 34:38 The Impact of Security Vulnerabilities on Businesses
• 35:50 Navigating the Complex Landscape of Cybersecurity
• 36:22 The Ethical Dilemma of Selling Exploit Information
• 37:32 Understanding the Market Dynamics of Cybersecurity
• 38:00 Focusing on Android Application Security
• 38:34 The Importance of Targeting in Cybersecurity Efforts
• 42:33 Exploring the Threat Landscape of Edge Devices
• 46:37 The Challenge of Securing Outdated Technology
• 49:28 The Role of Cybersecurity in Modern Warfare
• 53:15 Strategies for Enhancing Cybersecurity Defenses
• 01:05:25 Concluding Thoughts on Cybersecurity Challenges

In this episode of CISO Tradecraft, host G. Mark Hardy discusses seven critical issues facing the cybersecurity industry, offering a detailed analysis of each problem along with counterarguments. The concerns range from the lack of a unified cybersecurity license, the inefficiency and resource waste caused by auditors, to the need for a federal data privacy law. Hardy emphasizes the importance of evaluating policies, prioritizing effective controls, and examining current industry practices. He challenges the audience to think about solutions and encourages sharing opinions and additional concerns, aiming to foster a deeper understanding and improvement within the field of cybersecurity.

Transcripts: https://docs.google.com/document/d/1H_kTbCG8n5f_d1ZHNr1QxsXf82xb08cG

Chapters

• 00:00 Introduction
• 01:28 Introducing the Seven Broken Things in Cybersecurity
• 02:00 1. The Lack of a Unified Cybersecurity License
• 06:53 2. The Problem with Cybersecurity Auditors
• 10:09 3. The Issue with Treating All Controls as High Priority
• 14:12 4. The Obsession with New Cybersecurity Tools
• 19:23 5. Misplaced Accountability in Cybersecurity
• 22:38 6. Rethinking Degree Requirements for Cybersecurity Jobs
• 26:49 7. The Need for Federal Data Privacy Laws
• 30:53 Closing Thoughts and Call to Action

In this episode of CISO Tradecraft, hosts G Mark Hardy and guests Jeff Majka and Andrew Dutton discuss the vital role of competitive threat intelligence in cybersecurity. They explore how Security Bulldog's AI-powered platform helps enterprise cybersecurity teams efficiently remediate vulnerabilities by processing vast quantities of data, thereby saving time and enhancing productivity. The conversation covers the importance of diverse threat intelligence sources, including open-source intelligence and insider threat awareness, and the strategic value of AI in analyzing and prioritizing data to manage cybersecurity risks effectively. The discussion also touches on the challenges and potentials of AI in cybersecurity, including the risks of data poisoning and the ongoing battle between offensive and defensive cyber operations.

The Security Bulldog: https://securitybulldog.com/contact/

Transcripts: https://docs.google.com/document/d/1D6yVMAxv16XWtRXalI5g-ZdepEMYmQCe

Chapters

• 00:00 Introduction
• 00:56 Introducing the Experts: Insights from the Field
• 02:43 Unpacking Cybersecurity Intelligence: Definitions and Importance
• 04:02 Exploring Cyber Threat Intelligence (CTI): Applications and Strategies
• 13:11 The Role of AI in Enhancing Cybersecurity Efforts
• 16:43 Navigating the Complex Landscape of Cyber Threats and Defenses
• 19:07 The Future of AI in Cybersecurity: A Balancing Act
• 22:33 Exploring AI's Role in Cybersecurity
• 22:50 The Practical Application of AI in Cybersecurity
• 25:08 Challenges and Trust Issues with AI in Cybersecurity
• 26:52 Managing AI's Risks and Ensuring Reliability
• 31:00 The Evolution and Impact of AI Tools in Cyber Threat Intelligence
• 34:45 Choosing the Right AI Solution for Cybersecurity Needs
• 37:27 The Business Case for AI in Cybersecurity
• 41:22 Final Thoughts and the Future of AI in Cybersecurity

This episode of CISO Tradecraft features a comprehensive discussion between host G Mark Hardy and guest Rafeeq Rehman, centered around the evolving role of CISOs, the impact of Generative AI, and strategies for effective cybersecurity leadership. Rafeeq shares insights on the CISO Mind Map, a tool for understanding the breadth of responsibilities in cybersecurity leadership, and discusses various focal areas for CISOs in 2024-2025, including the cautious adoption of Gen AI, tool consolidation, cyber resilience, branding for security teams, and maximizing the business value of security controls. The episode also addresses the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security.

Cybersecurity Learning Saturday: https://www.linkedin.com/company/cybersecurity-learning-saturday/

2024 CISO Mindmap: https://rafeeqrehman.com/2024/03/31/ciso-mindmap-2024-what-do-infosec-professionals-really-do/

Transcripts: https://docs.google.com/document/d/1axXQJoAdJI26ySKVfROI9rflvSe9Yz50

Chapters 

• 00:00 Introduction
• 00:57 Rafeeq Rehman: Beyond the CISO MindMap
• 04:17 The Evolution of the CISO MindMap
• 08:30 AI and the Future of Cybersecurity Leadership
• 11:47 Embracing Change: The Role of AI in Cybersecurity
• 14:16 Generative AI: Hype, Reality, and Strategic Advice for CISOs
• 22:32 Navigating the Future Job Market with AI
• 22:53 Framing AI for Specific Roles
• 24:12 Harnessing Creativity with Generative AI
• 25:14 Consolidating Security Tools for Efficiency
• 28:31 Evaluating Security Tools: A Deep Dive
• 32:21 Cyber Resilience: Beyond Incident Response
• 35:51 Building a Business-Focused Security Strategy
• 39:39 Maximizing Business Value Through Security
• 43:15 Looking Ahead: Focus Areas for the Future
• 43:53 Concluding Thoughts and Future Predictions

In this episode of CISO Tradecraft, host G Mark Hardy welcomes Alex Dorr to discuss Reality-Based Leadership and its impact on reducing workplace drama and enhancing productivity. Alex shares his journey from professional basketball to becoming an evangelist of reality-based leadership, revealing how this approach helped him personally and professionally. They delve into the concepts of SBAR (Situation, Background, Analysis, Recommendation) for effective communication, toggling between low self and high self to manage personal reactions, and practical tools like 'thinking inside the box' to confront and solve workplace issues within given constraints. The conversation underscores the importance of focusing on actionable strategies over arguing with the drama and reality of workplace dynamics, aiming to foster a drama-free, engaged, and productive work environment.

Alex Dorr's Linkedin: https://www.linkedin.com/in/alexmdorr/

Reality-Based Leadership Website: https://realitybasedleadership.com/ 

Transcripts: https://docs.google.com/document/d/1wge0pFLxE4MkS6neVp68bdz8h9mHrwje 

Chapters

• 00:00 Introduction
• 00:57 Alex Dorr's Journey from Basketball to Leadership Expert
• 03:54 The Core Principles of Reality-Based Leadership
• 06:20 Understanding the Human Condition in the Workplace
• 09:19 Tackling Workplace Drama with Reality-Based Leadership
• 11:58 The Power of Positive Energy Management
• 17:42 Navigating Unpreferred Realities and Finding Impact
• 19:44 Reality-Based Leadership in Action: Techniques and Outcomes
• 23:12 The Importance of Skill Development Over Perfecting Reality
• 24:32 The Challenge of Employee Engagement
• 25:49 Secrets to Embracing Reality and Taking Action
• 25:58 Leadership vs. Management: Navigating Workplace Dynamics
• 28:28 Empowering Employees with the SBAR Framework
• 34:04 Addressing Venting and Negative Behaviors
• 36:17 Developing People: The Core of Leadership
• 37:50 Choosing Happiness Over Being Right
• 40:15 Integrating New Leadership Models and Making Them Stick
• 46:24 Concluding Thoughts and Contact Information

This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements.

AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/

NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity 

Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud

Chapters

• 00:00 Introduction
• 00:35 Why Part 500 Matters Beyond New York
• 01:48 The Evolution of Financial Cybersecurity Regulations
• 03:20 Understanding Part 500: Definitions and Amendments
• 08:44 The Importance of Multi-Factor Authentication
• 14:33 Navigating the Complexities of Cybersecurity Regulations
• 20:23 The Critical Role of Asset Management and Access Privileges 25:37 The Essentials of Application Security and Risk Assessment
• 31:11 Incident Response and Business Continuity Management
• 32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation

In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.

OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/

OWASP Top 10: https://owasp.org/www-project-top-ten/

Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32

Chapters

• 00:00 Introduction
• 01:11 Introducing OWASP: A Pillar in Cybersecurity
• 02:28 The Evolution of Web Vulnerabilities
• 05:01 Exploring Web Application Security Risks
• 07:46 Diving Deep into OWASP Top 10 Risks
• 09:28 1) Broken Access Control
• 14:09 2) Cryptographic Failures
• 18:40 3) Injection Attacks
• 23:57 4) Insecure Design
• 25:15 5) Security Misconfiguration
• 29:27 6) Vulnerable and Outdated Software Components
• 32:31 7) Identification and Authentication Failures
• 36:49 8) Software and Data Integrity Failures
• 38:46 9) Security Logging and Monitoring Practices
• 40:32 10) Server Side Request Forgery (SSRF)
• 42:15 Recap and Conclusion: Mastering Web Application Security

In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.

Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij

OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/

Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207

Chapters

• 00:00 Introduction
• 00:56 Understanding Vulnerability Management
• 02:15 How Bad Actors Exploit Vulnerabilities
• 04:26 Building a Comprehensive Vulnerability Management Program
• 08:10 Prioritizing and Remediation of Vulnerabilities
• 13:09 Optimizing the Patching Process
• 15:28 Measuring and Improving Vulnerability Management Effectiveness
• 18:28 Gamifying Vulnerability Management for Better Results
• 20:38 Securing Executive Buy-In for Enhanced Security
• 21:15 Conclusion and Further Resources

This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents.

Outline & References:

https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf

Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/

Chapters

• 00:00 Introduction
• 00:47 The Importance of Tabletop Exercises
• 01:53 The Benefits of Tabletop Exercises
• 03:06 How to Implement Tabletop Exercises
• 05:30 The Role of Tabletop Exercises in Compliance
• 08:24 The Participants in Tabletop Exercises
• 09:25 The Preparation for Tabletop Exercises
• 16:57 The Execution of Tabletop Exercises
• 21:58 Understanding Roles and Responsibilities in an Exercise
• 22:17 The Importance of a Hot Wash Up
• 23:36 Creating an After Action Report (AAR)
• 24:06 Implementing an Action Plan
• 24:34 Example Scenario: Network Administrator's Mistake
• 25:08 Formulating Targeted Questions for the Scenario
• 26:36 The Role of Innovation in Tabletop Exercises
• 27:11 The Connection Between Tabletop Exercises and Compliance
• 29:18 12 Key Steps to a Successful Exercise
• 30:43 The Importance of Realistic Scenarios
• 34:05 The Role of Communication in Crisis Management
• 37:33 The Impact of Cyber Attacks on Operations
• 39:57 The Importance of Tabletop Exercises and How to Get Started
• 40:35 Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity.

Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2

Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9

Chapters

• 00:00 Introduction
• 01:44 Discussion on Software Supply Chain Security
• 02:33 Insights into Secure Development Life Cycle
• 03:20 Understanding the Importance of Supplier Landscape
• 05:09 The Role of Security in Software Supply Chain
• 07:29 The Impact of Vulnerabilities in Software Supply Chain
• 09:06 The Importance of Secure Software Development Life Cycle
• 14:13 The Role of Frameworks and Standards in Software Supply Chain Security
• 17:39 Understanding the Importance of Business Continuity Plan
• 20:53 The Importance of Security in Agile Development
• 24:01 Understanding OWASP and Secure Coding
• 24:20 The Importance of API Security
• 24:50 The Concept of Shift Left in Software Development
• 25:20 The Role of Culture in Software Development
• 25:52 Exploring Different Source Code Types
• 26:19 The Rise of Low Code, No Code Platforms
• 28:53 The Potential Risks of Generative AI Source Code
• 34:24 Understanding Software Bill of Materials (SBOM)
• 41:07 The Challenge of Spotting Counterfeit Software
• 41:36 The Importance of Integrity Checks in Software Development
• 45:45 Closing Thoughts and the Importance of Cybersecurity Awareness

In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges.

Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/

Chapters

• 00:00 Introduction
• 00:22 Understanding Responsibility, Accountability, and Authority
• 01:20 The Role of Leadership in Cybersecurity
• 02:47 Exploring the Concepts of Responsibility, Authority, and Accountability
• 03:08 Applying Responsibility, Authority, and Accountability to the CISO Role
• 04:20 The Interplay of Responsibility, Authority, and Accountability
• 11:57 Understanding Power and Its Forms
• 12:43 The Impact of Power on Leadership and Influence
• 24:04 The Role of Connection Power in Today's Digital Age
• 24:40 Understanding Different Sources of Power
• 25:13 The Power of Networking and Connections
• 26:49 The Challenges of Being a CISO
• 29:19 Understanding the Value of Your Role
• 33:56 The Importance of Expert Power
• 37:46 The Consequences of Ignoring Maintenance
• 43:40 Aligning Responsibility, Accountability, and Authority
• 44:39 The Importance of Legal Protections for CISOs
• 45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability

In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection.

Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO

References:

• Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
• Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/
• Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994

Chapters

• 00:00 Introduction
• 00:43 Understanding Multi Factor Authentication
• 01:05 Exploring Different Levels of Authentication
• 03:30 The Risks of Multi Factor Authentication
• 03:51 The Importance of Password Management
• 04:27 Exploring the Use of Trusted Platform Module for Authentication
• 06:17 Understanding the Difference Between TPM and HSM
• 09:00 The Challenges of Implementing MFA in Enterprises
• 11:25 Exploring Real-World MFA Mishaps
• 15:30 The Risks of Overprivileged Test Systems
• 17:16 The Importance of Monitoring Non-Production Environments
• 19:02 Understanding Consent Phishing Scams
• 30:37 The Legal Implications of Biometric Data Collection
• 32:24 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Rick Howard, Chief Security Officer, Chief Analyst and Senior Fellow at CyberWire. Rick shares his insights on first principles in cybersecurity, discussing how these form the foundations of any cybersecurity strategy. He emphasizes the importance of understanding materiality and integrating the concept of time bound risk assessment to achieve a resilient cybersecurity environment. The episode also delves into the value of Fermi estimates and Bayes algorithm for risk calculation. Amid humor and personal anecdotes, Rick and Mark also reflect on their experiences during 9/11. Rick introduces his book, 'Cybersecurity First Principles', elucidating the rationale behind its conception.

Link to the Cybersecurity First Principles Book: https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/B0CBVSX2H2/?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2&linkId=1b3010fb678a109743f1fb564eb6d0fc&camp=1789&creative=9325

Transcripts: https://docs.google.com/document/d/1y8JPSzpmqDMd-1PZ-MWSqOuxgFTDVvre

Chapters

• 00:00 Introduction
• 02:00 Guest's Career Journey and Achievements
• 08:49 Discussion on Cybersecurity First Principles
• 15:27 Understanding Materiality in Cybersecurity
• 21:56 The Gap Between Security Teams and Business Leaders
• 22:21 The Importance of Speaking the Language of Business
• 23:03 The Art of the Elevator Pitch
• 24:04 The Impact of Cybersecurity on Business Value
• 25:10 The Importance of a Clear Cybersecurity Strategy
• 26:04 The Value of Business Fluency in Cybersecurity
• 27:44 The Role of Risk Calculation in Cybersecurity
• 29:41 The Power of Estimation in Risk Management
• 30:33 The Importance of Understanding Business Imperatives
• 41:25 The Role of Culture and Risk Appetite in Cybersecurity
• 45:39 The First Principle of Cybersecurity

In this episode of CISO Tradecraft, host G Mark Hardy is joined by guest Craig Barber, the Chief Information Security Officer at SugarCRM. They discuss the increasingly critical topic of cybersecurity apprenticeships and Craig shares his personal journey from technical network engineer to CISO. They delve into the benefits of apprenticeships for both the individual and the organization, drawing parallels with guilds and trade schools of the past and incorporating real-world examples. They also look at the potential challenges and pitfalls of such programs, providing insights for organizations considering creating an apprenticeship scheme. Lastly, they examine the key attributes of successful apprentices and how these contribute to building stronger, more diverse cybersecurity teams.

Craig Barber's Profile: https://www.linkedin.com/in/craig-barber/

Transcripts https://docs.google.com/document/d/1J8nrhYCMBSmc0kLBasskBoY2RLIwR7Vb

Chapters

• 00:00 Introduction
• 00:23 Understanding Cybersecurity Apprenticeships
• 02:43 The Role of Mentorship in Cybersecurity
• 04:09 The Benefits of Cybersecurity Apprenticeships
• 07:17 The Evolution of Apprenticeships in the Tech Industry
• 10:00 The Value of Apprenticeships in Building Loyalty
• 11:08 The Difference Between Internships and Apprenticeships
• 15:32 The Role of Apprenticeships in Addressing the Skills Shortage
• 19:15 The Challenges of Implementing Apprenticeships
• 26:28 The Future of Cybersecurity Apprenticeships
• 44:32 Conclusion: The Value of Cybersecurity Apprenticeships

This video introduces a newly proposed acronym in the world of cybersecurity known as the 'Cyber UPDATE'. The acronym breaks down into Unchanging, Perimeterizing, Distributing, Authenticating and Authorizing, Tracing, and Ephemeralizing. The video aims to explain each component of the acronym and its significance in enhancing cybersecurity. 

References:

1. https://www.watchguard.com/wgrd-news/blog/decrypting-cybersecurity-acronyms-0
2. https://computerhistory.org/profile/john-mccarthy/
3. https://owasp.org/www-community/Threat_Modeling_Process#stride
4. https://attack.mitre.org/att&ck 
5. https://d3fend.mitre.org/
6. https://fourcore.io/blogs/mitre-attack-mitre-defend-detection-engineering-threat-hunting  
7. https://cars.mclaren.com/us-en/legacy/mclaren-p1-gtr
8. https://csrc.nist.gov/glossary/term/confidentiality
9. https://csrc.nist.gov/glossary/term/integrity
10. https://csrc.nist.gov/glossary/term/availability
11. https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services
12. https://www.nytimes.com/2006/06/30/washington/va-laptop-is-recovered-its-data-intact.html
13. https://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/
14. https://apps.dtic.mil/sti/tr/pdf/ADA221814.pdf 

Transcripts https://docs.google.com/document/d/16upm5bKTsIkDo3s-mvUMlgkX1uqUKnUH

Chapters

• 00:00 Introduction
• 01:34 Cybersecurity Acronyms: Pre-1990s
• 02:26 STRIDE and DREAD Models
• 02:39 PICERL and MITRE Models
• 05:04 Defining Cybersecurity
• 07:52 CIA Triad and Its Importance
• 09:00 Confidentiality, Integrity, and Availability
• 11:52 The Parkerian Hexad
• 17:30 D.I.E. Triad Concept
• 24:28 Cybersecurity UPDATE
• 24:51 Unchanging
• 25:46 Perimeterizing
• 29:36 Distributing
• 29:50 Authenticating
• 33:58 Tracing
• 36:07 Ephemeralizing 

In this episode of CISO Tradecraft, host G Mark Hardy interviews JP Bourget about the security data pipeline and how modernizing SOC ingest can improve efficiency and outcomes. Featuring discussions on cybersecurity leadership, API integrations, and the role of AI and advanced model learning in future data lake architectures. They discuss how vendor policies can impact data accessibility. They also reflect on their shared Buffalo roots and because their professional journeys. Tune in for valuable insights from top cybersecurity experts.

Transcripts: https://docs.google.com/document/d/1evI2JTGg7S_Hjaf0sV-Nk_i0oiv8XNAr 

Chapters

• 00:00 Introduction
• 00:50 Guest's Background and Journey
• 05:27 Discussion on Security Data Pipeline
• 07:19 Introduction to SOAR
• 08:01 Benefits and Challenges of SOAR
• 12:40 Guest's Current Work and Company
• 14:04 Security Data Pipeline Modernization
• 22:20 Discussion on Vendor Integration
• 29:09 Security Pipeline Approach and AI
• 38:03 Closing Thoughts and Future Directions

In this episode of CISO Tradecraft, we debunk seven common lies pervasive in the cybersecurity industry. From the fallacy of achieving a complete inventory before moving onto other controls, the misconception about the accuracy of AppSec tools, to the fear of being viewed as a cost center - we delve deep into these misconceptions, elucidating their roots and impacts. We also discuss how ISO and FAIR, audits and certifications, risk assessments, and mandatory cyber incident reporting may not always be as straightforward as they seem. The episode is not only an eye-opener but also provides insightful guidance on how to navigate these misconceptions and enhance the effectiveness of your cybersecurity measures.

CloudGoat EC2 SSRF- https://rhinosecuritylabs.com/cloud-security/cloudgoat-aws-scenario-ec2_ssrf/

OWASP Benchmark - https://owasp.org/www-project-benchmark/

Transcripts - https://docs.google.com/document/d/1yZZ4TLlC2sRfwPV7bQmar7LY4xk2HcIo

Chapters

• 00:12 Introduction
• 00:56 The Lie of Accurate Inventory
• 05:29 The Lie of Accurate Risk Assessment
• 08:41 The Lie of Shifting Left in DevSecOps
• 13:45 The Lie of Certifications Ensuring Security
• 18:33 The Lie of Reporting Cyber Incidents in 72 Hours
• 20:44 The Lie of Accurate Application Security Tools
• 22:07 The Lie of Cybersecurity Not Being a Cost Center
• 24:44 Conclusion and Recap of Cybersecurity Lies 

Join G Mark Hardy in this episode of the CISO Tradecraft podcast where he details how cyber protects revenue. He clarifies how cybersecurity is seen as a cost center by most organizations, but stresses how it can become a protector of business profits. Concepts like Operational Resilience Framework (ORF) Version 2 by the Global Resilience Federation are discussed in depth. Hardy also outlines seven steps from ORF to operational resilience including implementing industry-recognized frameworks, understanding the organization's role in the ecosystem, defining viable service levels, and more. 

Link to the ORF - https://www.grf.org/orf

Transcripts - https://docs.google.com/document/d/1ckYj-UKDa-wlOVbalWvXOdEO4OYgjO0i

Chapters

• 00:12 Introduction
• 01:47 Introduction to Operational Resilience Framework
• 02:38 Understanding Resilience and Antifragility
• 03:32 Common Cybersecurity Attacks and How to Anticipate Them 06:22 Building Resilience in Cybersecurity
• 09:43 Operational Resilience Framework: Steps and Principles
• 17:50 Preserving Datasets and Implementing Recovery Processes
• 20:18 Evaluating and Testing Your Disaster Recovery Plan
• 21:11 Recap of Operational Resilience Framework Steps
• 22:04 CISO Tradecraft Services and Closing Remarks

Looking for accurate predictions on what 2024 holds for cybersecurity? Tune into our latest episode of CISO Tradecraft for intriguing insights and industry trends. Listen now and boost your cybersecurity knowledge!

Earn CPEs: https://www.cisotradecraft.com/isaca

Transcripts: https://docs.google.com/document/d/11YX2bjhIVThSNPF6yEKaNWECErxjWA-R

Chapters

• 00:00 Introduction
• 02:11 1) CISOs flock to buy private liability and D&O insurance. It also becomes the norm for CISO hiring agreements.
• 05:25 2) CISO reporting structure changes. No more reporting to the CIO.
• 11:43 3) More CISOs get implicated in lawsuits, but the lawsuits rule in favor of the CISO.
• 13:36 4) Harder to find cyber talent since universities are not graduating as many students. This plus inflation increases result in major spike in cyber salaries
• 16:59 5) Cyber industry minimizes external consulting costs to weather reduced revenues during recession
• 19:44 6) AI-generated fraud will increase significantly
• 22:15 7) Shadow AI will result in Hidden Vulnerabilities
• 24:24 8) LLM attacks new vector for "AI-enabled" companies
• 27:23 9) Cyber insurance exclusions will tend to normalize and will prescribe activities that must be done if payout to occur
• 31:44 10) Self-driving cars will encounter regulatory setback
• 34:02 Review of Last Year's Predictions
• 41:03 Actionable Items for the Future
• 41:29 Closing Remarks and Invitation for 2024

In the second half of the discussion about secure developer training programs, G Mark Hardy and Scott Russo delve deeper into how to engineer an effective cybersecurity course. They discuss the importance and impact of automation and shifting left, the customization needed for different programming languages and practices, and the role of gamification in engagement and learning. The conversation also touches upon anticipating secular trends, compliance with privacy and data protection regulations, different leaning styles and preferences, and effective strategies to enhance courses based on participant feedback. Scott highlights the lasting impacts and future implications of secure developer training, especially with the advent of generative AI in code generation.

ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca

Transcripts: https://docs.google.com/document/d/1zr09gVpJuZMUMmF9Y-Kc0DOy-1gH0cx-

Chapters

• 00:00 Introduction
• 01:08 Importance of Ongoing Support and Mentorship
• 01:46 The Role of Community in Training
• 03:03 Hands-on Exercises and Practical Experience
• 06:01 Success Stories and Testimonials
• 08:29 Incorporating Security Trends into Training
• 11:08 Balancing Security with Developer Productivity
• 18:17 Teaching Secure Coding Practices in Different Languages
• 20:27 Engaging and Motivating Participants
• 22:51 Promoting the Program: Engaging and Fun
• 23:37 Accommodating Different Learning Styles
• 24:16 Catering to Self-Paced Learners
• 26:19 Addressing Proficiency Levels and Remediation
• 28:55 Compliance with Privacy and Data Protection Regulations
• 30:48 Breaking Down Complex Security Concepts
• 32:05 Creating a Culture of Security Awareness
• 33:25 Partnerships and Collaborations in Secure Development
• 35:10 Feedback and Improvement of the Program
• 36:12 Cost Considerations for Secure Developer Training
• 39:20 Tracking Participants' Progress and Completion Rates
• 41:23 Trends in Secure Developer Training
• 43:42 Final Thoughts on Secure Developer Training

In this episode of CISO Tradecraft, host G Mark Hardy invites Scott Russo, a cybersecurity and engineering expert for a deep dive into the creation and maintenance of secure developer training programs. Scott discusses the importance of hands-on engaging training and the intersection of cybersecurity with teaching and mentorship. Scott shares his experiences building a secure developer training program, emphasizing the importance of gamification, tiered training, showmanship, and real-world examples to foster engagement and efficient learning. Note this episode will continue in with a part two in the next episode

ISACA Event (10 Jan 2024) With G Mark Hardy - https://www.cisotradecraft.com/isaca

Scott Russo - https://www.linkedin.com/in/scott-russo/

HBR Balanced Scorecard - https://hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2

Transcripts - https://docs.google.com/document/d/124IqIzBnG3tPj64O2mZeO-IDTx9wIIxJ

Youtube - https://youtu.be/NkrtTncAuBA 

Chapters

• 00:00 Introduction
• 03:00 Overview of Secure Developer Training Program
• 04:46 Motivation Behind Creating the Training Program
• 06:03 Objectives of the Secure Developer Training Program
• 07:45 Defining the Term 'Secure Developer'
• 14:49 Keeping the Training Program Current and Engaging
• 21:10 Real World Impact of the Training Program
• 21:46 Understanding the Cybersecurity Budget Argument
• 21:58 Incorporating Real World Examples into Training
• 22:26 Personal Experiences and Stories in Training
• 24:06 Industry Best Practices and Standards
• 24:18 Aligning with OWASP Top 10
• 25:53 Balancing OWASP Top 10 with Other Standards
• 26:12 The Importance of Good Stories in Training
• 26:32 Duration of the Training Program
• 28:37 Resources Required for the Training Program
• 32:23 Measuring the Effectiveness of the Training Program
• 36:07 Gamification and Certifications in Training
• 38:56 Tailoring Training to Different Levels of Experience
• 41:03 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G. Mark Hardy guides listeners on how to refresh their cybersecurity strategy. Starting with the essential assessments on the current state of your security, through to the creation of a comprehensive, one-page cyber plan. The discussion covers different approaches to upskilling the workforce, tools utilization, vulnerability management, relevant regulations, and selecting the best solution for your specific needs. The show also includes tips on building a roadmap, creating effective key performance indicators, and validation exercises or trap analysis to ensure the likelihood of success. At the end of the discussion, G. Mark Hardy invites listeners to reach out for any help needed for implementing these strategies.

Big Thanks to our Sponsors

• Risk3Sixty - https://risk3sixty.com/

ISACA Event (10 Jan 2024) With G Mark Hardy https://www.cisotradecraft.com/isaca

CIO Wisdom Book - https://a.co/d/bmmZEAC

Transcripts - https://docs.google.com/document/d/1_bHsRtaRdlRJ9e9XXVh3GU7k3MbBLcHs

Chapters

• 00:00 Introduction
• 02:21 Building a Tactical and Strategic Plan
• 02:58 Assessing Your Current Cybersecurity Posture
• 03:11 Workforce Assessment and Rating
• 06:31 Understanding Your Cybersecurity Tools
• 08:29 Performing a Business Requirements Analysis
• 10:13 Defining the Desired Future State
• 12:03 Creating a Gap Analysis
• 14:14 Analyzing Current Options and Building a Roadmap
• 17:11 Presenting the New Plan to Management
• 21:36 Recap and Conclusion

Discover the key to a more effective cybersecurity strategy in the newest episode of CISO Tradecraft! We're talking SOC tools, building a data lake for security, and more with guest Noam Brosh of Hunters. Don't miss it!

Big Thanks to our Sponsors

• Risk3Sixty - https://risk3sixty.com/
• Hunters - https://www.hunters.security/

Noam Brosh - https://www.linkedin.com/in/noam-brosh-5743938/

Transcripts: https://docs.google.com/document/d/1ArTixgEvRsVpLVdV2uVFAKCKSB2mBUKo

Youtube Link: https://youtu.be/ThEpI2_LpD8 

Chapters

• 00:00 Introduction and Welcome
• 01:20 Understanding the Role of SOC Tools
• 05:39 Challenges with Traditional SIEM Tools
• 08:48 The Shift to Data Lakes and the Impact on SIEMs
• 18:04 Understanding Different Cybersecurity Tools: SIEM, XDR, and SOC Platforms
• 19:25 The Role of Automation in Modern SOC Tools
• 26:01 The Importance of Third-Party Connection Tools in SOC Tools
• 27:27 Trends and Disruptions in the SIEM Space
• 28:09 Addressing False Positives in SOC Tools
• 31:14 Outsourcing Aspects of SOC and Staffing
• 36:28 Dealing with Multi-Cloud or Hybrid Cloud Environments
• 41:02 Reporting SOC Metrics to Executive Stakeholders

In this episode of CISO Tradecraft, G Mark Hardy and Hasan Eksi from CyberNow Labs continue the discussion about the vital skills needed for an effective incident responder within a Security Operations Center (SOC). The skills highlighted in this episode include: incident triage, incident response frameworks, communication, collaboration, documentation, memory analysis, incident containment and eradication, scripting and automation, cloud security, and crisis management.

Big Thanks to our Sponsors

• Risk3Sixty - https://risk3sixty.com/
• Adlumin - https://adlumin.com/

Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/

Transcripts: https://docs.google.com/document/d/1rWixzKgf_unanPlnoL6dt8qpEsbZj9lv

Chapters 

• 00:00 Introduction and Recap of the 10 Previous Skills
• 02:25 Skill #11) Incident Triage
• 04:21 Skill #12) Incident Response Frameworks
• 07:09 Skill #13) Communication
• 09:38 Skill #14) Collaboration
• 14:58 Skill #15) Documentation
• 19:35 Skill #16) Memory Analysis
• 22:36 Skill #17) Incident Containment and Eradication
• 25:31 Skill #18) Scripting and Automation
• 28:53 Skill #19) Cloud Security
• 31:10 Skill #20) Crisis Management
• 33:58 Recap of 20 SOC Skills and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy talks to Kevin O'Connor, the Director of Threat Research at Adlumin. They discuss the importance of comprehensive cybersecurity for Small to Medium-sized Businesses (SMBs), including law firms and mid-sized banks. The conversation explores the complexities of managing security infrastructures, the role of managed security service providers, and the usefulness of managed detection and response systems. The discussion also delves into the increasing threat of ransomware and the critical importance of managing data vulnerabilities and providing security awareness training.

Big Thanks to our Sponsor: Adlumin - https://adlumin.com/

Transcripts: https://docs.google.com/document/d/1V_qkMFdGC4NRLCG-80gcsiSA8ikT8SwP

Youtube: https://youtu.be/diCZfWWB3z8

Chapters

• 00:12 Introduction and Sponsor Message
• 01:42 Guest Introduction: Kevin O'Connor
• 02:29 Discussion on Cybersecurity Roles and Challenges
• 03:20 The Importance of Defense in Cybersecurity
• 04:23 The Role of Managed Security Services for SMBs
• 07:26 The Cost and Staffing Challenges of In-House SOCs
• 14:41 The Value of Managed Security Services for Legal Firms
• 16:30 The Threat Landscape for Small and Mid-Sized Banks
• 18:19 The Difference Between Compliance and Security
• 20:08 Understanding the Reality of Cybersecurity
• 20:45 The Challenges of Building IT Infrastructure
• 21:08 Outsourcing vs In-house Security Management
• 21:55 The Importance of Understanding Your Data
• 22:43 Security Operations Center vs Security Operations Platform
• 24:21 The Role of Managed Detection and Response
• 24:54 The Importance of Quick Response in Security
• 28:07 The Threat of Ransomware and Data Breaches
• 34:31 The Role of Pen Testing in Cybersecurity
• 36:33 The Growing Threat of Ransomware
• 38:28 The Importance of Security Awareness Training
• 40:42 The Role of Incident Response and Forensics
• 42:11 Final Thoughts on Cybersecurity

In this episode of CISO Tradecraft we have a detailed conversation with Hasan Eksi from CyberNow Labs. G Mark and Hasan discuss the top 20 skills required by incident responders, covering the first 10 in part 1 of this series. The discussion ranges from understanding cybersecurity fundamentals to incident detection, threat intelligence, and malware analysis. This episode aims to enhance listeners' understanding of incident response, its significance, the skills required, and strategies for effective training.

Big Thanks to our Sponsor

• Adlumin - https://adlumin.com/

Hasan Eksi's LinkedIn Profile: https://www.linkedin.com/in/eksihasan/

Transcripts: https://docs.google.com/document/d/1lE9Tz-um1II2aNX4JU-bQ-BND7fPNteE/

Chapters

• 00:00 Introduction
• 14:15 Skill 1) IT/Cyber Fundamentals
• 17:17 Skill 2) Incident Detection
• 18:34 Skill 3) Threat Intelligence
• 20:11 Skill 4) Cybersecurity Tools
• 24:12 Skill 5) Network Analysis
• 25:55 Skill 6) Endpoint Analysis
• 28:33 Skill 7) Log Analysis
• 32:41 Skill 8) Malware Analysis
• 35:20 Skill 9) Forensics
• 38:30 Skill 10) Vulnerability Assessment

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Amer Deeba, CEO and co-founder of Normalyze. They focus on the importance of data security in today's cloud-centric, multi-platform tech environment. Amer shares valuable insights on the need for a data security platform that offers a unified, holistic approach. The conversation also delves into the importance of understanding the value of your data, and how solutions such as Normalyze can accurately identify and classify sensitive data, measure its value, and mitigate risk of compromise. Ideal for CISOs and professionals navigating data security, this episode provides key recommendations for data visibility, security posture management, and response mechanisms, built around the principles of cybersecurity.

Big Thanks to our Sponsors

• Normalyze - https://normalyze.ai/
• Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts: https://docs.google.com/document/d/1_z20Y5Xvs7qv6K9D2TUvM3ufLYSmXbvs

Chapters

• 00:00 Introduction
• 02:46 Understanding Data Security
• 03:58 The Importance of Data Security
• 04:21 The Challenges of Data Security
• 08:26 The Role of Data Security Posture Management
• 10:31 The Value of Data and Compliance
• 13:58 The Importance of Real-Time Data Protection
• 15:31 The Role of Encryption in Data Security
• 17:19 Understanding the Risks of Data Breaches
• 18:45 The Importance of Holistic Data Security
• 36:26 The Role of Anomaly Checks in Data Security
• 37:48 Understanding Generational Data
• 40:38 Conclusion and Contact Information

On this episode we talk about the differences between Gamification and Game-Based Learning. We think you will enjoy hearing how Game-Based learning gets folks into the flow and creates novel training that resonates.  We also have a great discussion on how games can be applicable for Board Members and Techies.  You just need to get the right type of game for the right audience and let the magic happen.

Big Thanks to our Sponsors

• Haiku - https://www.haikuinc.io/
• Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts

• https://docs.google.com/document/d/1XmkMO7eJR3yAnXJPOCTaA5J9sakk639Q

Prefer to watch on YouTube?

• https://www.youtube.com/watch?v=45eViHH_ktA 

Chapters

• 00:00 Introduction
• 03:38 What is Game-Based Learning?
• 07:55 Training Board of Directors
• 10:18 Gamification vs Game-Based Learning
• 14:30 Do Your Duties
• 21:09 Delaware Fiduciary Duties
• 22:54 Building a Forge
• 26:11 Tailored Game Types
• 33:35 Teaching Girl Scouts Linux Commands
• 40:17 Retaining Your Best People

Learn the language of the board with Andrew Chrostowski. In this episode we discuss the 3 major risk categories of opportunity risk, cybersecurity risk and complex systems. We highlight intentional deficit and what to do about it. Finally, don't miss the part where we talk about the time for a digital strategy is past. What is needed today is a comprehensive strategy for a world of digital opportunities and existential cyber risks.

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/iso-27001-certification/

Transcripts https://docs.google.com/document/d/15PnB1gYwt7vj-wRE4ABuEWxvB-H96rp0

Chapters

• 00:00 Introduction
• 04:22 Communication is a Requirement
• 09:34 How does cyber create value?
• 11:30 Culture and Operational Excellence
• 16:51 How does growth strategy align with cyber?
• 22:30 Intention Deficit Disorder
• 26:48 Accountability Loops
• 28:39 What's the evolution for a digital strategy?
• 32:02 Sharpen your axe
• 36:40 Digital Directors Network & Qualified Technical Experts

On this episode we do a master class on cyber warfare. Learn the terminology. Learn the differences and similarities between kinetic and cyber warfare. There's a lot of interesting discussion, so check it out.

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts https://docs.google.com/document/d/1yJYoVs3pO4u_Zq8UC8YQmnYVGrsH93-H

Air Force Doctrine Publication 3-0 - Operations and Planning https://www.doctrine.af.mil/Portals/61/documents/AFDP_3-0/3-0-D15-OPS-Coercion-Continuum.pdf

Dykstra, J., Inglis, C., & Walcott, T. S. (Joint Forces Quarterly 99, October 2020) Differentiating Kinetic and Cyber Weapons to Improve Integrated Combat. https://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-99/jfq-99_116-123_Dykstra-Inglis-Walcott.pdf

Tallinn Manual 1.0 published April 2013; 2.0 in 2017 https://ccdcoe.org/research/tallinn-manual/

Version 3.0 under development; inputs solicited at https://ecv.microsoft.com/RRllEKKMJQ

https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war

Chapters

• 00:00 Introduction
• 01:57 Definition of Cyber War
• 04:18 Kinetic vs Cyber War
• 07:02 Goal of Offensive Cyber Operations
• 10:06 International Law Applied to Cyber Operations (Sovereignty & Necessity)
• 11:33 Diplomatic, Information, Military, & Economic (DIME)
• 12:57 Proportionality
• 14:04 Law of Distinction
• 15:56 Tallinn Manual
• 18:15 Stuxnet, Sony Pictures, NotPetya, and SolarWinds attacks
• 23:47 Ukraine Cyber War
• 28:21 Comparing old tanks to old mainframes
• 39:55 Winning a Cyber War

On this episode we discuss the measuring results cheat sheet from Justin Mecham.  Key focuses include:

• Defining SMART Goals (Specific, Measurable, Achievable, Relevant, & Time-Bound)
• Identifying KPIs (Key Performance Indicators)
• Using the WOOP Model (Wish, Outcome, Obstacle, and Plan)
• Using a Gap Analysis
• Using the 5 Why Method
• Using Plan, Do, Check, & Act.

Link to the Measuring Results Cheat Sheet
https://www.linkedin.com/posts/justinmecham_harvard-says-leaders-are-10x-more-likely-activity-7112050615576391681-Ro60/

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts https://docs.google.com/document/d/1Ok9cFBdubI6M4ubhcR0HZzmauHiU7fsN

Chapters

• 00:00 Introduction
• 03:34 SMART Goals (Specific, Measurable, Achievable, Relevant, and Time Bound)
• 07:29 Key Performance Indicators
• 09:36 WOOP Model (Wish, Outcome, Obstacle, and Plan)
• 09:59 Gap Analysis
• 12:36 Root Cause Analysis and the 5 Whys
• 14:09 Plan, Do, Check, and Act

On this episode we discuss the four key roles Boards play in cybersecurity.

1. Setting the company's vision and risk strategy
2. Reviewing assessment results
3. Evaluating management cyber risk stance
4. Approving risk management plans

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/

Chapters

• 00:00 Introduction
• 01:36 What is a Board of Directors and what do they do?
• 09:33 FFIEC requirements for Boards
• 16:51 Establishing an Information Security Culture
• 19:08 Vision and Risk Appetite
• 22:00 Reviewing Cyber Assessments
• 25:09 Are we secure?
• 32:44 Castle Walls and Attacks
• 33:37 Getting your budget requests approved
• 37:10 Using use or loose money and reserved funding

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/

Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L

Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/

Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS

Chapters

• 00:00 Introduction
• 06:02 The 4 Questions that allow you to measure twice cut once
• 09:29 How Data Flow Diagrams help teams
• 16:04 It's more than just looking at threats
• 19:23 Chasing the most fluid thing or the most worrisome thing
• 22:00 All models are wrong and some are useful
• 26:25 Actionable Remediation
• 31:05 LLMs and Threat Models

There's a lot of new cyber attacks occurring and today we are going to talk about them in more detail.  Many bad actors are using SMS spoofing and Social Engineering to get in.  Listen in an learn about how those attacks played out against the casino industry. You don't want to miss when we share what you can do to stop them.  Pro-tip: Good MFA is your friend.  Use it everywhere you can including on your employees and customers during phone calls.  

Big Thanks to our Sponsor

• Risk3Sixty - https://risk3sixty.com/whitepaper/

Mandiant Post - https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

Rachel Tobac Post - https://www.linkedin.com/feed/update/urn:li:activity:7108040643905474562 

Transcripts: https://docs.google.com/document/d/186g8y_8wMcBPwdaiFjduhRiXC88ice0T/

Chapters

• 00:00 Introduction
• 01:06 Improving the Attacker Odds at the Casino
• 04:09 SEC 8-K filings
• 13:28 MGM Timeline of attack
• 16:55 What can we do against these attacks?
• 22:51 Upgrading your MFA
• 24:16 Custom Authentication Strength
• 27:11 New Social Engineering Attacks
• 32:31 OKTA attacks

Have you ever thought about what does it mean to say there has been a material incident? How is materiality determined? What is the history of how that term has been defined by U.S. Regulators. Listen to today's show and increase your CISO Tradecraft

Big Thanks to our Sponsors

• Risk3Sixty - https://risk3sixty.com/whitepaper/
• CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at www.cprime.com/train and use code 'cprimepod' for 15% off training. Elevate your approach!

Transcripts https://docs.google.com/document/d/1h7IBZI27ZOg4nxec2fCBmrX0c-0O15Zr 

Link to FAIR-MAM

https://www.fairinstitute.org/resources/fair-mam

Chapters

• 00:00 Introduction
• 02:16 What is the concept of material?
• 07:08 Investors increasingly seek information
• 11:21 Title 17 of the US Code Part 242
• 17:38 Backup and Recovery that is Resilient and Geographically Diverse
• 22:10 The New SEC requirements
• 26:38 Reporting Cyber Incidents
• 31:40 FAIR-MAM

On this episode we overview the CIS Document titled, "The Cost of Cyber Defense". https://www.cisecurity.org/insights/white-papers/the-cost-of-cyber-defense-cis-controls-ig1

Big Thanks to our Sponsors

• Risk3Sixty - https://risk3sixty.com/whitepaper/
• CPRIME - For those valuing leadership, policy, and governance in tech risk and security, Cprime is here to help. Enhance your skills with our training and workshops, ensuring effective policy design and strategy alignment. As a tech coaching firm, Cprime offers classes for teams
  and executives on security analytics and risk management. Led by a Cprime expert, align expectations, prioritize, and map tools for robust governance across your tech portfolio. Upgrade risk management at Cprime.com/train and use code 'cprimepod' for 15% off
  training. Elevate your approach!

Transcripts https://docs.google.com/document/d/1TAltDwJxQg9MqVRNCCgwIJa1a3WKpep5---WVOUsdLE/ 

Chapters

• 00:00 Introduction
• 01:30 What are the CIS Critical Security Controls?
• 03:00 How have the CIS Critical Security Controls evolved over time?
• 05:30 What are the benefits of implementing the CIS Critical Security Controls?
• 07:30 The three crucial questions for implementing the CIS Critical Security Controls
• 10:30 How to prioritize the CIS Critical Security Controls
• 12:30 What are Implementation Groups?
• 13:37 Enterprise Profiles
• 14:00 Why are Implementation Groups important?
• 15:30 How to choose the right Implementation Group for your organization
• 19:46 Cost Breakdown
• 23:16 Thoughts on the CIS Study

In this episode of CISO Tradecraft, we delve into the evolving landscape of cybersecurity regulations. From data incident notifications to required contract language, we uncover common trends and compliance challenges. Learn how to prepare, adapt, and network within your industry to stay ahead. Tune in for insights and tips!

Thanks again to our Sponsors for supporting this episode:

• Risk3Sixty: Check out Risk3Sixty's weekly thought leadership webinars and downloadable resources at https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
• CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!

References

• AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
• Secure Controls Framework: https://securecontrolsframework.com/scf-download/

Transcripts https://docs.google.com/document/d/1RplLpZCMw8foLu9oqkZs1_A2aIbYk1Xo/

Chapters

• 00:00 Introduction
• 04:28 Meeting Cybersecurity Controls and Understanding Applicable Regulations
• 11:28 Ensuring Compliance with Laws and Regulations
• 15:42 Handling Regulatory Change: Mapping Controls & Tracking Requirements
• 22:02 Navigating Regulatory Changes and Ensuring Compliance

Here's a nice overview of cybersecurity on passwords, authentication, rainbow tables, and password managers. Enjoy the show and check out our other podcasts.

Special Thanks to our Sponsors:

• Risk3Sixty: Being able to clearly articulate your vision for your security program to the board and other executives within your firm is critical to obtaining the buy in you need for your program's success. Risk3Sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser
• CPrime: Today's "CISO Tradecraft" is sponsored by Cprime, offering advanced tech training for exceptional teams. Experience hands-on, lab-driven classes in just two days, enhancing your skills for immediate on-the-job impact. Discover our sought-after three-day Microsoft PowerBI training, empowering you to craft dashboards, integrate data, and perform swift statistical analysis. Visit Cprime.com/train, use code 'cprimepod' for 15% off, and elevate your expertise!

Transcripts: https://docs.google.com/document/d/1BD6LnITOpq6wrM2CsJzCHefN0Dw4hFp9 

Chapters

• 00:00 Introduction
• 02:02 Evaluating Password Management Solutions and Design-Making Approaches
• 05:36 Password Security and Authentication Methods
• 27:25 Background Sanitization, Password Storage, and Login Screen Risks
• 28:52 The Importance of Commercial Password Managers and Security Threats
• 31:27 Considerations for Choosing a Password Manager

Join us at the heart of Hacker Summer Camp for insights into the cybersecurity world! Discover the art of asking powerful questions that can change your career and impact others. Learn how CISOs assess cyber solutions and how startups can win their attention. Uncover the secrets of building connections and value through meaningful inquiries. Don't miss this episode featuring expert advice on navigating the cybersecurity landscape.

Special Thanks to our Sponsors:

• The Chertoff Group: https://www.chertoffgroup.com
• CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and
  zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!

Transcripts: https://docs.google.com/document/d/1qf9kH9a5rPlK8zaOWXGAp0-E6p7PNNuT/

Chapters

• 00:00 Introduction
• 01:49 How to Get More Sales at Blackhat
• 05:57 How to Differentiate Yourself From the Competition
• 10:05 How to Solve a Priority Problem
• 16:07 How to Achieve Bigger Goals Through Accelerating Teamwork
• 18:13 How to Find a CISO Job
• 20:30 How to follow a Rich Dad's Advice
• 22:59 How to Create an Opportunity Not Just for Yourself, but for Others
• 24:18 How to Create Value for Others
• 26:20 How to Provide Value to Others
• 28:21 The Power of Open-Ended Questions as a CISO
• 32:33 How to Ask Powerful Questions

On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company.

Special Thanks to our Sponsors:

• The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/
• Prelude: https://www.preludesecurity.com/
• CPrime: At work, bridging the gap between risk management, IT security, and departments like finance, product, and development can be daunting. Enter Cprime, specializing in harmonious integration through secure code training, DevSecOps implementation, and
  zero trust practices. We streamline, optimize, and drive innovation, empowering continuous security ops. Transform risk management at Cprime.com/train and use code 'cprimepod' for 15% off training. Unleash potential with us!

Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/

Chapters

• 00:00 Introduction
• 02:33 The SEC's Final Rule on Cybersecurity Disclosure
• 05:29 What is a Material Incident?
• 07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk
• 10:03 The Four Day Rule for Incident Reporting
• 12:46 The Implications of the New Role of the CISO
• 15:46 The Ticking Clock on Disclosure
• 18:31 SolarWinds and the Software Chain Security Exposure
• 19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges
• 21:29 The Rise of the SBOM
• 23:16 The Rise of Expectations in the U.S. Government
• 25:02 The Future of Software Security
• 27:22 The Progress of the CMMC Program
• 29:59 The SEC Disclosure Requirements: What to Expect From Your Board
• 31:57 How to Reduce Complexity in Your Software Development Lifecycle
• 34:05 How AI is Impacting Our Business and Cyber
• 37:32 How to Measure and Manage Cyber Risks Effectively
• 39:57 The SEC's Final Rule on Disclosure

Don't let Bobby the Intern cause havoc in your network. On this episode of CISO Tradecraft, G Mark Hardy discusses the importance of training new hires in cybersecurity to create a strong security culture within an organization. The focus is on shaping employees' behavior and beliefs to enhance the overall cybersecurity posture.

Special Thanks to our Two Sponsors:

1) The Chertoff Group: www.chertoffgroup.com

2) Prelude: https://www.preludesecurity.com/ 

Transcripts: https://docs.google.com/document/d/1Z4ftmqZdUMkxD6ATRRLp0EmO_DVluQ4n

Chapters

• 00:00 Introduction
• 03:57 How to Build a Security Culture
• 07:19 The Importance of a Good Username and Password
• 11:24 How to Use MFA to Protect Your Brand
• 12:50 How to Teach Your Employees About Phishing
• 17:07 How to Deal with External Email Addresses
• 20:30 How to Avoid a Business Email Compromise
• 22:42 How to Protect Your Website from Attackers
• 24:40 How to Secure Your Applications
• 26:46 The Importance of Threat Modeling
• 30:48 QR Codes and How to Use Them Effectively
• 32:34 Delaying Desktop Patches
• 34:36 How to Teach Your New Hires About Security
• 36:30 How to Orient Your New Employees

On this episode we bring on CIA Veteran James "Jim" Lawler to discuss how spies are recruited, how individuals are turned, and what makes them vulnerable to being turned. Learn what managers and executives can and should know about their people to help them better understand who's at risk and the types of programs that executives can put into place to stop insider threats.

Special Thanks to our Two Sponsors:

1) Prelude: https://www.preludesecurity.com/

2) Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. Learn more at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser

Be sure to read Jim's books

1) Living Lies: A Novel of the Iranian Nuclear Weapons Program https://amzn.to/3Y5x2Sc

2) In the Twinkling of an Eye: A Novel of Biological Terror and Espionage https://amzn.to/43EkvpE 

Chapters

• 00:00 Introduction
• 02:24 The Importance of Recruiting Insiders
• 08:06 How to Be a Successful Case Officer
• 11:09 The Importance of Identifying Vulnerabilities in Insider Threats
• 14:00 The Cockamamie Recruitment Pitch Scheme
• 18:50 The Importance of Rationality in Espionage
• 21:10 The Complex Motivations for Espionage
• 23:49 The Key to Stress in a Target Life
• 27:34 The Importance of Listening to Your People
• 30:02 How to Be a Good Leader
• 35:02 The Metaphysics of Recruitment
• 37:31 How to Firewall a Threat to Your Organization
• 41:00 Living Lies
• 44:49 How to Be a Better Writer
• 49:31 How to Be a Better Threat Manager

This week Rafeeq Rehman returns to discuss the 2023 updates to the CISO Mindmap. Note you can find his work here: https://rafeeqrehman.com/2023/03/25/ciso-mindmap-2023-what-do-infosec-professionals-really-do/

Thanks to our two sponsors for this episode.

1) Prelude: https://www.preludesecurity.com/

2) Risk3Sixty - Get a free copy of The Five CISO Archetypes eBook from risk3sixty. By reading this eBook, you will discover your strengths, weaknesses, areas where you need support from your team, and the types of organizations you best fit. The eBook also provides the tools to analyze organizations to understand their security priorities better. You will be able to use these tools to identify organizations that would most benefit from your natural strengths as a security leader. Organizations that you will love to work with and that would love to have you as part of their team. The steps outlined in this book will make you a more effective security leader and more satisfied with your career.

https://risk3sixty.com/whitepaper/five-ciso-archetypes-ebook/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

Transcripts: https://docs.google.com/document/d/1tFhZ6DdzwG12dYXvuVpaZdmfNWBVFswx 

Chapters

• 00:00 Introduction
• 03:36 How to Write a Book
• 05:32 How to Master a Security Tool
• 09:19 Updating the Mind Map for 2023 and 2024
• 13:12 How to Resiliently Respond to Ransomware Attacks
• 16:15 The Importance of Redundancy in Security
• 19:18 How to Manage Your Security Budget Effectively
• 22:43 Building a Brand for a Security Organization
• 26:10 Untangle the Application Web of Components
• 29:38 The Importance of Software Build of Materials
• 33:28 How to Automate Security Operations
• 36:31 The Six Importances of a Security Mind Map
• 38:43 The Future of Generative AI
• 40:47 The Future of CISO Tradecraft

Imagine if you could get 1% better every day at something and do this for an entire year. Well, that's 365 days. And you go, okay, fine. 1%. 1%. That's going to be like 3.65%, right? No, because it compounds. And if you go ahead and open up your calculator and you take 1.01 and you raise it to the 365th power you're going to get 37.78. On today's show we have Andy Ellis discuss ways to get 1% better as a leader.

Thanks to our two sponsors for this episode.

1) Prelude: https://www.preludesecurity.com/

2) Risk3Sixty - Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs. They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook 

1% Leadership Book: https://www.amazon.com/1-Leadership-Master-Improvements-Leaders-ebook/dp/B0B8YXJ2H1?&_encoding=UTF8&tag=cisotradecr05-20&linkCode=ur2&linkId=51e35f5bdcbe65e448e03d779143278c&camp=1789&creative=9325

Transcripts: https://docs.google.com/document/d/1Ul9N9cw579JMB_e7Vlk91_JpYxOBXQmx/

Chapters:

• 00:00 Introduction
• 02:09 Andy's career in cyber
• 04:04 The Butterfly Effect
• 06:06 How to Be 1% More Efficient at Cyber
• 09:01 The Importance of Uncloneability
• 10:57 The Importance of Personal Improvement in Leadership
• 14:21 The Importance of Commitment
• 16:10 The Importance of Feedback
• 20:23 Planning for a Sudden Change in Your Environment
• 26:51 How to Create Safety for Cyber Professionals
• 29:01 How to Face Adversity with Grace
• 30:36 The Importance of Culture in Email Security
• 32:11 The Importance of Delegation
• 33:55 Delegating vs Dumping
• 36:02 How to Reduce the Energy Cost of Inclusion
• 40:18 The Importance of Diversity in Organizations
• 42:07 Don't Borrow Evil
• 44:17 How to Build a Relationship with Business Leaders
• 46:49 How to Stop Hurting Your Team

Are you a Chief Information Security Officer (CISO) looking to share your knowledge and insights with the world? In this episode, we explore how CISOs can embark on their journey of writing their first book. Join us as we delve into valuable tips and advice, including learning from renowned author Bill Pollock, who has paved the way for aspiring CISO authors.

Risk3Sixty is cyber security technology and consulting firm that works with high-growth technology firms to help leaders build, manage and certify security, privacy, and compliance programs.  They publish weekly thought leadership, webinars, and downloadable resources like budget and assessment templates.

https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

Transcripts: https://docs.google.com/document/d/1uxNgxe7ad9VBfRLeRH4nWY6tSkI-Kexd

Chapters

• 00:00 Introduction
• 04:37 How No Starch Press was Founded
• 07:24 The Rise and Fall of the Hacking Underground
• 11:41 How to be a Successful Hacker
• 14:11 How to Edit a Book
• 16:38 How to Be a Good Writer
• 18:14 How to Write a Book Proposal
• 23:50 How to Overclock Your Computer
• 26:31 The Future of AI
• 28:15 The Value of a Author Book Publishing Agreement
• 33:39 How to Make Money Writing a Book
• 37:34 The No Starch Press Foundation and the Hacker Initiative
• 40:30 Hacker Initiative: A Public Charity for Cyber Security

One of the most important activities a CISO must perform is presenting high quality presentations to the Board of Directors.  Listen and learn from Demetrios Lazarikos (Laz) and G Mark Hardy as they discuss what CISOs are putting in their decks and how best to answer the board's questions. 

Special thanks to our sponsor Risk3Sixty for supporting this episode. Risk3sixty has created a presentation template that helps you structure your thoughts while telling a compelling story about where you want your security program to go. Download it today for free at: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

References

• RSAC ESAF Download: https://www.rsaconference.com/rsac-programs/executive-security-action-forum
• NACD 2023 Directors Handbook: https://www.nacdonline.org/insights/publications.cfm?ItemNumber=74777
• Blue Lava: https://bluelava.io/cybersecurity-board-reporting/

Transcripts: https://docs.google.com/document/d/1juM8MQUEtAZEDp1HpzkPdNw-D11O3ofq

Chapters

• 00:00 Introduction
• 05:17 The Importance of External Audits in Managing Risk
• 06:48 How to Help Your Business of Revenue Protection Reduce Risk
• 11:15 How to be a Successful CISO
• 12:52 How to Measure the Threat to Your Environment
• 15:04 How to Prepare for Cyber Threats and Incidents
• 18:49 The Importance of Understanding the Business's Critical Assets
• 22:28 OSINT and CSIRT.global Tools and Technologies
• 25:14 Building a Matrix of Good Intention, Bad Behavior, and Access Management
• 28:10 How to Create an Incident Response Plan
• 30:20 How to Keep Your Board of Directors Informed of Cybersecurity Incidents
• 31:50 How to Keep Track of the Latest Cyber Threats Coming Around the Corner
• 34:11 How to Achieve Cyber Insurance Coverage
• 37:06 Cyber Liability Insurance: A Necessary Component of Running Your Business in 2023
• 39:22 How to Measure the Effectiveness of a Company's Cybersecurity Program
• 40:54 The Importance of Business Alignment

A lot of times we focus on preventing ransomware, but we forget what we should do when we actually encounter it.  That's why we are bringing on Ricoh Danielson to talk about it.  Learn from him as he discusses tactics and techniques for businesses to follow then stuff hits the fan.

Special thanks to our sponsor Risk3Sixty for supporting this episode. https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=ebook

Ricoh Danielson - https://www.linkedin.com/in/ricoh-danielson-736a0715/

Transcript: https://docs.google.com/document/d/1R82dUBChC3URM6iaP3D7dds_2nh27DTs/

Chapters

• 00:00 Introduction
• 03:19 How to Help a Small Business Dig Out of Cybercrime
• 05:00 How to Negotiate with Your Cyber Insurance Company
• 08:58 How to Deal with a Threat Actor
• 12:57 The Importance of Treating Everything Equally
• 15:45 How to Use Microsoft Tools to Capture Information
• 17:25 How to Combat a Threat Actor with Microsoft Defender
• 22:41 Set up PGP Keys in Advance
• 25:26 How to Negotiate with an OFAC sanctioned organization
• 28:24 How to Deal with Ransomware
• 30:28 The Nature of Instant Response
• 32:25 How to Get Concurrency in your Organization
• 34:05 The Importance of a a Strong Relationship with a Client
• 37:34 The Importance of Breach Notifications
• 39:21 How to Hand Combat a Threat Actor

This episode features Lee Kushner discussing various topics, including negotiating skills, the importance of degrees in the cybersecurity field, the need for diversity in the industry, challenges faced by cybersecurity professionals, starting a career in cybersecurity, and the value of technical skills. The conversation emphasizes the need for individuals to acquire technical skills, such as coding and networking, as they are in high demand and can differentiate them in the job market. It also mentions the importance of understanding the industry and its composition when seeking employment in cybersecurity.

Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser

Transcripts: https://docs.google.com/document/d/11askuaFcV_jYov2FklkbZXxVN3JSNu6y/

Chapters

• 00:00 Introduction
• 07:56 The Importance of Professional First Mindset in the Staffing Industry
• 09:33 The Importance of Perception in a Staffing Environment
• 11:36 The Role of the Research Professional in a Hiring Process
• 16:03 How to Overcome Barriers in the Recruitment Process
• 18:09 The Importance of Education in Executive Search
• 20:41 The Importance of Diversity in Cyber Talent
• 25:25 How to Get a Job in Cyber Security
• 27:48 The Importance of a Technical Foundation in Careers
• 32:08 How to Become a Cybersecurity Professional
• 34:06 The Future of Cybersecurity Career Paths
• 35:56 The Future of Security
• 41:24 How to Get in Touch With Your Clients

On this episode we bring in Cyndi and Ron Gula from Gula Tech (https://www.gula.tech/) to talk about their cyber security experiences. Listen and enjoy as they tell their stories about leaving the NSA, creating the first commercial network Intrusion Detection System (IDS), Founding Tenable Network Security, and investing in multiple cybersecurity startups.

Special thanks to our sponsor Risk3Sixty for supporting this episode. Be sure to check their weekly thought leadership, webinars, and downloadable resources like budget and assessment templates at: https://risk3sixty.com/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=sponser

Transcripts: https://docs.google.com/document/d/1zdJwzJUXHBLlQvOGYWtWVQqmxFzmAe5Z 

Chapters

• 00:00 Introduction
• 02:30 The Importance of Computer Security
• 04:46 The Career Path to the National Security Agency
• 07:39 The Importance of Compatibility
• 10:40 How to Get Your First Customer Off the Ground
• 14:28 How to Make your First Hire as a Beginning Entrepreneur
• 16:10 The Transition to Network Security Wizards
• 18:35 The Origins of Tenable
• 21:38 How to to Survive Contact with the Enemy
• 24:45 The Importance of Culture in the Military
• 29:31 Gula Tech Adventures
• 33:24 The Future of Venture Investing
• 36:13 Secrets of Working Together as Spouses
• 39:33 The Future of Venture Capital
• 42:21 Google Tech Adventures: How to Learn Startups

How do we frame an executive discussion so we can structure and present information in a way that effectively engages and aligns with the needs and interests of the executive audience?  On this episode we answer that question by discussing the 8 important elements of framing a discussion with executives:

1. Clearly define the objective
2. Start with the big picture
3. Identify key issues
4. Highlight impacts and benefits
5. Use visually compelling data and metrics
6. Be able to anticipate questions and concerns
7. Provide actionable recommendations
8. Seek alignment with existing perspectives of the organization

Special thanks to our sponsor Risk3Sixty for supporting this episode.  Be sure to check their Security Budget & Business Case Template: https://risk3sixty.com/whitepaper/security-budget-template/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=budget

Full Transcripts: https://docs.google.com/document/d/1vhLmqEAy-yQ01ZY1y8Nf7y-u_swTYCm8

Chapters

• 00:00 Introduction
• 02:42 How should we frame an executive discussion?
• 05:30 Start with the Bottom Line Up Front (BLUF)
• 07:11 1) Clearly Define the Objective
• 08:13 2) Start with the Big Picture
• 09:46 3) Identify Key Issues
• 10:47 4) Highlight Impact and Benefits
• 12:17 5) Use Visually Compelling Data and Metrics
• 13:07 6) Be able to Anticipate Questions and Concerns
• 15:06 7) Provide Actionable Recommendations
• 17:35 8) Seek Alignment with Existing Perspectives of the Organization

Learn how to unlock financial success with key strategies by Logan Jackson from Ray Capital Advisors.  Logan highlights how to set clear goals, choose the right asset class, diversify your portfolio for stability and growth, build a well-diversified investment portfolio to create wealth and mitigate risk, take control of your financial future through retirement planning and goal setting, & leverage tax loss harvesting. He also discusses how to prioritize tax planning, understand the impact of behavioral finance, seek professional money management, navigate conflicts of interest in financial planning, and discover hidden wealth advisors for personalized guidance.

Special thanks to our sponsor Risk3Sixty for supporting this episode.  Be sure to check their Security Program Maturity Presentation for CISOs: https://risk3sixty.com/whitepaper/security-program-maturity-presentation-template-for-cisos/?utm_source=cisotradecraft&utm_medium=podcast&utm_campaign=2023-ct&utm_term=1week&utm_content=template

Also if you would like to contact Logan Jackson please use his contact page at: https://www.raycapitaladvisors.com/ 

Full Transcripts: https://docs.google.com/document/d/1DLXnE5PTm4tDbONRSBarMa-1T8aduztf

Chapters

• 00:00 Introduction
• 02:37 The Importance of Financial Goal Setting
• 06:48 How to Choose the Right Asset Class for Your Family
• 11:17 How to Diversify Your Portfolio
• 12:56 How to Build a Diversified Investment Portfolio
• 15:22 How to Diversify a Portfolio and Build Wealth
• 19:48 How to Take Risk Off the Table
• 22:47 The Importance of Diversifying Your Portfolio
• 24:13 The Importance of Retirement Planning
• 28:56 The Importance of Goal Setting
• 30:35 The Importance of Tax Planning
• 33:10 How to Maximize Your Tax Implications in Taxable Investment Accounts
• 35:20 How to Use Tax Loss Harvesting to Avoid Tax Losses
• 39:51 The Importance of Behavioral Finance in Investing
• 43:39 The Importance of Professional Money Management
• 45:55 The Conflicts of Interest in Financial Planning
• 47:50 How to Find a Hidden Wealth Advisor

Are you looking for ways to protect your most valuable asset? In this episode, G Mark Hardy argues that our most valuable asset is our family, not the crown jewels or critical assets of a corporation. He emphasizes the importance of managing money, having an emergency fund, obtaining life insurance, building retirement savings, protecting against credit card fraud, and creating a plan for your children's digital life.  

Special thanks to our sponsor Risk3Sixty for supporting this episode. You can learn more about them from the Risk3Sixty Website: https://tinyurl.com/yc4xv7bj

Full Transcript:  https://docs.google.com/document/d/1vVASHmOV7n7Js0luDF1kWBF3qoytDnTy

Chapters

• 00:00 Introduction
• 02:01 How to Manage Your Money
• 05:54 The Millionaire Next Door
• 10:28 How to Diversity your Investments
• 12:35 The Importance of Paying Yourself First
• 15:41 How to Buy Paper I Bonds for Yourself
• 17:39 How to Choose the Right Life Insurance for You
• 21:28 The Cost of Life Insurance
• 23:12 The Importance of Retirement Savings
• 26:51 How to Optimize Your Retirement Income
• 28:47 How to Protect Yourself From Credit Card Fraud
• 30:40 How to Manage Your Credit
• 33:34 How to Avoid a Data Breach
• 35:44 How to Manage Your Passwords Effectively
• 37:36 How to Protect Your Children from the Risks of Online Content
• 41:23 How to Get Out of Dodge Quickly

In this episode of "CISO Tradecraft," G. Mark Hardy defines the role of a CISO and discusses the Top 10 responsibilities of a Chief Information Security Officer

Full Transcript: https://docs.google.com/document/d/1J_sCMkqEeIB7pUY4KmjCiS1sz7t6LX2F

Chapters

• 00:00 Introduction
• 01:25 Defining the Role of the CISO
• 04:43 1) Developing and implementing a cybersecurity strategy
• 07:27 2) Overseeing the organization's cybersecurity key programs and initiatives
• 08:20 3) Ensuring that the organization's cybersecurity policies and procedures are up-to-date and in compliance
• 10:44 4) Collaborating with other departments and teams
• 12:06 5) Developing and implementing a cybersecurity budget
• 14:21 6) Maintaining a high level of awareness about emerging cybersecurity threats, vulnerabilities, and technologies
• 15:29 7) Building and maintaining relationships with external partners and networking groups
• 18:07 8) Providing education, guidance, and support to the organization's employees
• 21:34 9) Leading and managing a team of cybersecurity professionals
• 24:10 10) Conducting regular risk assessments

In this episode of CISO Tradecraft, G Mark Hardy and guest Kevin Fiscus discuss the challenges of cybersecurity and the importance of prioritizing security decisions. Fiscus emphasizes the need for effective protective controls and detection measures, as well as the limitations of protective controls and the importance of detection. He suggests a "Detection Oriented Security Architecture" (DOSA) that includes high-fidelity, low-noise detection, automated response, and continuous monitoring. Fiscus also discusses the concept of cyber deception and proposes a new approach to cybersecurity that involves redirecting attackers to a decoy environment.

Kevin Fiscus: https://www.linkedin.com/in/kevinbfiscus/

Full Transcripts: https://docs.google.com/document/d/1zIph4r5u8UtuhsMSmIyi90bCtV52xnHv

Chapters

• 00:00 Introduction
• 04:55 The Average Time to Identify Bad Actors is 28-207 days
• 07:11 Why Protective Controls Don't Always Work
• 08:32 Protective Controls Create Resistance
• 10:34 The Cost of Detecting Bad Guys on Your Network
• 12:40 The Effects of Resistance on Protective Controls
• 15:56 The Problem with False Positive Alerts
• 20:08 How to Define Bad Guy Activity with 100% Accuracy
• 22:09 The Four Components of Security
• 24:14 Four Components of Detection Oriented Security Architecture (DOSA)
• 26:17 Differentiating between Monitoring & Alerting
• 27:13 High Fidelity and Low Fidelity Alerts 
• 33:06 Setting a Squelch for Radios
• 31:37 How to Deal with False Negatives
• 33:56 The Importance of Non Production Resources in Detection
• 37:56 How to Use Cyber Trapping to Deceive an Attacker
• 42:54 The Role of Environment Variability in Deception
• 47:08 Blowing Sunshine at Attackers

Have you heard about the latest trends in Generative Artificial Intelligence (GAI)? Listen to this episode of CISO Tradecraft to learn from Konstantinos Sgantzos and G Mark Hardy as they talk about the potential risks of GAI and how it generates new content.

Show Notes with Links: https://docs.google.com/document/d/10eCg3L00GgnHmze14g_JUkBbfHEdGZ8HW0eAGMk4PPE

Chapters

• 00:00 Introduction
• 01:37 The Future of Generative Artificial Intelligence (GAI)
• 06:08 The Implications of Hallucination in Generative AI
• 09:06 Hallucination Trivia Test for Large Language Models
• 10:48 The Consequences of Using Generative AI Models
• 12:39 The Importance of Education in Cybersecurity
• 14:45 The Future of Generative AI
• 16:17 The Importance of Understanding Large Language Models
• 19:47 The Differences Between Eliza and Machine Learning
• 24:26 How to Armorize Generative AI
• 29:39 The Future of Programming
• 31:23 The Future of Machines
• 33:53 The Future of Technology
• 37:52 The Future of CISOs
• 40:25 The Future of Generative AI

Are you worried about cyber threats and data breaches? Do you want to build a strong cybersecurity program to protect your organization? Look no further! In this episode of CISO Tradecraft, G Mark Hardy and Debbie Gordon discuss the three dimensions of an effective Information Security Management System: Policy, Practice, and Proof. G Mark emphasizes the importance of having a proper cybersecurity policy that references information security controls or outcome-driven statements. However, it's not enough to have policies on paper; organizations need to practice what's on paper to be prepared for cyber events. This is where ranges come in. Ranges are a full replica of an enterprise network with real tools, traffic, and malware. They allow teams to practice detecting and responding to attacks in a safe environment. Debbie Gordon, founder of Cloud Range, explains how ranges can help organizations accelerate experience and reduce risk in cybersecurity. She emphasizes the importance of educating an organization's user base to become the first and last lines of defense against cyber threats. By training non-technical executives to spot suspicious activity and bring it to the attention of the security team, organizations can minimize the damage caused by phishing attacks, ransomware, and other cyber threats. Gordon also highlights the importance of team training in cybersecurity because it's not just about individual skills, but also about how teams work together to respond to threats. By practicing together in a range environment, organizations can improve their processes, handoffs, and speed in detecting and responding to attacks.

Special thanks to our sponsor Cloud Range Cyber for supporting this episode.

Website: www.cloudrangecyber.com

Email: [email protected]

Full Transcripts: https://docs.google.com/document/d/1yWenwauzfAiQYafFW0Iew33vbzvlO2BO

Chapters

• 00:00 Polished Security Programs need Policy, Practice, and Proof
• 00:54 Policy
• 02:47 Practice
• 03:44 Proof
• 04:28 How to Apply the Concepts of Ranges to Help Organizations
• 06:05 The importance of Experiential Learning
• 07:48 The Importance of following Procedures
• 12:12 The Benefits of Team Training for Cyber Ranges
• 15:33 The Importance of Muscle Memory
• 20:22 How to Maximize Your Investment in Cybersecurity (KPIs & Measurable Results)
• 24:33 The Advantages of using the MITRE ATT&CK® Framework
• 27:41 The Advantages of Following ISO Standards
• 31:36 How to Improve your Cloud Range Exercises
• 33:22 How to use Cognitive Aptitude Assessments for Workforce Development
• 37:44 How to level the Playing field for Cyber Talent
• 39:39 The Importance of Degrees in Cyber Security
• 41:03 Making the CISO's job easier

Are you concerned about the security of your data? If so, you're in luck, because we have an incredible episode that has Brent Deterding discuss how to implement simple, easy, and cheap cybersecurity measures. 

One of the key takeaways from the episode is the importance of understanding, managing, and mitigating the risk of critical data being exposed, altered, or denied. Brent Deterding shares his top four tips for CISOs, which include implementing multi-factor authentication, device posture management, endpoint detection and response, and external patching. He emphasizes the importance of keeping things simple, easy, and cheap.

Overall, the episode emphasizes the importance of taking a proactive approach to cybersecurity and being prepared for potential cyber threats. Brett Dietrich shares his approach to reducing risk for his company when negotiating with underwriters.  Remember significant risk reduction is simple, easy, and cheap, so don't wait to implement these tools and strategies.

10 Immutable Laws of Security: https://learn.microsoft.com/en-us/security/zero-trust/ten-laws-of-security

Transcripts: https://docs.google.com/document/d/1eP7F8pD3kcrbja2sfSwSKGnJ-ADHviUt

Chapters:

• 00:00 Introduction
• 02:05 How to Protect Your Organization's Critical Data
• 01:43 Scenario of Protecting a Small Company
• 08:01 The 10 Immutable Laws of Security
• 14:26 Tips for CISOs
• 15:30 Simple, Easy, & Cheap is a Technology State
• 19:00 How Much Do You Care About Phishing Problems?
• 20:46 How to a be successful at RSA?
• 26:00 How to Enable the Business without Reducing Friction?
• 28:37 How to Adopt the Australian Essential 8
• 31:06 Team Platform vs Best of Bread
• 33:00 Those with a fear of vendor lock-in are retired
• 36:36 How to Save Money on Cyber Insurance
• 38:27 How to implement the Four Hills Strategy (MFA, EDR, Device Posture Management, & Patch Management)
• 40:57 How to Negotiate Effectively With Insurance Companies
• 42:48: Getting Material Risk Reduction is Simple, Easy, and Cheap

In this episode of "CISO Tradecraft," G Mark Hardy discusses how to build an effective cyber strategy that executives will appreciate. He breaks down the four questions (Who, What, Why, and How) that need to be answered to create a successful strategy and emphasizes the importance of understanding how the company makes money and what critical business processes and IT systems support the mission. Later in the episode, Branden Newman shares his career path to becoming a CISO and his approach to building an effective cyber strategy. Newman stresses the importance of communication skills and the ability to influence people as the most critical skills for a CISO. He also shares his advice on how to effectively influence executives as a CISO.

Full Transcripts - https://docs.google.com/document/d/1nFxpOxVl6spkK-Y8GLU5q2f6R_4VD-a2

Chapters:

• 00:00 Introduction
• 01:06 The Four Questions (Who, What, Why, and How)
• 08:11 Building an accepted cyber strategy
• 09:19 Importance of communication skills for a CISO
• 10:19 Understanding financial statements
• 12:47 Following the money
• 14:09 Reputation and cybersecurity
• 15:24 Getting executive buy-in into cybersecurity
• 15:57 Building Trust with Executives
• 16:45 Security Enables New Elements of Business
• 17:13 Why Cybersecurity Gets Ignored
• 20:07 Framing Cybersecurity as a Competitive Advantage
• 21:19 Mistakes CISOs Make When Communicating with Executives
• 22:54 Telling Stories to Communicate with Executives
• 24:09 Using Business Cases and Examples
• 27:28 The Importance of Listening to the Executives
• 29:31 Making Informed Risk-Based Decisions
• 30:54 Building Trust and Champions
• 32:55 Building a Network of Trust
• 35:13 Being Pragmatic

Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in.

Analysis of Competing Hypothesis https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf

Christopher Crowley's Company https://montance.com/ 

Full Transcripts: https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr

Chapters

• 00:00 Introduction
• 02:30 The Morris Worm and the Internet
• 04:17 The Future of Cybersecurity
• 06:41 How to setup a shared drive for multitasking
• 10:26 The Evolution of Career Paths
• 12:02 The Importance of Methodology in Problem Solving
• 14:16 The Importance of Hypothesis in Cybersecurity
• 19:58 MITRE ATT&CK® Framework: A Two Dimensional Array
• 21:54 The Importance of a Foregone Conclusion Methodology
• 23:29 The Disruptor's Role in Hypothesis Brainstorming
• 25:18 The Importance of Resilience in Leadership
• 27:45 Methodologies and Threat Hunting
• 29:21 The Importance of Information Bias in Threat Hunting
• 34:31 How to Sort Hypothesis in a Spreadsheet
• 37:22 The Importance of Refining the Matrix
• 40:34 How to Automate Analysis of Competing Hypothesis

Have you ever wanted to get a legal perspective on cybersecurity?  On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others.  He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general council.  Please enjoy. 

Full Transcripts: 
https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh

Chapters

• 00:00 Introductions
• 01:52 The Attorney Client Privilege
• 04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
• 06:30 CISO Disclaimer
• 09:23 Security Is a Component of Government Contracts
• 11:59 What are the Borders Between Information Security and Legal Risk
• 15:31 Cyber Security - Is there a Standard of Care?
• 18:11 Do you have a Reasonable Best Effort?
• 21:27 CMMC 2.0
• 26:22 Is your Privacy Policy going to expire?
• 28:30 What is Reasonable Assurance?
• 33:41 Advice for Partnering with the General Counsel

Have you ever wondered how to negotiate your best CISO compensation package?  On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages.  Examples include but are not limited to: - Base Salary,

• Bonuses (Annual, Relocation, & Hiring)
• Reserve Stock Units
• Annual Leave
• Title (VP or SVP)
• Directors & Officers Insurance
• Accelerated Vesting Clauses
• Severance Agreements

You can learn more about CISO compensations by Googling any of the following compensation surveys

• Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
• Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
• IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...

Full Transcripts: https://docs.google.com/document/d/1e...

Chapters:

• 00:00 Introduction
• 01:58 What's the Difference?
• 06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
• 11:44 Is there a signing bonus?
• 13:56 What's the difference between RSUs & Options?
• 18:52 Private Companies - What's the Value of the Offer?
• 22:04 Double Triggers in Private Companies
• 26:38 Should you counter an offer?
• 28:17 Corporate Liability Insurance
• 29:50 Do you want to be extended on the Director and Officer Insurance Policy?
• 32:56 How to negotiate a severance agreement
• 36:00 Compensation Survey Reports

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in.  Sometimes ethical stances are clear and you know you are doing what’s right.  Others are blurry, messy, and really weigh on your mind.  So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Case where Joe Sullivan the Former Chief Security Officer of Uber was convicted of federal charges for covering up a data breach.  Thanks to Stephen Northcutt for coming on today's show.

Full Transcript https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9

Chapters

• 00:00 Introduction
• 01:49 How to Make a Difference in Cybersecurity
• 03:34 Hackers and the Pursuit of Higher Principles
• 06:06 Is There a Use Case in Cybersecurity
• 10:56 Human Capital is the Most Important Asset That Any Organization Has
• 14:00 The Human Frailty Factor
• 18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
• 20:24 Do you have a Diversity of Experience
• 24:11 Getting Your EXO to Talk to Power and say you are wrong
• 27:40 CISOs and CISOs - Is this a Criminal Thing?
• 30:15 The Penalty of Crossing the Law
• 34:56 Pay the Ransom?
• 36:59 The Key to Resilience as a CISO

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.

Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/

Gal's Twitter Page - https://twitter.com/Shpantzer

Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/

Chapters

• 00:00 Introduction
• 02:00 How do you Architect Big Data Data Infrastructure
• 03:33 Are you taking a look at Ransomware?
• 06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
• 08:11 Data Engineering - The Mindset Shift
• 10:51 The Iron Triangle of Data Engineering
• 13:55 Can I Outsource My Logging Pipeline to a Vendor
• 15:37 Kafka & Flink - Data Engineering in the Pipeline
• 18:12 Streaming Analytics & Kafka
• 22:08 How to Enable Data Science Analytics with Streaming Analytics
• 26:33 Streaming Analytics
• 30:25 Data Engineering - Is there a Security Log
• 32:30 Streaming Analytics is a Weird Thing
• 35:50 How to Get a Handle on a Big Data Pipeline
• 39:11 Data Engineering Hacks for Big Data Analytics

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues?  Today we are going to overcome that by talking about what good governance looks like.  We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO.  We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.

Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/
Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li

Chapters

• 00:00 Introduction
• 03:10 Good Governances is a Good Thing, Right?
• 05:08 Cyber Strategy & Framework
• 06:43 Is NIST the Same as ISO?
• 08:40 How to Convince the Executive Leadership Team to Buy In
• 11:19 The CEO's Challenge is Taking Measured Risk
• 20:05 Is there a Cybersecurity Policy
• 22:32 Culture eats Policy for Lunch
• 24:14 The Role of the CISO
• 27:52 How do you Convince the Leadership Team that you need extra resources
• 29:51 How do you Measure Cybersecurity?
• 32:22 How do we communicate Risk Findings to Senior Management
• 36:07 Are you Aligning with the Audit Committee

In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.

Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/

Michael Krausz Website: https://i-s-c.co.at/

Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv 

Chapters

• 00:00 Introduction
• 04:01 Is there a Gap Analysis in ISO 27001?
• 08:05 Is there a Requirement for ISO Standards?
• 10:57 What is ISO 27001?
• 13:11 Is there a Parallel Development between the US and EU?
• 16:57 Do you want to be a trooper?
• 21:17 What's the Oldest Operating System?
• 23:09 Is there a Legacy Operating Systems that you can't get away with?
• 24:11 The Most Important Class for a CISO
• 26:33 The Secrets of a Successful CISO
• 29:30 CISO - I need 6 people period
• 33:40 What's the Primary Skill Needed in a CISO?
• 37:41 How to Maximize the Number of FTEs

How can cyber best help the sales organization?  It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.

Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/

Chapters

• 00:00 Introduction
• 02:58 How did you marry those two cultures?
• 06:40 Building a Diverse Workforce
• 08:23 Is this a new role based on Pain Points?
• 10:27 Global Lead for Field Cyber Security
• 15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
• 19:07 Is there a Global Lead for Field Cybersecurity?
• 24:46 Building Relationships in a Security Leadership Role
• 27:48 Do you have any lessons learned from your success at Global Management Consulting?
• 29:33 You need to schedule time to get things done
• 33:33 What about Due Diligence?
• 37:36 The Chief Technology Officer, CRO, & CTO

Did you ever wonder how much security you can implement with a single vendor?  We did and were surprised by how much you can do using the Australian Top Eight as a template.  We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts:

https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ

Helpful Links

1. Essential 8 https://www.microsoft.com/en-au/business/topic/security/essential-eight
2. Blocking Macros https://ite8.com.au/the-essential-8/office-macros-explained/ 
3. Windows Defender Application Control or WDAC (available from Windows 10 or Server 2016 or newer) previously Windows had App Locker (Windows 7 / 8)
   • https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
   • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
4. Windows Group Policies
   • https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
   • https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains 
   • https://data.iana.org/TLD/tlds-alpha-by-domain.txt 
   • Software Restriction Policies http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
   • Blocking websites URL - only allow (.com, .org, .net, edu, .gov, .mil, and the countries you want).   
   • Locking down Active Directory https://attack.stealthbits.com/tag/active-directory 
5. File Service Resource Management
   • http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
6. Enable MFA for RDP
   • https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access  
   • https://duo.com/docs/rdp
7. Enable MFA for SSH
   • https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
   • https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux 
8. Windows Controlled Folder Access
   • https://support.microsoft.com/en-us/topic/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363
9. Use Windows File History to create backups to one drive.
   • https://www.ubackup.com/windows-10/file-history-backup-to-onedrive-4348.html
10. Storing your files to One Drive which has ransomware detection
    • https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
11. Windows Update
    • Select Start > Settings > Windows Update > Advanced options. Under Active hours, choose to update manually or automatically in Windows 11. 
    • https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde 
12. Microsoft Conditional Policies- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common 
13. Microsoft Authenticator with Number Matching, Geo, & Additional Context
    • https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context 
    • https://websetnet.net/microsoft-rolls-out-new-microsoft-authenticator-features-for-enterprise-users/
14. Application Approve List- https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.  

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb

Chapters:

• 00:00 Introduction
• 02:51 Source Code Analyzers
• 04:22 The three bears of Static Analysis
• 06:01 Do Linters work Better?
• 08:00 The Value of Full Programming Analysis Tools over Linters
• 11:30 The Impact of a Developer's Analysis on a Developer Environment
• 13:05 SAST Testing
• 15:47 OWASP Benchmarking
• 19:13 The First Static Analysis Tools
• 20:53 Can you break up that worry about Automated Testing?
• 22:44 Using Static Analysis for Defect Discovery
• 24:18 Using Static Analysis to Improve Web Security
• 31:37 Using Static Analysis to Drive Cloud Security
• 33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
• 34:55 Using Static Analysis to Build a Vulnerability Management Practice
• 37:35 Can you use Static Analysis to Find Insider Threat?

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.

Special thanks to our sponsor Praetorian for supporting this episode.

Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj

Chapters:

• 00:00 Introduction
• 04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
• 07:48 What's the Difference between a CTO and a CIO?
• 10:24 What attracted you to the problem space?
• 12:53 Is the Attack Surface really exposed?
• 16:12 Shadow IT - The Unknown Unknowns that could Bite You
• 19:56 Is there a Shadow IT problem?
• 23:24 How to get management on board with Shadow IT?
• 26:38 Building an Attack Surface Management Program
• 29:57 You Get What You Measure, Right?
• 33:27 Do I Have Vulnerable Assets?
• 39:24 Attack Surface Management
  

Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes?  Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes.  So sit back, relax, and enjoy CISO Tradecraft.

Show Notes with Pictures & References:

https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Full Transcript:
https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023?  Listen to the episode to learn more about:

1. Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
2. Convergence of Security Tools
3. Collaboration Technology
4. Evolution of the Endpoint (Chromebooks or Browser Isolation)
5. Chatbots
6. Vague and unclear cyber laws
7. CISO liability increases
8. Umbrella IT general controls mapping
9. Companies will be less truthful during 3rd party questionnaires
10. Cyber defense will become more difficult because of people

Be sure to also check out G Mark Hardy's annual ISACA talk at
http://isaca-cmc.org/ 

Link to full transcripts of the podcast can be found here:
https://docs.google.com/document/d/1RkrtkuunBn-qaU-Y9HvgHJzAKoIIszcW/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Success leaves clues, but sometimes we limit ourselves by only looking close by for them.  This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice.  Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader.  Some of the essential skills we discuss on this episode of CISO Tradecraft are:

• Be a leader
• Manage money and resources
• Differentiate yourself and your message
• Communicate with clarity and emphasis
• Delegate and hold subordinates accountable
• Build a personal network
• Mentor your team
• Be adaptable
• Be sensitive to cultural and political issues
• Watch the details and ensure your management makes informed risk-based decisions &
• Know your limitations

We thank our sponsor Nucleus Security for supporting this episode

Full Transcript: https://docs.google.com/document/d/1C357cX_4wKTRmhRUsGh_2d9vIMX5LspL/

Show links:

  https://www.smallbusiness.wa.gov.au/starting-and-growing/essential-business-skills

  https://cisotradecraft.podbean.com/e/108-budgeting-for-cisos-with-nick-vigier/

  https://nativeintelligence.com/

  https://github.com/cisotradecraft/Podcast#business-management--leadership

  https://www.ef.com/wwen/blog/efacademyblog/skills-for-success/

  https://www.criticalthinking.org/pages/defining-critical-thinking/766

  https://your.yale.edu/learn-and-grow-what-adaptability-workplace

  https://openai.com/blog/chatgpt/

  https://openai.com/dall-e-2/

There's a lot of things you need to know as a CISO, but one of the things least taught is budgeting best practices.  On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic.  His conversations focus on spends vs investments.  Remember spends = overhead, whereas investments = growth.  Here's a great point.

[10:00] There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or things that I like to think about is the business has a limited appetite for risk management, but they have infinite appetite for profits and making money. 

So if you're able to frame them as how they're actually going to help accelerate the business or improve the business that brings the CEO and the CFO along on the journey, that you're not just there to lock the doors, you might actually be there to help put another floor on the building and that's a very different conversation.

We also thank our sponsor Nucleus Security for supporting this episode.

Full Transcript: https://docs.google.com/document/d/1nURiml3BJFnszFRA8qov1CgO_VkDFaCY

Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management.  We also thank our sponsor Nucleus Security for supporting this episode.

Consistently tracking and prioritizing vulnerabilities is a difficult problem.  This episode talks about it in detail and helps you increase your understanding in:

• Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so many
• How CVSS base scores are actually calculated so you can understand its strengths and weaknesses
• How Threat Intelligence Data improves CVSS scoring
  • Knowing which vulnerabilities are being actively exploited by bad actors through the CISA Known Exploited Vulnerabilities Catalog
  • Knowing with vulnerabilities are being exploited in your industry or organization
  • Knowing how the Exploit Prediction Scoring System (EPSS) can predict which vulnerabilities will be exploited soon
    
• Learning about the Stakeholder-Specific Vulnerability Categorization Guide (SSVC)

Note a Full Transcript of this podcast can be found here:

https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/

Are You Ready To Win Your First CISO role? Apply these techniques into your resume and interview process so both recruiters and hiring managers will offer you the job.  This show focuses on:

1. Highlighting the Different Types of CISO Roles
2. Showing how to progress from a Senior Director Role into a Fortune 100 CISO
3. Resume Tricks and Tips that get you noticed by recruiters
4. How to have a great interview with a recruiter
5. What Hiring Managers want to see from CISOs during their interviews

Please note the full show transcript can be found here
https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn

Would you like to hear a master class on what Technology professionals need to know about startups?  On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists.  Listen and learn more about:

• What should a technology professional know about venture capital and dealing with venture capitalists?
• What is the role of marketing?
• What do engineers get wrong with helping businesses create profitable growth?
• What is the value of a product?

Subscribe to the CISO Tradecraft LinkedIn Page

Special Thanks to our podcast sponsor, Cymulate. 

On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:

1. Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
2. The level of vulnerabilities today is 30x what it was 10 years ago.  We have more IT infrastructure, complexity, and developers in our current environment.
3. In the pursuit of digital innovation, we are changing our IT infrastructure by the hour.  For Example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.  

Breach and Attack Simulation tooling address these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management.  This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized.  Key benefits of adopting Breach and Attack Simulation software include:

• Managing organizational cyber-risk end to end
• Rationalizing security spend
• Prioritizing mitigations based on validated risks
• Protecting against the latest threats in near real-time
• Preventing environmental drift

Welcome back listeners and thank you for continuing your education in CISO Tradecraft.  Today we are excited to share with you a great episode focused on Breach and Attack Simulation software.  To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.

Starting from the beginning.  What is Breach and Attack Simulation software and why is this needed?  At the end of the day most companies are not on an island.  They need to connect to clients, partners, and vendors.  They need the ability for employees to visit websites.  They need to host public facing websites to sell products and services.  Each of these activities result in creating organizational assets such as IT equipment that has internet connectivity.  Now internet connectivity isn’t a bad thing.  Remember internet connectivity allows companies to generate income which allows the organization to exist.  This income goes to funding expenses like the cyber organization so that is a good thing.  

If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization.  So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk.  Now sometimes you will hear the terms Cyber Asset Attack Surface Management or (CAASM).  It’s also commonly referred to as continuous threat exposure management.  Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources.  Essentially they are designed to address key questions such as: 

• How do we get an inventory of what we have?
• How do we know our vulnerabilities? and 
• How do we know which vulnerabilities might be exploited by threat actors?  

Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software.  Note Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique.  Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises.  Essentially you learn how bad actors can bypass your cyber tooling and safeguards.  This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform.  Example if I can take a normal user's laptop and spawn a Powershell Script or run a tool like MimiKatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity.  I also want to know if the Incident Response team blocked or disabled this account in a timely manner.  According to the 2022 Microsoft Digital Defense Report the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes.  The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes.  Remember the difference to responding to these attacks in minutes vs hours can be the difference between how much files get encrypted when ransomware actors get into your environment.  

Another thing that CISOs need to ensure is that vulnerabilities get fixed.  How do you test that?  You have to replay the attack.  

You can think of fire drills as the comparison.  If an organization only did one fire drill every 24 months, then chances are the company’s time to exit the building isn’t going to decrease all that much.  It’s likely to stay the same.  Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion.  The good thing on Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button.  This can save your penetration testing team hours over manual exploitation activities which would have to be repeated to confirm successful patches and mitigations.

If we look at Breach and Attack Simulation software the tools have typically come in two flavors.  One is an agent based approach.  Example.  A company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Protection software.  The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool.  The attack agent could also run similar attacks with how much malware the Antivirus detects, how much sensitive email it send outside the company despite there being an email protection solution.  These attack agents can also be placed on servers to determine how effective web applications firewalls are at stopping attacks.

Essentially having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools.  Now there’s a few concerns with this type of approach.  One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower.  Two, the time it takes to install and test agents means the value you can get out of these tools is delayed because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed.  Three, by having an agent you don’t always truly simulate what an attacker would do since you don't have to live off the land and gain permissions the attacker did.  Your agent may not be know to antivirus or EDR tools, but using windows libraries to gain access does. 

Now let’s compare this with an agentless approach.  This approach is quite popular since labs where agents are run don’t always look like a production environment.  Example they lack the amount of traffic, don’t possess the same amount of production data, or contain last month’s versions of software.  

Here attacker software may start with the premise what happens if someone from the Accounting Team opens an Excel document containing a malicious macro.  Let’s see how we can automate an attack after that initial compromise step occurs.  Then let’s walk through every attack identified by the Mitre Attack Framework and see what gets caught and what doesn’t.  The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness.  This might be something simple like adding a Windows Group Policy to stop an attack.  Also breach and attack simulation tools can provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred.  Example: Instead of knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk Signature that your SOC team can leverage.  That’s a great add to minimize the amount of time to improve your alerting capabilities.  

Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack.  It might be as simple as we stopped this attack before it could happen by applying the new Windows Group Policy or it took the team 4 hours to determine XYZ account had been taken over.  These metrics allow you to know how well your Response plans work.  So you get the value of a penetration test with the automation & scaling of vulnerability management tools.  

What’s even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.  

Example: Most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively.  Generally this is a manual process done in the Governance Risk and Compliance (GRC) team within a cyber organization.  GRC teams have to ask developers to provide evidence to various IT controls such as are you monitoring and alerting to privilege activity.  Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and these tools actually stopped various MITRE attacks immediately.  That evidence would minimize the data call which takes time from the developer teams. 

Have you ever just met someone that was so interesting that you just sat and gave them your full attention?  On this episode of CISO Tradecraft, we have Bill Cheswick come on the show.  Bill talks about his 50 years in computing.  From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses.  He was also the first person to co-author a book on Internet Security.  So listen in and enjoy.

Also special thanks to our sponsor, Obsidian Security.  You can learn more about them at: https://www.obsidiansecurity.com/sspm/

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well.)  Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work.  Today we're going to give you a template for creating a personal development plan you can use with your team.  I also want to introduce you to a booklet that I keep on my desk.  It was written in 1899.  Do you have any idea what it might be?  Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own.

Let's take a moment to hear from today's sponsor Obsidian Security.

Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves.  But success shouldn't be a secret.  As Tony Robbins said, "success leaves clues."  One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship.  But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen.  Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.

Let's start with what is a mentor - the dictionary definition is "an experienced and trusted adviser."  My definition is it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé.  Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids.  You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.

Let's talk about the who, what, when, why, and how of being a mentor.  The WHO part is someone with experience and wisdom willing to share insights.  Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom should you meet and why.

The WHEN portion of mentoring is usually a condition of the type of relationship.  A traditional one-on-one mentor relationship may be established formally or informally.  We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor.  I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly.  Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth.  [Irish whiskey story]

The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance.  Mentoring is not like doing the dishes where anyone can do a competent job.  It requires empathy, communication skills, wisdom, and time commitment.  I'm at the point in my life and career where I actively try to help others who are not as old as I am.  Many times, that's appreciated, but some people seem to prefer to make all of their own mistakes and resist the effort.  Oh, well.  As my Latin teacher used to say, "suum quique" -- to each their own.

Finally, the HOW.  Mentors should prioritize their sessions by preparing in advance and setting aside time without interruptions.  Establish an agenda based upon specific requirements -- not just what the protégé wants but what the mentor believes he needs.  Martina Bretous published an article on HubSpot where she points out ten ways to be an amazing mentor:

1. Understand what you want out of the relationship.
2. Set expectations together in the very beginning.
3. Take a genuine interest in your mentee as a person.
4. Build trust.
5. Know when to give advice.
6. Don’t assume anything about your mentee – ask.
7. Share your journey.
8. Celebrate their achievements.
9. Seek out resources to help your mentee grow.
10. Be sure you have the bandwidth.

In summary, if you want to be a mentor and seek out the right people in whom to invest your time, here's a short checklist.  Look for protégés with a strong work ethic -- people who have built a reputation of delivering on time on budget.  Select only those people of the proper character -- you don't want to be teaching a sociopath how to take over the organization.  And you'll find you work better with others who share similar values.  If you value hard work, honesty, humility, and perseverance, look for those characteristics, or at least the potential to develop those characteristics, in your potential mentee.  We all know how hard it is to change ourselves.  Think about how much harder it is to change someone else.  In the end, you're just showing the way and it's up to the other person to take the appropriate actions, but you want to build a winning record of successful mentorships -- it doesn't help your own career if you're viewed as the incubator of failure.

As listeners of this show, you are likely in a position to be a mentor.  But that doesn't mean you can't benefit from having a mentor yourself.  Let's look at the who, what, when, why, and how of being a protégé.  The WHO is someone who can gain insight from a relationship with someone farther along in a given path.  Mentees may be assigned a mentor relationship, or they may seek out that relationship on their own.  Both are valid paths, and even if a formal program exists it's often up to the mentee to select from available mentors.  It doesn't always work the other way around [Navy mentor story.]

The WHAT is the reason for participating in this type of relationship.  Usually, it's to gain insight into career and professional goals, but as I mentioned earlier, it can be about most anything where you could learn from someone who's not in the role of a teacher or supervisor.

WHEN should you seek the advice of a mentor?  Well, there's probably never a time NOT to seek advice, but if you're heads-down in a long project that you enjoy or find yourself in a position where you're content and soon winding down your career, then I suppose you're fine going it alone.  Otherwise, after you've been in a position for a year or so and you've figured out your current role and how you fit in, that might be a suitable time to start looking for a mentor.

I think the WHY is obvious, but let's address it.  No one knows everything, but someone usually knows what you need.  Seeking a mentor is a rational way of gaining insights that can help move your career along.

And HOW do you become a protégé?  You need to a-s-k to g-e-t.  Potential mentors are usually busy people -- they don't go looking for more things to add to an already overwhelming calendar.  That said, the saying "if you want something done, give it to a busy person" is often true, because busy people are in the business of making things happen.  If your organization offers a mentorship program, jump at the opportunity.  Just make sure that the person with whom you are paired has the time, the expertise, and the interest to help you in your career.

When searching for a mentor, remember that you should have a clear goal in mind.  "Hey, I need a mentor" isn't very specific, and the Mr. Rodger's "won't you be my mentor?" isn't very compelling.  Rather, start with a specific objective.  For example, it could be, "how do I become fully qualified to become a first-line manager?" or "what does this organization look for when selecting a C-level executive?"  Once you have your goal, you can start your search, but remember that you need to stay professional.  You're not seeking a drinking buddy -- a mentor rarely is a peer (although technically I have heard of peer-to-peer mentoring, but that runs the risk of the parable of the two blind men who both fall into a ditch.)  You want someone with relevant knowledge and experience.  And ideally first develop a working relationship before you pop the question.  A busy mentor will feel more comfortable working with a known quantity than being left to wonder if this person represents a reputational risk.

Let's turn our conversation now to sponsors.

Executive coach May Busch recommends forming a career board of directors to advance your career.  She points out that you need both mentors and sponsors -- sponsors are those in your organization with sufficient clout to put you into key assignments and can advocate behind closed doors for your career advancement.  Wow -- sounds great; where do I sign up?  The issue is that you typically can't recruit sponsors; they come looking for you.  Like a mentee, a "sponsee" represents potential risk to sponsors -- they are putting their own credibility with peers on the line by advocating for you.  If you crash and burn, you both lose.

Like any sales effort, you shouldn't put all of your eggs in a single basket, so if you want to identify a potential sponsor, look for a couple of candidates.  Now, where you work there may be exactly one person who controls the vertical and the horizontal, but in most matrixed organizations, there is a range of opportunities to find advocacy.  Find out who is senior enough to influence the decisions that can affect your career and also whether they are "in on things" to ensure that recommendations move you in the right direction.  There are people who continue to serve past their key roles -- often called "emeritus" as an honorary title, but they probably aren't keeping up with the details.  Look for someone who is still actively "in the game."  And, like finding a mentor, you must identify a natural link between their business interests and your interests.  Now, the intersection of all these criteria might yield exactly zero people, and if so, it's up to you to figure out your own way forward.  But if you do identify potential sponsors, you need to attract their attention.  But how?

Your potential sponsors need to see you in action.  Find ways to deliver executive presentations where they are present or participate in working groups and let the quality of your work differentiate you from peers.  Circulate innovative ideas that represent a step forward for your organization.  The result of these efforts should be to get you noticed.  Note also that you can do this for members of your team.  You may want to sponsor them for bigger and better things but don't have the organizational capital to make it happen on your own initiative.  By placing your best people in front of these more powerful decision-makers, you can facilitate their sponsorship when one of them decides this person should be going places.

Now, it's not just about performance.  During COVID, most of us got comfortable working in bunny slippers from home, but that's not going to differentiate you to a potential sponsor.  If you want to convince executives that you're C-level material, then you need to consistently look the part.  Check your appearance.  Do you look like the other executives in your organization?  I spent 30 years in the military, so part of that "look" was proper grooming, a pressed neat uniform, and being physically fit.  I remember my last semiannual physical fitness test -- I scored 295 out of 300 points and the young Sailor taking scores remarked, "not bad for an old man."  But looking the part is important if you are going to be present yourself as a leader.  [story at CNL -- overweight memorandum.]  Now, I suppose if you work in a dot com startup and the founders all wear t-shirts and jeans every day, then wearing a three-piece suit is not going to help.  But find a way to align with the organization's senior leadership culture so that you don't look like an outsider, which translates into risk.

Make sure your office space isn't full of junk and clutter and your home background on Zoom calls looks like a professional office space (or at least blur out the background.)  Better yet, use a corporate-logo themed background which says, "I'm on the team."

Okay, so let's say you've done all this and are now looking like you just came out of casting for The West Wing and you're sufficiently visible to senior executives.  Beyond looking the part, you need to act the part.  Sit up straight in meetings; don't fiddle with your phone when executives are in the room, no matter how boring the conversation may be at that moment.  I remember back in 2000 when I was working at a startup, our CEO nearly lost our biggest client because she couldn't put down her Blackberry when we were briefing the client's head of security.  He was a retired Navy captain and remarked to me privately (as a fellow Navy officer) how offended he was that this person couldn't be bothered to put down that phone for half an hour and focus on the conversation.  Better yet?  There is a superpower that few people have but you could master if you're a phone addict -- leave your phone on your desk when you go to a meeting.  That's right -- separate yourself from your "life support unit."  Now, in some circumstances you feel you need it because, "what if they ask who's available for a meeting next week and I don't have my calendar?"  Bring your laptop or tablet instead, and only consult it when you're asked something that needs looking up to answer.  Remember, even a CEO doesn't get a pass on distractions when your biggest client is in the room.

In addition to looking the part and acting the part, you need to deliver.  Make sure your work is exceptional and error-free.  At the Pentagon we had a term -- "finished staff work."  It means that what you turn in is correct, complete, and free of grammatical or typographical errors EVERY TIME.  That's a tough discipline.  I was a computer science and mathematics major at Northwestern, and there was nothing I wanted to avoid more than an English composition or writing class -- after all, I was going to be a technologist.  Years later when I joined the staff of Booz|Allen, I saw the importance of mastering a professional writing style.  As a consultant, you live or die by the pen -- how well you write proposals and deliverables.  As I became more senior in both my civilian as well as my military career, I kept improving that ability to write well.  

A small but powerful book you should own and master is Strunk and White's The Elements of Style.  It's the most succinct summary of writing rules I've read -- think of it as a syntax guide to the English language.  Granted, some of these conventions are considered quaint or even obsolete -- the Oxford comma and two spaces after a sentence, but I still write that way.  There's no reason if you can write a program that will compile (or if you're a Python programmer, not throw a Syntax Error) that you cannot write English with the same consistency.

May Busch points out that there are four mistakes you can make that will ruin your attempts to attract a sponsor.  One, which seems obvious, is that you're perceived as lacking potential.  Note I said "perceived."  I think all of us have slightly inflated expectations of ourselves -- that's called a healthy ego, but let's face it:  some people are rightly classified as low potential, high achievers -- they work really hard to achieve mediocre results.  "But I do consistently outstanding work at my current job!"  Okay, I'll give you that.  But remember -- we're talking about getting a sponsor for the NEXT job, and if you're not virtue signaling that you can perform at the next level, then a wise boss is likely to leave you where you are -- delivering consistently outstanding work.  Remember my four-phase career model:  technical, management, leadership, political?  You can often move easily within one of those phases without sponsorship, but to get to the next level usually requires something or someone external to yourself.

The second disqualifier is to be seen as "selectively motivated," meaning you only put forth full effort at the last minute.  It's somewhat of a synonym for a procrastinator -- many of us know there's nothing like the last minute to make sure things get done.  Sure, there are important things that are urgent, but if your MO is to goof off until just before a deadline and then rush out a finished product, that calls into question your long-term reliability for more responsible assignments.

The third disqualifier is lack of self-confidence.  If you present yourself as hesitant and uncertain, you do not inspire confidence.  "Do you think, umm, maybe we might possibly consider doing this?" is not as reassuring as, "Here's what we're going to do."  I'm not advocating for arrogancy here; but if you secretly worry about imposter syndrome or a belief that you're not as good as others perceive you to be, then that's likely to leak out in your words and actions and cause potential sponsors to pause.

The fourth way you can discourage a potential sponsor is to be inappropriate.  You say and do the wrong things at the wrong time to the wrong people.  You put your feet up on the conference table or make inappropriate or even offensive jokes when no one was looking for that type of input.  Walking up a senior executive and saying, "won't you be my sponsor?" is another example.  It's fine for Mr. Rodgers to ask, "won't you be my neighbor?" but as you know by now, you have to become the one who attracts attention, not demands it.

One of the best ways to help others move forward is to show them an example of what represents success.  I mentioned earlier the booklet that sits on my desk -- have you figured out what it might be?  It's "A Message to Garcia" written by Elbert Hubbard, the founder of the Roycrofters in East Aurora NY.  Hubbard was a writer, publisher, artist, and philosopher, who wrote that he sat down and penned this essay after dinner in under an hour.  What started as article in his magazine grew rapidly.  After receiving requests for a thousand copies of that issue, he inquired as to the reason.  "It's the stuff about Garcia."  The New York Central Railroad reprinted over one million copies in booklet form.  The Director of Russian Railways was in New York, was so impressed that when he returned to Moscow, ensured a translated copy was given to every railroad employee in Russia.  Every Russian soldier in the Russo-Japanese war had a copy, and when the Japanese officials noted Russian prisoners of war all carried it, they concluded it must be a good thing, translated it into their language and gave copies to every employee of the Japanese government.  By December 1913, over forty million copies of A Message to Garcia had been printed.  Tragically, Hubbard died on the 7th of May 1915 as a passenger onboard RMS Lusitania, which was torpedoed by a German U-boat.  I have a number of his publications, but this is the one that I reread the most.  It's not that long -- less than fifteen hundred words, and if you haven't heard it before, you should, and if you have heard it before and you're like me, you'll want to hear it again.  Remember, the context is 1899.  Here is…

A Message to Garcia By Elbert Hubbard

In all this Cuban business there is one man stands out on the horizon of my memory like Mars at perihelion. When war broke out between Spain and the United States, it was very necessary to communicate quickly with the leader of the Insurgents. Garcia was somewhere in the mountain vastness of Cuba- no one knew where. No mail nor telegraph message could reach him. The President must secure his cooperation, and quickly.

What to do!

Some one said to the President, "There’s a fellow by the name of Rowan will find Garcia for you, if anybody can."

Rowan was sent for and given a letter to be delivered to Garcia. How "the fellow by the name of Rowan" took the letter, sealed it up in an oil-skin pouch, strapped it over his heart, in four days landed by night off the coast of Cuba from an open boat, disappeared into the jungle, and in three weeks came out on the other side of the Island, having traversed a hostile country on foot, and delivered his letter to Garcia, are things I have no special desire now to tell in detail. The point I wish to make is this: McKinley gave Rowan a letter to be delivered to Garcia; Rowan took the letter and did not ask, "Where is he at?" By the Eternal! there is a man whose form should be cast in deathless bronze and the statue placed in every college of the land. It is not book-learning young men need, nor instruction about this and that, but a stiffening of the vertebrae which will cause them to be loyal to a trust, to act promptly, concentrate their energies: do the thing- "Carry a message to Garcia!" General Garcia is dead now, but there are other Garcias.

No man, who has endeavored to carry out an enterprise where many hands were needed, but has been well nigh appalled at times by the imbecility of the average man- the inability or unwillingness to concentrate on a thing and do it. Slip-shod assistance, foolish inattention, dowdy indifference, and half-hearted work seem the rule; and no man succeeds, unless by hook or crook, or threat, he forces or bribes other men to assist him; or mayhap, God in His goodness performs a miracle, and sends him an Angel of Light for an assistant. You, reader, put this matter to a test: You are sitting now in your office- six clerks are within call. Summon any one and make this request: "Please look in the encyclopedia and make a brief memorandum for me concerning the life of Correggio". Will the clerk quietly say, "Yes, sir," and go do the task?

On your life, he will not. He will look at you out of a fishy eye and ask one or more of the following questions: 

 Who was he?

 Which encyclopedia?

 Where is the encyclopedia?

 Was I hired for that?

 Don’t you mean Bismarck?

 What’s the matter with Charlie doing it?

 Is he dead?

 Is there any hurry?

 Shan’t I bring you the book and let you look it up yourself?

 What do you want to know for?

And I will lay you ten to one that after you have answered the questions, and explained how to find the information, and why you want it, the clerk will go off and get one of the other clerks to help him try to find Garcia- and then come back and tell you there is no such man. Of course I may lose my bet, but according to the Law of Average, I will not.

Now if you are wise you will not bother to explain to your "assistant" that Correggio is indexed under the C’s, not in the K’s, but you will smile sweetly and say, "Never mind," and go look it up yourself.

And this incapacity for independent action, this moral stupidity, this infirmity of the will, this unwillingness to cheerfully catch hold and lift, are the things that put pure Socialism so far into the future. If men will not act for themselves, what will they do when the benefit of their effort is for all? A first-mate with knotted club seems necessary; and the dread of getting "the bounce" Saturday night, holds many a worker to his place. Advertise for a stenographer, and nine out of ten who apply, can neither spell nor punctuate- and do not think it necessary to.

Can such a one write a letter to Garcia?

"You see that bookkeeper," said the foreman to me in a large factory.

"Yes, what about him?"

"Well he’s a fine accountant, but if I’d send him up town on an errand, he might accomplish the errand all right, and on the other hand, might stop at four saloons on the way, and when he got to Main Street, would forget what he had been sent for."

Can such a man be entrusted to carry a message to Garcia?

We have recently been hearing much maudlin sympathy expressed for the "downtrodden denizen of the sweat-shop" and the "homeless wanderer searching for honest employment," and with it all often go many hard words for the men in power.

Nothing is said about the employer who grows old before his time in a vain attempt to get frowsy ne’er-do-wells to do intelligent work; and his long patient striving with "help" that does nothing but loaf when his back is turned. In every store and factory there is a constant weeding-out process going on. The employer is constantly sending away "help" that have shown their incapacity to further the interests of the business, and others are being taken on. No matter how good times are, this sorting continues, only if times are hard and work is scarce, the sorting is done finer- but out and forever out, the incompetent and unworthy go. It is the survival of the fittest. Self-interest prompts every employer to keep the best- those who can carry a message to Garcia.

I know one man of really brilliant parts who has not the ability to manage a business of his own, and yet who is absolutely worthless to any one else, because he carries with him constantly the insane suspicion that his employer is oppressing, or intending to oppress him. He cannot give orders; and he will not receive them. Should a message be given him to take to Garcia, his answer would probably be, "Take it yourself."

Tonight this man walks the streets looking for work, the wind whistling through his threadbare coat. No one who knows him dare employ him, for he is a regular fire-brand of discontent. He is impervious to reason, and the only thing that can impress him is the toe of a thick-soled No. 9 boot.

Of course I know that one so morally deformed is no less to be pitied than a physical cripple; but in our pitying, let us drop a tear, too, for the men who are striving to carry on a great enterprise, whose working hours are not limited by the whistle, and whose hair is fast turning white through the struggle to hold in line dowdy indifference, slip-shod imbecility, and the heartless ingratitude, which, but for their enterprise, would be both hungry and homeless.

Have I put the matter too strongly? Possibly I have; but when all the world has gone a-slumming I wish to speak a word of sympathy for the man who succeeds -- the man who, against great odds has directed the efforts of others, and having succeeded, finds there’s nothing in it: nothing but bare board and clothes. I have carried a dinner pail and worked for day’s wages, and I have also been an employer of labor, and I know there is something to be said on both sides. There is no excellence, per se, in poverty; rags are no recommendation; and all employers are not rapacious and high-handed, any more than all poor men are virtuous.

My heart goes out to the man who does his work when the "boss" is away, as well as when he is at home. And the man who, when given a letter for Garcia, quietly take the missive, without asking any idiotic questions, and with no lurking intention of chucking it into the nearest sewer, or of doing aught else but deliver it, never gets "laid off," nor has to go on a strike for higher wages. Civilization is one long anxious search for just such individuals. Anything such a man asks shall be granted; his kind is so rare that no employer can afford to let him go. He is wanted in every city, town and village- in every office, shop, store and factory. The world cries out for such: he is needed, and needed badly- the man who can carry a message to Garcia.

-THE END- 

In 2009 as president of the Association of the United States Navy, I wrote a short article entitled "A New Message to Garcia."  There I called out the actions of a Sailor who went above and beyond what was expected without even being asked.  I hope he went on to bigger and better things because he had the right stuff.

Let's put all of this together.  One of the best ways to formalize mentoring is to create a written performance development plan.  We've included a sample template in the show notes.  This is a way to memorialize conversations with SMART goals -- you remember, specific, measurable, achievable, relevant, and time-bound?  If you are a mentor, you can use this as a template for your counseling sessions.  If you are a mentee and there is no template in your organization, feel free to introduce this to your mentor -- you're showing initiative and creating potential value for more people than just yourself.

By putting goals in writing, they experience a magical transformation.  It was Napoleon Hill who wrote that "a goal is a dream with a deadline."  Until you write it down, it's easy to find other things that seem more important or urgent at the moment.  In addition, a written set of goals offers accountability -- it's a commitment between mentor and mentee that can be honored like a contract.

Start with the manager's organizational priorities and goals that provide a context for the session.  For example, if you are in the cybersecurity organization, these could be things such as, "create a cyber vigilant organization," "enable cybersecurity controls and compliance," and "safeguard the organization against major threats."  Each of these could have subgoals that get into a little more detail -- awareness training for users, secure coding training for developers, establishing a governance structure around cyber risk.  This requires inside knowledge, and if the mentor is within the same organization, it shouldn't be too difficult to ascertain.  In addition, if the mentor is the supervisor, then even better -- this shows how the protégé's goals fit in with the boss's vision of what should happen.  Better to find out early on that an idea isn't practical then to spend a year working on it only to find out it will never be implemented.

Next, the protégé lists individual development goals.  Not too many, especially if you are meeting quarterly.  Two or three may be sufficient.  If there are too many things to work on, the natural tendency is to go for those that are easiest, which may not be the ones that are the most important.  Next comes the BHAG -- the big, hairy, audacious goal -- the one that will represent a signature accomplishment.  Chances are, this won't happen in a month or a quarter, but it's perfectly reasonable for an annual cycle to align with performance reviews to specify a stretch goal.  And by doing it in writing and knowing someone is holding accountability, it's more likely to happen.

When it comes to making progress, actions can be separated into experiences, relationships, and learning.  Most of our progress is done through experience, so list multiple experiences that one expects to accomplish before the next session.  It can be part of a larger goal -- work on the team deploying a SIEM or complete a particular phase of a larger project.  This is where the majority of the accountability will reside -- did you complete what you set out to do?  It's helpful to be a bit aspirational, but this isn't another set of stretch goals.

List at least two relationship improvement opportunities -- these can be key relationships or even potential sponsors.  For example, it could include the head of a particular business unit that has specific security requirements -- that meeting would help address those concerns and provide an opportunity for the person seeking visibility.

Lastly, include learning opportunities.  Not all of us are going to school full-time, but we all should be working on self-improvement.  For example, you might set a goal to complete the next course in your degree program or take the exam that grants a particular certification.

What you have is a template for action and professional growth.  The action comes from the accountability of a written document, and the growth comes from the joint goal-setting that takes place under the guidance of a mentor.  Don't just file it away with the rest of your paperwork -- put it where you'll see it every day and challenge yourself to check off another accomplishment by week's end.  By encouraging this culture of accomplishment, you'll significantly increase the probability of success.

Inside the front cover of my Garcia booklet is a short essay entitled "Initiative."  Let me leave you with this as a final thought:

The world bestows its big prizes, both in money and in honors, for but one thing. And that is Initiative.

What is Initiative?

I’ll tell you: it is doing the right thing without being told.

But next to doing the thing without being told is to do it when you are told once. That is to say, carry the Message to Garcia: those who can carry a message get high honors, but their pay is not always in proportion.

Next, there are those who never do a thing until they are told twice; such get no honors and small pay.

Next, there are those who do the right thing only when necessity kicks them from behind, and these get indifference instead of honors, and a pittance for pay. This kind spends most of its time polishing a bench with a hard-luck story.

Then, still lower down in the scale than this, we have fellow who will not do the right thing even when some one goes along to show him how and stays to see that he does it; he is always out of job, and receives the contempt he deserves, unless he happens to have a rich Pa, in which case Destiny patiently awaits around a corner with a stuffed club.

To which class do you belong?

Thank you for listening to CISO Tradecraft; we hope you've found this show valuable.  If you learned something that you like, please help us by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders.  The more CISOs we can help, the more businesses we can protect.  This is your host, G. Mark Hardy.  Thanks again for listening and stay safe out there.

References:

• https://blog.hubspot.com/marketing/mentor-tips-positive-impact
• https://www.businessnewsdaily.com/6248-how-to-find-mentor.html
• https://www.businessnewsdaily.com/3504-how-to-mentor.html
• https://maybusch.com/career-board-of-directors-advance-career/
• https://maybusch.com/find-sponsor/
• https://www.amazon.com/Elements-Style-4th-William-Strunk/dp/0205313426?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
• https://www.nato.int/nrdc-it/about/message_to_garcia.pdf
• https://gmarkhardy.com/Navy_Articles/NRA-0909%20A%20New%20Message%20to%20Garcia.pdf

Example: Individual Performance Plan

Name: ________________________________ Date:  ________________

Leadership's Cyber Priorities and Goals

1.       Create a Cyber Vigilant Organization

• Cyber Awareness Training, Secure Developer Training, and Proper Risk Approval and Governance

2.       Enable Compliance, Controls, and Cyber Security 

• Controls (IT General Controls & SOX), Audits, and Cyber Maturity Frameworks (ISO 27001, NIST CSF, or FFIEC)

3.       Safeguard the Business against Key Threats

• Phishing and Ransomware, Software Vulnerabilities, and Third-Party Risks

Individual Development Goals

1. Goal:
2. Goal:

Signature Accomplishment

•  My Big Goal is to accomplish …

Actions I am taking this year (How)

•  Experiences (70%)
  • Experience 1
  • Experience 2
  • Experience 3
  • …

Relationships (20%)

• Relationship Improvement Opportunity 1
• Relationship Improvement Opportunity 2

Learning (10%)

• Learning Opportunity

Support Needed from My Manager

• I need help with …

Special Thanks to our podcast sponsor, Obsidian Security.  

We are really excited to share today’s show on SaaS Security Posture Management.  Please note we have Ben Johnson stopping by the show so please stick around and enjoy.  First let’s go back to the basics:

Today most companies have already begun their journey to the cloud.  If you are in the midst of a cloud transformation, you should ask yourself three important questions:  

1. How many clouds are we in?
2. What data are we sending to the cloud to help the business?
3. How do we know the cloud environments we are using are properly configured?

Let’s walk through each of these questions to understand the cyber risks we need to communicate to the business as well as focus on one Cloud type that might be forecasting a major event.  First let’s look at the first question.  

How many clouds are we in?  It’s pretty common to find organizations still host data in on premises data centers.  This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location.  Example if you live in Florida you can expect a hurricane.  When this happens you might expect the data center to lose power and internet connectivity.  Therefore it’s smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event.  We can think of our primary data center and our backup data center as an On-Premises cloud.  Therefore it’s the first cloud that we encounter.  

The second cloud we are likely to encounter is external.  Most organizations have made the shift to using Cloud Computing Service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba.  Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises.  Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations you are in what is known as a hybrid cloud environment.  If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment.  Notice the difference between terms.  Hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers.  If you are using a Common Cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms.  Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings.

So let’s say your organization uses on premises and AWS but not Azure or GCP.  Does that mean you only have two clouds?  Probably not.  You see there’s one more type of cloud hosted service that you need to understand how to defend.  The most common cloud model organizations leverage is Software as a Service commonly pronounced as (SaaS). Frankly we don’t hear about SaaS security being discussed much which is why we are doing a deep dive on its security in this episode.  We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event.  So let’s look at SaaS Security in more depth.  

SaaS refers to cloud hosted solutions whereby vendors maintain most everything.  They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking.  It can be a huge win to run SaaS solutions since it minimizes the need to have IT staff running all of these IT services.  Example: Hiring HVAC folks to ensure we have proper heating and cooling for servers on premises won’t add new sales revenue to the business.  

Now that you understand why SaaS is important you should ask yourself.  How many external SaaS providers are we sending sensitive data to?  Every company is different but most can expect to find dozens to hundreds of SaaS based solutions.  Examples of external SaaS solutions commonly encountered by most businesses include: 

• Service Now or Jira in use as a ticketing service, 
• Salesforce for customer relationship management
• Workday for HR information
• G Suite or Microsoft Office 365 in use to send emails and create important documents
• Github as a source code repository for developers
• Zoom for virtual teleconferences
• Slack for instant messaging like conversations
• Okta for Identity and Access Management

Once you build out an inventory of your third parties hosted SaaS solutions, you need to understand the second question.  What kind of data is being sent to each service?  Most likely it’s sensitive data.  Customer PII and PCI data might be stored in Salesforce, Diversity or Medical information for employees is stored in Workday, Sensitive Algorithms and proprietary software code is stored in GitHub, etc. 

OK so if it is data that we care about then we need to ensure it doesn’t get into the wrong hands.  We need to understand why we care about SaaS based security which is commonly known as SaaS Security Posture Management.  Let’s consider the 4 major benefits of adopting this type of service.  

1. Detection of Account Compromise.  Today bad actors use man in the middle attacks to trick users to give their passwords and MFA tokens to them.  These attacks also provide the session cookie credentials that allow a website to know a user has already been authenticated.  If attackers replay these session cookie credentials there’s no malware on the endpoints.  This means that Antivirus and EDR tools don’t have the telemetry they need to detect account compromise.  Therefore, you need log data from the SaaS providers to see anomalous activity such as changing IP addresses on the application.  Note we talked about this attack in much more detail on episode 87 From Hunt Team to Hunter with Bryce Kunze.  
2. In addition to detecting account compromises, we see that SaaS security posture management solutions also improve detection times and response capabilities.  Let’s just say that someone in your organization has their login credentials to Office 365 publicly available on the dark web.  So a bad actor finds those credentials and logs into your Office 365 environment.  Next the bad actor begins downloading every sensitive file and folder they can find.  Do you have a solution that monitors Office 365 activity for Data Loss Prevention?  If not, then you are probably going to miss that data breach.  So be sure to implement solutions that both log and monitor your SaaS providers so you can improve your SaaS incident detection and response capabilities.
3. A third benefit we have seen is improvements to configuration and compliance.  You can think of news articles where companies were publicly shamed when they lost sensitive data by leaving it in a Public Amazon S3 bucket when it should have been private.  Similarly there are settings by most SaaS solutions that need to be configured properly.  The truth is many of these settings are not secure by default.  So if you are not looking at your SaaS configurations then access to sensitive data can become a real issue.  Here’s an all too common scenario.  Let’s say your company hires an intern to write a custom Salesforce page that shows customer documents containing PII.  The new intern releases updates to that webpage every two weeks.  Unfortunately the intern was never trained on all of the Salesforce best practices and creates a misconfiguration that allows customer invoices to be discovered by other customers.  How long would this vulnerability be in production before it’s detected by a bad actor?  If you think the answer is < 90 days, then performing yearly penetration tests is probably too slow to address the brand damage your company is likely to incur.  You need to implement a control that finds vulnerabilities in hours or days not months.  This control might notify you of compliance drift in real time when your Salesforce configuration stopped meeting a CIS benchmark.  Now you could pay a penetration testing provider thousands of dollars each week to continually assess your Salesforce environment, but that would become too cost prohibitive.  So focus on being proactive by switching from manual processes such as penetration testing to things that can be automated via tooling
4. The fourth major benefit that we observe is proper access and privilege management. Here’s one example.  For critical business applications you often need to enforce least privilege and prevent the harm that one person can cause.  Therefore, it’s common to require two or more people to perform a function.  Example: One developer writes the new code for a customer facing website, another developer reviews the code to detect if there’s any major bugs or glaring issues that might cause brand damage.  Having a solution that helps mitigate privilege creep ensures that developers don’t increase their access.  Another example of the importance to proper access management occurs when bad employees are fired.  When a bad employee is fired, then the company needs to immediately remove their access to sensitive data and applications.  This is pretty easy when you control access via a Single Sign On solution.  Just disable their account in one place.  However many SaaS providers don’t integrate with SSO/SAML.  Additionally the SaaS website is generally internet accessible so people can work from home even if they are not on a corporate VPN.  Therefore it’s common to encounter scenarios where bad employees are fired and their account access isn’t removed in a timely manner.  The manager probably doesn’t remember the 15 SaaS accounts they granted to an employee over a 3 year time frame.  When fired employees are terminated and access isn’t removed you can generally expect an audit finding, especially if it’s on a SOX application.  

OK so now that we talked about the 4 major drivers of SaaS Security Posture Management (detection of account compromise, improved detection and response times, improvements to configuration and compliance, and proper access and privilege management) let’s learn from our guest who can tell us some best practices with implementation.

Now I’m excited to introduce today’s guest:  Ben Johnson
Live Interview

Well thanks again for taking time to listen to our show today.  We hoped you learning about the various clouds we are in (On Premises, Cloud Computing Vendors, and SaaS), Understanding the new Gartner Magic Quadrant category known as SaaS Security Posture Management.  So if you want to improve your company’s ability on SaaS based services to:

1. detect account compromise, 
2. improve detection and response times, 
3. improve configuration and compliance, and 
4. proper access and privilege management 

Remember if you liked today’s show please take the 5 seconds to leave us a 5 star review with your podcast provider.  Thanks again for your time and Stay Safe out there.

References

• https://github.com/cisotradecraft/Podcast
• https://cisotradecraft.podbean.com/e/84-gaining-trust-with-robin-dreeke/
• https://www.youtube.com/shorts/vSART2mutwc
• https://www.peopleformula.com/selfmastery
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-roses-buds-thorns/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-how-to-compare-software/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-shall-we-play-a-game/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-aligning-security-initiatives-with-business-objectives/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-promotion-through-politics/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-presentation-skills/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-avoiding-death-by-powerpoint/
• https://cisotradecraft.podbean.com/e/ciso-tradecraft-partnership-is-key/
  
  

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today's episode is something special for us and we hope for you as well.  It’s hard to believe it but CISO Tradecraft has been producing episodes for about two years now.  This is our 100th episode!  We've covered quite a bit of ground over that time, and we thought we would do a little reflection on our previous episodes and highlight seven differentiators that set World Class CISOs apart from others.  So, stick around and learn these seven tips that will enable you to enhance your CISO Tradecraft and help you have a more successful career.

1. The first tip we want you to understand is that you must always help others to understand your viewpoints through Connection.  Now there is one thing to note:  the way you connect depends on the size of the audience.  We observe that there’s usually three different audience sizes that you will connect with: Individuals or 1:1, Small Teams (between 2 and 20), and Large Groups (more than 20).
   1. With Individuals it’s all about building the one-on-one connection.  An example of folks who excel at building connections are spies.  Spies have a mission to build connections with others and recruit them to share important information.  Now if you go back to Episode #84, we brought Robin Dreeke on the show to talk about Building Relationships of Trust.  Robin was a long time FBI agent who excelled in recruiting and turning Russian spies.  In the episode, Robin talked about the key to building relationships of trust.  He mentioned four key recommendations:
      1. Seek the thoughts and opinions of others;
      2. Talk in terms of priorities, pain points, and challenges of others;
      3. Use nonjudgmental validation (i.e., seek to understand others without judging); and
      4. Empower others with choices and give them the cause and effect of each choice.

There’s a lot more detail in that episode, so be sure to check it out if you haven't yet listened to it.  We would like to add one more key point to these thoughts from Robin.  It’s about seeking the thoughts and opinions of others.  You might be thinking to yourself, how do I connect with others, so they actually tell me their unfiltered opinions?  Jim Lawler, a 25-year veteran CIA operations officer came on Robin’s Dreeke’s Forging Trust podcast and provided a very interesting quote, “You don’t recruit people when you are in transmit mode.  You recruit people by listening.”  Therefore, find ways to listen with great questions.  Imagine if you asked these three powerful questions from Andy Ellis:

1. What is the stupidest risk that we are not taking care of that no one has dealt with?
2. What is the dumbest security control that gets in your way?
3. What is something that you wish we did better in security?

Now after you ask those three questions, take Jim’s advice, and just listen.  We mean to actively listen to every word coming off of the other person’s lips.  Don’t just listen for the purpose of responding right away and providing your opinion and guidance.  Remember, good listeners are very hard to come by.  It’s uncommon to find people who really take an interest in others.  So, listen with the purpose of understanding what the other person wants, not what you intend to say back.  When you care enough to truly listen, people feel heard, which generates a connection.

1. Small Teams - In addition to listening with others you will often need to connect with small teams.  This might be your executive leadership team.  It might be your boss and your peers.  To build connections with small groups you must enable Conversations of Candor.  If you haven’t heard of the word candor it means the quality of being open and honest in expression or frankness.  Here’s two examples of doing that:
   1. On Episode #27, we talked about how the Boy Scouts use the concept of Roses, Buds, and Thorns.  For those who were scouting leaders, after each campout you would talk about what’s going well (i.e., roses), what new ideas are working (i.e., buds) and what are the things you want to stop (i.e., thorns).  By consistently asking these questions in each of your staff meetings, you enable everyone the opportunity to speak their mind.  They have a venue to speak up.  Now if you really want to connect with small groups and build trust, then please act on their guidance.  If someone says a particular person isn’t responding, reach out to that other individual and say, "I would appreciate if you could assist so-and-so with this problem."  You're using the power of your leadership position to influence this other person.  When you step in for your team and work to help them, they will consider you as a good leader who helps his or her people.  [Navy story] By doing this, you enable trust and strengthen connections.
   2. Another example of creating conversations of candor is problem framing.  Note you can learn about all the steps in problem framing from Episode #14, How to Compare Software.  Now in today's discussion we're not talking about software but about people, but in that episode, we talked about the importance of applying problem framing to understand limitations and politics.  The first two steps of the seven in that methodology were defining the problem and stating the intended objective.  To best solve problems in an organization, it’s important everyone agrees that something is a real problem worth focusing on.  If each person has a different problem in mind, then there really isn’t going to be any meaningful agreement.  Start by getting consensus -- we all agree this is the exact problem we are solving today.  Once the room agrees on a problem, you need everyone to agree on an intended objective.  You can think of these as SMART goals.  You know the acronym: specific, measurable, achievable, relevant (or realistic), and time bound.  For example, let's say that today our organization is unable to retain quality talent.  We see many of our best and brightest going to other companies for more money.  So, your organization creates an intended objective.  For next year, we will seek to retain 80% of our employee population throughout the year that are not retiring.  This metric will enable our company to measure ourselves each month to see if we are successful and will allow everyone to connect by working together on the same issue.  Naturally, there needs to be resources allocated to achieve this goal; but if you have this stated objective in place, you're much more likely to set up your organization for success.
2. Large Groups- The last audience size is large groups.  In large groups you don’t have the opportunity to connect with everyone and have detailed conversations.  Additionally, with over twenty folks it becomes very difficult to have a conversation with everyone being able to provide their opinions and feedback.  So, for this audience, we recommend using gamification techniques to build connections.  Most executives are competitive.  We have all been involved in friendly competitions growing up as well as many of us have played some type of organized sport.  So, if we can create a game that increases active participation, provides immediate feedback, includes dynamic interaction, has competition or novelty, and improves a company’s ability to achieve a goal, then you are on to something truly special.  If you would like to learn more about gamification concepts and the four player types that you need to support, please check out Episode #65 which is entitled, "Shall We Play a Game?"

1. The second differentiator of the seven used by World-Class CISOs involves understanding how to build an effective metrics program that drives ownership and accountability.  If there isn’t someone accountable, then chances are the project is going to fail.  So, we need to have an accountable party and a good metric to show progress.  Remember, that which gets measured gets done; that which gets done well gets funded again.  To create good metrics, we want to you use the 4 Lines Approach.  Every metric needs a start line, a trend line, a goal line, and a timeline.
   1. A metric needs to have a Start Line to show the current status of where the organization is right now.  This allows the accountable parties to have a scoreboard.  You can think of playing a pick-up game of basketball.  If you are just playing for fun, people might not play their best.  However, if you put up a scoreboard, suddenly it becomes competitive, and players put forth a little more effort.  This helpful competition increases individual as well as team productivity.
   2. A metric should have a Trend Line to show how things have gone over the past four months.  Are things getting better, getting worse, or staying the same?  This tells management when something is going wrong, because negative trends indicate we need to change our course of action.  For example, if we see that the number of high and critical vulnerabilities on our SOX applications continues to increase, then we need to identify the root cause.  Are there enough resources on those teams, is something wrong from an architecture perspective, are our vendors not giving us the support we need, and so on?  If you are not watching the trend line, you will miss identifying when things are forecasted to go bad and end up taking corrective action much later than you could have.
   3. Metrics need a Finish   Line- This is a goal that the organization is targeting.  It has a clearly defined definition of done.  For example, let’s say we really care about ransomware and being able to restore critical applications from offline backups.  We need to be specific on our restoration capabilities.  If a server goes down do we have 4 hours, 8 hours, 24 hours, or more before it catastrophically impacts the business?  This matters since the business is going to have to both recreate all of the data lost in that amount of time as well as account for loss of operational efficiencies when key IT systems are down.  Compliance can have a big impact on this as well, so make sure you know your requirements.
   4. Metrics also need a Timeline- We need to set a time to which we hold people accountable for reaching the finish line.  Goals or definition of "done" might go on forever, which isn’t what you want.  You want results and that comes from accountability.  Therefore, ensure every task has a clear owner with a clear deadline.  Note if you want to hear more about these four lines, please check out Episode #69 on aligning security initiatives with business objectives.

1. The third differentiator of seven for World-Class CISOs is understanding the shift between being competent versus being effective.  On Episode #62 entitled Promotion Through Politics, we talked about the four major phases in your career and the different skillsets you must display to get promoted.  At first you are an individual contributor.  In this role you get promoted by demonstrating technical skills.  This phase usually lasts several years, and if you are proficient in your area of expertise, you'll get promoted to first line manager.  [If we use the Navy as an example, if you're a skilled pilot you'll compete well for promotion to Lieutenant Commander, or Major in the non-sea services.]  Here you must demonstrate your management skills -- executing to budget, managing paperwork effectively, meeting deadlines.  If you learn and do all this well, you get to become a manager of managers and are welcomed into middle management.  [Back to the Navy, if you do well as a department head, you'll be a strong candidate to promote to Commander (or Lieutenant Colonel) and select for Executive Officer or Commanding Officer.]  This is where you must demonstrate leadership skills -- inspiring and strengthening your team, setting and achieving stretch goals, accomplishing your mission through innovation.  [Today, less than half of those officers will be offered a promotion to Captain (or Colonel.)]  If you've seen the Top Gun Maverick movie, you'll see that Tom Cruise's character as a Captain does all of these things -- he portrays a seasoned leader building a team, teaching teamwork skills, inspiring confidence, and leading by example rather than just playing a hotshot pilot competing against his peers as he did in the first movie (although he still is the best of the best in the cockpit, but I don't want to spoil any of the plot if you still want to see it.)  This is where you get some of the most rewarding opportunities in your career -- leading men and women in accomplishing great tasks.  Many careers top out here.  Brigadier General Jeremy Horn writes in his article, The 10 Secret Rules of the Colonel, "Colonel is the last rank that you can make through personal effort.  Everything from here on out is luck and timing."  He's right.  Invitations to the executive suite, known in the military as Flag Officer, requires excellence in your record, your reputation, and your relationships.  If you want to read some more of my thoughts on that topic, look up my article on Running Up the Flagpole.  Finally, if you are lucky and haven’t burned too many bridges you get welcomed into the executive level.  [In the Navy, that would be promotion to Rear Admiral (Brigadier General), a selection rate by the way that was less than 1% in my community.  Think about that -- 99% of Navy captains retire as captain.  Essentially, you can consider this as your terminal pay grade.  That realization does one of three things -- there are a few that hit cruise control and are on what we call the ROAD program -- retired on active duty.  The majority work well in their roles and serve honorably and effectively while looking for a good civilian job to transition out of the military.  But for a handful of us, it became "no fear" -- leadership couldn't hold not getting your promotion over your head if you took a risk and lost, so you go for things that are considered impossible and make them happen.  [pin on story]  If you consider some of the names you might remember from the military -- Colonel John Boyd's OODA Loop -- observe, orient, decide, and act; Colonel David Hackworth, the most decorated officer from the Korean War and the Vietnam War with two Distinguished Service Crosses, ten Silver Stars, and eight Bronze Stars -- they retired as Colonels, not Generals].  In this final career phase at the very top, it's not about leadership, it's all about politics.  Leaders show their political acumen to get recognized as being able to serve at this level.  Those who do not understand this think they're just brown-nosing, but it really is a manner of virtue-signaling, IF done at the right point in one's career.

Now as you are moving between levels in your career there’s one subtle thing that we want to you understand about executives.  It’s this concept of being competent versus being effective.  When you are in an individual contributor and first line manager roles, you must be competent.  For example, a pentester who can’t go hands-on to the keyboard to find vulnerabilities isn’t providing much value.  A firewall engineer who can’t change the access control rules isn’t helping.  You must display competence.  However, by the time you are a manager of managers you aren’t touching a keyboard much anymore.  So, your competence isn’t as important.  It’s important you know what good looks like so you can provide your team guidance.  However, your ability to troubleshoot a firewall is probably behind you.  You need to make the shift to focus on effectiveness.  Instead of improving only yourself, you need to improve the effectiveness of the people assigned to you.  If you could make everyone 100% more productive, then that is like having twice as many people on your team.  Here’s another example.  There was a company that hired a CISO who wasn’t technical.  He had never had traditional cyber security roles such as running a Security Operations Center, building a compliance organization to keep auditors happy, or implementing antivirus and firewalls.  However, this CISO was really good at connecting with others and getting resources.  After meeting with all the technical experts within the cyber organization, he learns they needed funding.  So, he plays a round of golf with the CEO and gets the resources necessary to increase the team size to the appropriate levels.  Later on, he gets asked technical questions by the CIO about why the application security tools have so many false positives.  He responds that he will discuss this concern with his technical experts.  Later on, he brings those experts into a meeting where they brief the CIO on why the AppSec tools have issues and the recommended way forward to fix them.  This resolves the CIO's concerns.  We mention this story because the CISO was not competent as an application security expert.  However, he was extremely effective in his role.  Of course, competent CISOs can do more, but the main point we want you to understand is at the executive level you need to spend your time learning how to get things done more effectively, and you do this by enabling (or coercing) others to accomplish the work, not by becoming increasingly competent as a technical contributor.

1. The fourth differentiator of World-Class CISOs is they are amazing communicators.  Who wants to listen to a boring presentation?  The answer is no one.  So don’t be that type of speaker.  Imagine you are a world class communicator that your CXO peers love hearing from.  That type of speaker is going to get invited to talk again and again.  When that happens, you get the opportunity to influence, to change behavior, to discuss high priority risks, and to be seen.  This is all goodness.  On Episode #61, we talk about presentation skills and how to give great presentations.  We discuss a JP Phillips Ted Talk that explains if you want listeners to remember your talk, try adding a cliffhanger.  If you want to build trust with a team, then tell something vulnerable about yourself.  Finally, if you want people to be focused and relaxed, try being overly dramatic or funny.  Also don’t just try to communicate via email and PowerPoint.  On Episode #75, Avoiding Death by PowerPoint, we talk about using escape rooms, tabletop exercises, and polls to create unique experiences that others will enjoy.  Mix it up a little and you'll improve your ability to influence others.

1. The fifth differentiator that sets up World-Class CISOs for success is they align security initiatives with business objectives.  In Episode #69 we talk about profit generation, cost reduction, service enablement, and customer and market outreach as the four key objectives that build profitable growth for businesses.  To best learn the business objectives and build relationships of trust with the C Suite, you need to learn how to partner.  We give detailed explanations of this process in Episode #70, Partnership Is Key.  One example is the marketing department.  They often direct where the IT organization needs to build its next webpage or widget.  However, marketing folks are often not technical.  Now imagine if you are the CISO that really gets on well with them.  So, you and they both partner together to identify a way to send marketing material via text and social media platforms such as TikTok, WeChat, and others.  Marketing estimates this will create millions of dollars of new sales.  So, the marketing team, the CIO, and the CISO brief the CEO and CFO to ask for an additional budget to perform this effort.  The CEO and CFO hear the business case and listen to the CIO saying this can be built in a six-month time frame.  The CEO and CFO also hear from the CISO that this can be done securely.  After due consideration, they approve the funding request.  Guess what?  That’s a big win for the company.  Since you were involved early with marketing, you also have the greatest opportunity to design security correctly on the new solution, versus being asked to approve something the week before going live.  So, find ways to connect through partnership and always focus on enabling business objectives.

1. The sixth differentiator that sets CISOs up for success is they can create effective risk governance and management processes within an organization.  The business must see that cyber is a business risk and not just an IT risk.  For example, when system XYZ is unavailable, how does that affect each of the users of that IT system?  What business processes fail?  What are the potential impacts on revenue and customer service?  This is why cyber risks need to be acknowledged by both the business owners who can identify the consequences of downtime and the IT maintainers who can actually remediate the findings.

Now one important thing to remember is approval authorities.  For example, who in the organization has purchasing authority for two million dollars of software?  Can any manager do this, or does it need to receive approval from a director, vice president, or senior vice-president?  A quick conversation with the CFO can confirm spending levels.  Once you know the spending authorities, then you can make a comparison that accepting two million dollars in cyber risk is the same as approving two million dollars in additional spending.  If a third-party risk assessment identifies two million dollars in new software risk, then the business must acknowledge the risk by either moving forward, rejecting the software, or finding a way to remediate the vulnerability before using the software.  Remember, the purpose of cyber isn’t to say "no."  The purpose of cyber is to be in the business of revenue protection.  Cyber protects revenue when the business owners can make business decisions in their best interest.  Most business executives will not understand the likelihood of a system being compromised, but that’s where cyber can show real value.  Cyber can communicate the vulnerabilities within systems to the business in risk committees and governance boards.  This allows cyber and the business to document the risk decisions being made.  When you document discussions and decisions based on risks and money, then you are acting like an executive.  This is the way to success.

1. The last world class differentiator for CISOs is they are successful in their jobs.  Want to know how to set up for success in any job?  If so, then please follow this piece of advice.  You must accomplish three things:
   1. First you need to get the job done.  If others refer to you as a "closer" for finishing the job, then you build trust.  When leadership knows they can trust you with little things, you get bigger responsibilities.  Mission accomplishment is the coin of the realm.
   2. The second thing to being successful in any job is you must cover all the angles.  Never let an overlooked detail derail you.  Good executives run efficient programs and projects that finish on time and within budget.  When things don’t go as forecasted there should not be big surprises to anyone since you keep a close watch of the details.  If you keep track of the details and think things through, then you can be successful.  You can succeed in this area by creating a culture of no-fear, specifically of not shooting messengers.  Are your people confident they can come to you early with potential issues for situational awareness, consideration, or possible resolution?  Can even your most junior person speak up and point out what might be a problem?  If it isn't, don't  cut them down, but patiently point out that that issue is already covered, but thank you for keeping your eyes open, and if you see other potential problems, continue to speak up.  You make better decisions when you don't have people afraid to bring you bad news.  I think we can all imagine a global leader today that none of us would want to approach saying things aren't going well and according to plan.  Don't be that kind of boss.
   3. The final and most important thing to succeed in any job is to keep the customer happy.  Remember, if the customer isn’t happy, then it doesn’t matter what you have done.  The key thing to remember is determining who is the customer with every project.  Sometimes it’s your boss, sometimes it’s the business, sometimes it’s actually an external corporate customer.  If you know who that is and you keep them happy, then you usually have a high probability that you will stay gainfully employed.

Well, we hope you have enjoyed listening to the seven ways world class CISOs set themselves up for success.  Let's recap:

1. They focus on building connections;
2. They leverage effective metrics programs that drive ownership and accountability;
3. They know effectiveness is more valuable than being competent at the executive level;
4. They are great communicators;
5. They align security initiatives with business objectives;
6. They create effective risk governance and management processes; and finally,
7. They practice the three tips to be successful in any job.

If you want to learn more great tips on being an effective CISO, please take a look at our GitHub Page which lists each of our podcast episodes under ten high-level topics.  Also note there’s a link to each of the episodes we mentioned in our show notes.   And finally, if you learned something that you like, please help us celebrate one hundred episodes of CISO Tradecraft by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders.  The more CISOs we can help, the more businesses we can protect.  This is your host, G. Mark Hardy.  Thanks again for listening and stay safe out there.

Episode 99 - Cyberwar and the Law of Armed Conflict with Larry Dietz

We bring you another episode from Naas, Ireland today speaking about cyberwar and the law of armed conflict with Larry Dietz, a retired US Army Colonel and practicing attorney. This is a follow-up to Episode 98, where we cover the Tallin Manual, discover a surprise resource on cyber conflict hosted by the Red Cross, examine what critical infrastructure might be legitimate targets, and the importance for CISOs to establish relationships with law enforcement before things go bad.

References:

• https://ccdcoe.org/research/tallinn-manual/
• https://www.icrc.org/en/war-and-law/conduct-hostilities/cyber-warfare
• https://www.cisa.gov/critical-infrastructure-sectors
• https://www.secretservice.gov/contact/ectf-fctf
• https://psyopregiment.blogspot.com/

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it.  Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way.  So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers.  It only takes a click -- thank you for helping out our security leadership community.

I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time.  However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that.

The ancient Chinese military strategist Sun Tzu wrote:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.  If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.  If you know neither the enemy nor yourself, you will succumb in every battle.”

That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today.  Let me add one more quote and we'll get into the material.  Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said:

"As we know, there are known knowns; there are things we know we know.  We also know there are known unknowns; that is to say we know there are some things we do not know.  But there are also unknown unknowns—the ones we don't know we don't know.  And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.

So, knowledge seems extremely important throughout the ages.  Modern governments know that, and as a result all have their own intelligence agencies.  Let's look at an example.  If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency:

1. Collecting foreign intelligence that matters
2. Producing objective all-source analysis
3. Conducting effective covert action as directed by the President
4. Safeguarding the secrets that help keep our nation safe.

Why do we mention this?  Most governments around the world have similar Nation State objectives and mission statements.  Additionally, it’s particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents.).

What are typical goals for State Actors?  Let's look at a couple:

• Goal 1: Steal targeting data to enable future operations.  Data such as cell phone records, banking statements or emails allow countries to better target individuals and companies when they know that identifying information.  Additionally, targeting data allows Nation state organizations to understand how individuals are connected.  This can be key when we are looking for key influencers for targets of interest.  All targeting data should not be considered equal.  Generally, Banking and Telecom Data are considered the best for collecting so be mindful if that is the type of company that you protect.  State Actors target these organizations because of two factors:
  • The Importance of the Data is the first factor.  If one party sends a second party an email, that means there is a basic level of connection.  However, it’s not automatically a strong connection since we all receive emails from spammers.  If one party calls someone and talks for 10 minutes to them on a phone call, that generally means a closer connection than an email.  Finally, if one party sends money to another party that either means a really strong connection exists, or someone just got scammed.
  • The Accuracy of the Data is the second factor.  Many folks sign up for social media accounts with throw away credentials (i.e., fake names and phone numbers).  Others use temporary emails to attend conferences, so they don’t get marketing spam when they get home.  However, because of Anti Money Laundering (or AML) laws, people generally provide legitimate data to financial services firms.  If they don’t, then they risk not being able to take the money out of a bank -- which would be a big problem.
• A second goal in addition to collecting targeting data, is that State Actors are interested in collecting Foreign Intelligence.  Foreign Intelligence which drives policy-making decisions is very impactful.  Remember, stealing secrets that no one cares about is generally just a waste of government tax dollars.  If governments collect foreign intelligence on sanctioned activity, then they can inform policy makers on the effectiveness of current sanctions, which is highly useful.  By reporting sanctioned activity, the government can know when current sanctions are being violated and when to update current sanctions.  This can result in enabling new intelligence collection objectives.  Examples of this include:
  • A country may sanction a foreign air carrier that changes ownership or goes out of business.  In that case, sanctions may be added against different airlines.  This occurred when the US sanctioned Mahan Air, an Iran’s airline.  Currently the US enforces sanctions on more than half of Iran's civilian airlines.
  • A country may place sanctions on a foreign bank to limit its ability to trade in certain countries or currencies.  However, if sanctioned banks circumvent controls by trading with smaller banks which are not sanctioned, then current sanctions are likely ineffective.  Examples of sanctioning bank activity by the US against Russia during the current war with Ukraine include:
    • On February 27th sanctions were placed against Russian Banks using the SWIFT international payment systems
    • On February 28th, the Russian Central Bank was sanctioned
    • On March 24th, the Russian Bank Sberbank CEO was sanctioned
    • On April 5th, the US IRS suspended information exchanges with the Russian tax authorities to hamper Moscow’s ability to collect taxes.
    • On April 6th, the US sanctioned additional Russian banks.
  • These sanctions didn't just start with the onset of hostilities on 24 February 2022.  They date back to Russia's invasion of Crimea.  It's just that the US has turned up the volume this time.
  • If sanctions are placed against a country’s nuclear energy practices, then knowing what companies are selling or trading goods into the sanctioned country becomes important.  Collecting information from transportation companies that identify goods being imported and exported into the country can also identify sanction effectiveness.
• A third goal or activity taken by State Actors is covert action.  Covert Action is generally intended to cause harm to another state without attribution.  However, anonymity is often hard to maintain.
  • If we look at Russia in its previous history with Ukraine, we have seen the use of cyber attacks as a form of covert action.  The devastating NotPetya malware (which has been generally accredited to Russia) was launched as a supply chain attack.  Russian agents compromised the software update mechanism of Ukrainian accounting software M.E. Doc, which was used by nearly 400,000 clients to manage financial documents and file tax returns.  This update did much more than the intended choking off of Ukrainian government tax revenue -- Maersk shipping estimates a loss of $300 million.  FedEx around $400 million.  The total global damage to companies is estimated at around $10 billion.
  • The use of cyberattacks hasn’t been limited to just Russia.  Another example is Stuxnet.  This covert action attack against Iranian nuclear facilities that destroyed nearly one thousand centrifuges is generally attributed to the U.S. and Israel.

Changing topics a little bit, we can think of the story of two people encountering a bear.

Two friends are in the woods, having a picnic.  They spot a bear running at them.  One friend gets up and starts running away from the bear.  The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.  “Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend.  “You can’t outrun a bear!”  “I don’t have to outrun the bear,” said the second friend.  “I only have to outrun you.”

So how can we physically outrun the Cyber Bear?

• We need to anticipate where the Bear is likely to be encountered.  Just as national park signs warn tourists of animals, there’s intelligence information that can inform the general public.  If you are looking for physical safety intelligence you might consider:
  • The US Department of State Bureau of Consular Affairs.  The State Department hosts a travel advisory list.  This list allows anyone to know if a country has issues such as Covid Outbreaks, Civil Unrest, Kidnappings, Violent Crime, and other issues that would complicate having an office for most businesses.
  • Another example is the CIA World Factbook.  The World Factbook provides basic intelligence on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 266 world entities.
  • Additionally you might also consider data sources from the World Health Organization and The World Bank
• If we believe that one of our remote offices is now at risk, then we need to establish a good communications plan.  Good communications plans generally require at least four forms of communication.  The acronym PACE or Primary, Alternate, Contingency, and Emergency is often used
  • Primary Communication: We will first try to email folks in the office.
  • Alternate Communication: If we are unable to communicate via email, then we will try calling their work phones.
  • Contingency Communication: If we are unable to reach individuals via their work phones, then we will send a Text message to their personal cell phones.
  • Emergency Communication: If we are unable to reach them by texting their personal devices, then we will send an email to their personal emails and next of kin.
• Additionally, we might purchase satellite phones for a country manager.  Satellite phones can be generally purchased for under $1,000 and can be used with commercial satellite service providers such as Inmarsat, Globalstar, and Thuraya.  One popular plan is Inmarsat’s BGAN.  BGAN can usually be obtained from resellers for about $100 per month with text messaging costing about fifty cents each and calls costing about $1.50 per minute.  This usually translates to a yearly cost of $1,500-2K per device.  Is $2K worth the price of communicating to save lives in a high-risk country during high political turmoil?  Let your company decide.  Note a great time to bring this up may be during use-or-lose money discussions at the end of the year.
• We should also consider preparing egress locations.  For example, before a fire drill most companies plan a meetup location outside of their building so they can perform a headcount.  This location such as a vacant parking lot across the street allows teams to identify missing personnel which can later be communicated to emergency personnel.  If your company has offices in thirty-five countries, you should think about the same thing, but not assembling across the street but across the border.  Have you identified an egress office for each overseas country?  If you had operations in Ukraine, then you might have chosen a neighboring country such as Poland, Romania, or Hungary to facilitate departures.  When things started going bad, that office could begin creating support networks to find local housing for your corporate refugees.  Additionally, finding job opportunities for family members can also be extremely helpful when language is a barrier in new countries.

If we anticipate the Bear is going to attack our company digitally, then we should also look for the warning signs.  Good examples of this include following threat intelligence information from:

• Your local ISAC organization.  ISAC or Information Sharing Analysis Centers are great communities where you can see if your vertical sector is coming under attack and share your experiences/threats.  The National Council of ISACs lists twenty-five different members across a wide range of industries.  An example is the Financial Services ISAC or FS-ISAC which has a daily and weekly feed where subscribers can find situational reports on cyber threats from State Actors and criminal groups.
• InfraGard™ is a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of US Critical Infrastructure.  Note you generally need to be a US citizen without a criminal history to join
• AlienVault offers a Threat Intelligence Community called Open Threat Exchange which grants users free access to over nineteen million threat indicators.  Note AlienVault currently hosts over 100,000 global participants, so it’s a great place to connect with fellow professionals.
• The Cybersecurity & Infrastructure Security Agency or CISA also routinely issues cybersecurity advisories to stop harmful malware, ransomware, and nation state attacks.  Helpful pages on their websites include the following:
  • Shields Up which provides updates on cyber threats, guidance for organizations, recommendations for corporate Leaders and CEOs, ransomware responses, free tooling, and steps that you can take to protect your families.
  • There’s even a Shields Technical Guidance page with more detailed recommendations.
  • CISA routinely puts out Alerts which identify threat actor tactics and techniques.  For example, Alert AA22-011A identifies how to understand and mitigate Russian State Sponsored Cyber Threats to US Critical Infrastructure.  This alert tells you what CVEs the Russian government is using as well as the documented TTPs which map to the MITRE ATT&CK™ Framework.  Note if you want to see more on the MITRE ATT&CK mapped to various intrusion groups we recommend going to attack.mitre.org slant groups.
  • CISA also has notifications that organizations can sign up for to receive timely information on security issues, vulnerabilities, and high impact activity.
  • Another page to note on CISA’s website is US Cert.  Here you can report cyber incidents, report phishing, report malware, report vulnerabilities, share indicators, or contact US Cert.  One helpful page to consider is the Cyber Resilience Review Assessment.  Most organizations have an IT Control to conduct yearly risk assessments, and this can help identify weaknesses in your controls.

Now that we have seen a bear in the woods, what can we do to put running shoes on to run faster than our peers?  If we look at the CISA Shield Technical Guidance Page we can find shields up recommendations such as remediating vulnerabilities, enforcing MFA, running antivirus, enabling strong spam filters to prevent phishing attacks, disabling ports and protocols that are not essential, and strengthening controls for cloud services.  Let’s look at this in more detail to properly fasten our running shoes.

• If we are going to remediate vulnerabilities let’s focus on the highest priority.  I would argue those are high/critical vulnerabilities with known exploits being used in the wild.  You can go to CISA’s Known Exploited Vulnerabilities Catalog page for a detailed list.  Each time a new vulnerability gets added, run a vulnerability scan on your environment to prioritize patching.
• Next is Multi Factor Authentication (MFA).  Routinely we see organizations require MFA access to websites and use Single Sign On.  This is great -- please don’t stop doing this.  However, we would also recommend MFA enhancements in two ways.  One, are you using MFA on RDP/SSH logins by administrators?  If not, then please enable immediately.  You never know when one developer will get phished, and the attacker can pull his SSH keys.  Having MFA means even when those keys are lost, bad actor propagation can be minimized.  Another enhancement is to increase the security within your MFA functionality.  For example, if you use Microsoft Authenticator today try changing from a 6 digit rotating pin to using security features such as number matching that displays the location of their IP Address.  You can also look at GPS conditional policies to block all access from countries in which you don’t have a presence.
• Running antivirus is another important safeguard.  Here’s the kicker -- do you actually know what percentage of your endpoints are running AV and EDR agents?  Do you have coverage on both your Windows and Linux Server environments?  Of the agents running, what portion have signatures updates that are not current?  How about more than 30 days old.  We find a lot of companies just check the box saying they have antivirus, but if you look behind the scenes you can see that antivirus isn’t as effective as you think when it’s turned off or outdated.
• Enabling Strong Spam Filters is another forgotten exercise.  Yes, companies buy solutions like Proofpoint to secure email, but there’s more that can be done.  One example is implementing DMARC to properly authenticate and block spoofed emails.  It’s the standard now and prevents brand impersonation.  Also please consider restricting email domains.  You can do this at the very top.  Today, the vast majority of legitimate correspondents still utilize one of the original seven top-level domains:  .com, .org, .net, .edu, .mil, .gov, and .int, as well as two-letter country code top-level domains (called ccTLDs).  However, you should look carefully at your business correspondence to determine if communicating with all 1,487 top-level domains is really necessary.  Let’s say your business is located entirely in the UK.  Do you really want to allow emails from Country codes such as .RU, .CN, and others?  Do you do business with .hair, or .lifestyle, or .xxx?  If you don’t have a business reason for conducting commerce with these TLDs, block them and minimize both spam and harmful attacks.  It won’t stop bad actors from using Gmail to send phishing attacks, but you might be surprised at just how much restricting TLDs in your email can help.  Note that you have to be careful not to create a self-inflicted denial of service, so make sure that emails from suspect TLDs get evaluated before deletion.
• Disabling Ports and Protocols is key since you don’t want bad actors having easy targets.  One thing to consider is using Amazon Inspector.  Amazon Inspector has rules in the network reachability package to analyze your network configurations to find security vulnerabilities in your EC2 Instances.  This can highlight and provide guidance about restricting access that is not secure such as network configurations that allow for potentially malicious access such as mismanaged security groups, Access Control Lists, Internet Gateways, etc.
• Strengthening Cloud Security- We won’t go into this topic too much as you could spend a whole talk on strengthening cloud security.  Companies should consider purchasing a cloud security solution like Wiz, Orca, or Prisma for help in this regard.  One tip we don’t see often is using geo-fencing and IP allow-lists.  For example, one new feature that AWS recently created is to enable Web Application Firewall protections for Amazon Cognito.  This makes it easier to protect user pools and hosted UIs from common web exploits.

Once we notice there’s likely been a bear attack on our peers or our infrastructure, we should report it.  This can be done by reporting incidents to local governments such as CISA or a local FBI field office, paid sharing organizations such as ISAC, or free communities such as AlienVault OTX.

Let's walk through a notional example of what we might encounter as collateral damage in a cyberwar.  However, to keeps this out of current geopolitics, we'll use the fictitious countries Blue and Orange.

Imagine that you work at the Acme Widget Corporation which is a Fortune 500 company with a global presence.  Because Acme manufactures large scale widgets in their factory in the nation of Orange, they are also sold to the local Orange economy.  Unfortunately for Acme, Orange has just invaded their neighboring country Blue.  Given that Orange is viewed as the aggressor, various countries have imposed sanctions against Orange.  Not wanting to attract the attention of the Orange military or the U.S. Treasury department, your company produces an idea that might just be crazy enough to work.  Your company is going to form a new company within Orange that is not affiliated with the parent company for the entirety of the war.  This means that the parent company won’t provide services to the Orange company.  Additionally, since there is no affiliation between the companies then the legal department advises that there will not be sanction evasion activity which could put the company at risk.  There’s just one problem.  Your company has to evict the newly created Orange company (Acme Orange LLC) from its network and ensure it has the critical IT services to enable its success.

So where do we start?  Let’s consider a few things.  First, what is the lifeblood of a company?  Every company really needs laptops and Collaboration Software like Office 365 or GSuite.  So, if we have five hundred people in the new Acme Orange company, that's five hundred new laptops and a new server that will host Microsoft Exchange, a NAS drive, and other critical Microsoft on premises services.

Active Directory: Once you obtain the server, you realize a few things.  Previous Acme admin credentials were used to troubleshoot desktops in the Orange environment.  Since exposed passwords are always a bad thing, you get your first incident to refresh all passwords that may have been exposed.  Also, you ensure a new Active Directory server is created for your Orange environment.  This should leverage best practices such as MFA since Orange Companies will likely come under attack.

Let’s talk about other things that companies need to survive:

• Customer relations management (CRM) services like Salesforce
• Accounting and Bookkeeping applications such as QuickBooks
• Payment Software such as PayPal or Stripe
• File Storage such as Google Drive or Drop Box
• Video Conferencing like Zoom
• Customer Service Software like Zendesk
• Contract Management software like DocuSign
• HR Software like Bamboo or My Workday
• Antivirus & EDR software

Standing up a new company’s IT infrastructure in a month is never a trivial task.  However, if ACME Orange is able to survive for 2-3 years it can then return to the parent company after the sanctions are lifted.

Let’s look at some discussion topics.

• What IT services will be the hardest to transfer?
• Can new IT equipment for Acme Orange be procured in a month during a time of conflict?
• Which services are likely to only have a SaaS offering and not enable on premises during times of conflicts?
• Could your company actually close a procurement request in a one-month timeline?

If we believe we can transfer IT services and get the office up and running, we might look at our cyber team's role in providing recommendations to a new office that will be able to survive a time of turmoil.

• All laptops shall have Antivirus and EDR enabled from Microsoft.
• Since the Acme Orange office is isolated from the rest of the world, all firewalls will block IP traffic not originating from Orange.
• SSO and MFA will be required on all logins
• Backups will be routinely required.

Note if you are really looking for effective strategies to mitigate cyber security incidents, we highly recommend the Australian Essential Eight.  We have a link in our show notes if you want more details.

Additionally, the ACME Orange IT department will need to create its own Incident Response Plan (IRP).  One really good guide for building Cyber Incident Response Playbooks comes from the American Public Power Association.  (I'll put the link in our show notes.)  The IRP recommends creating incident templates that can be used for common attacks such as:

• Denial of Service (DoS)
• Malware
• Web Application Attack (SQL Injection, XSS, Directory Traversal, …)
• Cyber-Physical Attack
• Phishing
• Man in the middle attack
• Zero Day Exploit

This Incident Response Template can identify helpful information such as

• Detection: Record how the attack was identified
• Reporting: Provide a list of POCs and contact information for the IT help desk to contact during an event
• Triage: List the activities that need to be performed during Incident Response.  Typically, teams follow the PICERL model.  (Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned)
• Classification: Depending on the severity level of the event, identify additional actions that need to occur
• Communications: Identify how to notify local law enforcement, regulatory agencies, and insurance carriers during material cyber incidents.  Additionally describe the process on how communications will be relayed to customers, employees, media, and state/local leaders.

As you can see, there is much that would have to be done in response to a nation state aggression or regional conflict that would likely fall in your lap.  If you didn't think about it before, you now have plenty of material to work with.  Figure out your own unique requirements, do some tabletop exercises where you identify your most relevant Orange and Blue future conflict, and practice, practice, practice.  We learned from COVID that companies that were well prepared with a disaster response plan rebranded as a pandemic response plan fared much better in the early weeks of the 2020 lockdown.  I know my office transitioned to remote work for over sixty consecutive weeks without any serious IT issues because we had a written plan and had practiced it.  Here's another one for you to add to your arsenal.  Take the time and be prepared -- you'll be a hero "when the bubble goes up."  (There -- you've learned an obscure term that nearly absent from a Google search but well-known in the Navy and the Marine Corps.)

Okay, that's it for today's episode on Outrunning the Bear.  Let's recap:

• Know yourself
• Know what foreign adversaries want
• Know what information, processes, or people you need to protect
• Know the goals of state actors:
  • steal targeting data
  • collect foreign intelligence
  • covert action
• Know how to establish a good communications plan (PACE)
  • Primary
  • Alternate
  • Contingency
  • Emergency
• Know how to get out of Dodge
• Know where to find private and government threat intelligence
• Know your quick wins for protection
  • remediate vulnerabilities
  • implement MFA everywhere
  • run current antivirus
  • enable strong spam filters
  • restrict top level domains
  • disable vulnerable or unused ports and protocols
  • strengthen cloud security
• Know how to partition your business logically to isolate your IT environments in the event of a sudden requirement.

Thanks again for listening to CISO Tradecraft.  Please remember to like us on your favorite podcast provider and tell your peers about us.  Don't forget to follow us on LinkedIn too -- you can find our regular stream of low-noise, high-value postings.  This is your host G. Mark Hardy, and until next time, stay safe.

References

• https://www.goodreads.com/quotes/17976-if-you-know-the-enemy-and-know-yourself-you-need

• https://en.wikipedia.org/wiki/There_are_known_knowns 

• https://www.cia.gov/about/mission-vision/ 
• https://www.cybersecurity-insiders.com/ukraines-accounting-software-firm-refuses-to-take-cyber-attack-blame/ 

• https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ 

• https://www.nationalisacs.org/member-isacs-3 

• https://attack.mitre.org/groups/ 

• https://data.iana.org/TLD/tlds-alpha-by-domain.txt 

• https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf 

Special Thanks to our podcast sponsor, NowSecure.  On this episode, Brian Reed (Chief Mobility Officer at NowSecure) stops in to provide a world class education on Mobile Application Security.  It's incredible to think that 70% of internet traffic is coming over mobile devices.  Most of this traffic occurs via mobile applications so we need to understand mobile application security testing, before attackers show us how important it is. This episode will help you understand:

• What should you be doing to secure your mobile applications?
• Why managing a mobile device doesn't secure your application layer?
• How should you vet your mobile applications according to recommendations from OWASP

References:

• NowSecure Academy provides free mobile application security training and certificate programs- https://academy.nowsecure.com/ 
  Mobile app growth trends and security issues in the news-  https://www.nowsecure.com/mobile-app-breach-news/ 
• Snapshot of the current risk profile for mobile apps in your industry- https://mobilerisktracker.nowsecure.com/
• App Defense Alliance https://appdefensealliance.dev/ 
• Google Play Data Safety- https://blog.google/products/google-play/data-safety/  
• OWASP CycloneDX- https://owasp.org/www-project-cyclonedx/ 
• OWASP MASVS- https://github.com/OWASP/owasp-masvs 

Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we’re going to -- talk like a pirate.  ARRR

As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

On today’s episode we are going to talk about the 9 Cs of Cyber Security.  Note these are not the 9 Seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk like a Pirate Day.  They are the nine words that begin with the letter C (but not the letter ARRR):

1. Controls,
2. Compliance,
3. Continuity,
4. Coverage,
5. Complexity,
6. Competency,
7. Communication,
8. Convenience,
9. Consistency.

Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft.

Now before we go into the 9 Cs, it’s important to understand that the 9 Cs represent three equal groups of three.  Be sure to look at the show notes which will link to our CISO Tradecraft website that shows a 9-box picture which should make this easier to understand.  But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder.  Each stakeholder is going to be concerned with different things, and by identifying three important priorities for each, we have our grid.  Make sense?  Okay, let's dig in.

• The first row in our grid is the focus of Executive Leaders. First, this group of executives such as the CEO, CIO, and CISO ensure that the IT controls and objectives are working as desired.  Next, these executives want attestations and audits to ensure that compliance is being achieved and the organization is not just paying lip service to those requirements.  Thirdly, they also want business continuity.  IT systems must be constantly available despite attacks from ransomware, hardware failures, and power outages.
• The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators.  First, they need to ensure they understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software.  Next, developers should be concerned with how Complexity in their environment can reduce security, as these tend to work at cross-purposes.  Lastly, developers care about Competency of their teams to build software correctly; that competency is a key predictor of the end quality of what is ultimately produced.
• The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information System Officers commonly known as BISOs.  They need to provide clear communication that informs others what they need to do, they need processes and tools that enable convenience so as to reduce friction.  Finally, they need to be consistent.  No one wants a fire department that only shows up 25% of the time.

So now that we have a high-level overview of the 9 C’s let’s start going into detail on each one of them.  We'll start with the focus of executive leaders.  Again, that is controls, compliance, and continuity.

1. Controls- According to James Hall's book on Accounting Information Systems[i], General Computer Controls are "specific activities performed by persons or systems designed to ensure that business objectives are met." Three common control frameworks that we see inside of organizations today are COBIT, COSO, and ITIL.

1. COBIT®, which stands for The Control Objectives for Information Technology was built by the IT Governance Institute and the Information Systems Audit and Controls Organization, better known as ISACA®.  COBIT® is primarily focused on IT compliance, audit issues, and IT service, which should not be a surprise given its roots from ISACA® which is an Audit and Controls organization.  Overall, COBIT® 2019, the latest version, is based on the following six principles[ii] (note that the prior version, COBIT® 5[iii], had five):
1. Provide stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Governance distinct from management
5. Tailored to enterprise needs
6. End-to-end governance system
2. COSO  stands for The Committee of Sponsoring Organizations of the Treadway Commission.  Their latest version is the 2017 Enterprise Risk Management - Integrated Framework, which is designed to address "enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.[iv]"  COSO states that internal controls are a PROCESS, effected by leadership, to provide reasonable assurance with respect to effectiveness, reliability, and compliance[v].  The framework consists of five interrelated principles[vi]:
1. Governance and culture
2. Strategy and objective-setting
3. Performance
4. Review and revision, and
5. Information, communication, and reporting

To support these principles, COSO defines internal controls as consisting of five interrelated components:

1. 1. 1. Control environments,
      2. Risk Assessments,
      3. Control Activities,
      4. Information and Communication, and
      5. Monitoring Activities.
   2. The third framework is ITIL®, which stands for Information Technology Infrastructure Library. First published in 1989 (the latest update is 2019/2020), ITIL® is managed and maintained by AXELOS, a joint venture between the Government of the United Kingdom and PeopleCert, which acquired AXELOS in 2021. According to their website[vii],
      "ITIL 4 is an adaptable framework for managing services within the digital era.  Through our best practice modules, ITIL 4 helps to optimize digital technologies to co-create value with consumers, drive business strategy, and embrace digital transformation." (Talk about buzzword compliance). 
      ITIL® 4 focuses on process and service management through service strategy, service design, service transition, service operation, and continual service improvement.  What is interesting is that there is no third-party assessment of ITIL® compliance in an organization, only individual certification.

      At the end of the day an organization needs to pick one of these popular control frameworks and show controls are being followed.  This isn’t just a best practice; it’s also required by Sarbanes Oxley.  SOX has two sections that require control attestations that impact cyber.  Section 302 requires corporate management, executives, and financial officers to perform quarterly assessments which:

      1. Evaluate the effectiveness of disclosure controls,
      2. Evaluate changes in internal controls over financial reporting,
      3. Disclose all known control deficiencies and weaknesses, and
      4. Disclose acts of fraud.

      Since financial services run on IT applications, cybersecurity is generally in scope for showing weaknesses and deficiencies.  SOX Section 404 requires an annual assessment by both management and independent auditors.  This requires organizations to:

      1. Evaluate design and operating effectiveness of internal controls over financial reporting,
      2. Disclose all known controls and significant deficiencies, and
      3. disclose acts of fraud.
      4. Once we understand the requirements for controls, we need to be Compliant. Compliance is the second C we are discussing today.  Remember the CFO and CEO need to produce annual and quarterly reports to regulators such as the SEC.  So, if you as a CISO can help them obtain a clean bill of health or fix previous audit findings, you help the business.

      A useful tool to consult in terms of compliance is a concept from the Institute of Internal Auditors known as the three lines model or three lines of defense[viii].  This model has as a foundation six principles:

      1. Governance
      2. Governing body roles
      3. Management and first- and second-line roles
      4. Third line roles
      5. Third line independence, and
      6. Creating and protecting value

      The first line of defense is the business and process owners who maintain internal controls.  You can think of a software developer who should write secure software because there is an IT Control that says so.  That developer is expected to run application security scans and vulnerability scans to find bugs in their code.  They are also expected to fix these issues before releasing to production. 

      The second line of defense are elements of an organization that focus on risk management and compliance.  Your cyber team is a perfect example of this.  If the developer doesn’t fix the application vulnerabilities before sending code to production, then the company is at risk.  Cyber teams generally track and report vulnerability findings to the business units to ensure better compliance with IT controls.

      Finally, the third line of defense is internal audit.  Internal audit might assess an IT control on secure software development and say we have an issue.  The developers push out bad code with vulnerabilities.  Cyber tells the developers to fix, yet we are observing trends that the total vulnerabilities are only increasing.  This systemic risk is problematic, and we recommend management comply with the IT controls by making immediate fixes to this risky situation.

      Now, other than the observation that the ultimate line of defense (internal auditors) is defined by the Institute of Internal Auditors (no conflict of interest there), note that internal auditors can report directly to the board.  Developers and CISOs typically cannot.  One of the most powerful weapons in an auditor's toolbox is the "finding."  The U.S. Code defines what represents a finding[ix] in the context of federal awards, to include:

      • Significant deficiencies and material weaknesses in internal control and significant instances of abuse
      • Material noncompliance with the provisions of Federal statutes or regulations
      • Known questioned costs, specifically identified by the auditor, greater than $25,000 for a type of compliance requirement

      Internal auditors have both a mandate from and access to the board to ensure that the organization meets compliance requirements.  So, if you've been unsuccessful in getting funding for what you consider a critical security asset, maybe, just maybe, you casually point that out to the auditors so that it ends up in a finding.  After all, findings get funded.  Don't get caught, though, or you'll have some explaining to do to your boss who previously turned you down.

      3. Management cares a lot about Continuity. Remember, if the business is down, then it’s not making money, and it's probably losing money by the hour.  If the business isn’t making money, then they can’t pay for the cyber department.  So, among your goals as a cyber executive is to ensure the continuity of revenue-generation services.  To start, you must identify what those activities are and find ways to protect the services by reducing the likelihood of vulnerabilities found in those systems.  You also need to ensure regular backup activities are occurring, disaster recovery exercises are performed, Business Continuity Plans are tested, and tabletops are executed.  Each of these activities has the potential to identify gaps which cause harm to the continuity that executives care about.

      How do you identify revenue-generating elements of the business?  Ask.  But do your homework first.  If you're a publicly traded company, the annual report will often break out lines of business showing profit and loss for each.  Even if it's losing money today, it still may be vital to the organization.  Think, ahem, about your department -- you're probably not making a profit for the company in the security suite, but your services are definitely important.  Look at the IT systems that support each line of business and assess their criticality to the success of that business component.  In today's digitized workplace, the answer will almost always be "yes," but since you don't have unlimited resources, you need to rack and stack what has to be protected first.  A Business Impact Analysis, or BIA, involves meeting with key executives throughout the organization, assessing the importance and value of IT-supported business processes, ranking them in the order in which they need to be assured, and then acting on that knowledge.  [I thought we had done an episode on BIA, but I checked back and couldn’t find one.  So, expect to learn more about that in a future episode.]

      Backups and disaster recovery exercises are a must in today's world of ransomware and surprise risks, but make sure that you're not just hand-waving and assuming that what you think is working really is working.  Do what I call "core sampling" -- get with your team and dig way down until you reach some individual file from a particular date or can observe all logs collected for some arbitrary 5-minute period.  It's not that that information is critical in and of itself, but your team's ability to get to that information quickly and accurately should increase your confidence that they could do the same thing when a true outage occurs.

      Lastly, tabletop exercises are a great way to ensure that your team (as well as others from around the organization, up to and including senior leadership) know what to do when certain circumstances occur.  The advantage of tabletops is that they don't require much time and effort from the participants to go through emergency response procedures.  The disadvantage of tabletops is that you risk groupthink when everyone thinks someone else took care of that "assumed" item.  Companies have been caught flat-footed when the emergency diesel generator doesn't kick in because no one in the tabletop tests ever thought to check it for fuel, and the tank was empty.  Things change, and there's nothing like a full-scale test where people have to physically go to or do the things they would in a true emergency.  That's a reason why kids in school don't discuss what to do in a fire drill, they actually do what needs to be done -- get out of the building.  Be careful here you don't have a paper tiger for a continuity plan -- it's too late when things start to come apart to realize you hadn't truly done your homework.

      Those are the three Cs for executives -- controls, compliance, and continuity.  Now let's move on to developers.

      If you remember, the three Cs for developers are coverage, complexity, and competency.

      4. Developers need to care about Coverage. When we talk about coverage, we want to ensure that we know everything that is in our environment.  That includes having a complete and up-to-date asset inventory, knowing our processes are free from security oversight, as well as ensuring that our security controls are deployed across all of our potential attack surfaces.  "We've got your covered" is usually considered reassuring -- it's a statement that someone has thought of what needs to be protected.

      Specifically, our technical team members are the only ones who can generally tell if the IT asset inventory is correct.  They are the ones who run the tools, update the agents (assuming we're not agentless), and push the reporting.  If the scanning tools we use are missing hardware or software, then those gaps represent potential landing zones for enemy forces.  The Center for Internet Security's Critical Controls start with these two imperatives.  Essentially, if you don't know what you have, how can you secure it?

      Knowing our processes is key.  For developers today, it's much more likely that they're using a DevOps continuous integration / continuous delivery, or CI/CD process, rather than the classic waterfall methodology.  Agile is often an important part of what we do, and that continuous feedback loop between developer and customer helps to ensure that we cover requirements correctly (while being careful to avoid scope creep.)  Throughout our development cycle, there are numerous places where security belongs -- the art we call DevSecOps.  By putting all of our security processes into version control -- essentially automating the work and moving away from paper-based processes, we create a toolchain that automates our security functionality from pre-commit to commit to acceptance to production to operations.  Doing this right ensures that security in our development environment is covered.

      Beyond just the development pipeline, we need to cover our production environment.  Now that we've identified all hardware and software and secured our development pipeline, we need to ensure that our security tools are deployed effectively throughout the enterprise to provide protective coverage.  We may know how many servers we have, but if we don't scan continuously to ensure that the defenses are running and up to date, we are effectively outsourcing that work to bad actors, who fundamentally charge higher billing rates than developers when they take down critical systems via ransomware.

      5. In his book Data and Goliath, Bruce Schnier wrote, "Complexity is the worst enemy of security, and our systems are getting more complex all the time.[x]" Complexity is inversely correlated to security. If there are two hundred settings that you need to configure properly to make containers secure, that’s a big deal.  It becomes a bigger deal when the team only understands how to apply 150 of those settings.  Essentially, your company is left with fifty opportunities for misconfiguration to be abused by bad actors.  Therefore, when possible, focus your understanding on how to minimize complexity.  For example, instead of running your own containers on premises with Kubernetes, try using Amazon Elastic Container Services.  There’s a significant amount of configuration complexity decrease.  In addition, using cloud-based services give us a lot of capabilities -- elastic scaling, load balancers, multiple regions and availability zones, and even resistance to DDoS attacks.  That’s a lot of overhead to ensure in a high-availability application running on servers in your data center.  Consider using AWS lambda where all of that is already handled as a service for our company.  Remember that complexity makes security more difficult and generally increases the costs of maintenance.  So only increase complexity when the business benefit exceeds the costs.

      From a business connectivity perspective, consider the complexity of relationships.  Many years ago, data centers were self-contained with 3270 green screens (or punched card readers if you go back far enough) as input and fan-fold line printer generated paper as output.  Essentially, the only connection that mattered was reliable electrical power.

      Today, we have to be aware of what's going on in our industry, our customers, our suppliers, consumers, service providers, and if we have them, joint ventures or partners.[xi]  This complex web of competing demands stretches our existing strategies, and sometimes rends holes in our coverage.  I would add to that awareness, complexity in our workforce.  How did COVID-19 affect your coverage of endpoints, for example?  Most work-from-home arrangements lost the benefit of the protection of the enterprise security bubble, with firewalls, scanners, and closely-manage endpoints.  Just issuing a VPN credential to a developer working from home doesn't do much when junior sits down at mom's computer to play some online game and downloads who-knows-what.  Consider standardizing your endpoints for manageability -- remove the complexity.  When I was in the Navy, we had exactly two endpoint configurations from which to choose, even though the Navy-Marine Corps Intranet, or NMCI, was the largest intranet in the world at the time.  Although frustrating when you have to explain to the admiral why his staff can't get fancier computers, the offsetting benefit is that when an emergency patch has to get pushed, you know it's going to "take" everywhere.

      6. Number six is Competency -- another crucial skill for developers. If your organization doesn’t have competent developers, then more vulnerabilities are going to emerge.  So how do most other industries show competencies?  They use a licensure and certification process.  For example, teenagers in the United States must obtain a driver’s license before they are legally approved to drive on their own.  Nearly all of us have been through the process -- get a manual when you get a learner's permit, go to a driving school to learn the basics, practice with your terrified parents, and after you reach the minimum age, try not to terrify the DMV employee in the passenger seat.  In the UK, the Driver and Vehicle Standards Agency recommends a minimum of 47 hours of lessons before taking the driving test, which still has only a 52% pass rate on the first attempt[xii].

      Now ask yourself, is developing and deploying apps riskier than driving a car?  If so, consider creating a Developer Driver’s License exam that identifies when developers are competent before your company gives them the SSH keys to your servers.  Before your new developer sits for the exam you also need to provide the training that identifies the Rules of the Road.  For example, ask:

      When a new application is purchased, what processes should be followed?

      When are third party vendor assessments needed? 

      How does one document applications into asset inventory systems and Configuration Management Databases?

      If you can build the Driver’s Education Training equivalent for developer and measure competency via an exam, you can reduce the risk that comes from bad development and create a sense of accomplishment among your team.

      So, to summarize so far, for executives we have controls, compliance, and continuity, and for developers we have coverage, complexity, and competency.  It's now time to move to the last three for our security operations center:  clarity, context, and community.

      7. The seventh C is Communication. Let’s learn from a couple quotes on effective communication.
      1. Peter Drucker said, “The most important thing in communication is hearing what isn’t said.”  When you share an idea do you look at the person you are informing to see if they understand the idea?  What body language are you seeing?  Are they bored and not facing you, are they engaged and leaning in and paying close attention, or are they closed off with arms crossed?  We've probably all heard the term "active listening."  If you want to ensure the other party understands what you're saying (or if you're trying to show them you understand what they are saying), ask the listener to repeat back in their own words what the speaker has just said.  You'd be amazed how few people are needed to play the game of "telegraph" and distort a message to the point it is no longer recognizable.
      2. George Bernard Shaw said, “The single biggest problem in communication is the illusion that it has taken place.”  When you present a technical topic on a new risk to executives, ask questions to ensure they understand what you just shared.  If you don't do so, how do you know when you might be overwhelming them with information that goes right over their heads.  There's always the danger that someone will not want to look stupid and will just nod along like a bobblehead pretending to understand something about which they have absolutely no clue.  Richard Feynman had said, "If you can't explain it to a six-year-old, you don't understand it yourself."  Well, let me offer G Mark's corollary to that quote:  "If you can't explain it to a six-year-old, you can't explain it to your board."  And sometimes the big boss.  And sometimes your manager.  And sometimes your co-worker.  Ask for feedback; make sure the message is understood.
      3. Earl Wilson said, “Science may never come up with a better office communication system than the coffee break.”  When you want to launch a really important initiative that needs group buy-in, did you first have one-on-ones to solicit feedback?  Did you have an ear at the water cooler to understand when people say yes but really mean no?  Do you know how to connect with people so you can ask for a favor when you really don’t have the resources necessary to make something happen?  Unless you are in the military, you can't issue lawful orders to your subordinates and demand that they carry them out.  You have to structure your communication in such a way that expectations are made clear, but also have to allow for some push-back, depending on the maturity of the relationship you've developed with your team. 

      [War story:  Just this past week, Apple upgraded to iOS 16.  We use iPhones exclusively as corporate-issued handsets, so I sent a single sentence message to my senior IT team member:  "Please prepare and send an email to all who have an iPhone with steps on how to update the OS soonest.  Thank you."  To me, that seemed like clear communication.  The next day I get a response, "People are slowly updating to 16.0 on their own and as the phone prompts them."  After a second request where I point out "slowly" has not been our strategy for responding to exploitable security vulnerabilities, I get a long explanation of how Apple upgrades work, how he's never been questioned in his long career -- essentially the person spent five times as much time explaining why he will NOT do the task rather than just doing it.  And today 80% of the devices are still not updated.  At times like this I'm reminded of Strother Martin in Cool Hand Luke:  "What we have here is failure to communicate."  So, my lesson for everyone is even though you think your communications are crystal clear, they may not be perceived as such.]

      1. Our last quote is from Walt Disney who said, “Of all our inventions for mass communication, pictures still speak the most universally understood language.”  If you believe that pictures are more effective than words, think about how you can create the best pictures in your emails and slide decks to communicate effectively.  I remember a British officer who had visited the Pentagon years ago who commented, "PowerPoint is the language of the US military."  I think he's right, at least in that context.  Ask yourself, are pictures part of your language?
      8. Convenience is our eighth C that we are going to talk about. How do we make something convenient?  We do it by automating the routine and removing the time wasters.  In terms of a SOC, we see technology in this space emerging with the use of Security Orchestration, Automation, and Response, or SOAR technologies.  Convenience can come in a lot of ways.  Have we created helpful playbooks that identify a process to follow?  If so, we can save time during a crisis when we don’t have a minute to spare.  Have we created simple processes that work via forms versus emails?  It’s a lot easier to track how many forms have been submitted and filter on field data versus aggregating unstructured emails.  One thing you might consider as a way to improve convenience are Chatbots.  What if someone could ask a Chatbot a Frequently Asked Question and get a quick, automated, and accurate response?  That convenience helps people, and it saves the SOC time.  If you go that route, as new questions get asked, do you have a way to rank them by frequency and add them as new logic to the chatbot?  If you do, your chatbot gets more useful and provides even greater convenience to the workforce.  How great would it be to hear your colleagues saying it was so convenient to report an incident and see that it was handled in such a timely manner.  Find ways to build that experience and you will become the partner the business wants.
      9. Last, but not least, is the 9th C of Consistency. Want to know how to create an audit finding?  Try not being consistent.  Auditors hate that and love to point out inconsistencies in systems.  I’m sure there are auditors right now listening to this podcast smiling with joy saying, "yup, that’s me."  Want to know how to pass every audit standard?  Try passing the CARE Standard for cyber security.  CARE is a Gartner acronym that means Consistent, Adequate, Reasonable and Effective.  Auditors look at the Consistency of controls by performing tests to determine if the control is working the same way over time across the organization.  Auditors also look for Adequacy to determine if you have satisfactory controls in line with business needs.  Auditors ensure that your practices are Reasonable by identifying if there exist appropriate, fair, and moderate controls.  Finally, auditors look at Effectiveness to ensure the controls are producing the desired or intended outcomes.  So, in a nutshell, show Auditors that you CARE about cyber security.

      Okay, let's review.  Our nine Cs are for executives, developers, and SOC teams.  Executives should master controls, compliance, and continuity; developers should master coverage, complexity, and competency; and SOC teams should focus on clarity, communications, and consistency.  If you paid careful attention, I think you would find lessons for security leaders in all nine boxes across the model.  Essentially, don't conclude because boxes four through nine are not for executives that you don't need to master them -- all of this is important to being successful in your security leadership career.

      Well thanks again for listening to the CISO Tradecraft podcast as we discussed the 9 C’s.  And for International Talk Like a Pirate Day, I do have a rrr-request:  if you like our show, please take a few seconds to rate us five stars on your favorite podcast provider.  Another CISO pointed out to me this past week that we came up first on Spotify when searching for C-I-S-O, and that's because those rankings are crowd-sourced.  It's a great way to say thank you for the time and effort we put into our show, and I thank you in advance.  This is your host G. Marrrrk Hardy, and please remember to stay safe out there as you continually practice your CISO Trrrradecraft.

      References

      • https://www.vectra.ai/blogpost/the-9-cs-of-cybersecurity-value
      • https://en.wikipedia.org/wiki/Information_technology_controls
      • https://www.isaca.org/resources/cobit
      • https://www.apexgloballearning.com/cobit-vs-itil-governance-framework-company-choose-infographic/
      • https://www.slideshare.net/alfid/it-control-objectives-framework-a-relationship-between-coso-cobit-and-itil
      • https://internalaudit.olemiss.edu/the-three-lines-of-defense/
      • https://www.linkedin.com/pulse/15-quotes-effective-communication-jim-dent-lssbb-dtm/

      https://www.gartner.com/en/articles/4-metrics-that-prove-your-cybersecurity-program-works?utm_medium=socialandutm_source=facebookandutm_campaign=SM_GB_YOY_GTR_SOC_SF1_SM-SWGandutm_content=andsf249612431=1andfbclid=IwAR1dnx-9BqaO8ahzs1HHcO2KAVWzYmY6FH-PmNoh1P4r0689unQuJ4CeQNk

       

      [i] Hall, James A. (1996).  Accounting Information Systems.  Cengage Learning, 754

      [ii] https://www.isaca.org/resources/news-and-trends/industry-news/2020/cobit-2019-and-cobit-5-comparison

      [iii] https://www.itgovernance.co.uk/cobit

      [iv] https://www.coso.org/SitePages/Enterprise-Risk-Management-Integrating-with-Strategy-and-Performance-2017.aspx

      [v] https://www.marquette.edu/riskunit/internalaudit/coso_model.shtml

      [vi] https://www.coso.org/Shared%20Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf

      [vii] https://www.axelos.com/certifications/itil-service-management/what-is-itil

      [viii] https://www.theiia.org/globalassets/site/about-us/advocacy/three-lines-model-updated.pdf

      [ix] https://www.law.cornell.edu/cfr/text/2/200.516

      [x] https://www.goodreads.com/quotes/7441842-complexity-is-the-worst-enemy-of-security-and-our-systems

      [xi] https://www.pwc.com/gx/en/issues/reinventing-the-future/take-on-tomorrow/simplifying-cybersecurity.html

      [xii] https://www.moneyshake.com/shaking-news/car-how-tos/how-to-pass-your-uk-driving-test

Special Thanks to our podcast Sponsor, Varonis.  Please check out Varonis's Webpage to learn more about their custom data security solutions and ransomware protection software. 

On this episode Brian Vecci (Field CTO of Varonis) stops by CISO Tradecraft to discuss all things Data Security.  He highlights the top 3 things every CISO needs to balance with regards to data security (Productivity, Convenience, and Security).  He also discusses the most important security questions we need to understand:

• What is Data Security and how does it fit into Data Protection?
• How do we understand where our company’s data resides?
• How do we know if our data is exposed?
• How do we reduce the risk of data exposure without harming the business?

Enjoy the show and please share it with others.  Also don't forget to follow the LinkedIn CISO Tradecraft Page to get more great content.

Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to try to balance the impossible equation of better, faster, and cheaper.  As always, please follow us on LinkedIn, and subscribe if you have not already done so.

Shigeo Shingo, who lived from 1909-1990, helped to improve efficiency at Toyota by teaching thousands of engineers the Toyota Production System, and even influenced the creation of Kaizen.  He wrote, "There are four purposes for improvement: easier, better, faster, cheaper. These four goals appear in order of priority."

Satya Nadella, the CEO of Microsoft, stated that, “Every company is a software company.  You have to start thinking and operating like a digital company.  It’s no longer just about procuring one solution and deploying one solution… It’s really you yourself thinking of your own future as a digital company, building out what we refer to as systems of intelligence.”

The first time I heard this I didn’t really fully understand it.  But after reflection it makes a ton of sense.  For example, let’s say your company couldn’t send email.  How much would that hurt the business?  What if your company couldn’t use Salesforce to look up customer information?  How might that impact future sales?  What if your core financial systems had database integrity issues?  Any of these examples would greatly impact most businesses.  So, getting high-quality software applications that enable the business is a huge win.

If every company is a software or digital company, then the CISO has a rare opportunity.  That is, we can create one of the largest competitive advantages for our businesses.

What if we could create an organization that builds software cheaper, faster, and better than all of our competitors?

Sounds good right?  That is the focus of today’s show, and we are going to teach you how to excel in creating a world class organization through a focused program in Secure Software Development.  Now if you like the sound of better, faster, cheaper, as most executives do, you might be thinking, where can I buy that?  Let's start at the back and work our way forward.

• We can make our software development costs cheaper by increasing productivity from developers.
• We can make our software development practices faster by increasing convenience and reducing waste.
• We can make our software better by increasing security.

Let’s first look at increasing productivity.  To increase productivity, we need to under    stand the Resistance Pyramid.  If you know how to change people and the culture within an organization, then you can significantly increase your productivity.  However, people and culture are difficult to change, and different people require different management approaches.

• At the bottom of the pyramid are people who are unknowing.  These individuals Don’t know what to do.  You can think of the interns in your company.  They just got to your company, but don't understand what practices and processes to follow.  If you want to change the interns, then you need to communicate what is best practice and what is expected from their performance.  Utilize an inquiry approach to decrease fear of not knowing, for example, "do you know to whom I should speak about such-and-such?" or "do you know how we do such-and-such here?"  An answer of "no" allows you to inform them of the missing knowledge in a conversational rather than a directional manner.
• The middle part of the pyramid is people who believe they are unable to adapt to change.  These are individuals that don’t know how to do the task at hand.  Here, communications are important, but also skills training.  Compare your team members here to an unskilled labor force -- they're willing to work but need an education to move forward.  If you give them that, then the unskilled can become skilled. However, if you never invest in them, then you will not increase your company’s productivity and lowers your costs.
• At the Top of the resistance pyramid are the people who are unwilling.  These individuals Don’t Want to Change.  We might call these folks the curmudgeons that say we tried it before, and it doesn’t work.  Or I’m too old to learn that.  If you want to change these individuals and the culture of an organization, then you need to create motivation.

As leaders, our focus to stimulate change will be to focus on communicating, educating, and motivating.  The first thing that we need to communicate is the Why.  Why is Secure Software Development important?  The answer is money.  There are a variety of studies that have found that when software vulnerabilities get detected in the early development processes, they are cheaper than later in the production phases.  Research from the Ponemon Institute in 2017 found that the average cost to address a defect in the development phase was $80, in the build phase was $240, in the QA/Test Phase was $960, and in the Production phase was $7,600.  Think of that difference.  $80 is about 1% of $7,600.  So if a developer finds bugs in the development code then they don’t just save their time, they save the time of second developer who doesn’t have to do a failed code review, they save the time of an infrastructure engineer who has to put the failed code on a server, they save the time of another tester who has to create regression tests which fail, they save the time of a wasted change approval board on a failed release, and they save the customer representatives time who will respond to customers when the software is detected as having issues.  As you see there’s a lot of time to be saved by increasing productivity, as well as a 99% cost savings for what has to be done anyway.  Saving their own time is something that will directly appeal to every development team member.

To do this we need to do something called Shift Left Testing.  The term shift left refers to finding vulnerabilities earlier in development.  To properly shift left we need to create two secure software development programs.

• The first program needs to focus on is the processes that an organization needs to follow to build software the right way.  This is something you have to build in house.  For example, think about how you want software to create a network diagram that architects can look at in your organization.  Think about the proper way to register an application into a Configuration Management Database so that there is a POC who can answer questions when an application is down.  Think about how a developer needs to get a DNS entry created for new websites.  Think about how someone needs to get a website into the various security scanning tools that your organization requires (SAST, DAST, Vuln Management, Container Scanning, etc.)  Think about how developers should retire servers at the end of life.  These practices are unique to your company.  They may require a help desk ticket to make something happen or if you don't have a ticketing system, an email.  We need to document all of these into one place where they can be communicated to the staff members who will be following the processes.  Then our employee has a checklist of activities they can follow.  Remember if it’s not in the checklist, then it won’t get done.  If it doesn’t get done, then bad security outcomes are more likely happen.  So, work with your architects and security gurus to document all of the required practices for Secure Software Development in your company.  You can place this knowledge into a Wikipedia article, a SharePoint site, a Confluence Page, or some kind of website.  Make sure to communicate this frequently.  For example, have the CIO or CISO share it at the IT All Hands meeting.  Send it out in monthly newsletters.  Refer to it in security discussions and architecture review boards.  The more it’s communicated the more unknowing employees will hear about it and change their behavior.
• The second program that you should consider building is a secure code training platform.  You can think of things such as Secure Code Warrior, HackEDU (now known as Security Journey), or Checkmarx Code Bashing.  These secure code training solutions are usually bought by organizations instead of being created in-house.  They teach developers how to write more secure code.  For example, "How do I write JavaScript code that validates user input, sanitizes database queries, and avoids risky program calls that could create vulnerabilities in an application?"  If developers gain an education in secure programming, then they are less likely to introduce vulnerabilities into their code.  Make these types of training programs available to every developer in your company.
• Lastly, we need to find a way to motivate the curmudgeons.  One way to do that is the following:
  • Let’s say you pick one secure coding platform and create an initial launch.  The first two hundred people in the organization that pass the secure developer training get a one-time bonus of $200.  This perk might get a lot of people interested in the platform.  You might even get 10-20% of your organization taking the training in the first quarter of the program.  The second quarter your organization announces that during performance reviews anyone who passed the secure software training will be viewed more favorable than their peers.  Guess what?  You will see more and more people taking the training class.  Perhaps you see that 50% of your developer population becomes certified.  Then the following year you say since so many developers are now certified, to achieve the rank of Senior Developer within the organization, it is now expected to pass this training.  It becomes something HR folks look for during promotion panels.  This gradual approach to move the ball in training can work and has been proven to increase the secure developer knowledgebase.
  • Here's a pro tip:  Be sure to create some kind of badges or digital certificates that employees can share.  You might even hand out stickers upon completion that developers can proudly place on their laptops.  Simple things like this can increase visibility.  They can also motivate people you didn't think would change.

Now that we have increased productivity from the two development programs (building software the right way and a secure code training platform), it’s time to increase convenience and reduce waste.  Do you know what developers hate?  Well, other than last-minute change requests.  They hate inefficiencies.  Imagine if you get a vulnerability that says you have a bug on line 242 in your code.  So you go to the code, and find there really isn’t a bug, it's just a false positive in the tool.  This false bug detection really, well, bugs developers.  So, when your organization picks a new SAST, DAST, or IAST tool, be sure to test the true and false positive rates of the tool.  One way to do this is to run the tools you are considering against the OWASP Benchmark.  (We have a link to the OWASP Benchmark in our show notes.)  The OWASP Benchmark allows companies to test tools against a deliberately vulnerable website with vulnerable code.  In reality, testing tools find both good code and bad code.  These results should be compared against the ground truth data to determine how many true/false positives were found.  For example, if the tool you choose has a 90% True Positive Rate and a 90% False Positive Rate then that means the tool pretty much reports everything is vulnerable.  This means valuable developer time is wasted and they will hate the tool despite its value.  If the tool has a 50% True Positive Rate and a 50% False positive rate, then the tool is essentially reporting randomly.  Once again, this results in lost developer confidence in the tool.  You really want tools that have high True Positive Rates and low False Positive Rates.  Optimize accordingly.

Another developer inefficiency is the amount of tools developers need to leverage.  If a developer has to log into multiple tools such as Checkmarx for SAST findings, Qualys for Vulnerability Management findings, Web Inspect for DAST findings, Prisma for Container Findings, Truffle Hog for Secrets scanning, it becomes a burden.  If ten systems require two minutes of logging in and setup each that's twenty minutes of unproductive time.  Multiply that time the number of developers in your organization and you can see just how much time is lost by your team just to get setup to perform security checks.  Let's provide convenience and make development faster.  We can do that by centralizing the security scanning results into one tool.  We recommend putting all the security findings into a Source Code Repository such as GitHub  or GitLab.  This allows a developer to log into GitHub every day and see code scanning vulnerabilities, dependency vulnerabilities, and secret findings in one place.  This means that they are more likely to make those fixes since they actually see them.  You can provide this type of view to developers by buying tools such as GitHub Advanced Security.  Now this won’t provide all of your security tools in one place by itself.  You still might need to show container or cloud findings which are not in GitHub Advanced Security.  But this is where you can leverage your Source Code Repository’s native CI/CD tooling.  GitHub has Actions and GitLab has Runners.  With this CI/CD function developers don’t need to go to Jenkins and other security tools.  They can use a GitHub Actions to integrate Container and Cloud findings from a tool like Prisma.  This means that developers have even fewer tools from CI/CD perspectives as well less logging into security tools.  Therefore, convenience improves.  Now look at it from a longer perspective.  If we get all of our developers integrating with these tools in one place, then we can look in our GitHub repositories to determine what vulnerabilities a new software release will introduce.  This could be reviewed at Change Approval Board.  You could also fast track developer who are coding securely.  If a developer has zero findings observed in GitHub, then that code can be auto approved for the Change Approval.  However, if you have high/critical findings then you need manager approvals first.  These approvals can be codified using GitHub code scanning, which has subsumed the tool Looks Good To Me (LGTM), which stopped accepting new user sign-ups last week (31 August 2022).  This process can be streamlined into DevSecOps pipelines that improve speed and convenience when folks can skip change approval meetings.

Another key way we can make software faster is by performing value stream mapping exercises.  Here’s an example of how that reduces waste.  Let’s say from the time Nessus finds a vulnerability there’s actually fifteen steps that need to occur within an organization to fix the vulnerability.  For example, the vulnerability needs to be assigned to the right team, the team needs to look at the vulnerability to confirm it’s a legitimate finding, a patch needs to be available, a patch needs to be tested, a change window needs to be available, etc.  Each of these fifteen steps take time and often require different handoffs between teams.  These activities often mean that things sit in queues.  This can result in waste and inefficiencies.  Have your team meet with the various stakeholders and identify two time durations.  One is the best-case time for how long something should go through in an optimal process.  The second is the average time it takes things to go through in the current process.  At the end of it you might see that the optimal case is that it takes twenty days to complete the fifteen activities whereas the average case takes ninety days.  This insight can show you where you are inefficient.  You can identify ways to speed up from ninety to twenty days.  If you can do this faster, then developer time is gained.  Now, developers don’t have to wait for things to happen.  Making it convenient and less wasteful through value stream mapping exercises allows your teams to deploy faster, patch faster, and perform faster.

OK last but not least is making software better by increasing security.   At the end of the day, there are many software activities that we do which provide zero value to the business.  For example, patching operating systems on servers does not increase sales.  What makes the sales team sell more products?  The answer is more features on a website such as product recommendations, more analysis of the data to better target consumers, and more recommendations from the reporting to identify better widgets to sell.  Now, I know you are thinking, did CISO Tradecraft just say to not patch your operating systems?  No, we did not.  We are saying patching operating systems is not a value-add exercise.  Here’s what we do recommend.  Ask every development team to identify what ike patching.  Systems that have a plethora of maintenance activities are wasteful and should be shortlisted for replacement.  You know the ones: solutions still running via on-premises VMWare software, software needing monthly java patching, and software if the wind blows the wrong way you have an unknown error.  These systems are ripe for replacement.  It can also be a compelling sell to executives.  For example, imagine going to the CIO and CEO of Acme corporation.  You highlight the Acme app is run by a staff of ten developers which fully loaded cost us about $250K each.  Therefore, developing, debugging, and maintaining that app costs our organization roughly $2,500,000 in developer time alone plus hosting fees.  You have analyzed this application and found that roughly 80% of the time, or $2,000,000, is spent on maintenance activities such as patching. You believe if the team were to rewrite the application in a modern programming language using a serverless technology approach the team could lower maintenance activities from 80% to 30%.  This means that the maintenance costs would decrease from $2 million to $750K each year.  Therefore, you can build a financial case that leadership fund a $1.25 million initiative to rewrite the application in a more supportable language and environment, which will pay for itself at the end of the second year.  No, I didn't get my math wrong -- don't forget that you're still paying the old costs while developing the new system.)

Now if you just did a lift and shift to AWS and ran the servers on EC-2 or ECS, then you still have to patch the instance operating systems, middle ware, and software -- all of which is a non-value add.  This means that you won’t reduce the maintenance activities from 80% to 30%.  Don't waste developer time on these expensive transition activities; you're not going to come out ahead.  Now let’s instead look at how to make that maintenance go away by switching to a serverless approach.  Imagine if the organization rewrote the VMware application to run on either:

• A third party hosted SaaS platform such as Salesforce or Office 365

or

• A serverless AWS application consisting of Amazon S3 buckets to handle front-end code, an Amazon API Gateway to make REST API calls to endpoints, AWS Lambda to run code to retrieve information from a Database, and Dynamo DB to store data by the application

This new software shift to a serverless architecture means you no longer have to worry about patching operating systems or middleware.  It also means developers don’t spend time fixing misconfigurations and vulnerabilities at the operating system or middleware level.  This means you made the software more secure and gave the developers more time to write new software features which can impact the business profitability.  This serverless approach truly is better and more secure.  There’s a great story from Capital One you can look up in our show notes that discusses how they moved from EC-2 Servers to Lambda for their Credit Offers Application Interface.  The executive summary states that the switch to serverless resulted in 70% performance gains, 90% cost savings, and increased team velocity by 30% since time was not spent patching, fixing, and taking care of servers.  Capital One uses this newfound developer time to innovate, create, and expand on business requirements.  So, if you want to make cheaper, faster, and better software, then focus on reducing maintenance activities that don’t add value to the business.

Let's recap.  World class CISOs create a world class software development organization.  They do this by focusing on cheaper, faster, and better software. To perform this function CISOs increase productivity from developers by creating documentation that teaches developers how to build software the right way as well as creating a training program that promotes secure coding practices.  World Class CISOs increase the convenience to developers by bringing high-confidence vulnerability lists to developers which means time savings in not weeding out false positives.  Developers live in Source Code Repositories such as GitHub or GitLab, not the ten different software security tools that security organizations police.  World Class CISOs remove waste by performing value stream exercises to lean out processes and make it easier for developers to be more efficient.  Finally, World Class CISOs make software better by changing the legacy architecture with expensive maintenance activities to something that is a winnable game.  These CISOs partner with the business to focus on finding systems that when re-architected to become serverless increase performance gains, promote cost savings, and increase developer velocity.

We appreciate your time listening to today’s episode.  If this sparks a new idea in your head. please write it down, share it on LinkedIn and tag CISO Tradecraft in the comment.  We would love to see how you are taking these cyber lessons into your organization to make better software for all of us.

Thanks again for listening to CISO Tradecraft.  This is G. Mark Hardy, and until next time, stay safe out there.

References

• https://www.sixsigmadaily.com/who-was-shigeo-shingo-and-why-is-he-important-to-process-improvement/

• https://news.microsoft.com/speeches/satya-nadella-and-chris-capossela-envision-2016/ 

• Galpin, T.J. (1996).  The Human Side of Change: A Practical Guide to Organization Redesign.  Jossey-Bass 

• https://www.businesscoaching.co.uk/news/blog/how-to-break-down-barriers-to-change 

• Ponemon Institute and IBM. (2017) The State of Vulnerability Management in the Cloud and On-Premises 

• https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/ 

• https://www.securecodewarrior.com/ 

• https://www.securityjourney.com/ 

• https://checkmarx.com/product/codebashing-secure-code-training/ 

• https://owasp.org/www-project-benchmark/ 

• https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security 

• https://medium.com/capital-one-tech/a-serverless-and-go-journey-credit-offers-api-74ef1f9fde7f 

How do you become a Cyber Security Expert?

Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert.  As always, please follow us on LinkedIn, and subscribe to our podcasts.

As a security leader, part of your role is to develop your people.  That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people.

Now, you may have heard the phrase, "take care of your people," but I'll take issue with that.  I take care of my dog.  I take care of a family member who is sick, injured, or incapacitated.  Why?  Because they are not capable of performing all of life's requirements on their own.  For the most part, your people can do this.  If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome.  People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them.  I am NOT going to get political here, so don't worry about that.  Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves.  In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success.

That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert?  If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having seek out a mentor.  Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!"  But most of the time, career mastery involves learning from a number of others.

Today on CISO Tradecraft we are going to analyze the question, " How do you become a Cyber Security Expert?"  I'm going to address this topic as if I were addressing someone in search of an answer.  Don't tune out early because you feel you've already accomplished this.  Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have.

Let’s start at the beginning.  Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?)  You see someone that tells you they have a cool job where they get paid to ethically hack into computers.  Later on, you meet a second person that says they make really good money stopping bad actors from breaking into banks.  Somehow these ideas stick into your brain, and you start to say to yourself, you know both of those jobs sound pretty cool.  You begin to see yourself having a career in Cyber Security.  You definitely prefer it to jobs that require a lot of manual labor and start at a low pay.  So, you start thinking, "how I can gain the skills necessary to land a dream job in cyber security that also pays well?"

At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs.  The four building blocks are:

• Getting an education
• Getting certifications
• Getting relevant job experience, and
• Building your personal brand

So, let’s explore these in detail.

Number 1:  Getting an education.  When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree.  If you were to look at most Chief Information Security Officers, you will see the majority of them earn a bachelor’s degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or more recently a related discipline such as a degree in Cyber Security.

An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school.  Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter.  Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions.  For example, Baltimore County Community College charges $122 per credit hour for in-county residents.  A couple of miles away, Johns Hopkins University charges $2,016 per credit hour.  Now, that's a HUGE difference -- over 16 times if you do the math.  Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different?  Well, that's up to you to decide.

The important take-away is, no one should decide NOT to pursue a cybersecurity education because of lack of money.  You can get started at any age on an associate degree, and that may give you enough to go on to get your first job.  However, if you want to continue on to bachelor's degree, don't give up.  Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation.

Back to those going directly for a bachelor's degree.  Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times that which you paid, for the rest of your career.  Think of financing a degree like financing a house.  In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home.  As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn well-above average incomes relative to your non-security peers, and hopefully enjoy a rewarding career.  And, like the right house, the value of your career should increase over time making your investment in your own education one of your best performing assets.

Does this mean that you 100% need a bachelor’s degree to get a job in cyber?  No, it does not.  There are plenty of cyber professionals that speak at Blackhat and DEF CON who have never obtained a college degree.  However, if ten applicants are going for an extremely competitive job and only seven of the ten applicants have a college degree in IT or Cyber, you shouldn’t be surprised when HR shortens the list of qualified applicants to only the top five applicants all having college degrees.  It may not be fair, but it’s common.  Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime.  So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree.

Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success.  After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions.  True, but that's a false argument that there's a cause-and-effect relationship there.  Both were undergraduates at Harvard University when they developed their business ideas.  So, if someone wants to assert a degree isn't necessary, counter with you'll agree once they are accepted into Harvard, and they produce a viable business plan as a teenager while attending classes.

You see, completing four years of education in a field of study proves a few things.  I've interviewed candidates that said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition.  Okay, I'll accept that that person had a more focused education.  But consider the precedent here.  When a course looked uninteresting or difficult, that candidate just passed on the opportunity.  In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done.  As a boss, do you want someone who has shown the pe  d completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough?  The business world isn't academia where you're free to pick and choose whether to complete requirements.  Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due.  

Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college?  There are a couple of ways to meet that challenge.  It’s time to talk to your rich uncle about paying for college.  That uncle is Uncle Sam.  Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security.  However, Uncle Sam will want you to work for the government in return for paying for your education.  Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS).  ROTC is an officer accession program offered at more than 1,700 colleges and universities   across the United States to prepare young adults to become officers in the U.S. Military.  For scholarship students, ROTC pays 100% of tuition, fees, books, and a modest stipend for living expenses.  A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career.

For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer.  The Navy uses designators rather than MOS's to delineate career patterns.  These designators have changed significantly over the last dozen years and may continue to evolve.  The Marine Corps has a 1702 cyberspace officer MOS.  Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army that has over 1,000 schools that participate in AROTC and the Air Force that has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities.

There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research.  Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation.  Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year.  The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves.  If you flunk out of school, you are rewarded with an enlistment rather than a commission.  These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision.

What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration?  There is another program worth investigating.  

The National Science Foundation provides educational grants through the Scholarship For Service program or SFS for short.  SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) educational degree programs.  It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security.  However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees.  Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided.

In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year.  In addition, an additional $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC.

That job fair is an interesting affair.  I was honored to be the keynote speaker at the SFS job fair back in 2008.  I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring.  SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process.  These have been virtual the last couple of years due to COVID-19 but expect in-person events to resume in the future.

I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship.  A good way to make mom and dad happy knowing they're not going to be working until 80 to pay off their kid's education bills.

In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation.  The biggest benefit to the Scholarship for Service is you can work at a variety of places.  So, if your dream is to be a nation state hacker for the NSA, CIA, or the FBI then this offers a great chance of getting in.  These three-letter agencies heavily recruit from these programs.  As I mentioned, there are a lot of other agencies as well.  You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID).  Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement.  So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career.

How would you put all this together?  I spent nine years as an advisor to the National CyberWatch Center.  Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce.  In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide.  Today, over 370 colleges and universities are in the program.  So why the history lesson?

What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university.  That is HUGE.  Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011.  Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT.  Parents, are you listening carefully?  Successfully following that advice can save $100,000 and place your child on course for success.

OK, so let’s fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science.  Is there anything else that you can do while performing a summer internship?    That brings us to our second building block.  Getting certifications.  

Number Two:  Getting a Certification 

Earning certifications are another key step to demonstrate that you have technical skills in cyber security.  Usually, technology changes rapidly.  That means that universities typically don’t provide specialized training in Windows 11, Oracle Databases, Amazon Web Services, or the latest programming language.  Thus, while you may come out of a computer science degree with knowledge on how to write C++ and JavaScript, there are a lot of skills that you often lack to be quite knowledgeable in the workforce.  Additionally, most colleges teach only the free version of software.  In class you don’t expect to learn how to deploy Antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic quadrant, yet that is exactly what you might encounter in the workplace.  So, let’s look at some certifications that can help you establish your expertise as a cyber professional.  We usually recommend entry level certifications from CompTIA as a great starting point.  CompTIA has some good certifications that can teach you the basics in technology.  For example:

• CompTIA A+ can teach you how to work an IT Help Desk. 
• CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks
• CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux Systems
• CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments.

Remember it’s really hard to protect a technology that you know nothing about so these are easy ways to get great experience in a technology.  If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guidebook, and setting a goal to read every day.  Once you have read the official study guide go and buy a set of practice exam questions from a site like Whiz Labs or Udemy.  Note this usually retails for about $10.  So far this represents a total cost of about $50 ($40 dollars to buy a book and $10 to buy practice exams.)  For that small investment, you can gain the knowledge base to pass a certification.  You just need to pay for the exam and meet eligibility requirements.

Now after you get a good grasp of important technologies such as Servers, Networks, and Operating Systems, we recommend adding several types of certifications to your resume.  The first is a certification in the Cloud.  One notable example of that is AWS Certified Solutions Architect - Associate.  Note you can find solution architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there.  Learning how the cloud works is extremely important.  Chances are you will be asked to defend it and you need to understand what an EC-2 server is, types of storage to make backups, and how to provide proper access control.  So, spend the time and get certified.  One course author who provides a great course is Adrian Cantrill.  You can find his course link for AWS Solutions Architect in our show notes or by visiting learn.cantrill.io.  The course costs $40 and has some of the best diagrams you will ever see in IT.  Once again go through a course like this and supplement with practice exam questions before going for the official certification.

The last type of certifications we will mention is an entry cyber security certification.  We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security.  Now the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security.  You need to be able to understand the difference between Access Control, Authentication, and Authorization if you are to consult with a developer on what is needed before allowing access to a site.  These types of certifications will help you to speak fluently as a cyber professional.  That means you get more job offers, better opportunities, and interesting work.  It’s next to impossible to establish yourself as a cyber expert if you don’t even understand the technical jargon correctly.

Number Three:  Getting Relevant Job Experience

OK, so you have a college degree and an IT certification or two. What's next?  At this point in time, you are eligible for most entry level jobs.  So, let’s find interesting work in Cyber Security.  If you are looking for jobs in cyber security, there are two places we recommend.  The first is LinkedIn.  Almost all companies post there and there’s a wealth of opportunities.  Build out an interesting profile and look professional.  Then apply, apply, apply.  It will take a while to find the role you want.  Also post that you are looking for opportunities and need help finding your first role.  You will be surprised at how helpful the cyber community is.  Here's a pro tip:  add some hashtags with your post to increase its visibility.

Another interesting place to consider is your local government.  The government spends a lot of time investing in their employees.  So go there, work a few years, and gain valuable experience.  You can start by going to your local government webpage such as USAJobs.Gov  and search for the Career Codes that map to cyber security.  For example, search using the keyword “2210” to find the job family of Information Technology Management where most cyber security opportunities can be found.  If you find that you get one of these government jobs, be sure to look into college repayment programs.  Most government jobs will help you pay off student loans, finance master's degrees in Cyber Security, or pay for your certifications.  It’s a great win-win to learn the trade.

Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career.  What type of cyber professional do you want to be?  Usually, we see most Cyber Careerists fall into one of three basic paths.  

1. Offensive Security
2. Defensive Security
3. Security Auditing

The reason these three are the most common is they have the largest amount of job opportunities.  So, from a pure numbers game it’s likely where you are to spend the bulk of your career.  Although we do recommend cross training.  Mike Miller who is the vCISO for Appalachia Technologies put out a great LinkedIn post on this where he goes into more detail.  Note we have a link to it in our show notes.  Here’s some of our own thoughts on these three common cyber pathways:

Offensive Security is for those that like to find vulnerabilities in things before the bad guys do.  It’s fun to learn how to hack and take jobs in penetration testing and the red team.  Usually if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others.  You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology.  Once you do, there's a lot of interesting work awaiting.  Note if these roles interest you then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work.

Defensive Security is for the protectors.  These are the people who work in the Security Operations Center (SOC) or Incident Response Teams.  They look for anomalies, intrusions, and signals across the whole IT network.  If something is wrong, they need to find it and identify how to fix it.  Similar to Offensive Security professionals they need to understand technology, but they differ in the types of tools they need to look at.  You can find a defender looking at logs.  Logs can come from an Intrusion Detection System, a Firewall, a SIEM, Antivirus, Data Loss Prevention Tools, an EDR, and many other sources.  Defenders will become an expert in one of these tools that needs to be constantly monitored.  Note if you are interested in these types of opportunities look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or SANS GIAC Certified Incident Handler GCIH to gain relevant expertise.

Security Auditing is a third common discipline.  Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical.  This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard/regulation.  You will spend a lot of time learning the standards, policies, and best practices of an industry.  You will perform risk assessments and third-party reviews to understand how we certify as an industry.  If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA.  

Ok, so you have a degree, you have certifications, you are in a promising job role, WHAT’s Next?  If you want to really become an expert, we recommend you focus on…

Number Four: Building your personal brand.  

Essentially find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security.  Every time you do you will get smarter on a subject.  Imagine spending three hours a week reading books in cyber security.  If you did that for ten years, think of how many books you could read and how much smarter you would become.  Now as you share that knowledge with others two things happen:  

• People begin to recognize you as an industry expert.  You will get invited to opportunities to connect with other smart people which allows you to become even smarter.  If you spend your time listening to smart people and reading their works, it rubs off.  You will absorb knowledge from them that will spark new ideas and increase your understanding
• The second thing is when you present your ideas to others you often get feedback.  Sometimes you learn that you are actually misunderstanding something.  Other times you get different viewpoints.  Yes, this works in the financial sector, but it doesn’t work in the government sector or in the university setting.  This feedback also helps you become smarter as you understand more angles of approaching a problem.

Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others.  They all know G Mark's law, which I wrote nearly twenty years ago:  "Half of what you know about security will be obsolete in eighteen months."

OK so let’s recap a bit.  If you want to become an expert in something, then you should do four things. 1) Get a college education so that you have the greatest amount of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally share what you know and build your personal brand.  All of these make you smarter and will help you become a cyber expert.  

Thanks again for listening to us at CISO Tradecraft.  We wish you the best on your journey as you Learn to Earn.  If you enjoyed the show, tell one person about it this week.  It could be your child, a friend looking to get into cyber security, or even a coworker.  We would love to help more people and we need your help to reach a larger audience.  This is your host, G. Mark Hardy, and thanks again for listening and stay safe out there.

References:

• https://www.todaysmilitary.com/education-training/rotc-programs 
• www.sfs.opm.gov 
• https://www.comptia.org/home 
• https://www.whizlabs.com/
• https://www.udemy.com/
• https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c03 
• https://www.linkedin.com/feed/update/urn:li:activity:6965305453987737600/
• https://www.offensive-security.com/pwk-oscp/ 
• https://mitre-engenuity.org/cybersecurity/mad/
• https://www.giac.org/certifications/certified-incident-handler-gcih/ 

• https://www.ccbcmd.edu/Costs-and-Paying-for-College/Tuition-and-fees/In-County-tuition-and-fees.aspx

• https://www.educationcorner.com/value-of-a-college-degree.html

•  https://www.collegexpress.com/lists/list/us-colleges-with-army-rotc/2580/

•  https://www.af.mil/About-Us/Fact-Sheets/Display/Article/104478/air-force-reserve-officer-training-corps/

• https://www.netc.navy.mil/Commands/Naval-Service-Training-Command/NROTC

• https://armypubs.army.mil/pub/eforms/DR_a/NOCASE-DA_FORM_597-3-000-EFILE-2.pdf

• https://niccs.cisa.gov/sites/default/files/documents/SFS%20Flyer%20FINAL.pdf

• https://www.nationalcyberwatch.org/

•  

Show Notes

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team.  What should you talk about?  How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer?

• Story about Kim Jones at Vantiv – things have changed

Let's first talk about how you make someone satisfied -- in this case your executives.

Fredrick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general.

What a hygiene factor basically means is people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in employee bathroom.

Or, said more concisely, satisfaction and dissatisfaction are not opposites.  The opposite of Satisfaction is No Satisfaction.  The opposite of Dissatisfaction is No Dissatisfaction.

According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction."

For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied.

So, what makes someone satisfied or dissatisfied?

• Achievement
• Recognition
• The work itself
• Responsibility
• Advancement
• Growth

• Company policies
• Supervision
• Relationship with supervisor and peers
• Work conditions
• Salary
• Status
• Security

So, what will make a board member satisfied?  Today, cyber security IS a board-level concern.  In the past, IT really was only an issue if something didn't work right – a hygiene problem.  If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied.  Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it.

Remember, boards of directors generally come from a non-IT backgrounds .  According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams.  And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny.

So, there is essentially a mismatch between a board member's background and a CISO's background.  That extends to your choice of language and terminology as well.  Never go geeky with your executives – unless you have the rare situation where your entire leadership team are all IT savvy.  Otherwise, you will tune them out by talking about bits and bytes and packets and statistics.

Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully).  Show how your cybersecurity initiatives and efforts reduce multiple forms of risk:  financial risk, reputational risk, regulatory risk, legal risk, operational risk, and strategic risk.  You can show that the threat landscape has changed – nation states and organized crime has supplanted lone hackers and disgruntled employees as the major threats  .  Regulatory environment changes such as the California Consumer Privacy Act (CCPA) and ultimately the follow-on legislation from 49 other states will impact strategic business planning.  Show your board how to avoid running afoul of these emerging requirements.  And, of course, there is the ever-present threat of ransomware, which has evolved from denial-of-access attacks to loss of customer and internal data confidentiality.  That threat requires top-level policy and response plans in advance of an incident -- it's too late to be making things up as you go along.

Now, before we go into the Four Major Topics executives need to hear (after all, that's what I promised at the beginning of the show), let's ask, "Why are we briefing executives on our cyber program?"  Any company that is publicly traded falls under the scope of the Securities and Exchange Commission or SEC.

The SEC has published Cybersecurity Guidance that offers suggestions for investment companies and investment advisors.  They recommend investment firms "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats".

The creation of a security strategy and education of employees on the strategy is at the core of what CISOs do.  So, a translation of the SEC's guidance is to hire a CISO, have that individual create and execute a cybersecurity strategy.  In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover.

Our second question is, how often should we be updating the Executive leadership team?  Since the SEC requires companies to disclose risks in their 10-K statements on a yearly basis then you should be briefing cyber updates to the Executive Leadership team at least on an annual basis.  We recommend quarterly or semi-annual updates to give more touch points on important topics.  You can draw parallels to quarterly financial statements.

Let's say the Risk Committee chaired by the CEO has agreed to hear the status of the Cyber Program twice a year.  What should we brief the executive leadership team?

Let's look at what's required by law.

The State of New York requires financial services organizations to follow New York Department of Financial Services (NYDFS) regulations.  Section 500.04 provides additional information about CISOs.  It states:

Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO").

The regulations also state:

The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks.

These types of requirements aren't confined to Wall Street.  The Bermuda Monetary Authority requires insurance companies to follow their Cyber Risk Management Code of Conduct.  It states that:

The board of directors and senior management team must have oversight of cyber risks. The board of directors must approve a cyber risk policy document at least on an annual basis.

So, both the State of New York and the Bermuda Monetary Authority want CISOs to provide risk management and perform at least yearly reporting on material cyber security risks.  Many more regulatory bodies do; these are just offered as examples.

If you are going to function effectively as a leader, you should find some way to create a win-win from most any situation.  You likely have a regulatory requirement to brief your board or leadership on a periodic basis.  That's fine.  But have you ever asked yourself, what do I want in return?

Hmm.

What you want is for your board to set the security culture from the top.  Boards hold senior leadership (think C-level executives) accountable, and you want the board to ensure the CEO makes cybersecurity a priority for the organization.  ISO 27001 has a nice tool – the Information Security Management System (ISMS) Policy Statement – which is senior leadership's declaration of the importance of cybersecurity within the organization.

One example I found is that of GS1 India, a standards organization that helps Indian industry align with global best practices.  Their ISMS Policy statement begins with:

The Management of GS1 India recognizes the importance of developing and implementing an Information Security Management System (ISMS) and considers security of information and related assets as fundamental for the successful business operation. Therefore, GS1 India is committed towards securing the Confidentiality, Integrity, and availability of information for the day-to-day business and operations.

If you can get a formal declaration of support from the top, your job is going to be a whole lot better.  Otherwise, you might just end up being the Chief Scapegoat Officer.

Now let's define the four things that an executive leadership team should hear from their security leader that will convey the message that you have a handle on your scope of authority and are executing your responsibilities correctly.  Those four focuses are:

1. Cyber Risks and Responses
2. Cyber Metrics
3. A Cyber Roadmap that Identifies High Profile Programs and Projects
4. Cyber Maturity Assessment

Let's dig in.  With respect to "cyber risks and responses," create a slide for executives that shows the top cyber risks.  Examples may include things like ransomware, business email compromise, phishing attacks, supply chain attacks, third party compromise, and data privacy issues.

As a practical matter when briefing cyber risks, never just share a risk and walk away.  Executives hate that.  Be sure to talk about what you are doing as a CISO to mitigate this risk.  Usually in Risk Meetings executives look for a few things about any risk.

• What is it?
• What is the likelihood of it to occur?
• What is the impact if it does occur?
• What are we doing about it?
• How much does it cost to fix?

However, this isn't a risk approval meeting where we need to go into that level of detail.  So, let's keep our cyber risk reporting at an executive level by identifying our top three to five material risks and showing our cyber responses to each risk.

For example, if you believe phishing is your number one cyber risk, then highlight it and talk about how you have created a phishing education program that lowers click rates and increases phishing reporting to the Cyber Incident Response Team.  When phishing attacks are reported, your team has a Service Level Agreement (SLA) to respond to phishing reports within four hours to minimize any potential harm.  You can also highlight that your organization also has email protection tools in place such as Proofpoint that stopped thousands of phishing attacks during the last quarter.

In summary you are acknowledging that your company has Cyber Risks which can harm the organization.  You are protecting the organization the best you can given the resources available to your team.  If someone doesn't like your four-hour SLA, then you might offer up that you could decrease the response time to a one-hour SLA if you had one additional headcount.  This creates a business decision to give you additional headcount, which is a great discussion to have.

Once you have talked about the top three to five risks your organization faces, we recommend talking about key metrics to measure the Cyber Program.  You could call these the metrics that matter.  Essentially, they are tactical metrics that you measure month to month because they show risks that could result in major cyber-attacks.  Our favorite place for metrics that matter is the OWASP Threat and Safeguard Matrix or TaSM (pronounced like Tasmanian Devil).  Please note we have a link to it in our show notes.  Please, please, please read about the OWASP Threat and Safeguard Matrix.  It's a short five-minute read, and you will be glad that you did.

What does the Threat and Safeguard Matrix teach us about cyber metrics?  It says all good metrics show a status, a trend, and a goal.

• Status shows where we are right now
• Trends show if the project, program, or company is getting better or worse
• Goals show the end state so we know when we are done and if we should be happy with our current progress

The OWASP Threat and Safeguard Matrix then categorizes cyber metrics into four major areas:  technology, people, process, and environment.

• Technology-based metrics show things like how fast we are patching devices and how well are our servers and laptops configured.  Think about it, if you have servers that are internet-facing which are not patched then it's just a matter of time until bad actors will cause your company (and you) a really bad day.  This isn't something that you can wait on.  So, your organization needs to continually track progress and burn these numbers down as quickly as possible.  So, let's do something about it.  Start by looking at your company's security policy that defines the patch timelines for high and critical vulnerabilities.  It might say something such as we require critical vulnerabilities to be patched in 15 days and high vulnerabilities to be patched in 30 days.  From that security policy you create a Service Level Agreement for the IT department to meet.  So, you measure the percentage of your servers that have zero high and critical vulnerabilities greater than that 15 or 30-day window.  Yeah, it's going to look terrible in the beginning when your IT department shows that only 30% of its servers are patched according to the enterprise service level agreements.  But transparency brings reform.  When the CIO sees that these metrics are routinely being briefed to the CEO and executive leadership team, then things will change.  The CIO will say "not on my watch" and usually lead the IT team to make the changes needed to improve patching.
• Another metric category we see from the OWASP TaSM is People.  When we think about cyber threats to people we usually think about phishing.  So, during your monthly phishing exercises record your click rates and your reporting rates.  Since each phishing exercise is different you should benchmark your organization against other organizations who took the same phishing exercise.  You can say we had 5% click-through compared to our industry vertical that scored 7%.  If you are doing better than your peers, then you can show you are following best practices and meeting the legal term of due care.  These metrics might lower your cyber insurance costs.  These metrics could also be extremely helpful if your company were sued as a result of a data breach that begin with successful phishing attacks.  So, measure them each month and make good progress.
• The third metric category is Process-based metrics.  Here you can monitor things like your third-party risks by looking at your processes that track how many of your third parties pass a review, have active ISO 27001 or SOC 2 Type 2 reports, and have recently passed penetration tests.  Another process you might look at is what percentage of your critical applications performed adequately during both a Disaster Recovery exercise and a Business Continuity Plan exercise.  These metrics are helpful during Sarbanes-Oxley (SOX) attestations and other regulatory reviews.
• The fourth and last metric category defined by the OWASP TaSM is Environment-based metrics.  This refers to things outside of your organization that you don't control.  Even though you don't control them they can have a substantial impact on your organization.  You can think of countries passing new cyber or data privacy laws, regulators asking for new information and compliance activities, and malicious actors and fraudsters taking interest in your company all as examples of environment-based factors.  Please don't confuse environmental factors with saving the Earth.  This is not the context you are looking for.  Environment metrics could be used to show how many legitimate phishing attacks your organization stopped when someone reported a phishing attack, and the Incident Response Team confirmed it wasn't a false positive.  Note these are actual phishing attacks not phishing exercises.  This is an important metric because it shows that despite email protection tools in place, things got passed it.  If you notice a 500% increase in confirmed phishing attacks you might need to buy additional tooling to interdict them.  Another metric you might look at is how many reported help-desk tickets your organization responded to that were caused by a cyber incident.  These types of metrics can help inform management just how big the malicious attacker threat is and can be used by you to justify additional resources.

Well, that's a good overview on Cyber Metrics that you can look at each month, but we still have two more categories to go over in our cyber update.  Remember if you want to learn more on cyber metrics, please look at the OWASP Threat and Safeguard Matrix.

The third broad category of slides to include in your board deck is A Cyber Roadmap that Identifies High Profile Programs and Projects.  Executives want to see the big picture on how you are evolving the program.  So, show them a roadmap that says over the next three years here is the big picture.

For example, in 2022 we are focusing on improving ransomware defenses by enhancing our backup and data recovery process.  We will also improve our ability to prevent malware execution in our environment by adding new Windows group policies.

In 2023, we will shift our focus towards improving our website security.  We will be launching a bug bounty program that allows smart and ethical hackers to find vulnerabilities in our websites before malicious actors do.  We will be upgrading our Web Application Firewall after we finish our three-year contract with our current vendor.  We will also be adding a botnet protection tool to our internet-facing websites given the recent attacks we have been experiencing.

In 2024, we will then shift our focus to improving our software development process.  We will be purchasing a tool to gamify secure software development amongst developers.  This should lower the cost of vulnerability management.  We will also be building custom courses in house that teach developers our company's requirements to build, test, and retire applications correctly.

When you present this type of Cyber Roadmap you might show a single slide with a Gantt chart view of when high profile projects occur with the executive summary of the points previously mentioned.

The last major category is a Cyber Maturity Assessment.  Essentially you want something that independently measures the effectiveness of the entire Cyber Program.  For example, many organizations use the NIST Cybersecurity Framework, ISO 27001, the FFIEC Cyber Assessment Tool, or HiTrust to benchmark their program.  Consider hiring an independent auditing company to measure your organization's security maturity.  You will get something that says here's the top fifteen domains of cyber security.  Today, on a scale of one to five, your organization measures between a two and four on most of the domains.  Most companies in your same industry benchmark are at a level three compliance so you are currently underperforming vs your peers in four domains.  You can take that independent assessment and say we really want to improve all level two scoring opportunities to be at least a three.  This can be something you show in a spider graph or radar chart.  You can show the top five activities needed to improve these measurements and provide timelines for when those will be fixed.  This shows the executive leadership team that security is never perfect, how you benchmark against your peers, and provides them with the same confidence that they would get from an audit to confirm you are working effectively.

So, let's summarize.

We talked about Herzberg's hygiene factors, things that aren't perceived as satisfactory when present but are dissatisfactory when absent.  Remember, satisfaction and dissatisfaction are not opposites.  The opposite of dissatisfaction is no dissatisfaction.

That helps us understand that when briefing management, we will not be able to delight them with the overall state of our cybersecurity program, but we can cause them not to worry about it.  Focus on risk reduction, and how your program is helping your organization work toward that goal.

We talked about why we need to brief management and how often.  Different regulations require executive teams to articulate a cybersecurity strategy and empower the appropriate individuals to execute it.  In addition, most rules require at least annual security briefings; you may want to strive for more frequent meetings to keep your leadership team well-informed.

Your goal is to have your board set the security culture from the top and hold C-level executives accountable for funding and maintaining cybersecurity initiatives.

We covered the four things you should include in your executive briefings:  cyber risks and responses, cyber metrics, a cyber roadmap that identifies high-profile programs and projects, and a cyber maturity assessment.

By addressing risk in multiple forms, showing that you can measure and track your progress toward your security goals, that you have a solid plan for the next couple of years, and that you can demonstrate your maturity relative to peer companies, you will go a long way toward keeping your board happy, or more precisely, not unhappy.

Lastly, don't forget to look up the OWASP TaSM model.  It's a really useful tool for mapping threat categories to the NIST cybersecurity framework and showing where you may have gaps in your program (represented by blank cells in the matrix.)  The link to that is in our show notes.

Well, we hope that you have enjoyed today's episode on Updating the Executive Leadership team on the Cyber Program and we thank you again for listening to us at CISO Tradecraft.  Please leave us a review (hopefully five stars) if you enjoyed this podcast and share us with your peers on LinkedIn.  We would love to help others with their cyber tradecraft.

Thanks again and until next time, stay safe.

References

• https://www.mindtools.com/pages/article/herzberg-motivators-hygiene-factors.htm 

• https://threataware.com/a-cisos-guide-to-cybersecurity-briefings-to-the-board/ 

• https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf

• https://www.spencerstuart.com/research-and-insight/cybersecurity-and-the-board 

• https://www.sec.gov/investment/im-guidance-2015-02.pdf 

• https://piregcompliance.com/ciso-as-a-service/what-regulations-require-the-designation-of-a-chief-information-security-officer-ciso/ 

• https://proteuscyber.com/privacy-database/ny-dfs-section-50004-chief-information-security-officer 

• https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-Insurance-Sector-Cyber-Risk-Management-Code-of-Conduct.pdf 

• https://www.gs1india.org/media/isms-policy-statement.pdf 

• https://owasp.org/www-project-threat-and-safeguard-matrix/ 

On this episode you can hear the tale of three conferences.  Listen and learn about the history of BSides, Black Hat, and DEF CON.  Learn what makes these conferences special and enjoy some of the untold history of each conference.  

References

• https://en.wikipedia.org/wiki/Penetration_test
• https://partner-security.withgoogle.com/docs/pentest_guidelines#assessment-methodology
• https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies
• https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf 
• https://pentest-standard.readthedocs.io/en/latest/
• https://www.isecom.org/OSSTMM.3.pdf
• https://s2.security/the-mage-platform/
• https://bishopfox.com/platform
• https://www.pentera.io/
• https://www.youtube.com/watch?v=g3yROAs-oAc 

****************************

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to explore a number of things a CISO needs to know about pentesting.  As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates.

Now to get a good understanding of pentesting we are going over the basics every CISO needs to understand.  

• What is it
• Where are good places to order it
• What should I look for in a penetration testing provider
• What does a penetration testing provider need to provide
• What’s changing on this going forward

First of all, let's talk about what a pentest is NOT.  It is not a simple vulnerability scan.  That's something you can do yourself with any number of publicly available tools.  However, performing a vulnerability scan, and then acting on remediating what you find, is an important prerequisite for a pentest.  Why pay hundreds of dollars per hour for someone to point out what you can find yourself in your bunny slippers sipping a latte?

Now let’s start with providing a definition of a penetration test.  According to Wikipedia a penetration test or pentest is an authorized simulated cyber-attack on a computer system performed to evaluate the security of a system.  It’s really designed to show weaknesses in a system that can be exploited.  Let’s think of things we want to test.  It can be a website, an API, a mobile application, an endpoint, a firewall, etc.  There’s really a lot of things you can test, but the thing to remember is you have to prioritize what has the highest likelihood or largest impact to cause the company harm.  You need to focus on high likelihood and impact because professional penetration tests are not cheap.  Usually, they will usually cost between $10,000-$30,000 but if you have a complex system, it’s not unheard of to go up to $100,000.  As a CISO you need to be able to defend this expenditure of resources.  So, you will usually define a clear standard that our company will perform penetration tests on customer facing applications, PCI applications, and Financially Significant Application or SOX applications once per year.

My friend John Strand, who founded Black Hills Information Security, pointed out in a recent webcast that sometimes you, the client, may not know what you mean by the term pentest.  Sometimes clients want just a vulnerability scan, or sometimes an external scan of vulnerabilities to identify risk, or sometimes a compromise assessment where a tester has access to a workstation and tries to work laterally, or sometimes a red team where a tester acts like a threat actor and tries to bypass controls, or a collaborative effort involving both red teams and blue teams to document gaps and to help defenders do their job better.  He goes on to state that your pentest objective should be to "provide evidence of the effectiveness of current defensive mechanisms and attack detection methodologies."

Please do not confuse a penetration test with a Red Team exercise.  A red team exercise just wants to accomplish an objective like steal data from an application.  A penetration test wants to enumerate vulnerabilities in a scoped target system so the developer can patch and remediate.  It’s a subtle difference but consider that a red team only needs to find one vulnerability to declare success, whereas a penetration test keeps going to help identify potentially exploitable vulnerabilities.  Now, is a pentest about finding ALL vulnerabilities?  I would say no – there are vulnerabilities that might require a disproportionate amount of resources to exploit for little or no value – something with a CVSS score of 4.0 or the like.  Those can often be left unpatched without consequence – the cost of remediating may exceed the value of the risk avoided.  There really is a “good enough” standard of risk, and that is called “acceptable risk.”  So, when scoping a pentest or reviewing results, make sure that any findings are both relevant and make economic sense to remediate.