CISO Tradecraft® G Mark Hardy & Ross Young
-
- Technology
Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.
-
#177 - 2024 CISO Mindmap (with Rafeeq Rehman)
This episode of CISO Tradecraft features a comprehensive discussion between host G Mark Hardy and guest Rafeeq Rehman, centered around the evolving role of CISOs, the impact of Generative AI, and strategies for effective cybersecurity leadership. Rafeeq shares insights on the CISO Mind Map, a tool for understanding the breadth of responsibilities in cybersecurity leadership, and discusses various focal areas for CISOs in 2024-2025, including the cautious adoption of Gen AI, tool consolidation, cyber resilience, branding for security teams, and maximizing the business value of security controls. The episode also addresses the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security.
Cybersecurity Learning Saturday: https://www.linkedin.com/company/cybersecurity-learning-saturday/
2024 CISO Mindmap: https://rafeeqrehman.com/2024/03/31/ciso-mindmap-2024-what-do-infosec-professionals-really-do/
Transcripts: https://docs.google.com/document/d/1axXQJoAdJI26ySKVfROI9rflvSe9Yz50
Chapters
00:00 Introduction
00:57 Rafeeq Rehman: Beyond the CISO MindMap
04:17 The Evolution of the CISO MindMap
08:30 AI and the Future of Cybersecurity Leadership
11:47 Embracing Change: The Role of AI in Cybersecurity
14:16 Generative AI: Hype, Reality, and Strategic Advice for CISOs
22:32 Navigating the Future Job Market with AI
22:53 Framing AI for Specific Roles
24:12 Harnessing Creativity with Generative AI
25:14 Consolidating Security Tools for Efficiency
28:31 Evaluating Security Tools: A Deep Dive
32:21 Cyber Resilience: Beyond Incident Response
35:51 Building a Business-Focused Security Strategy
39:39 Maximizing Business Value Through Security
43:15 Looking Ahead: Focus Areas for the Future
43:53 Concluding Thoughts and Future Predictions -
#176 - Reality-Based Leadership (with Alex Dorr)
In this episode of CISO Tradecraft, host G Mark Hardy welcomes Alex Dorr to discuss Reality-Based Leadership and its impact on reducing workplace drama and enhancing productivity. Alex shares his journey from professional basketball to becoming an evangelist of reality-based leadership, revealing how this approach helped him personally and professionally. They delve into the concepts of SBAR (Situation, Background, Analysis, Recommendation) for effective communication, toggling between low self and high self to manage personal reactions, and practical tools like 'thinking inside the box' to confront and solve workplace issues within given constraints. The conversation underscores the importance of focusing on actionable strategies over arguing with the drama and reality of workplace dynamics, aiming to foster a drama-free, engaged, and productive work environment.
Alex Dorr's Linkedin: https://www.linkedin.com/in/alexmdorr/
Reality-Based Leadership Website: https://realitybasedleadership.com/
Transcripts: https://docs.google.com/document/d/1wge0pFLxE4MkS6neVp68bdz8h9mHrwje
Chapters
00:00 Introduction
00:57 Alex Dorr's Journey from Basketball to Leadership Expert
03:54 The Core Principles of Reality-Based Leadership
06:20 Understanding the Human Condition in the Workplace
09:19 Tackling Workplace Drama with Reality-Based Leadership
11:58 The Power of Positive Energy Management
17:42 Navigating Unpreferred Realities and Finding Impact
19:44 Reality-Based Leadership in Action: Techniques and Outcomes
23:12 The Importance of Skill Development Over Perfecting Reality
24:32 The Challenge of Employee Engagement
25:49 Secrets to Embracing Reality and Taking Action
25:58 Leadership vs. Management: Navigating Workplace Dynamics
28:28 Empowering Employees with the SBAR Framework
34:04 Addressing Venting and Negative Behaviors
36:17 Developing People: The Core of Leadership
37:50 Choosing Happiness Over Being Right
40:15 Integrating New Leadership Models and Making Them Stick
46:24 Concluding Thoughts and Contact Information -
#175 - Navigating NYDFS Cyber Regulation
This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements.
AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity
Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud
Chapters
00:00 Introduction
00:35 Why Part 500 Matters Beyond New York
01:48 The Evolution of Financial Cybersecurity Regulations
03:20 Understanding Part 500: Definitions and Amendments
08:44 The Importance of Multi-Factor Authentication
14:33 Navigating the Complexities of Cybersecurity Regulations
20:23 The Critical Role of Asset Management and Access Privileges 25:37 The Essentials of Application Security and Risk Assessment
31:11 Incident Response and Business Continuity Management
32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation -
#174 - OWASP Top 10 Web Application Attacks
In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.
OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
OWASP Top 10: https://owasp.org/www-project-top-ten/
Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32
Chapters
00:00 Introduction
01:11 Introducing OWASP: A Pillar in Cybersecurity
02:28 The Evolution of Web Vulnerabilities
05:01 Exploring Web Application Security Risks
07:46 Diving Deep into OWASP Top 10 Risks
09:28 1) Broken Access Control
14:09 2) Cryptographic Failures
18:40 3) Injection Attacks
23:57 4) Insecure Design
25:15 5) Security Misconfiguration
29:27 6) Vulnerable and Outdated Software Components
32:31 7) Identification and Authentication Failures
36:49 8) Software and Data Integrity Failures
38:46 9) Security Logging and Monitoring Practices
40:32 10) Server Side Request Forgery (SSRF)
42:15 Recap and Conclusion: Mastering Web Application Security -
#173 - Mastering Vulnerability Management
In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Chapters
00:00 Introduction
00:56 Understanding Vulnerability Management
02:15 How Bad Actors Exploit Vulnerabilities
04:26 Building a Comprehensive Vulnerability Management Program
08:10 Prioritizing and Remediation of Vulnerabilities
13:09 Optimizing the Patching Process
15:28 Measuring and Improving Vulnerability Management Effectiveness
18:28 Gamifying Vulnerability Management for Better Results
20:38 Securing Executive Buy-In for Enhanced Security
21:15 Conclusion and Further Resources -
#172 - Table Top Exercises
This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents.
Outline & References:
https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf
Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/
Chapters
00:00 Introduction
00:47 The Importance of Tabletop Exercises
01:53 The Benefits of Tabletop Exercises
03:06 How to Implement Tabletop Exercises
05:30 The Role of Tabletop Exercises in Compliance
08:24 The Participants in Tabletop Exercises
09:25 The Preparation for Tabletop Exercises
16:57 The Execution of Tabletop Exercises
21:58 Understanding Roles and Responsibilities in an Exercise
22:17 The Importance of a Hot Wash Up
23:36 Creating an After Action Report (AAR)
24:06 Implementing an Action Plan
24:34 Example Scenario: Network Administrator's Mistake
25:08 Formulating Targeted Questions for the Scenario
26:36 The Role of Innovation in Tabletop Exercises
27:11 The Connection Between Tabletop Exercises and Compliance
29:18 12 Key Steps to a Successful Exercise
30:43 The Importance of Realistic Scenarios
34:05 The Role of Communication in Crisis Management
37:33 The Impact of Cyber Attacks on Operations
39:57 The Importance of Tabletop Exercises and How to Get Started
40:35 Conclusion