39 episodes

Welcome to CISO Tradecraft. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

CISO Tradecraft G Mark Hardy & Ross Young

    • Technology
    • 4.7 • 13 Ratings


    CISO Tradecraft: Stressed Out? Find your Ikigai and 6 Invaluable Factors

    Being a CISO has been described as the "toughest job in the world."  It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems.  Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it.

    88% of CISOs report being "moderately or tremendously stressed."  We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for "reason for being."  The intersection of what you love, what you are good at, what the world needs, and what you can be paid for represents this ideal state.  Mihaly Csikszentmihalyi describes this as "flow," when work comes seemingly effortlessly because we are in alignment with our actions.  We'll also explore Dave Crenshaw's factors to being invaluable, which can help us better meet the demands of our job by being the best possible fit.

    Tune in and gain some ideas on how to help yourself, and your staff, deal with stress.

    • CISO Tradecraft By Topic on GitHub
    • Csikszentmihalyi
    • Ikigai
    • Invaluable: The Secret to Becoming Irreplaceable
    • The Six Invaluable Factors by David Crenshaw

    • 29 min
    CISO Tradecraft: CMMC and Me

    This episode of CISO Tradecraft discusses CMMC.  The Cybersecurity Maturity Model Certification (CMMC) is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties.  The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam.  CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards.  In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them.  We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense.

    • 31 min
    CISO Tradecraft: Cyber Security Laws & Regulations

    On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations:

    • The Health Insurance Portability and Accountability Act (HIPAA) advocates the security and privacy of personal health information
        • Administrative Safeguards
        • Physical Safeguards
        • Technical Safeguards
    • The Sarbanes-Oxley Act (SOX) is designed to provide transparency on anything that could cause material impact to the financials of a company
        • Cyber Risk Assessment
        • Identify Disclosure Controls and Policies
        • Implementing Cyber Security Controls Using a Reliable Framework (NIST CSF / ISO 27001)
        • Monitor and Test SOX Controls
    • The Gramm Leach Bliley Act (GLBA) requires Financial Institutions to protect Personally Identifiable Information (PII)
    • The Federal Information Security Management Act (FISMA) requires executive agencies in the federal government to address cyber security concerns
        • Plan for security
        • Assign responsibility
        • Periodically review security controls on systems
        • Authorize systems to Operate
    • The Payment Card Industry Data Security Standards (PCI-DSS) is a framework required to protect payment card information
    • The General Data Protection Regulation (GDPR) - Data Compliance and Privacy law for European citizens
        • Consent
        • Data Minimization
        • Individual Rights
    • The California Consumer Protection Act (CCPA) - Data Compliance and Privacy law for California residents.  This law provides Californians the right to know what data is collected or sold, the right to access data, the ability to request its deletion, and the ability to opt out of it being collected or sold.
    • The Cybersecurity Maturity Model Certification (CMMC) - combines various cybersecurity standards and best practices and maps these controls and processes across maturity levels for Department of Defense contractors.

    • 43 min
    CISO Tradecraft: IPv6 Your Competitive Advantage

    This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein.  IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment.  This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.

    • 44 min
    CISO Tradecraft: Setting Up an Application Security Program

    On this episode of CISO Tradecraft, you can learn how to build an Application Security program.

    • Start with Key Questions for
        • Security
        • IT Operations
        • Application Development/Engineering Groups
    • Identify Key Activities
        • Asset Discovery
        • Asset Risk Prioritization
        • Mapping Assets Against Compliance Requirements
        • Setting up a Communications Plan
    • Perform Application Security Testing Activities
        • SAST
        • DAST
        • Vulnerability Scanners
        • Software Composition Analysis
        • Secrets Scanning
        • Cloud Security Scanning
    • Measure and Improve Current Vulnerability Posture through metrics
        • The number of vulnerabilities present in an application
        • The time to fix vulnerabilities
        • The remediation rate of vulnerabilities
        • The time vulnerabilities remain open
        • Defect Density - number of vulnerabilities per server

    We also recommend reading the Microsoft Security Developer Life Cycle Practices Link

    For more great ideas on setting up an application security program please read this amazing guide from WhiteHat Security Link

    If you would like to improve cloud security scanning by automating Infrastructure as Code checks, then please check out Indeni CloudRail Link

    • 41 min
    CISO Tradecraft: Metrics that Matter

    What is measured gets done.  However, before you measure you need to think about how best to measure.  On this episode of CISO Tradecraft, we provide you new insights into optimizing metrics that matter.

    What is a Metric?

    Metrics drive outcomes.  Before picking a metric consider the following:
    • What data is required?
    • What stories can it tell?
    • What questions does it invite?
    • How sustainable is it?

    When you report metrics highlight three things:
    • Status or Measure - Where is your company right now?
    • Trends - What direction is your company headed?
    • Goals - A description of where your company wants to be

    Goals or Metrics should be SMART: Specific, Measurable, Achievable, Realistic, and Time-based

    For a helpful list of metrics that you might consider please check out the following list from Security Scorecard Link

    Thank you again to our sponsor CyberArk, please check out their CISO Reports.

    • 41 min

Customer Reviews

4.7 out of 5
13 Ratings

Financialadventure,

Really interesting podcast for people wanting to be a CISO

There are a lot of podcasts on cyber security. This one has something unique. The creators have a natural energy that resonates well and I enjoy their thoughts. What is most impressive is learning how to become a CISO. There is no silver bullet but the points they bring up are really interesting. I look forward to hearing more episodes.
