122 episodes

Welcome to CISO Tradecraft. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.

CISO Tradecraft® by G Mark Hardy & Ross Young

    • Technology
    • 4.9 • 31 Ratings


    #122 - Methodologies for Analysis (with Christopher Crowley)

    Sometimes you just need structure to the madness. Christopher Crowley stops by to talk about methodologies that can help security organizations. Come and see why you need them, how we get the scientific method wrong in cyber, and how to leverage a CIA analytical methodology that can help you. There's a lot more to check out so tune in.
    Analysis of Competing Hypotheses https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
    Christopher Crowley's Company https://montance.com/ 
    Full Transcripts https://docs.google.com/document/d/1P4MI02fIw3y_u8RhLVDbB3iu0o7e27Fr
    00:00 Introduction
    02:30 The Morris Worm and the Internet
    04:17 The Future of Cybersecurity
    06:41 How to set up a shared drive for multitasking
    10:26 The Evolution of Career Paths
    12:02 The Importance of Methodology in Problem Solving
    14:16 The Importance of Hypothesis in Cybersecurity
    19:58 MITRE ATT&CK® Framework: A Two Dimensional Array
    21:54 The Importance of a Foregone Conclusion Methodology
    23:29 The Disruptor's Role in Hypothesis Brainstorming
    25:18 The Importance of Resilience in Leadership
    27:45 Methodologies and Threat Hunting
    29:21 The Importance of Information Bias in Threat Hunting
    34:31 How to Sort Hypotheses in a Spreadsheet
    37:22 The Importance of Refining the Matrix
    40:34 How to Automate Analysis of Competing Hypotheses

    • 43 min
    #121 - Legal Questions (with Evan Wolff)

    Have you ever wanted to get a legal perspective on cybersecurity? On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others. He also provides important insights on how to structure your cyber policies, respond to regulators and auditors, and partner with general counsel. Please enjoy.
    Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh
    00:00 Introductions
    01:52 The Attorney Client Privilege
    04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
    06:30 CISO Disclaimer
    09:23 Security Is a Component of Government Contracts
    11:59 What are the Borders Between Information Security and Legal Risk
    15:31 Cyber Security - Is there a Standard of Care?
    18:11 Do you have a Reasonable Best Effort?
    21:27 CMMC 2.0
    26:22 Is your Privacy Policy going to expire?
    28:30 What is Reasonable Assurance?
    33:41 Advice for Partnering with the General Counsel

    • 38 min
    #120 - Negotiating Your Best CISO Package (with Michael Piacente)

    Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss the important parts of a compensation package. Examples include, but are not limited to:
    - Base Salary
    - Bonuses (Annual, Relocation, & Hiring)
    - Restricted Stock Units
    - Annual Leave
    - Title (VP or SVP)
    - Directors & Officers Insurance
    - Accelerated Vesting Clauses
    - Severance Agreements
    You can learn more about CISO compensation by searching for any of the following compensation surveys:
    Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
    Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
    IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...
    Full Transcripts: https://docs.google.com/document/d/1e...
    00:00 Introduction
    01:58 What's the Difference?
    06:50 The Three-Legged Stool (Base Salary, Bonuses, RSUs)
    11:44 Is there a signing bonus?
    13:56 What's the difference between RSUs & Options?
    18:52 Private Companies - What's the Value of the Offer?
    22:04 Double Triggers in Private Companies
    26:38 Should you counter an offer?
    28:17 Corporate Liability Insurance
    29:50 Do you want to be extended on the Director and Officer Insurance Policy?
    32:56 How to negotiate a severance agreement
    36:00 Compensation Survey Reports

    • 39 min
    #119 - Ethics (with Stephen Northcutt)

    One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in. Sometimes ethical stances are clear and you know you are doing what's right. Others are blurry, messy, and really weigh on your mind. So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally the federal case in which Joe Sullivan, the former Chief Security Officer of Uber, was convicted of federal charges for covering up a data breach. Thanks to Stephen Northcutt for coming on today's show.
    Full Transcript https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9
    00:00 Introduction
    01:49 How to Make a Difference in Cybersecurity
    03:34 Hackers and the Pursuit of Higher Principles
    06:06 Is There a Use Case in Cybersecurity
    10:56 Human Capital is the Most Important Asset That Any Organization Has
    14:00 The Human Frailty Factor
    18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
    20:24 Do you have a Diversity of Experience
    24:11 Getting Your EXO to Talk to Power and say you are wrong
    27:40 CISOs and CISOs - Is this a Criminal Thing?
    30:15 The Penalty of Crossing the Law
    34:56 Pay the Ransom?
    36:59 The Key to Resilience as a CISO

    • 41 min
    #118 - Data Engineering (with Gal Shpantzer)

    Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.
    Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
    Gal's Twitter Page - https://twitter.com/Shpantzer
    Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/
    00:00 Introduction
    02:00 How do you Architect Big Data Infrastructure
    03:33 Are you taking a look at Ransomware?
    06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
    08:11 Data Engineering - The Mindset Shift
    10:51 The Iron Triangle of Data Engineering
    13:55 Can I Outsource My Logging Pipeline to a Vendor
    15:37 Kafka & Flink - Data Engineering in the Pipeline
    18:12 Streaming Analytics & Kafka
    22:08 How to Enable Data Science Analytics with Streaming Analytics
    26:33 Streaming Analytics
    30:25 Data Engineering - Is there a Security Log
    32:30 Streaming Analytics is a Weird Thing
    35:50 How to Get a Handle on a Big Data Pipeline
    39:11 Data Engineering Hacks for Big Data Analytics

    • 44 min
    #117 - Good Governance (with Sameer Sait)

    Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.
    Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/
    Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li
    00:00 Introduction
    03:10 Good Governance is a Good Thing, Right?
    05:08 Cyber Strategy & Framework
    06:43 Is NIST the Same as ISO?
    08:40 How to Convince the Executive Leadership Team to Buy In
    11:19 The CEO's Challenge is Taking Measured Risk
    20:05 Is there a Cybersecurity Policy
    22:32 Culture eats Policy for Lunch
    24:14 The Role of the CISO
    27:52 How do you Convince the Leadership Team that you need extra resources
    29:51 How do you Measure Cybersecurity?
    32:22 How do we communicate Risk Findings to Senior Management
    36:07 Are you Aligning with the Audit Committee

    • 39 min

Customer Reviews

4.9 out of 5
31 Ratings

JoshSommers,

So informative and logically organized

This podcast has been instrumental in transforming how I think about cyber and business risk. There aren't a lot of other podcasts that I've seen or heard that enable you to go wider or deeper in your understanding. Thank you for the effort y'all put into these and what you're doing for our community.

PerryBorenstein,

Critical Information for Our Critical Infrastructure

The nature of the internet makes it incumbent on every organization to prevent intrusions, be they foreign or domestic. Corporate cybersecurity is not a business concern. It is a national Security concern.

For this reason, the information conveyed in this podcast should be on every cybersecurity professional's listening list, from CISO to entry-level security associates just beginning their career.

There is no unimportant person when it comes to cybersecurity. Anyone who uses a computer connected to the internet can rain down catastrophe on an organization. It is up to cybersecurity personnel to prevent that from happening. G. Mark Hardy seems almost chosen to be the one that helps corporations stay safe.

It doesn't hurt that he has a calm, reassuring voice that conveys a message that this is doable, and that you are the one who can do it.

idavis7,

A great resource for those in the cyber world

This is such a great casual podcast for those looking to work their way into management in the cyber world. I recommend this to anyone who is interested!!
