CISO Tradecraft®

G Mark Hardy & Ross Young

You are not years away from accomplishing your career goals, you are skills away. Learn the Tradecraft to Take Your Cybersecurity Skills to the Executive Level. © Copyright 2025, National Security Corporation. All Rights Reserved

  1. #286 - AI-Native Security (with Nishant Doshi & Saro Subbiah)

    3d ago

    #286 - AI-Native Security (with Nishant Doshi & Saro Subbiah)

    What if your next breach isn't caused by a human... but by an AI agent acting exactly as instructed? Cyberhaven's CEO (Nishant Doshi) and SVP of Engineering (Saro Subbiah) reveal why AI is a true zero-to-one shift, why every employee is building agents, and why traditional security controls are struggling to keep up with machine-speed workflows. The most interesting question for CISOs isn't whether AI will be adopted, it's which security control breaks first when thousands of human-plus-agent workflows start operating across your enterprise? Watch the episode and weigh in: What do you believe will be the first major failure point of enterprise AI adoption, identity, code review, third-party dependencies, data security, audit trails, or something else entirely? Big thanks to our Sponsor Cyberhaven - https://www.cyberhaven.com/product

    46 min
  2. #285 - Passwordless Authentication (with Nishant Kaushik)

    May 25

    #285 - Passwordless Authentication (with Nishant Kaushik)

    In this discussion, G. Mark Hardy and Nishant Kaushik explore the necessity of moving beyond traditional passwords, which they define as the original sin of cybersecurity due to their vulnerability to credential stuffing and phishing attacks. Kaushik explains that the FIDO Alliance promotes a passwordless future by replacing shared secrets with asymmetric cryptography, utilizing private keys stored on smartphones or hardware tokens like YubiKeys to ensure phishing-resistant authentication. The conversation highlights that identity is the new perimeter, shifting the focus from human-memorized codes to biometric verification and device-bound passkeys that verify user presence. Ultimately, the experts warn that a secure transition must include robust account recovery flows, as failing to secure the "back door" renders even the most advanced cryptographic-based authentication vulnerable to exploitation. FIDO Alliance - https://fidoalliance.org/

    42 min
  3. #284 - Lessons Learned from SQL Slammer to AI Agents (with Aaron Turner)

    May 18

    #284 - Lessons Learned from SQL Slammer to AI Agents (with Aaron Turner)

    What can today’s CISOs learn from the chaos of Code Red and SQL Slammer? In this episode, G Mark Hardy interviews Aaron Turner about what it was like responding inside Microsoft during two of the most infamous cyber outbreaks in history. Aaron shares firsthand stories from the era when SQL Slammer infected at least 75,000 systems in roughly 10 minutes, exposing massive gaps in patch management, security QA, firewall design, and enterprise readiness. He explains how Microsoft’s early security culture operated, how major incidents and source-code theft forced change, and why many of the same mistakes are now reappearing in enterprise AI adoption. The conversation connects the lessons of Code Red and Slammer directly to today’s AI security challenges, including: Unauthenticated MCP servers and weak authorization modelsAI accelerating exploit development and vulnerability discoveryWhy the traditional “patching game” no longer scalesThe growing importance of identity security, ITDR, SASE, and developer controlsHow CISOs should think about technical debt and legacy modernizationWhy serverless and cloud-native architectures may become security necessitiesIf you’re a CISO, deputy CISO, security architect, or aspiring security leader navigating the risks of AI-driven attacks, this episode provides practical lessons from one of the most important eras in cybersecurity history and why those lessons matter even more today. Aaron Turner's Linkedin - https://www.linkedin.com/in/aaronrturner/

    46 min
  4. #283 - Leadership Lessons and the Art of the Performance (with Chris Brogan)

    May 11

    #283 - Leadership Lessons and the Art of the Performance (with Chris Brogan)

    In this episode of the CISO Tradecraft podcast, host G Mark Hardy interviews early tech adopter Chris Brogan to explore the intersection of high-performance leadership and effective communication. Drawing from his interviews with Navy SEALs and his tenure as a Chief of Staff, Brogan emphasizes that leadership is essentially the management of options and the cultivation of repetitive training to build a reliable team base. The discussion highlights the necessity of aligning staff roles with business needs, which sometimes requires the difficult but professional decision to let individuals go when they no longer fit the objective. Both experts stress that fully qualifying personnel for their next level of responsibility is a vital duty for any leader aiming for organizational excellence. Ultimately, the conversation advocates for authenticity, a willingness to fail forward, and the use of technology to foster genuine human interaction. Chris Brogan's LinkedIn - https://www.linkedin.com/in/cbrogan/

    48 min
  5. #282 - Top 10 Agentic AI Attacks (with Rock Lambros)

    May 4

    #282 - Top 10 Agentic AI Attacks (with Rock Lambros)

    In this CISO Tradecraft episode, host G Mark Hardy interviews recovering CISO Rock Lambros (Zenity) about securing Agentic AI and the emerging risks beyond LLM hallucinations. Lambros recounts his path from Oracle developer to CISO and AI standards work, then explains how agentic AI increases risk by connecting models to tools and actions. They discuss agentic AI supply chain attacks, including backdoored LiteLLM packages on PyPI and a compromised Amazon Q update, and the resulting shift from “patch fast” to more cautious dependency controls. The conversation highlights the OWASP Top 10 for Agentic Applications 2026, covering threats like goal hijack, tool misuse, identity/privilege abuse, memory/context injection, insecure inter-agent communication, cascading failures, human trust exploitation, and rogue agents, concluding with practical steps: inventory, kill switches, least agency, intent gates, and observability. OWASP Top 10 for Agentic Applications - https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/

    45 min
  6. #281 - SIEM Secrets They Don’t Tell You (with Anton Chuvakin & Alex Hurtado)

    Apr 27

    #281 - SIEM Secrets They Don’t Tell You (with Anton Chuvakin & Alex Hurtado)

    In this CISO Tradecraft episode, host G Mark Hardy talks with Anton Chuvakin and Alex Hurtado about how SIEM programs fail and how organizations overspend when implementations prioritize dashboards or compliance over actionable detection engineering and collecting the right data. They share costly war stories ranging from multi-million and eight-figure deployments that became expensive “log toilets” or missed incidents due to data rationing and gaps, to mid-market teams burned by next-gen startup SIEMs going end-of-life and forcing replatforming. The discussion covers why Gartner Magic Quadrants can be useful depending on organizational context, the tradeoffs of decoupled/hybrid SIEM and security data lake architectures (cost, coverage, vendor management, and real-time detection limits), migration and egress/lock-in concerns, emerging AI/agentic SOC models and pricing, and the need to define requirements and measure effectiveness with realistic detection testing metrics.

    48 min
  7. #280 - Mythos and the Future of Vulnerability Operations (with Gadi Evron)

    Apr 20

    #280 - Mythos and the Future of Vulnerability Operations (with Gadi Evron)

    In this episode of CISO Tradecraft, host G Mark Hardy speaks with Gadi Evron about the paper “The AI Vulnerability Storm Building: A Mythos Ready Security Program,” a community-driven draft produced in days with extensive input from security leaders. Evron explains how advances in LLMs and agents are accelerating vulnerability discovery and exploitation, shrinking time-to-exploit assumptions and likely increasing the volume of real vulnerability reports and patches. They discuss separating hype from real risk, the impact of Anthropic’s Mythos and limited access via Project Glasswing, and what CISOs should do now: adopt agents to operate at machine speed, use them defensively to find issues, build “vuln ops” capabilities, secure coding agents in the enterprise, and communicate shifting risk metrics to boards. They also preview the next Unprompted conference planned for September. VulnAxis - https://vulnaxis.com/ Gadi Evron - https://www.linkedin.com/in/gadievron/ Knostic - https://www.knostic.ai/ The AI Vulnerability Storm Paper - https://labs.cloudsecurityalliance.org/mythos-ciso/ Unprompted - https://unpromptedcon.org/

    44 min
  8. #279 - AI Readiness (with JP Bourget)

    Apr 13

    #279 - AI Readiness (with JP Bourget)

    On CISO Tradecraft, host G Mark Hardy welcomes back JP Bourgeet to discuss what “AI readiness” means for organizations, framing it as both a data governance challenge and a change-management problem. JP defines readiness for CISOs as strong threat protection, data security/governance, and device management, with the biggest gaps typically in labeling, DLP/DSPM, and poor information architecture (e.g., commingled data in SharePoint/Drive). They cover re-architecting past and future data into role-based structures so Copilot can honor permissions and sensitivity labels, plus the value of visibility, auditability, and insider-risk alerting for file access and LLM prompts. JP also discusses agentic systems and upcoming identity challenges for AI agents, compares AI readiness to platform engineering, emphasizes use-case-driven adoption (lunch-and-learns and ROI tracking), and highlights Daniel Miessler’s personal AI infrastructure work and a future shift toward AI-driven security products. JP Bourget's Website https://www.bluecycle.net/ JP Bourget's Linkedin https://www.linkedin.com/in/jpbourget/ SaltCon- https://naclcon.com/

    44 min
See All (286)

4.8
out of 5
49 Ratings

About

You are not years away from accomplishing your career goals, you are skills away. Learn the Tradecraft to Take Your Cybersecurity Skills to the Executive Level. © Copyright 2025, National Security Corporation. All Rights Reserved

Information

  • Creator
    G Mark Hardy & Ross Young
  • Years Active
    2020 - 2026
  • Episodes
    286
  • Rating
    Clean
  • Copyright
    © Copyright 2025, National Security Corporation. All Rights Reserved
  • Show Website
    CISO Tradecraft®

You Might Also Like