CISO Tradecraft

In this episode of CISO Tradecraft, host G Mark Hardy discusses the ongoing Israel-Iran conflict and its potential cyber implications with cybersecurity expert Nathan Case. They delve into lessons learned from the Russia-Ukraine conflict, discuss the effectiveness of cyber warfare, and evaluate Iran's cyber capabilities. The conversation also covers the ethical implications of cyber attacks, dual-use targets, and the danger of supply chain vulnerabilities. Practical advice is provided on improving cybersecurity measures, including the importance of MFA, network segmentation, and evaluating internal threats. Join us for an in-depth look at how current geopolitical tensions can impact global cybersecurity. Nathan Case - https://www.linkedin.com/in/nathancase/   Chapters 00:00 Introduction to the Israel-Iran Conflict 00:52 Meet the Expert: Nate Case 01:51 Cyber Warfare Insights from Russia-Ukraine Conflict 03:36 The Impact of Cyber on Critical Infrastructure 08:00 Ethics and Rules of Cyber Warfare 15:01 Iran's Cyber Capabilities and Strategies 16:56 Historical Context and Modern Cyber Threats 23:28 Foreign Cyber Threats: The Iranian Example 24:06 Israel's Cyber Capabilities 25:39 The Role of Cyber Command 26:23 Challenges in Cyber Defense 27:11 The Complexity of Cyber Warfare 32:21 Ransomware and Attribution Issues 36:13 Defensive Cyber Operations 39:39 Final Thoughts and Recommendations

Join G Mark Hardy and Carson Zimmerman, the author of '11 Strategies of a World-Class Cybersecurity Operations Center,' in this insightful episode of CISO Tradecraft. Carson shares his career journey, the evolution from the 10 to 11 strategies, and delves into the future needs of Security Operations Centers (SOCs). They discuss critical topics such as the importance of continuous improvement, AI's impact on SOCs, and the value of embracing neurodiversity in cybersecurity teams. Whether you're a seasoned cybersecurity leader or an aspiring professional, get actionable advice on how to enhance and revolutionize your SOC operations. 11 Strategies of a World Class Cybersecurity Operations Center https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf 14 Questions are all you need - https://www.first.org/resources/papers/conf2024/1445-14-Questions-Carson-Zimmerman.pdf Transcripts - https://docs.google.com/document/d/1WVJi9WkxOG7yedQYWSooiqRFjBERd9kV Chapters  00:00 Introduction and Guest Welcome 00:53 Background and Book Discussion 03:33 SOC Challenges and Stagnation 06:10 Managing SOC Alerts and Burnout 09:26 SOC Evolution and Neurodiversity 23:50 Career Progression in Cybersecurity 30:28 Impact of AI on SOC Operations 40:07 Final Thoughts and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy sits down with Matt Hillary, the Chief Information Security Officer of Drata, to discuss governance, risk, and compliance (GRC) and trust management. They explore key topics such as the evolution of GRC, trust management, compliance automation, and the advent of AI in compliance processes. Matt shares insights on building a world-class GRC program, the challenges and opportunities in modern-day compliance, and the mental health aspects of being a cybersecurity leader. This episode is a must-watch for any cybersecurity professional looking to enhance their GRC strategies and compliance operations. Big Thanks to our Sponsor Drata. You can learn more about them at https://drata.com/ Connect with Matt Hillary at https://www.linkedin.com/in/matthewhillary/ Transcripts - https://docs.google.com/document/d/1VzRQSEvgUwenDERlNn2bwlIpnz4QPQ15/  Chapters 01:39 Meet Matt Hillary: CISO of Drata 06:06 The Evolution of GRC and Trust Management 14:48 Continuous Compliance and Automation 19:26 Compliance as Code: The Future of GRC 22:18 The Importance of Getting It Right the First Time 23:15 Customer Compliance Challenges 24:21 Vendor Risk Management and Trust Building 26:26 Leveraging AI for Compliance and Risk Management 31:43 Evaluating Credibility of Third-Party Evidence 41:09 Common Mistakes in GRC Programs 43:56 Final Thoughts and Industry Call to Action

Join G Mark Hardy at THOTCON in Chicago for an insightful podcast episode on building a successful cybersecurity career. Featuring guest Ryan Gooler, they discuss the non-linear paths to success, the value of mentorship, financial planning, and the importance of continuous learning and adapting. Learn how to navigate career transitions, embrace risks, and find joy in teaching and learning from others in the cybersecurity community. Transcripts: https://docs.google.com/document/d/1nsd61mkIWbmIL1qube0-cdqINsDujAVH    Chapters 00:00 Welcome to THOTCON: Meeting Amazing People 00:26 Introducing Ryan Gooler: A Journey into Cybersecurity 04:09 The Value of Mentorship in Cybersecurity 06:22 Career Management and Setting Goals 09:33 Financial Planning for Cybersecurity Professionals 16:40 Automating Finances and Smart Spending 21:25 Financial Sophistication and Mutual Funds 22:07 Automating Life Tasks 22:41 The Concept of a Finishing Stamp 24:17 Leadership and Delegation in the Navy 26:06 Building and Maintaining Culture 27:21 Surviving Toxic Environments 29:55 Taking Risks and Finding Joy 34:34 Advice for Cybersecurity Careers 39:01 The Importance of Teaching and Learning 40:29 Conclusion and Farewell

In this episode of CISO Tradecraft, host G Mark Hardy delves into the emerging concept of Model Context Protocol (MCP) and its significance in AI and enterprise security. Launched by Anthropic in November 2024, MCP is designed to standardize how AI systems interact with external data sources and applications. Hardy explores how MCP differs from traditional APIs, its implications for security, and the steps organizations need to take to prepare for its adoption. Key topics include the stateful nature of MCP, security risks such as prompt injection and tool poisoning, and the importance of developing a robust governance framework. By the end of the episode, listeners will have a comprehensive understanding of MCP and practical recommendations for safeguarding their AI-driven workflows. Transcripts https://docs.google.com/document/d/1vyfFJgTbsH73CcQhtBBkOfDoTrJYqzl_   References Model Context Protocol specification and security best practices, https://modelcontextprotocol.io  ⁠  Security risks of MCP, https://pillar.security  ⁠ ⁠ MCP security considerations, https://writer.com   Chapters 00:00 Introduction to Model Context Protocol (MCP) 00:27 Understanding MCP and Its Importance 01:41 How MCP Works and Its Security Implications 04:23 Comparing MCP to Traditional APIs 08:41 MCP Architecture and Security Benefits 12:07 Top Security Risks of MCP 18:00 Implementing Security Controls for MCP 25:00 Governance Framework for MCP 28:03 Future Trends and Strategic Recommendations 30:34 Conclusion and Next Steps

Web 3.0 Explained: Business Cases, Security, and Future Prospects | CISO Tradecraft In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Aaron Markell to discuss the intricacies of Web 3.0. They explore the evolution from Web 1.0 and Web 2.0 to the decentralized structure of Web 3.0, describing its application in various industries like finance, healthcare, and supply chain. The conversation dives into blockchain technology, the role of tokens, smart contracts, and consensus mechanisms like proof of work and proof of stake. They also touch on potential future developments involving AI in Web 3.0, offering valuable insights for business leaders and cybersecurity professionals looking to understand and leverage this emerging technology.    Chapters 00:00 Introduction to Web 3.0 00:31 Meet the Expert: Aaron Markell 01:39 Aaron's Journey into Web 3.0 03:51 Understanding Web 1.0, 2.0, and 3.0 04:36 Decentralization and Blockchain Basics 05:51 The SETI Project and Distributed Workloads 08:09 Proof of Work and Blockchain Security 17:22 Smart Contracts Explained 20:10 Proof of Stake vs. Proof of Work 23:51 The Role of Tokens in Web 3.0 24:22 Understanding Microtransactions and Ownership 25:05 What is an NFT? 26:40 The Rise and Fall of NFTs 28:36 Web 3.0 and Its Impact on Industries 30:10 Blockchain in Finance and Commerce 30:55 Private Blockchains and Government Transparency 34:09 Blockchain in Legal and Healthcare Sectors 36:59 Supply Chain Transformation with Web 3.0 39:59 The Future of Web 3.0 and AI Integration 41:03 Final Thoughts and Security Tips

Join G Mark Hardy, host of CISO Tradecraft, as he breaks down the latest insights from the 2025 Verizon Data Breach Investigations Report (DBIR). In this episode, discover the top 10 takeaways for cybersecurity leaders including the surge in third-party breaches, the persistence of ransomware, and the human factors in security incidents. Learn actionable strategies to enhance your organization's security posture, from improving vendor risk management to understanding industry-specific threats. Stay ahead of cybercriminals and secure your data with practical, data-driven advice straight from one of the industry's most anticipated reports. Verizon DBIR - https://www.verizon.com/business/resources/reports/dbir/ Transcripts - https://docs.google.com/document/d/1h_YMpJvhAMB9wRyx92WkPYiKpFYyW2qz Chapters 00:35 Verizon Data Breach Investigations Report (DBIR) Introduction 01:16 Accessing the DBIR Report 02:38 Key Takeaways from the DBIR 03:15 Third-Party Breaches 04:32 Ransomware Insights 08:08 Exploitation of Vulnerabilities 09:39 Credential Abuse 12:25 Espionage Attacks 14:04 System Intrusions in APAC 15:04 Business Email Compromise (BEC) 18:07 Human Risk and Security Awareness 19:19 Industry-Specific Trends 20:06 Multi-Layered Defense Strategy 21:08 Data Leakage to Gen AI

Join G Mark Hardy in this eye-opening episode of CISO Tradecraft as he shares a personal story about his dog Shelby's near-fatal experience and the costly lesson it taught him about technical debt. Discover how small overlooked issues in cybersecurity can compound and lead to significant risks and learn actionable steps to tackle technical debt before it turns into a crisis. Pictures of Dog https://drive.google.com/file/d/1nBc9e3bBJVW0BQt5inGryhP3ahBz4XsQ/view?usp=drive_link  https://drive.google.com/file/d/12V_DuwhgNBKgxJL0yqNq9Fopa4dauJfd/view?usp=drive_link Transcripts https://docs.google.com/document/d/1-_X_9RQrurOLKRvbXyMjgbygESsabcCK  Chapters 00:21 Welcome to CISO Tradecraft 00:36 RSAC 2025 Conference Experience 01:22 Shelby's Health Scare 02:08 Understanding Technical Debt 02:41 The Consequences of Technical Debt 04:09 Shelby's Story as a Technical Debt Analogy 09:28 Lessons Learned from Shelby's Story 13:09 Conclusion and Call to Action

In this episode of CISO Tradecraft, host G Mark Hardy and guest Sounil Yu delve into the dual-edged sword of implementing Microsoft 365 Copilot in enterprises. While this productivity tool has transformative potential, it introduces significant oversharing risks that can be mitigated with the right strategies. Discover how Sounil and his team at Knostic have been tackling these challenges for over a year, presenting innovative solutions to ensure both productivity and security. They discuss the importance of 'need to know' principles and knowledge segmentation, providing insight into how organizations can harness the power of Microsoft 365 Copilot safely and effectively. Tune in to learn how to avoid becoming the 'department of no' and start being the 'department of know.' Transcripts https://docs.google.com/document/d/1CT9HXdDmKojuXzWTbNYUE4Kgp_D64GyB Knostic's Website - https://www.knostic.ai/solution-brief-request  Chapters 00:00 Introduction to Microsoft Copilot Risks 00:32 Meet the Guest: Sounil Yu 02:51 Understanding Microsoft 365 Copilot 06:09 The DIKW Pyramid and Knowledge Management 08:34 Challenges of Data Permissions and Oversharing 19:01 Need to Know: A New Approach to Access Control 35:10 Measuring and Mitigating Risks with Copilot 39:46 Conclusion and Next Steps

In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently. Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII Chapters 00:00 Introduction to CVE and CVSS 01:13 History of Vulnerability Tracking 03:07 The CVE System Explained 06:47 Understanding CVSS Scoring 13:11 Recent Funding Crisis and Its Impact 15:53 Future of the CVE Program 18:27 Conclusion and Final Thoughts

Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.   Scott Gicking - https://www.linkedin.com/in/scottgickingus/ CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe   Chapters 01:16 Guest Introduction: Scott Gicking 02:49 Scott's Career Journey 04:03 The Hollywood Cybersecurity Incident 07:38 Introduction to CIS and Its Importance 09:49 Understanding the CIS CSAT Tool 10:13 Implementing CIS CSAT in a Real-World Scenario 13:00 Benefits of the CIS CSAT Tool 18:38 Developing a Three-Year Roadmap with CSAT 23:25 Scoring Policies and Controls 24:20 Control Implementation and Automation 25:22 CMMC Certification Levels 27:52 Honest Self-Assessment 30:01 Quick and Dirty Assessment Approach 33:07 Building Trust and Reporting 37:38 Business Impact Analysis Tool 40:02 Reputational Damage and CISO Challenges 42:55 Final Thoughts and Contact Information

Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today. Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit   Chapters 00:00 Introduction to the Evolution of the CISO Role 00:58 The First CISO: Steve Katz's Pioneering Journey 03:58 Rise of Security Certifications 08:39 Regulatory Wake-Up Calls and Compliance 12:23 Cybersecurity in the Age of State-Sponsored Attacks 17:58 The Impact of Major Cyber Incidents 25:07 Modern Challenges and the Future of the CISO Role 27:51 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader. Chris Hughes - https://www.linkedin.com/in/resilientcyber/ Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi Chapters  00:00 Introduction and Special Guest Announcement 00:55 Chris Hughes' Background and Career Journey 02:46 Government and Industry Engagement 03:42 Supply Chain Security Challenges 07:34 Vulnerability Management Insights 12:13 Navigating the Overwhelming Vulnerability Landscape 22:19 Building Positive Relationships in Cybersecurity 23:41 Empowering Risk-Informed Decisions 24:29 Aligning with Organizational Risk Appetite 25:33 Navigating Job Changes and Organizational Fit 26:32 The Role of Compliance in Security 33:27 The Impact of AI on Security 43:05 Balancing Build vs. Buy Decisions 45:05 Conclusion and Final Thoughts

In this episode of CSO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cybersecurity Center. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program. References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0 Chapters  00:00 Introduction to the Full Irish 01:32 Why Ireland? 02:40 Tax Avoidance Schemes 04:25 GDPR Penalties and Data Protection 05:54 Overview of the 12 Steps to Cybersecurity 07:19 Step 1: Governance and Organization 09:24 Step 2: Identify What Matters Most 10:31 Step 3: Understanding the Threats 12:35 Step 4: Defining Risk Appetite 14:10 Step 5: Education and Awareness 16:00 Step 6: Implement Basic Protections 18:00 Step 7: Detect and Attack 19:37 Step 8: Be Prepared to React 21:24 Step 9: Risk-Based Approach to Resilience 22:52 Step 10: Automated Protections 23:58 Step 11: Challenge and Test Regularly 25:29 Step 12: Cyber Risk Management Lifecycle 26:29 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G. Mark Hardy dives into the evolution, challenges, and solutions of Data Loss Prevention (DLP). From early methods like 'dirty word lists' in the military to advanced AI and machine learning models of today, discover how DLP technologies have developed to safeguard sensitive information. Learn about different DLP phases, regulatory impacts, and modern tools like Microsoft Purview that can help manage and classify data effectively. This episode is packed with valuable insights to help you tackle data security with confidence and efficiency. Transcripts https://docs.google.com/document/d/1u7owNI5P3WajJvRPIXbzrUYy-PCsRcfC References Crash course in Microsoft Purview: A guide to securing and managing your data estate Chapters 00:00 Introduction to Data Loss Prevention (DLP) 00:45 Early Days of DLP: Dirty Word Lists and Simple Networks 02:39 Evolution of DLP: Content Filtering and Endpoint Protection 06:05 Advanced Content Inspection and Policy Enforcement 09:19 Unified DLP and Cloud Adoption 16:04 Modern DLP: AI, Machine Learning, and Zero Trust 19:12 Implementing DLP with Microsoft Purview 28:59 Summary and Final Thoughts  

In this episode of CISO Tradecraft, G. Mark Hardy dives deep into the world of Agentic AI and its impact on cybersecurity. The discussion covers the definition and characteristics of Agentic AI, as well as expert insights on its feasibility. Learn about its primary functions—perception, cognition, and action—and explore practical cybersecurity applications. Discover the rapid advancements made by tech giants and potential risks involved. This episode is a comprehensive guide to understanding and securely implementing Agentic AI in your enterprise. Transcripts https://docs.google.com/document/d/1tIv2NKX0DL4NTnvqKV9rKrgrewa68m3W References Vladimir Putin - https://www.rt.com/news/401731-ai-rule-world-putin/ Minds and Machines - https://link.springer.com/article/10.1007/s44163-024-00216-2 Anthropic - https://www.cnbc.com/2024/10/22/anthropic-announces-ai-agents-for-complex-tasks-racing-openai.html Convergence AI - https://convergence.ai/training-web-agents-with-web-world-models-dec-2024/ OpenAI Operator - https://openai.com/index/introducing-operator/ ByteDance UITARS - https://venturebeat.com/ai/bytedances-ui-tars-can-take-over-your-computer-outperforms-gpt-4o-and-claude/ Zapier - https://www.linkedin.com/pulse/openai-bytedance-zapier-launch-ai-agents-getcoai-l6blf/ Microsoft OmniParser - https://www.microsoft.com/en-us/research/articles/omniparser-v2-turning-any-llm-into-a-computer-use-agent/ Google Project Mariner - https://deepmind.google/technologies/project-mariner/ Rajeev Sharma - Agentic AI Architecture - https://markovate.com/blog/agentic-ai-architecture/ NIST.AI.600-1 - https://doi.org/10.6028/NIST.AI.600-1 Mitre ATLAS - https://atlas.mitre.org/ OWASP Top 10 for LLMs - https://owasp.org/www-project-top-10-for-large-language-model-applications/ ISO 42001 - https://www.iso.org/standard/81230.html Chapters  00:00 Introduction and Intriguing Quote 01:10 Defining Agentic AI 02:01 Expert Insights on Agency 04:32 Agentic AI in Practice 06:54 Recent Developments in Agentic AI 08:20 Deep Dive into Agentic AI Infrastructure 15:35 Use Cases for Agentic AI 21:12 Challenges and Considerations 24:22 Conclusion and Recap

In this episode of CISO Tradecraft, G. Mark Hardy shares 15 crucial characteristics to help you succeed in your cybersecurity career and become an effective CISO. From knowing yourself and developing leadership skills to enhancing communications and staying current with trends, Hardy distills decades of wisdom into practical advice. Learn how to navigate career transitions, build technical credibility, become an effective storyteller, and master political skills essential for C-level success. Transcripts: https://docs.google.com/document/d/1MpjXD8LqnHS_Lj1S-6T7vxcclxzUjEhe   Chapters 01:30 Know Yourself: The First Step to Success 05:23 Develop Your Leadership Skills 07:09 Enhance Your Communication Skills 11:37 Gain Broad Experience 14:28 Pursue Advanced Education 18:13 Network with Other Professionals 20:47 The Importance of Mentorship 22:20 Building Valuable Connections 23:43 Aligning with Business Goals 25:38 Deepening Technical Expertise 26:59 Staying Current with Trends 28:03 Promoting a Security-First Culture 30:18 Addressing Skills Gaps 31:53 Becoming a Master Storyteller 33:35 Engaging with Executives 34:41 Strategic Thinking and Time Management 37:27 Mastering Political Skills 39:14 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, host G Mark Hardy discusses Microsoft's groundbreaking announcement of their new quantum chip, the Majorana. The chip harnesses properties of a topological superconductor, making quantum computing promises more tangible. The episode delves into the technical aspects of quantum bits (qubits), cryptography, and the implications of topological quantum computing. With insights on competitor advancements by Google and potential challenges, this episode provides a comprehensive overview of quantum computing's future and its cyber security implications.   Transcripts: https://docs.google.com/document/d/1O2XG47o2_6jHBtPKL2PcwGRKPe69wFvi Link: https://azure.microsoft.com/en-us/blog/quantum/2025/02/19/microsoft-unveils-majorana-1-the-worlds-first-quantum-processor-powered-by-topological-qubits/   Chapters 00:00 Introduction to CISO Tradecraft 00:26 Microsoft's Quantum Chip Announcement 01:51 Understanding Quantum Bits 03:23 Quantum Computing and Cryptography 06:00 Microsoft's Quantum Leap 09:41 The Physics Behind Quantum Computing 16:48 Majorana Particle and Its Significance 20:29 Applications and Future of Quantum Computing 25:01 Conclusion and Final Thoughts  

In this CISO Tradecraft episode, host G. Mark Hardy delves into the recent U.S. presidential executive orders impacting AI and their implications for cybersecurity professionals. Learn about the evolution of AI policies from various administrations and how they influence national security, innovation, and the strategic decisions of CISOs. Discover key directives, deregulatory moves, and practical steps you can take to secure your AI systems in an era marked by rapidly changing regulations. Plus, explore the benefits of using AI tools like ZeroPath to bolster your cybersecurity efforts. Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/ Transcripts: https://docs.google.com/document/d/1Nv27tpDQs2fjdOedJOi0LhlkyQ5N5dKt Links:  https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/  https://www.federalregister.gov/documents/2019/02/14/2019-02544/maintaining-american-leadership-in-artificial-intelligence https://www.csis.org/analysis/made-china-2025 https://www.researchgate.net/publication/242704112_China's_15-year_Science_and_Technology_Plan  https://www.federalregister.gov/documents/2020/12/08/2020-27065/promoting-the-use-of-trustworthy-artificial-intelligence-in-the-federal-government  https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence  https://www.presidency.ucsb.edu/documents/executive-order-14148-initial-rescissions-harmful- executive-orders-and-actions https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting- innovation-in-the-nations-cybersecurity https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting- innovation-in-the-nations-cybersecurity  https://www.cisecurity.org/controls/cis-controls-list  Chapters  00:00 Introduction to AI Policy Shifts 00:23 AI Tool for Cybersecurity: ZeroPath 01:12 Understanding Executive Orders 02:44 EO 13859: Maintaining American Leadership in AI 05:42 EO 13960: Trustworthy AI in Federal Government 07:10 EO 14028: Strengthening U.S. Cybersecurity 09:38 EO 14110: Safe and Trustworthy AI Development 11:09 EO 14148: Rescinding AI Policies 12:21 EO 14179: Removing Barriers to AI Innovation 15:26 EO 14144: Strengthening Cybersecurity Innovation 37:19 Mapping Executive Orders to CIS Controls 40:15 Conclusion and Key Takeaways

This podcast episode discusses the formation of a professional association for CISOs, driven by increasing personal liability risks faced by these executives. The conversation centers on establishing a formal definition and accreditation process for the CISO role, moving beyond existing certifications to demonstrate operational and theoretical expertise. This professionalization effort aims to reduce personal liability through a tailored insurance product, negotiated collectively by the association, and preempt potentially ill-defined government regulations. Ultimately, the goal is to create a structured, respected profession for CISOs, offering benefits such as insurance, professional development, and a unified voice within the industry. Professional Association of CISOs - https://theciso.org/ Transcripts - https://docs.google.com/document/d/1BNeUzSyPYX-vAYwQl9qCi0GhknYhKnWF/  Chapters  00:00 Introduction to Professionalizing the CISO Role 00:52 The Genesis of a Professional Association 03:39 Challenges and Legal Liabilities for CISOs 04:43 The Value of Joining the Association 06:24 Accreditation and Certification Process 10:38 Insurance and Risk Management for CISOs 18:45 Future Directions and Getting Involved

In this episode of CISO Tradecraft, host G. Mark Hardy and special guest Colleen Lennox dive into the transformative power of AI in HR. Discover how AI can revolutionize identifying, attracting, and retaining cybersecurity talent. They discuss the challenges of finding the right personnel in the cybersecurity field, the innovative AI-driven solutions that can streamline recruitment processes, and how these tools can help in talent management and career progression. Stay tuned as they explore the potential of AI in creating a more effective and bias-free hiring process, while also discussing the future implications for HR and recruiters in the evolving landscape. Big Thanks to our Sponsors: CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration! Transcripts: https://docs.google.com/document/d/1f6B9Ye02WHWo7q15avBm0359pxGNqnVu   Chapters  00:00 Introduction: AI and Workforce Concerns 00:28 Welcome to CISO Tradecraft 01:01 Meet Colleen Lennox: AI in HR 01:27 Challenges in Cybersecurity Recruitment 03:11 AI-Powered Recruitment Solutions 07:07 Improving Talent Management with AI 13:36 Addressing Bias in AI Recruitment 17:20 Future of AI in HR and Recruitment 21:04 Conclusion and Contact Information

In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.   Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/ CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!   The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf   Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X   Chapters 03:27 The Genesis of Includes No Dirt 05:05 Combining Security, Privacy, and Compliance 07:24 Implementing the No Dirt Model 11:42 Scoring and Evaluating Risks 17:41 Third-Party Risk Management 25:49 Evaluating SaaS Requests Based on Risk 27:55 Adapting Threat Models for AI 31:24 Principles of Minimum Necessary Data 33:42 General Applicability of Security Principles 35:12 Includes No Dirt: A Comprehensive Threat Model 40:15 Final Thoughts and Recommendations

Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you're an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization's security practices. Big Thanks to our Sponsors: ZeroPath - https://zeropath.com/ CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!   Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH   Learn more about this topic by reading Justin's Website - https://securitychampionsuccessguide.org/ Justin Lehr's Company - https://www.katilyst.com/   Chapters 01:05 Meet Dustin Lair 04:05 Leadership vs. Management 06:17 The Role of Security Champions 17:20 Recruiting Security Champions 24:42 Exploring the Framework: Vision and Goals 26:25 Defining Participants and Their Roles 28:37 Understanding the Current Setting 33:27 Conceptualizing Ideal Actions 35:20 Designing with Gamification in Mind 40:30 Effective Delivery and Continuous Tuning 41:30 Overcoming Challenges and Final Thoughts

In this episode of CISO Tradecraft, host G Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.   Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10   Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy Chapters 01:19 1) AI Influencers become normalized 03:17 2) The Importance of Production Quality in Branding 05:19 3) Google and Apple Collaboration for Enhanced Security 06:28 4) Consolidation in Application Security and Vulnerability Management 08:36 5) The Rise of Models Committees 09:09 6) Formalizing the CISO Role 11:03 7) Exclusive CISO Retreats: The New Trend 12:12 8) Automating Cybersecurity Tasks with Agentic AI 13:10 9) Browser-Based Security Solutions 14:22 10) Post-Quantum Cryptography: Preparing for the Future  

In this episode of CISO Tradecraft, host G Mark Hardy interviews Ross Haleliuk, author of 'Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup.' Ross shares valuable insights on starting a cybersecurity company, and emphasizes the importance of understanding market needs, customer engagement, and trust in the industry. They discuss the role of angel investors, the differences between product and service companies, and the challenges founders face. The episode also includes an announcement about CISO Tradecraft's partnership with CruiseCon for an upcoming cybersecurity conference. Additionally, Ross provides a glimpse into his non-traditional background and journey into the cybersecurity space.   Thank you to our sponsors - ThreatLocker - https://hubs.ly/Q02_HRGK0 - CruiseCon - https://cruisecon.com/   Ross Haleliuk's Book - https://www.amazon.com/Cyber-Builders-Essential-Building-Cybersecurity/dp/173823410X/ Ross Haleliuk's LinkedIn Page - https://www.linkedin.com/in/rosshaleliuk/    Transcripts: https://docs.google.com/document/d/1b8UPolYvYWEYbmO7n_7NqrilObv-HNzo  Chapters 02:28 Ross Haleliuk's Background and Journey 04:32 Discussing the Book: Cyber for Builders 10:52 Insights on Cybersecurity and Business 15:54 Challenges and Realities of Cybersecurity Startups 22:19 Navigating Market Competition 23:15 Entering Established Markets 24:28 Challenges in Security Tool Adoption 25:11 Legacy Vendors and Market Entrenchment 27:35 Building a Company: Beyond the Product 30:02 Validating Market Needs 32:27 Funding Your Startup 35:25 The Role of Angel Investors 43:29 Conclusion and Next Steps

Join us on CISO Tradecraft as we explore the future of cybersecurity with Merritt Barrett, former Deputy CISO at AWS. Merritt, a Harvard Law graduate, shares her expert insights on the trends expected in the upcoming years, emphasizing the enduring aspects of cybersecurity, the implications of AI, and challenges in cloud security. Discover valuable strategies for managing security risks, the evolution of ransomware, and the integration of sustainable practices within the industry. Don't miss this episode filled with practical advice for current and aspiring CISOs! Thank you to our sponsors - ThreatLocker - https://hubs.ly/Q02_HRGK0 - CruiseCon - https://cruisecon.com/   Transcripts https://docs.google.com/document/d/1KRkN7jVZvAaYk1eSBde3GTiD-G9RPjXJ   Chapters 00:00 Introduction and Guest Overview 01:16 Future of Cybersecurity 02:18 AWS Security Insights 04:35 Shared Responsibility Model 09:59 AI in Cybersecurity 21:55 Security and Environmental Concerns 32:36 Predictions for 2025 and Beyond 42:46 Closing Remarks and Contact Information

In this episode of CISO Tradecraft, host G Mark Hardy discusses the history and evolution of endpoint protection with guest Kieran Human from ThreatLocker. Starting from the inception of antivirus software by John McAfee in the late 1980s, the episode delves into the advancements through Endpoint Detection and Response (EDR) and introduces the latest in endpoint security: allowlisting and ring fencing. The conversation highlights the limitations of traditional antivirus and EDR solutions in today's threat landscape, emphasizing the necessity of default-deny approaches to enhance cybersecurity. Kieran explains how ThreatLocker's allowlisting and ring-fencing capabilities can block unauthorized applications and actions, thus significantly reducing the risk of malware and ransomware attacks. Practical insights, war stories, and deployment strategies are shared to help cybersecurity leaders implement these next-generation tools effectively.   Thank you to our sponsor ThreatLocker https://hubs.ly/Q02_HRGK0 Transcripts: https://docs.google.com/document/d/1UMrK44ysBjltNkddCkwx9ly6GJ14tIbC Chapters 00:00 Introduction to Endpoint Protection 00:41 Upcoming Event: CruiseCon 2025 01:18 History of Endpoint Protection 03:34 Evolution of Antivirus to EDR 05:25 Next-Gen Endpoint Protection: Allowlisting 06:44 Guest Introduction: Kieran Human from ThreatLocker 08:06 Benefits of Allowlisting and Ring Fencing 17:14 Challenges and Best Practices 26:19 Conclusion and Call to Action

In this crucial episode of CISO Tradecraft, host G Mark Hardy delves into the urgent topic of the 'Salt Typhoon' threat, with insights from experts Adam Isles and Andreas Kurland from the Chertoff Group. The episode covers the implications for corporate security using SMS text messages when Chinese actors are breaking into major telecommunication entities. The conversation focuses on encryption, secure communications, and measures to mitigate risks from vulnerabilities in telecommunications infrastructure. The discussion includes practical steps for securing messaging, voice calls, virtual meetings, and emails. Learn actionable strategies to bolster your organization's cybersecurity posture and ensure robust defense against sophisticated state-level cyber threats. Thank you to our sponsor Threat Locker https://www.threatlocker.com/pages/essential-eight-fast-track?utm_source=ciso_tradecraft&utm_medium=sponsor&utm_campaign=essential-eight_q4_24&utm_content=essential-eight&utm_term=podcast Link to recommendations: https://chertoffgroup.com/end-to-end-encryption-is-essential/  Transcripts https://docs.google.com/document/d/13NKPUBU3c-qYQtX18NR08oYVRSSnHD_a Chapters: 00:00 Introduction to Salt Typhoon 01:31 Meet the Experts: Adam Isles and Andreas Kurland 02:03 Understanding the Salt Typhoon Threat 04:49 Telecommunications and Security Risks 07:37 Messaging Security: Risks and Recommendations 20:14 Voice Communication Security 28:44 Securing Virtual Meetings 34:45 Email Security: Challenges and Solutions 41:35 Conclusion and Contact Information

In this riveting episode of CISO Tradecraft, host G Mark Hardy welcomes back Richard Thieme, a thought leader in cybersecurity and technology, almost three years after his last appearance. Richard delves into the necessity of thinking like a hacker, provides insights into the AI singularity, and discusses the ethical and societal implications of emerging technologies. The conversation also touches on Richard's extensive body of work, including his books and views on cyber warfare, disinformation, and ethical decision-making. Tune in for a thought-provoking discussion that challenges conventional wisdom and explores the interconnectedness of technology, consciousness, and our future. Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10 Richard Thieme's Books: https://www.amazon.com/stores/author/B0034Q73IE Transcripts: https://docs.google.com/document/d/1Q7CJkF7Spji2iAbV_mYEyYHnKWobzo6N Chapters  00:00 Introduction and Guest Announcement 00:56 Upcoming Cybersecurity Event: CruiseCon 01:41 Welcoming Back Richard Thieme 02:06 Reflecting on Past Discussions 02:59 The Necessity for Thinking Like a Hacker 03:10 Exploring Richard Thieme's Books 08:25 Understanding AI and Its Implications 18:28 Soft Power and Global Influence 24:01 The Power of Fiction in Revealing Truth 24:37 Ethical Frameworks Post 9/11 26:12 The Role of Empathy in Intelligence Work 26:37 The Blurring Line Between Fact and Fiction 29:52 The Isolation of Intelligence Work 31:18 The Interconnectedness of Everything 33:36 Exploring Remote Viewing and Consciousness 36:50 The Rise of AI and Ethical Considerations 39:43 The Evolution of Technology and Society 45:07 Final Thoughts and Reflections

This podcast episode of CISO Tradecraft features Shawnee Delaney, an insider threat expert, discussing insider threats in cybersecurity. Delaney, whose background includes espionage, explains how understanding human motivation and vulnerabilities is crucial for identifying and mitigating insider threats. The conversation highlights the importance of organizational culture, employee well-being, and proactive measures like employee lifecycle management and psychological testing in preventing such threats. Practical advice is offered for leaders to foster a supportive and communicative work environment to detect potential threats early. Finally, methods for creating effective insider threat programs and addressing cultural issues are explored. Shawnee Delaney's LinkedIn - https://www.linkedin.com/in/shawnee-delaney/ Vaillance Group - https://www.vaillancegroup.com/ Transcripts: https://docs.google.com/document/d/1xJiEMDL8CjNwwfBSvNHfnhfsrVgOMuk0 Chapters 00:00 Introduction to Insider Threat 00:26 Guest Introduction: Shawnee Delaney 00:58 CruiseCon 2025 Announcement 01:33 Shawnee's Career Journey 02:18 Understanding Espionage 03:43 Motivations Behind Espionage 07:46 Indicators of Insider Threat 10:48 Building a Positive Organizational Culture 18:21 Implementing an Insider Threat Program 21:05 Psychological Testing in Hiring 23:26 Assessing Organizational Culture 25:34 Core Values in the Navy and Marine Corps 26:16 A Commanding Officer's Story 28:32 Identifying Insider Threats 32:01 The Impact of Job Uncertainty 36:50 Gamifying Security Incentives 39:12 Building a Strong Security Culture 42:05 Final Thoughts and Recommendations

Welcome to another enlightening episode of CISO Tradecraft! In this episode, host G. Mark Hardy dives deep into the critical topic of CISO burnout with special guest Raghav Singh, a PhD candidate from the University of Buffalo. This is an eye-opening session for anyone in the cybersecurity field, especially those in or aspiring to the CISO role. Raghav shares valuable insights from his extensive research on the unique stresses faced by CISOs, the organizational factors contributing to burnout, and practical coping mechanisms. We also explore the evolutionary phases of CISOs, from technical experts to strategic business enablers. Whether you're dealing with resource limitations, seeking executive support, or managing ever-evolving cybersecurity threats, this episode offers actionable advice to navigate the demanding role of a CISO successfully. Don't forget to like, comment, and share to help other CISOs and cybersecurity leaders! Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10 Transcripts: https://docs.google.com/document/d/1fhLkaj_JetlYFQ50Q69uMGmsw3fS3Wqa CISO Burnout - https://aisel.aisnet.org/amcis2023/sig_lead/sig_lead/4/ CISO-CIO Power Dynamics https://aisel.aisnet.org/amcis2024/is_leader/is_leader/6/  Cybersec professionals and AI integration https://aisel.aisnet.org/amcis2024/security/security/29/ Raghav can be reached on rsingh45@buffalo.edu Chapters  00:00 Introduction and Guest Welcome 02:34 Understanding CISO Burnout 03:24 PhD Journey and Challenges 10:12 Key Findings on CISO Burnout 18:39 Six Sources of CISO Burnout 32:47 CISO Maturity Levels 42:57 Conclusion and Call to Action

Setting Sail with Cybersecurity: Exclusive Insights from Ira Winkler on CruiseCon 2025

Join G. Mark Hardy on this exciting episode of CISO Tradecraft as he interviews J.C. Vega, the first cyber colonel in the United States Army. Vega shares his invaluable insights on leadership, team building, and success strategies that can transform your cybersecurity career. Plus, learn about CruiseCon 2025, Wee Dram, and how you can take your leadership skills to the next level. Don't miss out on this episode packed with wisdom, actionable advice, and some fun anecdotes. Subscribe, comment, and share with your peers! Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/ CruiseCon Discount Code: CISOTRADECRAFT10   JC Vega - https://www.linkedin.com/in/jcvega-cyber-colonel/  Transcripts: https://docs.google.com/document/d/1ExuX-WVO4_qqLoIZDuT0QS2VAvN2resW   Chapters 00:00 Introduction and Special Guest Announcement 01:15 Meet J.C. Vega: The First Cyber Colonel 01:55 The Wee Dram Community 03:39 Building a Trusted Cybersecurity Community 09:12 Leadership Principles from Military to Civilian Life 12:31 Building and Leading Effective Teams 24:17 The Peter Principle and Career Progression 24:49 Creating a Shared Understanding in Cybersecurity 26:43 Commander's Intent: Defining Success 29:29 Empowering Teams and Accepting Prudent Risk 36:19 Rules to Live By: The Vega's Top Three 44:58 Final Thoughts and Farewell

In this special Halloween episode of CISO Tradecraft, host G Mark Hardy delves into the lurking dangers of Shadow IT and Zombie IT within organizations. Learn about the origins, risks, and impacts of these hidden threats, and discover proactive measures that CISOs can implement to safeguard their IT ecosystems. Strategies discussed include rigorous asset management, automation, and comprehensive compliance reviews. Tune in for insights to foster a secure, compliant, and efficient IT environment, and don't miss out on an exclusive opportunity to join a cybersecurity conference aboard a luxury cruise.   CruiseCon Discount Code: CISOTRADECRAFT10 CruiseCon Link: https://cruisecon.com/   Transcripts: https://docs.google.com/document/d/1lh-TQhaSOIA2rITaXgTaqugl7FRGevnn   Chapters  00:00 Introduction to Shadow IT and Zombie IT 02:14 Defining Shadow IT 04:58 Risks of Shadow IT 07:29 Introduction to Zombie IT 09:35 Risks of Zombie IT 11:25 Shadows vs Zombies 11:25 Comparing Shadow IT and Zombie IT 19:11 Lifecycle Management Strategies 19:56 Summarizing the Threats and Solutions 22:32 Final Thoughts and Call to Action

Unlocking SOC Excellence: Master the SOC Capability Maturity Model Join host G Mark Hardy in this compelling episode of CISO Tradecraft as he explores the revolutionary SOC Capability Maturity Model (SOC CMM) authored by Rob van Os. This episode is a must-watch for CISOs, aspiring CISOs, and cybersecurity professionals aiming to optimize their Security Operations Center (SOC). Learn how to measure, evaluate, and enhance your SOC's maturity across key domains including Business, People, Process, Technology, and Services. Gain insights into leveraging radar charts for visualizing SOC capabilities and hear case studies such as a mid-sized financial company's remarkable improvements. Discover why understanding your SOC's strengths and weaknesses and conducting risk-based improvement planning are crucial. Don't miss out—elevate your cyber resilience today, subscribe, and share with your network to set your SOC on the path to excellence! References: SOC-CMM - https://www.soc-cmm.com/products/soc-cmm/ Robert van Os - https://www.linkedin.com/in/socadvisor/ Transcripts: https://docs.google.com/document/d/1Fk6_t9FMyYXDF-7EfgpX_ZjLc0iPAgfN Chapters 00:12 Introduction to CISO Tradecraft and SOCs 01:20 Understanding SOC CMM: A Game-Changing Tool 02:29 Evaluating SOC Maturity and Capability 06:04 Benefits and Implementation of SOC CMM 07:56 Understanding SOC Assessments 08:55 Deep Dive into SOC CMM Domains 12:42 Benefits and Flexibility of SOC CMM 14:40 Real-World Application and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy explores the challenges and misconceptions facing the next generation of cybersecurity professionals. The discussion covers the myth of a talent shortage, the shortcomings of current educational and certification programs, and the significance of aligning curricula with real-world needs. Hardy emphasizes the importance of hands-on experience, developing soft skills, and fostering continuous learning. The episode also highlights strategies for retaining talent, promoting internal training, and creating leadership opportunities to cultivate a skilled and satisfied cybersecurity workforce. Transcripts: https://docs.google.com/document/d/12fI2efHXuHR4dS3cu7P0UIBCtjBdgREI Chapters 00:00 Introduction to the Cybersecurity Talent Crisis 00:40 Debunking the Talent Shortage Myth 02:23 The Real Talent Gap: Mid-Career Professionals 03:04 Outsourcing and Its Impact on Entry-Level Jobs 08:29 Challenges in Cybersecurity Education 16:13 The Importance of Practical Skills Over Theory 23:52 The Importance of Writing Skills 25:10 Continuous Learning and Self-Investment 26:07 Performance and Career Progression 28:40 Mentorship and Onboarding 29:51 Training and Development Challenges 32:32 Retention Strategies 33:44 Engaging Junior Employees 39:07 Technology and Innovation 40:54 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, hosted by G Mark Hardy, you'll learn about four crucial tools in cloud security: CNAPP, CASB, CSPM, and CWPP. These tools serve various functions like protecting cloud-native applications, managing access security, maintaining cloud posture, and securing cloud workloads. The discussion covers their roles, benefits, key success metrics, and best practices for CISOs. As the cloud security landscape evolves, understanding and integrating these tools is vital for keeping your organization safe against cyber threats. Transcripts: https://docs.google.com/document/d/1Mx9qr30RuWrDUw1TLNkUDQ8xo4xvQdP_ Chapters  00:00 Introduction to Cloud Security Tools 02:24 Understanding CNAPP: The Comprehensive Cyber Defense 08:13 Exploring CASB: The Cloud Access Gatekeeper 11:12 Diving into CSPM: Ensuring Cloud Compliance 13:40 CWPP: Protecting Cloud Workloads 15:08 Best Practices for Cloud Security 15:54 Conclusion and Final Thoughts

In this episode of CISO Tradecraft, hosts G Mark Hardy and Mark Rasch discuss the intersection of artificial intelligence and the law. Recorded at the COSAC computer conference in Dublin, this episode covers the legal implications of AI, copyright issues, AI-generated content, privacy concerns, and ethical considerations. They explore the nuances between directed and undirected AI, the importance of training data, and the potential risks and liabilities associated with AI-driven systems. Tune in for a deep dive into how AI is reshaping cybersecurity and legal landscapes. Transcripts: https://docs.google.com/document/d/1s_eDwz-FPuyxYZRJaOknWi2Ozjqmodrl Chapters 00:00 Introductions 01:13 Diving into Artificial Intelligence 04:04 Directed vs. Undirected AI 11:02 Legal and Ethical Issues of AI 23:47 AI and Copyright: Who Owns the Creation? 26:59 The Role of AI in Information Security 32:51 Ethical Dilemmas in AI Decision-Making 39:18 Future Challenges and Recommendations for AI

Join G. Mark Hardy in Torremolinos, Spain, for a deep dive into the security of Generative AI. This episode of CISO Tradecraft explores the basics of generative AI, including large language models like ChatGPT, and discusses the key risks and mitigation strategies for securing AI tools in the workplace. G. Mark provides real-world examples, insights into the industry's major players, and practical steps for CISOs to balance innovation with security. Discover how to protect sensitive data, manage AI-driven hallucinations, and ensure compliance through effective governance and ethical guidelines. Plus, get a glimpse into the future of AI vulnerabilities and solutions in the ever-evolving tech landscape. References OWASP Top 10 LLM Risks https://genai.owasp.org/ Gartner CARE Standard - https://www.gartner.com/en/documents/3980890 Make sure your controls work consistently over time (Consistency) Make sure your controls meet the business needs (Adequacy) Make sure your controls are appropriate and fair (Reasonableness) Make sure your controls produce the desire outcome (Effectiveness) Transcripts: https://docs.google.com/document/d/1V2ar7JBO503MN0RZcH7Q7VBkQUW9MYk6 Chapters 00:00 Introduction from Spain 00:42 Understanding Generative AI 03:25 Major Players in Generative AI 05:02 Risks of Generative AI 15:14 Mitigating Generative AI Risks 18:23 Implementing Solutions 24:09 Conclusion and Call to Action

G Mark Hardy dives deep into effective strategies for securing your business. Learn why it's essential for cybersecurity leaders to communicate the real business impact of vulnerabilities and discover the importance of identifying and prioritizing critical business processes.  Gain insights from historical references and practical frameworks like the CIA triad (Confidentiality, Integrity, Availability) to bolster your organization's cybersecurity posture. Tune in as G Mark, broadcasting from Glasgow, Scotland, shares valuable lessons on proactive security measures, risk-based decision-making, and crisis recovery strategies. 7 critical business processes common to most organizations. Book  Order  Bill  Pay Ship  Close Communicate  Transcripts https://docs.google.com/document/d/1Ra3c0J5Wo6s2BSqhNoNyqm9D65ogT07h Chapters 00:00 Introduction to Securing the Business 00:12 Begin Podcast 01:08 Understanding Critical Business Processes 02:23 Identifying and Prioritizing Business Functions 03:00 Real-World Example: Restaurant Booking System 04:57 Decision Making in Crisis Situations 10:38 Mapping Confidentiality, Integrity, and Availability 19:42 Conclusion and Final Thoughts

Join host G Mark Hardy as he dives deep into the complexities of compliance and reporting, featuring special guests Brian Bradley and Josh Williams from FedShark. Discover a unique and streamlined approach to compliance using FedShark's innovative tools and AI-assisted systems. Learn about their exclusive offers for CISO Tradecraft listeners, including free downloads and discounted pre-assessment tools. Topics covered include CMMC, HIPAA, PCI, and more. Whether you're part of the Defense Industrial Base or dealing with multiple compliance frameworks, this episode is packed with practical advice to make your compliance journey smoother and more effective. Thanks to our podcast sponsor, Fedshark CISO Traderaft Promo & Link to CMMC White Papers: https://fedshark.com/ciso RapidAssess: https://fedshark.com/rapid-assess Company website: https://fedshark.com FedShark Blog: https://fedshark.com/blog Schedule a Demo: https://fedshark.com/contact-us LinkedIn Matt Beaghley: https://www.linkedin.com/in/mbeaghley/ LinkedIn Brian Bradley: https://www.linkedin.com/in/brian-bradley-97a82668/   Chapters  00:00 Introduction and Special Offer 03:18 Meet the Experts: Brian and Josh 06:49 Challenges in Compliance 16:23 Understanding CMMC 29:02 Understanding Scope in Compliance 30:22 Introducing the AI-Enhanced Compliance Solution 31:24 Streamlining Interviews and Documentation 42:19 Final Thoughts and Recommendations

G Mark Hardy and guest Deb Radcliff talk about experiences and takeaways from Black Hat, and delve into the dynamic world of cybersecurity. Deb shares her perspectives on the intersection of AI, DevSecOps, and cyber warfare, while highlighting insights from her 'Breaking Backbones' trilogy.  Transcripts: https://docs.google.com/document/d/1XN9HjdljJYKlUITrxZ10HTq9e91R8FNT Book 1: Breaking Backbones: Information Is Power         https://amzn.to/4dLSBxQ Book 2: Breaking Backbones: Information Should Be Free         https://amzn.to/4e3BRlB Book 3: Breaking Backbones: From Chaos to Order         https://amzn.to/3X8e4u2 Chapters 00:00 Introduction and Welcome Back 01:18 Black Hat and Security Leaders Dinner 04:39 The Evolution of Cybersecurity Conferences 10:59 AI and Cybersecurity Trends 22:01 The Chip Dilemma: Parenting in a Monitored Society 23:09 Crafting Characters: Inspirations and Transformations 25:58 Writing Process: From Drafts to Details 31:38 Future of Cybersecurity: Autonomous Systems and Legal Challenges

In this episode of CISO Tradecraft, host G Mark Hardy is joined by special guest Snehal Antani, co-founder of Horizon3.AI, to discuss the crucial interplay between offensive and defensive cybersecurity tactics. They explore the technical aspects of how observing attacker behavior can enhance defensive strategies, why traditional point-in-time pen testing may be insufficient, and how autonomous pen testing can offer continuous, scalable solutions. The conversation delves into Snehal's extensive experience, the importance of readiness over compliance, and the future of cybersecurity tools designed with humans out of the loop. Tune in to learn how to elevate your cybersecurity posture in a rapidly evolving threat landscape. Horizon3 - https://www.horizon3.ai Snehal Antani - https://www.linkedin.com/in/snehalantani/ Transcripts: https://docs.google.com/document/d/1IFSQ8Uoca3I7TLqNHMkvm2X-RHk8SWpo Chapters: 00:00 Introduction and Guest Welcome 01:43 Background and Experience of Snehal Antani 03:09 Challenges and Limitations of Traditional Pen Testing 14:47 The Future of Pen Testing: Autonomous Systems 23:10 Leveraging Data for Cybersecurity Insights 24:02 Expanding the Attack Surface: Cloud and Supply Chain 24:46 Third-Party Risk Management Evolution 44:37 Future of Cyber Warfare: Algorithms vs. Humans

In this episode of CISO Tradecraft, host G Mark Hardy delves into the intricate world of Identity and Access Management (IAM). Learn the essentials and best practices of IAM, including user registration, identity proofing, directory services, identity federation, credential issuance, and much more. Stay informed about the latest trends like proximity-based MFA and behavioral biometrics. Understand the importance of effective IAM implementation for safeguarding sensitive data, compliance, and operational efficiency. Plus, hear real-world examples and practical advice on improving your IAM strategy for a secure digital landscape. Transcripts: https://docs.google.com/document/d/15zUupqhCQz9llwy21GW5cam8qXgK80JB Chapters 00:00 Introduction to CISO Tradecraft 01:24 Understanding Identity and Access Management (IAM) 01:54 Gartner's Magic Quadrant and IAM Vendors 03:29 The Importance of IAM in Enterprises 04:28 User Registration and Verification 06:48 Password Policies and Best Practices 09:53 Identity Proofing Techniques 14:53 Directory Services and Role Management 18:27 Identity Federation and Credential Issuance 22:22 Profile and Role Management 26:17 Identity Lifecycle Management 29:23 Access Management Essentials 35:05 Review and Conclusion

In this comprehensive episode of CISO Tradecraft, host G Mark Hardy sits down with Christian Hyatt, author of 'The Security Team Operating System'. Together, they delve into the five essential components needed to transform your cyber security team from reactive to unstoppable. From defining purpose and values to establishing clear roles, rhythms, and goals, this podcast offers practical insights and tools that can improve the efficacy and culture of your security team. If you're looking for strategic frameworks to align your team with business objectives and create a resilient security culture, you won't want to miss this episode! Christian Hyatt's LinkedIn Profile: https://www.linkedin.com/in/christianhyatt/ Link to the Book: https://a.co/d/aHpXXfr Transcripts: https://docs.google.com/document/d/1ogBdtJolBJTOVtqyFLO5onuLxBsfqqQP Chapters 00:00 Introduction and Guest Welcome 01:31 Overview of the Security Team Operating System 03:31 Deep Dive into the Five Elements 07:53 Aligning Security with Business Objectives 21:59 Defining Core Values for Security Teams 25:03 Aligning Organizational and Team Values 26:05 Establishing Clear Roles and Responsibilities 30:58 Implementing Effective Rhythms and Goals

Join host G Mark Hardy in this episode of CISO Tradecraft as he welcomes Olivia Rose, an experienced CISO and founder of the Rose CISO Group. Olivia discusses her journey in cybersecurity from her start in marketing to becoming a VCISO. They delve into key topics including the transition from CISO to VCISO, strategies for managing time and stress, the importance of understanding board dynamics, and practical advice on mentoring new entrants in the cybersecurity field. Olivia also shares her insights on maintaining business alignment, handling insurance as a contractor, and building a personal brand in the cybersecurity community. Olivia Rose: https://www.linkedin.com/in/oliviarosecybersecurity/ Transcripts: https://docs.google.com/document/d/1S42BepIh1QQHVWsdhhgx6x99U188q5eL Chapters 00:00 Introduction and Guest Welcome 01:14 Olivia Rose's Career Journey 06:42 Challenges in Cybersecurity Careers 15:47 Communicating with the Board 22:57 Navigating Compliance and Legal Challenges 24:10 Building Strategic Relationships 25:46 Aligning Security with Business Goals 35:05 The Importance of Reputation and Branding

In this episode of CISO Tradecraft, host G Mark Hardy continues an in-depth discussion with cybersecurity attorney Thomas Ritter on the legal considerations for cybersecurity leaders. The episode touches on essential topics such as immediate legal steps after a data breach, the importance of using correct terminology, understanding attorney-client privilege and discovery, GDPR's impact, data localization, and proactive measures CISOs should take. The conversation also explores the implications of evolving cybersecurity laws and regulations like the Digital Operations Resilience Act and the potential criminal liabilities for CISOs. Thomas Ritter: https://www.linkedin.com/in/thomas-ritter-2b91014a/ Transcripts: https://docs.google.com/document/d/15xQINUOdziGdcEFfh5SN8lS7svtK0JCT   Chapters 00:00 Introduction and Recap of Part 1 01:43 Starting the Discussion: Data Breaches 02:22 Legal Steps After a Data Breach 07:19 Understanding Attorney-Client Privilege 08:21 Discovery in Legal Cases 13:31 Staying Updated on Cybersecurity Laws 19:38 Impact of GDPR on Cybersecurity 32:00 Data Localization Challenges 34:55 Proactive Legal Preparedness 37:23 Final Thoughts and Conclusion

In this episode of CISO Tradecraft, host G Mark Hardy interviews cybersecurity lawyer Thomas Ritter. They discuss key legal topics for CISOs, including regulatory compliance, managing third-party risk, responding to data breaches, and recent legislative impacts. Thomas shares his journey into cybersecurity law and provides practical advice and real-world examples. Key points include the challenges of keeping up with evolving regulations, the intricacies of vendor management, and the implications of recent Supreme Court rulings. They also touch on major breaches like SolarWinds and Colonial Pipeline, exploring lessons learned and the importance of implementing essential security controls. Thomas Ritter - https://www.linkedin.com/in/thomas-ritter-2b91014a/ Transcripts: https://docs.google.com/document/d/1EvZ_dOpFOLCSSv5ffqxCoMnLZDOnUv_K Chapters 00:00 Introduction to CISO Tradecraft 00:48 Meet Thomas Ritter: Cybersecurity Lawyer 03:48 Legal Challenges for CISOs 04:54 Managing Third-Party Risks 13:01 Understanding Legal and Statutory Obligations 15:57 Supreme Court Rulings and Cybersecurity 32:57 Lessons from High-Profile Cyber Attacks 38:32 Ransomware Epidemic and Law Enforcement 43:30 Conclusion and Contact Information

Emotional Intelligence for Cybersecurity Leaders | CISO Tradecraft In this episode of CISO Tradecraft, host G Mark Hardy delves into the essential topic of emotional intelligence (EI) for cybersecurity leaders. He explores the difference between IQ and EI, the origins and significance of emotional intelligence, and its impact on leadership effectiveness. The episode covers various models of EI, including the Ability Model, the Trait Model, and the Mixed Model, and emphasizes practical actions to enhance EI, such as self-awareness, self-regulation, empathy, and social skills. Tune in to understand how developing emotional intelligence can significantly benefit your career, leadership performance, and personal life.    Transcripts: https://docs.google.com/document/d/15pyhXu3XVHJ_VE1OwKjSqM73Rybjbsm0   Chapters: 00:00 Introduction to CISO Tradecraft 00:53 Understanding IQ: The Basics 04:08 Introduction to Emotional Intelligence 07:38 Models of Emotional Intelligence 13:06 The Importance of Emotional Intelligence in Leadership 25:12 Practical Steps to Improve Emotional Intelligence 32:42 Conclusion and Final Thoughts

Securing Small Businesses: Essential Cybersecurity Tools and Strategies In this episode of CISO Tradecraft, host G Mark Hardy discusses cybersecurity challenges specific to small businesses. He provides insights into key tools and strategies needed for effective cybersecurity management in small enterprises, including endpoint management, patch management, EDR tools, secure web gateways, IAM solutions, email security gateways, MDR services, and password managers. Hardy also evaluates these tools against the CIS Critical Security Controls to highlight their significance in safeguarding small business operations. Transcripts: https://docs.google.com/document/d/1Hon3h950myI7A3jzGmj7YIwRXow5W1V5 Chapters 00:00 Introduction to CISO Tradecraft 00:40 Challenges of Cybersecurity in Small Businesses 01:15 Defining Small Business and Security Baselines 01:53 Top Cybersecurity Tools for Small Businesses 02:05 Hardware and Software Essentials 04:35 Patch Management Solutions 05:19 Endpoint Detection and Response (EDR) Tools 06:06 Secure Web Gateways and Website Security 11:21 Identity and Access Management (IAM) 12:57 Email Security Gateways 14:15 Managed Detection and Response (MDR) Solutions 14:54 Recap of Essential Cybersecurity Tools 15:41 Bonus Tool: Password Managers 18:33 Aligning with CIS Controls 24:48 Conclusion and Call to Action