CISO Tradecraft®

By CISO Tradecraft®

Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an e... more

4.8

4848 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about CISO Tradecraft®:

How many episodes does CISO Tradecraft® have?

The podcast currently has 230 episodes available.

CISO Tradecraft® episodes:

March 13, 2023#120 - Negotiating Your Best CISO Package (with Michael Piacente)
Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages. Examples include but are not limited to: - Base Salary,
Bonuses (Annual, Relocation, & Hiring)
Reserve Stock Units
Annual Leave
Title (VP or SVP)
Directors & Officers Insurance
Accelerated Vesting Clauses
Severance Agreements
You can learn more about CISO compensations by Googling any of the following compensation surveys
Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...
Full Transcripts: https://docs.google.com/document/d/1e...
Chapters:
00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, & RSUs)
11:44 Is there a signing bonus?
13:56 What's the difference between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should you counter an offer?
28:17 Corporate Liability Insurance
29:50 Do you want to be extended on the Director and Officer Insurance Policy?
32:56 How to negotiate a severance agreement
36:00 Compensation Survey Reports
...more
40min
March 06, 2023#119 - Ethics (with Stephen Northcutt)
One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in. Sometimes ethical stances are clear and you know you are doing what’s right. Others are blurry, messy, and really weigh on your mind. So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Case where Joe Sullivan the Former Chief Security Officer of Uber was convicted of federal charges for covering up a data breach. Thanks to Stephen Northcutt for coming on today's show.
Full Transcript https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9
Chapters
00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do you have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and say you are wrong
27:40 CISOs and CISOs - Is this a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO
...more
42min
February 27, 2023#118 - Data Engineering (with Gal Shpantzer)
Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.
Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
Gal's Twitter Page - https://twitter.com/Shpantzer
Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/
Chapters
00:00 Introduction
02:00 How do you Architect Big Data Data Infrastructure
03:33 Are you taking a look at Ransomware?
06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is there a Security Log
32:30 Streaming Analytics is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics
...more
45min
February 20, 2023#117 - Good Governance (with Sameer Sait)
Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.

Cyber Risk Institute - Cyber Security Profile https://cyberriskinstitute.org/the-profile/
Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li
Chapters
00:00 Introduction
03:10 Good Governances is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge is Taking Measured Risk
20:05 Is there a Cybersecurity Policy
22:32 Culture eats Policy for Lunch
24:14 The Role of the CISO
27:52 How do you Convince the Leadership Team that you need extra resources
29:51 How do you Measure Cybersecurity?
32:22 How do we communicate Risk Findings to Senior Management
36:07 Are you Aligning with the Audit Committee
...more
40min
February 13, 2023#116 - A European view of CISO responsibilities (with Michael Krausz)
In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.
Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv
Chapters
00:00 Introduction
04:01 Is there a Gap Analysis in ISO 27001?
08:05 Is there a Requirement for ISO Standards?
10:57 What is ISO 27001?
13:11 Is there a Parallel Development between the US and EU?
16:57 Do you want to be a trooper?
21:17 What's the Oldest Operating System?
23:09 Is there a Legacy Operating Systems that you can't get away with?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I need 6 people period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs
...more
44min
February 06, 2023#115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser)
How can cyber best help the sales organization? It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.
Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/
Chapters
00:00 Introduction
02:58 How did you marry those two cultures?
06:40 Building a Diverse Workforce
08:23 Is this a new role based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
19:07 Is there a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do you have any lessons learned from your success at Global Management Consulting?
29:33 You need to schedule time to get things done
33:33 What about Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO
...more
42min
January 30, 2023#114 - One Vendor to Secure Them All
Did you ever wonder how much security you can implement with a single vendor? We did and were surprised by how much you can do using the Australian Top Eight as a template. We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.
Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts:
https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ
Helpful Links
Essential 8 https://www.microsoft.com/en-au/business/topic/security/essential-eight
Blocking Macros https://ite8.com.au/the-essential-8/office-macros-explained/
Windows Defender Application Control or WDAC (available from Windows 10 or Server 2016 or newer) previously Windows had App Locker (Windows 7 / 8)
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Windows Group Policies
https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains
https://data.iana.org/TLD/tlds-alpha-by-domain.txt
Software Restriction Policies http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
Blocking websites URL - only allow (.com, .org, .net, edu, .gov, .mil, and the countries you want).
Locking down Active Directory https://attack.stealthbits.com/tag/active-directory
File Service Resource Management
http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
Enable MFA for RDP
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access
https://duo.com/docs/rdp
Enable MFA for SSH
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux
Windows Controlled Folder Access
https://support.microsoft.com/en-us/topic/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363
Use Windows File History to create backups to one drive.
https://www.ubackup.com/windows-10/file-history-backup-to-onedrive-4348.html
Storing your files to One Drive which has ransomware detection
https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
Windows Update
Select Start > Settings > Windows Update > Advanced options. Under Active hours, choose to update manually or automatically in Windows 11.
https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde
Microsoft Conditional Policies- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
Microsoft Authenticator with Number Matching, Geo, & Additional Context
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context
https://websetnet.net/microsoft-rolls-out-new-microsoft-authenticator-features-for-enterprise-users/
Application Approve List- https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/
...more
25min
January 23, 2023#113 - SAST Security (with John Steven)
This episode provides a deep dive into Static Application Security Testing (SAST) tools. Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization. Special thanks to John Steven for coming on the show to share his expertise.

Special thanks to our sponsor Praetorian for supporting this episode.
https://www.praetorian.com/
Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb
Chapters:
00:00 Introduction
02:51 Source Code Analyzers
04:22 The three bears of Static Analysis
06:01 Do Linters work Better?
08:00 The Value of Full Programming Analysis Tools over Linters
11:30 The Impact of a Developer's Analysis on a Developer Environment
13:05 SAST Testing
15:47 OWASP Benchmarking
19:13 The First Static Analysis Tools
20:53 Can you break up that worry about Automated Testing?
22:44 Using Static Analysis for Defect Discovery
24:18 Using Static Analysis to Improve Web Security
31:37 Using Static Analysis to Drive Cloud Security
33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
34:55 Using Static Analysis to Build a Vulnerability Management Practice
37:35 Can you use Static Analysis to Find Insider Threat?
...more
43min
January 17, 2023#112 - Attack Surface Management (with Richard Ford)
How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.

Special thanks to our sponsor Praetorian for supporting this episode.
Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj
Chapters:
00:00 Introduction
04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
07:48 What's the Difference between a CTO and a CIO?
10:24 What attracted you to the problem space?
12:53 Is the Attack Surface really exposed?
16:12 Shadow IT - The Unknown Unknowns that could Bite You
19:56 Is there a Shadow IT problem?
23:24 How to get management on board with Shadow IT?
26:38 Building an Attack Surface Management Program
29:57 You Get What You Measure, Right?
33:27 Do I Have Vulnerable Assets?
39:24 Attack Surface Management
...more
42min
January 09, 2023 #111 - Leading with Style
Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes? Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes. So sit back, relax, and enjoy CISO Tradecraft.

Show Notes with Pictures & References:
https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Full Transcript:
https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
...more
45min

FAQs about CISO Tradecraft®:

How many episodes does CISO Tradecraft® have?

The podcast currently has 230 episodes available.

More shows like CISO Tradecraft®

Risky Business by Patrick Gray

Risky Business

363 Listeners

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) by Johannes B. Ullrich

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

632 Listeners

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec by Jerry Bell and Andrew Kalat

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

370 Listeners

Hacked by Hacked

Hacked

175 Listeners

CyberWire Daily by N2K Networks

CyberWire Daily

1,010 Listeners

Smashing Security by Graham Cluley & Carole Theriault

Smashing Security

313 Listeners

Click Here by Recorded Future News

Click Here

387 Listeners

Malicious Life by Malicious Life

Malicious Life

927 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

7,843 Listeners

Cybersecurity Today by Jim Love

Cybersecurity Today

142 Listeners

CISO Series Podcast by David Spark, Mike Johnson, and Andy Ellis

CISO Series Podcast

188 Listeners

Hacking Humans by N2K Networks

Hacking Humans

309 Listeners

Defense in Depth by David Spark, Steve Zalewski, Geoff Belknap

Defense in Depth

72 Listeners

Cyber Security Headlines by CISO Series

Cyber Security Headlines

120 Listeners

Risky Bulletin by risky.biz

Risky Bulletin

33 Listeners