Traditional risk models focus on calculating loss frequency and magnitude, but don't go far enough in terms of modeling the most important assets in our organization, known as "crown jewels." This episode of CISO Tradecraft is a fascinating interview with the CEO and founder of a startup focusing on crown jewel analysis -- Roselle Safran. We'll look into how making this a part of your portfolio helps put the "C" in CISO by showing your understanding of the business in which you work. We'll also extend our discussion to challenges faced by women in cybersecurity, and encouragement for women (and others) to enter our exciting profession.

Containers are a lightweight technology that allows applications to deploy to a number of different host Operating Systems without having to make any modifications at all to the code.  As a result, we're been seeing a big increase in the use of Docker, Kubernetes, and other tools deployed by enterprises.  In this episode, we'll cover the fundamentals of containers, Docker, orchestration tools such as Kubernetes, and provide you with knowledge to understand this environment, and maybe even tempt you to create your own container to test your skill.

Major links referenced in the show

• Container Architecture Link

Special Thanks to our podcast Sponsor, CyberGRX

Join CISO Tradecraft for a fascinating discussion on how to build cyber traps for the bad guys that really work.  By creating a deceptive environment that "booby-trap" your networks with fake services, enticing resources, and make-believe traffic, we can create a high-fidelity, low-noise intrusion sensor system -- no legitimate user would ever try these.  Improve your SOC efficiency by actively engaging with intruders rather than sifting through false positives.  There's a lot to learn here, and Kevin Fiscus offers a promise of more to come.  By listening to this episode you will learn:

• What is cyber deception?

If you would like to learn more about Cyber Deception, then be sure to check out these great resources:

• Kevin’s YouTube channel, Take Back the Advantage Link

Special Thanks to our podcast Sponsor, CyberGRX

Special Thanks to our podcast Sponsor, CyberGRX

On today’s episode, we bring in Scott Fairbrother to help tackle key questions with Third Party Risk Management:

• How do you identify which vendors pose the highest risk to your business?

Also please subscribe to to the CISO Tradecraft LinkedIn Page to get more relevant content

Cyber Threat Intelligence is an important part of an effective CISO arsenal, but many security leaders don’t fully understand how to optimize it for their benefit.  In this show, we examine why cyber threat intelligence is vital to fielding an effective defense, discuss the intelligence cycle, examine the four types of threat intelligence, and feature a special guest, Landon Winkelvoss of https://nisos.com, who has spent a career mastering this topic and shares a number of important insights you won’t want to miss.

In this episode, we take a deep dive into that four-letter word RISK. Risk is measurable uncertainty. As a component of Governance, Risk, and Compliance (GRC), risk management is an important part of a security leader's responsibility. Risk assessment is conducted for a number of reasons, and measuring risk is an important component of effectively overseeing our IT investments. We'll look at NIST and ISO standards for risk, and define the different types of risk assessments. And, because there is risk inherent in many endeavors, this episode will be continued in a part 2, because we didn't allow for the risk of running over with this much great information.

Being a CISO has been described as the "toughest job in the world."  It comes with a lot of stress, which can lead to early burnout as well as a number of health and relationship problems.  Well, we're going to tackle this elephant in the room and investigate some of the sources of stress and ways we can deal with it.

88% of CISOS report being "moderately or tremendously stressed"   We discuss eight everyday situations that can cause CISO stress, and then explore the way of Ikigai, Japanese for "reason for being."  The intersection of what you love, what you are good at, what the world needs, and what you can be paid for represents this ideal state.  Mihaly Csikszentmihalyi describes this as "flow," when work comes seemingly effortlessly because we are in alignment with our actions.  We'll also explore Dave Crenshaw's factors to being invaluable, which can help us better meet the demands of our job by being the best possible fit.

Tune in and gain some ideas on how to help yourself. and your staff, deal with stress.

CISO Tradecraft By Topic on GitHub 

Csikszentmihalyi

Ikigai

Invaluable: The Secret to Becoming Irreplaceable

The Six Invaluable Factors by David Crenshaw

This episode of CISO Tradecraft discusses CMMC.  The Cybersecurity Maturity Model Certification (CMMC), is the US government response to the massive amounts of defense-related information compromised over the years from contractors and third parties.  The program will be mandatory for all defense contractors by 2025, and has the potential to expand to the entire Federal government, affecting every entity that sells to Uncle Sam.  CMMC has five levels of progressively more rigorous certification with up to 171 controls based on acquisition regulations, NIST standards, and Federal information processing standards. In addition, there will be an entire ecosystem of trainers, consultants, assessors, and the organizations that support them.  We'll cover those in enough detail so that you can decide if expanding your career skill set into CMMC might make sense.

On this episode of CISO Tradecraft, you will hear about the most prominent Cyber Security Laws and Regulations:

• The Health Insurance Portability and Accountability Act (HIPAA) advocates the security and privacy of personal health information

• Administrative Safeguards

• Cyber Risk Assessment

• Plan for security

• Consent

This episode of CISO Tradecraft is all about IPv6, featuring Joe Klein.  IPv6 is becoming the dominant protocol on the Internet, and CISOs should understand the implications of how their enterprise is potentially vulnerable to attacks that may come from that vector, as well as be aware of defenses that may originate from an effective IPv6 deployment.  This broadcast will cover the business cases for IPv6, the technical differences between IPv4 and IPv6, and the security implications of implementing this protocol correctly and incorrectly.