CISO Tradecraft®

121 Episodes

38 minutes | Mar 20, 2023
#121 - Legal Questions (with Evan Wolff)
Have you ever wanted to get a legal perspective on cybersecurity? On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others. He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general counsel. Please enjoy.
Full Transcripts: https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdOtdfYEwLA3-1Jnh
Chapters
00:00 Introductions
01:52 The Attorney Client Privilege
04:49 What's the Difference Between a Discovery Order and an Attorney Client Privilege
06:30 CISO Disclaimer
09:23 Security Is a Component of Government Contracts
11:59 What are the Borders Between Information Security and Legal Risk
15:31 Cyber Security - Is there a Standard of Care?
18:11 Do you have a Reasonable Best Effort?
21:27 CMMC 2.0
26:22 Is your Privacy Policy going to expire?
28:30 What is Reasonable Assurance?
33:41 Advice for Partnering with the General Counsel
40 minutes | Mar 13, 2023
#120 - Negotiating Your Best CISO Package (with Michael Piacente)
Have you ever wondered how to negotiate your best CISO compensation package? On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation package. Examples include but are not limited to:
- Base Salary
- Bonuses (Annual, Relocation, & Hiring)
- Restricted Stock Units
- Annual Leave
- Title (VP or SVP)
- Directors & Officers Insurance
- Accelerated Vesting Clauses
- Severance Agreements
You can learn more about CISO compensation by Googling any of the following compensation surveys:
Hitch Partners CISO Compensation and Organizational Structure Survey Report: https://www.hitchpartners.com/ciso-security-leadership-survey-results-23
Heidrick & Struggles Global Chief Information Officer Survey: https://www.heidrick.com/en/insights/...
IANS CISO Compensation and Budget Benchmark Study: https://www.iansresearch.com/ciso-com...
Full Transcripts: https://docs.google.com/document/d/1e...
Chapters
00:00 Introduction
01:58 What's the Difference?
06:50 The Three-Legged Stool (Base Salary, Bonuses, RSUs)
11:44 Is there a signing bonus?
13:56 What's the difference between RSUs & Options?
18:52 Private Companies - What's the Value of the Offer?
22:04 Double Triggers in Private Companies
26:38 Should you counter an offer?
28:17 Corporate Liability Insurance
29:50 Do you want to be extended on the Director and Officer Insurance Policy?
32:56 How to negotiate a severance agreement
36:00 Compensation Survey Reports
41 minutes | Mar 6, 2023
#119 - Ethics (with Stephen Northcutt)
One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in. Sometimes ethical stances are clear and you know you are doing what's right. Others are blurry, messy, and really weigh on your mind. So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally the federal case in which Joe Sullivan, the former Chief Security Officer of Uber, was convicted of federal charges for covering up a data breach. Thanks to Stephen Northcutt for coming on today's show.
Full Transcript: https://docs.google.com/document/d/1vin7gMBt9YvVGaVqT91ycPmacsKZe2T9
Chapters
00:00 Introduction
01:49 How to Make a Difference in Cybersecurity
03:34 Hackers and the Pursuit of Higher Principles
06:06 Is There a Use Case in Cybersecurity
10:56 Human Capital is the Most Important Asset That Any Organization Has
14:00 The Human Frailty Factor
18:21 Has Your Company Fully Embraced Diversity, Equity, and Inclusion
20:24 Do you have a Diversity of Experience
24:11 Getting Your EXO to Talk to Power and say you are wrong
27:40 CISOs and CISOs - Is this a Criminal Thing?
30:15 The Penalty of Crossing the Law
34:56 Pay the Ransom?
36:59 The Key to Resilience as a CISO
45 minutes | Feb 27, 2023
#118 - Data Engineering (with Gal Shpantzer)
Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.
Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/
Gal's Twitter Page - https://twitter.com/Shpantzer
Full Transcript - https://docs.google.com/document/d/14RXnsVttvKlRi6VL94BTrItCjOAjgGem/
Chapters
00:00 Introduction
02:00 How do you Architect Big Data Data Infrastructure
03:33 Are you taking a look at Ransomware?
06:11 Web Scale Technologies are used mostly in Marketing & Fraud Detection
08:11 Data Engineering - The Mindset Shift
10:51 The Iron Triangle of Data Engineering
13:55 Can I Outsource My Logging Pipeline to a Vendor
15:37 Kafka & Flink - Data Engineering in the Pipeline
18:12 Streaming Analytics & Kafka
22:08 How to Enable Data Science Analytics with Streaming Analytics
26:33 Streaming Analytics
30:25 Data Engineering - Is there a Security Log
32:30 Streaming Analytics is a Weird Thing
35:50 How to Get a Handle on a Big Data Pipeline
39:11 Data Engineering Hacks for Big Data Analytics
40 minutes | Feb 20, 2023
#117 - Good Governance (with Sameer Sait)
Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.
Cyber Risk Institute - Cyber Security Profile: https://cyberriskinstitute.org/the-profile/
Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li
Chapters
00:00 Introduction
03:10 Good Governances is a Good Thing, Right?
05:08 Cyber Strategy & Framework
06:43 Is NIST the Same as ISO?
08:40 How to Convince the Executive Leadership Team to Buy In
11:19 The CEO's Challenge is Taking Measured Risk
20:05 Is there a Cybersecurity Policy
22:32 Culture eats Policy for Lunch
24:14 The Role of the CISO
27:52 How do you Convince the Leadership Team that you need extra resources
29:51 How do you Measure Cybersecurity?
32:22 How do we communicate Risk Findings to Senior Management
36:07 Are you Aligning with the Audit Committee
44 minutes | Feb 13, 2023
#116 - A European view of CISO responsibilities (with Michael Krausz)
In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In the early stages of growing a security function, a CISO needs to be technically focused, but as a security department matures, the CISO must be organizationally focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort each requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.
Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/
Michael Krausz Website: https://i-s-c.co.at/
Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv
Chapters
00:00 Introduction
04:01 Is there a Gap Analysis in ISO 27001?
08:05 Is there a Requirement for ISO Standards?
10:57 What is ISO 27001?
13:11 Is there a Parallel Development between the US and EU?
16:57 Do you want to be a trooper?
21:17 What's the Oldest Operating System?
23:09 Is there a Legacy Operating Systems that you can't get away with?
24:11 The Most Important Class for a CISO
26:33 The Secrets of a Successful CISO
29:30 CISO - I need 6 people period
33:40 What's the Primary Skill Needed in a CISO?
37:41 How to Maximize the Number of FTEs
42 minutes | Feb 6, 2023
#115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser)
How can cyber best help the sales organization? It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.
Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/
Chapters
00:00 Introduction
02:58 How did you marry those two cultures?
06:40 Building a Diverse Workforce
08:23 Is this a new role based on Pain Points?
10:27 Global Lead for Field Cyber Security
15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
19:07 Is there a Global Lead for Field Cybersecurity?
24:46 Building Relationships in a Security Leadership Role
27:48 Do you have any lessons learned from your success at Global Management Consulting?
29:33 You need to schedule time to get things done
33:33 What about Due Diligence?
37:36 The Chief Technology Officer, CRO, & CTO
24 minutes | Jan 30, 2023
#114 - One Vendor to Secure Them All
Did you ever wonder how much security you can implement with a single vendor? We did and were surprised by how much you can do using the Australian Essential Eight as a template. We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.
Special thanks to our sponsor Praetorian for supporting this episode. https://www.praetorian.com/
Full Transcripts: https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ
Helpful Links
Essential 8: https://www.microsoft.com/en-au/business/topic/security/essential-eight
Blocking Macros: https://ite8.com.au/the-essential-8/office-macros-explained/
Windows Defender Application Control or WDAC (available from Windows 10 or Server 2016 or newer); previously Windows had AppLocker (Windows 7 / 8):
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
Windows Group Policies:
https://techexpert.tips/windows/gpo-block-website-url-google-chrome/
https://chromeenterprise.google/policies/#SafeBrowsingAllowlistDomains
https://data.iana.org/TLD/tlds-alpha-by-domain.txt
Software Restriction Policies: http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
Blocking website URLs - only allow (.com, .org, .net, .edu, .gov, .mil, and the countries you want).
Locking down Active Directory: https://attack.stealthbits.com/tag/active-directory
File Server Resource Manager (FSRM): http://woshub.com/using-fsrm-on-windows-file-server-to-prevent-ransomware/
Enable MFA for RDP:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access
https://duo.com/docs/rdp
Enable MFA for SSH:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ssh
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux
Windows Controlled Folder Access: https://support.microsoft.com/en-us/topic/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363
Use Windows File History to create backups to OneDrive: https://www.ubackup.com/windows-10/file-history-backup-to-onedrive-4348.html
Store your files in OneDrive, which has ransomware detection: https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
Windows Update: Select Start > Settings > Windows Update > Advanced options. Under Active hours, choose to update manually or automatically in Windows 11. https://support.microsoft.com/en-us/windows/keep-your-pc-up-to-date-de79813c-7919-5fed-080f-0871c7bd9bde
Microsoft Conditional Access Policies: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
Microsoft Authenticator with Number Matching, Geo, & Additional Context:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context
https://websetnet.net/microsoft-rolls-out-new-microsoft-authenticator-features-for-enterprise-users/
Application Approve List: https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/
43 minutes | Jan 23, 2023
#113 - SAST Security (with John Steven)
This episode provides a deep dive into Static Application Security Testing (SAST) tools. Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways to apply them in your organization. Special thanks to John Steven for coming on the show to share his expertise.
Special thanks to our sponsor Praetorian for supporting this episode. https://www.praetorian.com/
Full Transcript: https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb
42 minutes | Jan 17, 2023
#112 - Attack Surface Management (with Richard Ford)
How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.
Special thanks to our sponsor Praetorian for supporting this episode.
A Full Transcript of this podcast can be found here: https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj
45 minutes | Jan 9, 2023
#111 - Leading with Style
Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes? Well, on today's episode we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes. So sit back, relax, and enjoy CISO Tradecraft.
Show Notes with Pictures & References: https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
Full Transcript: https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
24 minutes | Jan 2, 2023
#110 - Predictions for 2023
Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023? Listen to the episode to learn more about:
- Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
- Convergence of Security Tools
- Collaboration Technology
- Evolution of the Endpoint (Chromebooks or Browser Isolation)
- Chatbots
- Vague and unclear cyber laws
- CISO liability increases
- Umbrella IT general controls mapping
- Companies will be less truthful during 3rd party questionnaires
- Cyber defense will become more difficult because of people
Be sure to also check out G Mark Hardy's annual ISACA talk at http://isaca-cmc.org/
Link to full transcripts of the podcast can be found here: https://docs.google.com/document/d/1RkrtkuunBn-qaU-Y9HvgHJzAKoIIszcW/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true
46 minutes | Dec 19, 2022
#109 - The Right Stuff
Success leaves clues, but sometimes we limit ourselves by only looking close by for them. This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice. Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your success as a security leader. Some of the essential skills we discuss on this episode of CISO Tradecraft are:
- Be a leader
- Manage money and resources
- Differentiate yourself and your message
- Communicate with clarity and emphasis
- Delegate and hold subordinates accountable
- Build a personal network
- Mentor your team
- Be adaptable
- Be sensitive to cultural and political issues
- Watch the details and ensure your management makes informed risk-based decisions
- Know your limitations
We thank our sponsor Nucleus Security for supporting this episode.
Full Transcript: https://docs.google.com/document/d/1C357cX_4wKTRmhRUsGh_2d9vIMX5LspL/
Show links:
https://www.smallbusiness.wa.gov.au/starting-and-growing/essential-business-skills
https://cisotradecraft.podbean.com/e/108-budgeting-for-cisos-with-nick-vigier/
https://nativeintelligence.com/
https://github.com/cisotradecraft/Podcast#business-management--leadership
https://www.ef.com/wwen/blog/efacademyblog/skills-for-success/
https://www.criticalthinking.org/pages/defining-critical-thinking/766
https://your.yale.edu/learn-and-grow-what-adaptability-workplace
https://openai.com/blog/chatgpt/
https://openai.com/dall-e-2/
43 minutes | Dec 12, 2022
#108 - Show Me The Money (with Nick Vigier)
There are a lot of things you need to know as a CISO, but one of the things least taught is budgeting best practices. On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic. The conversation focuses on spend vs. investment. Remember: spend = overhead, whereas investment = growth. Here's a great point:
[10:00] "There are opportunities that we have to frame some of these things as investments versus framing them as risk mitigations. And so one of the mantras or things that I like to think about is the business has a limited appetite for risk management, but they have infinite appetite for profits and making money. So if you're able to frame them as how they're actually going to help accelerate the business or improve the business, that brings the CEO and the CFO along on the journey, that you're not just there to lock the doors, you might actually be there to help put another floor on the building, and that's a very different conversation."
We also thank our sponsor Nucleus Security for supporting this episode.
Full Transcript: https://docs.google.com/document/d/1nURiml3BJFnszFRA8qov1CgO_VkDFaCY
43 minutes | Dec 5, 2022
#107 - Consolidating Vulnerability Management (with Jeff Gouge)
Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management. We also thank our sponsor Nucleus Security for supporting this episode. Consistently tracking and prioritizing vulnerabilities is a difficult problem. This episode talks about it in detail and helps you increase your understanding of:
- Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cloud Security Scans, ...) and why companies need so many
- How CVSS base scores are actually calculated, so you can understand their strengths and weaknesses
- How Threat Intelligence data improves CVSS scoring
- Knowing which vulnerabilities are being actively exploited by bad actors through the CISA Known Exploited Vulnerabilities Catalog
- Knowing which vulnerabilities are being exploited in your industry or organization
- Knowing how the Exploit Prediction Scoring System (EPSS) can predict which vulnerabilities will be exploited soon
- Learning about the Stakeholder-Specific Vulnerability Categorization Guide (SSVC)
Note: a Full Transcript of this podcast can be found here: https://docs.google.com/document/d/1dWDS8rd-iscZuZ28U27IBuPPfrlFAV69/
30 minutes | Nov 28, 2022
#106 - How to Win Your First CISO Role
Are You Ready To Win Your First CISO role? Apply these techniques to your resume and interview process so both recruiters and hiring managers will offer you the job. This show focuses on:
- Highlighting the Different Types of CISO Roles
- Showing how to progress from a Senior Director Role into a Fortune 100 CISO
- Resume Tricks and Tips that get you noticed by recruiters
- How to have a great interview with a recruiter
- What Hiring Managers want to see from CISOs during their interviews
Please note the full show transcript can be found here: https://docs.google.com/document/d/18Feg4eXbezHVPiNQ9qO6Pdht3P0eQ5nn
49 minutes | Nov 21, 2022
#105 - Start Me Up (with Bob Cousins)
Would you like to hear a master class on what technology professionals need to know about startups? On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists. Listen and learn more about:
- What should a technology professional know about venture capital and dealing with venture capitalists?
- What is the role of marketing?
- What do engineers get wrong with helping businesses create profitable growth?
- What is the value of a product?
Subscribe to the CISO Tradecraft LinkedIn Page
45 minutes | Nov 14, 2022
#104 - Breach and Attack Simulation (with Dave Klein)
Special thanks to our podcast sponsor, Cymulate. On this episode, Dave Klein stops by to discuss the 3 digital challenges that organizations face:
- Cyber threats evolve on a daily basis, and this constant threat to our environment appears to be only accelerating.
- The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
- In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.
Breach and Attack Simulation tooling addresses these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:
- Managing organizational cyber-risk end to end
- Rationalizing security spend
- Prioritizing mitigations based on validated risks
- Protecting against the latest threats in near real-time
- Preventing environmental drift

Welcome back listeners, and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin, we will provide a solid background on Breach and Attack Simulation, then we are going to bring on our special guest Dave Klein, who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation software.

Starting from the beginning: what is Breach and Attack Simulation software and why is it needed? At the end of the day most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public-facing websites to sell products and services. Each of these activities results in creating organizational assets such as IT equipment that has internet connectivity. Now internet connectivity isn't a bad thing. Remember, internet connectivity allows companies to generate income, which allows the organization to exist. This income goes to funding expenses like the cyber organization, so that is a good thing.

If bad actors with the intent and capability to cause your company harm can find your company's internet-connected assets which have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the term Cyber Asset Attack Surface Management (CAASM). It's also commonly referred to as continuous threat exposure management. Essentially these two categories of tools are the latest evolution of vulnerability management tooling, with the additional benefit of ingesting data from multiple sources. Essentially they are designed to address key questions such as:
- How do we get an inventory of what we have?
- How do we know our vulnerabilities?
- How do we know which vulnerabilities might be exploited by threat actors?

Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note that Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique. Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises. Essentially you learn how bad actors can bypass your cyber tooling and safeguards. This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform.

For example, if I can take a normal user's laptop and spawn a PowerShell script or run a tool like Mimikatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity. I also want to know if the Incident Response team blocked or disabled this account in a timely manner. According to the 2022 Microsoft Digital Defense Report, the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes. The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes. Remember, the difference between responding to these attacks in minutes vs. hours can be the difference in how many files get encrypted when ransomware actors get into your environment.

Another thing that CISOs need to ensure is that vulnerabilities get fixed. How do you test that? You have to replay the attack.

You can think of fire drills as the comparison. If an organization only did one fire drill every 24 months, then chances are the company's time to exit the building isn't going to decrease all that much. It's likely to stay the same. Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion. The good thing about Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button. This can save your penetration testing team hours over manual exploitation activities, which would have to be repeated to confirm successful patches and mitigations.

If we look at Breach and Attack Simulation software, the tools have typically come in two flavors. One is an agent-based approach. For example, a company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Prevention software. The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool. The attack agent could also run similar attacks to see how much malware the antivirus detects, or how much sensitive email it can send outside the company despite there being an email protection solution. These attack agents can also be placed on servers to determine how effective web application firewalls are at stopping attacks. Essentially, having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools. Now there are a few concerns with this type of approach. One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower. Two, the time it takes to install and test agents means the value you can get out of these tools is delayed, because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed. Three, by having an agent you don't always truly simulate what an attacker would do, since you don't have to live off the land and gain permissions the way the attacker did. Your agent may not be known to antivirus or EDR tools, whereas using Windows libraries to gain access would be.

Now let's compare this with an agentless approach. This approach is quite popular since labs where agents are run don't always look like a production environment. For example, they lack the amount of traffic, don't possess the same amount of production data, or contain last month's versions of software.

Here the attacker software may start with the premise: what happens if someone from the Accounting Team opens an Excel document containing a malicious macro? Let's see how we can automate an attack after that initial compromise step occurs. Then let's walk through every attack identified by the MITRE ATT&CK framework and see what gets caught and what doesn't. The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness. This might be something simple like adding a Windows Group Policy to stop an attack. Also, breach and attack simulation tools can provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred. For example: instead of just knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk signature that your SOC team can leverage. That's a great way to minimize the amount of time it takes to improve your alerting capabilities.

Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack. It might be as simple as "we stopped this attack before it could happen by applying the new Windows Group Policy" or "it took the team 4 hours to determine XYZ account had been taken over." These metrics allow you to know how well your response plans work. So you get the value of a penetration test with the automation & scaling of vulnerability management tools.

What's even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.

For example: most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively. Generally this is a manual process done in the Governance, Risk, and Compliance (GRC) team within a cyber organization. GRC teams have to ask developers to provide evidence for various IT controls, such as whether they are monitoring and alerting on privileged activity. Now imagine if you had an automated tool that showed evidence that monitorin
45 minutes | Nov 7, 2022
#103 - Listening to the Wise (with Bill Cheswick)
Have you ever met someone so interesting that you just sat and gave them your full attention? On this episode of CISO Tradecraft, we have Bill Cheswick come on the show. Bill talks about his 50 years in computing: working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses. He was also the first person to co-author a book on Internet Security. So listen in and enjoy.
Also special thanks to our sponsor, Obsidian Security. You can learn more about them at: https://www.obsidiansecurity.com/sspm/
39 minutes | Oct 31, 2022
#102 - Mentorship, Sponsorship, and A Message to Garcia
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well). Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work. Today we're going to give you a template for creating a personal development plan you can use with your team. I also want to introduce you to a booklet that I keep on my desk. It was written in 1899. Do you have any idea what it might be? Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own.

Let's take a moment to hear from today's sponsor Obsidian Security.

Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves. But success shouldn't be a secret. As Tony Robbins said, "success leaves clues." One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship. But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen. Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.

Definitions

Let's start with what a mentor is. The dictionary definition is "an experienced and trusted adviser." My definition is that it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé. Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you may want to pass along some tips to help raise your grandkids. You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.

Mentor

Let's talk about the who, what, when, why, and how of being a mentor.

The WHO part is someone with experience and wisdom willing to share insights.

Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom you should meet and why.

The WHEN portion of mentoring is usually a condition of the type of relationship. A traditional one-on-one mentor relationship may be established formally or informally. We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor. I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly. Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth. [Irish whiskey story]

The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance. Mentoring is not like doing the dishes, where anyone can do a competent job. It requires empathy, communication skills, wisdom, and time commitment. I'm at the point in my life and career where I actively try to help others who are not as old as I am. Many times, that's appreciated, but some people seem to prefer to make all of their own mistakes and resist the effort. Oh, well. As my Latin teacher used to say, "suum cuique" -- to each their own.

Finally, the HOW. Mentors should prioritize their sessions by preparing in advance and setting aside time without interruptions. Establish an agenda based upon specific requirements -- not just what the protégé wants but what the mentor believes he needs. Martina Bretous published an article on HubSpot where she points out ten ways to be an amazing mentor:

Understand what you want out of the relationship.
Set expectations together in the very beginning.
Take a genuine interest in your mentee as a person.
Build trust.
Know when to give advice.
Don't assume anything about your mentee -- ask.
Share your journey.
Celebrate their achievements.
Seek out resources to help your mentee grow.
Be sure you have the bandwidth.

In summary, if you want to be a mentor and seek out the right people in whom to invest your time, here's a short checklist. Look for protégés with a strong work ethic -- people who have built a reputation of delivering on time and on budget. Select only those people of the proper character -- you don't want to be teaching a sociopath how to take over the organization. And you'll find you work better with others who share similar values. If you value hard work, honesty, humility, and perseverance, look for those characteristics, or at least the potential to develop those characteristics, in your potential mentee. We all know how hard it is to change ourselves. Think about how much harder it is to change someone else. In the end, you're just showing the way and it's up to the other person to take the appropriate actions, but you want to build a winning record of successful mentorships -- it doesn't help your own career if you're viewed as the incubator of failure.

Protégé

As listeners of this show, you are likely in a position to be a mentor. But that doesn't mean you can't benefit from having a mentor yourself. Let's look at the who, what, when, why, and how of being a protégé.

The WHO is someone who can gain insight from a relationship with someone farther along a given path. Mentees may be assigned a mentor relationship, or they may seek out that relationship on their own. Both are valid paths, and even if a formal program exists it's often up to the mentee to select from available mentors. It doesn't always work the other way around. [Navy mentor story]

The WHAT is the reason for participating in this type of relationship. Usually, it's to gain insight into career and professional goals, but as I mentioned earlier, it can be about almost anything where you could learn from someone who's not in the role of a teacher or supervisor.

WHEN should you seek the advice of a mentor? Well, there's probably never a time NOT to seek advice, but if you're heads-down in a long project that you enjoy, or find yourself in a position where you're content and soon winding down your career, then I suppose you're fine going it alone. Otherwise, after you've been in a position for a year or so and you've figured out your current role and how you fit in, that might be a suitable time to start looking for a mentor.

I think the WHY is obvious, but let's address it. No one knows everything, but someone usually knows what you need. Seeking a mentor is a rational way of gaining insights that can help move your career along.

And HOW do you become a protégé? You need to a-s-k to g-e-t. Potential mentors are usually busy people -- they don't go looking for more things to add to an already overwhelming calendar. That said, the saying "if you want something done, give it to a busy person" is often true, because busy people are in the business of making things happen. If your organization offers a mentorship program, jump at the opportunity. Just make sure that the person with whom you are paired has the time, the expertise, and the interest to help you in your career.

When searching for a mentor, remember that you should have a clear goal in mind. "Hey, I need a mentor" isn't very specific, and the Mr. Rogers' "won't you be my mentor?" isn't very compelling. Rather, start with a specific objective. For example, it could be, "how do I become fully qualified to become a first-line manager?" or "what does this organization look for when selecting a C-level executive?" Once you have your goal, you can start your search, but remember that you need to stay professional. You're not seeking a drinking buddy -- a mentor rarely is a peer (although technically I have heard of peer-to-peer mentoring, but that runs the risk of the parable of the two blind men who both fall into a ditch). You want someone with relevant knowledge and experience. And ideally, first develop a working relationship before you pop the question. A busy mentor will feel more comfortable working with a known quantity than being left to wonder if this person represents a reputational risk.

Let's turn our conversation now to sponsors.

Sponsors

Executive coach May Busch recommends forming a career board of directors to advance your career. She points out that you need both mentors and sponsors -- sponsors are those in your organization with sufficient clout to put you into key assignments and who can advocate behind closed doors for your career advancement. Wow -- sounds great; where do I sign up? The issue is that you typically can't recruit sponsors; they come looking for you. Like a mentee, a "sponsee" represents potential risk to sponsors -- they are putting their own credibility with peers on the line by advocating for you. If you crash and burn, you both lose.

Like any sales effort, you shouldn't put all of your eggs in a single basket, so if you want to identify a potential sponsor, look for a couple of candidates. Now, where you work there may be exactly one person who controls the vertical and the horizontal, but in most matrixed organizations, there is a range of opportunities to find advocacy.
Find out who is senior enough to influence t