CISO Tradecraft®

Have you ever wanted to get a legal perspective on cybersecurity?  On this episode of CISO Tradecraft, Evan Wolff stops by to discuss terms such as legal disclaimers, negligence, due care, and others.  He also provides important insights on how to structure your cyber policies, respond to regulators/auditors, and partner with general council.  Please enjoy. 

Full Transcripts:  https://docs.google.com/document/d/1hbqB5GQfQsi0egPVdO...

Have you ever wondered how to negotiate your best CISO compensation package?  On this episode, we invite Michael Piacente from Hitch Partners to discuss important parts of the compensation packages.  Examples include but are not limited to: - Base Salary,

• Bonuses (Annual, Relocation, & Hiring)
• Reserve Stock Units
• Annual Leave
• Title (VP or SVP)
• Directors & Officers Insurance
• Accelerated Vesting Clauses
• Severance Agreements

One of the most difficult things to do as a manager or leader is to take an ethical stance on something you believe in.  Sometimes ethical stances are clear and you know you are doing what’s right.  Others are blurry, messy, and really weigh on your mind.  So we thought we would take this episode to talk about various ethical models, tricky ethical scenarios you might encounter as a CISO, and finally we will look at the Federal Cas...

Our systems generate fantastic amounts of information, but do we have a complete understanding of how we collect, analyze, manage, store, and retrieve possibly petabytes a day? Gal Shpantzer has been doing InfoSec for over 20 years and has managed some huge data engineering projects, and offers a lot of actionable insights in this CISO Tradecraft episode.

Gal's LinkedIn Page - https://www.linkedin.com/in/riskmanagement/

Gal's Twitt...

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues?  Today we are going to overcome that by talking about what good governance looks like.  We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO.  We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute. Cyber Risk Institute - Cyber...

In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be te...

How can cyber best help the sales organization?  It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.

Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/

Chapters

• 00:00 Introduction
• 02:58 How did you marry those two cultures?
• 06:40 B...

Did you ever wonder how much security you can implement with a single vendor?  We did and were surprised by how much you can do using the Australian Top Eight as a template.  We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full...

This episode provides a deep dive into Static Application Security Testing (SAST) tools.  Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways apply them to your organization.  Special thanks to John Steven for coming on the show to share his expertise.  

Special thanks to our sponsor Praetorian for supporting this episode.

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.

Special thanks to our sponsor Praetorian for supporting this episod...

Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes?  Well on today's episode, we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes.  So sit back, relax, and enjoy CISO Tradecraft.

Show Notes with Pictures & References:

https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtp...

Want to know CISO Tradecraft's Top 10 cyber security predictions for 2023?  Listen to the episode to learn more about:

1. Proactive Identity Management = Automated Provisioning of Access + Minimizing Digital Blast Radius
2. Convergence of Security Tools
3. Collaboration Technology
4. Evolution of the Endpoint (Chromebooks or Browser Isolation)
5. Chatbots
6. Vague and unclear cyber laws
7. CISO liability increases
8. Umbrella IT general controls mappi...

Success leaves clues, but sometimes we limit ourselves by only looking close by for them.  This week, we pondered what business skills are essential for a successful CISO, and then extended the search to some non-traditional sources to find some very relevant advice.  Take the time to listen and do a self-examination (you don't have to submit for a grade :) and see where you could boost your skills portfolio to increase your succes...

There's a lot of things you need to know as a CISO, but one of the things least taught is budgeting best practices.  On today's episode, CISO Nick Vigier stops by to share his lessons learned on the topic.  His conversations focus on spends vs investments.  Remember spends = overhead, whereas investments = growth.  Here's a great point.

[10:00] There are opportunities that we have to frame some of these things as investments versus...

Special thanks to Jeff Gouge for sharing his thoughts on consolidating vulnerability management.  We also thank our sponsor Nucleus Security for supporting this episode.

Consistently tracking and prioritizing vulnerabilities is a difficult problem.  This episode talks about it in detail and helps you increase your understanding in:

• Various application security scanning tools (SAST, DAST, SCA, Container, IoT, Secret Scanners, Cl...

Are You Ready To Win Your First CISO role? Apply these techniques into your resume and interview process so both recruiters and hiring managers will offer you the job.  This show focuses on:

1. Highlighting the Different Types of CISO Roles
2. Showing how to progress from a Senior Director Role into a Fortune 100 CISO
3. Resume Tricks and Tips that get you noticed by recruiters
4. How to have a great interview with a recruiter
5. What Hiring ...

Would you like to hear a master class on what Technology professionals need to know about startups?  On this episode Bob Cousins stops by to share his knowledge and experience on working in technology companies, dealing with founders, and partnering with venture capitalists.  Listen and learn more about:

• What should a technology professional know about venture capital and dealing with venture capitalists?
• What is the role of ma...

Special Thanks to our podcast sponsor, Cymulate. 

On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:

1. Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
2. The level of vulnerabilities today is 30x what it was 10 years ago.  We have more IT infrastructure, complexity, and developers in our current environment.
3. In the pursui...

Have you ever just met someone that was so interesting that you just sat and gave them your full attention?  On this episode of CISO Tradecraft, we have Bill Cheswick come on the show.  Bill talks about his 50 years in computing.  From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses.  He was also the fir...