Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
G Mark Hardy (00:03):
From the very first CISO to today's threat-hunting boardroom advisor, the role has come a long way. Today, we're gonna walk through the timeline and how it shaped our CISO careers. And if you're leading security today, you're standing on the shoulders of giants, and maybe a few firewalls.
(00:31):
Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G Mark Hardy, your host and fellow CISO, and today we're gonna dive into the timeline of our profession, from the humble beginnings to the relevance we have today in the boardroom. And whether you're new to the CISO job or a veteran like I am, this
(00:53):
episode is your time capsule of how we got here and where we're going. Let's start with the man who started it all: Steve Katz. Before Steve Katz became the world's Chief Information Security Officer, the CISO at Citibank in 1994, this gentleman had already built a robust career in both information technology and information security.
(01:16):
So he had a real strong foundation for this historic role. So if you're wondering, like, how do you pick serial number one? He was vice president of technology and risk management at JP Morgan before he joined Citibank. He was responsible for managing technology risk, worked early strategies for safeguarding financial systems, which gave him direct experience in integrating security with large-scale business ops.
(01:38):
And then, although the role of a CISO didn't yet exist, he was already focusing on security and risk and things that are core to the discipline: access controls, secure network architectures, incident response processes, and a lot of this work had an emphasis on governance and how do we align our security with our business objectives. Plus he had built a reputation for business and technology integration.
(02:00):
He was able to translate technical risk into business language. You've probably heard that on the show a lot. And he was known for bridging the gap between IT and the business, which was really important when Citibank was trying to create a security leadership role that would report to and then appeal to the executive suite. Now, in 1994, Citibank had a significant cyber incident involving Russian hackers,
(02:22):
no surprise, infiltrating their systems. And at that time, information security was largely an ad hoc responsibility. It was part of what you did as a collateral duty as an IT administrator. There really wasn't a cohesive strategy. There wasn't a governance model, really no executive oversight dedicated to protecting digital assets. Now, I was doing IT security consulting back then.
(02:43):
I had started my first business back in 1988, and I was focusing on doing that very niche piece of the IT job that was security. And I can tell you in my early days it was a little bit like hand to mouth, where you'd go ahead and you'd get a contract, you'd work the job, you'd get paid, and then take all that money and burn it up trying to find the next customer and things such as that.
(03:04):
Well, that early pioneer stage gave way to a little bit more professionalism, because Citi had recognized having centralized, executive-level security oversight with someone like Steve Katz. He's got technical understanding, risk management experience, communication skills. Hey, what a winner. So he became the first Chief Information Security Officer.
(03:25):
Now, what was the first job? Build an organization-wide cybersecurity program that's gonna report directly to higher levels of leadership. Now, he approached this with some vision. It wasn't just a technical hurdle. He looked at it as a risk issue that had business implications, frameworks for risk assessment, collaboration across departments, and defining what cyber governance could look like.
(03:47):
So it really wasn't just a new job title, it was the beginning of a new type of leadership, someone who could bridge business, technology and security and bring it together. Now, as the 1990s progressed into the early two thousands, we had the rise of security certifications. ISC2 launched the CISSP, Certified Information Systems Security
(04:10):
Professional, back in 1994. It covered, at the time, 10 domains, and now we've got eight, that range from cryptography, security architecture, legal considerations, et cetera. The idea was to set a foundational basis for cybersecurity leadership. Now, only 46 people got the CISSP the first year, but by the time the
(04:30):
new millennium came around, it was almost 3,000. And I remember when the founder of that, Hal Tipton, kind of came to me and he said, Hey, Mark, you oughta get the CISSP. It'll be good for you. And it should have been '94 or '95, so I probably could have had a two-digit CISSP number, but I didn't get the vision. I waited until 2000.
(04:52):
So yes, my CISSP is over 25 years old, and probably of the people who are still practicing, it might be in the top couple hundred survivors. But so what? Who cares? The idea was it started the concept of a certification as testing what you knew. And in 2002, ISACA came out with the Certified Information Security Manager
(05:15):
credential, and it was more focused on strategic alignment, risk management. Great, if you're an aspiring CISO. I actually applied for it under their grandfather rules, the fact that I was already an existing practitioner. I could have been grandfathered into CISSP, and I'm thinking, like, I didn't get the vision; this time I got corrected. It's, yeah, I'm gonna hop on board that. And having that CISM, I continued to pay those dues and have been doing so for,
(05:36):
again, about 25 years. SANS introduced the GSLC, the Global Security Leader Certification, a couple years later, in response to the growing recognition that cybersecurity leadership needed more than technical expertise. You had to have strategic oversight, policy, governance, risk management, and the ability to communicate effectively with executive leadership.
(05:58):
Now, SANS has been known, and still is known, for their excellent technical courseware: GSEC, GCIH, being able to culminate in the GSE. And for my fellow SANS instructors, when I used to work there, having a number below 100 was a big deal, being one of the first Global Security Experts. But Stephen Northcutt started teaching Management 512.
(06:19):
He wrote it, taught it. Full disclosure, I taught that course for about 10 years at SANS and really loved it. I thought the content was awesome. It had things like governance, risk management, security frameworks, policy development, business continuity, disaster recovery, incident response, legal issues, budgets, security awareness programs. All these things are part of the portfolio of what we do as a
(06:41):
cybersecurity professional today. These certs filled a major gap, because HR departments could now qualify a candidate with an objective standard, because there was a lot of opportunity that was not yet there in the university world. You couldn't get a degree in cybersecurity. You can now, but in the early days it really wasn't out there.
(07:02):
When I went through and did my computer science degree, hey, it was with punch cards. I guess I'm showing my age a little bit. In any case, when I had a chance to work as an adjunct professor, it turned out that the approval process for curriculum change took a long time, and as a result, a certification program that could make changes two
(07:23):
and three times a year could really get inside the decision cycle, for those of us who understand the term the OODA loop, the observe, orient, decide, and act, of the universities. And so certs became the currency of the realm in cybersecurity, more so than the degrees. Now, it provided credibility. Then what happened is we started to see all this training taking
(07:46):
place at, say, SANS, which dates all the way back to 1989. Hard to believe that I started a company a year before them, but of course they're now probably a nine-figure business, doing quite well and adding all kinds of value to the community. They had all of these analysts, defenders, incident responders, as well as people who want to work their way up into the security leadership positions.
(08:08):
EC-Council launched the Certified Ethical Hacker, the CEH. It would take offensive security and turn it into a legitimate career path, and now with Offensive Security you have practical lab-based exams. They're really gonna push your candidates to prove real-world skills. For CISOs, this is a transformational development. You could hire team members that had verifiable, specialized skill sets,
(08:32):
and then you yourself could pursue leadership training that would actually align with your operational reality. Sometime in the two thousands we got all this regulatory wake-up call after Enron, WorldCom. The Sarbanes-Oxley Act was passed in 2002, and that required publicly traded companies to establish strong internal controls over financial reporting.
(08:56):
For CISOs, this now all of a sudden means that you might have a seat at the audit table, 'cause IT controls, change management, data integrity, these are no longer optional; these are mandated. At the same time, the healthcare sector saw HIPAA's Security Rule finally go into effect in 2005, although it had been around for a number of years. But there we had to have administrative, technical and
(09:18):
physical safeguards to protect patient data. Then the retail world was introduced to PCI-DSS. Version 1.0 came out in December of 2004, and that standardized how payment card data should be handled. See, these compliance regimes created a whole new era of accountability. CISOs had to evolve their roles from being a protector of systems to interpreting regulation, ensuring that the security controls
(09:41):
aligned with the legal obligations. It was really the beginning of the CISO's dual identity: technical expert and compliance strategist. As we roll into the two thousands, we also find out that, well, money gets involved. I remember sitting through the dot-com crash back in March of 2000. Sounds a little bit like last weekend.
(10:01):
And for those of us who are listening to this show live, well, here in April of 2025, we just had the interesting back-to-back days. After the dot-com market crashed, it didn't mean that technology was wiped out. It means you simply couldn't just start a business saying, it's gonna be on the internet and we don't know how we're gonna make money and we're
(10:23):
gonna lose money on every customer, but we'll make it up on volume. And that was the mentality back there in 1999, 2000. We got serious about it. And so we had companies like eSentire. I used to be on their advisory board, wished I'd stuck around. They're now a unicorn. FireEye started in 2004. Palo Alto Networks in '05. Tanium in '07, Zscaler in '08 and CrowdStrike as late as
(10:46):
2021, or, I'm sorry, 2011. And investors poured billions into cyber startups, and now all of a sudden the CISOs have access to a whole bunch of innovative tools. But with great choice comes great responsibility. Now, as a CISO, you're the gatekeeper and an influencer in this new vendor economy.
(11:07):
You have to evaluate new solutions, not just for the effectiveness of the technology, but does it align with the enterprise architecture? Does it have the operational capacity to meet your requirements? Does it conform with your risk appetite in terms of what it's gonna do for you? And actually, is this company still gonna be around in a couple years? See, a smart CISO could use this moment to reshape their tech stacks,
(11:28):
and if you're thinking forward, you can even partner with vendors, co-develop features, shape roadmaps, and now you're not just a protector anymore, you're a market influencer. I had the privilege to work for a couple years on the CISO board with a company called Red Canary. We've had their founder on the show, and what they did is they brought in several Chief Information Security Officers who are customers
(11:51):
and said, let us show you our roadmap. Let us hear back from you as customers what you need, so we can build the tools and the capabilities you want. I thought that was brilliant. I still have monthly calls with my Red Canary success rep. No, this is not a paid ad. This is just a happy customer talking, and I don't know why nobody else does that. They're the only company that I have a regular call with once a month.
(12:13):
So if you're a cybersecurity company and you want to increase your stickiness to your customers and have them become raving fans, call 'em once a month. Now, over time, we found out that cybersecurity turned out not to be just the interest of companies, but governments, as far back as 1998. 1999 was Moonlight Maze,
(12:36):
suspected Russian government actors targeting the US Department of Defense, Department of Energy, NASA, even private defense contractors. It was really the first publicly known state-sponsored cyber espionage campaign, and involved access to highly sensitive US networks, focusing mostly on the government, exfiltrating vast quantities
(12:56):
of data, including classified information and research. It demonstrated that cyber attacks could be used for long-term strategic espionage. It prompted the US to begin seriously considering cybersecurity as a national security concern. Oh, Cyber Command didn't come around for another decade or so. Titan Rain, which is believed to be Chinese military hackers,
(13:18):
probably Unit 61398, APT1, was targeting Lockheed Martin, Sandia National Laboratories, NASA, Army information systems. And really those were coordinated attacks going after defense contractors, government agencies to steal sensitive military and aerospace data. And it demonstrated a very high level of sophistication and persistence
(13:40):
by the attackers, which is where we got the APT, the P there. It's really one of the first acknowledged large-scale economic and military cyber espionage campaigns, and also marked China as a rising cyber power and brought attention to the theft of intellectual property. So almost 20 years ago now, think how far China has come in that capability.
(14:02):
By 2009, 2010, Operation Aurora, Chinese state-sponsored hackers, had targeted Google, Adobe, Juniper, Morgan Stanley, 20 other companies, and they exploited a zero-day vulnerability in Internet Explorer to gain access to internal systems and email accounts. Now, Google went ahead and exposed that attack publicly in 2010. It's a pretty bold move at the time.
(14:23):
Now, of course, zero-day publications, and being able to have the announcement of, hey, something is a breach, or more precisely, something has a vuln, it's been reported to the vendor, sorry, vendor, you got 30 days or 60 days to fix it, and then we're going live with it. Created some accountability, some transparency and assertiveness on Google's part in terms of their response for it.
(14:45):
But it's also a wake-up call to the state-sponsored corporate espionage. And just one more for fun: Stuxnet, which was discovered in 2010, and the perpetrators have been ascribed to the United States and Israel, though neither country has ever said, yeah, we did it. It's suspected likely because their target was the Iranian nuclear facilities,
(15:07):
especially at Natanz, and it was really the first known offensive cyber weapon. And it really began cyber warfare as a strategic military tool. And for those who aren't familiar with the history of Stuxnet, it was basically sabotaging Tehran's uranium enrichment process, the uranium hexafluoride that they would go through and isolate.
(15:28):
And the Siemens programmable logic controllers were targeted, basically SCADA systems. And it showed that you could actually cause physical destruction of things through a cyber attack. It really did bring up a huge question of, how do we go ahead and keep this genie in the bottle, if we can? Oh, by the way, the question I used to ask is, would you send your sons and daughters to war, kinetic war, against an attacker who launched a cyber attack
(15:55):
against you, but didn't put any bombs or missiles or guns or anything else? It's an interesting question that we haven't figured out yet. In 2014, Sony Pictures got hit with a significant breach. It was attributed to North Korean state actors. They had a film out, I think it was called The Interview, that was not positive
(16:15):
with regard to the beloved leader of the Democratic People's Republic of Korea. And so therefore, the US company got hit, which basically said, no industry is safe, no company is safe, and the motivations may not just be financial. And then the next year, the OPM breach, I remember that one. Chinese actors exfiltrated the personal data of over 21 million
(16:35):
government employees, current, former, and then all their contacts that they had, which is all about security clearance. Now, that is a massive win, if you will, for China, because if you know everybody who's got a security clearance in the United States, some of these people are still gonna be around 20, 30 years from now. They're early in their careers. In addition, we had seen future hacks that go against the
(16:58):
healthcare databases, the companies that provided healthcare insurance for federal employees, and then credit reporting bureaus. Put the pieces together. What can you do? This particular person has a high-level clearance, and it indicates that they have some health issues that aren't being addressed by the insurance companies, 'cause insurance companies are pushing back, and, oh yeah, they've
(17:20):
got some financial problems. What a wonderful target, to go and try to recruit them or to go ahead and put a little bit of leverage on them with regard to turning people into spies or whatever. We find out that the cyber stuff has really gone very high order. We now gotta think of the geopolitical actors in our threat models.
(17:41):
It's not just stopping criminals, it's gotta counter espionage, sabotage, psychological operations. And now the boardrooms are starting to sit up and take notice: who might want to target us and why? And now threat intelligence became a big industry, and it's a required capability, not just a luxury. And then by the time we got to, what, 2017, it was WannaCry, NotPetya,
(18:03):
this is destructive malware. If you remember WannaCry, this came out in May of 2017, and they were able to spread through some stolen tools that originated at the National Security Agency. A group known as the Shadow Brokers went ahead and leaked it in something called EternalBlue, which would take advantage of a weakness in Microsoft's SMB protocol.
(18:25):
So this self-propagating ransomware would go sideways. It would work without user interaction, zero click, and then you could go ahead and demand Bitcoin for encrypted files. In 2017, a lot of people didn't know how to get Bitcoin, and I like to say an executive trying to buy Bitcoin is like a grandmother trying to buy heroin. They don't know where to begin.
(18:46):
Plus it was a lot cheaper back then. But the impact was over 230,000 computers, over 150 countries, and it spread within hours. The UK National Health Service was hit, FedEx was hit, Renault, $40 billion in global damages, and they figured it was probably the Lazarus Group, Democratic People's Republic of North Korea, who have set some records lately
(19:08):
in their ability to go ahead and get billions of dollars through cyber crime. NotPetya came out, too, but just a month later. It looked like ransomware, and when it first came out, when I heard they had ransomware out there and it wasn't working correctly, and it seemed to have a Russian origin, I'm thinking, yeah, there's gonna be a bullet administered in Moscow, because someone has broken this sacred oath among ransomware operators.
(19:31):
Think about it. If there's an industry on ransomware, and it's well known that if you get ransomware and you pay the ransom, you get your files back, then what's gonna happen the next time you get ransomware? Just pay it and we'll get our files back. But then somebody comes along and says, hey, you pay it and we don't give you your files back.
(19:51):
You're breaking that model, and all of a sudden people are gonna stop paying. It turned out it wasn't ransomware, it was a wiper. It just was masquerading as ransomware, because they all went to the same address, so you couldn't even sort out who was who in the zoo in terms of people who wanted to give you some Bitcoin. It went through infected software updates from
(20:12):
M.E.Doc, a Ukrainian accounting tool. Also used EternalBlue, EternalRomance. Maersk, what, a $300 million hit from that. Merck, FedEx. Over $10 billion total damage. This is collateral damage, not really the primary target. The primary target was Ukraine. This is 2017. We've seen Russia and Ukraine not getting along all that well for quite a few
(20:35):
years now, and it was believed to be GRU, and it ended up with a global fallout. So the old assumptions were, hey, your perimeter defense is fine, but if you have a patch management failure, there's something that's not up to date, and then lateral movement is possible within your enterprise, it's a massive consequence, almost existential to your company.
(20:59):
So now resilience became really key. Business continuity planning, disaster recovery, cyber insurance. We had to take a look at that. And now as a CISO, you have to become a crisis manager. And now cyber resilience is a board-level concern. By 2018 we have GDPR, the General Data Protection Regulation.
(21:20):
It went into effect, 99 different paragraphs, and if you have trouble sleeping, go ahead and read GDPR all the way through. I have. I didn't fall asleep, though, 'cause that's what we do for a living, and some of us find it interesting. But it basically forced companies worldwide to reevaluate how you collect, store and process personal data. It empowers data subjects, i.e. people, European citizens, with
(21:42):
the rights to access, rectify and delete their information. And as a CISO, this is a paradigm shift, 'cause security controls now have to align with privacy principles. Encryption, pseudonymization, say that fast five times, and data minimization are no longer best practices. These are regulatory requirements. You gotta do it. And then a 72-hour breach notice. Oh my goodness, how
(22:04):
are we gonna do it that fast? Of course, today we see things that have a lot shorter fuses on there, but there's a huge pressure on detect and respond capabilities, and then it's also gonna elevate the importance of cross-functional partnerships. You gotta work with the privacy officers, the legal teams, and the data stewards who are out there. For those of us who lived through the Great Pandemic, and most of us alive
(22:26):
here, I think, have, it created what, the largest remote workforce experiment in history, starting in early 2020. Practically overnight, organizations had to support entire workforces outside the corporate perimeter. Our VPNs maxed out and we couldn't handle it. The home networks became attack surfaces. Personal devices got pressed into service because we didn't have them,
(22:49):
and so they didn't have proper controls on them. Family members were using it. You're out and playing Minecraft in the evening, and dad's going ahead and working on stuff during the day, and then mom's working on her job in the afternoon, and who knows what the kids have put on this thing. And so now, as a CISO, you have to have agility. You have to be able to respond to these changing environmental conditions. You can't sacrifice security.
(23:10):
Where's your new perimeter? It's identity. And now we have to go to zero trust models and endpoint detection and response and CASBs and cloud security platforms. And now all of a sudden you have to accelerate your security programs, and all that technical debt comes due. And it's also really a cultural inflection point, because if you succeeded as
(23:31):
a CISO in making your organization go through this, you became a trusted advisor to the business. You weren't just a policy enforcer, 'cause you could do transformation while maintaining trust. I remember in early 2020, when I had just finished writing an incident response plan and disaster recovery plans for the organization.
(23:52):
And then my client had said, hey, could you write a pandemic response plan just in case? Hey, I already had the template, so you change disaster to pandemic, global search and replace, a little bit more than that, but not too much different than people can't get to the office because of a massive snowfall or earthquake or flood or fire or building shut down or anything else
(24:13):
that would keep people outta the office. It was much what the model was built around, and then we tested it. Told everybody, bring all your equipment home, your phone and your laptop and your chargers, on a Wednesday. Work from home. Nobody had ever done that before in the history of the company. I always came to work Monday through Friday. On Thursday, we all come back in the office. We sort out notes and things like that. What worked, what didn't. Okay? We said, okay, Friday, so Thursday night, take your stuff home with you again.
(24:37):
Work from home on Friday. Have your chargers, your paperwork, your laptop, and we'll talk about it on Monday. Over the weekend, Washington DC shut down, and they stayed shut down for 66 weeks. We had zero interruptions in the business. Everything kept rolling. Why? Because we got lucky, because we had tested this plan literally the day before
(24:57):
everything went down, and we had all the bugs worked out. And as a result, while other companies were scrambling, we did just great. Let's look at today. What challenges do we face? As a CISO, you gotta deal with risk. We deal with resilience, we gotta deal with reporting. You gotta be a technologist, a communicator, a strategist.
(25:17):
Regulations are only going up more and more. Now, the SEC requires your public companies to disclose material cyber incidents within four days. I gotta be fluent in disclosure language and materiality assessments. Boards say your metrics have to tie cyber risk to the business outcomes. It can't be just focused on IT. We've gone from technical dashboards
(25:39):
to business-aligned risk scoring, and we've also got personal liability. I had a chance to spend some time with Tim Brown several weeks ago. This poor gentleman has been standing in the gap, if you will, for our CISO community, dealing with a tremendous amount of time. If you don't know about him, I'll get him on the show, he's already agreed to, and I'd love to have him tell his story about that kind of a precautionary tale
(26:03):
of what could possibly go wrong when you don't think you're doing anything wrong. But here's the thing. With these lawsuits, regulatory actions, now we're potentially in the target, and the good news is that if organizations recognize the strategic value of cybersecurity, then maybe the CISO's gonna be protected by the errors and omissions, the executive and the directors and
(26:24):
officers policies, and things like that. The Professional Association of CISOs, whom I had on the show about a month ago. Join that and work with the PAC. You can get the liability insurance for that and things such as that. And so I'm still going through, I'm a little bit late on my paperwork, but going through there for their accreditation. But now the modern CISO has influence, 'cause you're shaping digital trust.
(26:45):
So, well, where does that leave us? Calling back to 1994, from Steve Katz to today, where our CISOs communicate risk. We face the boards. We're considered executives, although I still argue in a lot of places it's a little C for our CISO, but the CISO role has transformed dramatically. We've got compliance, we've got training, we've got vendors and all that assortment
(27:08):
of stuff that we have to manage. Cyber warfare, privacy law, compliance requirements, all this chaos we have to turn into clarity. If we've done so effectively, we have earned our seat at the grownups' table, so to speak, to be able to communicate with and help senior executives make decisions. So what's going forward for us? AI-driven threats, quantum vulnerabilities,
(27:32):
reporting for ESG, and maybe even a greater expectation to build secure digital ecosystems, plus the concern that comes with the warfare that's going on around the world, and can that extend out more into the cyber world? History shows that we adapt and we evolve and we lead. So for our CISOs out there, thank you for listening to CISO Tradecraft.
(27:56):
I hope you found this interesting and a little bit revealing about the background. If you love CISO Tradecraft, make sure you're subscribing to us. Follow us on YouTube, like us there. Listen to us on your favorite podcast channel, tell other people where they can hear about it, and then give us some feedback. We're on LinkedIn. We've got a lot more than just podcasts. We'll go ahead and have a Substack newsletter.
(28:17):
We have little outtakes and shorts and things that we put out there. Help us help you in your career to do better. So this is your host, G Mark Hardy. Thank you for the opportunity to spend the time with you. Until next time, stay safe out there.