CISO Tradecraft® – Details, episodes & analysis

Podcast details

Technical and general information from the podcast's RSS feed.

CISO Tradecraft®

Technology
Business

Frequency: 1 episode every 7 days. Total episodes: 229

Podbean
Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2025, National Security Corporation. All Rights Reserved

Recent rankings

Latest chart positions across Apple Podcasts and Spotify rankings.

Apple Podcasts
  • 🇨🇦 Canada - technology: 26/04/2025, #72
  • 🇺🇸 USA - technology: 26/04/2025, #91
  • 🇨🇦 Canada - technology: 25/04/2025, #48
  • 🇺🇸 USA - technology: 25/04/2025, #67
  • 🇨🇦 Canada - technology: 04/02/2025, #97
  • 🇨🇦 Canada - technology: 02/02/2025, #62

Spotify
  • No recent rankings available



RSS feed quality and score

Technical evaluation of the podcast's RSS feed quality and structure.

RSS feed quality
To improve

Overall score: 58%


Publication history

Monthly episode publishing history over the past years.

Latest published episodes

Recent episodes with titles, durations, and descriptions.

#217 - Includes No Dirt (with Bill Dougherty)

Episode 217

Monday, 27 January 2025. Duration: 44:59

In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.

Big Thanks to our Sponsors:

ZeroPath - https://zeropath.com/

CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!

The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf

Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X

Chapters

  • 03:27 The Genesis of Includes No Dirt
  • 05:05 Combining Security, Privacy, and Compliance
  • 07:24 Implementing the No Dirt Model
  • 11:42 Scoring and Evaluating Risks
  • 17:41 Third-Party Risk Management
  • 25:49 Evaluating SaaS Requests Based on Risk
  • 27:55 Adapting Threat Models for AI
  • 31:24 Principles of Minimum Necessary Data
  • 33:42 General Applicability of Security Principles
  • 35:12 Includes No Dirt: A Comprehensive Threat Model
  • 40:15 Final Thoughts and Recommendations

#216 - The TTPs of a Security Champions Program (with Dustin Lehr)

Episode 216

Monday, 20 January 2025. Duration: 45:32

Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you’re an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization’s security practices.

Big Thanks to our Sponsors:

ZeroPath - https://zeropath.com/

CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!

Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH

Learn more about this topic by reading Dustin's website - https://securitychampionsuccessguide.org/

Dustin Lehr's company - https://www.katilyst.com/

Chapters

  • 01:05 Meet Dustin Lehr
  • 04:05 Leadership vs. Management
  • 06:17 The Role of Security Champions
  • 17:20 Recruiting Security Champions
  • 24:42 Exploring the Framework: Vision and Goals
  • 26:25 Defining Participants and Their Roles
  • 28:37 Understanding the Current Setting
  • 33:27 Conceptualizing Ideal Actions
  • 35:20 Designing with Gamification in Mind
  • 40:30 Effective Delivery and Continuous Tuning
  • 41:30 Overcoming Challenges and Final Thoughts

#207 - CISO Burnout (with Raghav Singh)

Episode 207

Monday, 18 November 2024. Duration: 46:06

Welcome to another enlightening episode of CISO Tradecraft! In this episode, host G. Mark Hardy dives deep into the critical topic of CISO burnout with special guest Raghav Singh, a PhD candidate from the University of Buffalo. This is an eye-opening session for anyone in the cybersecurity field, especially those in or aspiring to the CISO role. Raghav shares valuable insights from his extensive research on the unique stresses faced by CISOs, the organizational factors contributing to burnout, and practical coping mechanisms. We also explore the evolutionary phases of CISOs, from technical experts to strategic business enablers. Whether you're dealing with resource limitations, seeking executive support, or managing ever-evolving cybersecurity threats, this episode offers actionable advice to navigate the demanding role of a CISO successfully. Don't forget to like, comment, and share to help other CISOs and cybersecurity leaders!

Big Thanks to our Sponsor CruiseCon - https://cruisecon.com/

  • CruiseCon Discount Code: CISOTRADECRAFT10

Transcripts: https://docs.google.com/document/d/1fhLkaj_JetlYFQ50Q69uMGmsw3fS3Wqa

CISO Burnout - https://aisel.aisnet.org/amcis2023/sig_lead/sig_lead/4/

CISO-CIO Power Dynamics - https://aisel.aisnet.org/amcis2024/is_leader/is_leader/6/

Cybersecurity professionals and AI integration - https://aisel.aisnet.org/amcis2024/security/security/29/

Raghav can be reached on [email protected]

Chapters

  • 00:00 Introduction and Guest Welcome
  • 02:34 Understanding CISO Burnout
  • 03:24 PhD Journey and Challenges
  • 10:12 Key Findings on CISO Burnout
  • 18:39 Six Sources of CISO Burnout
  • 32:47 CISO Maturity Levels
  • 42:57 Conclusion and Call to Action

#117 - Good Governance (with Sameer Sait)

Episode 117

Monday, 20 February 2023. Duration: 39:34

Has bad governance given you trauma, boring committees, and long speeches on irrelevant issues? Today we are going to overcome that by talking about what good governance looks like. We bring on the former CISO of Amazon Whole Foods (Sameer Sait) to discuss his lessons learned as a CISO. We also highlight key topics of good governance found in the Cyber Security Profile from the Cyber Risk Institute.

Cyber Risk Institute - Cyber Security Profile: https://cyberriskinstitute.org/the-profile/

Full Transcripts: https://docs.google.com/document/d/1vBM6A0utvhRFMA04wzrZvR8ktNwYo-li

Chapters

  • 00:00 Introduction
  • 03:10 Good Governance is a Good Thing, Right?
  • 05:08 Cyber Strategy & Framework
  • 06:43 Is NIST the Same as ISO?
  • 08:40 How to Convince the Executive Leadership Team to Buy In
  • 11:19 The CEO's Challenge is Taking Measured Risk
  • 20:05 Is there a Cybersecurity Policy
  • 22:32 Culture eats Policy for Lunch
  • 24:14 The Role of the CISO
  • 27:52 How do you Convince the Leadership Team that you need extra resources
  • 29:51 How do you Measure Cybersecurity?
  • 32:22 How do we communicate Risk Findings to Senior Management
  • 36:07 Are you Aligning with the Audit Committee

#116 - A European view of CISO responsibilities (with Michael Krausz)

Episode 116

Monday, 13 February 2023. Duration: 43:37

In the US we often focus on SOC-2, NIST Special Pubs, and the Cybersecurity Framework. In Europe (and most of the rest of the world), ISO 27001 is the primary standard. ISO concerns itself with policy, practice, and proof, whereas NIST often shows the method to follow. Michael points out that a CISO is responsible for governance, (internal) consulting, and audit. In early stages of growing a security function, a CISO needs to be technically-focused, but as a security department matures, the CISO must be organizationally-focused. Also, to effectively grow your team, first determine what actions need to take place, how much effort it requires, and how often it needs to take place. Then, build an action sheet and collect data for three months. Finally, take that to your executives and document your requirements for more staff.

Michael Krausz LinkedIn Profile: https://www.linkedin.com/in/michael-krausz-b55862/

Michael Krausz Website: https://i-s-c.co.at/

Full Transcript: https://docs.google.com/document/d/13fghym7IWyPvuRANQXUvmv-ulkSj93xv

Chapters

  • 00:00 Introduction
  • 04:01 Is there a Gap Analysis in ISO 27001?
  • 08:05 Is there a Requirement for ISO Standards?
  • 10:57 What is ISO 27001?
  • 13:11 Is there a Parallel Development between the US and EU?
  • 16:57 Do you want to be a trooper?
  • 21:17 What's the Oldest Operating System?
  • 23:09 Are there Legacy Operating Systems that you can't get away from?
  • 24:11 The Most Important Class for a CISO
  • 26:33 The Secrets of a Successful CISO
  • 29:30 CISO - I need 6 people period
  • 33:40 What's the Primary Skill Needed in a CISO?
  • 37:41 How to Maximize the Number of FTEs

#115 - The Business Case for a Global Lead of Field Cybersecurity (with Joye Purser)

Episode 115

Monday, 6 February 2023. Duration: 41:38

How can cyber best help the sales organization? It's a great thought exercise that we bring on Joye Purser to discuss. Learn from her experience as we go over how cybersecurity is becoming an even closer business partner with the creation of a new important role.

Full Transcript: https://docs.google.com/document/d/1Shd1Qldb8iKEHBgXJqFez81Iwfpl6JT-/

Chapters

  • 00:00 Introduction
  • 02:58 How did you marry those two cultures?
  • 06:40 Building a Diverse Workforce
  • 08:23 Is this a new role based on Pain Points?
  • 10:27 Global Lead for Field Cyber Security
  • 15:51 Is the Global Lead for Field Cybersecurity linked to sales numbers?
  • 19:07 Is there a Global Lead for Field Cybersecurity?
  • 24:46 Building Relationships in a Security Leadership Role
  • 27:48 Do you have any lessons learned from your success at Global Management Consulting?
  • 29:33 You need to schedule time to get things done
  • 33:33 What about Due Diligence?
  • 37:36 The Chief Technology Officer, CRO, & CTO

#114 - One Vendor to Secure Them All

Episode 114

Monday, 30 January 2023. Duration: 24:06

Did you ever wonder how much security you can implement with a single vendor? We did and were surprised by how much you can do using the Australian Top Eight as a template. We'll bet you can improve your security by using these tips, tools, and techniques that you might not have even known were there.

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts:

https://docs.google.com/document/d/12HsuOhY9an1QzIw9wOREPMX0pXe5hqkJ

Helpful Links

  1. Essential 8 https://www.microsoft.com/en-au/business/topic/security/essential-eight
  2. Blocking Macros https://ite8.com.au/the-essential-8/office-macros-explained/
  3. Windows Defender Application Control (WDAC), available on Windows 10 / Server 2016 and newer; earlier Windows versions (Windows 7 / 8) offered AppLocker instead
  4. Windows Group Policies
  5. File Server Resource Manager (FSRM)
  6. Enable MFA for RDP
  7. Enable MFA for SSH
  8. Windows Controlled Folder Access
  9. Use Windows File History to create backups to OneDrive.
  10. Store your files in OneDrive, which has ransomware detection
  11. Windows Update
  12. Microsoft Conditional Access Policies - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
  13. Microsoft Authenticator with Number Matching, Geo, & Additional Context
  14. Application Approve List- https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/

#113 - SAST Security (with John Steven)

Episode 113

Monday, 23 January 2023. Duration: 42:51

This episode provides a deep dive into Static Application Security Testing (SAST) tools. Learn how they work, why they don't work as well as you think they will in certain use cases, and find some novel ways to apply them in your organization. Special thanks to John Steven for coming on the show to share his expertise.

Special thanks to our sponsor Praetorian for supporting this episode.

https://www.praetorian.com/

Full Transcripts - https://docs.google.com/document/d/1zoA70k78IjqyJky-2u7_-i2jlWke8_cb

Chapters:

  • 00:00 Introduction
  • 02:51 Source Code Analyzers
  • 04:22 The three bears of Static Analysis
  • 06:01 Do Linters work Better?
  • 08:00 The Value of Full Programming Analysis Tools over Linters
  • 11:30 The Impact of a Developer's Analysis on a Developer Environment
  • 13:05 SAST Testing
  • 15:47 OWASP Benchmarking
  • 19:13 The First Static Analysis Tools
  • 20:53 Can you break up that worry about Automated Testing?
  • 22:44 Using Static Analysis for Defect Discovery
  • 24:18 Using Static Analysis to Improve Web Security
  • 31:37 Using Static Analysis to Drive Cloud Security
  • 33:15 The Second Thing to Look Out for When Choosing a Static Analysis Tool
  • 34:55 Using Static Analysis to Build a Vulnerability Management Practice
  • 37:35 Can you use Static Analysis to Find Insider Threat?

#112 - Attack Surface Management (with Richard Ford)

Episode 112

Tuesday, 17 January 2023. Duration: 41:57

How do you defend against automated attacks in an era of ChatGPT-formulated malware, coordinated nation-state actors, and a host of disgruntled laid-off security professionals? Want to find your vulnerabilities faster than the bad actors do? Come listen to Richard Ford to learn how to apply best practices in attack surface management and defend your crown jewels.

Special thanks to our sponsor Praetorian for supporting this episode.

Full Transcripts - https://docs.google.com/document/d/18QyrN-7V91nxOyRQ0KsNeJU0-k-bTlqj

Chapters:

  • 00:00 Introduction
  • 04:22 The Impact of Continuous Attack Surface Mapping on Security Responses
  • 07:48 What's the Difference between a CTO and a CIO?
  • 10:24 What attracted you to the problem space?
  • 12:53 Is the Attack Surface really exposed?
  • 16:12 Shadow IT - The Unknown Unknowns that could Bite You
  • 19:56 Is there a Shadow IT problem?
  • 23:24 How to get management on board with Shadow IT?
  • 26:38 Building an Attack Surface Management Program
  • 29:57 You Get What You Measure, Right?
  • 33:27 Do I Have Vulnerable Assets?
  • 39:24 Attack Surface Management

#111 - Leading with Style

Episode 111

Monday, 9 January 2023. Duration: 44:52

Have you ever wanted to be like Neo in "The Matrix" and learn things like Kung Fu in just a few minutes? Well, on today's episode we try to do just that by cramming powerful leadership concepts into your head in just 45 minutes. So sit back, relax, and enjoy CISO Tradecraft.

Show Notes with Pictures & References:

https://docs.google.com/document/d/1z5FwVwYlNiJlevQXP9IK48Z5kYqG-Ee_/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true

Full Transcript: https://docs.google.com/document/d/11iTdKRxtg1UYiQeUn-mdgM7zKqafTq34/edit?usp=sharing&ouid=104989998442085477687&rtpof=true&sd=true


Related Shows Based on Content Similarities

Discover shows related to CISO Tradecraft®, based on actual content similarities. Explore podcasts with similar topics, themes, and formats, backed by real data.
UI Breakfast: UI/UX Design and Product Strategy
Negotiate Anything
Negotiations Ninja Podcast
Perpetual Traffic
Everyone Hates Marketers | No-BS Marketing & Brand Strategy Podcast
ChooseFI
Service Business Mastery for Skilled Trades: HVAC, Plumbing & Electrical Home Service
The Engineering Leadership Podcast
Joy Joya Jewelry Marketing Podcast
Woman Owned: The Growth Podcast for Women Entrepreneurs
© My Podcast Data