Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate ...
In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf
Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X
Chapters
03:27 The Genesis of Includes No Dirt
05:05 Combining Security, Privacy, and Compliance
07:24 Implementing the No Dirt Model
11:42 Scoring and Evaluating Risks
17:41 Third-Party Risk Management
25:49 Evaluating SaaS Requests Based on Risk
27:55 Adapting Threat Models for AI
31:24 Principles of Minimum Necessary Data
33:42 General Applicability of Security Principles
35:12 Includes No Dirt: A Comprehensive Threat Model
40:15 Final Thoughts and Recommendations
--------
44:59
#216 - The TTPs of a Security Champions Program (with Dustin Lehr)
Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you’re an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization’s security practices.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH
Learn more about this topic by reading Dustin's Website - https://securitychampionsuccessguide.org/
Dustin Lehr's Company - https://www.katilyst.com/
Chapters
01:05 Meet Dustin Lehr
04:05 Leadership vs. Management
06:17 The Role of Security Champions
17:20 Recruiting Security Champions
24:42 Exploring the Framework: Vision and Goals
26:25 Defining Participants and Their Roles
28:37 Understanding the Current Setting
33:27 Conceptualizing Ideal Actions
35:20 Designing with Gamification in Mind
40:30 Effective Delivery and Continuous Tuning
41:30 Overcoming Challenges and Final Thoughts
--------
45:32
#215 - CISO Predictions for 2025
In this episode of CISO Tradecraft, host G. Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.
Big Thanks to our Sponsor
CruiseCon - https://cruisecon.com/
CruiseCon Discount Code: CISOTRADECRAFT10
Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf
Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code
Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy
Chapters
01:19 1) AI Influencers become normalized
03:17 2) The Importance of Production Quality in Branding
05:19 3) Google and Apple Collaboration for Enhanced Security
06:28 4) Consolidation in Application Security and Vulnerability Management
08:36 5) The Rise of Models Committees
09:09 6) Formalizing the CISO Role
11:03 7) Exclusive CISO Retreats: The New Trend
12:12 8) Automating Cybersecurity Tasks with Agentic AI
13:10 9) Browser-Based Security Solutions
14:22 10) Post-Quantum Cryptography: Preparing for the Future
--------
18:35
#214 - Deceive to Detect (with Yuriy Gatupov)
🔥 Hackers Beware! Cyber Deception is Changing the Game 🔥
In this must-hear episode of CISO Tradecraft, we expose a mind-blowing cybersecurity strategy that flips the script on attackers. Instead of waiting to be breached, cyber deception technology tricks hackers into revealing themselves—before they can do real damage. 🚨🎭
Imagine laying digital traps—fake credentials, bogus systems, and irresistible bait—that lead cybercriminals straight into a controlled maze where every move they make is tracked.
Early threat detection? ✅
Real-time attacker intel? ✅
Fewer false positives? ✅
🎙️ Featuring deception tech guru Yuriy Gatupov, we break down:
✅ How deception tech works & why it’s a game-changer
✅ How to expose and track hackers in real time
✅ How to prove ROI and make the case for your org
Cyber deception isn’t just defense—it’s offense against cyber threats. Are you ready to fight back? Listen now!
Big thanks to our Sponsors
ThreatLocker - https://hubs.ly/Q02_HRGK0
CruiseCon - https://cruisecon.com/
Contact Yuriy Gatupov - [email protected]
Yuriy's LinkedIn - https://www.linkedin.com/in/yuriy-gatupov-373155281/
Transcripts: https://docs.google.com/document/d/1oyQzCBRoPLbDOCOCypJMGGXxcPI5w75o
Chapters
02:05 History of Cyber Deception
04:57 Advantages of Deception Technology
06:57 Engagement and Detection Strategies
10:18 How Deception Technology Works
16:13 Attack Scenarios and Detection
24:09 Decoys and Deception: A New Paradigm
24:56 Real-World Success Stories
33:30 Deception in OT and SCADA Systems
37:38 Calculating ROI for Deception Technologies
--------
45:47
#213 - How to Build a Successful Cybersecurity Startup (with Ross Haleliuk)
In this episode of CISO Tradecraft, host G. Mark Hardy interviews Ross Haleliuk, author of 'Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup.' Ross shares valuable insights on starting a cybersecurity company, and emphasizes the importance of understanding market needs, customer engagement, and trust in the industry. They discuss the role of angel investors, the differences between product and service companies, and the challenges founders face. The episode also includes an announcement about CISO Tradecraft's partnership with CruiseCon for an upcoming cybersecurity conference. Additionally, Ross provides a glimpse into his non-traditional background and journey into the cybersecurity space.
Thank you to our sponsors
- ThreatLocker - https://hubs.ly/Q02_HRGK0
- CruiseCon - https://cruisecon.com/
Ross Haleliuk's Book - https://www.amazon.com/Cyber-Builders-Essential-Building-Cybersecurity/dp/173823410X/
Ross Haleliuk's LinkedIn Page - https://www.linkedin.com/in/rosshaleliuk/
Transcripts: https://docs.google.com/document/d/1b8UPolYvYWEYbmO7n_7NqrilObv-HNzo
Chapters
02:28 Ross Haleliuk's Background and Journey
04:32 Discussing the Book: Cyber for Builders
10:52 Insights on Cybersecurity and Business
15:54 Challenges and Realities of Cybersecurity Startups
22:19 Navigating Market Competition
23:15 Entering Established Markets
24:28 Challenges in Security Tool Adoption
25:11 Legacy Vendors and Market Entrenchment
27:35 Building a Company: Beyond the Product
30:02 Validating Market Needs
32:27 Funding Your Startup
35:25 The Role of Angel Investors
43:29 Conclusion and Next Steps