Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate ...
#219 - The Professionalization of CISOs (with Steve Zalewski & Tyson Kopczynski)
This podcast episode discusses the formation of a professional association for CISOs, driven by increasing personal liability risks faced by these executives. The conversation centers on establishing a formal definition and accreditation process for the CISO role, moving beyond existing certifications to demonstrate operational and theoretical expertise. This professionalization effort aims to reduce personal liability through a tailored insurance product, negotiated collectively by the association, and preempt potentially ill-defined government regulations. Ultimately, the goal is to create a structured, respected profession for CISOs, offering benefits such as insurance, professional development, and a unified voice within the industry.
Professional Association of CISOs - https://theciso.org/
Transcripts - https://docs.google.com/document/d/1BNeUzSyPYX-vAYwQl9qCi0GhknYhKnWF/
Chapters
00:00 Introduction to Professionalizing the CISO Role
00:52 The Genesis of a Professional Association
03:39 Challenges and Legal Liabilities for CISOs
04:43 The Value of Joining the Association
06:24 Accreditation and Certification Process
10:38 Insurance and Risk Management for CISOs
18:45 Future Directions and Getting Involved
--------
41:15
#218 - How AI Changes Talent Management (with Colleen Lennox)
In this episode of CISO Tradecraft, host G. Mark Hardy and special guest Colleen Lennox dive into the transformative power of AI in HR. Discover how AI can revolutionize identifying, attracting, and retaining cybersecurity talent. They discuss the challenges of finding the right personnel in the cybersecurity field, the innovative AI-driven solutions that can streamline recruitment processes, and how these tools can help in talent management and career progression. Stay tuned as they explore the potential of AI in creating a more effective and bias-free hiring process, while also discussing the future implications for HR and recruiters in the evolving landscape. Big Thanks to our
Sponsors: CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
Transcripts: https://docs.google.com/document/d/1f6B9Ye02WHWo7q15avBm0359pxGNqnVu
Chapters
00:00 Introduction: AI and Workforce Concerns
00:28 Welcome to CISO Tradecraft
01:01 Meet Colleen Lennox: AI in HR
01:27 Challenges in Cybersecurity Recruitment
03:11 AI-Powered Recruitment Solutions
07:07 Improving Talent Management with AI
13:36 Addressing Bias in AI Recruitment
17:20 Future of AI in HR and Recruitment
21:04 Conclusion and Contact Information
--------
23:49
#217 - Includes No Dirt (with Bill Dougherty)
In this episode of CISO Tradecraft, host G. Mark Hardy sits down with Bill Dougherty, CISO of Omada Health, to discuss a groundbreaking threat model called 'Includes No Dirt'. This comprehensive model integrates security, privacy, and compliance considerations, aiming to streamline and enhance threat modeling processes. The conversation covers the origin and principles of the model, its applicability across different sectors, and the essential aspects of threat modeling. Listeners are also treated to insights on handling third-party risks and adapting to emerging AI challenges. The episode provides practical advice for cybersecurity leaders looking to effectively manage and mitigate risks while reducing redundancy.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
The No DIRT Threat Model can be found here: http://www.includesnodirt.com/nodirt.pdf
Transcripts: https://docs.google.com/document/d/1vWq4Zx7pzM_B65W933m8_TE0fLKaUw3X
Chapters
03:27 The Genesis of Includes No Dirt
05:05 Combining Security, Privacy, and Compliance
07:24 Implementing the No Dirt Model
11:42 Scoring and Evaluating Risks
17:41 Third-Party Risk Management
25:49 Evaluating SaaS Requests Based on Risk
27:55 Adapting Threat Models for AI
31:24 Principles of Minimum Necessary Data
33:42 General Applicability of Security Principles
35:12 Includes No Dirt: A Comprehensive Threat Model
40:15 Final Thoughts and Recommendations
--------
44:59
#216 - The TTPs of a Security Champions Program (with Dustin Lehr)
Join G. Mark Hardy in a riveting episode of CISO Tradecraft as he sits down with Dustin Lehr to uncover strategies for creating security champions among developers. Explore effective techniques to inspire culture change, leverage AI tools for security, and discover the difference between leadership and management. This insightful discussion includes actionable steps to establish a robust security champions program, from defining a vision to executing with gamification. Whether you’re an aspiring champion or a seasoned cybersecurity leader, this episode is packed with valuable insights to elevate your organization’s security practices.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!
Transcripts - https://docs.google.com/document/d/1IgPbmnNaEF_1GIQTRxHStOoUKtZM4azH
Learn more about this topic by reading Justin's Website - https://securitychampionsuccessguide.org/
Justin Lehr's Company - https://www.katilyst.com/
Chapters
01:05 Meet Dustin Lair
04:05 Leadership vs. Management
06:17 The Role of Security Champions
17:20 Recruiting Security Champions
24:42 Exploring the Framework: Vision and Goals
26:25 Defining Participants and Their Roles
28:37 Understanding the Current Setting
33:27 Conceptualizing Ideal Actions
35:20 Designing with Gamification in Mind
40:30 Effective Delivery and Continuous Tuning
41:30 Overcoming Challenges and Final Thoughts
--------
45:32
#215 - CISO Predictions for 2025
In this episode of CISO Tradecraft, host G Mark Hardy explores the top 10 cybersecurity predictions for 2025. From the rise of AI influencers to new standards in encryption, Hardy discusses significant trends and changes expected in the cybersecurity landscape. The episode delves into topics such as branding, application security, browser-based security, and post-quantum cryptography, aiming to prepare listeners for future challenges and advancements in the field.
Big Thanks to our Sponsor
CruiseCon - https://cruisecon.com/
CruiseCon Discount Code: CISOTRADECRAFT10
Team8 Fixing AppSec Paper - https://bunny-wp-pullzone-pqzn4foj9c.b-cdn.net/wp-content/uploads/2024/11/Fixing-AppSec-Paper.pdf
Terraform and Open Policy Agent Example - https://spacelift.io/blog/terraform-best-practices#8-introduce-policy-as-code
Transcripts - https://docs.google.com/document/d/1u6B2PrkJ1D14d9HjQQHSg7Fan3M6n4dy
Chapters
01:19 1) AI Influencers become normalized
03:17 2) The Importance of Production Quality in Branding
05:19 3) Google and Apple Collaboration for Enhanced Security
06:28 4) Consolidation in Application Security and Vulnerability Management
08:36 5) The Rise of Models Committees
09:09 6) Formalizing the CISO Role
11:03 7) Exclusive CISO Retreats: The New Trend
12:12 8) Automating Cybersecurity Tasks with Agentic AI
13:10 9) Browser-Based Security Solutions
14:22 10) Post-Quantum Cryptography: Preparing for the Future