CISO Tradecraft®

In this CISO Tradecraft episode, host G Mark Hardy interviews Steve McMichael, author of "How to Break into GRC: Mindset, Methods, and Skills," about entering cybersecurity through governance, risk, and compliance. McMichael shares his transition from accounting and explains GRC’s role as decision support and the interface between business and technical teams, breaking down governance, risk management, and compliance (including audits and third-party/supply-chain assurance). They discuss misconceptions that GRC is “just paperwork,” barriers like imposter syndrome, and strategies such as building T-shaped skills, targeting about 20% technical depth across domains, and developing credibility through a deep specialty. McMichael also describes an immersion mindset driven by emotional engagement, and showcases an open-source NIST Cybersecurity Framework Profile Assessment Database project on GitHub to help newcomers build skills and portfolio contributions.

Want to move from "security expert" to "trusted business leader"?
Join G. Mark Hardy and Michael Hammer. The mind behind the core of DMARC, for 40 years of hard-won wisdom on navigating the CISO role, This episode is a masterclass in evolving from a technical gatekeeper to a strategic influencer who changes the environment,.
Inside this episode:
Modern Email Security: Why DMARC and SPF aren't "set and forget" tools and how to stop "cousin domain" attacks,.
The 30-Minute Audit: Use the "Turn the Rocks Over" method to vet any vendor’s security posture in minutes.
Risk vs. Ownership: Why you must ensure the executive team makes informed risk decisions, and why you should get them in writing.
The AI Storm: How Mythos AI is accelerating the disclosure of years of hidden code vulnerabilities,.
Stop being a "compliance tax" and start protecting revenue. Watch now to learn how to build a true security culture

What if your next breach isn't caused by a human... but by an AI agent acting exactly as instructed?
Cyberhaven's CEO (Nishant Doshi) and SVP of Engineering (Saro Subbiah) reveal why AI is a true zero-to-one shift, why every employee is building agents, and why traditional security controls are struggling to keep up with machine-speed workflows.
The most interesting question for CISOs isn't whether AI will be adopted, it's which security control breaks first when thousands of human-plus-agent workflows start operating across your enterprise?
Watch the episode and weigh in: What do you believe will be the first major failure point of enterprise AI adoption, identity, code review, third-party dependencies, data security, audit trails, or something else entirely?

Big thanks to our Sponsor Cyberhaven -
https://www.cyberhaven.com/product

In this discussion, G. Mark Hardy and Nishant Kaushik explore the necessity of moving beyond traditional passwords, which they define as the original sin of cybersecurity due to their vulnerability to credential stuffing and phishing attacks. Kaushik explains that the FIDO Alliance promotes a passwordless future by replacing shared secrets with asymmetric cryptography, utilizing private keys stored on smartphones or hardware tokens like YubiKeys to ensure phishing-resistant authentication. The conversation highlights that identity is the new perimeter, shifting the focus from human-memorized codes to biometric verification and device-bound passkeys that verify user presence. Ultimately, the experts warn that a secure transition must include robust account recovery flows, as failing to secure the "back door" renders even the most advanced cryptographic-based authentication vulnerable to exploitation.
FIDO Alliance - https://fidoalliance.org/

What can today’s CISOs learn from the chaos of Code Red and SQL Slammer?
In this episode, G Mark Hardy interviews Aaron Turner about what it was like responding inside Microsoft during two of the most infamous cyber outbreaks in history.
Aaron shares firsthand stories from the era when SQL Slammer infected at least 75,000 systems in roughly 10 minutes, exposing massive gaps in patch management, security QA, firewall design, and enterprise readiness. He explains how Microsoft’s early security culture operated, how major incidents and source-code theft forced change, and why many of the same mistakes are now reappearing in enterprise AI adoption.
The conversation connects the lessons of Code Red and Slammer directly to today’s AI security challenges, including:
Unauthenticated MCP servers and weak authorization models
AI accelerating exploit development and vulnerability discovery
Why the traditional “patching game” no longer scales
The growing importance of identity security, ITDR, SASE, and developer controls
How CISOs should think about technical debt and legacy modernization
Why serverless and cloud-native architectures may become security necessities
If you’re a CISO, deputy CISO, security architect, or aspiring security leader navigating the risks of AI-driven attacks, this episode provides practical lessons from one of the most important eras in cybersecurity history and why those lessons matter even more today.
Aaron Turner's Linkedin - https://www.linkedin.com/in/aaronrturner/