#229 - Understanding the Critical Role of CVEs and CVSS
In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently.
Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII
Chapters
00:00 Introduction to CVE and CVSS
01:13 History of Vulnerability Tracking
03:07 The CVE System Explained
06:47 Understanding CVSS Scoring
13:11 Recent Funding Crisis and Its Impact
15:53 Future of the CVE Program
18:27 Conclusion and Final Thoughts
--------
20:06
#228 - CIS CSAT (with Scot Gicking)
Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.
Scott Gicking - https://www.linkedin.com/in/scottgickingus/
CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat
Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe
Chapters
01:16 Guest Introduction: Scott Gicking
02:49 Scott's Career Journey
04:03 The Hollywood Cybersecurity Incident
07:38 Introduction to CIS and Its Importance
09:49 Understanding the CIS CSAT Tool
10:13 Implementing CIS CSAT in a Real-World Scenario
13:00 Benefits of the CIS CSAT Tool
18:38 Developing a Three-Year Roadmap with CSAT
23:25 Scoring Policies and Controls
24:20 Control Implementation and Automation
25:22 CMMC Certification Levels
27:52 Honest Self-Assessment
30:01 Quick and Dirty Assessment Approach
33:07 Building Trust and Reporting
37:38 Business Impact Analysis Tool
40:02 Reputational Damage and CISO Challenges
42:55 Final Thoughts and Contact Information
--------
44:48
#227 - The 30 Year CISO Evolution
Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today.
Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit
Chapters
00:00 Introduction to the Evolution of the CISO Role
00:58 The First CISO: Steve Katz's Pioneering Journey
03:58 Rise of Security Certifications
08:39 Regulatory Wake-Up Calls and Compliance
12:23 Cybersecurity in the Age of State-Sponsored Attacks
17:58 The Impact of Major Cyber Incidents
25:07 Modern Challenges and the Future of the CISO Role
27:51 Conclusion and Final Thoughts
--------
28:34
#226 - Vulnerability Management (with Chris Hughes)
In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader.
Chris Hughes - https://www.linkedin.com/in/resilientcyber/
Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi
Chapters
00:00 Introduction and Special Guest Announcement
00:55 Chris Hughes' Background and Career Journey
02:46 Government and Industry Engagement
03:42 Supply Chain Security Challenges
07:34 Vulnerability Management Insights
12:13 Navigating the Overwhelming Vulnerability Landscape
22:19 Building Positive Relationships in Cybersecurity
23:41 Empowering Risk-Informed Decisions
24:29 Aligning with Organizational Risk Appetite
25:33 Navigating Job Changes and Organizational Fit
26:32 The Role of Compliance in Security
33:27 The Impact of AI on Security
43:05 Balancing Build vs. Buy Decisions
45:05 Conclusion and Final Thoughts
--------
45:53
#225 - The Full Irish
In this episode of CSO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cybersecurity Center. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program.
References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf
Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0
Chapters
00:00 Introduction to the Full Irish
01:32 Why Ireland?
02:40 Tax Avoidance Schemes
04:25 GDPR Penalties and Data Protection
05:54 Overview of the 12 Steps to Cybersecurity
07:19 Step 1: Governance and Organization
09:24 Step 2: Identify What Matters Most
10:31 Step 3: Understanding the Threats
12:35 Step 4: Defining Risk Appetite
14:10 Step 5: Education and Awareness
16:00 Step 6: Implement Basic Protections
18:00 Step 7: Detect and Attack
19:37 Step 8: Be Prepared to React
21:24 Step 9: Risk-Based Approach to Resilience
22:52 Step 10: Automated Protections
23:58 Step 11: Challenge and Test Regularly
25:29 Step 12: Cyber Risk Management Lifecycle
26:29 Conclusion and Final Thoughts
Netherlands