CISO Tradecraft®

Want to learn about cyber security?

CISO Tradecraft® provides fun and engaging podcasts on the Top 10 Cybersecurity Topic Domains. Whether you're a newbie or an expert, there's important tradecraft here for everyone to learn.

Subscribe to get the lastest content. THANK YOU!

Topic Domains

CISO Role
Business Management & Leadership
Defensive Technologies
Detection and Response Capabilities
Enabling Technologies
Governance
Identity & Access Management
Laws, Regulations, & Oversight
Product Security
Risk Management
Security Culture
Other Topics

CISO Role

This topic is used to increase understanding about the position of a Chief Information Security Officer (CISO). It also provides tips to help cyber executives succeed such as Building a Cyber Strategy.

• What is a CISO
• 3 Business Objectives & 5 CISO Archetypes (with Christian Hyatt)
• 7 Ways CISOs Setup for Success
• Board Decks (with Demetrios Lazarikos)
• Career Lessons from a CISO (with John Hellickson)
• CISO Knowledge Domains Part 1
• CISO Knowledge Domains Part 2
• How do CISOs spend their time?
• How to Win Your First CISO Role
• Lessons Learned as a CISO (with Gary Hayslip)
• Negotiating Your Best CISO Package (with Michael Piacente)
• Refreshing Your Cybersecurity Strategy
• The CISO Mindmap (with Rafeeq Rehman)
• 2024 CISO Mindmap (with Rafeeq Rehman)
• The 3 Keys to being a CISO (with Allan Alford)
• Updating the Executive Leadership Team on Cyber
• Updating the Mindmap (with Rafeeq Rehman)
• Your First 90 Days as a CISO (with Mark Egan)

Business Management & Leadership

Business Management & Leadership is an essential skill for executives to lead and influence others. These soft skills are critical to organizations where politics requires effective leaders to implement change via large collaboration efforts.

• 1% Better Leadership (with Andy Ellis)
• Accepted Cyber Security Strategy (with Branden Newman)
• Addressing the Top CEO Concerns
• Connecting the Dots (with Sean Heritage)
• Crisis Leadership (with G Mark Hardy's 9/11 Experience)
• Crucial Conversations
• Effective Meetings
• Ensuring Profitable Growth
• Executive Competencies
• Executive Presence
• Framing Executive Discussions
• Gaining Trust (with Robin Dreeke)
• How to Read Your Boss
• Leading with Style
• New Kid in Town (with Rebecca Mossman)
• Partnership is Key
• Presentation Skills
• Principles of Persuasion
• Promotion through Politics
• Reality-Based Leadership
• Responsibility, Accountability, and Authority
• Show Me The Money (with Nick Vigier)
• Speak My Language (with Andrew Chrostowski)
• Team Building
• The Demise of the Cybersecurity Workforce
• The Great Resignation
• The Right Stuff
• Welcome to the C-Level (with Nate Warfield)

Defensive Technologies

Defensive Technologies is about creating defense in depth in an organization to protect against a multitude of attacks. Knowledge of these domains is key as it’s one of the most common things auditors assess in an organization since it’s required for things like PCI compliance.

• Active Directory is Active with Attacks
• Attack Surface Management (with Richard Ford)
• Consolidating Vulnerability Management (with Jeff Gouge)
• Cryptography
• Data Protection (with Amer Deeba)
• Fun and Games to Stop Bad Actors (with Dr. Neal Krawetz)
• Got any Data Security (with Brian Vecci)
• Global War on Email
• I have more Agents than the FBI
• IPv6 Your Competitive Advantage (with Joe Klein)
• Logging in with SIEMs (with Anton Chuvakin)
• NSA's Top 10 Defensive Technologies
• One Vendor to Secure Them All
• Operational Resilience
• Outrunning the Bear
• SAST Security (with John Steven)
• Say Firewall One More Time
• The Essential 8
• The Fab 5 Security Outcomes Study (with Helen Patton)

Detection and Response Capabilities

Detection & Response Capabilities is about creating an organization to identify how attackers might circumvent your organization’s defensive technologies. Since 100% protection isn’t achievable, it’s about effective incident response to cyber incidents such as ransomware or business email compromise. This section also includes Offensive Security Concepts, Business Continuity, and Disaster Recovery Planning.

• 10 Steps to Cyber Incident Response Playbooks
• Brace for Incident (with Bryan Murphy)
• Breach and Attack Simulation (with Dave Klein)
• Building a Data Security Lake (with Noam Brosh)
• Cyber Deception (with Kevin Fiscus)
• Cyber Ranges (with Debbie Gordon)
• Cyber Threat Intelligence (with Jeff Majka & Andrew Dutton)
• Data Engineering (with Gal Shpantzer)
• Everything you wanted to know about Ransomware
• Flirting with Disaster (BCPs, DRPs, and BIA)
• From Hunt Team to Hunter (with Bryce Kunz)
• Got any Threat Intelligence? (with Landon Winkelvoss)
• How to Stop Bad Guys from Staying on Your Network (with Kevin Fiscus)
• Inside the 2024 Verizon Data Breach Investigations Report
• Insider Threat Operations (with Jim Lawler)
• Modernizing our SOC Ingest (with JP Bourget)
• Ransomware Response (with Ricoh Danielson)
• Shaping the SOC of Tomorrow (with Debbie Gordon)
• Slay the Dragon or Save the Princess?
• SMB CISO Challenges (with Kevin O'Connor)
• SOC Skills Part 1 (with Hasan Eksi)
• SOC Skills Part 2 (with Hasan Eksi)

Enabling Technologies

Enabling Technologies is about enabling businesses to create digital transformation. This is helpful when organizations feel their technology is dated and want to adopt newer technologies such as Artifical Intelligence, 5G, Internet of Things, Serverless Computing, Biometrics, Augmented/Virtual Reality, Blockchain, Robotics, Natural Language Processing, Quantum Computing, etc. Essentially this type of CISO focuses on technology transformation to enable the business.

• AI Coaching (with Tom Bendien)
• AI and ML and How to Tell When Vendors Are Full of It
• Blockchain for CISOs
• Border Gateway Protocol (BGP)
• ChatGPT & Generative AI (with Konstantinos Sgantzos)
• CISO Predictions for 2023
• CISO Predictions for 2024
• Cloud Drift (with Yoni Leitersdorf)
• How to Compare Software
• Introduction to Docker Containers and Kubernetes (K8s)
• Introduction to the Cloud
• Mobile Application Security (with Brian Reed)
• Navigating the Cloud Security Landscape (with Chris Rothe)
• SaaS Security Posture Management (with Ben Johnson)
• Securing the Cloud

Governance

Governance is about understanding what technology your organization uses so you can effectively manage it through a process. This can be particularly helpful when you need a CISO who can optimize how your resources are spent.

• A European View of CISO Responsibilities (with Michael Krausz)
• Asset Management
• Board Perspectives
• Cyber Frameworks
• Cyber Defense Matrix (with Sounil Yu)
• Cyber Defense Matrix Reloaded (with Sounil Yu)
• Cyber Acronymns You Should Know / The Cyber UPDATE
• Ethics and Artificial Intelligence (AI)
• Good Governance (with Sameer Sait)
• Measuring Results
• Methodologies for Analysis (with Christopher Crowley)
• IT Governance
• Simple, Easy, & Cheap Cybersecurity Measures (with Brent Deterding)
• The 9 Cs of Cyber
• The Cost of Cyber Defense

Identity & Access Management

Identity & Access Management is about limiting the scope of an attacker who could cause harm to your organization. This is a key skill set for organizations that use lots of technologies from external vendors/providers. This knowledge is also helpful for organizations where data sharing agreements with partners and third parties is common.

• Authentication, Rainbow Tables, and Password Managers
• Betting on MFA
• Identity and Access Management is the New Perimeter
• Knock Knock, Who's There and Whatcha Want?
• MFA Mishaps
• Pass the Passwords
• Zero Trust

Laws, Regulations, & Oversight

Laws, Regulations, and Oversight is about ensuring compliance with appropriate laws and regulations. This is particularly useful in highly regulated industries (Financial Services or Medical Industry). Organizations that are coming out of a data breach scenario are also likely to find increased scrutiny by regulators/auditors.

• Brace for Audit (with Brian Murphy)
• Cyber Law Musings (with Mark Rasch)
• Cyber Security Laws and Regulations
• Cyberwar and the Law of Armed Conflict (with Lary Dietz)
• CMMC and Me
• Emerging Risks with the Chertoff Group
• Ethics (with Stephen Northcutt)
• Executive Order on Improving the Nation’s Cybersecurity
• Handling Regulatory Change
• Legal Questions (with Evan Wolff)
• Living in a Materiality World
• Navigating NYDFS Cyber Regulation

Product Security

Product Security is focused on ensuring developers write secure code. This can be a competitive advantage for organizations that build large amounts of custom code.

• A CISO's Guide to Pentesting
• Complexity is Killing Us
• DevOps
• Easier, Better, Faster, & Cheaper Software
• The Three Ways of DevOps
• Mastering Vulnerability Management
• Modern Software Development Practices
• OWASP Top 10 Web Application Attacks
• Navigating Software Supply Chain Security (with Cassie Crossley)
• Setting Up an Application Security Program
• Threat Modeling (with Adam Shostack)
• Working on the Supply Chain Gang

Risk Management

Risk Management is about effectively identifying what the biggest risks to the company are, what's the likelihood and magnitude of an attack, and how much does it cost to remediate. This is helpful for organizations who want more transparency.

• Cybersecuirty First Principles (with Rick Howard)
• Cyber War
• Risky Business
• More Risky Business with FAIR
• Protecting your Crown Jewels (with Roselle Safran)
• Table Top Exercises
• Third Party Risk Management (with Scott Fairbrother)

Security Culture

Security Culture is about building an organization where the entire company becomes resilient. Building culture requires a strong focus on promoting security awareness and training so employees don’t click malicious links or send sensitive data outside the company.

• Aligning Security Initiatives with Business Objectives
• Avoiding Death by PowerPoint
• Breaking Backbones (with Deb Radcliff)
• Bobby the Intern
• Change Management
• Countering Corporate Espionage
• Cybersecurity Apprenticeships (with Craig Barber)
• Game-Based Learning (with Andy Serwin & Eric Basu)
• Hacker Summer Camp
• How to Become a Cyber Security Expert
• Listening to the Wise (with Bill Cheswick)
• Metrics that Matter
• Mentorship, Sponsorship, and A Message to Garcia
• Powerful Questions
• Roses, Buds, & Thorns
• Secure Developer Training Programs (with Scott Russo) Part 1
• Secure Developer Training Programs (With Scott Russo) Part 2
• Shall We Play A Game?
• Start Me Up (with Bob Cousins)
• Tackling 3 Really Hard Problems in Cyber (with Andy Ellis)
• The 7 Broken Pillars of Cybersecurity
• The 7 Lies in Cyber
• The Business Case for a Global lead of Field Cybersecurity (with Joye Purser)
• There's Room For Everybody In Your Router (with Giorgio Perticone)
• Thought Provoking Discussions (with Richard Thieme)
• Wonderful (with Winn Schwartau)

Other Topics

Helpful Topics to improve the quality of life for Cyber Executives

• Financial Planning (with Logan Jackson)
• From Hacking to Hardcover (with Bill Pollock)
• Founding to Funding (with Cyndi and Ron Gula)
• Protecting Your Family
• Stressed Out? Find your Ikigai and 6 Invaluable Factors
• The Seesaw of Cyber Recruiting (with Lee Kushner)