#230 - How To Make Your AI Less Chatty (with Sounil Yu)
In this episode of CISO Tradecraft, host G Mark Hardy and guest Sounil Yu delve into the dual-edged sword of implementing Microsoft 365 Copilot in enterprises. While this productivity tool has transformative potential, it introduces significant oversharing risks that can be mitigated with the right strategies. Discover how Sounil and his team at Knostic have been tackling these challenges for over a year, presenting innovative solutions to ensure both productivity and security. They discuss the importance of 'need to know' principles and knowledge segmentation, providing insight into how organizations can harness the power of Microsoft 365 Copilot safely and effectively. Tune in to learn how to avoid becoming the 'department of no' and start being the 'department of know.'
Transcripts https://docs.google.com/document/d/1CT9HXdDmKojuXzWTbNYUE4Kgp_D64GyB
Knostic's Website - https://www.knostic.ai/solution-brief-request
Chapters
00:00 Introduction to Microsoft Copilot Risks
00:32 Meet the Guest: Sounil Yu
02:51 Understanding Microsoft 365 Copilot
06:09 The DIKW Pyramid and Knowledge Management
08:34 Challenges of Data Permissions and Oversharing
19:01 Need to Know: A New Approach to Access Control
35:10 Measuring and Mitigating Risks with Copilot
39:46 Conclusion and Next Steps
--------
44:46
#229 - Understanding the Critical Role of CVEs and CVSS
In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently.
Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII
Chapters
00:00 Introduction to CVE and CVSS
01:13 History of Vulnerability Tracking
03:07 The CVE System Explained
06:47 Understanding CVSS Scoring
13:11 Recent Funding Crisis and Its Impact
15:53 Future of the CVE Program
18:27 Conclusion and Final Thoughts
--------
20:06
#228 - CIS CSAT (with Scot Gicking)
Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.
Scott Gicking - https://www.linkedin.com/in/scottgickingus/
CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat
Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe
Chapters
01:16 Guest Introduction: Scott Gicking
02:49 Scott's Career Journey
04:03 The Hollywood Cybersecurity Incident
07:38 Introduction to CIS and Its Importance
09:49 Understanding the CIS CSAT Tool
10:13 Implementing CIS CSAT in a Real-World Scenario
13:00 Benefits of the CIS CSAT Tool
18:38 Developing a Three-Year Roadmap with CSAT
23:25 Scoring Policies and Controls
24:20 Control Implementation and Automation
25:22 CMMC Certification Levels
27:52 Honest Self-Assessment
30:01 Quick and Dirty Assessment Approach
33:07 Building Trust and Reporting
37:38 Business Impact Analysis Tool
40:02 Reputational Damage and CISO Challenges
42:55 Final Thoughts and Contact Information
--------
44:48
#227 - The 30 Year CISO Evolution
Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today.
Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit
Chapters
00:00 Introduction to the Evolution of the CISO Role
00:58 The First CISO: Steve Katz's Pioneering Journey
03:58 Rise of Security Certifications
08:39 Regulatory Wake-Up Calls and Compliance
12:23 Cybersecurity in the Age of State-Sponsored Attacks
17:58 The Impact of Major Cyber Incidents
25:07 Modern Challenges and the Future of the CISO Role
27:51 Conclusion and Final Thoughts
--------
28:34
#226 - Vulnerability Management (with Chris Hughes)
In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader.
Chris Hughes - https://www.linkedin.com/in/resilientcyber/
Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi
Chapters
00:00 Introduction and Special Guest Announcement
00:55 Chris Hughes' Background and Career Journey
02:46 Government and Industry Engagement
03:42 Supply Chain Security Challenges
07:34 Vulnerability Management Insights
12:13 Navigating the Overwhelming Vulnerability Landscape
22:19 Building Positive Relationships in Cybersecurity
23:41 Empowering Risk-Informed Decisions
24:29 Aligning with Organizational Risk Appetite
25:33 Navigating Job Changes and Organizational Fit
26:32 The Role of Compliance in Security
33:27 The Impact of AI on Security
43:05 Balancing Build vs. Buy Decisions
45:05 Conclusion and Final Thoughts
USA