Episodes

  • #230 - How To Make Your AI Less Chatty (with Sounil Yu)
    Apr 28 2025

    In this episode of CISO Tradecraft, host G Mark Hardy and guest Sounil Yu delve into the dual-edged sword of implementing Microsoft 365 Copilot in enterprises. While this productivity tool has transformative potential, it introduces significant oversharing risks that can be mitigated with the right strategies. Discover how Sounil and his team at Knostic have been tackling these challenges for over a year, presenting innovative solutions to ensure both productivity and security. They discuss the importance of 'need to know' principles and knowledge segmentation, providing insight into how organizations can harness the power of Microsoft 365 Copilot safely and effectively. Tune in to learn how to avoid becoming the 'department of no' and start being the 'department of know.'

    Transcripts: https://docs.google.com/document/d/1CT9HXdDmKojuXzWTbNYUE4Kgp_D64GyB

    Knostic's Website - https://www.knostic.ai/solution-brief-request

    Chapters

    • 00:00 Introduction to Microsoft Copilot Risks
    • 00:32 Meet the Guest: Sounil Yu
    • 02:51 Understanding Microsoft 365 Copilot
    • 06:09 The DIKW Pyramid and Knowledge Management
    • 08:34 Challenges of Data Permissions and Oversharing
    • 19:01 Need to Know: A New Approach to Access Control
    • 35:10 Measuring and Mitigating Risks with Copilot
    • 39:46 Conclusion and Next Steps
    45 m
  • #229 - Understanding the Critical Role of CVEs and CVSS
    Apr 21 2025

    In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently.

    Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII

    Chapters

    • 00:00 Introduction to CVE and CVSS
    • 01:13 History of Vulnerability Tracking
    • 03:07 The CVE System Explained
    • 06:47 Understanding CVSS Scoring
    • 13:11 Recent Funding Crisis and Its Impact
    • 15:53 Future of the CVE Program
    • 18:27 Conclusion and Final Thoughts
    20 m
  • #228 - CIS CSAT (with Scott Gicking)
    Apr 14 2025

    Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.

    Scott Gicking - https://www.linkedin.com/in/scottgickingus/

    CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat

    Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe

    Chapters

    • 01:16 Guest Introduction: Scott Gicking
    • 02:49 Scott's Career Journey
    • 04:03 The Hollywood Cybersecurity Incident
    • 07:38 Introduction to CIS and Its Importance
    • 09:49 Understanding the CIS CSAT Tool
    • 10:13 Implementing CIS CSAT in a Real-World Scenario
    • 13:00 Benefits of the CIS CSAT Tool
    • 18:38 Developing a Three-Year Roadmap with CSAT
    • 23:25 Scoring Policies and Controls
    • 24:20 Control Implementation and Automation
    • 25:22 CMMC Certification Levels
    • 27:52 Honest Self-Assessment
    • 30:01 Quick and Dirty Assessment Approach
    • 33:07 Building Trust and Reporting
    • 37:38 Business Impact Analysis Tool
    • 40:02 Reputational Damage and CISO Challenges
    • 42:55 Final Thoughts and Contact Information
    45 m
  • #227 - The 30 Year CISO Evolution
    Apr 7 2025

    Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today.

    Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit

    Chapters

    • 00:00 Introduction to the Evolution of the CISO Role
    • 00:58 The First CISO: Steve Katz's Pioneering Journey
    • 03:58 Rise of Security Certifications
    • 08:39 Regulatory Wake-Up Calls and Compliance
    • 12:23 Cybersecurity in the Age of State-Sponsored Attacks
    • 17:58 The Impact of Major Cyber Incidents
    • 25:07 Modern Challenges and the Future of the CISO Role
    • 27:51 Conclusion and Final Thoughts
    29 m
  • #226 - Vulnerability Management (with Chris Hughes)
    Mar 31 2025

    In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader.

    Chris Hughes - https://www.linkedin.com/in/resilientcyber/

    Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi

    Chapters

    • 00:00 Introduction and Special Guest Announcement
    • 00:55 Chris Hughes' Background and Career Journey
    • 02:46 Government and Industry Engagement
    • 03:42 Supply Chain Security Challenges
    • 07:34 Vulnerability Management Insights
    • 12:13 Navigating the Overwhelming Vulnerability Landscape
    • 22:19 Building Positive Relationships in Cybersecurity
    • 23:41 Empowering Risk-Informed Decisions
    • 24:29 Aligning with Organizational Risk Appetite
    • 25:33 Navigating Job Changes and Organizational Fit
    • 26:32 The Role of Compliance in Security
    • 33:27 The Impact of AI on Security
    • 43:05 Balancing Build vs. Buy Decisions
    • 45:05 Conclusion and Final Thoughts
    46 m
  • #225 - The Full Irish
    Mar 24 2025

    In this episode of CISO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cybersecurity Center. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program.

    References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf

    Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0

    Chapters

    • 00:00 Introduction to the Full Irish
    • 01:32 Why Ireland?
    • 02:40 Tax Avoidance Schemes
    • 04:25 GDPR Penalties and Data Protection
    • 05:54 Overview of the 12 Steps to Cybersecurity
    • 07:19 Step 1: Governance and Organization
    • 09:24 Step 2: Identify What Matters Most
    • 10:31 Step 3: Understanding the Threats
    • 12:35 Step 4: Defining Risk Appetite
    • 14:10 Step 5: Education and Awareness
    • 16:00 Step 6: Implement Basic Protections
    • 18:00 Step 7: Detect an Attack
    • 19:37 Step 8: Be Prepared to React
    • 21:24 Step 9: Risk-Based Approach to Resilience
    • 22:52 Step 10: Automated Protections
    • 23:58 Step 11: Challenge and Test Regularly
    • 25:29 Step 12: Cyber Risk Management Lifecycle
    • 26:29 Conclusion and Final Thoughts
    29 m
  • #224 - The Evolution of Data Loss Prevention (DLP)
    Mar 17 2025

    In this episode of CISO Tradecraft, host G. Mark Hardy dives into the evolution, challenges, and solutions of Data Loss Prevention (DLP). From early methods like 'dirty word lists' in the military to advanced AI and machine learning models of today, discover how DLP technologies have developed to safeguard sensitive information. Learn about different DLP phases, regulatory impacts, and modern tools like Microsoft Purview that can help manage and classify data effectively. This episode is packed with valuable insights to help you tackle data security with confidence and efficiency.

    Transcripts

    • https://docs.google.com/document/d/1u7owNI5P3WajJvRPIXbzrUYy-PCsRcfC

    References

    • Crash course in Microsoft Purview: A guide to securing and managing your data estate

    Chapters

    • 00:00 Introduction to Data Loss Prevention (DLP)
    • 00:45 Early Days of DLP: Dirty Word Lists and Simple Networks
    • 02:39 Evolution of DLP: Content Filtering and Endpoint Protection
    • 06:05 Advanced Content Inspection and Policy Enforcement
    • 09:19 Unified DLP and Cloud Adoption
    • 16:04 Modern DLP: AI, Machine Learning, and Zero Trust
    • 19:12 Implementing DLP with Microsoft Purview
    • 28:59 Summary and Final Thoughts

    31 m
  • #223 - A CISO Primer on Agentic AI
    Mar 10 2025

    In this episode of CISO Tradecraft, G. Mark Hardy dives deep into the world of Agentic AI and its impact on cybersecurity. The discussion covers the definition and characteristics of Agentic AI, as well as expert insights on its feasibility. Learn about its primary functions—perception, cognition, and action—and explore practical cybersecurity applications. Discover the rapid advancements made by tech giants and potential risks involved. This episode is a comprehensive guide to understanding and securely implementing Agentic AI in your enterprise.

    Transcripts: https://docs.google.com/document/d/1tIv2NKX0DL4NTnvqKV9rKrgrewa68m3W

    References

    • Vladimir Putin - https://www.rt.com/news/401731-ai-rule-world-putin/
    • Minds and Machines - https://link.springer.com/article/10.1007/s44163-024-00216-2
    • Anthropic - https://www.cnbc.com/2024/10/22/anthropic-announces-ai-agents-for-complex-tasks-racing-openai.html
    • Convergence AI - https://convergence.ai/training-web-agents-with-web-world-models-dec-2024/
    • OpenAI Operator - https://openai.com/index/introducing-operator/
    • ByteDance UITARS - https://venturebeat.com/ai/bytedances-ui-tars-can-take-over-your-computer-outperforms-gpt-4o-and-claude/
    • Zapier - https://www.linkedin.com/pulse/openai-bytedance-zapier-launch-ai-agents-getcoai-l6blf/
    • Microsoft OmniParser - https://www.microsoft.com/en-us/research/articles/omniparser-v2-turning-any-llm-into-a-computer-use-agent/
    • Google Project Mariner - https://deepmind.google/technologies/project-mariner/
    • Rajeev Sharma - Agentic AI Architecture - https://markovate.com/blog/agentic-ai-architecture/
    • NIST.AI.600-1 - https://doi.org/10.6028/NIST.AI.600-1
    • Mitre ATLAS - https://atlas.mitre.org/
    • OWASP Top 10 for LLMs - https://owasp.org/www-project-top-10-for-large-language-model-applications/
    • ISO 42001 - https://www.iso.org/standard/81230.html

    Chapters

    • 00:00 Introduction and Intriguing Quote
    • 01:10 Defining Agentic AI
    • 02:01 Expert Insights on Agency
    • 04:32 Agentic AI in Practice
    • 06:54 Recent Developments in Agentic AI
    • 08:20 Deep Dive into Agentic AI Infrastructure
    • 15:35 Use Cases for Agentic AI
    • 21:12 Challenges and Considerations
    • 24:22 Conclusion and Recap
    26 m