CISO Tradecraft®

By: CISO Tradecraft®
  • Summary

  • Welcome to CISO Tradecraft®, your guide to mastering the art of being a top-tier Chief Information Security Officer (CISO). Our podcast empowers you to elevate your information security skills to an executive level. Join us on this journey through the domains of effective CISO leadership. © Copyright 2025, National Security Corporation. All Rights Reserved
Episodes
  • #230 - How To Make Your AI Less Chatty (with Sounil Yu)
    Apr 28 2025

    In this episode of CISO Tradecraft, host G Mark Hardy and guest Sounil Yu delve into the dual-edged sword of implementing Microsoft 365 Copilot in enterprises. While this productivity tool has transformative potential, it introduces significant oversharing risks that can be mitigated with the right strategies. Discover how Sounil and his team at Knostic have been tackling these challenges for over a year, presenting innovative solutions to ensure both productivity and security. They discuss the importance of 'need to know' principles and knowledge segmentation, providing insight into how organizations can harness the power of Microsoft 365 Copilot safely and effectively. Tune in to learn how to avoid becoming the 'department of no' and start being the 'department of know.'

    Transcripts https://docs.google.com/document/d/1CT9HXdDmKojuXzWTbNYUE4Kgp_D64GyB

    Knostic's Website - https://www.knostic.ai/solution-brief-request

    Chapters

    • 00:00 Introduction to Microsoft Copilot Risks
    • 00:32 Meet the Guest: Sounil Yu
    • 02:51 Understanding Microsoft 365 Copilot
    • 06:09 The DIKW Pyramid and Knowledge Management
    • 08:34 Challenges of Data Permissions and Oversharing
    • 19:01 Need to Know: A New Approach to Access Control
    • 35:10 Measuring and Mitigating Risks with Copilot
    • 39:46 Conclusion and Next Steps
    45 m
  • #229 - Understanding the Critical Role of CVEs and CVSS
    Apr 21 2025

    In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how, as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently.

    Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII

    Chapters

    • 00:00 Introduction to CVE and CVSS
    • 01:13 History of Vulnerability Tracking
    • 03:07 The CVE System Explained
    • 06:47 Understanding CVSS Scoring
    • 13:11 Recent Funding Crisis and Its Impact
    • 15:53 Future of the CVE Program
    • 18:27 Conclusion and Final Thoughts
    20 m
  • #228 - CIS CSAT (with Scott Gicking)
    Apr 14 2025

    Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.

    Scott Gicking - https://www.linkedin.com/in/scottgickingus/

    CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat

    Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe

    Chapters

    • 01:16 Guest Introduction: Scott Gicking
    • 02:49 Scott's Career Journey
    • 04:03 The Hollywood Cybersecurity Incident
    • 07:38 Introduction to CIS and Its Importance
    • 09:49 Understanding the CIS CSAT Tool
    • 10:13 Implementing CIS CSAT in a Real-World Scenario
    • 13:00 Benefits of the CIS CSAT Tool
    • 18:38 Developing a Three-Year Roadmap with CSAT
    • 23:25 Scoring Policies and Controls
    • 24:20 Control Implementation and Automation
    • 25:22 CMMC Certification Levels
    • 27:52 Honest Self-Assessment
    • 30:01 Quick and Dirty Assessment Approach
    • 33:07 Building Trust and Reporting
    • 37:38 Business Impact Analysis Tool
    • 40:02 Reputational Damage and CISO Challenges
    • 42:55 Final Thoughts and Contact Information
    45 m

What listeners say about CISO Tradecraft®

Average customer ratings
Overall
  • 5 out of 5 stars
  • 5 stars
    3
  • 4 stars
    0
  • 3 stars
    0
  • 2 stars
    0
  • 1 star
    0
Performance
  • 5 out of 5 stars
  • 5 stars
    3
  • 4 stars
    0
  • 3 stars
    0
  • 2 stars
    0
  • 1 star
    0
Story
  • 5 out of 5 stars
  • 5 stars
    3
  • 4 stars
    0
  • 3 stars
    0
  • 2 stars
    0
  • 1 star
    0

Reviews

  • Overall
    5 out of 5 stars
  • Performance
    5 out of 5 stars
  • Story
    5 out of 5 stars

Can't get enough

If you are looking to learn how to be a CISO this is your show. It's not a talk show or recent events. It teaches the how for you to become knowledgeable on important cyber topics
