CISO Tradecraft®

In this CISO Tradecraft episode, G Mark Hardy, Ross Young, and Andy Ellis share RSAC insights from the vendor floor, including Andy’s effort to visit about 607 booths. They highlight dominant themes like AI SOC offerings and agentic/agent security messaging, noting that many booths used unclear marketing or even failed to describe what they do. The discussion critiques activity-based metrics like badge scans, arguing for outcome-focused goals such as awareness, qualified follow-ups, and customer-driven product feedback. They explore how marketing should create informed buyers, how startups should communicate problem, urgency, and differentiation, and how AI and “vibe coding” may pressure vendor pricing or encourage internal tool-building. The episode also covers open-source sustainability and recommends networking via both major conferences and smaller private CISO events. Take a look at these three helpful RSAC Reviews: DUHA - https://www.duha.co/reports/state-of-security-vendors-rsac-2026/ VibeCoded - https://vibecoded.vc/cooked/ Jake Epstein's RSA 2026 Startup Landscape - https://jakee.vc/rsa-2026-landscape.html

In this CISO Tradecraft episode, co-hosts G Mark Hardy and Ross Young discuss how large language models are transforming software development and shifting cybersecurity from buying Software as a Service to “Service as Software,” and ultimately to "Systems of AI agents". They explain how writing code in English enables rapid prototyping, changing cost models by reducing labor hours and increasing speed and scale, with metrics like shrinking a 40-hour threat model effort to a 10-minute agent output. Ross outlines three generations, SIEM (SaaS), SOAR (services as software), and systems of agents (AI SOC), highlighting broader, evolving detection coverage. They cover risks including underestimated maintenance, scope creep, automating bad processes, and insecure AI-generated code, and demo a prompt-built software composition analysis/SBOM tool using CycloneDX and OSV. Ross also introduces his company, Clear Capabilities, focused on agentic workforce automation for governance, privacy, architecture, and compliance.Cybersecurity's Dirty Secret: Why Most Budgets Go To Waste - https://www.amazon.com/Cybersecuritys-Dirty-Secret-Budgets-Tradecraft%C2%AE/dp/B0G26WHVTG/ Ross Young - https://www.linkedin.com/in/mrrossyoung/ Developer AI Threats - https://threats.backslash.security/

In this episode of CISO Tradecraft, host G Mark Hardy speaks with Brian Long, CEO and co-founder of Adaptive Security, about how AI is accelerating and scaling social engineering through deepfakes, OSINT-driven personalization, and real-time conversational attacks. Brian says people remain the biggest opportunity in cyber defense, citing rapid growth in deepfake-enabled incidents and examples including a widely reported $25M wire fraud involving a fake Zoom meeting of “peers,” plus a CFO/controller case where a deepfaked CEO pushed secrecy and urgency. They argue detection alone is unreliable due to an arms race and attackers shifting to unverified channels (phone, Teams/Slack, Signal). Key mitigations include workforce awareness, stronger organizational controls (especially for hiring and payments), verification habits, and personalized training paired with AI-powered simulations and reporting/automated email handling.Big thanks to our sponsor Adaptive Security. Note, you can learn more about them by visiting their website:https://www.adaptivesecurity.com/demo/security-awareness-training

In this CISO Tradecraft episode, host G Mark Hardy interviews Shahar Man of Backslash Security about the rapidly expanding attack surface created by AI-driven “vibe coding” tools like Claude Code, Cursor, and Copilot. Shahar explains how prompting is shifting software creation, affecting education and hiring, and pushing security “further left” to the prompt, agent, MCP, skills, and rules level. He discuss risks such as loss of source integrity, excessive permissions, prompt injection, data leaks, use of unauthorized tools or accounts, and the spread of coding beyond engineering to teams like marketing and finance. Shahar argues AppSec work will transform toward securing the “sausage factory” and describes Backslash’s approach: enterprise-wide visibility, component vetting, endpoint monitoring via a local proxy, guardrails and blocking, and forwarding alerts to SOC/SIEM, with deployments scaling to thousands of workstations.Looking to get more secure on Vibe Coding? Check out the Ultimate 2026 Vibe Coding Security Buyer's Guide https://www.backslash.security/resources/vibe-coding-security-buyers-guide?utm_campaign=354642149-ciso-tradecraft&utm_source=ross-young&utm_medium=podcast-march-2026

In this CISO Tradecraft episode, host G Mark Hardy interviews Steve Shelton (https://www.linkedin.com/in/greenshoesteve/) of Green Shoe Consulting about the “State of Stress in Cybersecurity 2025” report and why burnout is widespread among cybersecurity leaders. Shelton explains the difference between beneficial stress (eustress) and chronic distress, how threat vs challenge interpretations shape performance, and why cybersecurity’s volatile, high-stakes environment amplifies stress, especially when CISOs have responsibility without authority and limited leadership training. They discuss systemic burnout drivers such as workload, autonomy, values alignment, recognition, and leadership behaviors like trust and delegation, plus different CISO leadership styles (strategic, adaptive, tactical, operational). Shelton describes efforts to build training and measurement tools for stress and energy, comments on AI-driven uncertainty, and shares the report download link at: https://www.greenshoeconsulting.com/stateofstressreport

Your SOC is drowning in alerts, false positives, and static tuning, while attackers evolve faster than your team can respond. Analysts burn out chasing noise. Real threats slip through. And traditional metrics reward ticket volume instead of investigation quality, creating “Swiss cheese security.” In this CISO Tradecraft episode, G. Mark Hardy and Oren Saban break down the rise of the Wisdom-Led, AI-driven SOC, where AI agents handle investigations and humans focus on judgment, prevention, and faster containment. Big Thanks to Mate Security for sponsoring this episode. To learn more about their offerings please check out their website at https://mate.security/

In this episode of CISO Tradecraft, host G Mark Hardy speaks with EJ Pappas of PKWARE and Ross Young about why AI-driven threats demand a shift from platform-centric security to a data-centric strategy.CISOs still struggle to answer, “Where is our sensitive data?” as it sprawls across AI, endpoints, cloud, SaaS, and shared environments. In this conversation, we explore: Why CISOs still struggle with data visibility How vendor sprawl and fragmented toolsets create blind spots The difference between structured and unstructured data risk Why AI accelerates both defense and mistakes DLP vs. encryption: complementary, not competing controls Commonly missed exposure areas (test/QA environments, cloud storage) Compliance drivers including GLBA, PCI DSS, HIPAA, HITRUST CSF, and NIST SP 800-171Learn more at PKWARE.com/demo or contact EJ.Pappas@PKWARE.com

In this special episode of CISO Tradecraft, host G Mark Hardy welcomes Chris Inglis, former National Cyber Director and career public servant, to delve into a wide-ranging conversation about cybersecurity leadership, public service, and life lessons. Chris shares his career journey from the Air Force Academy to piloting planes and serving at the NSA, providing unique insights along the way. They discuss the importance of integrating technology with business strategy, handling insider threats, and the future of AI in cybersecurity. Plus, enjoy some heartwarming stories about the power of culture and the joys of being grandparents.

Can you still tell what’s true on the internet or does everything feel questionable now? That confusion isn’t accidental. Disinformation, deepfakes, and cyber deception are being used deliberately to manipulate attention, erode trust, and fracture societies, often faster than truth can respond. In this episode of CISO Tradecraft, we break down how modern information warfare actually works and what leaders can do to defend truth using critical thinking, verification strategies, and practical countermeasures for today’s digital battlefield.

Third-party risk management has become a time-consuming, frustrating exercise. Security teams and vendors alike are buried under long, repetitive TPRM questionnaires that often miss what actually matters. Buyers struggle to assess real risk, while vendors waste countless hours answering low-value questions, slowing deals and draining resources.These bloated questionnaires don’t just waste time, they actively weaken security programs. Important risks get lost in the noise, assessments become checkbox exercises, and both sides grow cynical about the process. As supply chain attacks increase, relying on outdated, one-size-fits-all approaches leaves organizations exposed and ill-prepared to respond.In this episode of CISO Tradecraft, G Mark Hardy sits down with Nate Lee to explore smarter, more effective approaches to TPRM. Drawing on his experience as a CISO and entrepreneur, Nate shares practical strategies for automating assessments, asking more meaningful security questions, and using AI to reduce friction while improving insight. The conversation offers actionable guidance for buyers and vendors to streamline TPRM, focus on real risk, and build stronger, more scalable security programs.Nate Lee - https://www.linkedin.com/in/natetrustmind/Nate Lee -  nate@trustmind.com

Everyone talks about Zero Trust — but very few organizations actually know how to implement it successfully.In this episode of CISO Tradecraft, host G. Mark Hardy is joined by George Finney, a practicing CISO who literally wrote the book on Zero Trust and has implemented it in one of the most challenging environments imaginable: higher education.Together, they break down:Why Zero Trust is a strategy, not a productWhy most Zero Trust initiatives fail due to people and politics, not technologyHow attackers exploit trust and lateral movementHow to implement Zero Trust without destroying culture or productivityWhat changes when AI enters the trust modelWhy AI is effectively “100% trust” — and how to reduce the blast radiusHow CISOs should explain Zero Trust and AI risk to the boardGeorge also shares practical analogies (including his now-famous restaurant model for AI) that make Zero Trust and AI security understandable for executives, IT teams, and non-technical leaders alike.If you’re serious about:Preventing breaches instead of just responding to themLimiting lateral movementSecuring AI-driven systemsTurning Zero Trust from buzzword into business strategy👉 This episode is a must-watch.George's Books:Rise of the Machine: https://www.amazon.com/Rise-Machines-Project-Trust-Story/dp/1394303718Project Zero Trust: https://www.amazon.com/Project-Zero-Trust-Strategy-Aligning/dp/1119884845/

You’re working longer hours than ever… yet somehow getting less done. Sound familiar? In this episode of CISO Tradecraft, we break down why busy has become the enemy of effectiveness and why “Busy is the New Stupid.” This isn’t about working harder or faster. It’s about understanding how your time gets attacked, how distractions persist, and how even high-performing leaders fall into productivity traps. We introduce a practical framework inspired by MITRE ATT&CK to show: How meetings, emails, and interruptions gain initial access to your day Why multitasking and constant context-switching kill execution How “always-on” culture and people-pleasing create persistence What effective CISOs do to defend their time and focus on impact, not noise If you’re a CISO, security leader, or executive who feels constantly busy but strategically behind, this episode will challenge how you think about productivity—and give you a better way forward. 👉 Grab the Busy Is the New Stupid template for free https://www.cisotradecraft.com/bitns 👉 Share what’s missing and help us evolve the framework 👉 Follow CISO Tradecraft for more insights on leadership, strategy, and security Because being busy isn’t the goal. Being effective is.

CISOs are expected to anticipate the next major security failure, yet the cybersecurity market is moving too fast, too fragmented, and too noisily for any leader to clearly see what’s coming next. AI is accelerating vendor sprawl, threat models are shifting mid-year, and every product claims to be “critical.” CISOs aren’t missing threats because they’re uninformed; they’re overwhelmed. By the time a risk is obvious, it’s already budgeted, deployed, and exploited. Boards ask “How did we not see this?” while CISOs are left defending decisions made with incomplete signals and outdated market maps. In this episode of CISO Tradecraft, G Mark Hardy and industry analyst Richard Stiennon break down how CISOs can regain strategic foresight. Drawing on Richard’s experience at Gartner, IT Harvest, and the Security Yearbook, they share practical ways to cut through market noise, understand where AI is truly changing security, and identify emerging risks before they become incidents giving CISOs a clearer view of what matters next.

In this episode of CISO Tradecraft, hosts G Mark Hardy and Ross Young discuss the extensive redesign at CISO Tradecraft and introduce a series of free cybersecurity tools and templates available on their website. The tools, created with the help of AI, range from a Cybersecurity Budget Template and Gen AI Risk Assessment to a Personal Values Exercise and Process Improvement exercise. They also cover topics such as AI coding, CMMC Compliance, Cloud Security Alliance’s AI Control Matrix, and the Cyber Six Pack for improving vulnerability management. Additionally, they share insights on tools rationalization exercises, such as the cybersecurity murder board, and the importance of aligning tasks with personal values. Tune in for detailed walkthroughs of these innovative resources designed to enhance your cybersecurity strategies without breaking the bank. Templates can be found here: https://www.cisotradecraft.com/freetemplates

Most cybersecurity programs are built on rigid “best practices” that assume people will behave rationally, consistently, and exactly as policy dictates; even under stress, time pressure, and uncertainty. In reality, humans don’t work that way. Cognitive bias, fatigue, incentives, and real-world constraints cause well-intentioned employees, analysts, and leaders to make decisions that quietly undermine security. The result? Incident response stalls, SOCs drown in noise, and organizations continue to repeat the same failures, even while believing they’re “doing everything right.” In this episode of CISO Tradecraft, host G. Mark Hardy and Dr. Dustin Sachs demonstrate how applying behavioral science and human decision-making can radically improve cybersecurity outcomes. By designing security around how people actually think and operate, not how policies assume they do, leaders can build adaptable, resilient programs that work in the real world. Check out Dustin's new book: https://www.amazon.com/Behavioral-Insights-Cybersecurity-Security-Leadership/dp/1032998539 Dustin Sachs's Linkedin Profile: https://www.linkedin.com/in/dustinsachs/

In this episode of CISO Tradecraft, host G Mark Hardy welcomes special guest Rajan Kapoor, VP of Security at Material Security, to discuss critical topics in cloud workspace security. From discussing the increased attack surfaces in cloud environments like Google Workspace and Microsoft 365 to practical solutions for mitigating these risks, Rajan provides invaluable insights into creating a secure cloud office environment. Tune in for expert advice on improving security maturity, managing cloud security tools efficiently, and leveraging modern technology for enhanced protection and reduced dwell time. Whether you're a small enterprise or a large corporation, this episode has actionable insights to help you strengthen your security posture.Check out the Material Security Scorecard to measure your Cloud Office Securityhttps://material.security/workspace-security-scorecardRajan Kapoorhttps://www.linkedin.com/in/rajankkapoor/MITRE ATT&CK® Office Suite platform https://attack.mitre.org/matrices/enterprise/cloud/officesuite/

Dive into the rapidly evolving world of AI with G Mark Hardy and Ross Young in this episode of CISO Tradecraft. Explore how AI is transforming business processes, the critical need for cybersecurity leadership in AI deployments, and the importance of setting clear goals, monitoring performance, and ensuring data quality. Learn about the different types of AI from traditional to generative and agentic AI, and understand the frameworks and risk assessments shaping the future of AI integration in organizations. Don't miss this essential conversation for cybersecurity leaders looking to stay ahead of the curve. Generative Artificial Intelligence Risk Assessment SIMM 5305-F: https://cdt.ca.gov/wp-content/uploads/2025/08/SIMM-5305-F-Generative-Artificial-Intelligence-Risk-Assessment-20250822FINAL.pdf

In this episode of CISO Tradecraft, host G Mark Hardy is joined by Neatsun Ziv from Ox Security to discuss the evolving landscape of vibe coding and its security implications. The conversation delves into the risks and opportunities surrounding vibe coding, how it can enhance productivity while maintaining security, and the importance of embedding security into the entire lifecycle. They also explore the concept of VibeSec, why traditional shift-left security approaches might be failing, and what new methodologies can be adopted to ensure robust security in a rapidly changing tech world. Tune in to gain valuable insights into how you can future-proof your code, leverage modern IDEs and MCP, and maintain a strong security posture in the era of AI-driven development.Ox Security's Website - https://www.ox.security/Are AI App Builders Secure - https://www.ox.security/resource-category/whitepapers-and-reports/are-ai-app-builders-secure-we-tested-lovable-base44-and-bolt-to-find-out/The AI Code Security Crisis - https://www.ox.security/resource-category/whitepapers-and-reports/army-of-juniors/

In this episode of CISO Tradecraft, host G Mark Hardy is joined by Yuriy Tsibere from ThreatLocker to discuss an essential topic for cybersecurity leaders: Defense Against Configurations (DAC). With a focus on the significant risks posed by misconfigurations, Yuriy shares insights on how ThreatLocker's new DAC tool helps organizations identify and rectify vulnerabilities in OS configurations, ensuring a higher degree of security. They explore the critical role of maintaining proper endpoint configurations, Zero Trust principles, and how DAC seamlessly integrates into ThreatLocker’s platform to provide real-time monitoring and reporting. Yuriy also touches on how DAC supports various security frameworks and compliance standards, making it a valuable asset for any organization aiming to enhance its cybersecurity posture. Big Thanks to Threatlocker for supporting this episode. Register to attend Zero Trust World 2026: https://ztw.com/?utm_source=ciso_tradecraft&utm_medium=sponsor&utm_campaign=dac_yuriy_q4_25&utm_content=dac_yuriy-&utm_term=video Use discount code ZTWCISOTRADECRAFT26 for $200 off

Join host G Mark Hardy in an exciting episode of CISO Tradecraft where we delve into the cutting-edge world of Human AI Security Operation Centers (SOCs). With special guests Brian Carbaugh and William McMillan, former CIA operatives and leading figures in cybersecurity innovation, we explore how AI is transforming the landscape of security operations. Discover the unparalleled efficiency, accuracy, and proactive threat detection offered by AI-driven SOCs compared to traditional platforms. Learn from real-world examples, such as condensing hundreds of investigative hours into just 90 seconds, and understand the critical role of contextual data in modern threat detection. Perfect for CISOs ready to elevate their security strategies, this episode provides actionable insights and expert advice on navigating AI SOC adoption and integration. Don't miss this informative and forward-thinking discussion! Big thanks to our sponsorBig thanks to our sponsor Forcepoint Check out their The Practical Guide to Mastering Data Compliance: https://www.forcepoint.com/resources/ebooks/practical-guide-mastering-data-compliance?utm_source=&sf_src_cmpid=701a600000exxd7AAA&utm_medium=display&utm_content=AW_NC_LinkedInAds_October25_ban&utm_campaign=LinkedInAds_October25William MacMillan - https://www.linkedin.com/in/william-andesite/Brian Carbaugh- https://www.linkedin.com/in/brian-carbaugh-38b339243/