CISO Dojo Podcast
The CISO Dojo podcast looks at a range of security leadership topics, and guests discuss the paths in information security that led them to where they are today.
CISO Actions - Russia/Ukraine Activity 02/24/2022
With tensions building in Ukraine, it's a good time to take a step back and look at what actions a CISO should be considering if this is an area of concern. In this episode Joe Sullivan and Stacy Dunn cover the following topics:
News Resources: SANS ISC and Webinars
Business Analysis: PEST Analysis
Team Analysis: SWOT Analysis
Technical Controls: Firewalls, Geolocation Blocking, and MFA
Administrative Controls: Travel/Evacuation, Asset Disposal, and Crown Jewels
Executive Briefings: History of the Russia/Ukraine cyber attacks
Board Briefings: State of security and action plans
Cyber Issues Recapped from 2021 and Looking Ahead to 2022 01/30/2022
In this episode we recap some of the bad things that happened in 2021 and theorize what could be in store during 2022.
Harshil Parikh of Tromzo Discusses Application Security 11/22/2021
Harshil Parikh, CEO of Tromzo, discusses application security and how to eliminate developer/security friction by using context to sort through the noise and empower developers to fix what matters.
Find Harshil online at:
Being a One Person Football Team and Breaking into Security 11/12/2021
Tanner James started his career in IT after graduating with an MIS degree from OU in 2016. Since then, Tanner has worked for a telecommunications consulting firm and is currently employed as the IT manager for LuGreg Trucking. At this point in his career, he is wanting to develop his security skillset to take on a role in information security. When he isn't working with technology, he enjoys lots of time outdoors with his family.
You can find Tanner James online at:
This episode is sponsored by AntiCrysys. When you need post-breach crisis management, AntiCrysys can help you get your security program back on track.
From Factory Work to CISO 11/01/2021
Russell Eubanks shares his story about transitioning from factory work, breaking into information security, becoming a CISO, and starting his own consulting practice. Russell shares some good advice, guidance, and tips for others looking to further their career, lead teams, and pursue personal development in their information security career.
You can find Russell Eubanks online at: https://securityeverafter.com/
SANS:
LinkedIn:
Twitter: https://twitter.com/russelleubanks
Cobalt Strike, Ransomware, Supply Chain Attacks, and RiskIQ 10/04/2021
Steve Ginty, Director of Threat Intelligence at RiskIQ, joins us on this episode to discuss detecting risks your organization might not be aware of. Steve also talks about how RiskIQ contributes to the detection of Cobalt Strike, ransomware actor activity, and supply chain attacks, and how RiskIQ can help with vendor management.
Website:
LinkedIn:
Meet Jerich Beason, SVP and Chief Information Security Officer for Epiq 09/20/2021
Jerich Beason is a cyber security hobbyist turned professional who holds Bachelor's and Master's degrees in Cyber Security. He has served in progressive roles at some of the most respected companies within the cyber security industry, including Lockheed Martin, RSA, and Deloitte, where he was a trusted advisor to executives within the federal government and Fortune 500 organizations. Jerich advised these companies on cyber security strategy, architecture, and program development. In his most recent role as Deputy CISO at AECOM, he was responsible for security architecture, risk management, compliance, and the overall security strategy. As a thought leader in cyber security, Jerich has been invited to sit on panels, speak at conferences and events, and contribute to white papers and security publications. Jerich is currently the host of Epiq's new podcast, Cyberside Chats, which has the mission of increasing knowledge and awareness of cyber security within the legal industry. At Epiq, Jerich serves as Sr. Vice President and Chief Information Security Officer, where he leads the Global Enterprise and Product Security organizations.
@blanketSec
https://www.linkedin.com/in/jerich-beason-874b908/
Meet AJ Yawn, CEO and Co-Founder of Bytechek 09/13/2021
AJ Yawn joins us for this episode of the CISO Dojo Podcast. AJ Yawn is a seasoned cloud security professional with over a decade of senior information security experience, including extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. AJ advises startups on cloud security and serves on the Board of Directors of the ISC2 Miami chapter as the Education Chair. He is also a Founding Board member of the National Association of Black Compliance and Risk Management Professionals, regularly speaks on information security podcasts and at events, and contributes blogs and articles to the information security community, including publications such as CISOMag, InfosecMag, HackerNoon, and ISC2.
@AjYawn
Fraudulent Job Applicants 09/01/2021
What's the strangest thing you've encountered with a new hire? In this episode we talk about the time an evil twin with no experience managed to get an IT position and how scammers with no experience are landing multiple work-from-home tech jobs just to collect a paycheck until they get terminated. The rabbit hole goes even deeper with fake sites being set up as past employers and answering services attempting to make them look legitimate. We also talk about how to combat these attempts and weed out the scammers from the legitimate applicants.
Meet Paul Tucker, CISO of Bank of Oklahoma 07/12/2021
Paul Tucker, CISO of Bank of Oklahoma, joins us for this episode of the CISO Dojo Podcast. Paul Tucker is Senior Vice President and Chief Information Security and Privacy Officer at BOK Financial. In this role Tucker leads the cybersecurity team responsible for the bank's efforts to protect information important to the bank's operation, while ensuring the overall cyber resiliency and privacy of the bank.
Cloud Security, Casinos, Supply Chain Attacks, INFOSEC Bikini, and Haters of Pants 07/08/2021
Joe Sullivan and Stacy Dunn wrap up the third part of their cloud security series. The episode extends into current events with casino ransomware attacks, supply chain attacks, and why casinos should not be getting breached. We also talk about social media happenings like INFOSEC Bikini, the negative element on Twitter, and haters of pants.
Attack Surface Management & Threat Intelligence with Alex Tarter 06/28/2021
Alex Tarter joins us on the podcast to discuss attack surface management and threat intelligence. Alex is one of the founding members of TurgenSec, which has recently had an interesting string of responsible disclosures related to:
Virgin Media
The Gates Foundation Charity
190+ Law Firms
The Philippines Government
Check out Alex at:
Stacy Dunn on Diversity, Equity, and Inclusivity | Part 3 06/14/2021
Part 3: Action items and actionable information. Stacy gives insights into how to support marginalized people and adopt better hiring practices.
Sources:
Meet CISO Chad Kliewer 06/07/2021
Chad Kliewer, CISO of Pioneer Telephone, shares his journey in information security, where he overcame nearly insurmountable challenges. Chad has faced broad use of credential sharing, placing the mouse on the monitor, because this is how it's supposed to work, right? Chad has survived SOX audits and even the SolarWinds attack. There's so much to learn from this episode from a CISO and information security perspective!
Connect with Chad on Twitter @ChadKliewer
CISO Dojo Ransomware Special Edition 06/05/2021
The White House just released a special document to the private sector about responsibility and steps to prevent ransomware. Quoting directly from the document: "Companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively." The document goes on to talk about best practices such as:
Utilizing Multifactor Authentication
Endpoint Detection and Response
Threat Hunting
Utilizing Threat Intelligence
Backing up your data and keeping it offline
Updating and patching systems
Testing your incident response plan
Penetration Tests
Segmenting Networks
These are all basic activities organizations need to start implementing now. The ransomware threat is escalating, and your organization can be a target.
Stacy Dunn on Diversity, Equity, and Inclusivity | Part 2 05/31/2021
Part of being an effective security leader is understanding and including people from all types of backgrounds. Usually, it's talk tech, security, and strategy, but for these episodes, it's time to discuss the 8th layer and how acceptance is not just 1's and 0's. In this short solo three-parter, Stacy will take you through the who, what, when, and why of Diversity, Equity, and Inclusivity (DEI).
Sources for Part 2:
A link to my own Medium article:
Stacy Dunn on Diversity, Equity, and Inclusivity | Part 1 05/24/2021
In this episode Stacy Dunn talks about Diversity, Equity, and Inclusivity and how we can get better at improving the culture of information security workplaces and the community. Part of being an effective security leader is understanding and including people from all types of backgrounds. Usually, it's talk tech, security, and strategy, but for these episodes, it's time to discuss the 8th layer and how acceptance is not just 1's and 0's. In this short solo three-parter, Stacy will take you through the who, what, when, and why of Diversity, Equity, and Inclusivity (DEI).
Sources for Part 1: and
Hiring Pen Testers, Hacking Holidays, and Hand Grenades 05/17/2021
Chris Elgee is a senior security analyst and design lead for , and commander of the Army National Guard's 126th Cyber Protection Battalion. At Counter Hack, Chris is responsible for the design and implementation of NetWars challenges and has created some of the player-favorite challenges throughout NetWars and the . Chris also teaches for the SANS Institute.
Read more about Chris Elgee at:
Follow Chris on Twitter: @chriselgee
From Reverse Engineering Malware to CISO 05/10/2021
Lenny is the CISO at , which is a cybersecurity tech company. Lenny has also helped build anti-malware software at an innovative startup and oversaw security services at a Fortune 500 technology company. He has also led the consulting practice at a leading cloud services provider. Lenny is also a Fellow Instructor at SANS and is the primary author of . Lenny maintains a popular malware analysis toolkit called as well. REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. Lenny is also the author of the , which is designed exclusively for cybersecurity professionals and teaches the key topics to address in security reports and other written communications, and how to pick the best words, structure, look, and tone.
Catch Lenny on Twitter at:
Cloud Security Part 2 05/04/2021
In this episode we discuss concerns with security in the cloud that organizations need to be aware of. Moving to the cloud doesn't automatically mean it's more secure. We'll take a look at the CIS Controls and how you can implement them in a cloud environment to better secure your networks and data. The topics discussed in this episode are:
Malware Defenses in the Cloud
Limiting Network Protocol Ports and Services
Cloud Security Data Recovery Capabilities
Cloud Security Configurations
Cloud Security 04/27/2021
In this episode we discuss concerns with security in the cloud that organizations need to be aware of. Moving to the cloud doesn't automatically mean it's more secure. We'll take a look at the CIS Controls and how you can implement them in a cloud environment to better secure your networks and data.
Cyberstalking 04/21/2021
Stalking: what is it, exactly? And, more importantly, what do you do if it happens to you? What are the steps you can take, and how can you understand ways to better protect yourself? What are the avenues for reporting stalking? How has technology impacted stalking, and what can we do, as a society, to keep these behaviors from perpetuating?

National Resources: (1-800-799-SAFE)
Local Resources:

Stalking definition:
The Department of Justice defines stalking as "A perpetrator engaging in a course of conduct directed at a specific person that would cause a reasonable person to fear for their safety or the safety of others or suffer substantial emotional distress." The Office on Women's Health defines stalking as "Any repeated contact that makes you feel afraid or harassed." This communication or behavior could involve repeated visual, physical, verbal, written, or implied threats, nonconsensual communication, or a combination of these measures.

Stalking is against the law. Stalking is a crime. Stalking can be charged as a state or a federal crime, and depending on the case, it can be:
Misdemeanor - punishable by imprisonment for up to 1 year or a fine that cannot exceed $1,000, or both.
Felony - for aggravated stalking, punishable with up to 5 years in prison or a fine of maximum $10,000, or both.

Who can be stalked: Anyone. However, 1 in 6 women experience stalking in their lifetime, and women are twice as likely to be stalked as men are. (This is according to the National Center for Victims of Crime.)

Stalking falls into three broad categories:
Intimate or former intimate partner stalking - The stalker and victim may be in a relationship, may have lived together, may be serious or casual partners, or former partners in some facet.
Acquaintance stalking - The stalker and victim may know one another casually, such as a coworker, neighbor, or something similar.
Stranger stalking - The stalker and victim do not know one another. This usually includes cases where the victim may be a celebrity.

Examples of stalking:
Following you around or spying on you
Befriending or manipulating your family, friends, or coworkers to intrude on your inner circle
Sending you unwanted emails, messages, or letters
Calling you often
Harassing you on social media
Creating fake profiles to keep tabs on you
Attempting to gain access to your computer, email, or social media accounts
Tracking your computer or internet use
Using technology such as GPS to track your location
Showing up uninvited to your house, school, work, or places you frequent
Leaving you unwanted gifts or tokens of affection
Damaging your home, car, or other property
Threatening you, your family, your friends, or your children and pets with violence

Misconceptions about stalking:
"Stalking is only stalking if they keep doing it after you've asked them to stop or have confronted them in some way." - I hear this sentiment a lot. If someone has been following you, tracking you, or harassing you and you're just discovering it, it's been stalking the whole time. They don't get a magical free pass to do so until you've said no; it's stalking regardless. And confronting the perpetrator can often be dangerous.
"Only celebrities are stalked." - As previously mentioned, anyone can be stalked. In fact, 1.4 million people are stalked every year in the United States.
"If you ignore the stalker, they will go away." - If only this were true. Each case varies, but stalking is dangerous, it's against the law, and anyone that experiences stalking should seek help.
"You can't be stalked by someone you're dating." - Big huge nope. Biggest nope. You absolutely can. If an intimate partner is tracking your location, following you around, and making you feel smothered and afraid, that is stalking. It doesn't matter what your relationship with the person is.

When is stalking categorized as cyberstalking?
Nowadays, stalking usually includes cyberstalking. As security professionals, we have to be cognizant of how people use technology in a way that's malicious. Cyberstalking falls under the stalking umbrella. It's yet another form of stalking and is widely used among perpetrators because it gives them a relatively easy way of monitoring someone, particularly if their "digital footprint" is very wide. Cyberstalking is the use of the internet or other electronic means to stalk or harass an individual, group, or organization. As mentioned, cyberstalking is often accompanied by real-time or "offline" stalking, but may be used as the primary or only means of stalking. Physical or real-time stalking is not necessary for the act to be considered a crime. Cyberstalking, in and of itself, is also a crime.
Something to note: States vary in how they categorize offenses. By 2009, 14 states had adopted legislation on high-tech stalking, punished by up to 18 months imprisonment and a $10,000 fine for a fourth-degree charge, up to 10 years in prison and a $150,000 fine for a second-degree charge.

What to do if you're being stalked:
The obvious answer may be to blanketly tell everyone to call 911 or contact the authorities. However, the unfortunate truth is that not all law enforcement officers are trauma-informed, nor are all of them equipped to handle stalking. And, sadly, some of them may not take the case seriously. Even with that, I highly suggest reporting, if you feel safe to do so. Sometimes, your stalker may even be a police officer or someone that is powerful. It's not always easy to go to the authorities, particularly if you have been let down in the past or get grilled by law enforcement as if the stalking is your own fault. Here are a few other suggestions of who to contact to assist you:
National Domestic Violence or Victim Resources such as The Hotline Dot Org, Victims of Crime Dot Org, Stalking Awareness Dot Org, and so on. We will link all of these resources in the show notes.
Local Domestic Violence Coalitions such as YWCA, Palomar, and other non-profits that may be exclusive to your area.
Legal Resources or Lawyers that are trauma-informed and specialize in domestic violence, sexual assault, and stalking cases.
A trusted friend, family member, mentor, teacher, counselor, or therapist.

Some steps you can take to help protect yourself and mitigate a stalker's ability to gather more information about you:
In an ideal world, we would want to stop the stalkers from stalking. The onus is on them. It's not your fault you're being stalked, and these preventative measures do not suggest that this is in any way your fault, but please take these measures into consideration if you are being stalked.
Document everything. Record dates. Take screenshots and keep everything organized. Describe the actions as well as how they made you feel in the moment. Keep a running timeline, if possible.
Inform someone you trust of the stalking. Carry your cell phone with you and inform your trusted friend or family member of your whereabouts, especially if the person is capable of physically finding you.
On the topic of your cellphone, ensure that it does not have any unknown applications, tracking, or compromised accounts on it. Review your installed applications and accounts, and enable multi-factor authentication where possible.
Use unique and secure passwords for all of your accounts. (Make sure your passwords are not easily "guessable.")
Depending on the situation, stopping all communication with the stalker is ideal. Your circumstances may dictate that completely cutting them off is actually less safe, so trust your instincts and document your decision. That said, block the stalker on all platforms, if it is safe to do so.
Limit your social media posts to friends and family. Avoid posting anything publicly. Be cognizant of sharing, tagging, and what is shown in images. Minimize mutual contacts.
Do not share your home address or place of work online. Additionally, do not share when you're at home and when you are not.
If physical stalking is present: Vary your travel schedule; try not to use the same route or routine every day if travel is required.
The Birth Of a CISO 04/05/2021
This week's episode acts as a follow-up to provide answers to your burning questions following the interview with our special guest, Gordon Rudd of Stone Creek Coaching, who trains and coaches aspiring and current CISOs. But how do you know if you want to be a CISO? Heck, what is a CISO? It's in the name, right? How do we know exactly what a Chief Information Security Officer is? Does the definition change between organizations? Are the expectations the same? Listen as Joe and Stacy give the ins and outs of what it takes to get the title, what to expect, and why it's needed.
From Fortran to CISO to Executive Coaching 03/27/2021
Gordon Rudd joins us for this week's episode of the podcast. Gordon Rudd is a former CISO, executive coach, author, keynote speaker, and teacher with Stone Creek Coaching. Gordon founded the CISO Mentoring Project in 2012 and is an engaged mentor to many aspiring and active CISOs around the world. He founded Stone Creek Coaching in 2019 to help create world-class cybersecurity leaders. Gordon is a regular instructor with (ISC)2, an international, nonprofit association for information security leaders, creating educational videos, leading educational events, and creating content for their members. Gordon served as the thought leader in residence for Venminder, utilizing his 40+ years of third-party risk management, information technology, information security, and GRC (Governance, Risk Management and Compliance) program development experience. Gordon worked with clients as a third-party risk management and cybersecurity subject matter expert in residence. Gordon began his cybersecurity career while working as a contractor for the defense industrial base in America. He was instrumental in the formation of the cybersecurity program for a Fortune 50 oil and gas company. Gordon has consulted with some of the world's largest financial services organizations on cybersecurity and business continuity management preparedness. He has created dozens of business continuity plans for organizations in manufacturing, oil & gas, health care, and banking. He joined Venminder from RCB Bank, where he held the position of Vice President, Chief Information Security Officer (CISO). Gordon implemented and managed both their cybersecurity program and third-party risk management program, including managing internal audits, external audits, and regulatory examinations. Gordon is a recognized cybersecurity expert and is frequently sought to speak at industry events on information security, GRC, and enterprise risk management.
Gordon received his B.B.A. in Finance from the University of Oklahoma and an M.B.A. from West Texas A&M University. Gordon was instrumental in my transition from security technologist to security leader, and it would have been a rough journey without his coaching, guidance, and mentoring.
You can find Gordon online at https://www.linkedin.com/in/gordonrudd.
My Path in Information Security: Stacy Dunn 03/22/2021
In this episode of CISO Dojo, Stacy outlines how she broke through into the field of Information Technology and, subsequently, Cyber Security. How does one connect the dots from being a Retail Store Manager with an Associate's in Fine Arts to becoming an aspiring Security Engineer with one of the world's largest security companies? Stained shirts and socks with sandals, that's how! What...? Wait just a minute...? Yeah, that's right! But what does that have to do with IT!? Listen for the full story, down to the dirty details, and gain some insights into how to better build yourself up to take control of your career.