CISO Tradecraft®

In this CISO Tradecraft episode, G Mark Hardy, Ross Young, and Andy Ellis share RSAC insights from the vendor floor, including Andy’s effort to visit about 607 booths. They highlight dominant themes like AI SOC offerings and agentic/agent security messaging, noting that many booths used unclear marketing or even failed to describe what they do. The discussion critiques activity-based metrics like badge scans, arguing for outcome-focused goals such as awareness, qualified follow-ups, and customer-driven product feedback. They explore how marketing should create informed buyers, how startups should communicate problem, urgency, and differentiation, and how AI and “vibe coding” may pressure vendor pricing or encourage internal tool-building. The episode also covers open-source sustainability and recommends networking via both major conferences and smaller private CISO events.

Take a look at these three helpful RSAC Reviews:
DUHA - https://www.duha.co/reports/state-of-security-vendors-rsac-2026/
VibeCoded - https://vibecoded.vc/cooked/
Jake Epstein's RSA 2026 Startup Landscape - https://jakee.vc/rsa-2026-landscape.html

In this CISO Tradecraft episode, co-hosts G Mark Hardy and Ross Young discuss how large language models are transforming software development and shifting cybersecurity from buying Software as a Service to “Service as Software,” and ultimately to "Systems of AI agents". They explain how writing code in English enables rapid prototyping, changing cost models by reducing labor hours and increasing speed and scale, with metrics like shrinking a 40-hour threat model effort to a 10-minute agent output. Ross outlines three generations, SIEM (SaaS), SOAR (services as software), and systems of agents (AI SOC), highlighting broader, evolving detection coverage. They cover risks including underestimated maintenance, scope creep, automating bad processes, and insecure AI-generated code, and demo a prompt-built software composition analysis/SBOM tool using CycloneDX and OSV. Ross also introduces his company, Clear Capabilities, focused on agentic workforce automation for governance, privacy, architecture, and compliance.

Cybersecurity's Dirty Secret: Why Most Budgets Go To Waste - https://www.amazon.com/Cybersecuritys-Dirty-Secret-Budgets-Tradecraft%C2%AE/dp/B0G26WHVTG/

Ross Young -
https://www.linkedin.com/in/mrrossyoung/

Developer AI Threats -
https://threats.backslash.security/

In this episode of CISO Tradecraft, host G Mark Hardy speaks with Brian Long, CEO and co-founder of Adaptive Security, about how AI is accelerating and scaling social engineering through deepfakes, OSINT-driven personalization, and real-time conversational attacks. Brian says people remain the biggest opportunity in cyber defense, citing rapid growth in deepfake-enabled incidents and examples including a widely reported $25M wire fraud involving a fake Zoom meeting of “peers,” plus a CFO/controller case where a deepfaked CEO pushed secrecy and urgency. They argue detection alone is unreliable due to an arms race and attackers shifting to unverified channels (phone, Teams/Slack, Signal). Key mitigations include workforce awareness, stronger organizational controls (especially for hiring and payments), verification habits, and personalized training paired with AI-powered simulations and reporting/automated email handling.

Big thanks to our sponsor Adaptive Security. Note, you can learn more about them by visiting their website:
https://www.adaptivesecurity.com/demo/security-awareness-training

In this CISO Tradecraft episode, host G Mark Hardy interviews Shahar Man of Backslash Security about the rapidly expanding attack surface created by AI-driven “vibe coding” tools like Claude Code, Cursor, and Copilot. Shahar explains how prompting is shifting software creation, affecting education and hiring, and pushing security “further left” to the prompt, agent, MCP, skills, and rules level. He discuss risks such as loss of source integrity, excessive permissions, prompt injection, data leaks, use of unauthorized tools or accounts, and the spread of coding beyond engineering to teams like marketing and finance. Shahar argues AppSec work will transform toward securing the “sausage factory” and describes Backslash’s approach: enterprise-wide visibility, component vetting, endpoint monitoring via a local proxy, guardrails and blocking, and forwarding alerts to SOC/SIEM, with deployments scaling to thousands of workstations.

Looking to get more secure on Vibe Coding? Check out the Ultimate 2026 Vibe Coding Security Buyer's Guide
https://www.backslash.security/resources/vibe-coding-security-buyers-guide?utm_campaign=354642149-ciso-tradecraft&utm_source=ross-young&utm_medium=podcast-march-2026

In this CISO Tradecraft episode, host G Mark Hardy interviews Steve Shelton (https://www.linkedin.com/in/greenshoesteve/) of Green Shoe Consulting about the “State of Stress in Cybersecurity 2025” report and why burnout is widespread among cybersecurity leaders. Shelton explains the difference between beneficial stress (eustress) and chronic distress, how threat vs challenge interpretations shape performance, and why cybersecurity’s volatile, high-stakes environment amplifies stress, especially when CISOs have responsibility without authority and limited leadership training. They discuss systemic burnout drivers such as workload, autonomy, values alignment, recognition, and leadership behaviors like trust and delegation, plus different CISO leadership styles (strategic, adaptive, tactical, operational). Shelton describes efforts to build training and measurement tools for stress and energy, comments on AI-driven uncertainty, and shares the report download link at: https://www.greenshoeconsulting.com/stateofstressreport