Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.
Resilient Cyber w/ Shyam Sankar - The Primacy of Digital Dominance
In this episode we sit down Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We will dive into a wide range of topics, from cyber regulation, software liability, navigating Federal/Defense cyber compliance and the need for digital defense of the modern national security ecosystem.- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir?You're a big proponent on the role that software plays now, and will play in the future when it comes the fifth domain of warfare, cybersecurity, so let's give into some of those topics.- I know you've voiced some strong opinions on the role of cyber insurance and also compliance when it comes to its static nature, compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?- The enablement of more companies is key, as you know the DIB has seen massive consolidation in the past decade or more, largely with the small handful of players dominating the lions share of the work in the DoD. This arguably poses systemic concentrated risks, as well as doesn't give access for the DoD to commercial innovation.You called the DoD's most powerful ally America's commerical tech sector in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a not built here syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATO's and RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?
10/18/2024 • 34 minutes, 3 seconds
Resilient Cyber w/ Mark Simos - Cybersecurity Anti-Patterns
In this episode we sit down with Mark Simos to dive into his RSA Conference talk "You're Doing It Wrong - Common Security AntiPatterns" to dig into several painfully true anti-patterns in cybersecurity and how we often are our own worst enemy.-- First off, for those not familiar with you or your background, can you tell us a bit about that.- So you delivered this talk at RSA, focused on Cybersecurity "Anti-Patterns". How did the talk come about and how was it received by the audience?We won't be able to name them all, but I would love to discuss some of them.- You talk about the technology-centric thinking, and how folks believe security is about technology instead of business assets. Can you explain this one?- The silver bullet mindset was another that jumped out to me. This is thinking a single solution can 100% solve complex and continuous problems. What ways have you seen this one play out?- The paradox of blame is one that made me laugh because I have seen this play out a lot. You talk about the CYA mentality, how security warns about issues, they are skipped and then security is blamed. This one really stings because I have seen it happen, and in fact, I feel like we're seeing it play out with some of the CISO liability cases and regulations that are emerging. - Perhaps one of the most well known anti-patterns of security being the office of no or resisting trends. I feel like we saw this with Cloud, Mobile, SaaS and now AI. Why do we keep repeating these mistakes?
10/17/2024 • 29 minutes, 30 seconds
Resilient Cyber w/ Helen Oakley - Exploring the AI Supply Chain
- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?- We see rapid adoption of AI and security inevitably trying to keep up, where should folks start?- There are some really interesting intersections when it comes to AI and supply chain, what are some of them?- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?- AI BOM's - what are they, how do they differ from SBOM's, and what are some notable efforts underway right now around them?
10/8/2024 • 20 minutes, 26 seconds
Resilient Cyber w/ Ross Young - How to Become a CISO
- First off, for those who don't know you, can you tell us a bit about your background?- You've been providing a deep dive talk into how to become a CISO. I'm curious, what made you put together the presentation, and how has it been received so far when you've had a chance to deliver it?- You have broken down what you call "four stages of the journey" that encompasses skills in areas such as Technical, Management, Leadership and Political. This to me comes across as CISO's need to be multidisciplinary professionals with a variety of skillsets. What do you think makes this so important for CISO's to be successful?- Let's walk through the four stages a bit. You start off with Technical skills. This seems to the foundation many CISO's start with, coming from roles in areas such as engineering, architecture and so on. What makes this foundation so key?- How do CISO's maintain a strong technical foundation and depth, as they get further away from the tactical work and more into the leadership and strategic role?- CISO's of course have to be able to manage the teams they build and/or oversee. What are some of the key management leadership skills you think CISO's must have?- Leading is a fundamental part of what CISO's do. Whether it is direct reports, or the broader security org. What are some of these leadership skills and how can they have a positive or negative impact?- Last but not least is the political side of things. CISO's of course operate among other C Suite peers, the board and within complex organizations with competing interests, personalities and incentives. This could arguably be the most important skill to hone in terms of ensuring you're effective in your role, and have a lasting impact on organizational risks. What are your thoughts on the political skills front? - I'm curious as someone who's been a multiple time CISO and is now advising others on how to obtain the role - where do you see the role of the CISO headed in the future? We see new aspects such as litigation, SEC rules, determining materiality, CISO's needing to speak the language of the business and more - all while needing to manage risks with the ever changing technological landscape, with AI being the latest example. Where is it all headed?
10/8/2024 • 32 minutes, 57 seconds
Resilient Cyber w/ Jit - Exploring the Emerging ASPM Ecosystem
In this episode we sit down with Amir Kessler and Aviram Shmueli of AppSec innovator Jit to dive into the complexities of the modern AppSec landscape and explore the emerging Application Security Posture Management (ASPM) ecosystem.- First off, for folks not familiar with your backgrounds, can you tell us a bit about both of your backgrounds and how you got to the roles you're in now?- We're seeing a ton of interest in the topic of ASPM in the AppSec space. What do you think has led to this emerging category and what key problems is it looking to solve?- I know your team puts a big emphasis on not just the tech but also the DexEx and UX. Why is this so critical to address AppSec risks and securing organizations and their code?- While there is value in ASPM platforms, many Dev teams and engineers are opinionated about their tools, how important is this flexibility and extensibility in the platform that the Jit team has built?- A key challenge includes vulnerability overload. Teams drowning in massive vulnerability backlogs and trying to add vulnerability context and focus on the most relevant risks for developers. How does Jit approach this?- Not all ASPM platforms are the same, but we see many vendors rallying around the category. What do you think makes Jit unique and differentiates what the team has built?
10/1/2024 • 26 minutes, 33 seconds
Resilient Cyber w/ Christina Liaghati - Navigating Threats to AI Systems
- For those that don't know you, can you tell us a bit about your background and your current role?- I know you help lead the ATLAS project for MITRE, what exactly is ATLAS and how did it come about?- The AI threat landscape is evolving quickly, as organizations are rapidly adopting GenAI, LLM's and AI more broadly. We are still flushing out some fundamental risks, threats and vulnerabilities to consider. Why is it so important to have a way to characterize it all?- When it comes to AI Security, there is also a lot of hype, buzz and dare I say FUD out there. Why are you so adamant that we take a data-driven and actionable approach?- I know you recently helped participate in the first big AI security incident focused TTX, including with CISA and other Government and Industry partners, can you speak a bit about the experience and why exercises like this are important for organizations to do when it comes to AI security?- As someone close to the AI domain, when it comes to security, what are your thoughts on both where we're headed for security of AI, and AI to bolster security? - For folks wanting to learn more about ATLAS, and the work MITRE is doing around AI security, where should folks get started?- What are some key open questions and opportunities for the community to help shape the future of AI security and assurance?https://atlas.mitre.org/ ← Check out MITRE ATLAS!
9/6/2024 • 24 minutes, 58 seconds
Resilient Cyber w/ Steve Wilson - Securing the Adoption of GenAI & LLM's
In this episode we sit down with GenAI and Security Leader Steve Wilson to discuss securing the explosive adoption of GenAI and LLM's. Steve is the leader of the OWASP Top 10 for LLM's and the upcoming book The Developer's Playbook for LLM Security: Building Secure AI Applications-- First off, for those not familiar with your background, can you tell us a bit about yourself and what brought you to focusing on AI Security as you have currently?- Many may not be familiar with the OWASP LLM Top 10, can you tell us how the project came about, and some of the value it provides the community?- I don't want to talk through the list item by item, but I wanted to ask, what are some of the key similarities and key differences when it comes to securing AI systems and applications compared to broader historical AppSec?- Where do you think organizations should look to get started to try and keep pace with the businesses adoption of GenAI and LLM's?- You've also been working on publishing the Developers Playbook to LLM Security which I've been working my way through an early preview edition of and it is great. What are some of the core topics you cover in the book?- One hot topic in GenAI and LLM is the two large paths of either closed and open source models, services and platforms. What are some key considerations from your perspective for those adopting one or the other?- I know software supply chain security is a key part of LLM and GenAI security, why is that, and what should folks keep in mind?- For those wanting to learn more, where can they find more resources, such as the LLM Top 10, your book, any upcoming talks etc?
8/28/2024 • 28 minutes, 40 seconds
Resilient Cyber w/ Snehal Antani - Building and Scaling a Security Startup
In this episode we sit down with the Founder/CEO of Horizon3.ai to discuss disrupting the Pen Testing and Offensive Security ecosystem, and building and scaling a security startup - from a founders perspective.From HP, to Splunk to JSOC - all leading to founding Horizon3, Snehal brings a unique perspective of business acumen and technical depth and puts on a masterclass around venture, founding and scaling a team and disrupting the industry!---- For those not familiar with your background who Horizon3AI, can you tell us a bit about both?You are building something special at Horizon3AI and I will dive into that here soon, but you've also been posting some great content about building a security startup, the team, the market dynamics and more, so I wanted to spend a little time chatting about that. - First off, your company was recently listed by Forbes as one of the top 25 venture backed startups likely to reach a $1 billion dollar valuation. How did that feel and what do you think contributed to your team landing on such a prestigious list?- Speaking of venture backed, you recently participated in the Innovators and Investors Summit at BlackHat where you and other panelists dove into the topic of what founders should look for in investors and how VC's can stand out in a highly competitive market. As someone who's navigated that journey and is now being listed on lists such as that from Forbes - what are some of your key lessons learned and recommendations for early-stage founders?- You've stressed the importance of the team over the initial idea and what you've called "pace setters" and "ankle weights" within the team and the importance of both. Can you elaborate on the terms and broader context around building a foundational team to scale the company successfully?- You also have discussed the 4 advantages iconic companies build over time, what are they and why do they help differentiate you?- Pivoting a bit, you have a really unique background, blending both the private and public/defense sector. How do you think that's helped shape you and the way you've build your team and company and approach the market?- Horizon3AI is big on the mantra of "offense informed defense". Why is that critical and why do you think we miss the value in this approach in many spaces in the security ecosystem?- You all have poked some fun at the way many organizations operate, running vuln scans, doing an annual pen test, and having a false sense of security. How is Horizon3AI disrupting the traditional Pen Testing space and leading to more secure organizational outcomes?
8/21/2024 • 29 minutes, 33 seconds
Resilient Cyber w/ Rob Allen - Endpoint Protection, VulnMgt & Zero Trust
- For those not familiar with you and ThreatLocker, can you tell us a bit about yourself and the ThreatLocker team?- When we look out at the endpoint protection landscape, what do you feel some of the most pressing threats and risks are?- There of course has been a big push for Zero Trust in the industry being led by CISA, NIST, and industry. How does ThreatLocker approach Zero Trust when it comes to the Endpoint Protection Platform?- Another thing that caught my eye is the ThreatLocker Allowlisting capability. We know Applications remain one of the top attack vectors per sources such as the DBIR. Can you tell us about the ThreatLocker Allowlisting capability and blocking malicious app activity on endpoints?- Taking that a step further, you all often speak about your Ringfencing capability that deals with Zero Day vulnerabilities. As we know, traditional vulnerability management tools can't stop Zero Day exploits. How does the ThreatLocker platform handle Zero Day protection?- I saw you all recently had a webinar focused on CMMC and NIST 800-171, which applies to the Defense Industrial Base. Obviously endpoint threats are a big concern there for the DoD and the DIB. Can you talk about how ThreatLocker is working with that community?- For folks wanting to learn more about ThreatLocker, where should they go, and what are some things to keep an eye out for?Find out more about ThreatLocker!
8/19/2024 • 24 minutes, 58 seconds
Resilient Cyber w/ Chloe Messdaghi - AI Security & the Threat Landscape
In this episode we sit down with Chloe Messdaghi, Head of Threat Intelligence at HiddenLayer, an AI Security startup focused on securing the quickly evolving AI security landscape. HiddenLayer was the 2023 RSAC Innovation Sandbox Winner and offers a robust platform including AI Security, Detection & Response and Model Scanning.- For folks now familiar with you or the HiddenLayer team, can you tell us a bit about your background, as well as that of HiddenLayer?- When you look at the AI landscape, and discussions around securing AI, what is the current state of things as it stands now? I would recommend checking out the "AI Threat Landscape Report" you all recently published.- Many organizations of course are in their infancy in terms of AI adoption and security. I know the HiddenLayer team has really been advocating concepts such as AI Governance. Can you talk about how organizations can get started on this foundational activity?- HiddenLayer published a great two part series on an "AI Step-by-Step Guide for CISO's", can you talk about some of those recommendations a bit?- You all also have been evangelizing practices such as Red Teaming for AI and AI Models. What exactly is AI Red Teaming and why is it so critical to do?- Another interesting topic is how we're beginning to look to Govern AI, both here in the U.S. with things such as the AI EO, and in the EU with the EU AI Act. What are some key takeaways from those, and what do you think about the differences in approaches we're seeing so far?
- For folks not familiar with you and your background, can you tell us a bit about that?- How about Resourcely, how did it come about and what problem did you set out to tackle?- Why do you think Cloud Misconfigurations are still so pervasive, despite being fairly well into the Cloud adoption lifecycle?- How have organizations traditionally tried to handle secure configurations, in terms of establishing them, maintaining them, monitoring for drift and so on?- Where do you think we're headed, I know you all recently had your capability go GA and you discuss concepts such as blueprints, frameworks, paved paths etc. - You've been talking a lot about the Death of DevSecOps. Let's chat about that, what case are you making with regard to DevSecOps and where the industry is headed?
7/25/2024 • 17 minutes, 59 seconds
Resilient Cyber w/ Stuart Mitchell Cyber Talent, Recruiting & the Workforce
- First off, for folks now familiar with your background, can you tell us a bit about yourself?- You made the leap from working for a firm to founding your own talent and recruiting company. Can you tell us about that decisions and experience?- Before we dive into specific topics, what are some of the biggest workforce trends you are seeing in cyber currently? I have seen you talk about the pendulum shift from workers to employers on aspects like remote roles, and so on. What is the current dynamic across the cyber landscape broadly at the moment?- The cyber workforce is often discussed painfully, with talks of struggles to attract and retain technical talent, but I feel like it isn't just a headcount problem. We also often see absolutely awful PD's and processes that impact organizations hiring abilities. What are your thoughts here?- You're often seeking out some of the best talent for leading organizations. What sort of experiences, qualities and characteristics do you find yourself looking for in candidates that make them stand out from the broader workforce?- Conversely, what are some things you see organizations doing the best that really set them apart from others when it comes to building amazing security teams?- What can folks be doing to try and best position themselves for their dream role? What are key things to keep in mind and emphasize from an expertise, personal branding, resume and other factors perspectives?
7/19/2024 • 47 minutes, 33 seconds
S6E21: Christoph Kern - Dissecting Secure-by-Design
- First off, for those that don't know you or your work, would you mind telling us a bit about your background?- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems. Such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at-scale also have more resilient outcomes, this seems to be both a risk and a benefit of software over physical systems?- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability at inherently at odds, or need to be?- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers and also they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?- Some may pushback and say it is easy for Google to say advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?
6/13/2024 • 45 minutes, 51 seconds
S6E20: Joe McCaffrey - Securing the Digital Arsenal of Democracy
- First off, for folks that don't know you, can you tell us a bit about your current role and background?- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as impacting the ability to get innovative capabilities into the hands of warfighters and mission owners?- CMMC- We know your organization is looking to bring innovative commercial technologies into Defense, what are some of the challenges there beyond the ATO aspect?- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your abilities to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?- DevSecOps thoughts
6/12/2024 • 39 minutes, 34 seconds
S6E19: Madison Oliver - Open Source & GitHub Advisory Database
- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?- What exactly is the GitHub Advisory Database and what is the mission of the team there?- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD and how it fits into the ecosystem?- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?- You're also involved with the CVE program, can you tell us about that?- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?
6/12/2024 • 30 minutes
S6E18: Stephen Carter - VulnMgt Modernization & FedRAMP
- For those don't know your background or Nucleus Security, can you start by telling us a bit about both?- You have experience and a background in the Federal environment, and Nucleus recently achieved their FedRAMP authorization, can you tell us a bit about that process?- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience and where do you think innovative products and solutions can help?- Going broader, we have seen a recent uptick in the interest around VulnMgt, and looking to modernize the way we do things. What do you think is driving this recent focus on VulnMgt and what major innovations or disruptions in the space do you see underway?- What do you feel helps differentiate Nucleus Security from some of the other competitors we see in this space focusing on this problem?- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities, and repeated classes of vulnerabilities. What's your take on this push and do you see it being effective?
6/4/2024 • 31 minutes, 20 seconds
S6E17: Jimmy Mesta - Kubernetes, Runtime and Supply Chains
- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?- Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience?- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusing on?- The RAD security team emphasizes their fingerprint capability for Kubernetes workloads. Can you unpack that this is and how it differs from say signature based security tools and so on?- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and explosive growth of Kubernetes and Containerized workloads?- You all are big proponents of runtime security, a category that is getting increased attention latest in the security industry. Why do you think runtime is so critical, compared to say some other tools or products that may focus on different aspects of the SDLC or lean into "shifting left" for example?
6/4/2024 • 26 minutes, 12 seconds
S6E15: John Hammond - Cybersecurity Industry Trend Analysis & Content Creation
5/1/2024 • 38 minutes, 24 seconds
S6E14: Dr. Georgianna Shea: Cyber-Physical Resilience & Supply Chain Security
- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?- Some may be asking, what's the big deal, its just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?- One thing I noticed is the emphasize on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?
4/30/2024 • 28 minutes, 23 seconds
S6E12: Matt Nelson & David Cantrell - BESPIN Software Factory - Innovating at the Edge
Can you each tell us a bit about your background, before we dive in?For those not in the DoD or familiar with the term, what is a “Software Factory”?What is BESPIN?What is the current state of mobile security within the DoD?Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on?Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?Since there are no official mobile requirements you kind of get a second mover advantage, how can you take lessons learned from the Cloud Computing SRGs and apply that to mobile? Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airman on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.
3/24/2024 • 55 minutes, 55 seconds
S6E2 - Jacob Horne - 171, CMMC and the Federal Compliance Landscape
- For folks not tracking, let's level set a bit, what exactly is NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two?- Are there notable events that led the DoD to pursue CMMC, building on the history of 171?- Obviously the introduction of the 3PAO aspect brings more rigor than previously existed with self-assessments. Many in industry have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry (myself included). What are your thoughts on the potential to impact the DoD supplier base and lead to further consolidation?- Many DIB suppliers are of course SMB's who rely on CSP's and MSP's to meet these requirements, or conduct their daily operations, leveraging various external parties. How does CMMC handle entities like CSP's and MSPs?- There was recently a memo from the DoD CIO clarifying some language around "FedRAMP equivalency" for DFARS 7012. First off, what is 7012, how does it tie to 171 and CMMC and what did the DoD CIO memo essentially say?- Most SMB's in the DIB lack internal cyber expertise and resources, and of course this has led to a booming industry of 171/CMMC consultants and 3PAO's. What are your thoughts on that growing ecosystem and how do SMB's ensure they're working with the right advisors and assessors?- What are some of the details on the timelines and rollout of the finalized CMMC rule? When and how should folks be preparing?- Many of course are quick to claim "compliance isn't security" when discussing stuff like 171 and CMMC. What's your initial reaction to those claims, and how do we help folks understand that industry will not just voluntarily spend and focus on security requirements without being required to do so?- CMMC of course has a ConMon aspect, right now that is does via annual self-assessments/reporting as I understand it. What do you think CMMC gets right on this front, and what could be done better?
1/12/2024 • 1 hour, 3 minutes, 14 seconds
S6E1 - Rob van der Veer - Navigating the AI Security Landscape
- You've been heavily involved in the AI dialogue in the industry as it has heated up, how did you get your start specializing in software security and most notably AI?- AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use?- We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical for Governments to act so quickly on this emerging technology, especially when Government is historically reactionary and slow to adapt?- What are some of the key considerations that must be kept in mind to help securely govern and regulate AI without hindering innovation and economic prosperity and potential that AI may bring?- You're involved in efforts such as the OWASP AI Exchange, can you tell usa bit about that effort, how it came about and how practitioners can learn from and leverage it?- Compliance can be cumbersome with many overlapping and often duplicative compliance frameworks that industry has to wrestle with. You've been working on an effort dubbed "OpenCRE" can you tell us a bit about that and what the goals are?
1/5/2024 • 32 minutes, 58 seconds
S5E9: Kevin Greene - The Cyber Journey, AI/ML and Secure SDLC
- Tell us a bit about your cybersecurity journey, you've held a variety of roles with FFRDC's and industry- You've been talking a good bit about the latest Secure-by-Design push, what do you make of this push? I know you've raised concerns about needing to do some research to determine the effectiveness of these "secure" SDLC's- AI and ML are everywhere we turn in the cyber industry discussions. You've been speaking about the role of ML in cyber detection for example going back several years. There's a lot of focus on the risks of AI, but what do you think about the promise of AI and ML to help with defending organizations and agencies?- I know you've been discussing threat informed defense and even took a swing at NIST 800-53/FedRAMP and its relevance. Can you elaborate on this, and how you think we're getting it wrong as an industry with regard to compliance and security?- You recently had awesome comments about the risks in public cloud attack surfaces and implications for national security, let's dive into that one, give us some thoughts on this front?- We're heading into 2024, so let me ask, what are some of your top predictions we may see in cybersecurity over the next year?
12/22/2023 • 43 minutes, 57 seconds
S5E8: Jake Meloche - Cloud Native Security
- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career wise- What are some of the key differences with cloud-native security?- There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?- This also infers there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?- There's a lot of focus of course on shifting security left, and CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?- Can you tell us a bit about Aqua Security, what you all do and what makes you unique from some of the other platform providers and security companies out there?- What does the term "cyber resilience" mean to you?
12/15/2023 • 21 minutes, 16 seconds
S5E7: Darwin Salazar - Data, Detections & the Cybersecurity Market
Nikki - Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations - was there a singular event that spurred your interest? Chris - What are your thoughts around Guardrails in the cloud and using things such as event based detections?Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been and do you think having the practitioner background helps you be a more effective Product Manager and leader?Nikki - There's a lot of talk around DataOps and SecOps - we're really seeing a bridging of fields and concepts to bring teams together. I wanted to talk a little bit about the human element here - do you see more of these blending of fields/disciplines?Chris - I know you've taken a new role recently with Monad, which focuses on Security Data Lake. What made you interested in this role and why do you think we're seeing the focus on Security Data Lakes in the industry so much? Nikki - What are some of the emerging trends you see in cyber attacks against cloud? What should people be most concerned with and focus on first when it comes to cloud security? Chris - You also lead the Cyber Pulse newsletter, which I read and strongly recommend for news and market trends. What made you start the newsletter and have you found it helps keep you sharp due to needing to stay on top of relevant topics and trends?Nikki - What does cyber resiliency mean to you?
11/14/2023 • 29 minutes, 43 seconds
S5E6: Allie Mellen - SecOps, Detection and AI
Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt? Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two? Nikki - What got you interested in research? I'm always curious because there is such a niche space within cybersecurity and I love meeting other researchers. How do you think cyber benefits from research and vice versa?Chris - You also recently had some content regarding doing a deep dive into Nation State threats. We're increasingly seeing cyber play a part in nation state conflicts, why do you think that is, and can you touch on how this plays into regulatory fallout as well? Nikki - I want to talk about your blog post about "The Blob" - you talk about how people use some similar terminology and language (false messaging) to steer the conversation in security tooling. Can you talk a little bit more about this concept and what you think it means to the industry? Chris - You have been having conversations about Detection Engineering. Can you talk about how it is different from legacy/traditional SecOps and what the future of Detection Engineering and Detections-as-Code looks like? Nikki - What does cyber resiliency mean to you?
10/20/2023 • 25 minutes, 55 seconds
S5E5: Greg Rasner - Zero Trust and Third Party Risk Management
- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM?- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both?- TPRM often involves manual subjective lengthy questionnaires that we are all painfully familiar with. How effective do you think these are and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire type activities?- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensuring all of their 3rd and nth tier suppliers are, is this a gordian knot type situation?- What are your thoughts on first party self-attestations vs 3rd party assessments? Each has its pros and cons and challenges. - The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?
10/15/2023 • 37 minutes, 17 seconds
S5E4: Jonathan Rau - The Modern Security Data Landscape
Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit with us and your thoughts on it?Chris: I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in-line with a push for security to be more tightly coupled with and speak the language of the business.Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance and what should organizations know about setting up complex logging environments? Chris: As we continue to watch the security data space evolve I know you've been championing the concept of, and even have written extensively about the term "SecDataOps". What is this exactly, and why do you feel like it is the time to have the industry move this direction?Chris: We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework and what are the challenges of not doing so? Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two part question - what got you interested in taking on an advisory role and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level? Nikki - What does cyber resiliency mean to you?
10/3/2023 • 28 minutes, 46 seconds
S5E3: Patrick Garrity - Vulnerability Research, Management and Visualizations
Nikki - I wanted to ask you first what got you so passionate about vulnerability management - what was it that first sparked your curiousity and interest into security research? Nikki - You do a lot of awesome graphics and visualizations of vulnerability data from both CISA KEV and around types of CVE's - what kind of statistics do you think are most important for security practitioners to know - and on the other side, what is most important for executives to understand? Chris - You've now begun to even start to submit known exploited vulnerabilities to CISA to be added to the KEV, can you tell us about that experience, how you're identifying them and how the process has been?Chris - We talk a lot about the need for vulnerability context, going beyond CVSS and using things such as KEV and EPSS. In your work, how do you see organizations leveraging context to help vulnerability prioritization?Nikki - We know that organizations could have a backlog of up to 10k vulnerabilities - based on some recent statistics. Where do organizations start? How do they get a handle on vulnerability management? Chris - What are some other trends you see in Vulnerability Management that organizations can use to start to get a handle on things?Chris - You've made the transition from marketing to vulnerability research, visualization and some would say industry leader. Can you speak about the journey and advice for others looking to follow a similar path?Nikki - What's next for you - besides being the pre-eminent vulnerability researcher in this space?
9/24/2023 • 35 minutes, 19 seconds
S5E2: Scott Piper - Modern Cloud Security and Resilience
Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close?Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud providers? Chris: You recently contributed to a report with the Atlantic Council about the systemic risks of Cloud and Critical Infrastructure. Can you speak on that a bit? What are your thoughts about systemic risks are more and more of our critical infrastructure and national security systems now become reliant on cloud?Chris: While we know most cloud security incidents are due to customer misconfigurations, we've recently seen some major hyperscaler CSP's experience some very damaging incidents that impacted many. Do you think these incidents are causing some organizations and industries to second guess their plans for cloud adoption or lead to trust issues in Cloud?Nikki: One of my biggest concerns in cloud environments is Identity and Access Management (IAM) - especially in complex development environments. What are some of the major configuration challenges around IAM in cloud? Nikki: What is your favorite cloud security statistic?Nikki: I have to bring in the people angle - do you think that current tech teams have the skills and tools they need to manage cloud environments? Do you have any references or skills you recommend as teams build bigger cloud environments?Chris: On the people front, we know misconfigurations reign supreme for cloud security incidents. Do you think organizations are waking up the reality that they have to invest in their workforce when it comes to adopting technologies such as Cloud?Chris: We know you have your fwd:cloudsec event which has become an industry staple for learning and information sharing on cloud security. How did the event come about and what does the future look like for it?
9/8/2023 • 41 minutes, 51 seconds
S5E1: Amit Elazari - Convergence of Technology & Digital Policy
- For those who haven't met you yet or come across your work, can you tell us a bit about your background?- First off, tell us a bit about OpenPolicy, what is the organizations mission and why did you found it?- Why do you think it's important for there to be tight collaboration and open communication between businesses, startups and policy makers? - Some often say that policy is written by those unfamiliar with the technology it governs or the impact of the regulation and it has unintended consequences. Do you think this occurs and how do we go about avoiding it?- You were recently involved in the launch of the U.S. Cyber Trust Mark program launch for IoT labeling, can you tell us a bit about that?- We're seeing increased calls and efforts for regulating technology and software, especially around software supply chain security, Secure-by-Design products and not leaving risk to the consumers. How do we balance the regulatory push without stifling innovation, which is often the concern?- I recently saw you launch your own show and interview Jim Dempsey, who I've interviewed in the past. Among other topics, you all touched on the recent SEC rule changes and the increased push for cybersecurity to be a key consideration and activity for governing publicly trading companies. Why do you think we're seeing such a push?- For those looking to learn more about Open Policy, and your efforts around digital policy and regulation, where can folks learn more and potentially even get involved?
9/1/2023 • 40 minutes, 5 seconds
S4E24: Michael McLaughlin & Bill Holstein - Battlefield Cyber
- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no?- In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you expand on that and the challenges with addressing it, particularly in the cloud?- There's fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?- The Defense Industrial Base (DIB) is often called the "soft under belly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMB's and further constraining the diversity and resiliency of a DIB supplier base?- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some, even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout?- Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy. Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even of the DoD and national security. How do go about better informing and engaging the citizenry on this front?- Another aspect you touch on, is that this isn't just a technical issue, but there's efforts such as misinformation and such to degrade trust in our institutions, sow resentment and stoke flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?
8/4/2023 • 59 minutes, 5 seconds
S4E23: Michael Klipstein - Cybersecurity from Sea to Space
Nikki - In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have their been any benefits you've seen in academia that you've brought to the military space, or vice versa? Nikki - We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment? Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020?Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?Nikki - We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area? Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space? Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?Nikki - Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?6. What does cyber resiliency mean to you
6/30/2023 • 30 minutes, 21 seconds
S4E22: Omkhar Arasaratnam - OSS and OpenSSF
You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey? Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment? We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF?You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved? Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle to what to work on first. Where do software teams start? Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?What does cyber resiliency mean to you?
6/23/2023 • 41 minutes, 25 seconds
S4E21: Kelly Shortridge - Security Chaos Engineering & Resilience
Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago? Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people here 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out and have your views been met with defensiveness among some who hold those views? Nikki - One of my favorite parts of chaos engineering is the hyptohesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach? Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?
6/9/2023 • 41 minutes, 53 seconds
S4E20: Luke Hinds & Craig McLuckie - The Founders Journey & Software Supply Chain Security
- First off, can you each tell us a bit about your backgrounds and experience in the space?- What made you all decide to found Stacklok, what gaps and opportunities in the ecosystem did you see?- What are your thoughts around the industry's response to software supply chain security and how do you see things such as OSS and Sigstore playing a role?- While we've seen tremendous adoption of OSS and for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support etc. How do organizations balance these concerns while still taking advantage of OSS?- No software supply chain security discussions would be complete without touching on SBOM, which has gotten a lot of industry attention on the topics. What are each of your thoughts on SBOM?- Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it is and will have on software supply chain and cyber?
5/31/2023 • 37 minutes, 41 seconds
S4E19: Mark Montgomery - Securing the Digital Democracy
Nikki - What does cyber resiliency mean to you?Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission or CSC, in particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment? Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we're headed as a nation on the Cyber front and do you think we could be doing more, and if so, what in particular?Chris - I recently saw you made comments regarding Cloud Service Providers (CSP) and their lack of being designated as critical infrastructure I believe. I have seen similar comments from the OCND, due to how critical CSP's, especially major IaaS providers are to the nation. Why do you think they have avoided this designation as long as they have?Nikki - There are a lot of us in cybersecurity that got into it to help defend our nation and protect our country (myself included). Are there ways that other cyber defenders or technical professionals can get involved or any resources you would recommend? Nikki - I don't see a ton in legislature or in the Executive Order about the human element behind cybersecurity and our challenges with risk management. Do you foresee any legislation or anything that may come out around how to protect our users and even our security practitioners? Chris - I mentioned the NCS earlier, a big part of that was shifting market forces, the idea of software liability and also safe harbor. What are your thoughts on this topic?Chris - CISA recently released "Secure-by-Design/Default" guidance for software suppliers and manufacturers. I wrote an article recently tracing the advocacy for "secure by design" back 50 years to the Ware Report. Yet here we are, still advocating for the same concepts. What do you think it will take for this to become a requirement rather than a recommendation and how important is this paradigm shift for national security?
5/26/2023 • 50 minutes, 51 seconds
S4E18: Joseph Lewis - Cybersecurity & Servant Leadership
Nikki - You're a newly minted CISO and SES - how's it going? How have the first few months been in the role? Nikki - With your background in both Academia as an Adjunct Professor and with your cyber and executive leadership experience - how important would you say the intersection of academia, research, and leadership go? Chris - We know you're a big proponent in servant leadership. What does being a Servant Leader in Cybersecurity and more broadly in general mean to you?Chris - We have been discussing soft skills lately with various guests. Why do you feel like soft skills are so often neglected, yet so critical to being a effective leader?Nikki - As someone who is relatively new to a CISO role - what surprised you about the role? Were there any challenges or anything that came up initially that was surprisingly good? Nikki - What experience do you recommend for anyone who's looking to move into a cyber manager or CISO leadership role at an organization? Any books or references your recommend for anyone around leadership? Chris - As we look at the Federal Cyber landscape, there is a lot of efforts under way from the EO, OMB Memos, Zero Trust, Software Supply Chain and the list goes on. How do you calibrate your focus in your new role?Nikki - We've seen a lot in the news around the National Cyber Strategy and other federal legislation potentially in the works. Are you seeing things like Zero Trust and Software Supply Chain security being top of mind? Or are you more worried about things like ChatGPT potentially being used by the Government?
5/19/2023 • 22 minutes, 20 seconds
S4E17: Yotam Perkal - Vulnerability Management and Modernization
Chris - To set the stage for the discussion of vulnerability management, Rezilion recently had a report that found that organizations had over 100,000 backlogged vulnerabilities. Why do you think things have gotten so bad?Chris - Leaders also stated that they are able to patch less than half of that backlog, thousands of vulnerabilities never get addressed. Doesn't this create a situation ripe for malicious actors to exploit?Nikki - You have a background in both data science and security research - where do you feel like the intersection of both of these areas meets? Do you feel like we need more data science experience in cybersecurity? Nikki - Vulnerability management - my favorite topic. Why do you think people are just now starting to bring back up vuln mgmt? It seems like it's been almost 10 years since I've seen substantial research and guidance in this area. Nikki - Security research is seen in two distinct ways - in both the vulnerability identification and in academia - but both are looking at different problems and solving in different ways. Where can the two sides of the coin come together and benefit from sharing research? Chris - On the topic of vulnerability prioritization, organizations seem to be struggling. We know going simply based off of CVSS isn't wise, what are some prioritization tactics organizations can take to address vulnerabilities that pose the most risk in that massive backlog we discussed earlier?Chris - We know that less than 1-2% of CVE's are generally exploited by malicious actors, and while that number may sound small, as the number of published vulnerabilities grow, that 1-2% represents more and more exploitable vulnerabilities. What do you think is driving the growth of CVE's, from a few thousand in the 1990s to over 190,000 now?Nikki - What are the top 3 trends you're seeing in vulnerability management and identifying vulnerabilities? What should we be most concerned with? Nikki - What does cyber resilience mean to you?
Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?Chris - SaaS obviously involves a lot of third-party integrations. What are the risks o f these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?Nikki - Chris and I have talked a lot about software security, SBOM's, and what does open source security look like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain?Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations? Nikki - When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations? Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc?Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks? Nikki - I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits? Nikki - What does cyber resilience mean to you?
5/5/2023 • 27 minutes, 11 seconds
S4E15: Tom Pace - Firmware, IoT and Cyber Physical Systems (CPS)
Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. at NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and looking into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing? Nikki:You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices? Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVE's but components identified in its SBOM do?Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I recently walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have went on to go into industry cyber roles and now as a CEO?Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization? Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out? Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?
4/28/2023 • 37 minutes, 18 seconds
S4E14: Josh Reiter - U.S. Navy Workforce and Cyber Superiority
Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession? Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN. In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked? Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity? Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry? Chris: We know there's rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two? Nikki: What does cyber resiliency mean to you?
4/21/2023 • 33 minutes, 37 seconds
S4E13: Chris Kulakowski - Threat Hunting & Detection Engineering
4/14/2023 • 26 minutes, 56 seconds
S4E12: Kristin Saling - U.S. Army Workforce Modernization & Analytics
Nikki - First - tell me a little bit about yourself and your background Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR? Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there? Nikki - One of your previous roles was Deputy Director of People Analytics, I've not heard much about this role before and I'm interested what that type of position entails and what that means to the people in an organization? Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams? Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise?Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails? Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing. Nikki - Can you talk about some of the other innovation in the HR space?
4/7/2023 • 24 minutes, 9 seconds
S4E10: Lily Zeleke - DoD Cloud & Software Modernization
Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and careerChris: - We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?Nikki: - There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOM's and challenges of that nature?Chris: - We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?Nikki - We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?Nikki - I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to see successful cloud adoption and software modernization?Chris - Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATO's in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?
3/27/2023 • 30 minutes, 12 seconds
S4E9: Resilient Cyber Show w/ Day Johnson
Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security? Nikki - I see you do a lot of work Cybersecurity and cloud education, do you feel like we have better tools and resources today than a few years ago? Or too many resources? Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering can you tell us a bit about it and the role it plays in Cloud Security?Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals?Nikki - What would you recommend for anyone getting started in the cloud, moving from on premises or data centers, what should they do first? Nikki - What do you think is next for cloud? I see so many debates in the industry and it seems like there's a trend towards creating systems on prem versus in the cloud.Chris - I know in addition to your professional role you've a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path?Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?
3/24/2023 • 27 minutes, 59 seconds
S4E8: Jim Dempsey - Cyber Policy & Regulation
Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYFDS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law? Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity on the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobilesChris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense it isn't tangible or kinetic, and can be very opaque, What impact do you think those characteristics have on trying to regulate it like we have done with other industries?Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much?Chris - Many started to raise questions such as who will define "secure", who and how will it be validated or verified, and where is the line of responsibility between the software supplier and consumer. Any thoughts on these topics and questions?Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think think we balance regulation without stifling innovation in the tech industry?Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations? Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim that these sort of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and if it is worth the trade off?Chris - Many compliance and regulatory schemes either take one of two approaches. The first being a self-attested model where entities self-attest their compliance, such as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a 3rd party verifies compliance, such as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to say the National Cyber Strategy, liability and so on?
3/10/2023 • 44 minutes, 38 seconds
S4E7:Jeff Williams - DevSecOps and Application Security (AppSec)
Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic? Nikki: I saw you spoke to Ron Ross recently, we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners? Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over say SAST and DAST?Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where were headed on this front as an industry?Chris: With the release of the National Cyber Strategy yesterday I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability.Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP top ten, but there are so many free resources and tools available for developers and security professionals. Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership?Nikki: Can you talk a little bit more about Contrast security and the type of work you all do? Would like to hear more about what the company has going on and anything else you may have coming up.Chris: Continuing on with Contrast, I am interested in the founders journey a bit. Contrast has been around for nearly a decade and is now up to several hundreds of employees. What has that journey been like and what are some of the major ways the industry has, or hasn't changed during that time?
3/4/2023 • 41 minutes, 44 seconds
S4E6: Matt Cronin - Cyber Law & National Cyber Strategy
Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law?Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus say an authoritative regime or nation?Chris: I know you have a background with the DoJ and U.S. Attorney's office, are there some challenges with say cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on? Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination?Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents. Are there any historical parallels to what we are dealing with today? Do you think we’ll ever get out of it? Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and school are doing to shape cyber legislation?Nikki: If you could give one message to the American people about how we will address this challenge, what would it be?Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. With the extent of what you're able to share, there's been a lot of buzz and rumors about an increased call for regulation, do you have any thoughts on that front?Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society? Nikki: Do you see more legislation potentially coming in the future around security governance and compliance?Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?
2/24/2023 • 39 minutes, 9 seconds
S4E5: Robert Wood - The Soft Side of Cyber
Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity?Chris: I'm curious your perspective on how to help people build soft skills, much like technical skills, some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and finding dealing with people intimidating?Niki: I wanted to first talk about the Learning resources you have on your site - the softsideofcyber.com - I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future? Nikki: This may seem like a silly question - but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you and how have these skills aided you in your career? Nikki: What is the perfect balance of technical and 'soft skills' - do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role? Chris: You recently wrote an article on CSO online about unleashing the power of an effective security engineering team. While you did discuss technical skills you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career?Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena?Chris: What's next for the Soft Side of Cyber? What projects are you working on and what are you hoping to do with this in the next 6 months?Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?
2/12/2023 • 34 minutes, 50 seconds
S4E4: Derek Fisher - The AppSec Handbook
Nikki: My first question is about your book, The Application Security Handbook - who do you think most benefits from this type of book and why do you think they need it?Nikki: What inspired you to write this? You have a ton of experience from being a security architect, to working in an IAM group, to application security - I would imagine all of that expertise allows you to see application security through a unique lens.Chris: In your book you touch on the dichotomy of shifting security left while minimizing friction between the Security and Development teams. This is a common challenge many security teams face. Can you elaborate on some of your recommendations on this front?Chris: You also emphasize the role of security champions and democratizing security to some extent through this approach. What exactly is a security champion and how do organizations go about doing this?Nikki: You mention threat modeling in your book - what do you think is the best place for Application Security programs to start when building in threat modeling? This is typically a higher level of maturity for programs and I'm curious at what time it's best to integrate threat modeling?Chris: We're obviously seeing a big push for robust CICD pipeline tooling for security such as SAST, DAST, SCA, Secrets Scanning and So on. Of course this tooling all produces noise. You lay out some strategies in the book on dealing with that. Can you touch on some of those here?Chris: I would be remiss if I let you go without discussing Software Supply Chain Security and SBOM's. I know you touch on SCA, OSS and SBOM's in the book. Why do you think it is key for organizations to start including this in their appsec programs? Nikki: What do you think are the greatest concerns when building a mature application security program? What are the biggest impediments? Nikki: What does cyber resiliency mean to you?
2/3/2023 • 37 minutes
S4E3: Dr. Nikki Robinson - Bridging the Gap with IT and Security
- Can you tell us a bit about the book, what made you want to write it and how you settled on this topic?- Historically IT and Security have been at odds, often feeling like the other party is conflicting with their goals and responsibilities. Why do you think this is?- Do you think the push for DevSecOps and breaking down silos between Security and Operations (and Development) has helped at all?- Your book talks about emotional intelligence, empathy and non-technical traits. How critical do you think those are in this situation and why do they not get discussed enough?- What methods do you think IT and Security teams can take to improve their relationships and drive towards a unified outlook and goals?- What do you see as the biggest gaps on this topic as we move into the future?
1/27/2023 • 27 minutes, 20 seconds
S4E2: Karen Scarfone - Secure Software Development & NIST
Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next? Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO and your experience writing it? Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far reaching?Chris - What do you think organizations neglect most when it comes to secure software development, do you think the OMB memo will have a rising tide impact on the ecosystem like other frameworks such as CSF outside of Government?Nikki - What are some of the most fun parts of your job? You've written so much incredible content for not just the cybersecurity industry, but so many SMB's and non-for-profits can use the NIST guidance as a place to build their cybersecurity programs. Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use. Chris - What are your thoughts around the attention as of late on software supply chain security, SBOM's and topics in that domain? Do you think we need more guidance and publications on this front?Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about? Nikki - What does Cyber Resiliency mean to you?
1/15/2023 • 26 minutes, 7 seconds
S4E1: Stephen Carter - The Vulnerability Management Landscape
Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance. Chris: How do you think things such as Cloud, DevSecOps and shift-left security have changed vulnerability management? Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? With more sophistication of attacks by malicious actors, we have to create more Chris: Most of us know the Common Vulnerability Scoring System (CVSS) but many critique it saying CVSS scores alone aren't enough to drive vulnerability prioritization. What role do you think things such as Threat Intelligence should play?Chris: In addition to CVSS CISA recently has been making a push to evangelize the Stakeholder-Specific Vulnerability Categorization (SSVC) guide. Can you tell us a bit about it and your thoughts about how it fits into the conversation on vulnerability scoring and prioritization? Nikki: There is a renewed focus on exploitable vulnerabilities, with the Known Exploited Vulnerabilities catalog by CISA, as well as the EPSS, or Exploit Prediction Scoring System - do you think we're headed in the right direction with helping to prioritize vulnerabilities and not just remediate everything?
1/9/2023 • 28 minutes, 26 seconds
S3E28: Chris Hetner - Cyber, the Board and Regulations
Nikki - I wanted to start with the major explosion of ransomware and ransomware-as-a-service across all industries. This seems like a good starting point for why cybersecurity advisors belong in the boardroom. Do you think the sophistication and ease of purchase with ransomware should be part of the conversation to bring more cyber experts in? Nikki - You made a post recently about the vast cybersecurity risk that API's pose to organizations. API security has been top of mind given how prevalent they are and how useful they are to both administrators and developers. Do you think API security will become a more prevalent topic in the coming year? Chris - It seems logical that boards should have cybersecurity expertise in the mix given how critical technology is to most modern businesses. Why do you think it has taken us this long?Chris - What are some of the largest coming changes you think will drive this paradigm shift? I know groups like the SEC are pushing for organizations to disclose to what extent they have cyber expertise among the board. Nikki - What do you think organizations can do that may not have the budget or contacts in place to add cybersecurity expertise to their boards - is there somewhere they can start?Chris - I know you recently have spoken about the incident reporting timeline changes from the SEC and the need to provide insight into the "materiality" of a breach. For those unfamiliar with the term, what does it mean and is the CISO even in a position to know this? If not, who is?Chris - To flip it a bit from the boards perspective, for practitioners aspiring to fill this emerging need for cyber expertise in or among the board, where should folks begin? How do they position themselves as desirable candidates for these board opportunities?
12/16/2022 • 45 minutes, 44 seconds
S3E27: Varun Badhwar - OSS Governance and Vulnerability Management
- Before we dive into the technical topics, you're a repeat Founder, including some acquisitions of firms you've founded. Can you tell us a bit about that Founders journey and what leads you to creating organizations?- Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic, and has it always been, or do you feel it is increasingly complex? - One of the challenges organizations have around OSS use is OSS Governance and software component inventory. Can you speak a bit about that challenge and how you are looking to solve it?- A term thrown around a lot is "Dependency Hell" - which is the term developers use when it comes to managing their often large dependency footprints when it comes to updates, patches, versioning and so on. How are you seeing this problem addressed?- There's a lot of hype around SBOM's and VEX. What are your thoughts on SBOM's and how they fit into the conversation around securing the software supply chain?- One issue with the increased transparency is development teams drowning in hundreds or thousands vulnerabilities. As you know, this doesn't actually mean they are exploitable. How do we cut through that noise to drive down risk but also frustration?- We talk a lot about CVE's and Vulnerabilities and so on but I know you recently shared research from Chinmayi Sharma who I've interviewed - and she points out CVE's are just one potential risk of OSS dependencies. Any thoughts on leading indicators of risk, as they're often called?- Moving forward, what are some things you are focusing on at ENDoR Labs and where do we see us heading as an industry on this topic, in say 2-3 years?
11/28/2022 • 33 minutes, 18 seconds
S3E26: Mark Curphey - Challenges in SCA/SBOM and Modernizing OWASP
- You recently wrote an article about the SBOM Frenzy being Pre-Mature. For those not familiar with SBOM's, what is an SBOM and what has led to the frenzy as you call it?- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOM's unless a build occurs on two identical machines. Can you explain why that is? - What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermitic Builds play in alleviating some of these concerns?- Given the challenges of dynamic ephemeral build environments and hosts, do you think this undermines the usefulness of SBOM's as an industry artifact related to software supply chain security?- You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case?- You mentioned challenges with CVE's and their accuracy. As many know, CVE's are created via CNA's and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry? - You were involved in founding OWASP. I personally, and I suspect many others would love to hear about that a bit, given just how much of an industry staple OWASP is from Top 10 lists, CycloneDX and countless other widely used projects.- You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address it to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?
11/12/2022 • 36 minutes, 10 seconds
S3E25: Richard Stiennon - Cyber Industry Research and Analysis
Nikki: With your latest book, the Security Yearbook for 2022 ,this is the third iteration of the series right? It started in 2020 and has only grown since then. Can you talk a little bit about why you started this annual compilation of research? Nikki: For any other security practitioners or anyone in the field who's interested in writing a book or putting together a comprehensive manuscript or research, do you have any tips or advice for them to get started?Chris: Can you tell us about your endeavors with IT-Harvest and your IT industry research, what is it and how did you get started?Chris: I know you serve in various advisory roles. How does your industry research help inform your advisory perspective?Chris: Based on your current IT industry research what are some of the most alarming or interesting trends around vendors, investors and M&A you see currently? Nikki: What is one of the most surprising statistics that you've uncovered year after year? I know one that continues to surprise me is just how prevalent and SUCCESSFUL phishing attacks are. What about you? Nikki: What are your top recommendations, based on your research, for security practitioners and business owners to be aware of and focus on when it comes to risk mitigation?Chris: Looking at the current IT industry and trends, what is one prediction you have for some of the most significant changes we can expect in say 3-5 years?
11/12/2022 • 28 minutes, 29 seconds
S3E24: Chinmayi Sharma - Tragedy of the Digital Commons
- First off, tell us a bit about your background, you were a developer prior to focusing on Law. Why the change and do you feel that technical background helps you in your legal and academic career?- Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication?- You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that?- Your paper is broken down into several sections, so let's step through those and dissect each area a bit.- You touch on the unique aspects of OSS from proprietary code and discuss the benefits and also the risks. Can you discuss some of those?- You claim that OSS should be designated critical infrastructure and arguably under areas such as the IT Sector. First off, why do you think it should be, and why do you think it already hasn't been?- In part II of your paper you went into topics around the origins of OSS security issues and barriers to resolution. What are some of the major issues and barriers to resolving them?- You touch on economic theory such as the least-cost avoider. What exactly is that, and why do you think software vendors in this case are best-suited to fix some of the core OSS security issues?- In part III of the paper you discuss some of the current interventions and efforts. Can you touch on what some of those major efforts are?- You discuss emerging things such as the Open Source Software Security Act as well as the OMB Memo requiring vendors to self-attest to NIST's SSDF and even provide SBOM's. What are your thoughts on these emerging requirements?- How do you think we balance the need to keep the spirit of OSS, in terms of being open to everyone, cultivate a society of citizen developers and a thriving FOSS ecosystem while also pushing for more rigor and governance? Do we risk constraining the ecosystem and limiting the Federal government (and industry's) access to small innovative software projects and initiatives?
10/27/2022 • 1 hour, 1 minute, 26 seconds
S3E23: Richard Bird - Digital Identity & API Security
- Looking at your background, you've held a lot of Identity-centric roles and positions in the industry. How do you think Identity and associated security is evolving with the continued adoption of Cloud?- Identity is obviously at the core of the conversation around Zero Trust, what do you think some of the fundamental things organizations get wrong when it comes IAM at-scale?- You recently made the pivot from roles with a strong Identity focus to API and API Security. What drove you to make that shift? - What do you think some of the most interesting challenges are in the current API Security landscape?- I noticed you also have an Army background. It is very common to see veterans make their way into Cybersecurity. Why do you think that is, and there are any lessons from the Army you feel have benefited you in your Cyber career?
10/7/2022 • 45 minutes, 37 seconds
S3E22: Steve Springett - Navigating the Digital Supply Chain
Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for sometime via NTIA, CycloneDX, SCVS etc. How did you have the foresight or what drove you to focus on this topic well before many others in the industry?Nikki: You mentioned recently about the SBOM Forum and their recommendation of the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWE's weren't technically built for al ot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to software supply chain?Chris: I wanted to ask you about SaaSBOM which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind and where does it begin and end, given most of the Cloud, including Infrastructure is software-defined. Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM" - what really caught me was the idea that BOM's or Bill of Materials have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOM's outside of software. What are you thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas? Chris: I want to discuss some critiques of SBOM. VEX Is promising but of course requires information from software producers, and then of course trusting their assertions. VEX: Do you see a future where both SBOM and VEX and automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities? Nikki: I would be re-missed if I didn't ask you about the human element in all of this. I fee like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc, can get somewhat complex. How do you think the increased complexity around software supply chain is affecting the management and operations groups?Chris: You have long been the lead on the wildly popular Dependency Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et. al - how does SCVS fit into the mix and do you see organizations using all, or rallying around some of the guidance? Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?
9/30/2022 • 44 minutes, 29 seconds
S3E21: Josh Bressers - Securing Open Source Software
Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative creative environment that is the OSS ecosystem?Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience?Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software - what should we be concerned about today versus a year from now?Chris: What are your thoughts on the current state of Vulnerability Databases, we know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA - can you tell us a bit about that and why it is needed?Chris: Do you think the emerging frameworks such as NIST 800 161 R1, SSDF, SLSA etc. are going in the right direction?Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX. Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully?Nikki: You have 341 episodes of your podcast - can you talk a little bit about why you wanted to get into podcasting? And also if you have any tips or advice for anyone who wants to start their own podcast?Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workloads and information processing for developers and teams, but may also introduce other concerns. How do you feel about the human factor around OSS?
9/23/2022 • 34 minutes, 42 seconds
S3E20: Ken Myers - Federal ICAM & Zero Trust
Chris: What do you think some of the fundamental changes of IAM are from on-prem to cloud?Chris: What are some of the key tradeoffs and considerations for using IDaaS offerings?Nikki: There are a lot of solutions out there that discuss zero trust as a product or a service that can be leveraged to 'bake in' zero trust into an environment. But I'm curious on your perspective - do you think we need additional tools to configure zero trust principles, or leverage the technology at hand to implement zero trust?Nikki: There's this move towards passwordless solutions - I can see that being a big boost to zero trust architectures, but I think we're still missing the need for trusted identities, whether it's passwords, pins, or tokens. How do you feel about the passwordless movement and do you think more products will move in that direction?Chris: You've been a part of the FICAM group and efforts in the CIO Council. Can you tell us a bit about that and where it is headed?Chris: It is said Identity is the new perimeter in the age of Zero Trust, why do you think this is and how can organizations address it?Nikki: There was an interesting research publication I read, titled "Beyond zero trust: Trust is a vulnerability" by M. Campbell in the IEEE Computer journal. I like the idea of considering zero trust principles, like least privilege, or limited permissions, as potential vulnerabilities instead of security controls. Do you think the language is important when discussing vulnerabilities versus security controls?Chris: What role do you think NPE's play in the modern threat landscape?Chris: If people want to learn more about the Federal FICAM/ZT Strategies, where do you recommend they begin?
9/20/2022 • 39 minutes, 9 seconds
S3E19: Andres Vega & Andrew Clay Shafer - GRC in the Age of DevOps
- What do you think some of the primary factors are that contributed to GRC not coming along initially with the DevOps movement?- Traditionally, what factors have plagued compliance when it comes to software delivery?- How do some of those factors change in the era of DevOps and Cloud-native?- Do you think regulation has a significant impact, and how can policy and regulation be improved?- How important is it for the workforce aspect of GRC to be addressed when it comes to compliance innovation and new technologies and ways of work?- Can incentives play a part, and if so, what can we do to improve that?- Andres - What was the impetus of the book and can you tell us a bit about the writing experience?- Where can people find out more about the book?
9/20/2022 • 43 minutes, 9 seconds
S3E18: Jacques Chester - Vulnerability Scoring and Software Supply Chain
Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?Chris: What are some of the most notable critiques of CVSS?Nikki: I read your article 'A Closer look at CVSS Scores" and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Critical vulnerabilities they see based on this scoring method? Chris: Do you think organizations approaching Vulnerability Management using CVSS strictly from base scores is an effective approach?Nikki: Do you think that the industry needs a shift as far as vulnerability scoring systems? Not from a mathematical or quantification space, because we have some great people working on that. But from the understanding of how those vulnerabilities actually impact their businesses? Nikki: Where do you see vulnerability scoring and vulnerability management activities heading? Do you think we need some other methods for scoring insider threat and accumulating those scores with hardware and software vulnerabilities?Chris: Pivoting a bit from vulnerability scoring, I know you're also involved with groups such as OpenSSF. Can you tell us a bit about that work?Chris: What are your thoughts on Software Supply Chain Security more broadly, in terms of SBOM's, VEX, and the uptick in Software Supply Chain Attacks. Do you think we're trending in the right direction to respond to the rise in these attacks?
Chris: So you're a proponent of a term called RegOps, can you explain what that is to us a bit and how it differs from traditional compliance?Nikki: I'm interested in your background from Solutions Architect, to CTO, to Co-founding and running companies. Do you have any advice for other architects or IT and security practitioners for building up leadership skills and transitioning to business ownership? Chris: Do you think the evolution of Cloud and API enabled platforms is positioning us to innovate in compliance and potentially keep pace with DevSecOps? Nikki: What are some of the biggest reasons that organizations fail audits - do you feel like GRC/compliance and framework adoption is too challenging? Do you think that organizations are underwater with missing controls and where can they start? Chris: We know you're a big proponent of OSCAL and your organization RegScale has contributed to some of the OSCAL working groups. For those not familiar, can you explain what OSCAL is and the potential impact it can have on compliance?Nikki: What do you see as some of the emerging trends around solving compliance issues - do you think we need a mix of tooling, processes, and orienting our practitioners/users to adapt? Or do we have too many different frameworks/guidelines that it can be difficult for us to keep up?Chris: Looking at the future of compliance in say 3-5 years, how different do you think it will be and do you think this push towards automation, API's, codified artifacts and such will change compliance forever?
9/2/2022 • 27 minutes
S3E16: Greg Thomas - Secure Service Mesh & Cloud-native Networking
Nikki - In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture? Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?Chris: What role do you think Service Mesh plays in the push for Zero Trust and maturing security in cloud-native environments?Chris: I've heard you use the team Secure Service Networking, what exactly is this, and is it different than Service Mesh? We know there are the four pillars of Service Networking: Service Discovery, Secure Network, Automate Network, Access Service. What are these exactly? Chris: In the context of micro-services and Kubernetes, how does networking change? Nikki: The field of engineering is growing more and more, we have Infrastructure Engineers, Application Engineers, versus the traditional job roles of Systems or Software Engineers. Do you see an industry trend moving to expanding the engineering field into different disciplines, like Platform Engineers? Or do you think some of these roles are similar but are getting updated titles?Chris: HashiCorp has some excellent offerings such as Terraform, Vault, Consul and so on. What resources can folks use to upskill in these technologies?Nikki: I saw you recently did a talk on securing service level networking for the DoD - do you feel like a lot of those principles apply outside of the DOD or federal space? Or do you see the private sector using more of these technologies?
9/1/2022 • 32 minutes, 50 seconds
S3E13: Jimmy Mesta - Kubernetes Security & Compliance
Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?Chris: Kubernetes, while it has many benefits also is a very complex technology, what are some of the key things organizations should keep in mind when using Kubernetes securely?Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think may be the importance of RBAC around KubernetesChris: Any nuances or recommendations to those rolling their own versus using managed Kubernetes offerings?Nikki: What does governance look like around Kubernetes - specifically around large, multi-cluster environmentsChris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes from a compliance perspective?Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?Chris: You lead the Kubernetes Top 10 project with OWASP, can you tell us a bit about that?Nikki: Where do you think kubernetes, clusters, etc are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if now, how can we fix that?Chris: We know you are the CTO and Co-Founder of KSOC - tell us a bit about the firm and what you all specialize in and what led you to founding it?
8/10/2022 • 43 minutes, 34 seconds
S3E14: Jon Meadows - The Secure Software Factory
Nikki: In some ways I think "software supply chain security" has become almost a buzz word, or buzz phrase? But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISO's or security leaders should know? Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts. Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and it's utility in the broader software supply chain security conversation.Chris: SCRM can be like eating an elephant when you look at CSP's, MSP's, Software, and so on - what are your thoughts for organizations that don't have the resources of say a CitiBank, such as an SMB. Where do they start?Nikki: I think we're still missing the human element of what a software supply chain security program looks like - how do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?Chris: There has been a lot of focus on Containers of course in the conversation around Cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult to manage?
8/10/2022 • 34 minutes, 22 seconds
S3E15: Aaron Rinehart - Chaos Engineering
8/10/2022 • 35 minutes, 54 seconds
S3E12: Daniel Krivelevich of Cider Security - CI/CD Pipeline Security
- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?- Any thoughts are notable incidents such as SolarWinds, do you think they brought more attention to the build environment?- What are you thoughts on emerging guidance such as SLSA NIST SSDF or 800-161. Do you think these are helping bring attention to best practices on securing pipelines?- In the context of software supply chain security, why do you think pipelines are so critical?- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?
7/22/2022 • 44 minutes, 36 seconds
S3E11: Larry Clinton w/ Internet Security Alliance: Cybersecurity as a Business Risk
- Why do you think Cybersecurity has traditionally been seen as an IT issue?- With more and more of economic activity being tied to digital platforms, do you think organizations are realizing that cybersecurity is tied to business outcomes and value?- What do you think of recent activities by the SEC to require organizations to disclose cyber expertise among their board makeup?- How critical do you think Cybersecurity is for organizations competing in the modern digital economy?- Any advice or recommendations for Cyber professionals trying to communicate risks with their business peers?- How do you see the role of the CISO evolving with the push for Cyber at the C-Suite and beyond?- Where can folks find out more about the ISA?
7/11/2022 • 45 minutes, 15 seconds
S3E9: Rob Black - vCISO and Story Telling
- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?- How do organizations go about ensuring they get a qualified vCISO? Any things in particular to watch out for?- For those looking to get started as serving as a vCISO, any recommendations?- You are a great story teller and communicator on LinkedIn. What made you start making your videos?- How important do you think communication is to helping drive secure business outcomes for Cyber professionals?
7/7/2022 • 25 minutes, 19 seconds
S3E10: Magno Logan - Container & Kubernetes Security
- First off, for those not familiar with Containers and Kubernetes, what are they?- Why are organizations increasingly adopting these technologies over traditional forms of compute?- How does Cybersecurity change with Kubernetes and what are some things practitioners should be sure to keep an eye on?- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings, any thoughts there?- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers, do you think people simply are spinning up these new technologies with security as an afterthought?- Kubernetes is incredibly complex, do you think this leads to challenges around properly configuring and securing it?- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?
7/7/2022 • 29 minutes, 34 seconds
S3E8: Maril Vernon - Purple Teaming & Personal Branding
Chris - Lets start off with discussing what is Purple Teaming exactly, and what is it not?Nikki - The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers - do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise? Chris - People often conflate Red Teaming, Pen Testing and Purple Teaming - how do we help clear up that confusion? Nikki - Purple teaming is supposed to be an iterative continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another? Nikki - The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value between using this type of cooperation between security assessment and audit teams and network defense teams?Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LI. Can you discuss how you approach that and why it is valuable?Chris: For those looking to get into Purple Teaming or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource wise for learning?
6/22/2022 • 31 minutes, 33 seconds
S3E7: Robert Hurlbut - All Things Threat Modeling
- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)- You were part of an effort to create the Threat Modeling Manifesto, can you tell us a bit about that project?- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring and if you think that will impact the Threat Modeling community?- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some and is it true? - Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for same on-prem vs cloud systems?- For organizations looking to get started with Threat Modeling, where do you recommend they start? - Moving on from getting started, have you seen large organizations with successful, or unsuccessful Threat Modeling programs, and what were some major themes either way?
6/16/2022 • 34 minutes, 2 seconds
S3E6: Walter Haydock - Software Supply Chain & Vulnerability Management
Nikki - You have some really awesome content on LinkedIn around Vulnerability management - one of my favorite posts you made recently was asking "Is vulnerability management dead". Can you explain a little bit about what you mean? I'm curious on your take, because there isn't a ton of modern guidance around vulnerability management Nikki - One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of emphasis is put around CVSS scores and CVE ID's specifically. And while an incredibly helpful tool, plenty of vulnerabilities are not ID'ed or are not seen in traditional vulnerability scanners. What do you think the industry can do to better use other tools/techniques to identify and remediate vulnerabilities? Nikki - Can you talk a little bit about where you think we could use more guidance or leadership around vulnerability management? I really don't hear about it when we talk cloud security or AI/ML, but it still incredibly relevantChris - We know another topic you're passionate about is software supply chain security. Can you share your thoughts on where the industry is headed with SBOM, VEX and other efforts to bring transparency and better governance to the SW supply chain?Chris - You've also written and spoken a fair bit about broader Supply Chain Risk, partners, MSP's, CSP's etc. Do you think organizations are just now waking up to the exponential risk due to the interconnected and as-a-Service orientation we've taken as an industry?Chris - As we mentioned, you do a ton of writing on LinkedIn, as well as your substack distro. How do you keep up the pace and what led you to start the substack originally? Where can people follow it and stay informed?
6/16/2022 • 27 minutes, 32 seconds
S3E5: Kelsei Young - Cybersecurity M&A & Doctoral Studies
6/16/2022 • 21 minutes, 34 seconds
S3E4: Dr. Butler - Cybersecurity & Academia
Chris - We know there's a massive Cyber workforce challenge, what role do you think academia plays there and how can it improve to close the gap?Nikki - Speaking of the young professionals in cybersecurity, what do you think are some of the in-demand skillsets and career paths available for individuals interested in pursuing a career in cybersecurity?Chris - There's often a debate between academics and practitioners, why do you think that is, and do you think we're seeing that gap dissolve with new degree programs and more practitioner focused curriculum? Nikki - On the subject of academia - do you feel like there is enough focus on research in cybersecurity fields? Do you think that research is getting to private and public partners or is there something we can be doing to strengthen those relationships?Chris - What do you think the future of Cybersecurity education looks like? What role does non-traditional education such as certifications, bootcamps, online courses and content etc. play in the hiring qualifications of the future?
5/23/2022 • 33 minutes, 41 seconds
S3E3: Dan Lorenc - Software Supply Chain, Sigstore and OSS
Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain that there are threat modeling techniques that can be used to understand and account for that growing attack surface?Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore - can you tell us what that is and why it is important or useful? Nikki: In the last couple of years ' technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in say 3 years?
5/23/2022 • 23 minutes, 49 seconds
S3E2: Jacob Horne - Security vs. Compliance
Nikki - You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?Chris - It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think its accurate and how do we evolve beyond it? Nikki - Based on some of your posts about compliance - one specifically about implementing frameworks and guidance from NIST and the CMMC standards - do you think there's a need in the industry to focus more on implementation guides or do you feel like organizations are to complex to create guides? Chris - On the topic of compliance frameworks, we seem to be so reactionary, with new frameworks coming after incidents etc. and organizations struggle to keep up. Do you think we have a framework sprawl problem?Chris - On the topic of 800-171 and CMMC, there's a lot of talk on the topic of affordability and cost and the impact to the small businesses in the DIB, which has already seen massive consolidation. What are your thoughts on this, and how do we balance compliance/security with the need for a robust DIB of suppliers?Nikki - What do you think the future of compliance looks like? CMMC and otherwise - do you foresee more legislation around compliance coming down the pike?
5/23/2022 • 33 minutes, 17 seconds
S3E1: Bob Zukis - Cybersecurity in the Boardroom
Chris: So let's start with how we've gotten here. With digital systems accounting for 60% of global GDP, how do we still not have requirements or adoption of cyber expertise on public board?Nikki: You mention in your article about the SEC mandating cyber leadership into board rooms - do you think that the type of experience expected on boards should be geared specifically to risk management, or a mix of highly technical and governance experience?Chris: For those looking to fill some of those upcoming board opportunities, what recommendations do you have?Nikki: For your book the Great Reboot - you recommend that not only leadership but employees read it as well - do you think there's a gap in knowledge or maybe awareness of how risk impacts the business from a practitioner level? Would you encourage junior and senior personnel to read this book?Chris: On the flip side, for boards and publicly traded companies looking to bring cyber expertise into the fold, what competencies and skills should they be looking for? Where do they start?Nikki: Risk is bigger than one vulnerability or one misconfiguration but can have a number of definitions - how do you define risk management and do you think there's a need to define 'risk' more aptly in organizations?Chris: You often speak about systemic risk. Do you think the modern digitally driven economy and ecosystem is inherently insecure and vulnerable?
5/23/2022 • 25 minutes, 32 seconds
S2E24: Breaking Down the DoD Continuous ATO (cATO) Memo w/ Paul Puckett & Tyler Gesling
A discussion with the Director of the Army Enterprise Cloud Management Agency (ECMA) - Paul Puckett and Cybersecurity Subject Matter Expert (SME) from DoD CIO-IE office, Tyler Gesling on the recent DoD cATO memo.
3/31/2022 • 1 hour, 2 minutes, 2 seconds
S2E23: Greg Touhill - Security/Boardroom Leadership & Zero Trust
- We know you served as the First Federal U.S. CISO, can you tell us a bit about that experience?- In addition to your military and public sector background, you've held various industry roles as well, what are some of the major differences between the two environments you've experienced?- We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern?- You're very passionate about Zero Trust. What are your thoughts on the Federal push to adopt Zero Trust in an environment as big and complex as the Federal and DoD space?- You've served as the highest levels of Cybersecurity leadership for several years - any advise for aspiring security leaders?- What do you think the CISO of the future looks like in terms of skillsets and competencies?- Can you tell us a bit about what you're up to these days with the CERT Division at SEI?
3/30/2022 • 38 minutes, 31 seconds
S2E22: HackerOne - Bug Bounty, Vulnerability Disclosure and Ethics
Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?Chris: we're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast (or compliment) companies internal pen test/red teams for example? Nikki: Vulnerability management is an incredibly complex topic for a lot of organizations. Do you think bug bounty programs and Vulnerability Disclosure Programs (VDP) are helping to mature those programs?Chris: How do companies have a level of assurance that the hackers will conduct the activities ethically? Nikki: I think there's still sometimes a disconnect between what hackers and pentesters know about vulnerabilities and the actual attack paths, and the remediation teams that are working to prevent these types of attacks. Do you think there's a need to educate more Blue teamers on specific types of attacks and how they are conducted?Chris: on the flip side, for hackers interested in bug bounty, how can they best go about getting started?Nikki: we're starting to see more development teams taking responsibility for security — we frequently hear the term "shifting left." Is that a trend you are observing as well?Chris: thoughts on log4shell?
3/25/2022 • 29 minutes, 54 seconds
S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation
Nikki - Can you tell us a little bit about what you're currently working on right now at NIST?Chris - Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM, C-SCRM is a complex topic. Where do you see the industry going forward in terms of maturing C-SCRM practices?Nikki - Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lot of people in the industry discussing vulnerability management programs, but it continues to be a challenging undertaking for organizations. Chris - NIST 800-160 focuses on developing Cyber Resilient Systems. The DoD's Software Modernization Strategy focuses on Cyber Survivability as well. Do you feel the focus on resilience is critical, knowing that no system is infallible?Chris - The Government is making a big push for DevSecOps. Many argue that the Governments approach to compliance, with RMF is too cumbersome for DevSecOps. Do you disagree with this? If so, why, and do you think there's any changes we can make to better facilitate DevSecOps adoption?Nikki - NIST is very well known for their inclusion of public collaboration with practitioners, researchers, and academic institutions - do you feel that there is more that can be done to increase collaboration between public, private, and academic institutions?Chris - There's tons of buzz about cATO. Despite this recent buzz, Ongoing Authorization has been part of the RMF lexicon for quite some time. Do you feel that modern technologies such as Cloud can better help agencies and systems achieve a cATO?Nikki - NIST has been on an absolute roll lately with publishing guidance, much of it tied to the Cyber EO. From Zero Trust, SSDF, and more. How does the organization keep such a pace on publishing industry guidance? What can we look for next in terms of big publications from NIST?Chris - What's next for Ron Ross? You've been involved in countless major publications and methodologies. What do you see the legacy of Ron Ross being when you finally step away from being such a pillar in our community?Nikki - What does cyber resiliency mean to you?
2/15/2022 • 39 minutes, 32 seconds
S2E15: Shubhi Mishra - Government Innovation & Women in Tech
Nikki - First, I need to hear about how you feel about women in technology and any words of encouragement for women who are interested in starting a business? Chris - We know your organization raft is up to some innovative work in the Federal space, can you tell us a bit about that?Nikki - You have such a unique background with business and law and technology, I've actually considered getting a law degree. Do you think that has altered your perspective as a business owner?Chris - In your experience what have been some of the biggest impediments to digital transformation efforts in Government and do you have any recommendations for industry partners of Government on how to overcome them?Nikki - Why do you feel it's so important to connect women in executive positions? Do you think there's a disconnect with how women are able to connect once they reach a certain level?Chris - I know raft has several SBIR awards. For folks now familiar with SBIR, what is it and how is it different than traditional government contracts?
2/2/2022 • 29 minutes, 16 seconds
S2E14: Jacquelyn Schneider - U.S. Cybersecurity Policy & Cyber Deterrence
Nikki - You are currently a Fellow with Stanford University - could you talk a little about the journey you've made to this point and how cybersecurity plays into the Fellowship?Chris - We know you served as a Senior Policy Advisor for the U.S. Cyberspace Solarium Commission. Can you speak about that, for those that aren’t familiar with the commission, and knowing the government has acted on some of the commission's recommendations, do you think we’re making the progress needed as a nation when it comes to Cyber?Nikki - Do you feel that we're doing enough to blend academic, industry, and public sector pursuits in cybersecurity? Chris - You recently spoke about why deterrence isn’t the right approach for national security, can you elaborate on that, and what direction we may look to take instead?Nikki - Given your background with the Air Force - do you think there are any lessons learned that we could use or, at the very least consider in other organizations when it comes to protecting systems?Chris - We know you have an extensive background as a cybersecurity researcher and advisor, how do you go about ensuring you keep a pulse on the practitioner aspect of cybersecurity in addition to the research and academic aspect of cybersecurity?
1/26/2022 • 25 minutes, 8 seconds
S2E13: Omar Marrero - Chaos Engineering and Building a Resilient DoD
- Can you tell us a bit about your background, how you got into the role you're in now?- For those unfamiliar with the term "Chaos Engineering" what is it and why should organizations be practicing it?- You currently support a program named Kessel Run, what do they do?- Performing something disruptive such as Chaos Engineering almost seems unheard of in organizations such as the DoD with low-risk tolerances for disruption, how did this come about?- For people looking to get started with Chaos Engineering, where should they begin? Any recommended learning resources? How do they approach their leadership to propose implementing the practices of Chaos Engineering and get buy in?
1/19/2022 • 26 minutes, 4 seconds
S2E12: Dr. Nikki Robinson - Vulnerability Chaining
What is vulnerability chaining for those unfamiliar with it? Is it becoming more prevalent among malicious actors?Why do you think we traditionally look at vulnerabilities in isolation?How do we get organizations to shift their mindset of how they look at vulnerabilities?How can organizations get context to understand what vulnerabilities can be chained together and how to mitigate those?
1/12/2022 • 22 minutes, 16 seconds
S2E11: Drew Malloy - DISA, Zero Trust & Thunderdome
We know the DoD is pushing towards Zero Trust adoption and DISA is playing a key role in that. Can you tell us a bit about that?What do you think some of the biggest hurdles for Zero Trust adoption in the DoD are and how can we start to address them?Zero Trust has inevitably become a bit of a buzzword. If there is something people misunderstand about Zero Trust, what would you say that is?For those looking to learn more about DISA's approach to Zero Trust, and just the topic more broadly, do you have any specific recommendations?DISA's new network architecture project Thunderdome, what will it be and what does it consist of?
12/21/2021 • 24 minutes, 17 seconds
S2E10: Shane Barney - Federal Zero Trust, Cloud, and DevSecOps
Chris - There's quite a push for Zero Trust in the Federal Government, with the Cyber EO and ZT publications from CISA. What do you see as some of the biggest impediments for the Government's adoption of ZT? What are some of the biggest opportunities?Nikki - One of your recent posts you mention the difference between zero trust being a concept vs being something to act on. What do you think the right way to implement a zero-trust architecture is?Nikki - Do you have any resources for practitioners who are looking to ensure they are meeting a zero trust architecture framework?Chris - You commented recently about Compliance NOT being Security. This is something that many of us who have been in the field long enough agree with. That said, the Government's approach to cybersecurity largely revolves around Compliance. Why is that, and how do we go about changing that to a focus on real security?Chris - You recently had some comments about the CISO reporting relationship, in the Federal space, reporting to the CIO. Do you want to share any thoughts on who you think the CISO should report to and how CISO's can help influence who they report to, to support their security initiatives?Nikki You mention a need for CIO/CISO partnership - can you expand on why that's so important in an organization? How can the organization benefit from this partnership?Chris - As you know, there's a big push for DevSecOps both in Government and Industry. What can Security teams learn from their Development peers and how do we successfully facilitate the push for DevSecOps?
12/14/2021 • 37 minutes, 18 seconds
S2E9: Ron Gula - Cybersecurity Founding, Investing and Board Advising
Nikki - As someone who has such wide ranging experience in cybersecurity from practitioner and business owner to investor - what would you say are the largest concerns in cybersecurity right now? Zero trust? Incident Response? Cloud security?Chris - You hold several advisory and board member roles. For Cybersecurity professionals looking to perform similar roles, do you have any recommendations?Nikki - With your background in a company like Tenable and the security tool industry, do you feel like cybersecurity practitioners have the tools that they need to perform tasks? Do you think there are any gaps between technology, process, and the people?Chris - Having been around the cybersecurity industry for quite a bit, what do you think some of the biggest emerging changes are, and also, something that has remained relatively consistent?Nikki - With all of the amazing nonprofit work you do - why do you think we still have such a skills gap and a need for more people in the security industry? How can we close that gap?Nikki - Do you have anything in particular you're working on right now you'd like to share with our audience?
12/7/2021 • 21 minutes, 10 seconds
S2E7: Rock Lambros - Cybersecurity, Business & The Evolution of The CISO
Chris - You have a book coming out titled The CISO Evolution - Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISO's to understand the business, and how do they balance their technical skills with business acumen?Nikki - I see you've posted several videos on LinkedIn - my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision making when it comes to risk. Where do you think the sweet spot is with amount of data vs quality of data?Chris - You and I participated in the Qualified Technical Expert course from Bob Zukis together. Do you think we will see boards required to obtain QTE's and why do you think boards lack technical fluency now, when so much of GDP and business is tied to technology?Nikki - You spoke at the SANS Cybersecurity Leadership Summit on Translating cyber risk into business risk. What would you say are the biggest takeaways for practitioners to be able to explain and express risk properly to improve security and hopefully, lower risk across the organization?Chris - Do you think Cybersecurity is a business enabler? If so, how do we as cyber professionals help the business view Cybersecurity as an enabler and protecting of revenue?Chris - Do you have any recommendations for Cybersecurity professionals looking to transition into a CISO role in the future? Any key business books or resources to familiarize themselves with?What Does Cyber Resilient mean to you?
11/17/2021 • 21 minutes, 35 seconds
S2E6: Tracy Bannon - DevSecOps, Innovation & The Public Sector
Chris - We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments for widespread Government adoption of DevSecOps is?Nikki - I see you spoke recently about minimum viable continuous delivery - can you tell us a little bit about what that is and what it means? And what you think the possible implications may be on development cycles? Chris - Do you feel there is often a disconnect between leadership and practitioners when it comes to successful DevSecOps implementation, and if so, what do you think that disconnect entails?Nikki - I also saw in one of your recent talks you discuss how industry and the public sector need to work more closely together. This is something I'm also very passionate about - can you talk about why this partnership is so needed? Not just from a cybersecurity perspective but from an emerging tech perspective as well?Chris - What can organizations do to help provide their workforce the space and grace to grow and learn to help facilitate the push for DevSecOps and Digital Transformation to ensure its success?What does Cyber Resilience mean to you?
11/9/2021 • 26 minutes, 59 seconds
S2E5: Lonye Ford - Cybersecurity Workforce & Leadership
Nikki - I'm so impressed with your wide range of cybersecurity - and with that experience you also are a Co-Founder and CEO. Can you talk a little bit about the transition from full time practitioner to business owner? Chris - If you had to list 1-2 top issues facing the Cybersecurity community within Government in particular?Nikki - What would you say are some of the biggest challenges that you've faced running your own company in the security and intelligence space? Chris - We know there is a big push for cATO/Ongoing Authorization in Government. Do you think this is something that can be achieved? Any thoughts on the key factors to help it be successful?Nikki - Would you have some advice for security practitioners that are thinking about starting their own business or moving up to a more managerial role from a technical role?Chris - You have started and now lead a successful company in the Public Sector space. Any tips for your fellow entrepreneurs who may want to do something similar?
11/3/2021 • 34 minutes, 42 seconds
S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source
I was reading the CISA document "Defending Against Software Supply Chain" and was curious if the guidance within was helpful or informative for anyone who wants to start a S-SCRM program? What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST 800-53 include SCRM specific controls now. Will it help?What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software supply chain attack?From the perspective of Cloud, do you feel cloud adoption can help, or hinder when it comes to driving down risk associated with the supply chain?What are the biggest concerns / risks when it comes to building a secure software supply chain programI know you've been involved with projects such as TUF and in-toto. Can you help folks understand what those are and why they are valuable?What does the term "Cyber Resilient" mean to you?Find out more from Cole at Testify Sec - https://www.testifysec.com/
10/13/2021 • 19 minutes, 47 seconds
Resilient Cyber - Episode 3 - Calvin Nobles, PhD - Human Factors in Cybersecurity
3/13/2021 • 26 minutes, 1 second
Resilient Cyber - Episode 2 - Dutch Schwartz - Cloud Security, Culture and The Workforce