Player FM - Internet Radio Done Right
Added four years ago
Content provided by Chris Hughes. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Chris Hughes or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://fa.player.fm/legal
Resilient Cyber w/ Jit - Agentic AI for AppSec is Here
In this episode, we sit down with David Melamed and Shai Horovitz of the Jit team.
We discussed Agentic AI for AppSec and how security teams use it to get real work done.
We covered a lot of key topics, including:
- What some of the systemic problems facing AppSec are, even before the widespread adoption of AI, such as vulnerability prioritization, security technical debt and being outnumbered exponentially by Developers.
- The surge of interest and investment in AI and agentic workflows for AppSec, and why AppSec is an appealing space for this sort of investment and excitement.
- How the prior wave of AppSec tooling was focused on finding problems, riding the wave of shift left, but how this has led to alert fatigue and overload, and how the next era of AppSec tools will need to focus on not just finding but actually fixing problems.
- Some of the unique capabilities and features the Jit team has been working on, such as purpose-built agents in areas such as SecOps, AppSec and Compliance, as well as context-graphs with organizational insights to drive effective remediation.
- The role of Agentic AI and how it will help tackle some of the systemic challenges in the AppSec industry.
- Addressing concerns around privacy and security when using AI, by leveraging offerings from CSPs and integrating guardrails and controls to mitigate risks.
166 episodes
All episodes
In this episode, I sit down with longtime industry leader and visionary Phil Venables to discuss the evolution of cybersecurity leadership, including Phil's own journey from CISO to Venture Capitalist. We chatted about:
- A recent interview Phil gave about CISOs transforming into business-critical digital risk leaders and some of the key themes and areas CISOs need to focus on the most when making that transition
- Some of the key attributes CISOs need to be the most effective in terms of technical skills, soft skills, financial acumen, and more, leaning on Phil's 30 years of experience in the field and as a multiple-time CISO
- Phil's transition to Venture Capital with Ballistic Ventures and what drew him to this space from being a security practitioner
- Some of the product areas and categories Phil is most excited about from an investment perspective
- The double-edged sword of AI, which is both used for security and itself needs securing
- Phil's past five years blogging and sharing his practical, hard-earned wisdom at www.philvenables.com, and how that has helped him organize his thinking and contribute to the community
- Some specific tactics and strategies Phil finds the most valuable when it comes to maintaining deep domain expertise as well as broader strategic skillsets, and the importance of being in the right environment around the right people to learn and grow…
Resilient Cyber w/ Vineeth Sai Narajala: Model Context Protocol (MCP) - Potential & Pitfalls (18:32)
In this episode, I discuss the Model Context Protocol (MCP) with the OWASP GenAI Co-Lead for Agentic Application Security, Vineeth Sai Narajala. We discuss MCP's potential and pitfalls, its role in the emerging Agentic AI ecosystem, and how security practitioners should consider secure MCP enablement. We discussed:
- MCP 101: what it is and why it matters
- The role of MCP as a double-edged sword, offering opportunities but also additional risks and considerations from a security perspective
- Vineeth's work on the "Vulnerable MCP" project, a repository of MCP risks, vulnerabilities, and corresponding mitigations
- How MCP is also offering tremendous opportunities on the security-enabling side, extending security capabilities into AI-native platforms such as Claude and Cursor, with security vendors releasing their own MCP servers
- Where we see MCP heading from a research and implementation perspective
Additional Resources:
- Anthropic - Introducing the Model Context Protocol (MCP)
- Enhanced Tool Definition Interface (ETDI): A Security Fortification for the Model Context Protocol
- Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
- Vulnerable MCP Project…
Resilient Cyber w/ Jay Jacobs & Michael Roytman - VulnMgt Modernization & Localized Modeling (33:53)
In this episode, I sit with long-time vulnerability management and data science experts Jay Jacobs and Michael Roytman, who recently co-founded Empirical Security. We dive into the state of vulnerability management, including:
- How difficult it is to quantify and evaluate the effectiveness of vulnerability prioritization and scoring schemes, such as CVSS, EPSS, KEV, and proprietary vendor prioritization frameworks, and what can be done better
- Systemic challenges, including setbacks in the NIST National Vulnerability Database (NVD) program, the MITRE CVE funding fiasco, and the need for a more resilient vulnerability database and reporting ecosystem
- Domain-specific considerations when it comes to vulnerability identifiers and vulnerability management, in areas such as AppSec, Cloud, and Configuration Management, and using data to make more effective decisions
- The overuse of the term "single pane of glass" and some alternatives
- Empirical's innovative approach to "localized" models for vulnerability management, which takes unique organizational and environmental considerations into account, such as mitigating controls, threats, tooling, and more, and how they are experimenting with this new approach for the industry…
In this episode, we sit down with the Co-Founder and CPO of Seemplicity, Ravid Circus, to discuss tackling the prioritization crisis in cybersecurity and how AI is changing vulnerability management. We dove into a lot of great topics, including:
- The massive challenge of not just finding and managing vulnerabilities but also remediating them. Seemplicity's Year in Review report found that organizations face 48.6 million vulnerabilities annually and that only 1.7% of them are critical. That still means hundreds of thousands to millions of vulnerabilities need to be remedied, and organizations struggle with this even with the context of what to prioritize.
- There's a lot of excitement around AI in Cyber, including in GRC, SecOps, and, of course, AppSec and vulnerability management. How do you discern between what is hype and what can provide real outcomes?
- What practical steps can teams take to bridge the gap between AI's ability to find problems and security teams' ability to fix them?
- One of the major issues is determining who is responsible for fixing findings in the space of Remediation Operations, where Seemplicity specializes. Ravid talks about how, both technically and culturally, Seemplicity addresses this challenge of finding the fixer.
- What lies ahead for Seemplicity this year with RSA and beyond…
In this episode, we sit down with Varun Badhwar, Founder and CEO of Endor Labs, to discuss the state of AI for AppSec and move beyond the buzzwords. We discussed the rapid adoption of AI-driven development, its implications for AppSec, and how AppSec can leverage AI to address longstanding challenges and mitigate organizational risks at scale. Varun and I dove into a lot of great topics, such as:
- The rise of GenAI and LLMs and their broad implications for Cybersecurity
- The dominant use case of AI-driven development with Copilots and LLM-written code, leading to a Developer productivity boost. AppSec has historically struggled to keep up, with vulnerability backlogs getting out of control. What will the future look like now?
- Studies show that AI-driven development and Copilots don't inherently produce secure code, and frontier models are primarily trained on open source software, which has vulnerabilities and other risks. What are the implications of this for AppSec?
- How can AppSec and Cyber leverage AI and agentic workflows to address systemic security challenges? Developers and attackers are both early adopters of this technology.
- Navigating vulnerability prioritization, dealing with insecure design decisions, and addressing factors such as transitive dependencies
- The importance of integrating with developer workflows, reducing cognitive disruption, and avoiding imposing a "Developer Tax" with legacy processes and tooling from security…
In this episode, we sit down with Piyush Sharrma, CEO and co-founder of the Tuskira team. They're an AI-powered defense optimization platform innovating around leveraging an Agentic Security Mesh. We dive into topics such as Platform vs. Point Solutions, Security Tool Sprawl, Alert Fatigue, and how AI can create "intelligent" layers to unify and enhance security tooling ROI. We discussed:
- What drove Piyush to jump back into the startup space after successfully exiting from a previous startup he helped found
- The industry debate around Platform vs. Point Solutions or Best-of-Breed and the perspectives of industry leaders versus innovative startups
- Dealing with the challenge of alert fatigue among security and development teams, and the role of AI in reducing cognitive overload and providing insight into organizational risks across tools, tech stacks, and architectures
- The role of AI in providing intelligence layers or an Agentic Security Mesh across existing security tools and defenses, and mitigating organizational risks beyond isolated vulnerability scans by looking at compensating controls, configurations, and more
- Shifting security from a reactionary model around incident response and exploitation to a preemptive risk defense model that minimizes attack surface and optimizes existing security investments and architectures…
We sit with Lasso Security CEO and Co-Founder Elad Schulman in this episode. Lasso focuses on secure enterprise LLM/GenAI adoption, from LLM Applications, GenAI Chatbots, Code Protection, Model Red Teaming, and more. Check them out at https://lasso.security. We dove into a lot of great topics, such as:
- Dealing with challenges around visibility and governance of AI, much like previous technological waves such as mobile, Cloud, and SaaS
- Unique security considerations for different paths of using and building with AI, such as self-hosted models and consuming models as-a-service from SaaS LLM providers
- Potential vulnerabilities and threats associated with AI-driven development products such as Copilots and coding assistants
- Software Supply Chain Security (SSCS) risks such as package hallucinations, and both safeguarding the data that goes out to external coding tools and securely consuming the data coming into the organization
- Securing AI itself and dealing with risks and threats such as model poisoning, and implementing model red teaming
- Lasso discovered several critical concerns in their AI security research, such as Microsoft's Copilot exposing thousands of private GitHub repos…
In this episode, we sit with security leader and venture investor Sergej Epp to discuss the Cloud-native Security Landscape. Sergej currently serves as the Global CISO and Executive at Cloud Security leader Sysdig and is a Venture Partner at Picus Capital. We dive into some insights from Sysdig's recent "2025 Cloud-native Security and Usage Report."
Big shout out to our episode sponsor, Yubico! Passwords aren't enough. Cyber threats are evolving, and attackers bypass weak authentication every day. YubiKeys provide phishing-resistant security for individuals and businesses: fast, frictionless, and passwordless. Upgrade your security: https://yubico.com
Sergej and I dove into a lot of great topics related to Cloud-native Security, including:
- Some of the key trends in the latest Sysdig 2025 Cloud-native Security Report and trends that have stayed consistent YoY. Sergej points out that while attackers have stayed consistent, organizations have made and continue to make improvements to their security.
- Sergej elaborated on his current role as Sysdig's internal CISO and his prior role as a field CISO, and the differences between the two roles in terms of how you interact with your organization, customers, and the community.
- We unpacked the need for automated Incident Response, touching on how modern cloud-native attacks can happen in as little as 10 minutes and how organizations can and do struggle without sufficient visibility and the ability to automate their incident response.
- The report points out that machine identities, or Non-Human Identities (NHI), are 7.5 times riskier than human identities and that there are 40,000 times more of them to manage. This is a massive problem and gap for the industry, and Sergej and I walked through why this is a challenge and its potential risks.
- Vulnerability prioritization continues to be crucial, with the latest Sysdig report showing that just 6% of vulnerabilities are "in-use", or reachable. Still, container bloat has ballooned, quintupling in the last year alone. This presents real problems as organizations continue to expand their attack surface with expanded open-source usage but struggle to determine which vulnerabilities truly present risk and need to be addressed.
- We covered the challenges with compliance, as organizations wrestle with multiple disparate compliance frameworks, and how compliance can drive better security but can also have inverse impacts when written poorly or when it does not keep pace with technologies and threats.
- We rounded out the conversation by discussing AI/ML packages and the fact that their usage has grown by 500%, while organizations have decreased public exposure of AI/ML workloads by 38% since the prior year, showing that some improvements are being made in safeguarding AI workloads from risk as well.…
In this episode, we sit down with Lior Div and Nate Burke of 7AI to discuss Agentic AI, Service-as-Software, and the future of Cybersecurity. Lior is the CEO/Co-Founder of 7AI and a former CEO/Co-Founder of Cybereason, while Nate brings a background as a CMO with firms such as Axonius, Nagomi, and now 7AI. Lior and Nate bring a wealth of experience and expertise from various startups and industry-leading firms, which made for an excellent conversation. We discussed:
- The rise of AI and Agentic AI and its implications for cybersecurity
- Why the 7AI team chose to focus on SecOps in particular, and the importance of tackling toil work to reduce cognitive overload, address workforce challenges, and improve security outcomes
- The importance of distinguishing between Human and Non-Human work, and why the idea of eliminating analysts is the wrong approach
- Being reactive and leveraging Agentic AI for threat hunting and proactive security activities
- The unique culture that comes from having the 7AI team in-person on-site together, allowing them to go from idea to production in a single day while responding quickly to design partners and customer requests
- Challenges of building with Agentic AI and how the space is quickly evolving and growing
- Key perspectives from Nate as a CMO regarding messaging around AI and getting security to be an early adopter rather than a laggard when it comes to this emerging technology
- Insights from Lior on building 7AI compared to his previous role founding Cybereason, which went on to become an industry giant and leader in the EDR space…
In this episode, we sit down with Investor, Advisor, Board Member, and Cybersecurity Leader Chenxi Wang to discuss the interaction of AI and Cybersecurity, what Agentic AI means for Services-as-a-Software, and security in the boardroom. Chenxi and I covered a lot of ground, including:
- When we discuss AI for Cybersecurity, it is usually divided into two categories: AI for Cybersecurity and Securing AI. Chenxi and I walk through the potential for each and which one she finds more interesting at the moment.
- Chenxi believes LLMs are fundamentally changing the nature of software development, and the industry's current state seems to support that. We discussed what this means for Developers and the cybersecurity implications when LLMs and Copilots create the majority of code and applications.
- LLMs and GenAI are currently being applied to various cybersecurity areas, such as SecOps, GRC, and AppSec. Chenxi and I unpack which areas AI may have the greatest impact on and the areas where we see the most investment and innovation currently.
- As mentioned above, there is also the need to secure AI itself, which introduces new attack vectors, such as supply chain attacks, model poisoning, prompt injection, and more. We cover how organizations are currently dealing with these new attack vectors and the potential risks.
- The biggest buzz of 2025 (and beyond) is Agentic AI or AI Agents, and their potential to disrupt traditional services work, which represents an outsized portion of cybersecurity spending and revenue. Chenxi envisions a future where Agentic AI and Services-as-a-Software may change what cyber services look like and how cyber activities are conducted within an organization.
If you aren't already following Chenxi Wang on LinkedIn, I strongly recommend you do. I have a lot of connections, but she is someone whose posts I am sure to stop and read, because she shares a TON of great insights from the boardroom, investment, cyber, startups, AI, and more. I'm thankful to have her on the show to come chat!…
In this episode, we sit down with Rob Shavell, CEO and Co-Founder of DeleteMe, an organization focused on safeguarding exposed personal data on the public web and addressing user privacy challenges. We dove into a lot of great topics, such as:
- The rapidly growing problem of personal data ending up on the public web, and some of the major risks many may not think about or realize
- Trends contributing to personal data exposure, from the Internet itself to social media, mobile phones/apps, IoT devices, COVID, and now AI
- Where to get started when it comes to taking control of your personal data and privacy
- Potential abuses and malicious uses of personal data, and how threat actors are leveraging it
- How DeleteMe can help, as well as free resources and DIY guides that individuals can use to mitigate the risk associated with their personal data being exposed…
In this episode of Resilient Cyber, we sit down with Steve Martano, Partner in the Cyber Security Practice at Artico Search, to discuss the recent IANS & Artico Search publications on the 2025 State of the CISO, security budgets, and broader security career dynamics. Steve and I touched on some great topics, including:
- The 2025 State of the CISO report and key findings
- Board reporting cadences for CISOs and the importance of boardroom involvement in Cybersecurity
- The three archetypes of CISOs: Tactical, Functional, and Strategic
- How security leaders can advance their careers to become strategic CISOs, as well as key considerations for organizations looking to attract and retain their security talent
- The growing scope of responsibility for CISO roles, from not just Infosec to broader IT, business risk, and digital strategy, and the implications for CISOs
- Security budget trends, spending, macroeconomic factors, and allocations
Here is a list of some of the great resources from IANS and Artico on various areas of interest for CISOs and Security leaders alike!
- https://www.iansresearch.com/resources/ians-security-budget-benchmark-report
- https://www.iansresearch.com/resources/ians-ciso-compensation-benchmark-report
- https://www.iansresearch.com/resources/ians-state-of-the-ciso-report
- https://www.iansresearch.com/resources/ians-leadership-organization-benchmark-report…
In this episode of Resilient Cyber, we catch up with Katie Norton, an Industry Analyst at IDC who focuses on DevSecOps and Software Supply Chain Security. We dive into all things AppSec, including 2024 trends and analysis and 2025 predictions. Katie and I discussed:
- Her role with IDC and her transition from Research and Data Analytics into being a Cyber and AppSec Industry Analyst, and how that background has served her in her new endeavor
- Key themes and reflections in AppSec through 2024, including disruption among Software Composition Analysis (SCA) and broader AppSec testing vendors
- The age-old Platform vs. Point product debate and the iterative, constant cycle of new entrants and innovations that grow, add capabilities, and become platforms or are acquired by larger platform vendors. The cycle continues indefinitely.
- Katie's key research areas for 2025, including Application Security Posture Management (ASPM), Platform Engineering, SBOM Management, and Securing AI Applications
- The concept of a "Developer Tax" and the financial and productivity impact legacy security tools and practices are having on organizations, while also building silos between us and our Development peers
- The role of AI in corrective code fixes and the ability of AI-assisted automated remediation tooling to drive down remediation timelines and vulnerability backlogs
- The importance of storytelling, both as an Industry Analyst and in the broader career field of Cybersecurity…
Resilient Cyber w/ Ed Merrett - AI Vendor Transparency: Understanding Models, Data and Customer Impact (23:55)
In this episode of Resilient Cyber, Ed Merrett, Director of Security & TechOps at Harmonic Security, dives into AI Vendor Transparency. We discussed the nuances of understanding models and data, and the potential for customer impact related to AI security risks. Ed and I dove into a lot of interesting GenAI Security topics, including:
- Harmonic's recent report on GenAI data leakage, which shows that nearly 10% of all organizational user prompts include sensitive data such as customer information, intellectual property, source code, and access keys
- Guardrails and measures to prevent data leakage to external GenAI services and platforms
- The intersection of SaaS Governance and Security with GenAI, and how GenAI is exacerbating longstanding SaaS security challenges
- Supply chain risk management considerations with GenAI vendors and services, and key questions and risks organizations should be considering
- Some of the nuances between self-hosted GenAI/LLMs and external GenAI SaaS providers
- The role of compliance around GenAI and the different approaches we see between examples such as the EU, with the EU AI Act, NIS2, DORA, and more, versus the U.S.-based approach…
In this episode, we sit down with Sounil Yu, Co-Founder and CTO at Knostic, a security company focusing on need-to-know-based access controls for LLM-based Enterprise AI. Sounil is a recognized industry security leader and the author of the widely popular Cyber Defense Matrix. Sounil and I dug into a lot of interesting topics, such as:
- The latest news with DeepSeek and some of its implications for broader AI, cybersecurity, and the AI arms race, most notably between China and the U.S.
- The different approaches to AI security and safety we're seeing unfold between the U.S. and EU, with the former being more best-practice and guidance-driven and the latter being more rigorous and including hard requirements
- The age-old concept of need-to-know access control, the role it plays, and potentially new challenges implementing it when it comes to LLMs
- Organizations rolling out and adopting LLMs, and how they can go about implementing least-permissive access control and need-to-know
- Some of the different security considerations between
- Some of the work Knostic is doing around LLM enterprise readiness assessments, focusing on visibility, policy enforcement, and remediation of data exposure risks
----------------
Interested in sponsoring an issue of Resilient Cyber? This includes reaching over 16,000 subscribers, ranging from Developers, Engineers, Architects, CISOs/Security Leaders, and Business Executives. Reach out below! -> Contact Us!
----------------…
SecOps continues to be one of the most challenging areas of cybersecurity. It involves addressing alert fatigue, minimizing dwell time and mean time to respond (MTTR), automating repetitive tasks, integrating with existing tools, and delivering ROI. In this episode, we sit with Grant Oviatt, Head of SecOps at Prophet Security and an experienced SecOps leader, to discuss how AI SOC Analysts are reshaping SecOps by addressing systemic security operations challenges and driving down organizational risks. Grant and I dug into a lot of great topics, such as:
- Systemic issues impacting the SecOps space, including alert fatigue, triage, burnout, staffing shortages, and the inability to keep up with threats
- What makes SecOps such a compelling niche for Agentic AI, and the key ways AI can help with these systemic challenges
- How Agentic AI and platforms such as Prophet Security can aid with key metrics such as SLOs or mean time to remediation (MTTR) to drive down organizational risks
- Addressing the skepticism around AI, including its use in production operational environments, and how the human-in-the-loop still plays a critical role for many organizations
- Many organizations also use Managed Detection and Response (MDR) providers, and how Agentic AI may augment or replace these existing offerings depending on the organization's maturity, complexity, and risk tolerance
- How Prophet Security differs from vendor-native offerings such as Microsoft Copilot, and the role of cloud-agnostic offerings for Agentic AI…
While cybercriminals can (and do) infiltrate organizations by exploiting software vulnerabilities and launching brute force attacks, the most direct and often most effective route is via the inbox. As the front door of an enterprise and the gateway upon which employees rely to do their jobs, the inbox represents an ideal access point for attackers. And it seems that, unfortunately, cybercriminals aren't lacking when it comes to identifying new ways to sneak in. Abnormal Security's Field CISO, Mick Leach, discusses some of the sophisticated threats we anticipate escalating in the coming year, including cryptocurrency fraud, AI-generated business email compromise, and more. Mick and I dove into a lot of great topics, including:
- The evolution of email-based attacks and why traditional tooling may fall short
- How attackers are leveraging GenAI and LLMs to make more compelling email-based attacks
- How defenders can utilize AI to improve their defensive capabilities
- The role of tooling such as Secure Email Gateways, and how they still play a role but fail to meet the latest threat landscape
- How Abnormal is tackling email-based attacks and the outcomes they are helping customers achieve with streamlined integration and use…
In this episode, we sit down with Rajan Kapoor, Field CISO of Material Security, to discuss the security risks and shortcomings of native cloud workspace security offerings and the role of modern platforms for email security, data governance, and posture management. Email and Cloud Collaboration Workspace Security continues to be one of the most pervasive and challenging security environments, and Rajan provided a TON of excellent insights. We covered:
- Why email and cloud workspaces are some of the most highly targeted environments by cyber criminals, what they can do once they compromise the email environment, and the broad implications.
- The lack of security features and capabilities of native cloud workspaces such as M365 and Google Workspace, and the technical and resource constraints that drive teams to seek out innovative products such as Material Security.
- The tug of war between security and productivity, and how Material Security helps address challenges of the native workspaces that often make it hard for people to do their work and lead to security being sidestepped.
- Particular industries that are targeted and impacted the most, such as healthcare, where there is highly sensitive data, regulatory challenges, and more.
- Common patterns among threats, attacks, and vulnerabilities, and how organizations can work to bolster the security of their cloud workspace environments.
This is a fascinating area of security. We often hear “identity is the new perimeter” and see identity play a key role in trends such as zero trust. But, so often, that identity starts with your email, and it can lead to lateral movement, capturing MFA codes, accessing sensitive data, impacting business partners, phishing others in the organization, and more, all of which can have massive consequences for the organizations impacted. Rajan brought his expertise as a Field CISO and longtime security practitioner to drop a ton of gems in this one, so be sure to check it out!…
We’ve heard a ton of excitement about AI Agents, Agentic AI, and their potential for Cybersecurity. This ranges across areas such as GRC, SecOps, and Application Security (AppSec). That is why I was excited to sit down with Ghost Security Co-Founder/CEO Greg Martin. In this episode, we sit down with Ghost Security CEO and Co-Founder Greg Martin to chat about Agentic AI and AppSec. Agentic AI is one of the hottest trends going into 2025, and we will discuss what it is, its role in AppSec, and what systemic industry challenges it may help tackle. Greg and I chatted about a lot of great topics, including:
- The hype around Agentic AI and what makes AppSec, in particular, such a promising area and use case for AI to tackle longstanding AppSec challenges such as vulnerabilities, insecure code, backlogs, and workforce constraints.
- Greg’s experience as a multi-time founder, including going through acquisitions, and what continues to draw him back to being a builder and operational founder.
- The challenges of historical AppSec tooling and why the time for innovation, new ways of thinking, and leveraging AI is due.
- Whether we think AI will end up helping or hurting more in terms of defenders and attackers and their mutual use of this promising technology.
And much more, so be sure to tune in and check it out, as well as check out his team at Ghost Security and what they’re up to!…
In this episode, we will be sitting down with Filip Stojkovski and Dylan Williams to dive into AI, Agentic AI, and the intersection with cybersecurity, specifically Security Operations (SecOps). I’ve been following Filip and Dylan for a bit via LinkedIn and have been really impressed with their perspective on AI and its intersection with Cyber, especially SecOps. We dove into that in this episode, including:
- What exactly Agentic AI and AI Agents are, and how they work
- What a Blueprint for AI Agents in Cybersecurity may look like, using the example in their blog of the same title
- The role of multi-agentic architectures, potential patterns, and examples such as Triage Agents, Threat Hunting Agents, and Response Agents, and how they may work in unison
- The potential threats to AI Agents and Agentic AI architectures, including longstanding challenges such as Identity and Access Management (IAM), Least-Permissive Access Control, Exploitation, and Lateral Movement
- The current state of adoption across enterprises and the startup landscape, and key considerations for CISOs and security leaders looking to potentially leverage Agentic SecOps products and offerings…
In this episode, we sit down with StackAware Founder and AI Governance Expert Walter Haydock. Walter specializes in helping companies navigate AI governance and security certifications, frameworks, and risks. We will dive into key frameworks, risks, lessons learned from working directly with organizations on AI Governance, and more.
- We discussed Walter’s pivot with his company StackAware from AppSec and Supply Chain to a focus on AI Governance, and from a product-based approach to a services-oriented offering, and what that entails.
- Walter has been actively helping organizations with AI Governance, including helping them meet emerging and newly formed standards such as ISO 42001. Walter provides field notes, lessons learned and some of the most commonly encountered pain points organizations have around AI Governance.
- Organizations have a ton of AI Governance and Security resources to rally around, from OWASP, Cloud Security Alliance, NIST, and more. Walter discusses how he recommends organizations get started and where.
- The U.S. and EU have taken drastically different approaches to AI and Cybersecurity, from the EU AI Act, U.S. Cyber EO, Product Liability, and more. We discuss some of the pros and cons of each and why the U.S.’s more relaxed approach may contribute to economic growth, while the EU’s approach to being a regulatory superpower may impede its economic growth.
- Walter lays out key credentials practitioners can explore to demonstrate expertise in AI security, including the IAPP AI Governance credential, which he recently took himself.
You can find out more about Walter Haydock by following him on LinkedIn, where he shares a lot of great AI Governance and Security insights, as well as his company website www.stackaware.com…
In this episode, we sit down with returning guest Jim Dempsey. Jim is the Managing Director of the Cybersecurity Law Center at IAPP, Senior Policy Advisor at Stanford, and Lecturer at UC Berkeley. We will discuss the complex cyber regulatory landscape, where it stands now, and implications for the future based on the recent U.S. Presidential election outcome. We dove into a lot of topics, including:
- The potential impact of the latest U.S. Presidential election, including the fact that while there are parallels between Trump’s first term and Joe Biden’s, there are also key differences. We’re likely to see a deregulatory approach related to commercial industry and consumer tech but much more alignment and firm stances related to cyber and national security.
- The future of efforts around Software Liability and Safe Harbor.
- Contrasting differences between the EU’s tech regulatory efforts and the U.S. The U.S. has taken a much more voluntary approach. While Jim is an advocate of regulation and thinks it is needed, he simply cannot get behind the heavy-handed approach of the EU and suspects it will continue to widen the tech gap between the U.S. and the EU.
- The potential for regulatory harmonization and the challenges due to the unique aspects of each industry, vertical, data types, and more.
Jim leads the recently formed IAPP Cybersecurity Law Center. He is also the author of the book Cybersecurity Law Fundamentals, Second Edition.…
In this episode of Resilient Cyber I will be chatting with industry leaders Tyler Shields and James Berthoty on the topic of "Shift Left". This includes the origins and early days of the shift left movement, as well as some of the current challenges and complaints, and whether the shift left movement is losing its shine. We dive into a lot of topics such as:
- Tyler and James’ high-level thoughts on shift left and where it may have gone wrong or run into challenges
- Tyler’s thoughts on the evolution of shift left over the last several decades, from some of his early Pen Testing roles and working with early legacy applications before the age of Cloud, DevOps and Microservices
- James’ perspective, having started in Cyber in the age of Cloud, and how his entire career has come at shift left from a bit of a different perspective
- The role that Vendors, VCs and products play and why the industry only seems to come at this from the tool perspective
- Where we think the industry is headed with similar efforts such as Secure-by-Design/Default and its potential as well as possible challenges…
In this episode we sit down with Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We will dive into a wide range of topics, from cyber regulation, software liability, and navigating Federal/Defense cyber compliance to the need for digital defense of the modern national security ecosystem.
- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir? You're a big proponent of the role that software plays now, and will play in the future, when it comes to the fifth domain of warfare, cybersecurity, so let's dive into some of those topics.
- I know you've voiced some strong opinions on the role of cyber insurance and also compliance when it comes to its static nature, compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?
- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?
- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?
- The enablement of more companies is key, as you know the DIB has seen massive consolidation in the past decade or more, largely with a small handful of players dominating the lion's share of the work in the DoD. This arguably poses systemic concentrated risks, as well as not giving the DoD access to commercial innovation. You called America's commercial tech sector the DoD's most powerful ally in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a not-built-here syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?
- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATOs and RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?…
In this episode we sit down with Mark Simos to dive into his RSA Conference talk "You're Doing It Wrong - Common Security AntiPatterns" and dig into several painfully true anti-patterns in cybersecurity and how we often are our own worst enemy.
- First off, for those not familiar with you or your background, can you tell us a bit about that?
- So you delivered this talk at RSA, focused on Cybersecurity "Anti-Patterns". How did the talk come about and how was it received by the audience? We won't be able to name them all, but I would love to discuss some of them.
- You talk about technology-centric thinking, and how folks believe security is about technology instead of business assets. Can you explain this one?
- The silver bullet mindset was another that jumped out to me. This is thinking a single solution can 100% solve complex and continuous problems. In what ways have you seen this one play out?
- The paradox of blame is one that made me laugh because I have seen this play out a lot. You talk about the CYA mentality: security warns about issues, they are skipped, and then security is blamed. This one really stings because I have seen it happen, and in fact, I feel like we're seeing it play out with some of the CISO liability cases and regulations that are emerging.
- Perhaps one of the most well-known anti-patterns is security being the office of no or resisting trends. I feel like we saw this with Cloud, Mobile, SaaS and now AI. Why do we keep repeating these mistakes?…
- First off, for those who don't know you, can you tell us a bit about your background?
- You've been providing a deep dive talk into how to become a CISO. I'm curious, what made you put together the presentation, and how has it been received so far when you've had a chance to deliver it?
- You have broken down what you call "four stages of the journey" that encompass skills in areas such as Technical, Management, Leadership and Political. This to me comes across as CISOs needing to be multidisciplinary professionals with a variety of skillsets. What do you think makes this so important for CISOs to be successful?
- Let's walk through the four stages a bit. You start off with Technical skills. This seems to be the foundation many CISOs start with, coming from roles in areas such as engineering, architecture and so on. What makes this foundation so key?
- How do CISOs maintain a strong technical foundation and depth as they get further away from the tactical work and more into the leadership and strategic role?
- CISOs of course have to be able to manage the teams they build and/or oversee. What are some of the key management leadership skills you think CISOs must have?
- Leading is a fundamental part of what CISOs do, whether it is direct reports or the broader security org. What are some of these leadership skills and how can they have a positive or negative impact?
- Last but not least is the political side of things. CISOs of course operate among other C Suite peers, the board and within complex organizations with competing interests, personalities and incentives. This could arguably be the most important skill to hone in terms of ensuring you're effective in your role and have a lasting impact on organizational risks. What are your thoughts on the political skills front?
- I'm curious, as someone who's been a multiple-time CISO and is now advising others on how to obtain the role, where do you see the role of the CISO headed in the future? We see new aspects such as litigation, SEC rules, determining materiality, CISOs needing to speak the language of the business and more, all while needing to manage risks with the ever-changing technological landscape, with AI being the latest example. Where is it all headed?…
- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?
- We see rapid adoption of AI and security inevitably trying to keep up. Where should folks start?
- There are some really interesting intersections when it comes to AI and supply chain. What are some of them?
- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?
- AI BOMs: what are they, how do they differ from SBOMs, and what are some notable efforts underway right now around them?…
In this episode we sit down with Amir Kessler and Aviram Shmueli of AppSec innovator Jit to dive into the complexities of the modern AppSec landscape and explore the emerging Application Security Posture Management (ASPM) ecosystem.
- First off, for folks not familiar with your backgrounds, can you tell us a bit about both of your backgrounds and how you got to the roles you're in now?
- We're seeing a ton of interest in the topic of ASPM in the AppSec space. What do you think has led to this emerging category and what key problems is it looking to solve?
- I know your team puts a big emphasis on not just the tech but also the DevEx and UX. Why is this so critical to addressing AppSec risks and securing organizations and their code?
- While there is value in ASPM platforms, many Dev teams and engineers are opinionated about their tools. How important is this flexibility and extensibility in the platform that the Jit team has built?
- A key challenge is vulnerability overload: teams drowning in massive vulnerability backlogs and trying to add vulnerability context and focus on the most relevant risks for developers. How does Jit approach this?
- Not all ASPM platforms are the same, but we see many vendors rallying around the category. What do you think makes Jit unique and differentiates what the team has built?…
- For those that don't know you, can you tell us a bit about your background and your current role?
- I know you help lead the ATLAS project for MITRE. What exactly is ATLAS and how did it come about?
- The AI threat landscape is evolving quickly, as organizations are rapidly adopting GenAI, LLMs and AI more broadly. We are still fleshing out some fundamental risks, threats and vulnerabilities to consider. Why is it so important to have a way to characterize it all?
- When it comes to AI Security, there is also a lot of hype, buzz and dare I say FUD out there. Why are you so adamant that we take a data-driven and actionable approach?
- I know you recently helped participate in the first big AI security incident focused TTX, including with CISA and other Government and Industry partners. Can you speak a bit about the experience and why exercises like this are important for organizations to do when it comes to AI security?
- As someone close to the AI domain, when it comes to security, what are your thoughts on both where we're headed for security of AI, and AI to bolster security?
- For folks wanting to learn more about ATLAS, and the work MITRE is doing around AI security, where should folks get started?
- What are some key open questions and opportunities for the community to help shape the future of AI security and assurance?
https://atlas.mitre.org/ ← Check out MITRE ATLAS!…
In this episode we sit down with GenAI and Security Leader Steve Wilson to discuss securing the explosive adoption of GenAI and LLMs. Steve is the leader of the OWASP Top 10 for LLMs and author of the upcoming book The Developer's Playbook for LLM Security: Building Secure AI Applications.
- First off, for those not familiar with your background, can you tell us a bit about yourself and what brought you to focusing on AI Security as you are currently?
- Many may not be familiar with the OWASP LLM Top 10. Can you tell us how the project came about, and some of the value it provides the community?
- I don't want to talk through the list item by item, but I wanted to ask, what are some of the key similarities and key differences when it comes to securing AI systems and applications compared to broader historical AppSec?
- Where do you think organizations should look to get started to try and keep pace with the business's adoption of GenAI and LLMs?
- You've also been working on publishing The Developer's Playbook for LLM Security, which I've been working my way through an early preview edition of, and it is great. What are some of the core topics you cover in the book?
- One hot topic in GenAI and LLMs is the two large paths of either closed or open source models, services and platforms. What are some key considerations from your perspective for those adopting one or the other?
- I know software supply chain security is a key part of LLM and GenAI security. Why is that, and what should folks keep in mind?
- For those wanting to learn more, where can they find more resources, such as the LLM Top 10, your book, any upcoming talks etc.?…
In this episode we sit down with Snehal Antani, the Founder/CEO of Horizon3.ai, to discuss disrupting the Pen Testing and Offensive Security ecosystem, and building and scaling a security startup from a founder's perspective. From HP, to Splunk, to JSOC, all leading to founding Horizon3, Snehal brings a unique perspective of business acumen and technical depth and puts on a masterclass around venture, founding and scaling a team, and disrupting the industry!
- For those not familiar with your background or Horizon3AI, can you tell us a bit about both? You are building something special at Horizon3AI and I will dive into that here soon, but you've also been posting some great content about building a security startup, the team, the market dynamics and more, so I wanted to spend a little time chatting about that.
- First off, your company was recently listed by Forbes as one of the top 25 venture-backed startups likely to reach a $1 billion valuation. How did that feel and what do you think contributed to your team landing on such a prestigious list?
- Speaking of venture-backed, you recently participated in the Innovators and Investors Summit at BlackHat, where you and other panelists dove into the topic of what founders should look for in investors and how VCs can stand out in a highly competitive market. As someone who's navigated that journey and is now being listed on lists such as that from Forbes, what are some of your key lessons learned and recommendations for early-stage founders?
- You've stressed the importance of the team over the initial idea and what you've called "pace setters" and "ankle weights" within the team and the importance of both. Can you elaborate on the terms and broader context around building a foundational team to scale the company successfully?
- You also have discussed the 4 advantages iconic companies build over time. What are they and why do they help differentiate you?
- Pivoting a bit, you have a really unique background, blending both the private and public/defense sector. How do you think that's helped shape you and the way you've built your team and company and approach the market?
- Horizon3AI is big on the mantra of "offense informed defense". Why is that critical and why do you think we miss the value in this approach in many spaces in the security ecosystem?
- You all have poked some fun at the way many organizations operate, running vuln scans, doing an annual pen test, and having a false sense of security. How is Horizon3AI disrupting the traditional Pen Testing space and leading to more secure organizational outcomes?…
- For those not familiar with you and ThreatLocker, can you tell us a bit about yourself and the ThreatLocker team?
- When we look out at the endpoint protection landscape, what do you feel some of the most pressing threats and risks are?
- There of course has been a big push for Zero Trust in the industry, being led by CISA, NIST, and industry. How does ThreatLocker approach Zero Trust when it comes to the Endpoint Protection Platform?
- Another thing that caught my eye is the ThreatLocker Allowlisting capability. We know Applications remain one of the top attack vectors per sources such as the DBIR. Can you tell us about the ThreatLocker Allowlisting capability and blocking malicious app activity on endpoints?
- Taking that a step further, you all often speak about your Ringfencing capability that deals with Zero Day vulnerabilities. As we know, traditional vulnerability management tools can't stop Zero Day exploits. How does the ThreatLocker platform handle Zero Day protection?
- I saw you all recently had a webinar focused on CMMC and NIST 800-171, which applies to the Defense Industrial Base. Obviously endpoint threats are a big concern there for the DoD and the DIB. Can you talk about how ThreatLocker is working with that community?
- For folks wanting to learn more about ThreatLocker, where should they go, and what are some things to keep an eye out for?
Find out more about ThreatLocker!…
In this episode we sit down with Chloe Messdaghi, Head of Threat Intelligence at HiddenLayer, an AI Security startup focused on securing the quickly evolving AI security landscape. HiddenLayer was the 2023 RSAC Innovation Sandbox Winner and offers a robust platform including AI Security, Detection & Response and Model Scanning.
- For folks not familiar with you or the HiddenLayer team, can you tell us a bit about your background, as well as that of HiddenLayer?
- When you look at the AI landscape, and discussions around securing AI, what is the current state of things as it stands now? I would recommend checking out the "AI Threat Landscape Report" you all recently published.
- Many organizations of course are in their infancy in terms of AI adoption and security. I know the HiddenLayer team has really been advocating concepts such as AI Governance. Can you talk about how organizations can get started on this foundational activity?
- HiddenLayer published a great two-part series on an "AI Step-by-Step Guide for CISOs". Can you talk about some of those recommendations a bit?
- You all also have been evangelizing practices such as Red Teaming for AI and AI Models. What exactly is AI Red Teaming and why is it so critical to do?
- Another interesting topic is how we're beginning to look to govern AI, both here in the U.S. with things such as the AI EO, and in the EU with the EU AI Act. What are some key takeaways from those, and what do you think about the differences in approaches we're seeing so far?…
- For folks not familiar with you and your background, can you tell us a bit about that?
- How about Resourcely? How did it come about and what problem did you set out to tackle?
- Why do you think Cloud Misconfigurations are still so pervasive, despite being fairly well into the Cloud adoption lifecycle?
- How have organizations traditionally tried to handle secure configurations, in terms of establishing them, maintaining them, monitoring for drift and so on?
- Where do you think we're headed? I know you all recently had your capability go GA and you discuss concepts such as blueprints, frameworks, paved paths etc.
- You've been talking a lot about the Death of DevSecOps. Let's chat about that. What case are you making with regard to DevSecOps and where the industry is headed?…
- First off, for folks not familiar with your background, can you tell us a bit about yourself?
- You made the leap from working for a firm to founding your own talent and recruiting company. Can you tell us about that decision and experience?
- Before we dive into specific topics, what are some of the biggest workforce trends you are seeing in cyber currently? I have seen you talk about the pendulum shift from workers to employers on aspects like remote roles, and so on. What is the current dynamic across the cyber landscape broadly at the moment?
- The cyber workforce is often discussed painfully, with talk of struggles to attract and retain technical talent, but I feel like it isn't just a headcount problem. We also often see absolutely awful PDs and processes that impact organizations' hiring ability. What are your thoughts here?
- You're often seeking out some of the best talent for leading organizations. What sort of experiences, qualities and characteristics do you find yourself looking for in candidates that make them stand out from the broader workforce?
- Conversely, what are some things you see organizations doing best that really set them apart from others when it comes to building amazing security teams?
- What can folks be doing to try and best position themselves for their dream role? What are key things to keep in mind and emphasize from an expertise, personal branding, resume and other factors perspective?…
- For folks not familiar with you or the Miggo team, can you tell us a bit about your background?
- How do you define ADR and why do you think we have seen the need for this new category of security tooling come about?
- Most organizations are struggling with vulnerability overload, with massive vulnerability backlogs and struggles around vulnerability prioritization. Can you share some insights on how you all tackle this problem?
- We're increasingly seeing the AppSec space become more complex, with Cloud, APIs, Microservices, IaC and more. What do you see as some of the most critical trends in the AppSec space currently?…
- First off, for those that don't know you or your work, would you mind telling us a bit about your background?
- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?
- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems, such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at scale also have more resilient outcomes. This seems to be both a risk and a benefit of software over physical systems?
- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability are inherently at odds, or need to be?
- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers, and also that they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?
- Some may push back and say it is easy for Google to advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?
- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?…
- First off, for folks that don't know you, can you tell us a bit about your current role and background?
- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?
- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?
- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as on the ability to get innovative capabilities into the hands of warfighters and mission owners?
- CMMC: we know your organization is looking to bring innovative commercial technologies into Defense. What are some of the challenges there beyond the ATO aspect?
- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your ability to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?
- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?
- DevSecOps thoughts…
- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?
- What exactly is the GitHub Advisory Database and what is the mission of the team there?
- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD, and how does it fit into the ecosystem?
- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?
- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?
- You're also involved with the CVE program. Can you tell us about that?
- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?…
- For those who don't know your background or Nucleus Security, can you start by telling us a bit about both?
- You have experience in the Federal environment, and Nucleus recently achieved FedRAMP authorization. Can you tell us a bit about that process?
- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience, and where do you think innovative products and solutions can help?
- Going broader, we have seen a recent uptick in interest around VulnMgt and modernizing the way we do things. What do you think is driving this focus, and what major innovations or disruptions in the space do you see underway?
- What do you feel differentiates Nucleus Security from some of the other competitors focusing on this problem?
- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities and repeated classes of vulnerabilities. What's your take on this push, and do you see it being effective?…
- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?
- Your team was recently part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience and being able to highlight RAD's capabilities to such a key audience?
- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM). What are some of the key items in there that folks need to be focusing on?
- The RAD Security team emphasizes its fingerprint capability for Kubernetes workloads. Can you unpack what this is and how it differs from signature-based security tools?
- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and the explosive growth of Kubernetes and containerized workloads?
- You are big proponents of runtime security, a category getting increased attention lately in the security industry. Why do you think runtime is so critical compared to tools or products that focus on other aspects of the SDLC or lean into "shifting left"?…
- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks. Can you touch on what some of those are?
- We know Wiz just announced a massive capital raise, and there has been talk about M&A plans for Wiz. I know you help with evaluating potential products/firms; what are some key things you look at?
- When you acquire a new product and team, what does it take to ensure a smooth integration with the Wiz team and platform?
- There's a bit of debate in the industry around "platforms" versus best of breed. How do you/Wiz think about this, and how do you ensure that as you add new products to the platform you remain a leader in the space?
- We've heard a lot of talk about AI and its implications, both for improving security and for needing to be secured. How do you and Wiz think about AI when it comes to cybersecurity, and where do you see the most promise?…
Resilient Cyber
- For folks not familiar with it, can you tell us a bit about the report, its intent and how it came about?
- Some may be asking, what's the big deal, it's just software. Can you help explain the pertinent risk we face as physical systems, infrastructure and society increasingly run on software?
- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure. Can you talk about those a bit?
- It's often said that much of the critical infrastructure is privately owned and operated. Is that true, and if so, what challenges does that pose?
- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulation with the constraints and limitations of critical infrastructure operators and organizations, such as financial, expertise and so on?
- One thing I noticed is the emphasis on industry, board, CEO and executive accountability. We're seeing a similar trend with the recent SEC rules for publicly traded companies, as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management and staff?…
- First off, for folks not familiar with your background, can you tell us a bit about your journey from your earlier IT/Cyber and military time to eventually becoming a Founder and CEO?
- What made you decide to take that leap and found not just one but two cybersecurity companies, moving on from being a practitioner?
- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?
- Have you had to navigate working on versus in the business, and what has that looked like for you?
- For aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?
- I know you're also very passionate about the veteran community in cyber. Why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?…
- Can you each tell us a bit about your background before we dive in?
- For those not in the DoD or familiar with the term, what is a “Software Factory”? What is BESPIN?
- What is the current state of mobile security within the DoD?
- Why do you think there's such a delay in maturing policy, process and pathways for mobile in the DoD, given the big emphasis the last several years on “edge”, along with the rapid growth of the remote workforce and so on?
- Are there any official mobile AppSec requirements?
- Can you tell us a bit about what tools and methodologies you use to secure the mobile-centric applications you deliver?
- Most know that in DoD and Federal there is also a lot of compliance rigor and many hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?
- Since there are no official mobile requirements, you have something of a second-mover advantage. How can you take lessons learned from the Cloud Computing SRGs and apply them to mobile?
- Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airmen on a form of compute they grew up using, all the way to those on the forward edge engaging adversaries, including in the digital domain.…
- First off, for folks that don't know you, can you give them a brief overview of your background/organizations?
- Josh, let's start with you. Can you explain some of what is going on with the drama around the NVD and what happened that caught everyone's attention?
- Dan, I know you've raised concerns around the implications for the community of the lack of CVE enrichment. How do you see this impacting the vulnerability management ecosystem?
- Josh, your team has started providing some accompanying resources to try to address the gap. Can you tell us a bit about that?
- Dan, you've started an open letter to Congress and kicked off a bit of a grassroots effort to raise awareness around the problem. How is it going so far, and what are you hoping to accomplish with the letter?
- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?
- What are some things you hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry?…
- It is often said now that identity is the new perimeter. Why do you think that phrase has taken hold, and what does it mean to you?
- How much do you think the complicated identity landscape plays a role? For example, most organizations have multiple IdPs, as well as external environments such as SaaS, that they have identities and permissions tied to.
- It often feels like SaaS is overwhelmingly overlooked in conversations about both Cloud Security and software supply chain security. Why do you think that is?
- You have published some innovative research around what you dubbed the "SaaS Attack Matrix". Can you tell us a bit about that research and how organizations can use it?
- You're also doing some really great work focused on IdP threats, such as OktaJacking, detection and even response. Can you unpack that for us?
- It's been said that the browser is the new OS, and I have seen you say that if that's the case, Push Security is the new EDR. Can you elaborate on that?
- I recently saw a headline from LinkedIn's own CISO Geoff Belknap that read "Push Security does for identity what CrowdStrike does for Endpoint". That's quite the endorsement and also a catalyst for what you focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?…
- First off, you have an incredible background, evolving from software engineer to management roles and ultimately CISO for industry-leading organizations such as Siemens and HP. I would love to hear about that journey and how you found yourself becoming an industry-leading CISO along the way.
- How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?
- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some say that CISOs would make great board members and bring a long-needed perspective on cyber risk. How has the transition from the CISO role into director-type roles been?
- Many CISOs and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms. Can you provide some guidance and tips for those looking to do something similar?
- I noticed you also have advisory roles in addition to director roles. Can you draw a distinction between the two for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?
- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of your key recommendations for those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board-level and advisory roles? What skillsets and expertise should they focus on the most?…
- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so?
- It's now been a couple of years since the fallout from notable incidents such as SolarWinds and Log4j. Do you feel the industry is making headway in addressing software supply chain threats?
- For organizations either just starting or looking to mature their software supply chain security, what are some key areas you recommend they focus their attention on?
- We have a complex landscape, from extensive use of open source, SaaS and Cloud providers to partners and third parties. How have you seen firms successfully handle this complexity when it comes to activities such as incident response?
- There's a bit of a heated debate in the industry on point products versus platforms. I know Checkmarx has a comprehensive AppSec platform. How do you view this debate, and do you think we will always see a need for point products, best of breed and comprehensive platforms in the industry?
- You spend a fair bit of time focused on SSCS research. How does your team approach these activities and share the insights with the community?
- Checkmarx shares a tremendous amount of informative and insightful research around SSCS. Where can folks learn more, and what are some of the interesting projects you are currently working on?…
- First off, for folks not familiar with your backgrounds, can you each tell us a bit about yourselves?
- Let's set the table a bit. What is software liability, and what is driving the increased calls for it? For example, the recently released National Cyber Strategy, and commentary by U.S. leaders such as CISA's Jen Easterly.
- What are some examples the software industry can draw from to establish a foundational liability regime?
- What are some of the unique challenges that make software a nuanced domain to implement something like this in, compared to other industries?
- Jim, you recently wrote a paper about "establishing the floor". Can you elaborate on that for us a bit? How about you, Chinmayi, any thoughts?
- Some have of course exclaimed that something like this could/would kill innovation and have major economic consequences, or lead to "ambulance chasing" behavior that pursues litigation as a weapon against vendors. What do you think about that?
- Chinmayi, you had a paper titled "A Bug in the Software Liability Debate", where you talked about the challenges of defining a duty of care and of dealing with unknown vulnerabilities. Can you expand on that a bit? Jim, you've talked about focusing on the outcomes/product, not the process. Why do you think that's important?
- Another equally critical part of the conversation is Safe Harbor, that is, protections for those who do perform the duty of care or act responsibly. Can you touch on that topic, and each give your thoughts on what that may look like if it were to take shape?…
- First, please tell us a bit about your background and how you got into the role you are in now. What drew you to the marketing side of cybersecurity?
- I have to be honest, many in the cyber practitioner community bemoan cyber marketers, often citing poor tactics or interactions. What do you think has contributed to this systemic feeling, and how do we get past it?
- You've talked about how there is a lot of trash marketing out there and that it's a threat to national security, and about the need for the industry, and civilians as well, to become more cyber literate. Let's hear your take on that!
- What differentiates a "good" cybersecurity marketer?
- How do you work effectively with product teams, bridging the gap between the deeply technical engineering and development types and the broader cyber business community, including activities such as sales and GTM?
- I feel there is a lot cyber practitioners, including CISOs, could learn from cyber marketers. For example, we often hear about the need for soft skills in cyber, things like communication, storytelling, relationship building, empathy and more. What do you think about that, and what lessons can practitioners, including CISOs, learn from our marketing peers?…
- Let's start off by discussing everyone's favorite topic, vulnerability management. When it comes to AppSec, there's obviously been a big push to "shift security left", which comes with CI/CD pipelines, SAST, DAST, secrets scanning, IaC scanning, etc. How have you handled scaling AppSec effectively without burdening Dev teams with massive vulnerability lists and becoming a blocker for production and delivery?
- There are a lot of tools to choose from across many categories, from source and build to runtime. How have you navigated selecting the right tools for the job? What about actually integrating, tuning and optimizing them when the team is often already stretched thin?
- On the tooling front, what has been your experience with vendor tools versus OSS options? What are some of the pros and cons you have seen with each?
- Behind all the technology is people. How have you approached building your AppSec teams?
- There are some nuances between working with existing team members and building a team. When you begin a new role, how have you approached building rapport among the team, earning trust, understanding historical team and org context and so on?
- You seem to keep finding yourself in various leadership roles in AppSec, even after a recent move back to an IC role. Why do you think that is, and what skills have helped you stand out as someone others want to work with, and in some cases work for, as a leader?
- What are some of your go-to resources for learning more about AppSec and keeping up to date in such a fast-moving and dynamic space?…
- First off, tell us about your journey to the role of CISO. What did that look like, what steps did you take, what helped prepare you and so on?
- To many, the CISO is considered the pinnacle of the cyber career field. How did it feel when you landed the role, and looking back a year later, what are some thoughts that come to mind?
- We know that as you become a more senior leader, you get less into the nuance and details of the technical activities and more focused on strategy, vision, organizational objectives and so on. Can you speak about balancing technical expertise and experience with learning to better engage your business peers and fellow leaders across the organization?
- A key part of being a CISO is building and empowering the team around you to ensure security is successful. How do you approach building and leading a team as a CISO?
- Something worth calling out is that you aren't the CISO of an SMB or commercial product company; you're the CISO of a Federal agency. That comes with its own unique challenges, demands and complexity, from resources and requirements to compliance rigor and more. Can you speak a bit about the unique aspects of being a Federal CISO and how you've navigated them so far?
- What are some of your biggest lessons learned, challenges and recommendations around being an effective leader?
- For those aspiring to become a CISO, what resources and steps do you recommend?
- Let's talk a bit about your current role and organization, as many are of course interested to hear about that. What are some key strategic objectives you're focused on at CDC, to the extent you're able to speak about them publicly?…
S6E3 - Ross Haleliuk - Cyber for Builders & The Cyber Ecosystem (1:02:42)
- First off, tell us a bit about your background and how you got to where you are now in your career.
- What led you to write the book? Tell us a bit about the process and the experience so far, given you didn't take a traditional route with a standard publisher.
- Your book is broken into different sections, such as security as an industry, understanding the ecosystem and trends shaping the future of cyber. Let's dive into some of those.
- You talk about how cyber is horizontal, not vertical, and the role of trust. Can you elaborate on that and how it makes our field unique?
- You talk extensively about the role of capital, the different types of capital/investors and how it prevents cyber companies from failing at standard rates, or avoiding natural selection as you call it. I suspect this contributes to what some perceive as "too many security vendors". Do you think that's the case, and is there any merit to the too-many-vendors argument?
- You dive deep into the role of industry analysts and how they impact purchasing decisions, especially among large established firms and organizations. Do you think industry analyst firms have the same impact as they did a decade ago? What impact do you think social media, "influencers" and practitioners themselves being more vocal about products, tools and methodologies are having?
- One topic you cover that I really enjoy is moving from promise-based to evidence-based security. You talk about outcomes over promises and buzzwords, but we also know it is hard to quickly determine whether a tool or vendor keeps its promises, and it isn't only about tools; resources, staffing, internal expertise and bandwidth all play a part. Can we delve into that topic a bit?
- Do you think security practitioners being more involved in the buying process is also driving change?
- Let's pivot a bit to founders. You have produced incredible pieces on the founder ecosystem: the pioneer firms who led the way, the role of large publicly traded cyber firms and the role of networks among military, Israeli and repeat founders. It feels like the old saying that success begets more success. Do you think there are lessons from these pioneer and repeat founders that some new founders neglect, and are there opportunities for new founders to disrupt the way things worked in the past?
- You also stress the need to validate problems before going all in on a company focus and product. This is one I am passionate about, as cyber often feels like a hammer looking for a nail. You discuss how the problems experienced by the cyber "1%", such as Silicon Valley and cloud-native startups, are much different from those of big enterprise firms, but the latter is where the money is. I assume it is tempting to focus on the sexy and shiny issues and not realize that's not always where the money is?
- Looking to the future, you discuss the convergence of software engineering with security, with the push for everything to become as-Code, the adoption of DevOps, now DevSecOps, and of course the Cloud. What do you think security practitioners of the future look like, in terms of key differences from today?
- I personally think it is very important for security practitioners to step back and actually understand the ecosystem they operate in, as it is easy to get caught up in a specific product, platform or cyber role and lose the bigger picture. Your articles are among the best on this topic in my opinion, especially on products, vendors, capital and more. What advice do you have for security practitioners when it comes to better understanding the broader ecosystem they operate in?…
S6E2 - Jacob Horne - 171, CMMC and the Federal Compliance Landscape (1:03:14)
- For folks not tracking, let's level set a bit. What exactly are NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two?
- Are there notable events that led the DoD to pursue CMMC, building on the history of 171?
- Obviously the introduction of third-party assessment by C3PAOs brings more rigor than previously existed with self-assessments. Many in industry (myself included) have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry. What are your thoughts on the potential to impact the DoD supplier base and lead to further consolidation?
- Many DIB suppliers are of course SMBs who rely on CSPs and MSPs to meet these requirements or conduct their daily operations, leveraging various external parties. How does CMMC handle entities like CSPs and MSPs?
- There was recently a memo from the DoD CIO clarifying some language around "FedRAMP equivalency" for DFARS 7012. First off, what is 7012, how does it tie to 171 and CMMC, and what did the DoD CIO memo essentially say?
- Most SMBs in the DIB lack internal cyber expertise and resources, and of course this has led to a booming industry of 171/CMMC consultants and C3PAOs. What are your thoughts on that growing ecosystem, and how do SMBs ensure they're working with the right advisors and assessors?
- What are some of the details on the timelines and rollout of the finalized CMMC rule? When and how should folks be preparing?
- Many are of course quick to claim "compliance isn't security" when discussing things like 171 and CMMC. What's your initial reaction to those claims, and how do we help folks understand that industry will not voluntarily spend on and focus on security requirements without being required to do so?
- CMMC of course has a ConMon aspect; right now that is done via annual self-assessments/reporting, as I understand it. What do you think CMMC gets right on this front, and what could be done better?…
- You've been heavily involved in the AI dialogue in the industry as it has heated up. How did you get your start specializing in software security and, most notably, AI?
- AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use?
- We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical for Governments to act so quickly on this emerging technology, especially when Government is historically reactionary and slow to adapt?
- What are some of the key considerations to keep in mind to securely govern and regulate AI without hindering innovation and the economic prosperity and potential that AI may bring?
- You're involved in efforts such as the OWASP AI Exchange. Can you tell us a bit about that effort, how it came about and how practitioners can learn from and leverage it?
- Compliance can be cumbersome, with many overlapping and often duplicative frameworks that industry has to wrestle with. You've been working on an effort dubbed "OpenCRE". Can you tell us a bit about that and what the goals are?…
- Tell us a bit about your cybersecurity journey; you've held a variety of roles with FFRDCs and in industry.
- You've been talking a good bit about the latest Secure-by-Design push. What do you make of it? I know you've raised concerns about the need for research to determine the effectiveness of these "secure" SDLCs.
- AI and ML are everywhere we turn in cyber industry discussions. You've been speaking about the role of ML in cyber detection, for example, going back several years. There's a lot of focus on the risks of AI, but what do you think about the promise of AI and ML to help defend organizations and agencies?
- I know you've been discussing threat-informed defense and even took a swing at NIST 800-53/FedRAMP and its relevance. Can you elaborate on this, and on how you think we're getting it wrong as an industry with regard to compliance and security?
- You recently had great comments about the risks in public cloud attack surfaces and the implications for national security. Let's dive into that one; give us some thoughts on this front.
- We're heading into 2024, so let me ask, what are some of your top predictions for what we may see in cybersecurity over the next year?…
- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career-wise.
- What are some of the key differences with cloud-native security?
- There are a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?
- This also implies there are a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?
- There's a lot of focus of course on shifting security left, CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?
- Can you tell us a bit about Aqua Security, what you do and what makes you unique among the other platform providers and security companies out there?
- What does the term "cyber resilience" mean to you?…
- Nikki - Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations; was there a singular event that spurred your interest?
- Chris - What are your thoughts on guardrails in the cloud and using things such as event-based detections?
- Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been, and do you think having the practitioner background helps you be a more effective Product Manager and leader?
- Nikki - There's a lot of talk around DataOps and SecOps; we're really seeing a bridging of fields and concepts to bring teams together. I wanted to talk a little bit about the human element here. Do you see more of this blending of fields/disciplines?
- Chris - I know you've recently taken a new role with Monad, which focuses on the Security Data Lake. What made you interested in this role, and why do you think we're seeing so much focus on Security Data Lakes in the industry?
- Nikki - What are some of the emerging trends you see in cyber attacks against cloud? What should people be most concerned with and focus on first when it comes to cloud security?
- Chris - You also run the Cyber Pulse newsletter, which I read and strongly recommend for news and market trends. What made you start the newsletter, and have you found it helps keep you sharp due to needing to stay on top of relevant topics and trends?
- Nikki - What does cyber resiliency mean to you?…
- Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious: what are the biggest pain points you see now in VulnMgmt?
- Chris - I recently saw a blog of yours on Exposure Management, contrasting it with Vulnerability Management. Can you talk about what Exposure Management is and the differences between the two?
- Nikki - What got you interested in research? I'm always curious, because it is such a niche space within cybersecurity and I love meeting other researchers. How do you think cyber benefits from research, and vice versa?
- Chris - You also recently had some content doing a deep dive into nation-state threats. We're increasingly seeing cyber play a part in nation-state conflicts. Why do you think that is, and can you touch on how this plays into regulatory fallout as well?
- Nikki - I want to talk about your blog post on "The Blob", where you describe how people use similar terminology and language (false messaging) to steer the conversation on security tooling. Can you talk a little more about this concept and what you think it means for the industry?
- Chris - You have been having conversations about Detection Engineering. Can you talk about how it differs from legacy/traditional SecOps and what the future of Detection Engineering and Detections-as-Code looks like?
- Nikki - What does cyber resiliency mean to you?…
- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM?
- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former as part of the latter, and what challenges do you think organizations face trying to tackle both?
- TPRM often involves the manual, subjective, lengthy questionnaires we are all painfully familiar with. How effective do you think these are, and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire-type activities?
- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensure all of their 3rd- and nth-tier suppliers do. Is this a Gordian knot type of situation?
- What are your thoughts on first-party self-attestations versus 3rd-party assessments? Each has its pros, cons and challenges.
- The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?…
Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?
Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit with us and your thoughts on it?
Chris: I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in-line with a push for security to be more tightly coupled with and speak the language of the business.
Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance and what should organizations know about setting up complex logging environments?
Chris: As we continue to watch the security data space evolve I know you've been championing the concept of, and even have written extensively about the term "SecDataOps". What is this exactly, and why do you feel like it is the time to have the industry move this direction?
Chris: We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework and what are the challenges of not doing so?
Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two part question - what got you interested in taking on an advisory role and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level?
Nikki - What does cyber resiliency mean to you?…

Resilient Cyber

Nikki - I wanted to ask you first what got you so passionate about vulnerability management - what was it that first sparked your curiosity and interest in security research?
Nikki - You do a lot of awesome graphics and visualizations of vulnerability data from both CISA KEV and around types of CVEs - what kind of statistics do you think are most important for security practitioners to know - and on the other side, what is most important for executives to understand?
Chris - You've now begun to even start to submit known exploited vulnerabilities to CISA to be added to the KEV, can you tell us about that experience, how you're identifying them and how the process has been?
Chris - We talk a lot about the need for vulnerability context, going beyond CVSS and using things such as KEV and EPSS. In your work, how do you see organizations leveraging context to help vulnerability prioritization?
Nikki - We know that organizations could have a backlog of up to 10k vulnerabilities - based on some recent statistics. Where do organizations start? How do they get a handle on vulnerability management?
Chris - What are some other trends you see in Vulnerability Management that organizations can use to start to get a handle on things?
Chris - You've made the transition from marketing to vulnerability research, visualization and some would say industry leader. Can you speak about the journey and advice for others looking to follow a similar path?
Nikki - What's next for you - besides being the pre-eminent vulnerability researcher in this space?…

Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close?
Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud providers?
Chris: You recently contributed to a report with the Atlantic Council about the systemic risks of Cloud and Critical Infrastructure. Can you speak on that a bit? What are your thoughts about systemic risks as more and more of our critical infrastructure and national security systems now become reliant on cloud?
Chris: While we know most cloud security incidents are due to customer misconfigurations, we've recently seen some major hyperscaler CSPs experience some very damaging incidents that impacted many. Do you think these incidents are causing some organizations and industries to second guess their plans for cloud adoption or lead to trust issues in Cloud?
Nikki: One of my biggest concerns in cloud environments is Identity and Access Management (IAM) - especially in complex development environments. What are some of the major configuration challenges around IAM in cloud?
Nikki: What is your favorite cloud security statistic?
Nikki: I have to bring in the people angle - do you think that current tech teams have the skills and tools they need to manage cloud environments? Do you have any references or skills you recommend as teams build bigger cloud environments?
Chris: On the people front, we know misconfigurations reign supreme for cloud security incidents. Do you think organizations are waking up to the reality that they have to invest in their workforce when it comes to adopting technologies such as Cloud?
Chris: We know you have your fwd:cloudsec event which has become an industry staple for learning and information sharing on cloud security. How did the event come about and what does the future look like for it?…

- For those who haven't met you yet or come across your work, can you tell us a bit about your background?
- First off, tell us a bit about OpenPolicy, what is the organization's mission and why did you found it?
- Why do you think it's important for there to be tight collaboration and open communication between businesses, startups and policy makers?
- Some often say that policy is written by those unfamiliar with the technology it governs or the impact of the regulation and it has unintended consequences. Do you think this occurs and how do we go about avoiding it?
- You were recently involved in the launch of the U.S. Cyber Trust Mark program for IoT labeling, can you tell us a bit about that?
- We're seeing increased calls and efforts for regulating technology and software, especially around software supply chain security, Secure-by-Design products and not leaving risk to the consumers. How do we balance the regulatory push without stifling innovation, which is often the concern?
- I recently saw you launch your own show and interview Jim Dempsey, who I've interviewed in the past. Among other topics, you all touched on the recent SEC rule changes and the increased push for cybersecurity to be a key consideration and activity for governing publicly traded companies. Why do you think we're seeing such a push?
- For those looking to learn more about Open Policy, and your efforts around digital policy and regulation, where can folks learn more and potentially even get involved?…

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?
- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat? Given the ubiquity of software, this seems short sighted, no?
- In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS. Can you expand on that and the challenges with addressing it, particularly in the cloud?
- There are fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?
- The Defense Industrial Base (DIB) is often called the "soft underbelly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMBs and further constraining the diversity and resiliency of a DIB supplier base?
- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout?
- Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?
- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy? Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even of the DoD and national security. How do we go about better informing and engaging the citizenry on this front?
- Another aspect you touch on is that this isn't just a technical issue, but there are efforts such as misinformation to degrade trust in our institutions, sow resentment and stoke flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?…

Nikki - In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have there been any benefits you've seen in academia that you've brought to the military space, or vice versa?
Nikki - We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment?
Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020?
Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?
Nikki - We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area?
Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space?
Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?
Nikki - Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?
Nikki - What does cyber resiliency mean to you…

- You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey?
- Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment?
- We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?
- OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF?
- You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved?
- Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle on what to work on first. Where do software teams start?
- Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?
- What does cyber resiliency mean to you?…

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?
Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago?
Chris - When approaching leadership, it can be tough to sell the concept of being disruptive. What advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?
Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people hear 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?
Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out, and have your views been met with defensiveness among some who hold those views?
Nikki - One of my favorite parts of chaos engineering is the hypothesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach?
Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?…

- First off, can you each tell us a bit about your backgrounds and experience in the space?
- What made you all decide to found Stacklok, what gaps and opportunities in the ecosystem did you see?
- What are your thoughts around the industry's response to software supply chain security and how do you see things such as OSS and Sigstore playing a role?
- While we've seen tremendous adoption of OSS for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support etc. How do organizations balance these concerns while still taking advantage of OSS?
- No software supply chain security discussion would be complete without touching on SBOM, which has gotten a lot of industry attention on the topic. What are each of your thoughts on SBOM?
- Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it is and will have on software supply chain and cyber?…

Nikki - What does cyber resiliency mean to you?
Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission or CSC, in particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment?
Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we're headed as a nation on the Cyber front and do you think we could be doing more, and if so, what in particular?
Chris - I recently saw you made comments regarding Cloud Service Providers (CSPs) and their lack of being designated as critical infrastructure, I believe. I have seen similar comments from the ONCD, due to how critical CSPs, especially major IaaS providers, are to the nation. Why do you think they have avoided this designation as long as they have?
Nikki - There are a lot of us in cybersecurity that got into it to help defend our nation and protect our country (myself included). Are there ways that other cyber defenders or technical professionals can get involved or any resources you would recommend?
Nikki - I don't see a ton in legislation or in the Executive Order about the human element behind cybersecurity and our challenges with risk management. Do you foresee any legislation or anything that may come out around how to protect our users and even our security practitioners?
Chris - I mentioned the NCS earlier, a big part of that was shifting market forces, the idea of software liability and also safe harbor. What are your thoughts on this topic?
Chris - CISA recently released "Secure-by-Design/Default" guidance for software suppliers and manufacturers. I wrote an article recently tracing the advocacy for "secure by design" back 50 years to the Ware Report. Yet here we are, still advocating for the same concepts. What do you think it will take for this to become a requirement rather than a recommendation and how important is this paradigm shift for national security?…

Nikki - You're a newly minted CISO and SES - how's it going? How have the first few months been in the role?
Nikki - With your background in both Academia as an Adjunct Professor and with your cyber and executive leadership experience - how important would you say the intersection of academia, research, and leadership is?
Chris - We know you're a big proponent of servant leadership. What does being a Servant Leader in Cybersecurity and more broadly in general mean to you?
Chris - We have been discussing soft skills lately with various guests. Why do you feel like soft skills are so often neglected, yet so critical to being an effective leader?
Nikki - As someone who is relatively new to a CISO role - what surprised you about the role? Were there any challenges or anything that came up initially that was surprisingly good?
Nikki - What experience do you recommend for anyone who's looking to move into a cyber manager or CISO leadership role at an organization? Any books or references you recommend for anyone around leadership?
Chris - As we look at the Federal Cyber landscape, there are a lot of efforts under way from the EO, OMB Memos, Zero Trust, Software Supply Chain and the list goes on. How do you calibrate your focus in your new role?
Nikki - We've seen a lot in the news around the National Cyber Strategy and other federal legislation potentially in the works. Are you seeing things like Zero Trust and Software Supply Chain security being top of mind? Or are you more worried about things like ChatGPT potentially being used by the Government?…

Chris - To set the stage for the discussion of vulnerability management, Rezilion recently had a report that found that organizations had over 100,000 backlogged vulnerabilities. Why do you think things have gotten so bad?
Chris - Leaders also stated that they are able to patch less than half of that backlog, so thousands of vulnerabilities never get addressed. Doesn't this create a situation ripe for malicious actors to exploit?
Nikki - You have a background in both data science and security research - where do you feel like the intersection of both of these areas meets? Do you feel like we need more data science experience in cybersecurity?
Nikki - Vulnerability management - my favorite topic. Why do you think people are just now starting to bring back up vuln mgmt? It seems like it's been almost 10 years since I've seen substantial research and guidance in this area.
Nikki - Security research is seen in two distinct ways - in both the vulnerability identification and in academia - but both are looking at different problems and solving in different ways. Where can the two sides of the coin come together and benefit from sharing research?
Chris - On the topic of vulnerability prioritization, organizations seem to be struggling. We know going simply based off of CVSS isn't wise, what are some prioritization tactics organizations can take to address vulnerabilities that pose the most risk in that massive backlog we discussed earlier?
Chris - We know that less than 1-2% of CVEs are generally exploited by malicious actors, and while that number may sound small, as the number of published vulnerabilities grows, that 1-2% represents more and more exploitable vulnerabilities. What do you think is driving the growth of CVEs, from a few thousand in the 1990s to over 190,000 now?
Nikki - What are the top 3 trends you're seeing in vulnerability management and identifying vulnerabilities? What should we be most concerned with?
Nikki - What does cyber resilience mean to you?…

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?
Chris - SaaS obviously involves a lot of third-party integrations. What are the risks of these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?
Nikki - Chris and I have talked a lot about software security, SBOMs, and what open source security looks like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain?
Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations?
Nikki - When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations?
Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc.?
Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks?
Nikki - I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits?
Nikki - What does cyber resilience mean to you?…

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?
Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. At NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?
Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and look into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing?
Nikki: You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices?
Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?
Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVEs but components identified in its SBOM do?
Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have gone on to industry cyber roles and now as a CEO?
Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization?
Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out?
Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?…

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?
Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession?
Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN. In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked?
Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool.
Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time.
Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?
Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?
Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity?
Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry?
Chris: We know there are rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two?
Nikki: What does cyber resiliency mean to you?…

Nikki - First - tell me a little bit about yourself and your background.
Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR?
Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful?
Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there?
Nikki - One of your previous roles was Deputy Director of People Analytics. I've not heard much about this role before and I'm interested in what that type of position entails and what that means to the people in an organization?
Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams?
Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise?
Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails?
Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing.
Nikki - Can you talk about some of the other innovation in the HR space?…

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?
Chris: You have done a lot of research into software supply chain security, and of course SBOMs. In one recent study you took a look at the quality of SBOMs in the OSS ecosystem, compared to, say, the NTIA defined minimum elements for SBOM. Can you tell us a bit about the study and implications of the findings?
Chris: In addition to SBOM, we're seeing the emergence of VEX, can you speak a bit about its importance?
Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow", but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?
Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?…

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and career.
Chris: We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?
Nikki: There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOMs and challenges of that nature?
Chris: We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?
Nikki: We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?
Nikki: I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to seeing successful cloud adoption and software modernization?
Chris: Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATOs in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?…

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security? Nikki - I see you do a lot of work in Cybersecurity and cloud education. Do you feel like we have better tools and resources today than a few years ago? Or too many resources? Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering, can you tell us a bit about it and the role it plays in Cloud Security? Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that, and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals? Nikki - What would you recommend for anyone getting started in the cloud, moving from on-premises or data centers? What should they do first? Nikki - What do you think is next for cloud? I see so many debates in the industry, and it seems like there's a trend towards creating systems on-prem versus in the cloud. Chris - I know in addition to your professional role you're a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path? Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?…
Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYDFS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law? Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity onto the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobiles. Chris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense that it isn't tangible or kinetic, and can be very opaque. What impact do you think those characteristics have on trying to regulate it like we have done with other industries? Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much? Chris - Many started to raise questions such as who will define "secure", who will validate or verify it and how, and where the line of responsibility sits between the software supplier and consumer. Any thoughts on these topics and questions? Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think we balance regulation without stifling innovation in the tech industry? Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations?
Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services, and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim, that these sorts of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and whether it is worth the trade-off? Chris - Many compliance and regulatory schemes take one of two approaches. The first is a self-attested model where entities self-attest their compliance, as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a third party verifies compliance, as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches, and where do you see us heading with regards to, say, the National Cyber Strategy, liability and so on?…
Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic? Nikki: I saw you spoke to Ron Ross recently; we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners? Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over, say, SAST and DAST? Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where we're headed on this front as an industry? Chris: With the release of the National Cyber Strategy yesterday, I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy, and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability. Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP Top Ten, but there are so many free resources and tools available for developers and security professionals. Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership? Nikki: Can you talk a little bit more about Contrast Security and the type of work you all do?
Would like to hear more about what the company has going on and anything else you may have coming up. Chris: Continuing on with Contrast, I am interested in the founder's journey a bit. Contrast has been around for nearly a decade and is now up to several hundred employees. What has that journey been like, and what are some of the major ways the industry has, or hasn't, changed during that time?…
Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law? Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus, say, an authoritarian regime or nation? Chris: I know you have a background with the DoJ and U.S. Attorney's office. Are there some challenges with, say, cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on? Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination? Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents. Are there any historical parallels to what we are dealing with today? Do you think we'll ever get out of it? Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and schools are doing to shape cyber legislation? Nikki: If you could give one message to the American people about how we will address this challenge, what would it be? Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. To the extent you're able to share, there's been a lot of buzz and rumors about an increased call for regulation. Do you have any thoughts on that front? Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations.
How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society? Nikki: Do you see more legislation potentially coming in the future around security governance and compliance? Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?…
Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity? Chris: I'm curious about your perspective on how to help people build soft skills, much like technical skills; some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and find dealing with people intimidating? Nikki: I wanted to first talk about the Learning resources you have on your site - the softsideofcyber.com - I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future? Nikki: This may seem like a silly question - but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you, and how have these skills aided you in your career? Nikki: What is the perfect balance of technical and 'soft skills' - do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role? Chris: You recently wrote an article on CSO Online about unleashing the power of an effective security engineering team. While you did discuss technical skills, you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career? Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena? Chris: What's next for the Soft Side of Cyber? What projects are you working on, and what are you hoping to do with this in the next 6 months?
Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?…
Nikki: My first question is about your book, The Application Security Handbook - who do you think most benefits from this type of book, and why do you think they need it? Nikki: What inspired you to write this? You have a ton of experience, from being a security architect, to working in an IAM group, to application security - I would imagine all of that expertise allows you to see application security through a unique lens. Chris: In your book you touch on the dichotomy of shifting security left while minimizing friction between the Security and Development teams. This is a common challenge many security teams face. Can you elaborate on some of your recommendations on this front? Chris: You also emphasize the role of security champions and democratizing security to some extent through this approach. What exactly is a security champion, and how do organizations go about doing this? Nikki: You mention threat modeling in your book - what do you think is the best place for Application Security programs to start when building in threat modeling? This is typically a higher level of maturity for programs, and I'm curious at what point it's best to integrate threat modeling. Chris: We're obviously seeing a big push for robust CI/CD pipeline tooling for security such as SAST, DAST, SCA, Secrets Scanning and so on. Of course this tooling all produces noise. You lay out some strategies in the book on dealing with that. Can you touch on some of those here? Chris: I would be remiss if I let you go without discussing Software Supply Chain Security and SBOMs. I know you touch on SCA, OSS and SBOMs in the book. Why do you think it is key for organizations to start including this in their appsec programs? Nikki: What do you think are the greatest concerns when building a mature application security program? What are the biggest impediments? Nikki: What does cyber resiliency mean to you?…
- Can you tell us a bit about the book, what made you want to write it and how you settled on this topic? - Historically IT and Security have been at odds, often feeling like the other party is conflicting with their goals and responsibilities. Why do you think this is? - Do you think the push for DevSecOps and breaking down silos between Security and Operations (and Development) has helped at all? - Your book talks about emotional intelligence, empathy and non-technical traits. How critical do you think those are in this situation and why do they not get discussed enough? - What methods do you think IT and Security teams can take to improve their relationships and drive towards a unified outlook and goals? - What do you see as the biggest gaps on this topic as we move into the future?…
Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next? Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO, and your experience writing it? Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far-reaching? Chris - What do you think organizations neglect most when it comes to secure software development? Do you think the OMB memo will have a rising-tide impact on the ecosystem outside of Government, like other frameworks such as CSF? Nikki - What are some of the most fun parts of your job? You've written so much incredible content, not just for the cybersecurity industry; so many SMBs and not-for-profits can use the NIST guidance as a place to build their cybersecurity programs. Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use. Chris - What are your thoughts around the attention as of late on software supply chain security, SBOMs and topics in that domain? Do you think we need more guidance and publications on this front? Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity, and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about? Nikki - What does Cyber Resiliency mean to you?…
Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance. Chris: How do you think things such as Cloud, DevSecOps and shift-left security have changed vulnerability management? Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? With more sophistication of attacks by malicious actors, we have to create more Chris: Most of us know the Common Vulnerability Scoring System (CVSS), but many critique it, saying CVSS scores alone aren't enough to drive vulnerability prioritization. What role do you think things such as Threat Intelligence should play? Chris: In addition to CVSS, CISA has recently been making a push to evangelize the Stakeholder-Specific Vulnerability Categorization (SSVC) guide. Can you tell us a bit about it and your thoughts about how it fits into the conversation on vulnerability scoring and prioritization? Nikki: There is a renewed focus on exploitable vulnerabilities, with the Known Exploited Vulnerabilities catalog by CISA, as well as the EPSS, or Exploit Prediction Scoring System - do you think we're headed in the right direction with helping to prioritize vulnerabilities and not just remediate everything?…
Nikki - I wanted to start with the major explosion of ransomware and ransomware-as-a-service across all industries. This seems like a good starting point for why cybersecurity advisors belong in the boardroom. Do you think the sophistication and ease of purchase of ransomware should be part of the conversation to bring more cyber experts in? Nikki - You made a post recently about the vast cybersecurity risk that APIs pose to organizations. API security has been top of mind given how prevalent they are and how useful they are to both administrators and developers. Do you think API security will become a more prevalent topic in the coming year? Chris - It seems logical that boards should have cybersecurity expertise in the mix given how critical technology is to most modern businesses. Why do you think it has taken us this long? Chris - What are some of the largest coming changes you think will drive this paradigm shift? I know groups like the SEC are pushing for organizations to disclose to what extent they have cyber expertise on the board. Nikki - What do you think organizations can do that may not have the budget or contacts in place to add cybersecurity expertise to their boards - is there somewhere they can start? Chris - I know you recently have spoken about the incident reporting timeline changes from the SEC and the need to provide insight into the "materiality" of a breach. For those unfamiliar with the term, what does it mean, and is the CISO even in a position to know this? If not, who is? Chris - To flip it a bit from the board's perspective, for practitioners aspiring to fill this emerging need for cyber expertise in or among the board, where should folks begin? How do they position themselves as desirable candidates for these board opportunities?…
- Before we dive into the technical topics, you're a repeat Founder, including some acquisitions of firms you've founded. Can you tell us a bit about that founder's journey and what leads you to creating organizations? - Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic, and has it always been, or do you feel it is increasingly complex? - One of the challenges organizations have around OSS use is OSS Governance and software component inventory. Can you speak a bit about that challenge and how you are looking to solve it? - A term thrown around a lot is "Dependency Hell" - which is the term developers use when it comes to managing their often large dependency footprints when it comes to updates, patches, versioning and so on. How are you seeing this problem addressed? - There's a lot of hype around SBOMs and VEX. What are your thoughts on SBOMs and how they fit into the conversation around securing the software supply chain? - One issue with the increased transparency is development teams drowning in hundreds or thousands of vulnerabilities. As you know, this doesn't actually mean they are exploitable. How do we cut through that noise to drive down risk but also frustration? - We talk a lot about CVEs and Vulnerabilities and so on, but I know you recently shared research from Chinmayi Sharma, who I've interviewed - and she points out CVEs are just one potential risk of OSS dependencies. Any thoughts on leading indicators of risk, as they're often called? - Moving forward, what are some things you are focusing on at Endor Labs, and where do you see us heading as an industry on this topic, in say 2-3 years?…
Nikki: With your latest book, the Security Yearbook for 2022, this is the third iteration of the series, right? It started in 2020 and has only grown since then. Can you talk a little bit about why you started this annual compilation of research? Nikki: For any other security practitioners or anyone in the field who's interested in writing a book or putting together a comprehensive manuscript or research, do you have any tips or advice for them to get started? Chris: Can you tell us about your endeavors with IT-Harvest and your IT industry research? What is it, and how did you get started? Chris: I know you serve in various advisory roles. How does your industry research help inform your advisory perspective? Chris: Based on your current IT industry research, what are some of the most alarming or interesting trends around vendors, investors and M&A you see currently? Nikki: What is one of the most surprising statistics that you've uncovered year after year? I know one that continues to surprise me is just how prevalent and SUCCESSFUL phishing attacks are. What about you? Nikki: What are your top recommendations, based on your research, for security practitioners and business owners to be aware of and focus on when it comes to risk mitigation? Chris: Looking at the current IT industry and trends, what is one prediction you have for some of the most significant changes we can expect in say 3-5 years?…
- You recently wrote an article about the SBOM frenzy being premature. For those not familiar with SBOMs, what is an SBOM, and what has led to the frenzy, as you call it? - In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOMs unless a build occurs on two identical machines. Can you explain why that is? - What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermetic Builds play in alleviating some of these concerns? - Given the challenges of dynamic, ephemeral build environments and hosts, do you think this undermines the usefulness of SBOMs as an industry artifact related to software supply chain security? - You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case? - You mentioned challenges with CVEs and their accuracy. As many know, CVEs are created via CNAs and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry? - You were involved in founding OWASP. I personally, and I suspect many others, would love to hear about that a bit, given just how much of an industry staple OWASP is, from Top 10 lists, CycloneDX and countless other widely used projects. - You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address them to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?…
Resilient Cyber
S3E24: Chinmayi Sharma - Tragedy of the Digital Commons (1:01:26)
- First off, tell us a bit about your background; you were a developer prior to focusing on Law. Why the change, and do you feel that technical background helps you in your legal and academic career? - Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication? - You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that? - Your paper is broken down into several sections, so let's step through those and dissect each area a bit. - You touch on the unique aspects of OSS compared to proprietary code and discuss the benefits and also the risks. Can you discuss some of those? - You claim that OSS should be designated critical infrastructure, arguably under areas such as the IT Sector. First off, why do you think it should be, and why do you think it hasn't been already? - In part II of your paper you went into topics around the origins of OSS security issues and barriers to resolution. What are some of the major issues and barriers to resolving them? - You touch on economic theory such as the least-cost avoider. What exactly is that, and why do you think software vendors in this case are best suited to fix some of the core OSS security issues? - In part III of the paper you discuss some of the current interventions and efforts. Can you touch on what some of those major efforts are? - You discuss emerging things such as the Open Source Software Security Act as well as the OMB Memo requiring vendors to self-attest to NIST's SSDF and even provide SBOMs. What are your thoughts on these emerging requirements? - How do you think we balance the need to keep the spirit of OSS, in terms of being open to everyone, cultivating a society of citizen developers and a thriving FOSS ecosystem, while also pushing for more rigor and governance?
Do we risk constraining the ecosystem and limiting the Federal government (and industry's) access to small innovative software projects and initiatives?…
- Looking at your background, you've held a lot of Identity-centric roles and positions in the industry. How do you think Identity and associated security is evolving with the continued adoption of Cloud? - Identity is obviously at the core of the conversation around Zero Trust. What do you think some of the fundamental things organizations get wrong when it comes to IAM at scale are? - You recently made the pivot from roles with a strong Identity focus to API and API Security. What drove you to make that shift? - What do you think some of the most interesting challenges are in the current API Security landscape? - I noticed you also have an Army background. It is very common to see veterans make their way into Cybersecurity. Why do you think that is, and are there any lessons from the Army you feel have benefited you in your Cyber career?…
Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for some time via NTIA, CycloneDX, SCVS etc. How did you have the foresight, or what drove you to focus on this topic well before many others in the industry? Nikki: You mentioned recently the SBOM Forum and their recommendation that the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWEs weren't technically built for a lot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to software supply chain? Chris: I wanted to ask you about SaaSBOM, which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind, and where does it begin and end, given most of the Cloud, including Infrastructure, is software-defined? Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM" - what really caught me was the idea that BOMs, or Bills of Materials, have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOMs outside of software. What are your thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas? Chris: I want to discuss some critiques of SBOM. VEX is promising but of course requires information from software producers, and then of course trusting their assertions. VEX: Do you see a future where both SBOM and VEX are automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities? Nikki: I would be remiss if I didn't ask you about the human element in all of this.
I feel like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc., can get somewhat complex. How do you think the increased complexity around software supply chain is affecting the management and operations groups? Chris: You have long been the lead on the wildly popular Dependency-Track project. Can you tell us a bit about its origins, where it stands today and where it is headed? Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et al. - how does SCVS fit into the mix, and do you see organizations using all of it, or rallying around some of the guidance? Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?…
Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now? Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative, creative environment that is the OSS ecosystem? Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience? Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software - what should we be concerned about today versus a year from now? Chris: What are your thoughts on the current state of Vulnerability Databases? We know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA - can you tell us a bit about that and why it is needed? Chris: Do you think the emerging frameworks such as NIST 800-161 R1, SSDF, SLSA etc. are going in the right direction? Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX? Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully? Nikki: You have 341 episodes of your podcast - can you talk a little bit about why you wanted to get into podcasting? And also, do you have any tips or advice for anyone who wants to start their own podcast? Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workload and information processing for developers and teams, but it may also introduce other concerns. How do you feel about the human factor around OSS?…
- What do you think some of the primary factors are that contributed to GRC not coming along initially with the DevOps movement? - Traditionally, what factors have plagued compliance when it comes to software delivery? - How do some of those factors change in the era of DevOps and Cloud-native? - Do you think regulation has a significant impact, and how can policy and regulation be improved? - How important is it for the workforce aspect of GRC to be addressed when it comes to compliance innovation and new technologies and ways of work? - Can incentives play a part, and if so, what can we do to improve that? - Andres - What was the impetus of the book and can you tell us a bit about the writing experience? - Where can people find out more about the book?…
Chris: What do you think some of the fundamental changes of IAM are from on-prem to cloud?
Chris: What are some of the key tradeoffs and considerations for using IDaaS offerings?
Nikki: There are a lot of solutions out there that discuss zero trust as a product or a service that can be leveraged to 'bake in' zero trust into an environment. But I'm curious about your perspective - do you think we need additional tools to configure zero trust principles, or should we leverage the technology at hand to implement zero trust?
Nikki: There's this move towards passwordless solutions - I can see that being a big boost to zero trust architectures, but I think we're still missing the need for trusted identities, whether it's passwords, PINs, or tokens. How do you feel about the passwordless movement, and do you think more products will move in that direction?
Chris: You've been a part of the FICAM group and efforts in the CIO Council. Can you tell us a bit about that and where it is headed?
Chris: It is said that identity is the new perimeter in the age of Zero Trust. Why do you think this is, and how can organizations address it?
Nikki: There was an interesting research publication I read, titled "Beyond zero trust: Trust is a vulnerability" by M. Campbell in the IEEE Computer journal. I like the idea of considering zero trust principles, like least privilege or limited permissions, as potential vulnerabilities instead of security controls. Do you think the language is important when discussing vulnerabilities versus security controls?
Chris: What role do you think NPEs play in the modern threat landscape?
Chris: If people want to learn more about the Federal FICAM/ZT strategies, where do you recommend they begin?…
Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?
Chris: What are some of the most notable critiques of CVSS?
Nikki: I read your article 'A Closer Look at CVSS Scores' and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Critical vulnerabilities they see based on this scoring method?
Chris: Do you think organizations approaching vulnerability management using CVSS strictly from base scores is an effective approach?
Nikki: Do you think that the industry needs a shift as far as vulnerability scoring systems? Not from a mathematical or quantification space, because we have some great people working on that, but from the understanding of how those vulnerabilities actually impact their businesses?
Nikki: Where do you see vulnerability scoring and vulnerability management activities heading? Do you think we need some other methods for scoring insider threat and accumulating those scores with hardware and software vulnerabilities?
Chris: Pivoting a bit from vulnerability scoring, I know you're also involved with groups such as OpenSSF. Can you tell us a bit about that work?
Chris: What are your thoughts on software supply chain security more broadly, in terms of SBOMs, VEX, and the uptick in software supply chain attacks? Do you think we're trending in the right direction to respond to the rise in these attacks?…
Chris: So you're a proponent of a term called RegOps. Can you explain to us a bit what that is and how it differs from traditional compliance?
Nikki: I'm interested in your background from Solutions Architect, to CTO, to co-founding and running companies. Do you have any advice for other architects or IT and security practitioners for building up leadership skills and transitioning to business ownership?
Chris: Do you think the evolution of Cloud and API-enabled platforms is positioning us to innovate in compliance and potentially keep pace with DevSecOps?
Nikki: What are some of the biggest reasons that organizations fail audits - do you feel like GRC/compliance and framework adoption is too challenging? Do you think that organizations are underwater with missing controls, and where can they start?
Chris: We know you're a big proponent of OSCAL, and your organization RegScale has contributed to some of the OSCAL working groups. For those not familiar, can you explain what OSCAL is and the potential impact it can have on compliance?
Nikki: What do you see as some of the emerging trends around solving compliance issues - do you think we need a mix of tooling, processes, and orienting our practitioners/users to adapt? Or do we have so many different frameworks/guidelines that it can be difficult for us to keep up?
Chris: Looking at the future of compliance in, say, 3-5 years, how different do you think it will be, and do you think this push towards automation, APIs, codified artifacts and such will change compliance forever?…
Nikki: In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture?
Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?
Chris: What role do you think service mesh plays in the push for Zero Trust and maturing security in cloud-native environments?
Chris: I've heard you use the term Secure Service Networking. What exactly is this, and is it different than service mesh? We know there are the four pillars of Service Networking: Service Discovery, Secure Network, Automate Network, Access Service. What are these exactly?
Chris: In the context of microservices and Kubernetes, how does networking change?
Nikki: The field of engineering is growing more and more; we have Infrastructure Engineers and Application Engineers, versus the traditional job roles of Systems or Software Engineers. Do you see an industry trend moving to expanding the engineering field into different disciplines, like Platform Engineers? Or do you think some of these roles are similar but are getting updated titles?
Chris: HashiCorp has some excellent offerings such as Terraform, Vault, Consul and so on. What resources can folks use to upskill in these technologies?
Nikki: I saw you recently did a talk on securing service level networking for the DoD - do you feel like a lot of those principles apply outside of the DoD or federal space? Or do you see the private sector using more of these technologies?…
Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?
Chris: Kubernetes, while it has many benefits, is also a very complex technology. What are some of the key things organizations should keep in mind when using Kubernetes securely?
Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject, and I'm curious what you think the importance of RBAC around Kubernetes may be.
Chris: Any nuances or recommendations for those rolling their own versus using managed Kubernetes offerings?
Nikki: What does governance look like around Kubernetes - specifically around large, multi-cluster environments?
Chris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes?
Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?
Chris: You lead the Kubernetes Top 10 project with OWASP. Can you tell us a bit about that?
Nikki: Where do you think Kubernetes, clusters, etc. are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?
Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if not, how can we fix that?
Chris: We know you are the CTO and Co-Founder of KSOC - tell us a bit about the firm, what you all specialize in, and what led you to founding it?…
Nikki: In some ways I think "software supply chain security" has become almost a buzzword, or buzz phrase. But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISOs or security leaders should know?
Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?
Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience, and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts.
Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.
Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and its utility in the broader software supply chain security conversation?
Chris: SCRM can be like eating an elephant when you look at CSPs, MSPs, software, and so on - what are your thoughts for organizations that don't have the resources of, say, a Citibank, such as an SMB? Where do they start?
Nikki: I think we're still missing the human element of what a software supply chain security program looks like - how do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?
Chris: There has been a lot of focus on containers of course in the conversation around cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult to manage?…
- For folks that are not familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?
- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?
- Any thoughts on notable incidents such as SolarWinds? Do you think they brought more attention to the build environment?
- What are your thoughts on emerging guidance such as SLSA, NIST SSDF or 800-161? Do you think these are helping bring attention to best practices on securing pipelines?
- In the context of software supply chain security, why do you think pipelines are so critical?
- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX, and how can pipelines help facilitate that?
- Cider has produced some excellent resources such as articles and also CI/CD Goat - how do you all keep innovating on the knowledge and tooling front, and how has it been received by the community?
- One of those resources is the Top 10 CI/CD Security Risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?
- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?…
Resilient Cyber
- Why do you think Cybersecurity has traditionally been seen as an IT issue?
- With more and more economic activity being tied to digital platforms, do you think organizations are realizing that cybersecurity is tied to business outcomes and value?
- What do you think of recent activities by the SEC to require organizations to disclose cyber expertise among their board makeup?
- How critical do you think Cybersecurity is for organizations competing in the modern digital economy?
- Any advice or recommendations for Cyber professionals trying to communicate risks with their business peers?
- How do you see the role of the CISO evolving with the push for Cyber at the C-Suite and beyond?
- Where can folks find out more about the ISA?…
- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?
- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?
- How do organizations go about ensuring they get a qualified vCISO? Any things in particular to watch out for?
- For those looking to get started serving as a vCISO, any recommendations?
- You are a great storyteller and communicator on LinkedIn. What made you start making your videos?
- How important do you think communication is to helping drive secure business outcomes for Cyber professionals?…
- First off, for those not familiar with Containers and Kubernetes, what are they?
- Why are organizations increasingly adopting these technologies over traditional forms of compute?
- How does Cybersecurity change with Kubernetes, and what are some things practitioners should be sure to keep an eye on?
- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings. Any thoughts there?
- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers. Do you think people simply are spinning up these new technologies with security as an afterthought?
- Kubernetes is incredibly complex. Do you think this leads to challenges around properly configuring and securing it?
- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?
- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?…
Chris: Let's start off with discussing what Purple Teaming is exactly, and what it is not.
Nikki: The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers - do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise?
Chris: People often conflate Red Teaming, Pen Testing and Purple Teaming - how do we help clear up that confusion?
Nikki: Purple teaming is supposed to be an iterative, continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another?
Nikki: The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value in using this type of cooperation between security assessment and audit teams and network defense teams?
Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LI. Can you discuss how you approach that and why it is valuable?
Chris: For those looking to get into Purple Teaming, or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource-wise for learning?…
Nikki: You have some really awesome content on LinkedIn around vulnerability management - one of my favorite posts you made recently was asking "Is vulnerability management dead?" Can you explain a little bit about what you mean? I'm curious about your take, because there isn't a ton of modern guidance around vulnerability management.
Nikki: One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of emphasis is put on CVSS scores and CVE IDs specifically. And while they are an incredibly helpful tool, plenty of vulnerabilities are not identified or are not seen in traditional vulnerability scanners. What do you think the industry can do to better use other tools/techniques to identify and remediate vulnerabilities?
Nikki: Can you talk a little bit about where you think we could use more guidance or leadership around vulnerability management? I really don't hear about it when we talk cloud security or AI/ML, but it is still incredibly relevant.
Chris: We know another topic you're passionate about is software supply chain security. Can you share your thoughts on where the industry is headed with SBOM, VEX and other efforts to bring transparency and better governance to the SW supply chain?
Chris: You've also written and spoken a fair bit about broader supply chain risk: partners, MSPs, CSPs, etc. Do you think organizations are just now waking up to the exponential risk due to the interconnected and as-a-Service orientation we've taken as an industry?
Chris: As we mentioned, you do a ton of writing on LinkedIn, as well as your Substack distro. How do you keep up the pace, and what led you to start the Substack originally? Where can people follow it and stay informed?…
- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)
- You were part of an effort to create the Threat Modeling Manifesto. Can you tell us a bit about that project?
- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring, and do you think that will impact the Threat Modeling community?
- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some, and is it true?
- Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for on-prem vs. cloud systems?
- For organizations looking to get started with Threat Modeling, where do you recommend they start?
- Moving on from getting started, have you seen large organizations with successful, or unsuccessful, Threat Modeling programs, and what were some major themes either way?…
Nikki: You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?
Chris: It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think it's accurate, and how do we evolve beyond it?
Nikki: Based on some of your posts about compliance - one specifically about implementing frameworks and guidance from NIST and the CMMC standards - do you think there's a need in the industry to focus more on implementation guides, or do you feel like organizations are too complex to create guides for?
Chris: On the topic of compliance frameworks, we seem to be so reactionary, with new frameworks coming after incidents etc., and organizations struggle to keep up. Do you think we have a framework sprawl problem?
Chris: On the topic of 800-171 and CMMC, there's a lot of talk on the topic of affordability and cost and the impact on the small businesses in the DIB, which has already seen massive consolidation. What are your thoughts on this, and how do we balance compliance/security with the need for a robust DIB of suppliers?
Nikki: What do you think the future of compliance looks like? CMMC and otherwise - do you foresee more legislation around compliance coming down the pike?…
Chris: We're undoubtedly seeing a growing discussion around software supply chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance, etc. Any thoughts on why this is just now becoming such a focused concern?
Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?
Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain there are threat modeling techniques that can be used to understand and account for that growing attack surface?
Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably Sigstore - can you tell us what that is and why it is important or useful?
Nikki: In the last couple of years 'technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?
Chris: As we look to the future of software supply chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in, say, 3 years?…
Chris: We know there's a massive Cyber workforce challenge. What role do you think academia plays there, and how can it improve to close the gap?
Nikki: Speaking of the young professionals in cybersecurity, what do you think are some of the in-demand skillsets and career paths available for individuals interested in pursuing a career in cybersecurity?
Chris: There's often a debate between academics and practitioners. Why do you think that is, and do you think we're seeing that gap dissolve with new degree programs and more practitioner-focused curriculum?
Nikki: On the subject of academia - do you feel like there is enough focus on research in cybersecurity fields? Do you think that research is getting to private and public partners, or is there something we can be doing to strengthen those relationships?
Chris: What do you think the future of Cybersecurity education looks like? What role does non-traditional education such as certifications, bootcamps, online courses and content etc. play in the hiring qualifications of the future?…
Chris: So let's start with how we've gotten here. With digital systems accounting for 60% of global GDP, how do we still not have requirements for, or adoption of, cyber expertise on public boards?
Nikki: You mention in your article the SEC mandating cyber leadership into board rooms - do you think that the type of experience expected on boards should be geared specifically to risk management, or a mix of highly technical and governance experience?
Chris: For those looking to fill some of those upcoming board opportunities, what recommendations do you have?
Nikki: For your book The Great Reboot - you recommend that not only leadership but employees read it as well. Do you think there's a gap in knowledge, or maybe awareness, of how risk impacts the business at a practitioner level? Would you encourage junior and senior personnel to read this book?
Chris: On the flip side, for boards and publicly traded companies looking to bring cyber expertise into the fold, what competencies and skills should they be looking for? Where do they start?
Nikki: Risk is bigger than one vulnerability or one misconfiguration but can have a number of definitions - how do you define risk management, and do you think there's a need to define 'risk' more aptly in organizations?
Chris: You often speak about systemic risk. Do you think the modern digitally driven economy and ecosystem is inherently insecure and vulnerable?…
S2E24: Breaking Down the DoD Continuous ATO (cATO) Memo w/ Paul Puckett & Tyler Gesling (1:02:02)
A discussion with the Director of the Army Enterprise Cloud Management Agency (ECMA) - Paul Puckett and Cybersecurity Subject Matter Expert (SME) from DoD CIO-IE office, Tyler Gesling on the recent DoD cATO memo.
- We know you served as the First Federal U.S. CISO. Can you tell us a bit about that experience?
- In addition to your military and public sector background, you've held various industry roles as well. What are some of the major differences between the two environments you've experienced?
- We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern?
- You're very passionate about Zero Trust. What are your thoughts on the Federal push to adopt Zero Trust in an environment as big and complex as the Federal and DoD space?
- You've served at the highest levels of Cybersecurity leadership for several years - any advice for aspiring security leaders?
- What do you think the CISO of the future looks like in terms of skillsets and competencies?
- Can you tell us a bit about what you're up to these days with the CERT Division at SEI?…
Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?
Chris: We're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast with (or complement) companies' internal pen test/red teams, for example?
Nikki: Vulnerability management is an incredibly complex topic for a lot of organizations. Do you think bug bounty programs and Vulnerability Disclosure Programs (VDP) are helping to mature those programs?
Chris: How do companies have a level of assurance that the hackers will conduct the activities ethically?
Nikki: I think there's still sometimes a disconnect between what hackers and pentesters know about vulnerabilities and the actual attack paths, and the remediation teams that are working to prevent these types of attacks. Do you think there's a need to educate more Blue teamers on specific types of attacks and how they are conducted?
Chris: On the flip side, for hackers interested in bug bounty, how can they best go about getting started?
Nikki: We're starting to see more development teams taking responsibility for security - we frequently hear the term "shifting left." Is that a trend you are observing as well?
Chris: Thoughts on Log4Shell?…
You hold a variety of roles, from advisor, podcast host, CISO, and have a great industry presence. How do you juggle it all, and what drives you to do so much?
You recently spoke about emotional intelligence; do you feel it is overlooked in tech and cyber?
You speak a lot about leadership in Cybersecurity. What are some of the characteristics you think are the most important for the modern cyber leader?
We know you often dive into Cloud security. You recently made some comments about SaaS Security Posture Management (SSPM). What is that and why do folks need it?
Why do you feel that SaaS Security in general gets overlooked in the conversation on Cloud security?…
When you look at the state of the Open-Source Software (OSS) ecosystem, what do you think some of the biggest problems are?
Why do you think we're now starting to see so much increased attention on the Software Supply Chain?
When it comes to OSS maintainers and contributors, typically this is all done voluntarily and uncompensated in many cases. How is Tidelift looking to change that paradigm?
What are some recommendations you have for organizations as they start to try and get a handle on their software supply chain?
What are some things Tidelift is focused on that you think will benefit the industry and community?…
We know you’ve held several executive roles; we would love to hear your perspective regarding balancing business and organization leadership with the technology side.
You recently testified before Congress regarding FISMA reform. Why do you feel this reform is so needed, and what do you feel in particular would make the biggest impact?
What advice would you have for technology professionals who want to advance to executive roles like you've held?
What do you think we as an industry can do to help encourage more women into STEM and tech fields?…
Nikki: What does EDR look like right now, and where is it going?
Nikki: What are the differences between typical A/V and EDR?
Chris: What role do you see EDR playing in the push for Zero Trust?
Nikki: How do you integrate EDR into your environments, and how do you feel about using EDR with SIEMs?
Chris: Do you feel that the boom in working from home has impacted the EDR space?
Nikki: Can you talk a little bit about what DLP is and how it relates to EDR rollouts?
Chris: Building on EDR, what is XDR and how is it different?
Nikki: What would you say are some of the biggest challenges around deploying EDR, and some of the pitfalls admins/engineers should be aware of?
Chris: Do you have some resources for anyone thinking about deploying EDR?
Nikki: How do you feel about container-based deployments of EDR?
Chris: What does cyber resiliency mean to you?…
Nikki: Can you tell us a little bit about what you're currently working on right now at NIST?
Chris: Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM. C-SCRM is a complex topic; where do you see the industry going forward in terms of maturing C-SCRM practices?
Nikki: Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lot of people in the industry discussing vulnerability management programs, but it continues to be a challenging undertaking for organizations.
Chris: NIST 800-160 focuses on developing Cyber Resilient Systems. The DoD's Software Modernization Strategy focuses on Cyber Survivability as well. Do you feel the focus on resilience is critical, knowing that no system is infallible?
Chris: The Government is making a big push for DevSecOps. Many argue that the Government's approach to compliance, with RMF, is too cumbersome for DevSecOps. Do you disagree with this? If so, why, and do you think there are any changes we can make to better facilitate DevSecOps adoption?
Nikki: NIST is very well known for their inclusion of public collaboration with practitioners, researchers, and academic institutions - do you feel that there is more that can be done to increase collaboration between public, private, and academic institutions?
Chris: There's tons of buzz about cATO. Despite this recent buzz, Ongoing Authorization has been part of the RMF lexicon for quite some time. Do you feel that modern technologies such as Cloud can better help agencies and systems achieve a cATO?
Nikki: NIST has been on an absolute roll lately with publishing guidance, much of it tied to the Cyber EO, from Zero Trust, SSDF, and more. How does the organization keep such a pace on publishing industry guidance? What can we look for next in terms of big publications from NIST?
Chris: What's next for Ron Ross? You've been involved in countless major publications and methodologies. What do you see the legacy of Ron Ross being when you finally step away from being such a pillar in our community?
Nikki: What does cyber resiliency mean to you?…
Nikki: Please tell us a little bit about your dissertation and why you felt like drone forensics needed further research.
Chris: We know you have a Doctorate where your focus was a UAV systems forensics framework. My background is largely with DoD, which is increasingly embracing UAVs/drones etc. Are there any major security concerns a community like that should consider as they embrace these technologies?
Nikki: Do you feel like there is still a need to create more comprehensive policies and frameworks around drone forensics?
Chris: I noticed you also have an MBA in addition to your massive technical expertise and background. Does the business context help you in your various roles?
Nikki: Do you see a need for Incident Response frameworks for drones as well? What if they're hacked during missions or when out in the field?
Chris: You're involved in quite a bit of non-profit and volunteer groups such as ISSA, Krypto Kids and more. Why do you feel it is important to stay involved in these groups, and how do you feel it helps our broader Cyber community to have groups like these?
Nikki: Where do you see the future of research around drones, and how will they affect our current cybersecurity practices?
Nikki: What does cyber resiliency mean to you, and specifically in the growing field of drones and drone research?…
- Nikki: First, I need to hear how you feel about women in technology, and any words of encouragement for women who are interested in starting a business.
- Chris: We know your organization Raft is up to some innovative work in the Federal space. Can you tell us a bit about that?
- Nikki: You have such a unique background spanning business, law and technology; I've actually considered getting a law degree. Do you think that has altered your perspective as a business owner?
- Chris: In your experience, what have been some of the biggest impediments to digital transformation efforts in Government, and do you have any recommendations for industry partners of Government on how to overcome them?
- Nikki: Why do you feel it's so important to connect women in executive positions? Do you think there's a disconnect in how women are able to connect once they reach a certain level?
- Chris: I know Raft has several SBIR awards. For folks not familiar with SBIR, what is it and how is it different from traditional government contracts?…
- Nikki: You are currently a Fellow with Stanford University. Could you talk a little about the journey you've made to this point and how cybersecurity plays into the Fellowship?
- Chris: We know you served as a Senior Policy Advisor for the U.S. Cyberspace Solarium Commission. Can you speak about that, for those who aren't familiar with the commission? Knowing the government has acted on some of the commission's recommendations, do you think we're making the progress needed as a nation when it comes to Cyber?
- Nikki: Do you feel that we're doing enough to blend academic, industry, and public sector pursuits in cybersecurity?
- Chris: You recently spoke about why deterrence isn't the right approach for national security. Can you elaborate on that, and on what direction we may look to take instead?
- Nikki: Given your background with the Air Force, do you think there are any lessons learned that we could use, or at the very least consider, in other organizations when it comes to protecting systems?
- Chris: We know you have an extensive background as a cybersecurity researcher and advisor. How do you go about keeping a pulse on the practitioner side of cybersecurity in addition to the research and academic side?…
- Can you tell us a bit about your background and how you got into the role you're in now?
- For those unfamiliar with the term "Chaos Engineering", what is it and why should organizations be practicing it?
- You currently support a program named Kessel Run. What do they do?
- Performing something disruptive such as Chaos Engineering seems almost unheard of in organizations such as the DoD with low risk tolerances for disruption. How did this come about?
- For people looking to get started with Chaos Engineering, where should they begin? Any recommended learning resources? How do they approach their leadership to propose implementing the practices of Chaos Engineering and get buy-in?…
- For those unfamiliar with it, what is vulnerability chaining? Is it becoming more prevalent among malicious actors?
- Why do you think we traditionally look at vulnerabilities in isolation?
- How do we get organizations to shift their mindset on how they look at vulnerabilities?
- How can organizations get the context to understand which vulnerabilities can be chained together, and how to mitigate those?…
- We know the DoD is pushing towards Zero Trust adoption and DISA is playing a key role in that. Can you tell us a bit about that?
- What do you think some of the biggest hurdles for Zero Trust adoption in the DoD are, and how can we start to address them?
- Zero Trust has inevitably become a bit of a buzzword. If there is something people misunderstand about Zero Trust, what would you say that is?
- For those looking to learn more about DISA's approach to Zero Trust, and about the topic more broadly, do you have any specific recommendations?
- DISA's new network architecture project, Thunderdome: what will it be and what does it consist of?…
- Chris: There's quite a push for Zero Trust in the Federal Government, with the Cyber EO and ZT publications from CISA. What do you see as some of the biggest impediments to the Government's adoption of ZT? What are some of the biggest opportunities?
- Nikki: In one of your recent posts you mention the difference between zero trust being a concept vs. being something to act on. What do you think the right way to implement a zero-trust architecture is?
- Nikki: Do you have any resources for practitioners who are looking to ensure they are meeting a zero trust architecture framework?
- Chris: You commented recently about Compliance NOT being Security. This is something that many of us who have been in the field long enough agree with. That said, the Government's approach to cybersecurity largely revolves around Compliance. Why is that, and how do we go about changing that to a focus on real security?
- Chris: You recently had some comments about the CISO reporting relationship in the Federal space, with the CISO reporting to the CIO. Do you want to share any thoughts on who you think the CISO should report to, and how CISOs can help influence who they report to in order to support their security initiatives?
- Nikki: You mention a need for a CIO/CISO partnership. Can you expand on why that's so important in an organization? How can the organization benefit from this partnership?
- Chris: As you know, there's a big push for DevSecOps both in Government and Industry. What can Security teams learn from their Development peers, and how do we successfully facilitate the push for DevSecOps?…
- Nikki: As someone who has such wide-ranging experience in cybersecurity, from practitioner and business owner to investor, what would you say are the largest concerns in cybersecurity right now? Zero trust? Incident Response? Cloud security?
- Chris: You hold several advisory and board member roles. For Cybersecurity professionals looking to perform similar roles, do you have any recommendations?
- Nikki: With your background at a company like Tenable and in the security tool industry, do you feel that cybersecurity practitioners have the tools they need to perform their tasks? Do you think there are any gaps between technology, process, and people?
- Chris: Having been around the cybersecurity industry for quite a while, what do you think some of the biggest emerging changes are, and also, what has remained relatively consistent?
- Nikki: With all of the amazing nonprofit work you do, why do you think we still have such a skills gap and a need for more people in the security industry? How can we close that gap?
- Nikki: Do you have anything in particular you're working on right now that you'd like to share with our audience?…
- Given your wide range of experience with AWS and cloud security, what would you say are some of the most common types of attacks on cloud platforms?
- What would you say are the top three skills someone should work on if they're interested in a career on a Red Team or as a penetration tester?
- Are there some really good resources or open-source tools you recommend for anyone learning about offensive security?
- Shifting to Purple Teaming, how does a Purple Team differ from traditional PenTest/Red Team activities?
- For organizations looking to build out a purple team, where do you recommend they begin?
- What does the term Cyber Resilience mean to you?…
- Chris: You have a book coming out titled The CISO Evolution - Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISOs to understand the business, and how do they balance their technical skills with business acumen?
- Nikki: I see you've posted several videos on LinkedIn; my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision making when it comes to risk. Where do you think the sweet spot is between amount of data and quality of data?
- Chris: You and I participated in the Qualified Technical Expert course from Bob Zukis together. Do you think we will see boards required to obtain QTEs, and why do you think boards lack technical fluency now, when so much of GDP and business is tied to technology?
- Nikki: You spoke at the SANS Cybersecurity Leadership Summit on translating cyber risk into business risk. What would you say are the biggest takeaways for practitioners to be able to explain and express risk properly, to improve security and hopefully lower risk across the organization?
- Chris: Do you think Cybersecurity is a business enabler? If so, how do we as cyber professionals help the business view Cybersecurity as an enabler and protector of revenue?
- Chris: Do you have any recommendations for Cybersecurity professionals looking to transition into a CISO role in the future? Any key business books or resources to familiarize themselves with?
- What does Cyber Resilient mean to you?…
- Chris: We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments to widespread Government adoption of DevSecOps are?
- Nikki: I see you spoke recently about minimum viable continuous delivery. Can you tell us a little bit about what that is and what it means? And what do you think the possible implications may be for development cycles?
- Chris: Do you feel there is often a disconnect between leadership and practitioners when it comes to successful DevSecOps implementation, and if so, what do you think that disconnect entails?
- Nikki: I also saw in one of your recent talks that you discuss how industry and the public sector need to work more closely together. This is something I'm also very passionate about. Can you talk about why this partnership is so needed, not just from a cybersecurity perspective but from an emerging tech perspective as well?
- Chris: What can organizations do to give their workforce the space and grace to grow and learn, to help facilitate the push for DevSecOps and Digital Transformation and ensure its success?
- What does Cyber Resilience mean to you?…
- Nikki: I'm so impressed with your wide range of cybersecurity experience, and with that experience you are also a Co-Founder and CEO. Can you talk a little bit about the transition from full-time practitioner to business owner?
- Chris: If you had to list the 1-2 top issues facing the Cybersecurity community within Government in particular, what would they be?
- Nikki: What would you say are some of the biggest challenges you've faced running your own company in the security and intelligence space?
- Chris: We know there is a big push for cATO/Ongoing Authorization in Government. Do you think this is something that can be achieved? Any thoughts on the key factors to help it be successful?
- Nikki: Would you have some advice for security practitioners who are thinking about starting their own business or moving up from a technical role to a more managerial role?
- Chris: You have started and now lead a successful company in the Public Sector space. Any tips for your fellow entrepreneurs who may want to do something similar?…
- For those unaware, what exactly is an SBOM, and why is it so important?
- One of the presentations you gave mentioned that software supply chain attacks shouldn't be discussed as "emerging threats"; these really have been going on for years. Why do you think we still talk about it as an emerging threat or something novel?
- We know you've recently talked about an effort dubbed "VEX" which seeks to add context to SBOM information. How is this valuable, and how can it be used to reduce risk?
- What would you say are the top 3 things organizations could do today to be aware of software supply chain attacks?
- With regard to SBOMs for complex environments such as SaaS, where you have several parties involved and interdependencies, how do you see the SBOM evolving in that space?
- How do you see organizations operationalizing SBOMs from a Cyber practitioner perspective? How will it fit into a robust cybersecurity program?…
- You have just received your first role in cybersecurity as a Security Analyst, congratulations! How has your first experience been so far in this new role?
- LinkedIn can be a powerful method of meeting others. Of all the amazing things you've done, what is the best advice you could give for someone trying to break into cybersecurity?
- On the flip side, what is something you would like hiring managers to consider when they are interviewing potential security analysts?
- Of the conference volunteering, speaking at conferences, networking, and certifications that you've been working towards, what do you feel was the most helpful in landing your first job?
- As someone who's been trying to break into cyber, what did you find were the biggest impediments?
- What can we do as an industry to make the field more inclusive to aspiring entrants of all backgrounds?…
- I was reading the CISA document "Defending Against Software Supply Chain" and was curious whether the guidance within is helpful or informative for anyone who wants to start an S-SCRM program.
- What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST 800-53 include SCRM-specific controls now. Will it help?
- What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software supply chain attack?
- From the perspective of Cloud, do you feel cloud adoption can help, or hinder, when it comes to driving down risk associated with the supply chain?
- What are the biggest concerns/risks when it comes to building a secure software supply chain program?
- I know you've been involved with projects such as TUF and in-toto. Can you help folks understand what those are and why they are valuable?
- What does the term "Cyber Resilient" mean to you?

Find out more from Cole at Testify Sec - https://www.testifysec.com/…
R
Resilient Cyber

S2E1: Michael Baker - VP/CISO at GDIT - Business Acumen, Leadership & the Evolution of the CISO 30:12
- Leadership and Business Acumen: we know you're passionate about these topics. How much do you think they play a role in the success of a person's career in Cyber, and do you think these are things some of us may overlook?
- Organizational Influence is something we know you've spoken about. Can you elaborate on that? How do you go about influencing organizational change for cybersecurity, especially in organizations the size of GDIT? Does this change at all when you're trying to influence change at an external organization?
- Team Building is undoubtedly something you've had to do throughout your career. Do you have any tips for those looking to build strong teams?
- On the topic of team building, there's also the topic of mentoring. Is this critical within teams? How about mentoring others outside of our team, and even outside of our organizations?
- Being in a role such as VP and CISO at a major firm like GDIT, Executive Communication is key. Do you have advice for others when it comes to communicating cyber risks and objectives to executive leadership?…
- As Founder of the Security Television Network, how did you come up with the idea?
- We have so many channels on the airwaves right now, and it seems like every day there is a security incident. Why STN? What does STN bring to the security news forum?
- Can you tell us a little bit about the Indiegogo campaign?
- You also have a Doctorate and teach at Capitol Technology University. Can you explain the significance of, or your interest in, academic research and technical pursuits?
- On top of everything else, you were also a Marine and served in the U.S. Coast Guard. Can you talk about how that experience plays into your current role as CEO / Network Owner / Security aficionado?
- How can a business connect with you to become a sponsor on the network?
- What does cyber resilience mean to you?…
Resilient Cyber Podcast - Episode 22 - Tia Hopkins - Cyber Leader, Empowering Women, Power of Research 46:13
- You have some incredible accolades, titles, and roles, but before we dive into those, can you tell us about your journey? We always love hearing about how someone got to where they are, and the hard work, discipline, and sacrifice that went into that.
- As mentioned previously, you have a lot of different titles: Cyber Exec, Professor, Author, Keynote Speaker. How important do you feel personal branding is in our career field? Any advice for other aspiring cyber professionals looking to expand their own profiles and differentiate themselves?
- You are also listed as one of the Top 100 Women in Cyber and Top 25 Women Leaders in Cyber. We are big advocates for bringing more women into the Cyber field. Can you speak on the presence of women in cyber, how we can help bring more women into the field, and ways women can stand apart from their male counterparts in Cyber?
- We know you're also a PhD student. Can you tell us what made you want to pursue a PhD? What do you intend to write and research on, and how do you see a PhD potentially impacting your career?
- One thing I love is that not only are you a master at personal branding, executive presence, networking, and things of that nature, but you also have a very strong architecture background and expertise. How do you think the two play together, and do you feel some people miss the boat in terms of pairing their technical skills and competencies with their social skills, and mastering both the technical and soft skills?
- What does Cyber Resilience mean to you?…
- You have quite a bit of experience and a lot of research into implementing secure software, but we'd like to dig into where organizations should start: tools, multiple developers? What kind of baselines should be considered?
- There's an increased focus on secure software supply chains, especially with the recent Executive Order (EO). The EO emphasizes the prevalence of an SBOM, and it seems like SBOMs are set to become an industry norm in the not-so-distant future. What are your thoughts on SBOMs and how they can help mitigate, or at least shed light on, some of the security concerns around external third parties, insecure dependencies, and the organization's overall software consumption?
- There are multiple vectors for insecure external code to be introduced into an application. How should organizations be protecting their applications in the context of third-party libraries?
- With some of those major pain points in developing a secure software program, how can organizations integrate security and secure practices with Developers?
- There are some leading industry resources, such as the OWASP Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM), for organizations to leverage in support of their software security initiatives. Have you seen organizations have much success with these approaches, and do you have any advice on how to adopt and use these resources?
- Now that we've covered how to integrate security into Development teams, how can we integrate secure practices into Operations teams?
- What are some resources that Developers, Operations, and Management can look to when they're trying to integrate secure practices into their pipelines?
- What does cyber resilience mean to you in the context of DevSecOps practices?…
1. You are part of several working groups within the NIST Cloud Computing area. Could you tell us a little bit more about the Security and Forensic Sciences groups? For individuals who aren't with NIST but have relevant expertise, is there a way we can contribute to publications?
2. You have recently released the NIST Open Security Controls Assessment Language (OSCAL) document. Could you give us some background on how this document came about and how much feedback you received from the OSCAL community?
3. OSCAL has the promise to make standard security documentation such as SSPs and others machine readable and integrated with tooling for automated assessment, continuous monitoring, and visualization in dashboards. What sort of impact do you see this having on the traditional way of doing Federal cybersecurity? Do you see this as the future of cybersecurity across Government and the DoD?
4. To expand on that topic a little bit, NIST has a great history of working with the public, community groups, and other agencies on the best documentation, controls, and guidance for both the private and public sector. Can you speak about the importance of collaboration between the private and public sectors?
5. NIST has had some great webinars and virtual events lately. As the impacts of COVID dissipate, does NIST plan to keep these sorts of events up to help spread its reach and impact across the IT/cyber community?
6. Have you had any involvement with NIST DevSecOps efforts, and can you speak about DevSecOps adoption within Government? Any thoughts in particular on its value, the challenges and the major benefits? One area of strong interest lately is Ongoing Authorization or Continuous ATO, versus the traditional 3-year ATO cycle. Can you discuss how OSCAL may play a part here?
7. What does Cyber Resilience mean to you?…
- Could you provide some advice for anyone who may want to be a CISO, or even some guidance on how and why someone may want to be a CISO?
- You've written a book called "How to Measure Risk with Anything". Could you provide some advice to cybersecurity professionals who have a topic in mind and want to write a book of their own?
- With your vast knowledge and experience in cybersecurity leadership, can you give us an example of some of the major challenges or roadblocks you've seen in maturing a cybersecurity program?
- You're currently the CISO and Co-Founder at Soluble, which focuses on GitOps Security Testing. For those not familiar with it, what is GitOps? Why is this sort of testing valuable? Any thoughts on Compliance-as-Code?
- How is it working as a CISO at a SaaS startup compared to some of your previous roles at Kaiser Permanente and GE Healthcare?
- Do you feel that Cloud presents new challenges for CISOs? If so, how? Any major recommendations for CISOs looking to get a handle on Cloud Security?
- What does Cyber Resilient mean to you?…
Questions:
- Can you tell us a little bit about what rThreat does?
- We spoke a bit about your background in education and curriculum development. Can you give us some more information about that and how it has impacted your new role?
- Can you tell us a bit about what it's like to work at a startup, and how your interest in security got you into that?
- How do you feel the threat landscape is changing? Do you think we need to change the way we think about security awareness?
- (Related to my research) How do you feel vulnerability chaining ties into what rThreat is doing, and how should organizations be considering these attacks?
- What does cyber resiliency mean to you?…
- Can you tell us a bit about your journey to becoming the CISO at CMS? We know you spent most of your time in commercial industry prior. How has that helped, and what are some of the major differences you've experienced?
- Can you give us some industry-specific guidance on what it means to be a CISO in the healthcare industry?
- CMS handles the PII of over 50 Million Americans, I believe. Can you elaborate on the scale/scope of that challenge and how the organization prioritizes this protection given the huge responsibility and reach?
- Based on your experience, are there targeted threats against your industry, or specific types of security considerations that are most important?
- We know you've mentioned some of the challenges with programs like FedRAMP when it comes to Government Cloud, and the struggles/risks associated with overly cumbersome regulation and compliance requirements. How do we balance the need for security, compliance, and governance without introducing bottlenecks that stifle innovation?
- As a CISO, how do you feel about Incident Response? Is this more or less important than the preventative measures you may be using?
- You've mentioned a Batcave DevSecOps type initiative you have in mind. Can you tell us a bit about that?
- The government has a long history of challenges attracting and retaining tech talent. Any recommendations on this front to draw more folks like yourself and others to civil service?
- Given your role at a major Federal civilian agency, and the recent Cybersecurity Executive Order (EO), do you have any major takeaways or thoughts regarding the EO and its potential impact on not just the government but the broader IT/Cyber industry?
- What does the term Cyber Resilience mean to you?…
Resilient Cyber - Episode 1 - Introductions, Vulnerability Chaining & Human Factors Research 23:05
Episode 1 of the Resilient Cyber podcast kicks off the show and covers the following:
- Chris Hughes Introduction/Background
- Dr. Nikki Robinson Introduction/Background
- Why do each of us want to start a podcast? What do we hope to get out of it, and how may it benefit others?
- Deep Dive into Nikki's research: First Doctorate (Vulnerability Scoring/Chaining); Current Doctoral Pursuit (Vulnerability Chaining Blindness and Human Factors)
- How do each of us define Cyber Resilience?
- Who's the first guest on the podcast?…
1. You are an active member on LinkedIn as an ally to women wanting to get into or succeed in cybersecurity. Can you explain why that is so important to you?
2. You have a number of public speaking engagements under your belt. Could you give us some detail on how you came across it and what interested you about it?
3. Could you give some advice to anyone looking to get into speaking at cyber conferences?
4. You participate in a number of local groups, either as a volunteer or an active member. I'd love to get your take on why these local chapters of WiCyS, ISSA, Infragard, etc. are so important to the cyber community at large.
5. You previously served as the Deputy Director of the Defense Industrial Base Collaboration Information Sharing Environment, which is the reporting and analysis hub for the implementation of sections of the National Defense Authorization Act (NDAA) as well as DFARS 7012, related to Cyber Incidents and mandatory reporting. Can you tell us a bit about that?
6. What role do you see CMMC playing in the DIB, and what gaps does it address? Do you think it is feasible for DIB vendors to meet CMMC requirements, particularly SMBs?…
- For those unfamiliar with Zero Trust, if you had to summarize what Zero Trust is, how would you describe it?
- Zero trust has been in the news quite a bit recently, with NIST even coming out with its own guide just a year ago. Do you think this is really a new topic, or more of a maturation of older processes?
- It seems like with every breach we hear that Zero Trust could have prevented x, y, and z. Do you think Zero Trust has the potential to mitigate breaches, or at least minimize their impact?
- I see Zero Trust typically talked about as only applying to layer 7 in the OSI model. Do you think that's true? Or do you see the general concepts as applying to more layers as a defense-in-depth strategy?
- Given the hype around Zero Trust, many vendors are now claiming their product equates to Zero Trust, or gets you "Zero Trust compliant", and similar phrases. How do you feel about this, and do you see it as misleading?
- What does Cyber Resilience mean to you? Does implementing Zero Trust make an organization or system more resilient?…
In this episode we chat with some of the leadership team from Army Futures Command. We discuss:
- What exactly does a Chief Product and Innovation Officer do, and why is a role like this needed in the DoD?
- How has AFC built on lessons learned from previous efforts, such as Kessel Run?
- We know there's a push for Soldier-led Software Development. Why is that, and why is it important for National Security over traditional ways of doing software development within the DoD?
- We know there's a push towards Cloud, DevSecOps etc. within the DoD. How does the Army's approach differ from, say, the Air Force's, and what are the similarities?
- What are some of the challenges with trying to implement the Software Factory concept in the DoD?
- You recently spoke at an event by the Defense Entrepreneurs Forum (DEF), titled DEFxSoftware. Why are groups like these important for the innovation ecosystem of the DoD?
- I know the Army cloud office has spoken on the need for "CISO-as-a-Service" technologies. What does that mean exactly?…
Resilient Cyber - Episode 13 - Carlota Sage - vCISO Challenges, Solutions, and Collaboration 23:03
- Please give us a bit of background on how you became a vCISO and what responsibilities come with that job.
- You have built several successful security programs from the ground up. What would you say is the most challenging part of that process?
- Now that we've talked about some of the challenges around creating a security program, what would you say is the most rewarding or most interesting part of that?
- Can you talk about some of the flexibility that a vCISO or CISO must have when leading a security team?
- What does cyber resilience mean to you?…
- Can you tell us a bit about your role as the Director of SW Modernization for the DoD? What does that entail?
- On the SW Modernization front, at a high level, what are some of the primary SW modernization objectives of the DoD?
- How does SW modernization tie into National Defense, and why is it so critical to get right?
- There's an increased push to adopt DevSecOps. What are your thoughts on that, and why is there such an interest among the DoD/Federal community?

Jason Weiss Bio: Jason Weiss has an exceptional background in software engineering, cryptology, and computer security dating back to his service in the US Navy as a cryptologist during the first Gulf War. He is the author of Java Cryptography Extensions, published by Morgan Kaufmann, and co-author of or contributor to several other books on distributed computing. He is the sole inventor of the patented Volume Mount Authentication endpoint security algorithm that was eventually integrated into Seagate's DriveTrust technology, and co-inventor of the Cloud Connected Transponder. In 2000, the NSA recognized Jason as a talented security designer of critical infrastructure protection. He has lectured internationally, including presentations at SD West, Sybase TechWave, Rocky Mountain Java Symposium, AnDevCon, AWS Summit, and various keynotes on NFC and RFID at events like the WIMA European NFC Developers Summit in Monaco. As Director of Software Modernization in the Office of the Secretary of Defense, DoD CIO, he executes critical activities to both maintain and modernize the DoD Information Enterprise, including the department's push to adopt DevSecOps. Jason holds a BS in computer science and an MA in Intelligence (Information Warfare).…
Resilient Cyber - Episode 11 - Dr. Margaret Cunningham - Human Factors, Cybersecurity, Cognitive Psychology 21:23
1. Can you give us a brief description of your background in cognitive psychology and how you found your way into cybersecurity?
2. Can you describe how psychology is directly applicable to cybersecurity?
3. Can you discuss how philosophy is also applicable to cybersecurity?
4. How do you feel that neuroscience plays into cybersecurity? Maybe specifically discuss cognitive limitations and how they may affect us in the cybersecurity field.
5. Tell me about your new research! I see you have a new article released in March of this year titled "How Minor Mistakes When Remote Working Could Lead to Major Cybersecurity Breaches".
6. How do you feel about cyber resiliency as it relates to security and human factors research?…
Today's episode is a conversation between Dr. Nikki Robinson and Chris Hughes on Vulnerability Management. Dr. Nikki has a PhD focused on Vulnerability Chaining, and the co-hosts discuss the difficulties of Vulnerability Management.
- What would you say are the biggest reasons why vulnerability management is still so difficult for organizations?
- Why is it so important to patch or mitigate end-of-life software, and what are some of the challenges around that?
- Is vulnerability scanning still a major component of securing your network in a continuous monitoring program?…
What is Infrastructure-as-Code (IaC) and how does it differ from traditional ways of provisioning INF? How does IaC fit into the broader push of DevSecOps and pushing security-left? What is Compliance-as-Code (CaC)? What does that look like and how can organizations benefit from implementing it? What are some of the challenges associated with adopting IaC and CaC? Where is the future of IaC/CaC headed and what are some opportunities you think haven't been explored yet? What does "cyber resilient" mean to you? Matt Johnson: Matt Johnson (@metahertz) is a Developer Advocate for Bridgecrew.io, based in not-so-sunny Manchester, UK, he helps DevOps teams simplify, automate and improve their infrastructure security. Coming from a security and platform automation background, formerly at Cisco, he is excited by the disruptive power of Infrastructure as Code, container and serverless orchestration in bringing scalable, cost-effective IT to companies of all sizes, while also building awareness of the security challenges these new capabilities bring.Outside of work, he is learning to fly, and enjoys travel, aviation, rugby, steak and a growing whisky collection!…
You're the Authorizing Official for the USMC; can you explain what you do in that role for those who aren't familiar with the term AO? The DoD is increasingly looking to adopt DevSecOps - can you tell us where the Marine Corps is on that journey, some of the challenges, and what opportunities DevSecOps would provide the USMC? Given your role, and the DoD's continued push to adopt DevSecOps, how do you see processes changing around the implementation of the Risk Management Framework (RMF) to achieve a Continuous ATO (cATO)? How have your academic pursuits and research been integrated into your role with the USMC? Do you feel that academic research can be beneficial to the military and the public sector? What does "cyber resilience" mean to you?…
What is Tactical Edge Cloud Computing? How does it apply to the DoD and Military, and what advantages/challenges does it provide? I know you're involved with the Defense Entrepreneurs Forum (DEF) and the Joint Software Alliance (JSOFT); can you tell us a bit about those and why you think organizations like those are important for the DoD community? I've heard you say that "The future of national security is digital technology integration" - with the increased growth of things such as Cloud Computing, DevSecOps and Modernization, what roles do these play in national security? Knowing the importance of digital technology in relation to national security, how does the DoD as a community overcome some of its challenges (e.g. the JEDI protest, IT/Cyber workforce challenges, acquisition, etc.) to ensure it can appropriately adopt and enable digital technologies? What does "cyber resilient" mean to you?…
- What first interested you in cloud technology and pursuing a career in cloud security?
- Do you feel that learning a cloud platform is essential for today's IT and security workforce?
- Do you recommend hybrid cloud environments? Do you think it adds too much complexity to provide proper security controls?
- What are some of the biggest threats to cloud and hybrid environments?
- What are some emerging trends in cloud security?
- How do you think cyber resiliency specifically applies to cloud environments?…
* How can we go about breaking barriers for folks in our field
* Workforce challenges and how changes to hiring practices can help
* Security Theater (this is a good one!)
* Security Not Enabling the Business
* Ego
* Overpriced Vendor Products
* And as a running theme of our show, we would love to close with "What does cyber resilience mean to you?"…
Do you think your lessons from athletics and the military contributed to your success in the Cyber career field? What are some of the hardest lessons you've learned so far since transitioning to being a CEO? What do you think technologies such as Cloud Computing change about the Compliance field? You're involved with the Nat'l Association of Black Compliance & Risk Management Professionals (NABCRMP); can you tell us a bit about the organization and why you think efforts like this are important? What advice do you have for aspiring Cyber professionals, and how can we as a community help make the field more welcoming and attainable? What does the term "Cyber Resilience" mean to you?…