Resilient Cyber

Latest episodes

Jun 16, 2022 • 22min

S3E5: Kelsei Young - Cybersecurity M&A & Doctoral Studies

Jun 16, 2022 • 34min

S3E7: Robert Hurlbut - All Things Threat Modeling

- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)
- You were part of an effort to create the Threat Modeling Manifesto, can you tell us a bit about that project?
- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring and if you think that will impact the Threat Modeling community?
- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some and is it true?
- Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for same on-prem vs cloud systems?
- For organizations looking to get started with Threat Modeling, where do you recommend they start?
- Moving on from getting started, have you seen large organizations with successful, or unsuccessful Threat Modeling programs, and what were some major themes either way?
May 23, 2022 • 24min

S3E3: Dan Lorenc - Software Supply Chain, Sigstore and OSS

- Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?
- Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program. What are your thoughts on that?
- Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling: do you think that with the attack surface expanding through the software supply chain there are threat modeling techniques that can be used to understand and account for that growing attack surface?
- Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore. Can you tell us what that is and why it is important or useful?
- Nikki: In the last couple of years 'technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?
- Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in say 3 years?
May 23, 2022 • 34min

S3E4: Dr. Butler - Cybersecurity & Academia

- Chris: We know there's a massive Cyber workforce challenge. What role do you think academia plays there and how can it improve to close the gap?
- Nikki: Speaking of the young professionals in cybersecurity, what do you think are some of the in-demand skillsets and career paths available for individuals interested in pursuing a career in cybersecurity?
- Chris: There's often a debate between academics and practitioners. Why do you think that is, and do you think we're seeing that gap dissolve with new degree programs and more practitioner-focused curriculum?
- Nikki: On the subject of academia, do you feel like there is enough focus on research in cybersecurity fields? Do you think that research is getting to private and public partners, or is there something we can be doing to strengthen those relationships?
- Chris: What do you think the future of Cybersecurity education looks like? What role does non-traditional education such as certifications, bootcamps, online courses and content etc. play in the hiring qualifications of the future?
May 23, 2022 • 33min

S3E2: Jacob Horne - Security vs. Compliance

- Nikki: You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?
- Chris: It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think it's accurate, and how do we evolve beyond it?
- Nikki: Based on some of your posts about compliance, one specifically about implementing frameworks and guidance from NIST and the CMMC standards, do you think there's a need in the industry to focus more on implementation guides, or do you feel like organizations are too complex to create guides?
- Chris: On the topic of compliance frameworks, we seem to be so reactionary, with new frameworks coming after incidents etc., and organizations struggle to keep up. Do you think we have a framework sprawl problem?
- Chris: On the topic of 800-171 and CMMC, there's a lot of talk on the topic of affordability and cost and the impact to the small businesses in the DIB, which has already seen massive consolidation. What are your thoughts on this, and how do we balance compliance/security with the need for a robust DIB of suppliers?
- Nikki: What do you think the future of compliance looks like, CMMC and otherwise? Do you foresee more legislation around compliance coming down the pike?
May 23, 2022 • 26min

S3E1: Bob Zukis - Cybersecurity in the Boardroom

- Chris: So let's start with how we've gotten here. With digital systems accounting for 60% of global GDP, how do we still not have requirements or adoption of cyber expertise on public boards?
- Nikki: You mention in your article about the SEC mandating cyber leadership into board rooms. Do you think that the type of experience expected on boards should be geared specifically to risk management, or a mix of highly technical and governance experience?
- Chris: For those looking to fill some of those upcoming board opportunities, what recommendations do you have?
- Nikki: For your book The Great Reboot, you recommend that not only leadership but employees read it as well. Do you think there's a gap in knowledge, or maybe awareness, of how risk impacts the business from a practitioner level? Would you encourage junior and senior personnel to read this book?
- Chris: On the flip side, for boards and publicly traded companies looking to bring cyber expertise into the fold, what competencies and skills should they be looking for? Where do they start?
- Nikki: Risk is bigger than one vulnerability or one misconfiguration but can have a number of definitions. How do you define risk management, and do you think there's a need to define 'risk' more aptly in organizations?
- Chris: You often speak about systemic risk. Do you think the modern digitally driven economy and ecosystem is inherently insecure and vulnerable?
Mar 31, 2022 • 1h 2min

S2E24: Breaking Down the DoD Continuous ATO (cATO) Memo w/ Paul Puckett & Tyler Gesling

A discussion with Paul Puckett, Director of the Army Enterprise Cloud Management Agency (ECMA), and Tyler Gesling, Cybersecurity Subject Matter Expert (SME) from the DoD CIO-IE office, on the recent DoD cATO memo.
Mar 30, 2022 • 39min

S2E23: Greg Touhill - Security/Boardroom Leadership & Zero Trust

- We know you served as the First Federal U.S. CISO, can you tell us a bit about that experience?
- In addition to your military and public sector background, you've held various industry roles as well. What are some of the major differences between the two environments you've experienced?
- We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern?
- You're very passionate about Zero Trust. What are your thoughts on the Federal push to adopt Zero Trust in an environment as big and complex as the Federal and DoD space?
- You've served at the highest levels of Cybersecurity leadership for several years. Any advice for aspiring security leaders?
- What do you think the CISO of the future looks like in terms of skillsets and competencies?
- Can you tell us a bit about what you're up to these days with the CERT Division at SEI?
Mar 25, 2022 • 30min

S2E22: HackerOne - Bug Bounty, Vulnerability Disclosure and Ethics

- Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?
- Chris: We're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast with (or complement) companies' internal pen test/red teams, for example?
- Nikki: Vulnerability management is an incredibly complex topic for a lot of organizations. Do you think bug bounty programs and Vulnerability Disclosure Programs (VDP) are helping to mature those programs?
- Chris: How do companies have a level of assurance that the hackers will conduct the activities ethically?
- Nikki: I think there's still sometimes a disconnect between what hackers and pentesters know about vulnerabilities and the actual attack paths, and the remediation teams that are working to prevent these types of attacks. Do you think there's a need to educate more Blue teamers on specific types of attacks and how they are conducted?
- Chris: On the flip side, for hackers interested in bug bounty, how can they best go about getting started?
- Nikki: We're starting to see more development teams taking responsibility for security — we frequently hear the term "shifting left." Is that a trend you are observing as well?
- Chris: Thoughts on Log4Shell?
Mar 15, 2022 • 25min

S2E21: Jerich Beason - Emotional Intelligence, Cyber Leadership and SaaS Security

- You hold a variety of roles, from advisor, podcast host, CISO, and have a great industry presence. How do you juggle it all, and what drives you to do so much?
- You recently spoke about emotional intelligence; do you feel it is overlooked in tech and cyber?
- You speak a lot about leadership in Cybersecurity. What are some of the characteristics you think are the most important for the modern cyber leader?
- We know you often dive into Cloud security. You recently made some comments about SaaS Security Posture Management (SSPM). What is that and why do folks need it?
- Why do you feel that SaaS Security in general gets overlooked in the conversation on Cloud security?