
Resilient Cyber

Latest episodes

Mar 8, 2022 • 23min

S2E20: Tidelift - Open Source Software (OSS) & Software Supply Chain

When you look at the state of the Open-Source Software (OSS) ecosystem, what do you think some of the biggest problems are?
Why do you think we're now starting to see so much increased attention on the Software Supply Chain?
When it comes to OSS maintainers and contributors, typically this is all done voluntarily and uncompensated in many cases. How is Tidelift looking to change that paradigm?
What are some recommendations you have for organizations as they start to try and get a handle on their software supply chain?
What are some things Tidelift is focused on that you think will benefit the industry and community?
Mar 1, 2022 • 39min

S2E19: Renee Wynn - Organizational Leadership, FISMA Reform and Soft Skills

We know you've held several executive roles; we would love to hear your perspective on balancing business and organizational leadership with the technology side.
You recently testified before Congress regarding FISMA reform. Why do you feel this reform is so needed, and what in particular do you feel would make the biggest impact?
What advice would you have for technology professionals who want to advance to executive roles like the ones you've held?
What do you think we as an industry can do to help encourage more women into STEM and tech fields?
Feb 23, 2022 • 28min

S2E18: John Guckian - EDR, XDR and Modern Endpoint Protection

Nikki - What does EDR look like right now and where is it going?
Nikki - What are the differences between typical A/V and EDR?
Chris - What role do you see EDR playing in the push for Zero Trust?
Nikki - How do you integrate EDR into your environments, and how do you feel about using EDR with SIEMs?
Chris - Do you feel that the boom in working from home has impacted the EDR space?
Nikki - Can you talk a little bit about what DLP is and how it relates to EDR rollouts?
Chris - Building on EDR, what is XDR and how is it different?
Nikki - What would you say are some of the biggest challenges around deploying EDR, and some of the pitfalls admins/engineers should be aware of?
Chris - Do you have some resources for anyone thinking about deploying EDR?
Nikki - How do you feel about container-based deployments of EDR?
Chris - What does cyber resiliency mean to you?
Feb 15, 2022 • 40min

S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation

Nikki - Can you tell us a little bit about what you're currently working on right now at NIST?
Chris - Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM, and C-SCRM is a complex topic. Where do you see the industry going forward in terms of maturing C-SCRM practices?
Nikki - Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lot of people in the industry discussing vulnerability management programs, but it continues to be a challenging undertaking for organizations.
Chris - NIST 800-160 focuses on developing Cyber Resilient Systems. The DoD's Software Modernization Strategy focuses on Cyber Survivability as well. Do you feel the focus on resilience is critical, knowing that no system is infallible?
Chris - The Government is making a big push for DevSecOps. Many argue that the Government's approach to compliance, with RMF, is too cumbersome for DevSecOps. Do you disagree with this? If so, why, and do you think there are any changes we can make to better facilitate DevSecOps adoption?
Nikki - NIST is very well known for its inclusion of public collaboration with practitioners, researchers, and academic institutions. Do you feel that there is more that can be done to increase collaboration between public, private, and academic institutions?
Chris - There's tons of buzz about cATO. Despite this recent buzz, Ongoing Authorization has been part of the RMF lexicon for quite some time. Do you feel that modern technologies such as Cloud can better help agencies and systems achieve a cATO?
Nikki - NIST has been on an absolute roll lately with publishing guidance, much of it tied to the Cyber EO: Zero Trust, SSDF, and more. How does the organization keep such a pace on publishing industry guidance? What can we look for next in terms of big publications from NIST?
Chris - What's next for Ron Ross? You've been involved in countless major publications and methodologies. What do you see the legacy of Ron Ross being when you finally step away from being such a pillar in our community?
Nikki - What does cyber resiliency mean to you?
Feb 10, 2022 • 18min

S2E16: Dr. Nagi Mei - Drone Security, Forensics and Regulation

Nikki - Please tell us a little bit about your dissertation and why you felt drone forensics needed further research.
Chris - We know you have a Doctorate where your focus was a UAV systems forensics framework. My background is largely with DoD, which is increasingly embracing UAVs/drones. Are there any major security concerns a community like that should consider as they embrace these technologies?
Nikki - Do you feel there is still a need to create more comprehensive policies and frameworks around drone forensics?
Chris - I noticed you also have an MBA in addition to your massive technical expertise and background. Does the business context help you in your various roles?
Nikki - Do you see a need for Incident Response frameworks for drones as well? What if they're hacked during missions or when out in the field?
Chris - You're involved in quite a few non-profit and volunteer groups such as ISSA, Krypto Kids and more. Why do you feel it is important to stay involved in these groups, and how do you feel it helps our broader Cyber community to have groups like these?
Nikki - Where do you see the future of research around drones, and how will they affect our current cybersecurity practices?
Nikki - What does cyber resiliency mean to you, specifically in the growing field of drones and drone research?
Feb 2, 2022 • 29min

S2E15: Shubhi Mishra - Government Innovation & Women in Tech

Nikki - First, I need to hear how you feel about women in technology, and any words of encouragement for women who are interested in starting a business.
Chris - We know your organization Raft is up to some innovative work in the Federal space. Can you tell us a bit about that?
Nikki - You have such a unique background with business, law and technology; I've actually considered getting a law degree. Do you think that has altered your perspective as a business owner?
Chris - In your experience, what have been some of the biggest impediments to digital transformation efforts in Government, and do you have any recommendations for industry partners of Government on how to overcome them?
Nikki - Why do you feel it's so important to connect women in executive positions? Do you think there's a disconnect with how women are able to connect once they reach a certain level?
Chris - I know Raft has several SBIR awards. For folks not familiar with SBIR, what is it and how is it different from traditional government contracts?
Jan 26, 2022 • 25min

S2E14: Jacquelyn Schneider - U.S. Cybersecurity Policy & Cyber Deterrence

Nikki - You are currently a Fellow with Stanford University. Could you talk a little about the journey you've made to this point and how cybersecurity plays into the Fellowship?
Chris - We know you served as a Senior Policy Advisor for the U.S. Cyberspace Solarium Commission. Can you speak about that, for those that aren't familiar with the commission? And knowing the government has acted on some of the commission's recommendations, do you think we're making the progress needed as a nation when it comes to Cyber?
Nikki - Do you feel that we're doing enough to blend academic, industry, and public sector pursuits in cybersecurity?
Chris - You recently spoke about why deterrence isn't the right approach for national security. Can you elaborate on that, and what direction we may look to take instead?
Nikki - Given your background with the Air Force, do you think there are any lessons learned that we could use, or at the very least consider, in other organizations when it comes to protecting systems?
Chris - We know you have an extensive background as a cybersecurity researcher and advisor. How do you go about keeping a pulse on the practitioner aspect of cybersecurity in addition to the research and academic aspect?
Jan 19, 2022 • 26min

S2E13: Omar Marrero - Chaos Engineering and Building a Resilient DoD

- Can you tell us a bit about your background and how you got into the role you're in now?
- For those unfamiliar with the term "Chaos Engineering", what is it and why should organizations be practicing it?
- You currently support a program named Kessel Run. What do they do?
- Performing something disruptive such as Chaos Engineering almost seems unheard of in organizations such as the DoD, with low risk tolerance for disruption. How did this come about?
- For people looking to get started with Chaos Engineering, where should they begin? Any recommended learning resources? How do they approach their leadership to propose implementing the practices of Chaos Engineering and get buy-in?
Jan 12, 2022 • 22min

S2E12: Dr. Nikki Robinson - Vulnerability Chaining

What is vulnerability chaining, for those unfamiliar with it? Is it becoming more prevalent among malicious actors?
Why do you think we traditionally look at vulnerabilities in isolation?
How do we get organizations to shift their mindset on how they look at vulnerabilities?
How can organizations get the context to understand which vulnerabilities can be chained together, and how to mitigate those?
Dec 21, 2021 • 24min

S2E11: Drew Malloy - DISA, Zero Trust & Thunderdome

We know the DoD is pushing towards Zero Trust adoption and DISA is playing a key role in that. Can you tell us a bit about that?
What do you think some of the biggest hurdles for Zero Trust adoption in the DoD are, and how can we start to address them?
Zero Trust has inevitably become a bit of a buzzword. If there is something people misunderstand about Zero Trust, what would you say that is?
For those looking to learn more about DISA's approach to Zero Trust, and the topic more broadly, do you have any specific recommendations?
DISA's new network architecture project, Thunderdome: what will it be and what does it consist of?
