Resilient Cyber

Latest episodes

Dec 14, 2021 • 37min

S2E10: Shane Barney - Federal Zero Trust, Cloud, and DevSecOps

Chris - There's quite a push for Zero Trust in the Federal Government, with the Cyber EO and ZT publications from CISA. What do you see as some of the biggest impediments for the Government's adoption of ZT? What are some of the biggest opportunities?
Nikki - In one of your recent posts you mention the difference between zero trust being a concept vs being something to act on. What do you think the right way to implement a zero-trust architecture is?
Nikki - Do you have any resources for practitioners who are looking to ensure they are meeting a zero trust architecture framework?
Chris - You commented recently about Compliance NOT being Security. This is something that many of us who have been in the field long enough agree with. That said, the Government's approach to cybersecurity largely revolves around Compliance. Why is that, and how do we go about changing that to a focus on real security?
Chris - You recently had some comments about the CISO reporting relationship in the Federal space, reporting to the CIO. Do you want to share any thoughts on who you think the CISO should report to, and how CISOs can help influence who they report to, to support their security initiatives?
Nikki - You mention a need for CIO/CISO partnership. Can you expand on why that's so important in an organization? How can the organization benefit from this partnership?
Chris - As you know, there's a big push for DevSecOps both in Government and Industry. What can Security teams learn from their Development peers, and how do we successfully facilitate the push for DevSecOps?
Dec 7, 2021 • 21min

S2E9: Ron Gula - Cybersecurity Founding, Investing and Board Advising

Nikki - As someone who has such wide-ranging experience in cybersecurity, from practitioner and business owner to investor, what would you say are the largest concerns in cybersecurity right now? Zero trust? Incident Response? Cloud security?
Chris - You hold several advisory and board member roles. For Cybersecurity professionals looking to perform similar roles, do you have any recommendations?
Nikki - With your background in a company like Tenable and the security tool industry, do you feel like cybersecurity practitioners have the tools that they need to perform tasks? Do you think there are any gaps between technology, process, and the people?
Chris - Having been around the cybersecurity industry for quite a bit, what do you think some of the biggest emerging changes are, and also, something that has remained relatively consistent?
Nikki - With all of the amazing nonprofit work you do, why do you think we still have such a skills gap and a need for more people in the security industry? How can we close that gap?
Nikki - Do you have anything in particular you're working on right now you'd like to share with our audience?
Nov 26, 2021 • 24min

S2E8: John D'Abruzzo - Offensive Security & Purple Teaming

Given your wide range of experience with AWS and cloud security, what would you say are some of the most common types of attacks for cloud platforms?
What would you say are the top three skills someone should work on if they're interested in a career on a Red Team or as a penetration tester?
Are there some really good resources or open-source tools you recommend for anyone learning about offensive security?
Shifting to Purple Teaming, how does Purple Team differ from traditional PenTest/Red Team activities?
For organizations looking to build out a purple team, where do you recommend they begin?
What does the term Cyber Resilience mean to you?
Nov 17, 2021 • 22min

S2E7: Rock Lambros - Cybersecurity, Business & The Evolution of The CISO

Chris - You have a book coming out titled The CISO Evolution - Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISOs to understand the business, and how do they balance their technical skills with business acumen?
Nikki - I see you've posted several videos on LinkedIn; my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision making when it comes to risk. Where do you think the sweet spot is with amount of data vs quality of data?
Chris - You and I participated in the Qualified Technical Expert course from Bob Zukis together. Do you think we will see boards required to obtain QTEs, and why do you think boards lack technical fluency now, when so much of GDP and business is tied to technology?
Nikki - You spoke at the SANS Cybersecurity Leadership Summit on translating cyber risk into business risk. What would you say are the biggest takeaways for practitioners to be able to explain and express risk properly to improve security and, hopefully, lower risk across the organization?
Chris - Do you think Cybersecurity is a business enabler? If so, how do we as cyber professionals help the business view Cybersecurity as an enabler and protector of revenue?
Chris - Do you have any recommendations for Cybersecurity professionals looking to transition into a CISO role in the future? Any key business books or resources to familiarize themselves with?
What does Cyber Resilient mean to you?
Nov 9, 2021 • 27min

S2E6: Tracy Bannon - DevSecOps, Innovation & The Public Sector

Chris - We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments for widespread Government adoption of DevSecOps are?
Nikki - I see you spoke recently about minimum viable continuous delivery. Can you tell us a little bit about what that is and what it means? And what do you think the possible implications may be on development cycles?
Chris - Do you feel there is often a disconnect between leadership and practitioners when it comes to successful DevSecOps implementation, and if so, what do you think that disconnect entails?
Nikki - I also saw in one of your recent talks you discuss how industry and the public sector need to work more closely together. This is something I'm also very passionate about. Can you talk about why this partnership is so needed? Not just from a cybersecurity perspective but from an emerging tech perspective as well?
Chris - What can organizations do to help provide their workforce the space and grace to grow and learn, to help facilitate the push for DevSecOps and Digital Transformation and ensure its success?
What does Cyber Resilience mean to you?
Nov 3, 2021 • 35min

S2E5: Lonye Ford - Cybersecurity Workforce & Leadership

Nikki - I'm so impressed with your wide range of cybersecurity experience, and with that experience you also are a Co-Founder and CEO. Can you talk a little bit about the transition from full-time practitioner to business owner?
Chris - If you had to list 1-2 top issues facing the Cybersecurity community within Government in particular, what would they be?
Nikki - What would you say are some of the biggest challenges that you've faced running your own company in the security and intelligence space?
Chris - We know there is a big push for cATO/Ongoing Authorization in Government. Do you think this is something that can be achieved? Any thoughts on the key factors to help it be successful?
Nikki - Would you have some advice for security practitioners that are thinking about starting their own business or moving up to a more managerial role from a technical role?
Chris - You have started and now lead a successful company in the Public Sector space. Any tips for your fellow entrepreneurs who may want to do something similar?
Oct 25, 2021 • 24min

S2E4: Dr. Allan Friedman - CISA - SBOM and the Art of Possible

For those unaware, what exactly is an SBOM, and why is it so important?
One of the presentations you gave mentioned that software supply chain attacks shouldn't be discussed as "emerging threats"; these really have been going on for years. Why do you think we still talk about it as an emerging threat or something novel?
We know you've recently talked about an effort dubbed "VEX" which seeks to add context to SBOM information. How is this valuable and how can it be used to reduce risk?
What would you say are the top 3 things that organizations could do today to be aware of in regards to software supply chain attacks?
In regards to SBOMs for complex environments such as SaaS, where you have several parties involved and interdependencies, how do you see the SBOM evolving in that space?
How do you see organizations operationalizing SBOMs from a Cyber practitioner perspective? How will it fit in to a robust cybersecurity program?
Oct 20, 2021 • 27min

S2E3: Meghan Jacquot - Breaking in to Cybersecurity

You have just received your first-time role in cybersecurity as a Security Analyst, congratulations! How has your first experience been so far in this new role?
LinkedIn can be a powerful method of meeting others. Of all the amazing things you've done, what is the best advice you could give for someone trying to break into cybersecurity?
On the flip side, what is something you would like for hiring managers to consider when they are interviewing potential security analysts?
Of the conference volunteering, speaking at conferences, networking, and certifications that you've been working towards, what do you feel like was the most helpful to land your first job?
As someone who's been trying to break into cyber, what did you find were the biggest impediments?
What can we do as an industry to make the field more inclusive to aspiring entrants of all backgrounds?
Oct 13, 2021 • 20min

S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source

I was reading the CISA document "Defending Against Software Supply Chain" and was curious if the guidance within was helpful or informative for anyone who wants to start a S-SCRM program?
What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST 800-53 include SCRM-specific controls now. Will it help?
What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software supply chain attack?
From the perspective of Cloud, do you feel cloud adoption can help, or hinder, when it comes to driving down risk associated with the supply chain?
What are the biggest concerns / risks when it comes to building a secure software supply chain program?
I know you've been involved with projects such as TUF and in-toto. Can you help folks understand what those are and why they are valuable?
What does the term "Cyber Resilient" mean to you?
Find out more from Cole at Testify Sec - https://www.testifysec.com/
Oct 6, 2021 • 30min

S2E1: Michael Baker - VP/CISO at GDIT - Business Acumen, Leadership & the Evolution of the CISO

Leadership and Business Acumen: we know you're passionate about these topics. How much do you think these play a role in the success of a person's career in Cyber, and do you think these are things some of us may overlook?
Organizational Influence is something we know you've spoken about. Can you elaborate on that? How do you go about influencing organizational change for cybersecurity, especially in organizations the size of GDIT? Does this change at all when you're trying to influence change at an external organization?
Team Building is undoubtedly something you've had to do throughout your career. Do you have any tips for those looking to build strong teams?
On the topic of team building, there's also the topic of mentoring. Is this critical within teams? How about mentoring others outside of our team, and even outside of our organizations?
Being in a role such as VP and CISO at a major firm like GDIT, Executive Communication is key. Do you have advice for others when it comes to communicating cyber risks and objectives to executive leadership?