Resilient Cyber

Latest episodes

Aug 3, 2021 • 46min

Resilient Cyber Podcast - Episode 23 - Dr. James Hall - Security Television Network (STN)

- As Founder of the Security Television Network, how did you come up with the idea?
- We have so many channels right now on the airwaves, and it seems like every day there is a security incident. Why STN? What does STN bring to the security news forum?
- Can you tell us a little bit about the Indiegogo campaign?
- You also have a Doctorate and teach at Capitol Technology University. Can you explain the significance of, or interest you have in, academic research and technical pursuits?
- On top of everything else, you were also a Marine and in the U.S. Coast Guard. Can you talk about how that experience plays into your current role as CEO / Network Owner / security aficionado?
- How can a business connect with you to become a sponsor on the network?
- What does cyber resilience mean to you?
Jul 25, 2021 • 46min

Resilient Cyber Podcast - Episode 22 - Tia Hopkins - Cyber Leader, Empowering Women, Power of Research

- You have some incredible accolades, titles, and roles, but before we dive into those, can you tell us about your journey? We always love hearing about how someone got to where they are, and the hard work, discipline, and sacrifice that went into that.
- As mentioned previously, you have a lot of different titles: Cyber Exec, Professor, Author, Keynote Speaker. How important do you feel personal branding is in our career field? Any advice for other aspiring cyber professionals looking to expand their own profiles and differentiate themselves?
- You are also listed as one of the Top 100 Women in Cyber, and Top 25 Women Leaders in Cyber. We are big advocates for bringing more women into the cyber field. Can you speak on the presence of women in cyber, how we can help bring more women into the field, and ways women can stand apart from their male counterparts in cyber?
- We know you're also a PhD student. Can you tell us what made you want to pursue a PhD? What do you intend to write and research on, and how do you see a PhD potentially impacting your career?
- One thing I love is that not only are you a master at personal branding, executive presence, networking, and things of that nature, but you also have a very strong architecture background and expertise. How do you think the two play together, and do you feel some people miss the boat in terms of pairing their technical skills and competencies with their social skills, and mastering both the technical and soft skills?
- What does Cyber Resilience mean to you?
Jul 18, 2021 • 29min

Resilient Cyber Podcast - Episode 21 - Dr. Philip Kulp - DevSecOps

- You have quite a bit of experience and a lot of research into implementing secure software, but we'd like to dig into a little bit about where organizations should start: tools, multiple developers? What kind of baselines should be considered?
- There's an increased focus on secure software supply chains, especially with the recent Executive Order (EO). The EO emphasizes the prevalence of an SBOM, and it seems like SBOMs are set to become an industry norm in the not-so-distant future. What are your thoughts around SBOMs and how they can help mitigate, or at least shed light on, some of the security concerns around external third parties, insecure dependencies, and the organization's overall software consumption?
- There are multiple vectors for insecure external code to be introduced into an application. How should organizations be protecting their applications in the context of third-party libraries?
- With some of those major pain points in developing a secure software program, how can organizations integrate security and secure practices with developers?
- There are some leading industry resources such as the OWASP Software Assurance Maturity Model (SAMM) and Building Security in Maturity Model (BSIMM) for organizations to leverage to support their software security initiatives. Have you seen organizations have much success with these approaches, and do you have any advice on this front in terms of how to adopt and use these resources?
- Now that we've covered how to integrate security into development teams, how can we integrate secure practices into operations teams?
- What are some resources that developers, operations, and management can look to when they're trying to integrate secure practices into their pipelines?
- What does cyber resilience mean to you in the context of DevSecOps practices?
Jul 11, 2021 • 46min

Resilient Cyber Podcast - Episode 20 - Dr. Michaela Iorga - NIST / OSCAL

1. You are part of several working groups within the NIST Cloud Computing area. Could you tell us a little bit more about the Security and Forensic Sciences groups? For individuals who aren't with NIST but have relevant expertise, is there a way we can contribute to publications?
2. You have recently released the NIST Open Security Controls Assessment Language (OSCAL) document. Could you give us some background on how this document came about and how much feedback you received from the OSCAL community?
3. OSCAL has the promise to make standard security documentation such as SSPs and others machine readable and integrated with tooling for automated assessment, continuous monitoring, and visualization in dashboards. What sort of impact do you see this having on the traditional way of doing Federal cybersecurity? Do you see this as the future of cybersecurity across Government and DoD?
4. To expand on that topic a little bit, NIST has a great history of working with the public, community groups, and other agencies on the best documentation, controls, and guidance for both the private and public sector. Can you speak about the importance of collaboration between the private and public sectors?
5. NIST has had some great webinars and virtual events lately. As the impacts of COVID dissipate, does NIST plan to keep these sorts of events up to help spread its reach and impact across the IT/cyber community?
6. Have you had any involvement with NIST DevSecOps efforts, and can you speak about DevSecOps adoption within Government? Any thoughts in particular on its value, the challenges, and the major benefits? One area of strong interest lately is On-Going Authorization or Continuous ATO, versus the traditional 3-year ATO cycle. Can you discuss how OSCAL may play a part here?
7. What does Cyber Resilience mean to you?
Jul 4, 2021 • 29min

Resilient Cyber Podcast - Episode 19 - Richard Seiersen - CISO / Author

- Could you provide some advice for anyone who may want to be a CISO, or even some guidance on how and why someone may want to be a CISO?
- You've written a book called "How to Measure Risk with Anything". Could you provide some advice to cybersecurity professionals who have a topic in mind and want to write a book of their own?
- With your vast knowledge and experience in cybersecurity leadership, can you give us an example of some of the major challenges or roadblocks you've seen in maturing a cybersecurity program?
- You're currently the CISO and Co-Founder at Soluble, which focuses on GitOps Security Testing. For those not familiar with it, what is GitOps? Why is this sort of testing valuable? Any thoughts on Compliance-as-Code?
- How is working as a CISO at a SaaS startup compared to some of your previous roles, such as Kaiser Permanente and GE Healthcare?
- Do you feel that Cloud presents new challenges for CISOs? If so, how? Any major recommendations for CISOs looking to get a handle on Cloud Security?
- What does Cyber Resilience mean to you?
Jun 27, 2021 • 46min

Resilient Cyber Podcast - Episode 18 - Daniela Applegate - Co-Founder of rThreat

Questions:
- Can you tell us a little bit about what rThreat does?
- We spoke a bit about your background in education and curriculum development. Can you give us some more information about that and how it has impacted your new role?
- Can you give us a bit about what it's like to work at a startup and how your interest in security got you into that?
- How do you feel the threat landscape is changing? Do you think we need to change the way we think about security awareness?
- (Related to my research) How do you feel vulnerability chaining ties into what rThreat is doing, and how should organizations be considering these attacks?
- What does cyber resiliency mean to you?
Jun 19, 2021 • 43min

Resilient Cyber Podcast - Episode 17 - Rob Wood - CISO for CMS

- Can you tell us a bit about your journey to becoming the CISO at CMS? We know you spent most of your time in commercial industry prior. How has it helped, and what are some of the major differences you've experienced?
- Can you give us some industry-specific guidance on what it means to be a CISO in the healthcare industry?
- CMS handles the PII of over 50 million Americans, I believe. Can you elaborate on the scale/scope of that challenge and how the organization prioritizes this protection given the huge responsibility and reach?
- Based on your experience, are there targeted threats against your industry, or specific types of security considerations that are most important?
- We know you've mentioned some of the challenges with programs like FedRAMP when it comes to Government Cloud, and the struggles/risks associated with overly cumbersome regulation and compliance requirements. How do we balance the need for security, compliance, and governance without introducing bottlenecks that stifle innovation?
- As a CISO, how do you feel about Incident Response? Is this more or less important than the preventative measures you may be using?
- You've mentioned a "Batcave" DevSecOps-type initiative you have in mind. Can you tell us a bit about that?
- The government has a long history of struggling to attract and retain tech talent. Any recommendations on this front to draw more folks like yourself and others to civil service?
- Given your role at a major Federal civilian agency, and the recent Cybersecurity Executive Order (EO), do you have any major takeaways or thoughts regarding the EO and its potential impact on not just the government but the broader IT/cyber industry?
- What does the term Cyber Resilience mean to you?
Jun 13, 2021 • 32min

Resilient Cyber - Episode 16 - John Stoner - Ally, Public Speaker, and OSINT Extraordinaire

1. You are an active member on LinkedIn as an ally to women wanting to get into or succeed in cybersecurity. Can you explain why that is so important to you?
2. You have a number of public speaking engagements under your belt. Could you give us some detail on how you came across it and what interested you about it?
3. Could you give some advice to anyone looking to get into speaking at cyber conferences?
4. You participate in a number of local groups, either as a volunteer or an active member. I'd love to get your take on why these local chapters of WiCyS, ISSA, InfraGard, etc. are so important to the cyber community at large.
5. You previously served as the Deputy Director of the Defense Industrial Base Collaboration Information Sharing Environment, which is the reporting and analysis hub for the implementation of sections of the National Defense Authorization Act (NDAA), as well as DFARS 7012, related to cyber incidents and mandatory reporting. Can you tell us a bit about that?
6. What role do you see CMMC playing in the DIB, and what gaps does it address? Do you think it is feasible for DIB vendors to meet CMMC requirements, particularly SMBs?
Jun 6, 2021 • 25min

Episode 15 - Dr. Chase Cunningham - Dr. Zero Trust

- For those unfamiliar with Zero Trust, if you had to summarize what Zero Trust is, how would you describe it?
- Zero Trust has been in the news quite a bit recently, with NIST even coming out with its own guide just a year ago. Do you think this is really a new topic, or more of a maturation of older processes?
- It seems like with every breach we hear that Zero Trust could have prevented x, y, and z. Do you think Zero Trust has the potential to mitigate breaches, or at least minimize their impact?
- I see Zero Trust typically talked about as only applying to layer 7 in the OSI model. Do you think that's true? Or do you see the general concepts as applying to more layers as a defense-in-depth strategy?
- Given the hype around Zero Trust, many vendors are now claiming their product equates to Zero Trust, or gets you "Zero Trust compliant", and similar phrases. How do you feel about this, and do you see it as misleading?
- What does Cyber Resilience mean to you? Does implementing Zero Trust make an organization or system more resilient?
May 30, 2021 • 40min

Resilient Cyber - Episode 14 - Hannah and Vito - Army Software Factory

In this episode we chat with some of the leadership team from Army Futures Command. We discuss:
- What exactly does a Chief Product and Innovation Officer do, and why is a role like this needed in the DoD?
- How has AFC built on lessons learned from previous efforts, such as Kessel Run?
- We know there's a push for Soldier-led software development. Why is that, and why is it important for National Security, over traditional ways of doing software development within the DoD?
- We know there's a push towards Cloud, DevSecOps, etc. within DoD. How does the Army's approach differ from, say, the Air Force's, and what are the similarities?
- What are some of the challenges with trying to implement the Software Factory concept in the DoD?
- You recently spoke at an event by the Defense Entrepreneurs Forum (DEF), titled DEFxSoftware. Why are groups like these important for the innovation ecosystem of the DoD?
- I know the Army cloud office has spoken on the need for "CISO-as-a-Service" technologies. What does that mean exactly?