Resilient Cyber
Chris Hughes
Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.
Episodes
Mar 31, 2022 • 1h 2min
S2E24: Breaking Down the DoD Continuous ATO (cATO) Memo w/ Paul Puckett & Tyler Gesling
A discussion with the Director of the Army Enterprise Cloud Management Agency (ECMA) - Paul Puckett and Cybersecurity Subject Matter Expert (SME) from DoD CIO-IE office, Tyler Gesling on the recent DoD cATO memo.

Mar 30, 2022 • 39min
S2E23: Greg Touhill - Security/Boardroom Leadership & Zero Trust
- We know you served as the first Federal U.S. CISO. Can you tell us a bit about that experience?
- In addition to your military and public sector background, you've held various industry roles as well. What are some of the major differences between the two environments you've experienced?
- We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern?
- You're very passionate about Zero Trust. What are your thoughts on the Federal push to adopt Zero Trust in an environment as big and complex as the Federal and DoD space?
- You've served at the highest levels of Cybersecurity leadership for several years. Any advice for aspiring security leaders?
- What do you think the CISO of the future looks like in terms of skillsets and competencies?
- Can you tell us a bit about what you're up to these days with the CERT Division at SEI?

Mar 25, 2022 • 30min
S2E22: HackerOne - Bug Bounty, Vulnerability Disclosure and Ethics
Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?
Chris: We're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast with (or complement) companies' internal pen test/red teams, for example?
Nikki: Vulnerability management is an incredibly complex topic for a lot of organizations. Do you think bug bounty programs and Vulnerability Disclosure Programs (VDP) are helping to mature those programs?
Chris: How do companies have a level of assurance that the hackers will conduct the activities ethically?
Nikki: I think there's still sometimes a disconnect between what hackers and pentesters know about vulnerabilities and the actual attack paths, and the remediation teams that are working to prevent these types of attacks. Do you think there's a need to educate more Blue teamers on specific types of attacks and how they are conducted?
Chris: On the flip side, for hackers interested in bug bounty, how can they best go about getting started?
Nikki: We're starting to see more development teams taking responsibility for security; we frequently hear the term "shifting left." Is that a trend you are observing as well?
Chris: Thoughts on Log4Shell?

Mar 15, 2022 • 25min
S2E21: Jerich Beason Emotional Intelligence, Cyber Leadership and SaaS Security
- You hold a variety of roles, from advisor to podcast host to CISO, and have a great industry presence. How do you juggle it all, and what drives you to do so much?
- You recently spoke about emotional intelligence; do you feel it is overlooked in tech and cyber?
- You speak a lot about leadership in Cybersecurity. What are some of the characteristics you think are the most important for the modern cyber leader?
- We know you often dive into Cloud security. You recently made some comments about SaaS Security Posture Management (SSPM). What is that and why do folks need it?
- Why do you feel that SaaS Security in general gets overlooked in the conversation on Cloud security?

Mar 8, 2022 • 23min
S2E20: Tidelift - Open Source Software (OSS) & Software Supply Chain
- When you look at the state of the Open-Source Software (OSS) ecosystem, what do you think some of the biggest problems are?
- Why do you think we're now starting to see so much increased attention on the Software Supply Chain?
- When it comes to OSS maintainers and contributors, typically this is all done voluntarily and uncompensated in many cases. How is Tidelift looking to change that paradigm?
- What are some recommendations you have for organizations as they start to try and get a handle on their software supply chain?
- What are some things Tidelift is focused on that you think will benefit the industry and community?

Mar 1, 2022 • 39min
S2E19: Renee Wynn - Organizational Leadership, FISMA Reform and Soft Skills
- We know you've held several executive roles. We would love to hear your perspective regarding balancing business and organizational leadership with the technology side.
- You recently testified before Congress regarding FISMA reform. Why do you feel this reform is so needed, and what do you feel in particular would make the biggest impact?
- What advice would you have for technology professionals who want to advance to executive roles like you've held?
- What do you think we as an industry can do to help encourage more women into STEM and tech fields?

Feb 23, 2022 • 28min
S2E18: John Guckian - EDR, XDR and Modern Endpoint Protection
Nikki - What does EDR look like right now and where is it going?
Nikki - What are the differences between typical A/V and EDR?
Chris - What role do you see EDR playing in the push for Zero Trust?
Nikki - How do you integrate EDR into your environments, and how do you feel about using EDR with SIEMs?
Chris - Do you feel that the boom in working from home has impacted the EDR space?
Nikki - Can you talk a little bit about what DLP is and how it relates to EDR rollouts?
Chris - Building on EDR, what is XDR and how is it different?
Nikki - What would you say are some of the biggest challenges around deploying EDR, and some of the pitfalls admins/engineers should be aware of?
Chris - Do you have some resources for anyone thinking about deploying EDR?
Nikki - How do you feel about container-based deployments of EDR?
Chris - What does cyber resiliency mean to you?

Feb 15, 2022 • 40min
S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation
Nikki - Can you tell us a little bit about what you're currently working on right now at NIST?
Chris - Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM, and C-SCRM is a complex topic. Where do you see the industry going forward in terms of maturing C-SCRM practices?
Nikki - Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lot of people in the industry discussing vulnerability management programs, but it continues to be a challenging undertaking for organizations.
Chris - NIST 800-160 focuses on developing Cyber Resilient Systems. The DoD's Software Modernization Strategy focuses on Cyber Survivability as well. Do you feel the focus on resilience is critical, knowing that no system is infallible?
Chris - The Government is making a big push for DevSecOps. Many argue that the Government's approach to compliance, with RMF, is too cumbersome for DevSecOps. Do you disagree with this? If so, why, and do you think there are any changes we can make to better facilitate DevSecOps adoption?
Nikki - NIST is very well known for its inclusion of public collaboration with practitioners, researchers, and academic institutions. Do you feel that there is more that can be done to increase collaboration between public, private, and academic institutions?
Chris - There's tons of buzz about cATO. Despite this recent buzz, Ongoing Authorization has been part of the RMF lexicon for quite some time. Do you feel that modern technologies such as Cloud can better help agencies and systems achieve a cATO?
Nikki - NIST has been on an absolute roll lately with publishing guidance, much of it tied to the Cyber EO, from Zero Trust to SSDF and more. How does the organization keep such a pace on publishing industry guidance? What can we look for next in terms of big publications from NIST?
Chris - What's next for Ron Ross? You've been involved in countless major publications and methodologies. What do you see the legacy of Ron Ross being when you finally step away from being such a pillar in our community?
Nikki - What does cyber resiliency mean to you?

Feb 10, 2022 • 18min
S2E16: Dr. Nagi Mei - Drone Security, Forensics and Regulation
Nikki - Please tell us a little bit about your dissertation and why you felt like drone forensics needed further research.
Chris - We know you have a Doctorate where your focus was a UAV systems forensics framework. My background is largely with DoD, which is increasingly embracing UAVs/drones. Are there any major security concerns a community like that should consider as they embrace these technologies?
Nikki - Do you feel like there is still a need to create more comprehensive policies and frameworks around drone forensics?
Chris - I noticed you also have an MBA in addition to your massive technical expertise and background. Does the business context help you in your various roles?
Nikki - Do you see a need for Incident Response frameworks for drones as well? What if they're hacked during missions or when out in the field?
Chris - You're involved in quite a few non-profit and volunteer groups such as ISSA, Krypto Kids and more. Why do you feel it is important to stay involved in these groups, and how do you feel it helps our broader Cyber community to have groups like these?
Nikki - Where do you see the future of research around drones, and how will they affect our current cybersecurity practices?
Nikki - What does cyber resiliency mean to you, specifically in the growing field of drones and drone research?

Feb 2, 2022 • 29min
S2E15: Shubhi Mishra - Government Innovation & Women in Tech
Nikki - First, I need to hear how you feel about women in technology, and any words of encouragement for women who are interested in starting a business.
Chris - We know your organization Raft is up to some innovative work in the Federal space. Can you tell us a bit about that?
Nikki - You have such a unique background with business, law and technology; I've actually considered getting a law degree. Do you think that has altered your perspective as a business owner?
Chris - In your experience, what have been some of the biggest impediments to digital transformation efforts in Government, and do you have any recommendations for industry partners of Government on how to overcome them?
Nikki - Why do you feel it's so important to connect women in executive positions? Do you think there's a disconnect with how women are able to connect once they reach a certain level?
Chris - I know Raft has several SBIR awards. For folks not familiar with SBIR, what is it and how is it different from traditional government contracts?