
Resilient Cyber
Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.
Latest episodes

Nov 26, 2021 • 24min
S2E8: John D'Abruzzo - Offensive Security & Purple Teaming
Given your wide range of experience with AWS and cloud security - what would you say are some of the most common types of attacks for cloud platforms?
What would you say are the top three skills someone should work on if they're interested in a career on a Red Team or as a penetration tester?
Are there some really good resources or open-source tools you recommend for anyone learning about offensive security?
Shifting to Purple Teaming, how does Purple Team differ from traditional PenTest/Red Team activities?
For organizations looking to build out a purple team, where do you recommend they begin?
What does the term Cyber Resilience mean to you?

Nov 17, 2021 • 22min
S2E7: Rock Lambros - Cybersecurity, Business & The Evolution of The CISO
Chris - You have a book coming out titled The CISO Evolution - Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISOs to understand the business, and how do they balance their technical skills with business acumen?
Nikki - I see you've posted several videos on LinkedIn - my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision making when it comes to risk. Where do you think the sweet spot is with amount of data vs. quality of data?
Chris - You and I participated in the Qualified Technical Expert course from Bob Zukis together. Do you think we will see boards required to obtain QTEs, and why do you think boards lack technical fluency now, when so much of GDP and business is tied to technology?
Nikki - You spoke at the SANS Cybersecurity Leadership Summit on translating cyber risk into business risk. What would you say are the biggest takeaways for practitioners to be able to explain and express risk properly to improve security and, hopefully, lower risk across the organization?
Chris - Do you think Cybersecurity is a business enabler? If so, how do we as cyber professionals help the business view Cybersecurity as an enabler and a protector of revenue?
Chris - Do you have any recommendations for Cybersecurity professionals looking to transition into a CISO role in the future? Any key business books or resources to familiarize themselves with?
What does Cyber Resilient mean to you?

Nov 9, 2021 • 27min
S2E6: Tracy Bannon - DevSecOps, Innovation & The Public Sector
Chris - We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments for widespread Government adoption of DevSecOps are?
Nikki - I see you spoke recently about minimum viable continuous delivery - can you tell us a little bit about what that is and what it means? And what do you think the possible implications may be on development cycles?
Chris - Do you feel there is often a disconnect between leadership and practitioners when it comes to successful DevSecOps implementation, and if so, what do you think that disconnect entails?
Nikki - I also saw in one of your recent talks you discuss how industry and the public sector need to work more closely together. This is something I'm also very passionate about - can you talk about why this partnership is so needed? Not just from a cybersecurity perspective but from an emerging tech perspective as well?
Chris - What can organizations do to help provide their workforce the space and grace to grow and learn, to help facilitate the push for DevSecOps and Digital Transformation and ensure its success?
What does Cyber Resilience mean to you?

Nov 3, 2021 • 35min
S2E5: Lonye Ford - Cybersecurity Workforce & Leadership
Nikki - I'm so impressed with your wide range of cybersecurity experience - and with that experience you are also a Co-Founder and CEO. Can you talk a little bit about the transition from full-time practitioner to business owner?
Chris - If you had to list the top 1-2 issues facing the Cybersecurity community within Government in particular, what would they be?
Nikki - What would you say are some of the biggest challenges that you've faced running your own company in the security and intelligence space?
Chris - We know there is a big push for cATO/Ongoing Authorization in Government. Do you think this is something that can be achieved? Any thoughts on the key factors to help it be successful?
Nikki - Would you have some advice for security practitioners who are thinking about starting their own business or moving up to a more managerial role from a technical role?
Chris - You have started and now lead a successful company in the Public Sector space. Any tips for your fellow entrepreneurs who may want to do something similar?

Oct 25, 2021 • 24min
S2E4: Dr. Allan Friedman - CISA - SBOM and the Art of Possible
For those unaware, what exactly is an SBOM, and why is it so important?
One of the presentations you gave mentioned that software supply chain attacks shouldn't be discussed as "emerging threats" - these really have been going on for years. Why do you think we still talk about it as an emerging threat or something novel?
We know you've recently talked about an effort dubbed "VEX" which seeks to add context to SBOM information. How is this valuable and how can it be used to reduce risk?
What would you say are the top 3 things that organizations could do today to be aware of in regards to software supply chain attacks?
In regards to SBOMs for complex environments such as SaaS, where you have several parties involved and interdependencies, how do you see the SBOM evolving in that space?
How do you see organizations operationalizing SBOMs from a Cyber practitioner perspective? How will it fit into a robust cybersecurity program?

Oct 20, 2021 • 27min
S2E3: Meghan Jacquot - Breaking into Cybersecurity
You have just received your first-time role in cybersecurity as a Security Analyst - congratulations! How has your first experience been so far in this new role?
LinkedIn can be a powerful method of meeting others. Of all the amazing things you've done - what is the best advice you could give for someone trying to break into cybersecurity?
On the flip side - what is something you would like for hiring managers to consider when they are interviewing potential security analysts?
Of the conference volunteering, speaking at conferences, networking, and certifications that you've been working towards, what do you feel was the most helpful to land your first job?
As someone who's been trying to break into cyber, what did you find were the biggest impediments?
What can we do as an industry to make the field more inclusive to aspiring entrants of all backgrounds?

Oct 13, 2021 • 20min
S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source
I was reading the CISA document "Defending Against Software Supply Chain" and was curious if the guidance within was helpful or informative for anyone who wants to start an S-SCRM program?
What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST 800-53 include SCRM-specific controls now. Will it help?
What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software supply chain attack?
From the perspective of Cloud, do you feel cloud adoption can help, or hinder, when it comes to driving down risk associated with the supply chain?
What are the biggest concerns / risks when it comes to building a secure software supply chain program?
I know you've been involved with projects such as TUF and in-toto. Can you help folks understand what those are and why they are valuable?
What does the term "Cyber Resilient" mean to you?
Find out more from Cole at TestifySec - https://www.testifysec.com/

Oct 6, 2021 • 30min
S2E1: Michael Baker - VP/CISO at GDIT - Business Acumen, Leadership & the Evolution of the CISO
Leadership and Business Acumen - we know you're passionate about these topics. How much do you think these play a role in the success of a person's career in Cyber, and do you think these are things some of us may overlook?
Organizational Influence is something we know you've spoken about. Can you elaborate on that? How do you go about influencing organizational change for cybersecurity, especially in organizations the size of GDIT? Does this change at all when you're trying to influence change at an external organization?
Team Building is undoubtedly something you've had to do throughout your career. Do you have any tips for those looking to build strong teams?
On the topic of team building, there's also the topic of mentoring. Is this critical within teams? How about mentoring others outside of our team, and even outside of our organizations?
Being in a role such as VP and CISO at a major firm like GDIT, Executive Communication is key. Do you have advice for others when it comes to communicating cyber risks and objectives to executive leadership?

Aug 3, 2021 • 46min
Resilient Cyber Podcast - Episode 23 - Dr. James Hall - Security Television Network (STN)
- As Founder of the Security Television Network, how did you come up with the idea?
- We have so many channels right now on the airwaves, and it seems like every day there is a security incident. Why STN? What does STN bring to the security news forum?
- Can you tell us a little bit about the Indiegogo campaign?
- You also have a Doctorate and teach at Capitol Technology University. Can you explain the significance or interest you have in academic research and technical pursuits?
- On top of everything else - you were also a Marine and in the U.S. Coast Guard. Can you talk about how that experience maybe plays into your current role as CEO / Network Owner / Security aficionado?
- How can a business connect with you to become a sponsor on the network?
- What does cyber resilience mean to you?

Jul 25, 2021 • 46min
Resilient Cyber Podcast - Episode 22 - Tia Hopkins - Cyber Leader, Empowering Women, Power of Research
You have some incredible accolades, titles, and roles - but before we dive into those, can you tell us about your journey? We always love hearing about how someone got to where they are, and the hard work, discipline, and sacrifice that went into that.
As mentioned previously, you have a lot of different titles - Cyber Exec, Professor, Author, Keynote Speaker. How important do you feel personal branding is in our career field? Any advice for other aspiring cyber professionals looking to expand their own profiles and differentiate themselves?
You are also listed as one of the Top 100 Women in Cyber, and Top 25 Women Leaders in Cyber. We are big advocates for bringing more women into the Cyber field. Can you speak on the presence of women in cyber, how we can help bring more women into the field, and ways women can stand apart from their male counterparts in Cyber?
We know you're also a PhD student. Can you tell us what made you want to pursue a PhD? What do you intend to write and research on, and how do you see a PhD potentially impacting your career?
One thing I love is that not only are you a master at personal branding, executive presence, networking, and things of that nature, but you also have a very strong architecture background and expertise. How do you think the two play together, and do you feel some people miss the boat in terms of pairing their technical skills and competencies with their social skills, and in mastering both the technical and soft skills?
What does Cyber Resilience mean to you?