
Resilient Cyber

Latest episodes

Mar 24, 2024 • 56min

S6E12: Matt Nelson & David Cantrell - BESPIN Software Factory - Innovating at the Edge

- Can you each tell us a bit about your background, before we dive in?
- For those not in the DoD or familiar with the term, what is a "Software Factory"?
- What is BESPIN?
- What is the current state of mobile security within the DoD?
- Why do you think there's such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis on "edge" over the last several years, along with the rapid growth of the remote workforce and so on?
- Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you use to secure the mobile-centric applications you deliver?
- Most know that in DoD and Federal there is also a lot of compliance rigor and many hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?
- Since there are no official mobile requirements you get a second-mover advantage: how can you take lessons learned from the Cloud Computing SRGs and apply them to mobile?
- Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airmen on a form of compute they grew up using, all the way to those on the forward edge engaging against adversaries, including in the digital domain.
Mar 22, 2024 • 29min

S6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos

Experts discuss the drama around NVD and its impact on vulnerability management. They highlight concerns about lack of CVE enrichment and the grassroots effort to raise awareness. The podcast explores the underfunding and oversight of critical software ecosystem components. Future solutions from NIST/NVD, government, and industry are discussed to resolve the issue.
Mar 15, 2024 • 32min

S6E10: Adam Bateman - Securing the Modern Identity Perimeter

- It is often now said that identity is the new perimeter. Why do you think that phrase has taken hold and what does it mean to you?
- How much do you think the complicated identity landscape plays a role? For example, most organizations have multiple IdPs, as well as external environments such as SaaS that they have identities and permissions tied to.
- It often feels like SaaS is overwhelmingly overlooked in conversations about both Cloud Security and software supply chain security. Why do you think that is?
- You have published some innovative research around what you dubbed the "SaaS Attack Matrix". Can you tell us a bit about that research and how organizations can use it?
- You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us?
- It's been said that the browser is the new OS, and I have seen you say that if that's the case, Push Security is the new EDR. Can you elaborate on that?
- I recently saw a headline from LinkedIn's own CISO Geoff Belknap that read "Push Security does for identity what CrowdStrike does for Endpoint". That's quite the endorsement and also a catalyst for what you focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?
Mar 14, 2024 • 38min

S6E9: Joanna McDaniel Burkey - From CISO to the Boardroom

- First off, you have an incredible background, evolving from software engineer to management roles and ultimately CISO for some of the industry-leading organizations such as Siemens and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry-leading CISO along the way.
- How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?
- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISOs would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director-type roles?
- Many CISOs and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar?
- I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?
- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, and those looking to move beyond that into board-level and advisory roles? What skillsets and expertise should they be focused on the most?
Mar 6, 2024 • 47min

S6E8: Erez Yalon - AppSec, Supply Chain and Security Research

- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so?
- It's now been a couple of years since the major fallout of notable incidents such as SolarWinds and Log4j. Do you feel like the industry is making headway in addressing software supply chain threats?
- For organizations either just starting or looking to mature their software supply chain security, what are some key areas you recommend they focus their attention on?
- We have a complex landscape from extensive use of open source, SaaS and Cloud providers, partners and third parties. How have you seen firms successfully handle this complexity when it comes to activities such as incident response?
- There's a bit of a heated debate underway in the industry on point products vs. platforms. I know Checkmarx has a comprehensive AppSec platform. How do you view this debate, and do you think we will always see the need for point products, best-of-breed tools and comprehensive platforms in the industry?
- You spend a fair bit of time focused on SSCS research. How does your team approach these activities and share the insights with the community?
- Checkmarx shares a tremendous amount of informative and insightful research around SSCS. Where can folks learn more, and what are some of the interesting projects you are currently working on?
Feb 18, 2024 • 50min

S6E7 - Chinmayi Sharma & Jim Dempsey - Software Liability and Safe Harbor

- First off, for folks not familiar with your backgrounds, can you please each tell us a bit about yourselves?
- Let's set the table a bit: what is software liability and what is driving the increased calls for it? For example, the recently released National Cyber Strategy, and commentary by U.S. leaders such as CISA's Jen Easterly.
- What are some examples the software industry can pull from to try and establish a foundational liability regime?
- What are some of the unique challenges that make software a nuanced domain in which to try and implement something like this, compared to some other industries?
- Jim, you recently wrote a paper about "establishing the floor". Can you elaborate on that for us a bit? How about you, Chinmayi, any thoughts?
- Some have of course exclaimed that something like this could or would kill innovation and have major economic consequences, or lead to "ambulance chasing" type behavior pursuing litigation as a weapon against vendors. What do you think about that?
- Chinmayi, you had a paper titled "A Bug in the Software Liability Debate", where you talked about the challenges of defining a duty of care and dealing with unknown vulnerabilities. Can you expand on that a bit?
- Jim, you've talked about focusing on the outcomes/product, not the process. Why do you think that's important?
- Another equally critical part of the conversation is Safe Harbor, that is, protections for those who do perform the duty of care or act responsibly. Can you touch on that topic, and each give your thoughts on what that may look like if it were to take shape?
Feb 5, 2024 • 20min

S6E6 - Crystal Poenisch - Cybersecurity Product Marketing

- First, please tell us a bit about your background and how you got to the role you are now in. What drew you to the marketing side of cybersecurity?
- I have to be honest, many in the cyber practitioner community often bemoan cyber marketers, often citing poor tactics or interactions. What do you think has contributed to this systemic feeling and how do you think we get past it?
- You've talked about how there is a lot of trash marketing out there and that it's a threat to national security, and about the need to become more cyber literate as an industry, and as civilians as well. Let's hear your take on that!
- What differentiates a "good" cybersecurity marketer?
- How do you find yourself effectively working with product teams, and bridging the gap between the deeply technical engineering and development types and the broader cyber business community, and activities such as sales and GTM?
- I feel there is a lot cyber practitioners, including CISOs, could learn from cyber marketers. For example, we often hear about the need for soft skills in cyber, things like communication, storytelling, relationship building, empathy and more. What do you think about that, and what lessons can practitioners, including CISOs, learn from our marketing peers?
Jan 26, 2024 • 37min

S6E5 - Jeevan Singh - Scaling Application Security

- Let's start off by discussing everyone's favorite topic, vulnerability management. When it comes to AppSec, obviously there's been a big push to "shift security left", which comes with CI/CD pipelines, SAST, DAST, secrets scanning, IaC scanning etc. How have you handled scaling AppSec effectively without burdening Dev teams with massive vulnerability lists and being a blocker for production and delivery?
- There are a lot of tools to choose from, across a lot of categories, from source to build to runtime. How have you navigated selecting the right tools for the job? What about actually integrating, tuning and optimizing them when the team is often already stretched thin?
- On the tooling front, what has been your experience between vendor tools vs. OSS options? What are some of the pros and cons you have seen from each?
- Behind all the technology is people. How have you approached building your AppSec teams?
- There are some nuances between working with existing team members and building the team. When you begin a new role, how have you approached building rapport among the team, getting trust, understanding historical team and org context and so on?
- You seem to continue to find yourself in various leadership roles in AppSec, even after a recent move back to an IC role. Why do you think that is, and what skills have helped you stand out as someone others want to work with, and even for in some cases, as a leader?
- What are some of your go-to resources for learning more about AppSec and keeping up to date on such a fast-moving and dynamic space?
Jan 22, 2024 • 38min

S6E4 - Joseph Lewis - A Year in the Seat - a CISO's Retrospective

- First off, tell us about your journey to the role of the CISO. What did that look like, what steps did you take, what helped prepare you and so on?
- To many, the CISO is considered the pinnacle of the cyber career field. How did it feel when you landed the role, and looking back a year now, what are some thoughts that come to mind?
- We know that as you become more of a senior leader, you get less into the nuance and details of the technical activities and more focused on strategy, vision, organizational objectives and so on. Can you speak about balancing technical expertise and experience with learning to better engage your business peers and fellow leaders across the organization?
- A key part of being a CISO is building and empowering the team around you to ensure security is successful. How do you approach building and leading a team as a CISO?
- Something worth calling out is that you aren't the CISO of an SMB or commercial product company; you're the CISO of a Federal agency. That comes with its own unique challenges, demands and complexity, from resources, requirements, compliance rigor and more. Can you speak a bit about the unique aspects of being a Federal CISO and how you've navigated those so far?
- What are some of your biggest lessons learned, challenges and recommendations around being an effective leader?
- For those aspiring to become a CISO, what resources and steps do you recommend?
- Let's talk a bit about your current role and organization; many of course are interested to hear about that. What are some key strategic objectives you're focused on at CDC, to the extent you're able to speak about them publicly?
Jan 20, 2024 • 1h 3min

S6E3 - Ross Haleliuk - Cyber for Builders & The Cyber Ecosystem

- First off, tell us a bit about your background and how you got to where you are now in your career.
- What led you to write the book? Tell us a bit about the process and the experience so far, given you didn't take a traditional route with a standard publisher etc.
- Your book is broken into different sections, such as security as an industry, understanding the ecosystem, and trends shaping the future of cyber. Let's dive into some of those.
- You talk about how Cyber is horizontal, not vertical, and about the role of trust. Can you elaborate on that and how it makes our field unique?
- You talk extensively about the role of capital, the different types of capital/investors, and how it prevents cyber companies from failing at standard rates, or avoiding natural selection as you call it. I suspect this contributes to what some perceive as "too many security vendors". Do you think that's the case, and is there any merit to the too-many-vendors argument?
- You dive deep into the role of industry analysts and how they impact purchasing decisions, especially among large established firms and organizations. Do you think industry analyst firms have the same impact as they did a decade ago? What impact do you think social media, "influencers" and practitioners themselves being more vocal about products, tools and methodologies is having?
- One topic you speak about that I really enjoy is moving from promise-based to evidence-based security. You talk about outcomes over promises and buzzwords, but we also know it is hard to quickly determine if a tool or vendor keeps promises, and it isn't only about tools; there are resources, staffing, internal expertise and bandwidth that all play a part. Can we delve into that topic a bit?
- Do you think security practitioners being more involved in the buying process is also driving change?
- Let's pivot a bit to founders. You have produced incredible pieces on the founder ecosystem, the pioneer firms who led the way, the role of large publicly traded cyber firms, and the role of networks among military, Israeli and repeat founders. It feels like the old saying that success begets more success. Do you think there are lessons from these pioneer and repeat founders that some new founders neglect, and are there opportunities for new founders to disrupt the way things worked in the past?
- You also stress the need to validate problems before going all in on a company focus and product. This is one I am passionate about, as often cyber feels like a hammer looking for a nail. You discuss how problems experienced among the cyber "1%", such as Silicon Valley and cloud-native startups, are much different from those of big enterprise firms, but the latter is where the money is. I assume it is tempting to focus on the sexy and shiny issues and not realize that's not always where the money is?
- Looking to the future, you discuss the convergence of software and engineering with security, with the push to everything becoming as-Code, the adoption of DevOps, now DevSecOps, and the Cloud of course. What do you think security practitioners of the future look like in terms of key differences from today?
- I personally think it is very important for security practitioners to step back and actually understand the ecosystem they operate in, as it is easy to get caught up in a specific product, platform, or cyber role and lose the bigger picture. Your articles are among the best on this topic in my opinion, especially on products, vendors, capital and more. What advice do you have for security practitioners when it comes to better understanding the broader aspects of the ecosystem they operate in?
