Resilient Cyber

Chris Hughes
Dec 11, 2024 • 23min

Resilient Cyber w/ Filip Stojkovski & Dylan Williams - Agentic AI & SecOps

Dylan Williams, a cybersecurity expert focused on security operations and large language models, and Filip Stojkovski, a seasoned professional in SecOps and threat intelligence, discuss the cutting-edge integration of Agentic AI in cybersecurity. They break down the concept of AI agents and multi-agent architectures, highlighting their potential to streamline operations. The conversation also touches on challenges like identity management and the necessity of human oversight, alongside practical tips for integrating AI into existing security frameworks.
Nov 22, 2024 • 29min

Resilient Cyber w/ Walter Haydock - Implementing AI Governance

In a thought-provoking discussion, Walter Haydock, Founder of StackAware and an expert in AI governance, delves into the key challenges organizations face in AI adoption. He emphasizes the need for robust internal governance and security frameworks, sharing lessons from his fieldwork. A fascinating comparison between U.S. and EU regulatory approaches reveals how differing policies impact innovation and economic growth. Walter also highlights essential certifications for practitioners and offers actionable advice for navigating the evolving landscape of AI security.
Nov 18, 2024 • 57min

Resilient Cyber w/ Jim Dempsey - Navigating the Cyber Regulatory Landscape

In this discussion, Jim Dempsey, Managing Director of the Cybersecurity Law Center at IAPP and policy advisor at Stanford, dives into the evolving cyber regulatory landscape. He shares insights on the potential shifts post-U.S. Presidential election, highlighting a possible deregulation trend in commercial tech while emphasizing tighter cyber national security measures. Dempsey contrasts the U.S.'s voluntary regulatory approach with the EU's stringent frameworks, advocating for balanced regulations that promote innovation without sacrificing safety. He also discusses the need for cohesive regulations and the importance of educating policymakers.
Nov 1, 2024 • 25min

Resilient Cyber w/ Tyler Shields and James Berthoty - Is "Shift Left" Losing its Shine?

Tyler Shields, a cybersecurity expert with over 20 years in offensive security, and James Berthoty, founder of Latio Tech, delve into the evolution and challenges of the 'shift left' movement in cybersecurity. They reflect on its historical context and discuss how its relevance is fading in today’s fast-paced tech landscape. The conversation highlights the role of vendors and tools, while advocating for more comprehensive security approaches, questioning if 'secure by design' can truly address industry discrepancies. It's a thought-provoking discussion on the future of secure software development.
Oct 18, 2024 • 34min

Resilient Cyber w/ Shyam Sankar - The Primacy of Digital Dominance

In this episode we sit down with Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We dive into a wide range of topics, from cyber regulation, software liability, and navigating Federal/Defense cyber compliance to the need for digital defense of the modern national security ecosystem.

- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir?
- You're a big proponent of the role that software plays now, and will play in the future, when it comes to the fifth domain of warfare, cybersecurity, so let's dig into some of those topics.
- I know you've voiced some strong opinions on the role of cyber insurance, and also on compliance and its static nature compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?
- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?
- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?
- The enablement of more companies is key. As you know, the DIB has seen massive consolidation in the past decade or more, with a small handful of players dominating the lion's share of the work in the DoD. This arguably poses systemic, concentrated risk, and also doesn't give the DoD access to commercial innovation. You called America's commercial tech sector the DoD's most powerful ally in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a "not built here" syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?
- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATOs, RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?
Oct 17, 2024 • 30min

Resilient Cyber w/ Mark Simos - Cybersecurity Anti-Patterns

In this captivating discussion, Mark Simos, a Microsoft veteran with a wealth of experience in cybersecurity, shares insights from his provocative RSA Conference talk on common security anti-patterns. He emphasizes how a technology-centric mindset often neglects business assets, calls out the harmful 'silver bullet' mentality, and humorously addresses the paradox of blame in security settings. Mark also critiques the office of 'no' that resists new trends, urging a shift towards empathy and collaboration to break these recurring mistakes.
Oct 8, 2024 • 33min

Resilient Cyber w/ Ross Young - How to Become a CISO

- First off, for those who don't know you, can you tell us a bit about your background?
- You've been giving a deep-dive talk on how to become a CISO. I'm curious, what made you put together the presentation, and how has it been received so far when you've had a chance to deliver it?
- You've broken down what you call the "four stages of the journey", which encompass skills in areas such as Technical, Management, Leadership and Political. To me this comes across as CISOs needing to be multidisciplinary professionals with a variety of skillsets. What do you think makes this so important for CISOs to be successful?
- Let's walk through the four stages a bit. You start off with Technical skills. This seems to be the foundation many CISOs start with, coming from roles in areas such as engineering, architecture and so on. What makes this foundation so key?
- How do CISOs maintain a strong technical foundation and depth as they get further away from the tactical work and more into the leadership and strategic role?
- CISOs of course have to be able to manage the teams they build and/or oversee. What are some of the key management skills you think CISOs must have?
- Leading is a fundamental part of what CISOs do, whether it is direct reports or the broader security org. What are some of these leadership skills, and how can they have a positive or negative impact?
- Last but not least is the political side of things. CISOs of course operate among other C-suite peers, the board, and within complex organizations with competing interests, personalities and incentives. This could arguably be the most important skill to hone in terms of ensuring you're effective in your role and have a lasting impact on organizational risk. What are your thoughts on the political skills front?
- I'm curious, as someone who's been a multiple-time CISO and is now advising others on how to obtain the role, where do you see the role of the CISO headed in the future? We see new aspects such as litigation, SEC rules, determining materiality, and CISOs needing to speak the language of the business, all while needing to manage risk in an ever-changing technological landscape, with AI being the latest example. Where is it all headed?
Oct 8, 2024 • 20min

Resilient Cyber w/ Helen Oakley - Exploring the AI Supply Chain

Helen Oakley, an expert in software supply chain security at SAP, discusses the complexities of securing AI supply chains in a rapidly evolving landscape. She highlights the need for transparency and risk assessment to mitigate vulnerabilities. Oakley introduces the concept of AI-BOMs, which provide critical insights into AI models and datasets, and contrasts them with traditional SBOMs. The conversation also touches on the implications of AI regulations in the U.S. and EU, underscoring compliance challenges in high-stakes sectors like healthcare and finance.
Oct 1, 2024 • 27min

Resilient Cyber w/ Jit - Exploring the Emerging ASPM Ecosystem

In this episode we sit down with Amir Kessler and Aviram Shmueli of AppSec innovator Jit to dive into the complexities of the modern AppSec landscape and explore the emerging Application Security Posture Management (ASPM) ecosystem.

- First off, for folks not familiar with your backgrounds, can you tell us a bit about both of your backgrounds and how you got to the roles you're in now?
- We're seeing a ton of interest in the topic of ASPM in the AppSec space. What do you think has led to this emerging category, and what key problems is it looking to solve?
- I know your team puts a big emphasis on not just the tech but also the DevEx and UX. Why is this so critical to addressing AppSec risks and securing organizations and their code?
- While there is value in ASPM platforms, many dev teams and engineers are opinionated about their tools. How important is flexibility and extensibility in the platform the Jit team has built?
- A key challenge is vulnerability overload: teams drowning in massive vulnerability backlogs and trying to add vulnerability context and focus on the most relevant risks for developers. How does Jit approach this?
- Not all ASPM platforms are the same, but we see many vendors rallying around the category. What do you think makes Jit unique and differentiates what the team has built?
Sep 6, 2024 • 25min

Resilient Cyber w/ Christina Liaghati - Navigating Threats to AI Systems

- For those that don't know you, can you tell us a bit about your background and your current role?
- I know you help lead the ATLAS project for MITRE. What exactly is ATLAS, and how did it come about?
- The AI threat landscape is evolving quickly as organizations rapidly adopt GenAI, LLMs and AI more broadly. We are still fleshing out some of the fundamental risks, threats and vulnerabilities to consider. Why is it so important to have a way to characterize it all?
- When it comes to AI security, there is also a lot of hype, buzz and, dare I say, FUD out there. Why are you so adamant that we take a data-driven and actionable approach?
- I know you recently helped participate in the first big AI security incident-focused TTX, including with CISA and other government and industry partners. Can you speak a bit about the experience and why exercises like this are important for organizations to do when it comes to AI security?
- As someone close to the AI domain, when it comes to security, what are your thoughts on both where we're headed for security of AI, and for AI to bolster security?
- For folks wanting to learn more about ATLAS and the work MITRE is doing around AI security, where should they get started?
- What are some key open questions and opportunities for the community to help shape the future of AI security and assurance?

https://atlas.mitre.org/ ← Check out MITRE ATLAS!
