Resilient Cyber

- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?- Some may be asking, what's the big deal, its just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?- One thing I noticed is the emphasize on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?

- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO?- What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?- Have you had to navigate working on versus in the business, and what has that looked like for you?- For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?- I know you're also very passionate about the veteran community in cyber, why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?

Can you each tell us a bit about your background, before we dive in?For those not in the DoD or familiar with the term, what is a “Software Factory”?What is BESPIN?What is the current state of mobile security within the DoD?Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on?Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?Since there are no official mobile requirements you kind of get a second mover advantage, how can you take lessons learned from the Cloud Computing SRGs and apply that to mobile? Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airman on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.

Experts discuss the drama around NVD and its impact on vulnerability management. They highlight concerns about lack of CVE enrichment and the grassroots effort to raise awareness. The podcast explores the underfunding and oversight of critical software ecosystem components. Future solutions from NIST/NVD, government, and industry are discussed to resolve the issue.

- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you? - How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdP's, as well as external environments such as SaaS and so on that they have identities and permissions tied to  - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain security - why do you think that is?- You all have published some innovative research around what you dubbed as the "SaaS Attack Matrix" can you tell us a bit about that research and how organizations can use it?  - You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us? - It's been said that the browser is the new OS, and I have seen you all say if that's the case, Push Security is the new EDR. Can you elaborate on that?  - I recently saw a headline from LinkedIn's own CISO Georgg Belknap that read "Push Security does for identity what Crowdstrike does for Endpoint". That's quite the endorsement and also catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?

- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry leading organizations such as Siemen's and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry leading CISO along the way. - How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISO's would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director type roles?- Many CISO's and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar? - I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board level and advisory roles? What skillsets and expertise should they be focused on the most?

- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so?- It's now been a couple of years since the major fall out of notable incidents such as SolarWinds and Log4j, do you feel like the industry is making headway in addressing software supply chain threats?- For organizations either just starting or looking to mature their software supply chain maturity, where are some key areas you recommend organizations focus their attention?- We have a complex landscape from extensive use of open source, SaaS and Cloud providers, partners and third parties, how have you seen firms successfully handle this complexity when it comes to activities such as incident response? - There's a bit of a heated debate in the industry underway on point products vs. platforms. I know Checkmarx has a comprehensive AppSec platform. How do you view this debate, and do you think we will always have and see the need for point products, best of breed and comprehensive platforms in the industry?- You spend a fair bit of time focused on SSCS research, how does your team approach these activities and sharing the insights with the community?- Checkmarx shares a tremendous amount of informative and insightful research around SSCS. Where can folks learn more and what are some of the interesting projects you all are currently working on?

- First off, for folks not familiar with your backgrounds, can you please each tell us a bit about yourselves?- Let's set the table a bit, what is software liability and what is driving the increased calls for it? For example the recently released National Cyber Strategy, and commentary by U.S. leaders such as from CISA's Jen Easterly- What are some examples the software industry can pull from to try and establish a foundational liability regime?- What are some of the unique challenges that make software a nuanced domain to try and implement something like this in, compared to some other industries?- Jim - you recently wrote a paper about "establishing the floor", can you elaborate on that for us a bit? How about you Chinmayi, any thoughts?- Some of have of course exclaimed something like this could/would kill innovation and have major economic consequences, or lead to "ambulance chasing" type behavior pursuing litigation as a weapon against vendors. What do you think about that? - Chinmayi - you had a paper titled "A Bug in the Software Liability Debate", where you talked about challenges of defining a duty of care, can you elaborate, and dealing with unknown vulnerabilities. Can you expand on that a bit?Jim - You've talked about focusing on the outcomes/product, not the process, why do you think that's important?- Another equally critical part of the conversation is Safe Harbor, that is protections for those who due perform the duty of care or act responsible. Can you touch on that topic, and each give your thoughts on what that may look like if it were to take shape?

- First, please tell us a bit about your background and how you got into the role you are now in your career? What drew you to the marketing side of cybersecurity?- I have to be honest, many in the cyber practitioner community often bemoan cyber marketers, often citing poor tactics or interactions. What do you think has contributed to this systemic feeling and how do you think we get past it?- You've talked about how there is a lot of trash marketing out there and its a threat to national security, and the need to become more cyber literate as an industry, and civilians as well. Let's hear your take on that!- What differentiates a "good" cybersecurity marketer? - How do you find yourself effectively working with product teams, and bridging the gap between the deeply technical engineering and development types and the broader cyber business community, and activities such as sales and GTM?- I feel there is a lot cyber practitioners, including CISO's could learn from cyber marketers. For example, we often hear about the need for soft skills in cyber, things like communication, story telling, relationship building, empathy and more. What do you think about that, and what lessons can practitioners, including CISO's learn from our marketing peers?