Resilient Cyber

- For those don't know your background or Nucleus Security, can you start by telling us a bit about both?- You have experience and a background in the Federal environment, and Nucleus recently achieved their FedRAMP authorization, can you tell us a bit about that process?- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience and where do you think innovative products and solutions can help?- Going broader, we have seen a recent uptick in the interest around VulnMgt, and looking to modernize the way we do things. What do you think is driving this recent focus on VulnMgt and what major innovations or disruptions in the space do you see underway?- What do you feel helps differentiate Nucleus Security from some of the other competitors we see in this space focusing on this problem?- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities, and repeated classes of vulnerabilities. What's your take on this push and do you see it being effective?

- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?- Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience?- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusing on?- The RAD security team emphasizes their fingerprint capability for Kubernetes workloads. Can you unpack that this is and how it differs from say signature based security tools and so on?- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and explosive growth of Kubernetes and Containerized workloads?- You all are big proponents of runtime security, a category that is getting increased attention latest in the security industry. Why do you think runtime is so critical, compared to say some other tools or products that may focus on different aspects of the SDLC or lean into "shifting left" for example?

- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks, can you touch on what some of those are?- We know Wiz just announced a massive capital raise and there's been talks about M&A plans for Wiz, I know you help with looking at potential products/firms - what are some key things you look at?- When you acquire a new product and team, how does it look to ensure there is a smooth integration with the Wiz team and platform?- There's a bit of debate in the industry around "platforms" and best of breed. How do you/Wiz think about this approach and how do you ensure as you add new products to the platform that you remain a leader in the space?- We've heard a lot of talk about AI and its implications both for improving security, but also needing to be secured, how do you and Wiz think of AI when it comes to cybersecurity and where do you see the most promise?

- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?- Some may be asking, what's the big deal, its just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?- One thing I noticed is the emphasize on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?

- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO?- What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?- Have you had to navigate working on versus in the business, and what has that looked like for you?- For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?- I know you're also very passionate about the veteran community in cyber, why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?

Can you each tell us a bit about your background, before we dive in?For those not in the DoD or familiar with the term, what is a “Software Factory”?What is BESPIN?What is the current state of mobile security within the DoD?Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on?Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?Since there are no official mobile requirements you kind of get a second mover advantage, how can you take lessons learned from the Cloud Computing SRGs and apply that to mobile? Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airman on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.

Experts discuss the drama around NVD and its impact on vulnerability management. They highlight concerns about lack of CVE enrichment and the grassroots effort to raise awareness. The podcast explores the underfunding and oversight of critical software ecosystem components. Future solutions from NIST/NVD, government, and industry are discussed to resolve the issue.

- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you? - How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdP's, as well as external environments such as SaaS and so on that they have identities and permissions tied to  - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain security - why do you think that is?- You all have published some innovative research around what you dubbed as the "SaaS Attack Matrix" can you tell us a bit about that research and how organizations can use it?  - You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us? - It's been said that the browser is the new OS, and I have seen you all say if that's the case, Push Security is the new EDR. Can you elaborate on that?  - I recently saw a headline from LinkedIn's own CISO Georgg Belknap that read "Push Security does for identity what Crowdstrike does for Endpoint". That's quite the endorsement and also catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?

- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry leading organizations such as Siemen's and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry leading CISO along the way. - How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISO's would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director type roles?- Many CISO's and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar? - I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board level and advisory roles? What skillsets and expertise should they be focused on the most?