Resilient Cyber

- First off, tell us a bit about your background and how you got to where you are now in your career- What led you to write the book? Tell us a bit about the process and the experience so far, given you didn't take a traditional route with a standard publisher etc- Your book is broken into different sections, such as security as an industry, understanding the ecosystem and trends shaping the future of cyber. Lets dive into some of those- You talk about how Cyber is horizontal, not vertical and the role of trust. Can you elaborate on that and how it makes our field unique?- You talk extensively about the role of capital, the different types of capital/investors and how it prevents cyber companies from failing at standard rates, or avoiding natural selection as you call it. I suspect this contributes to what some perceive as having "too many security vendors". Do you think that's the case, and is there any merit to the too many vendors argument?- You dive deep into the role of industry analysts, how they impact purchasing decisions especially among large established firms and organizations. Do you think industry analyst firms have the same impact as they did a decade ago? What impact do you think social media, and "influencers" and practitioners themselves being more vocal about products, tools and methodologies is having?- One topic you speak about that I really enjoy is moving from promise based to evidence based security. You talk about outcomes over promises and buzzwords, but we also know it is hard to quickly determine if a tool or vendor keeps promises, and it isn't only on tools, there are resources, staffing, internal expertise and bandwidth that all play a part. Can we delve into that topic a bit?- Do you think security practitioners being more involved in the buying process is also driving change?- Let's pivot a bit to founders. You have produced incredible pieces of the founder ecosystem, pioneer firms who led the way, the role of large publicly traded cyber firms and the role of networks among military, Israeli and repeat founders. It feels like the old saying success begets more success. Do you think there's lessons from these pioneer and repeat founders that some new founders neglect and are there opportunities for new founders to disrupt the way things worked in the past?- You also stress the need to validate problems before going all in on a company focus and product. This is one I am passionate about, as often cyber feels like a hammer looking for a nail. You discuss how problems experienced among the cyber "1%" such as silicon valley and cloud-native startups are much different than big enterprise firms, but the latter is where the money is. I assume it is tempting to focus on the sexy and shiny issues but not realize it's not always where the money is?- Looking to the future, you discuss the convergence of software and engineering with security, with the push to everything become as-Code, the adoption of DevOps, now DevSecOps and the Cloud of course. What do you think security practitioners of the future look like in terms of key differences from today?- I personally think it is very important for security practitioners to step back and actually understand the ecosystem they operate in, as it is easy to get caught up in a specific product, platform, or cyber role and lose the bigger picture. Your articles are among the best on this topic in my opinion, especially for products, vendors, capital and more. What advice do you have for security practitioners when it comes to needing to better understand the broader aspects of the ecosystem they operate in?

- For folks not tracking, let's level set a bit, what exactly is NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two?- Are there notable events that led the DoD to pursue CMMC, building on the history of 171?- Obviously the introduction of the 3PAO aspect brings more rigor than previously existed with self-assessments. Many in industry have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry (myself included). What are your thoughts on the potential to impact the DoD supplier base and lead to further consolidation?- Many DIB suppliers are of course SMB's who rely on CSP's and MSP's to meet these requirements, or conduct their daily operations, leveraging various external parties. How does CMMC handle entities like CSP's and MSPs?- There was recently a memo from the DoD CIO clarifying some language around "FedRAMP equivalency" for DFARS 7012. First off, what is 7012, how does it tie to 171 and CMMC and what did the DoD CIO memo essentially say?- Most SMB's in the DIB lack internal cyber expertise and resources, and of course this has led to a booming industry of 171/CMMC consultants and 3PAO's. What are your thoughts on that growing ecosystem and how do SMB's ensure they're working with the right advisors and assessors?- What are some of the details on the timelines and rollout of the finalized CMMC rule? When and how should folks be preparing?- Many of course are quick to claim "compliance isn't security" when discussing stuff like 171 and CMMC. What's your initial reaction to those claims, and how do we help folks understand that industry will not just voluntarily spend and focus on security requirements without being required to do so?- CMMC of course has a ConMon aspect, right now that is does via annual self-assessments/reporting as I understand it. What do you think CMMC gets right on this front, and what could be done better?

- You've been heavily involved in the AI dialogue in the industry as it has heated up, how did you get your start specializing in software security and most notably AI?- AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use?- We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical for Governments to act so quickly on this emerging technology, especially when Government is historically reactionary and slow to adapt?- What are some of the key considerations that must be kept in mind to help securely govern and regulate AI without hindering innovation and economic prosperity and potential that AI may bring?- You're involved in efforts such as the OWASP AI Exchange, can you tell usa bit about that effort, how it came about and how practitioners can learn from and leverage it?- Compliance can be cumbersome with many overlapping and often duplicative compliance frameworks that industry has to wrestle with. You've been working on an effort dubbed "OpenCRE" can you tell us a bit about that and what the goals are?

- Tell us a bit about your cybersecurity journey, you've held a variety of roles with FFRDC's and industry- You've been talking a good bit about the latest Secure-by-Design push, what do you make of this push? I know you've raised concerns about needing to do some research to determine the effectiveness of these "secure" SDLC's- AI and ML are everywhere we turn in the cyber industry discussions. You've been speaking about the role of ML in cyber detection for example going back several years. There's a lot of focus on the risks of AI, but what do you think about the promise of AI and ML to help with defending organizations and agencies?- I know you've been discussing threat informed defense and even took a swing at NIST 800-53/FedRAMP and its relevance. Can you elaborate on this, and how you think we're getting it wrong as an industry with regard to compliance and security?- You recently had awesome comments about the risks in public cloud attack surfaces and implications for national security, let's dive into that one, give us some thoughts on this front?- We're heading into 2024, so let me ask, what are some of your top predictions we may see in cybersecurity over the next year?

- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career wise- What are some of the key differences with cloud-native security?- There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?- This also infers there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?- There's a lot of focus of course on shifting security left, and CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?- Can you tell us a bit about Aqua Security, what you all do and what makes you unique from some of the other platform providers and security companies out there?- What does the term "cyber resilience" mean to you?

Nikki -  Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations - was there a singular event that spurred your interest? Chris - What are your thoughts around Guardrails in the cloud and using things such as event based detections?Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been and do you think having the practitioner background helps you be a more effective Product Manager and leader?Nikki - There's a lot of talk around DataOps and SecOps - we're really seeing a bridging of fields and concepts to bring teams together. I wanted to talk a little bit about the human element here - do you see more of these blending of fields/disciplines?Chris - I know you've taken a new role recently with Monad, which focuses on Security Data Lake. What made you interested in this role and why do you think we're seeing the focus on Security Data Lakes in the industry so much? Nikki -  What are some of the emerging trends you see in cyber attacks against cloud? What should people be most concerned with and focus on first when it comes to cloud security? Chris - You also lead the Cyber Pulse newsletter, which I read and strongly recommend for news and market trends. What made you start the newsletter and have you found it helps keep you sharp due to needing to stay on top of relevant topics and trends?Nikki -  What does cyber resiliency mean to you?

Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt? Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two? Nikki - What got you interested in research? I'm always curious because there is such a niche space within cybersecurity and I love meeting other researchers. How do you think cyber benefits from research and vice versa?Chris - You also recently had some content regarding doing a deep dive into Nation State threats. We're increasingly seeing cyber play a part in nation state conflicts, why do you think that is, and can you touch on how this plays into regulatory fallout as well?  Nikki - I want to talk about your blog post about "The Blob" - you talk about how people use some similar terminology and language (false messaging) to steer the conversation in security tooling. Can you talk a little bit more about this concept and what you think it means to the industry? Chris - You have been having conversations about Detection Engineering. Can you talk about how it is different from legacy/traditional SecOps and what the future of Detection Engineering and Detections-as-Code looks like? Nikki -  What does cyber resiliency mean to you?

- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM?- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both?- TPRM often involves manual subjective lengthy questionnaires that we are all painfully familiar with. How effective do you think these are and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire type activities?- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensuring all of their 3rd and nth tier suppliers are, is this a gordian knot type situation?- What are your thoughts on first party self-attestations vs 3rd party assessments? Each has its pros and cons and challenges. - The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?

Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit with us and your thoughts on it?Chris: I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in-line with a push for security to be more tightly coupled with and speak the language of the business.Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance and what should organizations know about setting up complex logging environments? Chris: As we continue to watch the security data space evolve I know you've been championing the concept of, and even have written extensively about the term "SecDataOps". What is this exactly, and why do you feel like it is the time to have the industry move this direction?Chris: We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework and what are the challenges of not doing so? Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two part question - what got you interested in taking on an advisory role and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level?  Nikki - What does cyber resiliency mean to you?

The podcast discusses the importance of visualizations in vulnerability management and how they help non-technical individuals understand the need for vulnerability management. It also explores the process of selecting vulnerabilities for the CAV list and the challenges faced by CISA. The significance of leveraging commercial threat intelligence, prioritizing vulnerabilities, and managing vulnerability backlogs is highlighted. The speaker shares their journey in the cybersecurity field and emphasizes the importance of addressing cyber resilience.