
Resilient Cyber

Latest episodes

Apr 28, 2023 • 37min

S4E15: Tom Pace - Firmware, IoT and Cyber Physical Systems (CPS)

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?
Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. At NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?
Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and look into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing?
Nikki: You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices?
Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?
Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVEs but components identified in its SBOM do?
Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber, and has your military experience served you in any way as you have gone on into industry cyber roles and now as a CEO?
Nikki: You have such great experience, from threat hunting and incident response to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for other practitioners out there that may be interested in starting their own organization?
Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out?
Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?
Apr 21, 2023 • 34min

S4E14: Josh Reiter - U.S. Navy Workforce and Cyber Superiority

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?
Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession?
Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN. In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked?
Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if they may be limiting the talent pool.
Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time.
Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?
Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?
Nikki: I have the opportunity to teach my kids, but what about all the other children without parents in cybersecurity?
Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry?
Chris: We know there are rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two?
Nikki: What does cyber resiliency mean to you?
Apr 14, 2023 • 27min

S4E13: Chris Kulakowski - Threat Hunting & Detection Engineering

Apr 7, 2023 • 24min

S4E12: Kristin Saling - U.S. Army Workforce Modernization & Analytics

Nikki - First, tell me a little bit about yourself and your background.
Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR?
Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to making all of these transformation efforts successful?
Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge, and do you think we're making any headway there?
Nikki - One of your previous roles was Deputy Director of People Analytics. I've not heard much about this role before and I'm interested in what that type of position entails and what it means to the people in an organization.
Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams?
Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts. What are your thoughts on the role AI is and will be playing in your area of expertise?
Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails?
Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and how it could free up some cycles to focus on the people and their wellbeing.
Nikki - Can you talk about some of the other innovation in the HR space?
Mar 31, 2023 • 37min

S4E11: John Speed Meyers - Data Science & Software Supply Chain Security

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?
Chris: You have done a lot of research into software supply chain security, and of course SBOMs. In one recent study you took a look at the quality of SBOMs in the OSS ecosystem, compared to, say, the NTIA-defined minimum elements for SBOM. Can you tell us a bit about the study and the implications of the findings?
Chris: In addition to SBOM, we're seeing the emergence of VEX. Can you speak a bit about its importance?
Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow", but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?
Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?
Mar 27, 2023 • 30min

S4E10: Lily Zeleke - DoD Cloud & Software Modernization

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and career.
Chris: We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC bringing to the DoD cloud landscape and cloud adoption journey?
Nikki: There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOMs and challenges of that nature?
Chris: We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?
Nikki: We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?
Nikki: I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long-standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to seeing successful cloud adoption and software modernization?
Chris: Being a longtime Federal and DoD Cyber professional, I have to bring up the topic of compliance, RMF and ATOs in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?
Mar 24, 2023 • 28min

S4E9: Resilient Cyber Show w/ Day Johnson

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security?
Nikki - I see you do a lot of work in Cybersecurity and cloud education. Do you feel like we have better tools and resources today than a few years ago? Or too many resources?
Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering, can you tell us a bit about it and the role it plays in Cloud Security?
Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that, and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals?
Nikki - What would you recommend for anyone getting started in the cloud, moving from on-premises or data centers? What should they do first?
Nikki - What do you think is next for cloud? I see so many debates in the industry and it seems like there's a trend towards creating systems on-prem versus in the cloud.
Chris - I know in addition to your professional role you're a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path?
Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?
Mar 10, 2023 • 45min

S4E8: Jim Dempsey - Cyber Policy & Regulation

Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYDFS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law?
Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity onto the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobiles.
Chris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense that it isn't tangible or kinetic and can be very opaque. What impact do you think those characteristics have on trying to regulate it like we have done with other industries?
Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much?
Chris - Many started to raise questions such as who will define "secure", who will validate or verify it and how, and where the line of responsibility lies between the software supplier and consumer. Any thoughts on these topics and questions?
Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think we balance regulation without stifling innovation in the tech industry?
Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations?
Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services, and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim, that these sorts of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and whether it is worth the trade-off?
Chris - Many compliance and regulatory schemes take one of two approaches. The first is a self-attested model where entities self-attest their compliance, as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a 3rd party verifies compliance, such as in FedRAMP. Each of these models has drawbacks, such as less-than-truthful or inaccurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to, say, the National Cyber Strategy, liability and so on?
Mar 4, 2023 • 42min

S4E7: Jeff Williams - DevSecOps and Application Security (AppSec)

Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic?
Nikki: I saw you spoke to Ron Ross recently; we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners?
Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over, say, SAST and DAST?
Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where we're headed on this front as an industry?
Chris: With the release of the National Cyber Strategy yesterday, I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy, and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability.
Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP Top Ten, but there are so many free resources and tools available for developers and security professionals.
Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership?
Nikki: Can you talk a little bit more about Contrast Security and the type of work you all do? We would like to hear more about what the company has going on and anything else you may have coming up.
Chris: Continuing on with Contrast, I am interested in the founder's journey a bit. Contrast has been around for nearly a decade and is now up to several hundred employees. What has that journey been like and what are some of the major ways the industry has, or hasn't, changed during that time?
Feb 24, 2023 • 39min

S4E6: Matt Cronin - Cyber Law & National Cyber Strategy

Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law?
Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus, say, an authoritarian regime or nation?
Chris: I know you have a background with the DoJ and U.S. Attorney's office. Are there some challenges with, say, cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on?
Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination?
Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents. Are there any historical parallels to what we are dealing with today? Do you think we'll ever get out of it?
Nikki: What do you think major attacks like ransomware in healthcare, and even in local and state governments and schools, are doing to shape cyber legislation?
Nikki: If you could give one message to the American people about how we will address this challenge, what would it be?
Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. To the extent you're able to share, there's been a lot of buzz and rumors about an increased call for regulation. Do you have any thoughts on that front?
Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society?
Nikki: Do you see more legislation potentially coming in the future around security governance and compliance?
Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?
