
Resilient Cyber
Resilient Cyber brings listeners discussions with Cybersecurity and Information Technology (IT) Subject Matter Experts (SMEs) from the public and private sectors and from a variety of industries. As our society becomes increasingly digital, striving for a secure and resilient ecosystem is paramount.
Latest episodes

Mar 10, 2023 • 45min
S4E8: Jim Dempsey - Cyber Policy & Regulation
Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYDFS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law?
Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity onto the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobiles.
Chris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense that it isn't tangible or kinetic, and can be very opaque. What impact do you think those characteristics have on trying to regulate it like we have done with other industries?
Chris - The National Cyber Strategy also introduces the concept of software liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much?
Chris - Many started to raise questions such as who will define "secure", who and how will it be validated or verified, and where is the line of responsibility between the software supplier and consumer. Any thoughts on these topics and questions?
Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think we balance regulation without stifling innovation in the tech industry?
Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations?
Chris - I have worked on programs such as FedRAMP before, for federal cloud services, and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim, that these sorts of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and whether it is worth the trade-off?
Chris - Many compliance and regulatory schemes take one of two approaches. The first is a self-attested model where entities self-attest their compliance, as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a third party verifies compliance, as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to, say, the National Cyber Strategy, liability and so on?

Mar 4, 2023 • 42min
S4E7: Jeff Williams - DevSecOps and Application Security (AppSec)
Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic?
Nikki: I saw you spoke to Ron Ross recently; we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners?
Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over, say, SAST and DAST?
Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where we're headed on this front as an industry?
Chris: With the release of the National Cyber Strategy yesterday I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy, and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability.
Nikki: It looks like you had a pretty lengthy time with OWASP. Can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP Top Ten, but there are so many free resources and tools available for developers and security professionals.
Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership?
Nikki: Can you talk a little bit more about Contrast Security and the type of work you all do? I would like to hear more about what the company has going on and anything else you may have coming up.
Chris: Continuing on with Contrast, I am interested in the founder's journey a bit. Contrast has been around for nearly a decade and is now up to several hundred employees. What has that journey been like, and what are some of the major ways the industry has, or hasn't, changed during that time?

Feb 24, 2023 • 39min
S4E6: Matt Cronin - Cyber Law & National Cyber Strategy
Nikki: I saw you recently did a Cyber Jeopardy panel at the American Bar Association about cybersecurity and cyber law. Can you talk a little bit about the intersection of cybersecurity and law?
Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of cybersecurity in a democratic society versus, say, an authoritative regime or nation?
Chris: I know you have a background with the DoJ and U.S. Attorney's Office. Are there some challenges with, say, cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on?
Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs, but I haven't seen a ton of these groups working closely together. How can we build both programs in combination?
Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents. Are there any historical parallels to what we are dealing with today? Do you think we'll ever get out of it?
Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and schools are doing to shape cyber legislation?
Nikki: If you could give one message to the American people about how we will address this challenge, what would it be?
Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. To the extent you're able to share, there's been a lot of buzz and rumors about an increased call for regulation. Do you have any thoughts on that front?
Chris: Many have said that cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society?
Nikki: Do you see more legislation potentially coming in the future around security governance and compliance?
Nikki: I'm very fascinated by cybersecurity and law terminology. Do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?

Feb 12, 2023 • 35min
S4E5: Robert Wood - The Soft Side of Cyber
Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity?
Chris: I'm curious about your perspective on how to help people build soft skills, much like technical skills. Some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and find dealing with people intimidating?
Nikki: I wanted to first talk about the learning resources you have on your site, softsideofcyber.com. I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future?
Nikki: This may seem like a silly question, but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you and how have these skills aided you in your career?
Nikki: What is the perfect balance of technical and 'soft skills'? Do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role?
Chris: You recently wrote an article on CSO Online about unleashing the power of an effective security engineering team. While you did discuss technical skills, you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career?
Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena?
Chris: What's next for the Soft Side of Cyber? What projects are you working on and what are you hoping to do with this in the next 6 months?
Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?

Feb 3, 2023 • 37min
S4E4: Derek Fisher - The AppSec Handbook
Nikki: My first question is about your book, The Application Security Handbook. Who do you think most benefits from this type of book and why do you think they need it?
Nikki: What inspired you to write this? You have a ton of experience, from being a security architect, to working in an IAM group, to application security. I would imagine all of that expertise allows you to see application security through a unique lens.
Chris: In your book you touch on the dichotomy of shifting security left while minimizing friction between the Security and Development teams. This is a common challenge many security teams face. Can you elaborate on some of your recommendations on this front?
Chris: You also emphasize the role of security champions and democratizing security to some extent through this approach. What exactly is a security champion and how do organizations go about doing this?
Nikki: You mention threat modeling in your book. What do you think is the best place for application security programs to start when building in threat modeling? This is typically a higher level of maturity for programs and I'm curious at what time it's best to integrate threat modeling.
Chris: We're obviously seeing a big push for robust CI/CD pipeline tooling for security such as SAST, DAST, SCA, secrets scanning and so on. Of course, this tooling all produces noise. You lay out some strategies in the book on dealing with that. Can you touch on some of those here?
Chris: I would be remiss if I let you go without discussing Software Supply Chain Security and SBOMs. I know you touch on SCA, OSS and SBOMs in the book. Why do you think it is key for organizations to start including this in their AppSec programs?
Nikki: What do you think are the greatest concerns when building a mature application security program? What are the biggest impediments?
Nikki: What does cyber resiliency mean to you?

Jan 27, 2023 • 27min
S4E3: Dr. Nikki Robinson - Bridging the Gap with IT and Security
- Can you tell us a bit about the book, what made you want to write it and how you settled on this topic?
- Historically IT and Security have been at odds, often feeling like the other party is conflicting with their goals and responsibilities. Why do you think this is?
- Do you think the push for DevSecOps and breaking down silos between Security and Operations (and Development) has helped at all?
- Your book talks about emotional intelligence, empathy and non-technical traits. How critical do you think those are in this situation and why do they not get discussed enough?
- What methods do you think IT and Security teams can take to improve their relationships and drive towards a unified outlook and goals?
- What do you see as the biggest gaps on this topic as we move into the future?

Jan 15, 2023 • 26min
S4E2: Karen Scarfone - Secure Software Development & NIST
Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next?
Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that, how it came about after the Cyber EO, and your experience writing it?
Chris - We know OMB is now requiring federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far-reaching?
Chris - What do you think organizations neglect most when it comes to secure software development? Do you think the OMB memo will have a rising-tide impact on the ecosystem outside of government, like other frameworks such as CSF have?
Nikki - What are some of the most fun parts of your job? You've written so much incredible content, not just for the cybersecurity industry; so many SMBs and not-for-profits can use the NIST guidance as a place to build their cybersecurity programs.
Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use.
Chris - What are your thoughts around the attention as of late on software supply chain security, SBOMs and topics in that domain? Do you think we need more guidance and publications on this front?
Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about?
Nikki - What does cyber resiliency mean to you?

Jan 9, 2023 • 28min
S4E1: Stephen Carter - The Vulnerability Management Landscape
Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance.
Chris: How do you think things such as cloud, DevSecOps and shift-left security have changed vulnerability management?
Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? With more sophistication of attacks by malicious actors, we have to create more
Chris: Most of us know the Common Vulnerability Scoring System (CVSS), but many critique it, saying CVSS scores alone aren't enough to drive vulnerability prioritization. What role do you think things such as threat intelligence should play?
Chris: In addition to CVSS, CISA has recently been making a push to evangelize the Stakeholder-Specific Vulnerability Categorization (SSVC) guide. Can you tell us a bit about it and your thoughts about how it fits into the conversation on vulnerability scoring and prioritization?
Nikki: There is a renewed focus on exploitable vulnerabilities, with the Known Exploited Vulnerabilities catalog by CISA, as well as the EPSS, or Exploit Prediction Scoring System. Do you think we're headed in the right direction with helping to prioritize vulnerabilities and not just remediate everything?

Dec 16, 2022 • 46min
S3E28: Chris Hetner - Cyber, the Board and Regulations
Nikki - I wanted to start with the major explosion of ransomware and ransomware-as-a-service across all industries. This seems like a good starting point for why cybersecurity advisors belong in the boardroom. Do you think the sophistication and ease of purchase of ransomware should be part of the conversation to bring more cyber experts in?
Nikki - You made a post recently about the vast cybersecurity risk that APIs pose to organizations. API security has been top of mind given how prevalent they are and how useful they are to both administrators and developers. Do you think API security will become a more prevalent topic in the coming year?
Chris - It seems logical that boards should have cybersecurity expertise in the mix given how critical technology is to most modern businesses. Why do you think it has taken us this long?
Chris - What are some of the largest coming changes you think will drive this paradigm shift? I know groups like the SEC are pushing for organizations to disclose to what extent they have cyber expertise among the board.
Nikki - What can organizations do that may not have the budget or contacts in place to add cybersecurity expertise to their boards? Is there somewhere they can start?
Chris - I know you have recently spoken about the incident reporting timeline changes from the SEC and the need to provide insight into the "materiality" of a breach. For those unfamiliar with the term, what does it mean, and is the CISO even in a position to know this? If not, who is?
Chris - To flip it a bit from the board's perspective, for practitioners aspiring to fill this emerging need for cyber expertise in or among the board, where should folks begin? How do they position themselves as desirable candidates for these board opportunities?

Nov 28, 2022 • 33min
S3E27: Varun Badhwar - OSS Governance and Vulnerability Management
- Before we dive into the technical topics, you're a repeat founder, including some acquisitions of firms you've founded. Can you tell us a bit about that founder's journey and what leads you to creating organizations?
- Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic? Has it always been, or do you feel it is increasingly complex?
- One of the challenges organizations have around OSS use is OSS governance and software component inventory. Can you speak a bit about that challenge and how you are looking to solve it?
- A term thrown around a lot is "dependency hell", which is the term developers use for managing their often large dependency footprints when it comes to updates, patches, versioning and so on. How are you seeing this problem addressed?
- There's a lot of hype around SBOMs and VEX. What are your thoughts on SBOMs and how they fit into the conversation around securing the software supply chain?
- One issue with the increased transparency is development teams drowning in hundreds or thousands of vulnerabilities. As you know, this doesn't actually mean they are exploitable. How do we cut through that noise to drive down risk but also frustration?
- We talk a lot about CVEs and vulnerabilities and so on, but I know you recently shared research from Chinmayi Sharma, who I've interviewed, and she points out CVEs are just one potential risk of OSS dependencies. Any thoughts on leading indicators of risk, as they're often called?
- Moving forward, what are some things you are focusing on at Endor Labs, and where do you see us heading as an industry on this topic in, say, 2-3 years?
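Two of the episodes above circle the same practical problem: S4E1 asks what should drive prioritization beyond a CVSS score (KEV, EPSS, SSVC), and S3E27 asks how a team drowning in SBOM-derived findings cuts the noise when most of them are not exploitable (VEX). The script below is an added illustration of one way those pieces fit together; it is not code from the podcast, from any guest, or from any of the companies mentioned. Everything in it is constructed sample data: the CVE identifiers are placeholders of the form CVE-0000-NNNN, the package URLs are invented, and the KEV membership and EPSS probabilities are made up rather than pulled from CISA or FIRST. The VEX document follows the OpenVEX statement shape as I understand it (a vulnerability name, a list of product ids, a status); treat that layout and the EPSS threshold as assumptions of the example.

```python
"""Triage scanner findings: suppress VEX not_affected, then rank by KEV, EPSS, CVSS.

Added example with constructed data; see the lead-in for what is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str     # vulnerability identifier reported by the scanner (placeholder here)
    purl: str    # package URL of the SBOM component the finding is attached to
    cvss: float  # CVSS base score as reported by the scanner


# Constructed scanner output. Identifiers are placeholders, not real CVEs.
FINDINGS = [
    Finding("CVE-0000-0001", "pkg:maven/org.example/parser@1.2.0", 9.8),
    Finding("CVE-0000-0002", "pkg:npm/example-lib@4.1.0", 7.5),
    Finding("CVE-0000-0003", "pkg:pypi/example-tool@2.0.0", 5.3),
    Finding("CVE-0000-0004", "pkg:golang/example.org/mod@0.9.0", 9.1),
]

# Constructed VEX document, laid out the way OpenVEX statements look (assumption).
VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:maven/org.example/parser@1.2.0"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {
            "vulnerability": {"name": "CVE-0000-0004"},
            "products": [{"@id": "pkg:golang/example.org/mod@0.9.0"}],
            "status": "affected",
        },
    ],
}

# Constructed stand-ins for the KEV catalog and EPSS probabilities (made up).
KEV = {"CVE-0000-0002"}
EPSS = {
    "CVE-0000-0001": 0.95,
    "CVE-0000-0002": 0.91,
    "CVE-0000-0003": 0.40,
    "CVE-0000-0004": 0.02,
}

# Tiers in rank order. EPSS_THRESHOLD is a local policy knob, not an industry value.
TIERS = ("act", "schedule", "track")
EPSS_THRESHOLD = 0.10


def vex_suppressed(vex: dict) -> set[tuple[str, str]]:
    """Return (cve, purl) pairs the VEX document declares not_affected or fixed.

    Only those two statuses remove work; 'affected' and 'under_investigation'
    leave the finding in the queue. Suppression is keyed on the exact product
    id, so a statement about one component version never silences another.
    """
    out: set[tuple[str, str]] = set()
    for stmt in vex.get("statements", []):
        if stmt.get("status") not in ("not_affected", "fixed"):
            continue
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            out.add((cve, product["@id"]))
    return out


def tier(f: Finding, kev: set[str], epss: dict[str, float]) -> str:
    """Known exploitation beats predicted exploitation beats base severity."""
    if f.cve in kev:
        return "act"
    if epss.get(f.cve, 0.0) >= EPSS_THRESHOLD:
        return "schedule"
    return "track"


def prioritize(findings, vex, kev, epss) -> list[tuple[str, str, str]]:
    """Drop VEX-suppressed findings, then order the rest by tier, EPSS, CVSS."""
    suppressed = vex_suppressed(vex)
    live = [f for f in findings if (f.cve, f.purl) not in suppressed]
    ranked = sorted(
        live,
        key=lambda f: (TIERS.index(tier(f, kev, epss)),
                       -epss.get(f.cve, 0.0),
                       -f.cvss),
    )
    return [(tier(f, kev, epss), f.cve, f.purl) for f in ranked]


if __name__ == "__main__":
    for t, cve, purl in prioritize(FINDINGS, VEX, KEV, EPSS):
        print(f"{t:<9}{cve:<15}{purl}")
```

Run as-is, the 9.8 finding disappears on the supplier's VEX evidence and the 9.1 finding ends up at the bottom of the queue, while the 7.5 finding that is in the KEV stand-in comes first; that is the CVSS-alone critique from S4E1 made concrete. In a real pipeline the KEV and EPSS inputs come from their published feeds, the VEX document should be checked against the exact component versions in your SBOM before it is trusted, and suppressed findings are better recorded with their justification than deleted, so an audit can see why nothing was done.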