Michael McLaughlin

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no?- In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you expand on that and the challenges with addressing it, particularly in the cloud?- There's fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?- The Defense Industrial Base (DIB) is often called the "soft under belly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMB's and further constraining the diversity and resiliency of a DIB supplier base?- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some, even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout?- Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy. Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even of the DoD and national security. How do go about better informing and engaging the citizenry on this front?- Another aspect you touch on, is that this isn't just a technical issue, but there's efforts such as misinformation and such to degrade trust in our institutions, sow resentment and stoke flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this? - What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no? - In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you expand on that and the challenges with addressing it, particularly in the cloud? - There's fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now? - The Defense Industrial Base (DIB) is often called the "soft under belly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMB's and further constraining the diversity and resiliency of a DIB supplier base? - On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some, even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout? - Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm? - You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy. Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even of the DoD and national security. How do go about better informing and engaging the citizenry on this front? - Another aspect you touch on, is that this isn't just a technical issue, but there's efforts such as misinformation and such to degrade trust in our institutions, sow resentment and stoke flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?

S4E24: Michael McLaughlin & Bill Holstein - Battlefield Cyber

Nikki -  In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have their been any benefits you've seen in academia that you've brought to the military space, or vice versa? Nikki -  We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment? Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020?Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?Nikki -  We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area? Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space? Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?Nikki -  Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?6. What does cyber resiliency mean to you

Nikki -  In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have their been any benefits you've seen in academia that you've brought to the military space, or vice versa?  Nikki -  We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment?  Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020? Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently? Nikki -  We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area?  Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space?  Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm? Nikki -  Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?6. What does cyber resiliency mean to you

S4E23: Michael Klipstein - Cybersecurity from Sea to Space

You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey? Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment? We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF?You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved? Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle to what to work on first. Where do software teams start? Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?What does cyber resiliency mean to you?

You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey?  Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment?  We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish? OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF? You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved?  Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle to what to work on first. Where do software teams start?  Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations? What does cyber resiliency mean to you?

S4E22: Omkhar Arasaratnam - OSS and OpenSSF

Kelly Shortridge

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago? Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people here 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out and have your views been met with defensiveness among some who hold those views? Nikki - One of my favorite parts of chaos engineering is the hyptohesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach? Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it? Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago?  Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering? Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people here 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure? Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out and have your views been met with defensiveness among some who hold those views?  Nikki - One of my favorite parts of chaos engineering is the hyptohesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach?  Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?

S4E21: Kelly Shortridge - Security Chaos Engineering & Resilience

Craig McLuckie

- First off, can you each tell us a bit about your backgrounds and experience in the space?- What made you all decide to found Stacklok, what gaps and opportunities in the ecosystem did you see?- What are your thoughts around the industry's response to software supply chain security and how do you see things such as OSS and Sigstore playing a role?- While we've seen tremendous adoption of OSS and for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support etc. How do organizations balance these concerns while still taking advantage of OSS?- No software supply chain security discussions would be complete without touching on SBOM, which has gotten a lot of industry attention on the topics. What are each of your thoughts on SBOM?- Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it is and will have on software supply chain and cyber?

- First off, can you each tell us a bit about your backgrounds and experience in the space? - What made you all decide to found Stacklok, what gaps and opportunities in the ecosystem did you see? - What are your thoughts around the industry's response to software supply chain security and how do you see things such as OSS and Sigstore playing a role? - While we've seen tremendous adoption of OSS and for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support etc. How do organizations balance these concerns while still taking advantage of OSS? - No software supply chain security discussions would be complete without touching on SBOM, which has gotten a lot of industry attention on the topics. What are each of your thoughts on SBOM? - Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it is and will have on software supply chain and cyber?

S4E20: Luke Hinds & Craig McLuckie - The Founders Journey & Software Supply Chain Security

Mark Montgomery

Nikki - What does cyber resiliency mean to you?Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission or CSC, in particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment? Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we're headed as a nation on the Cyber front and do you think we could be doing more, and if so, what in particular?Chris - I recently saw you made comments regarding Cloud Service Providers (CSP) and their lack of being designated as critical infrastructure I believe. I have seen similar comments from the OCND, due to how critical CSP's, especially major IaaS providers are to the nation. Why do you think they have avoided this designation as long as they have?Nikki - There are a lot of us in cybersecurity that got into it to help defend our nation and protect our country (myself included). Are there ways that other cyber defenders or technical professionals can get involved or any resources you would recommend? Nikki - I don't see a ton in legislature or in the Executive Order about the human element behind cybersecurity and our challenges with risk management. Do you foresee any legislation or anything that may come out around how to protect our users and even our security practitioners? Chris - I mentioned the NCS earlier, a big part of that was shifting market forces, the idea of software liability and also safe harbor. What are your thoughts on this topic?Chris - CISA recently released "Secure-by-Design/Default" guidance for software suppliers and manufacturers. I wrote an article recently tracing the advocacy for "secure by design" back 50 years to the Ware Report. Yet here we are, still advocating for the same concepts. What do you think it will take for this to become a requirement rather than a recommendation and how important is this paradigm shift for national security?

Nikki - What does cyber resiliency mean to you? Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission or CSC, in particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment?  Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we're headed as a nation on the Cyber front and do you think we could be doing more, and if so, what in particular? Chris - I recently saw you made comments regarding Cloud Service Providers (CSP) and their lack of being designated as critical infrastructure I believe. I have seen similar comments from the OCND, due to how critical CSP's, especially major IaaS providers are to the nation. Why do you think they have avoided this designation as long as they have? Nikki - There are a lot of us in cybersecurity that got into it to help defend our nation and protect our country (myself included). Are there ways that other cyber defenders or technical professionals can get involved or any resources you would recommend?  Nikki - I don't see a ton in legislature or in the Executive Order about the human element behind cybersecurity and our challenges with risk management. Do you foresee any legislation or anything that may come out around how to protect our users and even our security practitioners?  Chris - I mentioned the NCS earlier, a big part of that was shifting market forces, the idea of software liability and also safe harbor. What are your thoughts on this topic? Chris - CISA recently released "Secure-by-Design/Default" guidance for software suppliers and manufacturers. I wrote an article recently tracing the advocacy for "secure by design" back 50 years to the Ware Report. Yet here we are, still advocating for the same concepts. What do you think it will take for this to become a requirement rather than a recommendation and how important is this paradigm shift for national security?

S4E19: Mark Montgomery - Securing the Digital Democracy

Nikki - You're a newly minted CISO and SES - how's it going? How have the first few months been in the role?  Nikki - With your background in both Academia as an Adjunct Professor and with your cyber and executive leadership experience - how important would you say the intersection of academia, research, and leadership go? Chris - We know you're a big proponent in servant leadership. What does being a Servant Leader in Cybersecurity and more broadly in general mean to you?Chris - We have been discussing soft skills lately with various guests. Why do you feel like soft skills are so often neglected, yet so critical to being a effective leader?Nikki - As someone who is relatively new to a CISO role - what surprised you about the role? Were there any challenges or anything that came up initially that was surprisingly good?  Nikki - What experience do you recommend for anyone who's looking to move into a cyber manager or CISO leadership role at an organization? Any books or references your recommend for anyone around leadership? Chris - As we look at the Federal Cyber landscape, there is a lot of efforts under way from the EO, OMB Memos, Zero Trust, Software Supply Chain and the list goes on. How do you calibrate your focus in your new role?Nikki -  We've seen a lot in the news around the National Cyber Strategy and other federal legislation potentially in the works. Are you seeing things like Zero Trust and Software Supply Chain security being top of mind? Or are you more worried about things like ChatGPT potentially being used by the Government?

Nikki - You're a newly minted CISO and SES - how's it going? How have the first few months been in the role?   Nikki - With your background in both Academia as an Adjunct Professor and with your cyber and executive leadership experience - how important would you say the intersection of academia, research, and leadership go?  Chris - We know you're a big proponent in servant leadership. What does being a Servant Leader in Cybersecurity and more broadly in general mean to you? Chris - We have been discussing soft skills lately with various guests. Why do you feel like soft skills are so often neglected, yet so critical to being a effective leader? Nikki - As someone who is relatively new to a CISO role - what surprised you about the role? Were there any challenges or anything that came up initially that was surprisingly good?   Nikki - What experience do you recommend for anyone who's looking to move into a cyber manager or CISO leadership role at an organization? Any books or references your recommend for anyone around leadership?  Chris - As we look at the Federal Cyber landscape, there is a lot of efforts under way from the EO, OMB Memos, Zero Trust, Software Supply Chain and the list goes on. How do you calibrate your focus in your new role? Nikki -  We've seen a lot in the news around the National Cyber Strategy and other federal legislation potentially in the works. Are you seeing things like Zero Trust and Software Supply Chain security being top of mind? Or are you more worried about things like ChatGPT potentially being used by the Government?

S4E18: Joseph Lewis - Cybersecurity & Servant Leadership

Chris - To set the stage for the discussion of vulnerability management, Rezilion recently had a report that found that organizations had over 100,000 backlogged vulnerabilities. Why do you think things have gotten so bad?Chris - Leaders also stated that they are able to patch less than half of that backlog, thousands of vulnerabilities never get addressed. Doesn't this create a situation ripe for malicious actors to exploit?Nikki - You have a background in both data science and security research - where do you feel like the intersection of both of these areas meets? Do you feel like we need more data science experience in cybersecurity?  Nikki - Vulnerability management - my favorite topic. Why do you think people are just now starting to bring back up vuln mgmt? It seems like it's been almost 10 years since I've seen substantial research and guidance in this area. Nikki - Security research is seen in two distinct ways - in both the vulnerability identification and in academia - but both are looking at different problems and solving in different ways. Where can the two sides of the coin come together and benefit from sharing research? Chris - On the topic of vulnerability prioritization, organizations seem to be struggling. We know going simply based off of CVSS isn't wise, what are some prioritization tactics organizations can take to address vulnerabilities that pose the most risk in that massive backlog we discussed earlier?Chris - We know that less than 1-2% of CVE's are generally exploited by malicious actors, and while that number may sound small, as the number of published vulnerabilities grow, that 1-2% represents more and more exploitable vulnerabilities. What do you think is driving the growth of CVE's, from a few thousand in the 1990s to over 190,000 now?Nikki - What are the top 3 trends you're seeing in vulnerability management and identifying vulnerabilities? What should we be most concerned with? Nikki -  What does cyber resilience mean to you?

Chris - To set the stage for the discussion of vulnerability management, Rezilion recently had a report that found that organizations had over 100,000 backlogged vulnerabilities. Why do you think things have gotten so bad? Chris - Leaders also stated that they are able to patch less than half of that backlog, thousands of vulnerabilities never get addressed. Doesn't this create a situation ripe for malicious actors to exploit? Nikki - You have a background in both data science and security research - where do you feel like the intersection of both of these areas meets? Do you feel like we need more data science experience in cybersecurity?   Nikki - Vulnerability management - my favorite topic. Why do you think people are just now starting to bring back up vuln mgmt? It seems like it's been almost 10 years since I've seen substantial research and guidance in this area.  Nikki - Security research is seen in two distinct ways - in both the vulnerability identification and in academia - but both are looking at different problems and solving in different ways. Where can the two sides of the coin come together and benefit from sharing research?  Chris - On the topic of vulnerability prioritization, organizations seem to be struggling. We know going simply based off of CVSS isn't wise, what are some prioritization tactics organizations can take to address vulnerabilities that pose the most risk in that massive backlog we discussed earlier? Chris - We know that less than 1-2% of CVE's are generally exploited by malicious actors, and while that number may sound small, as the number of published vulnerabilities grow, that 1-2% represents more and more exploitable vulnerabilities. What do you think is driving the growth of CVE's, from a few thousand in the 1990s to over 190,000 now? Nikki - What are the top 3 trends you're seeing in vulnerability management and identifying vulnerabilities? What should we be most concerned with?  Nikki -  What does cyber resilience mean to you?

S4E17: Yotam Perkal - Vulnerability Management and Modernization

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?Chris - SaaS obviously involves a lot of third-party integrations. What are the risks o f these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?Nikki -  Chris and I have talked a lot about software security, SBOM's, and what does open source security look like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain?Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations?  Nikki -  When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations? Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc?Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks? Nikki -  I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits?  Nikki -  What does cyber resilience mean to you?

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive? Chris - SaaS obviously involves a lot of third-party integrations. What are the risks o f these ungoverned integrations and can they have a cascading impact if one of the providers has an incident? Nikki -  Chris and I have talked a lot about software security, SBOM's, and what does open source security look like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain? Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations?   Nikki -  When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations?  Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc? Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks?  Nikki -  I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits?   Nikki -  What does cyber resilience mean to you?

S4E16: Alfredo Hickman - SaaS Security & Third-Party Risk Management

Tom Pace

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. at NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and looking into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing? Nikki:You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices? Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVE's but components identified in its SBOM do?Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I recently walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have went on to go into industry cyber roles and now as a CEO?Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization? Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out? Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on? Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. at NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors? Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and looking into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing?  Nikki:You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices?  Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so? Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVE's but components identified in its SBOM do? Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I recently walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have went on to go into industry cyber roles and now as a CEO? Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization?  Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out?  Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?

S4E15: Tom Pace - Firmware, IoT and Cyber Physical Systems (CPS)

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession? Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN.  In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked? Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool  Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity?  Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry? Chris: We know there's rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two? Nikki: What does cyber resiliency mean to you?

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does? Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession?  Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN.  In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked?  Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool   Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time  Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity? Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail? Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity?   Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry?  Chris: We know there's rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two?  Nikki: What does cyber resiliency mean to you?

S4E14: Josh Reiter - U.S. Navy Workforce and Cyber Superiority

S4E13: Chris Kulakowski - Threat Hunting & Detection Engineering

Kristin Saling

Nikki - First - tell me a little bit about yourself and your background  Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR? Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there? Nikki - One of your previous roles was Deputy Director of People Analytics, I've not heard much about this role before and I'm interested what that type of position entails and what that means to the people in an organization? Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams? Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise?Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails? Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing. Nikki - Can you talk about some of the other innovation in the HR space?

Nikki - First - tell me a little bit about yourself and your background   Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR?  Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful  Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there?  Nikki - One of your previous roles was Deputy Director of People Analytics, I've not heard much about this role before and I'm interested what that type of position entails and what that means to the people in an organization?  Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams?  Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise? Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails?  Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing.  Nikki - Can you talk about some of the other innovation in the HR space?

S4E12: Kristin Saling - U.S. Army Workforce Modernization & Analytics

John Speed

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?Chris: You have done a lot of research into software supply chain security, and of course SBOM's. One recent study you took a look at the quality of SBOM's in the OSS ecosystem, compared to say the NTIA defined minimum elements for SBOM. Can you tell us a bit about the study and implications of the findings?Chris: In addition to SBOM, we're seeing the emergence of VEX, can you speak a bit about its importance?Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow" but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway? Chris: You have done a lot of research into software supply chain security, and of course SBOM's. One recent study you took a look at the quality of SBOM's in the OSS ecosystem, compared to say the NTIA defined minimum elements for SBOM. Can you tell us a bit about the study and implications of the findings? Chris: In addition to SBOM, we're seeing the emergence of VEX, can you speak a bit about its importance? Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow" but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS? Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?

S4E11: John Speed Meyers - Data Science & Software Supply Chain Security

Lily Zeleke

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and careerChris: - We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?Nikki: - There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOM's and challenges of that nature?Chris: - We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?Nikki - We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?Nikki - I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to see successful cloud adoption and software modernization?Chris - Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATO's in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and career Chris: - We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey? Nikki: - There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOM's and challenges of that nature? Chris: - We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities? Nikki - We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts? Nikki - I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to see successful cloud adoption and software modernization? Chris - Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATO's in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?

S4E10: Lily Zeleke - DoD Cloud & Software Modernization

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security? Nikki -  I see you do a lot of work Cybersecurity and cloud education, do you feel like we have better tools and resources today than a few years ago? Or too many resources? Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering can you tell us a bit about it and the role it plays in Cloud Security?Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals?Nikki -  What would you recommend for anyone getting started in the cloud, moving from on premises or data centers, what should they do first? Nikki - What do you think is next for cloud? I see so many debates in the industry and it seems like there's a trend towards creating systems on prem versus in the cloud.Chris - I know in addition to your professional role you've a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path?Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security?  Nikki -  I see you do a lot of work Cybersecurity and cloud education, do you feel like we have better tools and resources today than a few years ago? Or too many resources?  Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering can you tell us a bit about it and the role it plays in Cloud Security? Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals? Nikki -  What would you recommend for anyone getting started in the cloud, moving from on premises or data centers, what should they do first?  Nikki - What do you think is next for cloud? I see so many debates in the industry and it seems like there's a trend towards creating systems on prem versus in the cloud. Chris - I know in addition to your professional role you've a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path? Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?

S4E9: Resilient Cyber Show w/ Day Johnson

Jim Dempsey

Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYFDS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law? Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity on the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobilesChris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense it isn't tangible or kinetic, and can be very opaque, What impact do you think those characteristics have on trying to regulate it like we have done with other industries?Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much?Chris - Many started to raise questions such as who will define "secure", who and how will it be validated or verified, and where is the line of responsibility between the software supplier and consumer. Any thoughts on these topics and questions?Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think think we balance regulation without stifling innovation in the tech industry?Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations? Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim that these sort of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and if it is worth the trade off?Chris - Many compliance and regulatory schemes either take one of two approaches. The first being a self-attested model where entities self-attest their compliance, such as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a 3rd party verifies compliance, such as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to say the National Cyber Strategy, liability and so on?

Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYFDS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law?  Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity on the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobiles Chris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense it isn't tangible or kinetic, and can be very opaque, What impact do you think those characteristics have on trying to regulate it like we have done with other industries? Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much? Chris - Many started to raise questions such as who will define "secure", who and how will it be validated or verified, and where is the line of responsibility between the software supplier and consumer. Any thoughts on these topics and questions? Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think think we balance regulation without stifling innovation in the tech industry? Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations?  Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim that these sort of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and if it is worth the trade off? Chris - Many compliance and regulatory schemes either take one of two approaches. The first being a self-attested model where entities self-attest their compliance, such as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a 3rd party verifies compliance, such as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to say the National Cyber Strategy, liability and so on?

S4E8: Jim Dempsey - Cyber Policy & Regulation

Jeff Williams

Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic? Nikki: I saw you spoke to Ron Ross recently, we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners? Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over say SAST and DAST?Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where were headed on this front as an industry?Chris: With the release of the National Cyber Strategy yesterday I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability.Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP top ten, but there are so many free resources and tools available for developers and security professionals. Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership?Nikki: Can you talk a little bit more about Contrast security and the type of work you all do? Would like to hear more about what the company has going on and anything else you may have coming up.Chris: Continuing on with Contrast, I am interested in the founders journey a bit. Contrast has been around for nearly a decade and is now up to several hundreds of employees. What has that journey been like and what are some of the major ways the industry has, or hasn't changed during that time?

Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic?  Nikki: I saw you spoke to Ron Ross recently, we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners?  Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over say SAST and DAST? Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where were headed on this front as an industry? Chris: With the release of the National Cyber Strategy yesterday I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability. Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP top ten, but there are so many free resources and tools available for developers and security professionals.  Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership? Nikki: Can you talk a little bit more about Contrast security and the type of work you all do? Would like to hear more about what the company has going on and anything else you may have coming up. Chris: Continuing on with Contrast, I am interested in the founders journey a bit. Contrast has been around for nearly a decade and is now up to several hundreds of employees. What has that journey been like and what are some of the major ways the industry has, or hasn't changed during that time?

S4E7:Jeff Williams - DevSecOps and Application Security (AppSec)

Matt Cronin

Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law?Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus say an authoritative regime or nation?Chris: I know you have a background with the DoJ and U.S. Attorney's office, are there some challenges with say cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on? Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination?Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents.  Are there any historical parallels to what we are dealing with today?  Do you think we’ll ever get out of it? Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and school are doing to shape cyber legislation?Nikki: If you could give one message to the American people about how we will address this challenge, what would it be?Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. With the extent of what you're able to share, there's been a lot of buzz and rumors about an increased call for regulation, do you have any thoughts on that front?Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society?  Nikki: Do you see more legislation potentially coming in the future around security governance and compliance?Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?

Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law? Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus say an authoritative regime or nation? Chris: I know you have a background with the DoJ and U.S. Attorney's office, are there some challenges with say cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on?  Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination? Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents.  Are there any historical parallels to what we are dealing with today?  Do you think we’ll ever get out of it?  Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and school are doing to shape cyber legislation? Nikki: If you could give one message to the American people about how we will address this challenge, what would it be? Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. With the extent of what you're able to share, there's been a lot of buzz and rumors about an increased call for regulation, do you have any thoughts on that front? Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society?   Nikki: Do you see more legislation potentially coming in the future around security governance and compliance? Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?

S4E6: Matt Cronin - Cyber Law & National Cyber Strategy

Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity?Chris: I'm curious your perspective on how to help people build soft skills, much like technical skills, some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and finding dealing with people intimidating?Niki: I wanted to first talk about the Learning resources you have on your site - the softsideofcyber.com - I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future? Nikki: This may seem like a silly question - but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you and how have these skills aided you in your career? Nikki: What is the perfect balance of technical and 'soft skills' - do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role? Chris: You recently wrote an article on CSO online about unleashing the power of an effective security engineering team. While you did discuss technical skills you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career?Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena?Chris: What's next for the Soft Side of Cyber? What projects are you working on and what are you hoping to do with this in the next 6 months?Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?

Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity? Chris: I'm curious your perspective on how to help people build soft skills, much like technical skills, some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and finding dealing with people intimidating? Niki: I wanted to first talk about the Learning resources you have on your site - the <a href="https://www.google.com/url?q=http://softsideofcyber.com/&amp;sa=D&amp;source=calendar&amp;ust=1676640847967151&amp;usg=AOvVaw0kgtzu6wuMMOi7vmb9WTE4" rel="nofollow" target="_blank">softsideofcyber.com</a> - I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future?  Nikki: This may seem like a silly question - but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you and how have these skills aided you in your career?  Nikki: What is the perfect balance of technical and 'soft skills' - do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role?  Chris: You recently wrote an article on CSO online about unleashing the power of an effective security engineering team. While you did discuss technical skills you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career? Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena? Chris: What's next for the Soft Side of Cyber? What projects are you working on and what are you hoping to do with this in the next 6 months? Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?

S4E5: Robert Wood - The Soft Side of Cyber

Resilient Cyber

The best podcasts about ourselves as well as the world through the lense of Science. Specific topics include things about our brain, emotions to biology, physics and more!

Best Episodes on Science, Humans & The World

The best podcast episodes of the most interesting stories and things. From skyping someone while they're in space, to tracking down and meeting a telephone scammer in person, to the story of a Galapagos. These episodes will keep you and all your friends entertained and captivated for hours. Learn something new in every episode! Add episodes you're interested into your queue below!