
Resilient Cyber

Chris Hughes
www.buzzsprout.com

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

Episodes

S3E18: Jacques Chester - Vulnerability Scoring and Software Supply Chain

Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?
Chris: What are some of the most notable critiques of CVSS?
Nikki: I read your article "A Closer Look at CVSS Scores" and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Crit...

Sep 02, 2022 (27 min)

S3E17: Anil Karmel - Compliance Innovation & RegOps

Chris: So you're a proponent of a term called RegOps. Can you explain what that is to us a bit and how it differs from traditional compliance?
Nikki: I'm interested in your background from Solutions Architect, to CTO, to co-founding and running companies. Do you have any advice for other architects or IT and security practitioners for building up leadership skills and transitioning to business ownership?
Chris: Do you think the evolution of Cloud and API-enabled platforms is positionin...

Sep 02, 2022 (27 min)

S3E16: Greg Thomas - Secure Service Mesh & Cloud-native Networking

Nikki: In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture?
Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?
Chris: What role do you think Service Mesh plays in the push for Zero T...

Sep 01, 2022 (33 min)

S3E14: Jon Meadows - The Secure Software Factory

Nikki: In some ways I think "software supply chain security" has become almost a buzzword, or buzz phrase. But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISOs or security leaders should know?
Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software componen...

Aug 10, 2022 (34 min)

S3E13: Jimmy Mesta - Kubernetes Security & Compliance

Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?
Chris: Kubernetes, while it has many benefits, is also a very complex technology. What are some of the key things organizations should keep in mind when using Kubernetes securely?
Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think the importance of RBAC around Kubernetes may be.
Chri...

Aug 10, 2022 (44 min)

S3E12: Daniel Krivelevich of Cider Security - CI/CD Pipeline Security

- For folks that aren't familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?
- Do you think earlier on in the pursuit of DevOps/DevSecOps, organizations overlooked the pipeline as an attack vector?
- Any thoughts on notable incidents such as SolarWinds? Do you think they brought more attention to the build environment?
- What are your thoughts on emerging guidance such as SLSA, NIST SSDF or 800-161? Do you think these are helping bring attention to b...

Jul 22, 2022 (45 min)

S3E11: Larry Clinton w/ Internet Security Alliance: Cybersecurity as a Business Risk

- Why do you think Cybersecurity has traditionally been seen as an IT issue?
- With more and more economic activity being tied to digital platforms, do you think organizations are realizing that cybersecurity is tied to business outcomes and value?
- What do you think of recent activities by the SEC to require organizations to disclose cyber expertise among their board makeup?
- How critical do you think Cybersecurity is for organizations competing in the modern digital economy?
- Any advice ...

Jul 11, 2022 (45 min)

S3E10: Magno Logan - Container & Kubernetes Security

- First off, for those not familiar with Containers and Kubernetes, what are they?
- Why are organizations increasingly adopting these technologies over traditional forms of compute?
- How does Cybersecurity change with Kubernetes, and what are some things practitioners should be sure to keep an eye on?
- When organizations are adopting Kubernetes they are often faced with options such as rolling their own or using managed Kubernetes offerings. Any thoughts there?
- I recently read a report that ...

Jul 07, 2022 (30 min)

S3E9: Rob Black - vCISO and Story Telling

- For those unfamiliar with a vCISO, what is it and how is it different from a traditional CISO?
- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?
- How do organizations go about ensuring they get a qualified vCISO? Any things in particular to watch out for?
- For those looking to get started serving as a vCISO, any recommendations?
- You are a great storyteller and communicator on LinkedIn. What made you...

Jul 07, 2022 (25 min)

S3E8: Maril Vernon - Purple Teaming & Personal Branding

Chris: Let's start off by discussing what Purple Teaming is exactly, and what it is not.
Nikki: The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers. Do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise?
Chris: People often conflate Red Teaming, Pen Testing and Purple Teaming. How do we help clear up that confusion?
Nikki: Purple teami...

Jun 22, 2022 (32 min)

S3E7: Robert Hurlbut - All Things Threat Modeling

- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)
- You were part of an effort to create the Threat Modeling Manifesto. Can you tell us a bit about that project?
- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring, and do you think that will impact the Threat Modeling community...

Jun 16, 2022 (34 min)

S3E6: Walter Haydock - Software Supply Chain & Vulnerability Management

Nikki: You have some really awesome content on LinkedIn around Vulnerability Management. One of my favorite posts you made recently was asking "Is vulnerability management dead?" Can you explain a little bit about what you mean? I'm curious on your take, because there isn't a ton of modern guidance around vulnerability management.
Nikki: One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of empha...

Jun 16, 2022 (28 min)

S3E4: Dr. Butler - Cybersecurity & Academia

Chris: We know there's a massive Cyber workforce challenge. What role do you think academia plays there, and how can it improve to close the gap?
Nikki: Speaking of the young professionals in cybersecurity, what do you think are some of the in-demand skillsets and career paths available for individuals interested in pursuing a career in cybersecurity?
Chris: There's often a debate between academics and practitioners. Why do you think that is, and do you think we're seeing that g...

May 23, 2022 (34 min)

S3E3: Dan Lorenc - Software Supply Chain, Sigstore and OSS

Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?
Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detec...

May 23, 2022 (24 min)

S3E2: Jacob Horne - Security vs. Compliance

Nikki: You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?
Chris: It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think it's accurate, and how do we evolve beyond it?
Nikki: Based on some of your posts about compliance, one specifically about implementing frameworks and guidance from NIST and the CMMC stand...

May 23, 2022 (33 min)

S3E1: Bob Zukis - Cybersecurity in the Boardroom

Chris: So let's start with how we've gotten here. With digital systems accounting for 60% of global GDP, how do we still not have requirements or adoption of cyber expertise on public boards?
Nikki: You mention in your article about the SEC mandating cyber leadership into board rooms. Do you think that the type of experience expected on boards should be geared specifically to risk management, or a mix of highly technical and governance experience?
Chris: For those looking to fill some ...

May 23, 2022 (26 min)

S2E23: Greg Touhill - Security/Boardroom Leadership & Zero Trust

- We know you served as the First Federal U.S. CISO. Can you tell us a bit about that experience?
- In addition to your military and public sector background, you've held various industry roles as well. What are some of the major differences between the two environments you've experienced?
- We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern?
- You're very passionate about Zero Trust. What are...

Mar 30, 2022 (39 min)

S2E22: HackerOne - Bug Bounty, Vulnerability Disclosure and Ethics

Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?
Chris: We're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast with (or complement) companies' internal pen test/red teams, for example?
Nikki: Vulnerability management is an incredibly complex topic for a lot of orga...

Mar 25, 2022 (30 min)

S2E21: Jerich Beason - Emotional Intelligence, Cyber Leadership and SaaS Security

- You hold a variety of roles, from advisor, podcast host, CISO, and have a great industry presence. How do you juggle it all, and what drives you to do so much?
- You recently spoke about emotional intelligence; do you feel it is overlooked in tech and cyber?
- You speak a lot about leadership in Cybersecurity. What are some of the characteristics you think are the most important for the modern cyber leader?
- We know you often dive into Cloud security. You recently made some comments about SaaS Securit...

Mar 15, 2022 (25 min), Season 2, Ep. 22

S2E20: Tidelift - Open Source Software (OSS) & Software Supply Chain

- When you look at the state of the Open-Source Software (OSS) ecosystem, what do you think some of the biggest problems are?
- Why do you think we're now starting to see so much increased attention on the Software Supply Chain?
- When it comes to OSS maintainers and contributors, typically this is all done voluntarily and uncompensated in many cases. How is Tidelift looking to change that paradigm?
- What are some recommendations you have for organizations as they start to try and get a handle o...

Mar 08, 2022 (23 min), Season 2, Ep. 20

S2E19: Renee Wynn - Organizational Leadership, FISMA Reform and Soft Skills

- We know you've held several executive roles. We would love to hear your perspective regarding balancing business and organization leadership with the technology side.
- You recently testified before Congress regarding FISMA reform. Why do you feel this reform is so needed, and what do you feel in particular would make the biggest impact?
- What advice would you have for technology professionals who want to advance to executive roles like you've held?
- What do you think we as an industry can do to...

Mar 01, 2022 (39 min), Season 2, Ep. 19

S2E18: John Guckian - EDR, XDR and Modern Endpoint Protection

Nikki: What does EDR look like right now and where is it going?
Nikki: What are the differences between typical A/V and EDR?
Chris: What role do you see EDR playing in the push for Zero Trust?
Nikki: How do you integrate EDR into your environments, and how do you feel about using EDR with SIEMs?
Chris: Do you feel that the boon for working from home has impacted the EDR space?
Nikki: Can you talk a little bit about what DLP is and how it relates to EDR roll outs?
Chris: Building on EDR, wh...

Feb 23, 2022 (28 min), Season 2, Ep. 18

S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation

Nikki: Can you tell us a little bit about what you're currently working on right now at NIST?
Chris: Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM, and C-SCRM is a complex topic. Where do you see the industry going forward in terms of maturing C-SCRM practices?
Nikki: Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lo...

Feb 15, 2022 (40 min)

S2E16: Dr. Nagi Mei - Drone Security, Forensics and Regulation

Nikki: Please tell us a little bit about your dissertation and why you felt like drone forensics needed further research.
Chris: We know you have a Doctorate where your focus was a UAV systems forensics framework. My background is largely with DoD, which is increasingly embracing UAV/Drones etc. Are there any major security concerns a community like that should consider as they embrace these technologies?
Nikki: Do you feel like there is still a need to create more comprehensive policies and fra...

Feb 10, 2022 (18 min), Season 2, Ep. 16

S2E15: Shubhi Mishra - Government Innovation & Women in Tech

Nikki: First, I need to hear about how you feel about women in technology, and any words of encouragement for women who are interested in starting a business?
Chris: We know your organization Raft is up to some innovative work in the Federal space. Can you tell us a bit about that?
Nikki: You have such a unique background with business and law and technology; I've actually considered getting a law degree. Do you think that has altered your perspective as a business owner?
Chris: In your ...

Feb 02, 2022 (29 min)

S2E14: Jacquelyn Schneider - U.S. Cybersecurity Policy & Cyber Deterrence

Nikki: You are currently a Fellow with Stanford University. Could you talk a little about the journey you've made to this point and how cybersecurity plays into the Fellowship?
Chris: We know you served as a Senior Policy Advisor for the U.S. Cyberspace Solarium Commission. Can you speak about that, for those that aren't familiar with the commission, and, knowing the government has acted on some of the commission's recommendations, do you think we're making the progress needed as a n...

Jan 26, 2022 (25 min)

S2E13: Omar Marrero - Chaos Engineering and Building a Resilient DoD

- Can you tell us a bit about your background and how you got into the role you're in now?
- For those unfamiliar with the term "Chaos Engineering", what is it and why should organizations be practicing it?
- You currently support a program named Kessel Run. What do they do?
- Performing something disruptive such as Chaos Engineering almost seems unheard of in organizations such as the DoD with low risk tolerances for disruption. How did this come about?
- For people looking to get st...

Jan 19, 2022 (26 min)