
Resilient Cyber

Chris Hughes | www.buzzsprout.com

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

Episodes

S6E17: Jimmy Mesta - Kubernetes, Runtime and Supply Chains

- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in? - Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience? - You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusi...

Jun 04, 2024 | 26 min

S6E16: Alon Schindel - Cloud Threats and Cloud Security Platforms

- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks, can you touch on what some of those are? - We know Wiz just announced a massive capital raise and there's been talks about M&A plans for Wiz, I know you help with looking at potential products/firms - what are some key things you look at? - When you acquire a new product and team, how does it look to ensure there is a smooth integration with the Wiz team and ...

May 17, 2024 | 35 min | Season 6, Ep. 16

S6E14: Dr. Georgianna Shea: Cyber-Physical Resilience & Supply Chain Security

- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about? - Some may be asking, what's the big deal, it's just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software? - The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit? - It's often discussed how much of t...

Apr 30, 2024 | 28 min

S6E13: Bryson Bort - Cybersecurity and the Entrepreneurship Journey

- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO? - What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner? - What did you find to be some of the biggest challenges when transitioning from practitioner to business owner? - Have you had to navigate working on versus in the bu...

Apr 13, 2024 | 36 min | Season 6, Ep. 13

S6E12: Matt Nelson & David Cantrell - BESPIN Software Factory - Innovating at the Edge

Can you each tell us a bit about your background, before we dive in? For those not in the DoD or familiar with the term, what is a “Software Factory”? What is BESPIN? What is the current state of mobile security within the DoD? Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on? Are there any official mobile app sec requirements? Ca...

Mar 24, 2024 | 56 min

S6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos

- First off, for folks that don't know you can you give them a brief overview of your background/organizations? - Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention? - Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem? - Josh - Your team has s...

Mar 22, 2024 | 29 min | Season 6, Ep. 11

S6E10: Adam Bateman - Securing the Modern Identity Perimeter

- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you? - How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdPs, as well as external environments such as SaaS and so on that they have identities and permissions tied to - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain...

Mar 15, 2024 | 32 min | Season 6, Ep. 10

S6E9: Joanna McDaniel Burkey - From CISO to the Boardroom

- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry leading organizations such as Siemens and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry leading CISO along the way. - How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and ...

Mar 14, 2024 | 38 min | Season 6, Ep. 9

S6E8: Erez Yalon - AppSec, Supply Chain and Security Research

- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so? - It's now been a couple of years since the major fallout of notable incidents such as SolarWinds and Log4j, do you feel like the industry is making headway in addressing software supply chain threats? - For organizations either just starting or looking to mature their software supply chain maturity, where are some key areas you recommend organizations foc...

Mar 06, 2024 | 47 min | Season 6, Ep. 8

S6E7 - Chinmayi Sharma & Jim Dempsey - Software Liability and Safe Harbor

- First off, for folks not familiar with your backgrounds, can you please each tell us a bit about yourselves? - Let's set the table a bit, what is software liability and what is driving the increased calls for it? For example the recently released National Cyber Strategy, and commentary by U.S. leaders such as from CISA's Jen Easterly - What are some examples the software industry can pull from to try and establish a foundational liability regime? - What are some of the unique challen...

Feb 18, 2024 | 50 min | Season 6, Ep. 7

S6E6 - Crystal Poenisch - Cybersecurity Product Marketing

- First, please tell us a bit about your background and how you got into the role you are now in your career? What drew you to the marketing side of cybersecurity? - I have to be honest, many in the cyber practitioner community often bemoan cyber marketers, often citing poor tactics or interactions. What do you think has contributed to this systemic feeling and how do you think we get past it? - You've talked about how there is a lot of trash marketing out there and it's a threat to national...

Feb 05, 2024 | 20 min | Season 6, Ep. 6

S6E5 - Jeevan Singh - Scaling Application Security

- Let's start off by discussing everyone's favorite topic, vulnerability management. When it comes to AppSec, obviously there's been a big push to "shift security left" which comes with CI/CD pipelines, SAST, DAST, Secrets Scanning, IaC scanning etc. How have you handled scaling AppSec effectively without burdening Dev teams with massive vulnerability lists and being a blocker for production and delivery? - There's a lot of tools to choose from, across a lot of vari...

Jan 26, 2024 | 37 min | Season 6, Ep. 5

S6E4 - Joseph Lewis - A Year in the Seat - a CISO's Retrospective

- First off, tell us about your journey to the role of the CISO. What did that look like, what steps did you take, what helped prepare you and so on? - To many, the CISO is considered the pinnacle of the cyber career field. How did it feel when you landed the role and looking back a year now, what are some thoughts that come to mind? - We know as you become more of a senior leader, you get less into the nuance and details of the technical activities and more focused on strategy, vision, organiza...

Jan 22, 2024 | 38 min | Season 6, Ep. 4

S6E3 - Ross Haleliuk - Cyber for Builders & The Cyber Ecosystem

- First off, tell us a bit about your background and how you got to where you are now in your career - What led you to write the book? Tell us a bit about the process and the experience so far, given you didn't take a traditional route with a standard publisher etc - Your book is broken into different sections, such as security as an industry, understanding the ecosystem and trends shaping the future of cyber. Let's dive into some of those - You talk about how Cyber is horizontal, not vertic...

Jan 20, 2024 | 1 hr 3 min | Season 6, Ep. 3

S6E2 - Jacob Horne - 171, CMMC and the Federal Compliance Landscape

- For folks not tracking, let's level set a bit, what exactly is NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two? - Are there notable events that led the DoD to pursue CMMC, building on the history of 171? - Obviously the introduction of the 3PAO aspect brings more rigor than previously existed with self-assessments. Many in industry have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry (myself include...

Jan 12, 2024 | 1 hr 3 min

S6E1 - Rob van der Veer - Navigating the AI Security Landscape

- You've been heavily involved in the AI dialogue in the industry as it has heated up, how did you get your start specializing in software security and most notably AI? - AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use? - We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical fo...

Jan 05, 2024 | 33 min

S5E9: Kevin Greene - The Cyber Journey, AI/ML and Secure SDLC

- Tell us a bit about your cybersecurity journey, you've held a variety of roles with FFRDCs and industry - You've been talking a good bit about the latest Secure-by-Design push, what do you make of this push? I know you've raised concerns about needing to do some research to determine the effectiveness of these "secure" SDLCs - AI and ML are everywhere we turn in the cyber industry discussions. You've been speaking about the role of ML in cyber detectio...

Dec 22, 2023 | 44 min

S5E8: Jake Meloche - Cloud Native Security

- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career wise - What are some of the key differences with cloud-native security? - There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean? - This also implies there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bri...

Dec 15, 2023 | 21 min

S5E7: Darwin Salazar - Data, Detections & the Cybersecurity Market

Nikki - Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations - was there a singular event that spurred your interest? Chris - What are your thoughts around Guardrails in the cloud and using things such as event based detections? Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been and do you think having the practitioner backgrou...

Nov 14, 2023 | 30 min

S5E6: Allie Mellen - SecOps, Detection and AI

Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt? Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two? Nikki - What got you interested in research? I'...

Oct 20, 2023 | 26 min

S5E5: Greg Rasner - Zero Trust and Third Party Risk Management

- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM? - There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both? - TPRM often involves manual subjective lengthy question...

Oct 15, 2023 | 37 min

S5E4: Jonathan Rau - The Modern Security Data Landscape

Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties? Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evoluti...

Oct 03, 2023 | 29 min

S5E3: Patrick Garrity - Vulnerability Research, Management and Visualizations

Nikki - I wanted to ask you first what got you so passionate about vulnerability management - what was it that first sparked your curiosity and interest into security research? Nikki - You do a lot of awesome graphics and visualizations of vulnerability data from both CISA KEV and around types of CVEs - what kind of statistics do you think are most important for security practitioners to know - and on the other side, what is most important for executives to understand? Chris - You've...

Sep 24, 2023 | 35 min

S5E2: Scott Piper - Modern Cloud Security and Resilience

Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close? Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud pro...

Sep 08, 2023 | 42 min

S5E1: Amit Elazari - Convergence of Technology & Digital Policy

- For those who haven't met you yet or come across your work, can you tell us a bit about your background? - First off, tell us a bit about OpenPolicy, what is the organization's mission and why did you found it? - Why do you think it's important for there to be tight collaboration and open communication between businesses, startups and policy makers? - Some often say that policy is written by those unfamiliar with the technology it governs or the impact of the regulation and it has uni...

Sep 01, 2023 | 40 min

S4E24: Michael McLaughlin & Bill Holstein - Battlefield Cyber

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this? - What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no? - In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you e...

Aug 04, 2023 | 59 min

S4E23: Michael Klipstein - Cybersecurity from Sea to Space

Nikki - In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have there been any benefits you've seen in academia that you've brought to the military space, or vice versa? Nikki - We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but no...

Jun 30, 2023 | 30 min

S4E22: Omkhar Arasaratnam - OSS and OpenSSF

You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey? Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment? We know the OpenSSF ...

Jun 23, 2023 | 41 min

S4E21: Kelly Shortridge - Security Chaos Engineering & Resilience

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it? Nikki - In one of your sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago? Chris - When approaching leadership, it can be tough to sell the concept of being disruptive, what advice do you have for security professiona...

Jun 09, 2023 | 42 min