
Resilient Cyber

Chris Hughes
www.buzzsprout.com

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

Episodes

S2E12: Dr. Nikki Robinson - Vulnerability Chaining

What is vulnerability chaining for those unfamiliar with it? Is it becoming more prevalent among malicious actors? Why do you think we traditionally look at vulnerabilities in isolation? How do we get organizations to shift their mindset of how they look at vulnerabilities? How can organizations get context to understand what vulnerabilities can be chained together and how to mitigate those?

Jan 12, 2022 | 22 min

S2E11: Drew Malloy - DISA, Zero Trust & Thunderdome

We know the DoD is pushing towards Zero Trust adoption and DISA is playing a key role in that. Can you tell us a bit about that? What do you think some of the biggest hurdles for Zero Trust adoption in the DoD are, and how can we start to address them? Zero Trust has inevitably become a bit of a buzzword. If there is something people misunderstand about Zero Trust, what would you say that is? For those looking to learn more about DISA's approach to Zero Trust, and just the topic more broadly...

Dec 21, 2021 | 24 min

S2E10: Shane Barney - Federal Zero Trust, Cloud, and DevSecOps

Chris - There's quite a push for Zero Trust in the Federal Government, with the Cyber EO and ZT publications from CISA. What do you see as some of the biggest impediments for the Government's adoption of ZT? What are some of the biggest opportunities? Nikki - One of your recent posts you mention the difference between zero trust being a concept vs being something to act on. What do you think the right way to implement a zero-trust architecture is? Nikki - Do you have any resources for ...

Dec 14, 2021 | 37 min

S2E9: Ron Gula - Cybersecurity Founding, Investing and Board Advising

Nikki - As someone who has such wide-ranging experience in cybersecurity, from practitioner and business owner to investor, what would you say are the largest concerns in cybersecurity right now? Zero Trust? Incident Response? Cloud security? Chris - You hold several advisory and board member roles. For cybersecurity professionals looking to perform similar roles, do you have any recommendations? Nikki - With your background in a company like Tenable and the security tool industry, do you feel l...

Dec 07, 2021 | 21 min

S2E8: John D'Abruzzo - Offensive Security & Purple Teaming

Given your wide range of experience with AWS and cloud security, what would you say are some of the most common types of attacks against cloud platforms? What would you say are the top three skills someone should work on if they're interested in a career on a Red Team or as a penetration tester? Are there some really good resources or open-source tools you recommend for anyone learning about offensive security? Shifting to Purple Teaming, how does Purple Team differ from traditional PenTest/Re...

Nov 26, 2021 | 24 min | Season 2 | Ep. 8

S2E7: Rock Lambros - Cybersecurity, Business & The Evolution of The CISO

Chris - You have a book coming out titled The CISO Evolution: Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISOs to understand the business, and how do they balance their technical skills with business acumen? Nikki - I see you've posted several videos on LinkedIn; my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision...

Nov 17, 2021 | 22 min

S2E6: Tracy Bannon - DevSecOps, Innovation & The Public Sector

Chris - We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments to widespread Government adoption of DevSecOps are? Nikki - I see you spoke recently about minimum viable continuous delivery. Can you tell us a little bit about what that is and what it means, and what you think the possible implications may be for development cycles? Chris - Do you feel there is often a disconnect between leadership and practitioners when it comes to su...

Nov 09, 2021 | 27 min

S2E5: Lonye Ford - Cybersecurity Workforce & Leadership

Nikki - I'm so impressed with your wide range of cybersecurity experience, and with that experience you are also a Co-Founder and CEO. Can you talk a little bit about the transition from full-time practitioner to business owner? Chris - If you had to list the top 1-2 issues facing the cybersecurity community within Government in particular, what would they be? Nikki - What would you say are some of the biggest challenges that you've faced running your own company in the security and intelligence space? Chris - We know ...

Nov 03, 2021 | 35 min

S2E4: Dr. Allan Friedman - CISA - SBOM and the Art of Possible

For those unaware, what exactly is an SBOM, and why is it so important? One of the presentations you gave mentioned that software supply chain attacks shouldn't be discussed as "emerging threats"; these really have been going on for years. Why do you think we still talk about it as an emerging threat or something novel? We know you've recently talked about an effort dubbed "VEX" which seeks to add context to SBOM information. How is this valuable and how can it be ...

Oct 25, 2021 | 24 min | Season 2 | Ep. 4

S2E3: Meghan Jacquot - Breaking in to Cybersecurity

You have just landed your first role in cybersecurity as a Security Analyst. Congratulations! How has your experience been so far in this new role? LinkedIn can be a powerful way of meeting others. Of all the amazing things you've done, what is the best advice you could give for someone trying to break into cybersecurity? On the flip side, what is something you would like hiring managers to consider when they are interviewing potential security analysts? Of the confer...

Oct 20, 2021 | 27 min | Season 2 | Ep. 3

S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source

I was reading the CISA document "Defending Against Software Supply Chain Attacks" and was curious whether the guidance within is helpful or informative for anyone who wants to start a software supply chain risk management (S-SCRM) program. What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST SP 800-53 include SCRM-specific controls now. Will that help? What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software suppl...

Oct 13, 2021 | 20 min

S2E1: Michael Baker - VP/CISO at GDIT - Business Acumen, Leadership & the Evolution of the CISO

Leadership and business acumen: we know you're passionate about these topics. How much do you think they play a role in the success of a person's career in cyber, and do you think these are things some of us may overlook? Organizational influence is something we know you've spoken about. Can you elaborate on that? How do you go about influencing organizational change for cybersecurity, especially in organizations the size of GDIT? Does this change at all when you're trying t...

Oct 06, 2021 | 30 min | Season 2 | Ep. 1

Resilient Cyber Podcast - Episode 23 - Dr. James Hall - Security Television Network (STN)

- As Founder of the Security Television Network, how did you come up with the idea? - We have so many channels right now on the airwaves, and it seems like every day there is a security incident. Why STN? What does STN bring to the security news forum? - Can you tell us a little bit about the Indiegogo campaign? - You also have a Doctorate and teach at Capitol Technology University. Can you explain the significance of, or your interest in, academic research and technical pursuits? - On top of everythi...

Aug 03, 2021 | 46 min | Season 1 | Ep. 23

Resilient Cyber Podcast - Episode 22 - Tia Hopkins - Cyber Leader, Empowering Women, Power of Research

You have some incredible accolades, titles, and roles, but before we dive into those, can you tell us about your journey? We always love hearing about how someone got to where they are, and the hard work, discipline, and sacrifice that went into that. As mentioned previously, you have a lot of different titles: Cyber Exec, Professor, Author, Keynote Speaker. How important do you feel personal branding is in our career field? Any advice for other aspiring cyber professionals looking to expand the...

Jul 25, 2021 | 46 min | Season 1 | Ep. 22

Resilient Cyber Podcast - Episode 21 - Dr. Philip Kulp - DevSecOps

You have quite a bit of experience and a lot of research into implementing secure software, but we'd like to dig into where organizations should start: tools, multiple developers? What kind of baselines should be considered? There's an increased focus on secure software supply chains, especially with the recent Executive Order (EO). The EO emphasizes the prevalence of an SBOM, and it seems like SBOMs are set to become an industry norm in the not-so-distant fut...

Jul 18, 2021 | 29 min | Season 1 | Ep. 21

Resilient Cyber Podcast - Episode 20 - Dr. Michaela Iorga - NIST / OSCAL

1. You are part of several working groups within the NIST Cloud Computing area. Could you tell us a little bit more about the Security and Forensic Sciences groups? For individuals who aren't with NIST but have relevant expertise, is there a way we can contribute to publications? 2. You have recently released the NIST Open Security Controls Assessment Language (OSCAL) document. Could you give us some background on how this document came about and how much feedback you received from the OS...

Jul 11, 2021 | 46 min | Season 1 | Ep. 20

Resilient Cyber Podcast - Episode 19 - Richard Seiersen - CISO / Author

Could you provide some advice for anyone who may want to be a CISO, or even some guidance on how and why someone may want to be a CISO? You co-wrote the book "How to Measure Anything in Cybersecurity Risk". Could you provide some advice to cybersecurity professionals who have a topic in mind and want to write a book of their own? With your vast knowledge and experience in cybersecurity leadership, can you give us an example of some of the major challenges or roadblock...

Jul 04, 2021 | 29 min | Season 1 | Ep. 19

Resilient Cyber Podcast - Episode 18 - Daniela Applegate - Co-Founder of rThreat

Questions: Can you tell us a little bit about what rThreat does? We spoke a bit about your background in education and curriculum development. Can you give us some more information about that and how it has impacted your new role? Can you tell us a bit about what it's like to work at a startup and how your interest in security got you into that? How do you feel the threat landscape is changing? Do you think we need to change the way we think about security awareness? (Related to my researc...

Jun 27, 2021 | 46 min | Season 1 | Ep. 18

Resilient Cyber Podcast - Episode 17 - Rob Wood - CISO for CMS

Can you tell us a bit about your journey to becoming the CISO at CMS? We know you spent most of your time in commercial industry prior to that. How has it helped, and what are some of the major differences you've experienced? Can you give us some industry-specific guidance on what it means to be a CISO in the healthcare industry? CMS handles the PII of over 50 million Americans, I believe. Can you elaborate on the scale and scope of that challenge and how the organization prioritizes this protection gi...

Jun 19, 2021 | 43 min | Season 1 | Ep. 17

Resilient Cyber - Episode 16 - John Stoner - Ally, Public Speaker, and OSINT Extraordinaire

1. You are an active member on LinkedIn as an ally to women wanting to get into or succeed in cybersecurity. Can you explain why that is so important to you? 2. You have a number of public speaking engagements under your belt. Could you give us some detail on how you came across it and what interested you about it? 3. Could you give some advice to anyone looking to get into speaking at cyber conferences? 4. You participate in a number of local groups, either as a volunteer or an active member,...

Jun 13, 2021 | 32 min | Season 1 | Ep. 16

Episode 15 - Dr. Chase Cunningham - Dr. Zero Trust

For those unfamiliar with Zero Trust, if you had to summarize what Zero Trust is, how would you describe it? Zero Trust has been in the news quite a bit recently, with NIST even publishing its own guide just a year ago. Do you think this is really a new topic or more of a maturation of older processes? It seems like with every breach we hear that Zero Trust could have prevented x, y, and z. Do you think Zero Trust has the potential to mitigate breaches, or at least minimize their impact? I see Zero Trus...

Jun 06, 2021 | 25 min | Season 1 | Ep. 15

Resilient Cyber - Episode 14 - Hannah and Vito - Army Software Factory

In this episode we chat with some of the leadership team from Army Futures Command. We discuss: What exactly does a Chief Product and Innovation Officer do, and why is a role like this needed in the DoD? How has AFC built on lessons learned from previous efforts, such as Kessel Run? We know there's a push for Soldier-led software development. Why is that, and why is it important for national security, over traditional ways of doing software development within the DoD? We know there's a p...

May 30, 2021 | 40 min | Season 1 | Ep. 14

Resilient Cyber - Episode 13 - Carlota Sage - vCISO Challenges, Solutions, and Collaboration

Please give us a bit of background on how you became a vCISO and what responsibilities come with that job. You have built several successful security programs from the ground up; what would you say is the most challenging part of that process? Now that we've talked about some of the challenges around creating a security program, what would you say is the most rewarding or most interesting part of it? Can you talk about some of the flexibility that a vCISO or CISO must have when leading...

May 24, 2021 | 23 min | Season 1 | Ep. 13

Resilient Cyber - Episode 12 - Jason Weiss - DoD Software Modernization

Can you tell us a bit about your role as the Director of Software Modernization for the DoD? What does that entail? On the software modernization front, at a high level, what are some of the primary software modernization objectives of the DoD? How does software modernization tie into national defense, and why is it so critical to get right? There's an increased push to adopt DevSecOps. What are your thoughts on that, and why is there such an interest among the DoD/Federal community? Jason Weiss Bio: Jason Weiss...

May 16, 2021 | 32 min | Season 1 | Ep. 12

Resilient Cyber - Episode 11 - Dr. Margaret Cunningham - Human Factors, Cybersecurity, Cognitive Psychology

1. Can you give us a brief description of your background in cognitive psychology and how you found your way into cybersecurity? 2. Can you describe how psychology is directly applicable to cybersecurity? 3. Can you discuss how philosophy is also applicable to cybersecurity? 4. How do you feel neuroscience plays into cybersecurity? Maybe specifically discuss cognitive limitations and how they may affect us in the cybersecurity field. 5. Tell me about your new research! I see you have a...

May 10, 2021 | 21 min | Season 1 | Ep. 11

Resilient Cyber - Episode 10 - Nikki Robinson - Vulnerability Management Challenges

Today's episode is a conversation between Dr. Nikki Robinson and Chris Hughes on Vulnerability Management. Dr. Nikki has a PhD focused on Vulnerability Chaining, and the co-hosts discuss the difficulties of Vulnerability Management. What would you say are the biggest reasons why vulnerability management is still so difficult for organizations? Why is it so important to patch or mitigate end-of-life software, and what are some of the challenges around that? Is vulnerability scanning sti...

May 02, 2021 | 26 min | Season 1 | Ep. 10

Resilient Cyber - Episode 9 - Matt Johnson - Infrastructure as Code (IaC)

What is Infrastructure-as-Code (IaC), and how does it differ from traditional ways of provisioning infrastructure? How does IaC fit into the broader push for DevSecOps and shifting security left? What is Compliance-as-Code (CaC)? What does that look like, and how can organizations benefit from implementing it? What are some of the challenges associated with adopting IaC and CaC? Where is the future of IaC/CaC headed, and what are some opportunities you think haven't been explored yet? What does "cyber...

Apr 25, 2021 | 23 min | Season 1 | Ep. 9

Resilient Cyber - Episode 8 - Ray Letteer, DSc - Authorization to Operate (ATO) Process

You're the Authorizing Official for the USMC. Can you explain what you do in that role for those who aren't familiar with the term AO? The DoD is increasingly looking to adopt DevSecOps. Can you tell us where the Marine Corps is on that journey, some of the challenges, and what opportunities DevSecOps would provide the USMC? Given your role, and the DoD's continued push to adopt DevSecOps, how do you see processes changing around the implementation of the Risk Management Framewor...

Apr 18, 2021 | 30 min | Season 1 | Ep. 8

Resilient Cyber - Episode 7 - Jim Perkins - Tactical Edge Cloud Computing

What is Tactical Edge Cloud Computing? How does it apply to the DoD and the military, and what advantages and challenges does it bring? I know you're involved with the Defense Entrepreneurs Forum (DEF) and the Joint Software Alliance (JSOFT). Can you tell us a bit about those and why you think organizations like those are important for the DoD community? I've heard you say that "The future of national security is digital technology integration". With the increased growth of things ...

Apr 12, 2021 | 24 min | Season 1 | Ep. 7

Resilient Cyber - Episode 6 - Chris Hughes - Cloud Security, Adoption, and Automation

- What first interested you in cloud technology and pursuing a career in cloud security? - Do you feel that learning a cloud platform is essential for today's IT and security workforce? - Do you recommend hybrid cloud environments? Do you think they add too much complexity to provide proper security controls? - What are some of the biggest threats to cloud and hybrid environments? - What are some emerging trends in cloud security? How do you think cyber resiliency specifically applies to cloud env...

Apr 04, 2021 | 25 min | Season 1 | Ep. 6