Resilient Cyber brings listeners discussions with Cybersecurity and Information Technology (IT) Subject Matter Experts (SMEs) from the Public and Private domains and a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

In this episode, I sit down with longtime industry leader and visionary Phil Venables to discuss the evolution of cybersecurity leadership, including Phil's own journey from CISO to Venture Capitalist.
We chatted about:
- A recent interview Phil gave about CISOs transforming into business-critical digital risk leaders and some of the key themes and areas CISOs need to focus on the most when making that transition
- Some of the key attributes CISOs need to be the most effective in terms of technical, soft skills, financial acumen, and more, leaning on Phil's 30 years of experience in the field and as a multiple-time CISO
- Phil's transition to Venture Capital with Ballistic Ventures and what drew him to this space from being a security practitioner
- Some of the product areas and categories Phil is most excited about from an investment perspective
- The double-edged sword that is AI, which is used for security and needs security
- Phil's past five years blogging and sharing his practical, hard-earned wisdom at www.philvenables.com, and how that has helped him organize his thinking and contribute to the community
- Some specific tactics and strategies Phil finds the most valuable when it comes to maintaining deep domain expertise, but also broader strategic skillsets, and the importance of being in the right environment around the right people to learn and grow

In this episode, I discuss the Model Context Protocol (MCP) with the OWASP GenAI Co-Lead for Agentic Application Security, Vineeth Sai Narajala. We will discuss MCP's potential and pitfalls, its role in the emerging Agentic AI ecosystem, and how security practitioners should consider secure MCP enablement.
We discussed:
- MCP 101, what it is and why it matters
- The role of MCP as a double-edged sword, offering opportunities but additional risks and considerations from a security perspective
- Vineeth's work on the "Vulnerable MCP" project, a repository of MCP risks, vulnerabilities, and corresponding mitigations
- How MCP is also offering tremendous opportunities on the security-enabling side, extending security capabilities into AI-native platforms such as Claude and Cursor, and security vendors releasing their own MCP servers
- Where we see MCP heading from a research and implementation perspective
Additional Resources:
- Anthropic - Introducing the Model Context Protocol (MCP)
- Enhanced Tool Definition Interface (ETDI): A Security Fortification for the Model Context Protocol
- Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies
- Vulnerable MCP Project

In this episode, I sit with long-time vulnerability management and data science experts Jay Jacobs and Michael Roytman, who recently co-founded Empirical Security.
We dive into the state of vulnerability management, including:
- How it is difficult to quantify and evaluate the effectiveness of vulnerability prioritization and scoring schemes, such as CVSS, EPSS, KEV, and proprietary vendor prioritization frameworks, and what can be done better
- Systemic challenges, including setbacks in the NIST National Vulnerability Database (NVD) program, the MITRE CVE funding fiasco, and the need for a more resilient vulnerability database and reporting ecosystem
- Domain-specific considerations when it comes to vulnerability identifiers and vulnerability management, in areas such as AppSec, Cloud, and Configuration Management, and using data to make more effective decisions
- The overuse of the term “single pane of glass” and some alternatives
- Empirical's innovative approach to “localized” models when it comes to vulnerability management, which takes unique organizational and environmental considerations into play, such as mitigating controls, threats, tooling, and more, and how they are experimenting with this new approach for the industry

In this episode, we sit down with the Co-Founder and CPO of Seemplicity, Ravid Circus, to discuss tackling the prioritization crisis in cybersecurity and how AI is changing vulnerability management.
We dove into a lot of great topics, including:
- The massive challenge of not just finding and managing vulnerabilities but also remediation, with Seemplicity's Year in Review report finding organizations face 48.6 million vulnerabilities annually and only 1.7% of them are critical. That still means hundreds of thousands to millions of vulnerabilities need to be remedied, and organizations struggle with this, even with the context of what to prioritize.
- There's a lot of excitement around AI in Cyber, including in GRC, SecOps, and, of course, AppSec and vulnerability management. How do you discern between what is hype and what can provide real outcomes?
- What practical steps can teams take to bridge the gap between AI's ability to find problems and security teams' ability to fix them?
- One of the major issues is determining who is responsible for fixing findings in the space of Remediation Operations, where Seemplicity specializes. Ravid talks about how, both technically and culturally, Seemplicity addresses this challenge of finding the fixer.
- What lies ahead for Seemplicity this year with RSA and beyond

In this episode, we sit down with Varun Badhwar, Founder and CEO of Endor Labs, to discuss the state of AI for AppSec and move beyond the buzzwords. We discussed the rapid adoption of AI-driven development, its implications for AppSec, and how AppSec can leverage AI to address longstanding challenges and mitigate organizational risks at scale.
Varun and I dove into a lot of great topics, such as:
- The rise of GenAI and LLMs and their broad implications on Cybersecurity
- The dominant use case of AI-driven development with Copilots and LLM-written code, leading to a Developer productivity boost. AppSec has struggled to keep up historically, with vulnerability backlogs getting out of control. What will the future look like now?
- Studies show that AI-driven development and Copilots don't inherently produce secure code, and frontier models are primarily trained on open source software, which has vulnerabilities and other risks. What are the implications of this for AppSec?
- How can AppSec and Cyber leverage AI and agentic workflows to address systemic security challenges? Developers and attackers are both early adopters of this technology.
- Navigating vulnerability prioritization, dealing with insecure design decisions and addressing factors such as transitive dependencies
- The importance of integrating with developer workflows, reducing cognitive disruption and avoiding imposing a “Developer Tax” with legacy processes and tooling from security

In this episode, we sit down with David Melamed and Shai Horovitz of the Jit team. We discussed Agentic AI for AppSec and how security teams use it to get real work done.
We covered a lot of key topics, including:
- What some of the systemic problems facing AppSec are, even before the widespread adoption of AI, such as vulnerability prioritization, security technical debt and being outnumbered exponentially by Developers
- The surge of interest and investment in AI and agentic workflows for AppSec, and why AppSec is an appealing space for this sort of investment and excitement
- How the prior wave of AppSec tooling was focused on finding problems, riding the wave of shift left, but how this has led to alert fatigue and overload, and how the next era of AppSec tools will need to focus on not just finding but actually fixing problems
- Some of the unique capabilities and features the Jit team has been working on, such as purpose-built agents in areas such as SecOps, AppSec and Compliance, as well as context-graphs with organizational insights to drive effective remediation
- The role of Agentic AI and how it will help tackle some of the systemic challenges in the AppSec industry
- Addressing concerns around privacy and security when using AI, by leveraging offerings from CSPs and integrating guardrails and controls to mitigate risks

We sit with Lasso Security CEO and Co-Founder Elad Schulman in this episode.
Lasso focuses on secure enterprise LLM/GenAI adoption, from LLM Applications, GenAI Chatbots, Code Protection, Model Red Teaming, and more. Check them out at https://lasso.security
We dove into a lot of great topics, such as:
- Dealing with challenges around visibility and governance of AI, much like previous technological waves such as mobile, Cloud, and SaaS
- Unique security considerations for different paths of using and building with AI, such as self-hosted models and consuming models as-a-service from SaaS LLM providers
- Potential vulnerabilities and threats associated with AI-driven development products such as Copilots and Coding assistants
- Software Supply Chain Security (SSCS) risks such as package hallucinations, and both safeguarding the data that goes out to external coding tools, as well as secure consumption of the data coming into the organization
- Securing AI itself and dealing with risks and threats such as model poisoning and implementing model red teaming
- Lasso discovered several critical concerns in their AI security research, such as Microsoft's Copilot exposing thousands of private GitHub repos

In this episode, we sit down with Piyush Sharrma, CEO and co-founder of the Tuskira team. They're an AI-powered defense optimization platform innovating around leveraging an Agentic Security Mesh.
We will dive into topics such as Platform vs. Point Solutions, Security Tool Sprawl, Alert Fatigue, and how AI can create "intelligent" layers to unify and enhance security tooling ROI.
We discussed:
- What drove Piyush to jump back into the startup space after successfully exiting from a previous startup he helped found
- The industry debate around Platform vs. Point Solutions or Best-of-Breed and the perspectives between industry leaders and innovative startups
- Dealing with the challenge of alert fatigue for security and development teams and the role of AI in reducing cognitive overload and providing insight into organizational risks across tools, tech stacks, and architectures
- The role of AI in providing intelligence layers or an Agentic Security Mesh across existing security tools and defenses and mitigating organizational risks beyond isolated vulnerability scans by looking at compensating controls, configurations, and more
- Shifting security from a reactionary model around incident response and exploitation to a preemptive risk defense model that minimizes attack surface and optimizes existing security investments and architectures

In this episode, we sit with security leader and venture investor Sergej Epp to discuss the Cloud-native Security Landscape. Sergej currently serves as the Global CISO and Executive at Cloud Security leader Sysdig and is a Venture Partner at Picus Capital. We will dive into some insights from Sysdig's recent "2025 Cloud-native Security and Usage Report."
Big shout out to our episode sponsor, Yubico! Passwords aren't enough. Cyber threats are evolving, and attackers bypass weak authentication every day. YubiKeys provide phishing-resistant security for individuals and businesses—fast, frictionless, and passwordless. Upgrade your security: https://yubico.com
Sergej and I dove into a lot of great topics related to Cloud-native Security, including:
- Some of the key trends in the latest Sysdig 2025 Cloud-native Security Report and trends that have stayed consistent YoY. Sergej points out that while attackers have stayed consistent, organizations have and continue to make improvements to their security.
- Sergej elaborated on his current role as Sysdig's internal CISO and his prior role as a field CISO and the differences between the two roles in terms of how you interact with your organization, customers, and the community.
- We unpacked the need for automated Incident Response, touching on how modern cloud-native attacks can happen in as little as 10 minutes and how organizations can and do struggle without sufficient visibility and the ability to automate their incident response.
- The report points out that machine identities, or Non-Human Identities (NHI), are 7.5 times riskier than human identities and that there are 40,000 times more of them to manage. This is a massive problem and gap for the industry, and Sergej and I walked through why this is a challenge and its potential risks.
- Vulnerability prioritization continues to be crucial, with the latest Sysdig report showing that just 6% of vulnerabilities are “in-use”, or reachable. Still, container bloat has ballooned, quintupling in the last year alone. This presents real problems as organizations continue to expand their attack surface with expanded open-source usage but struggle to determine what vulnerabilities truly present risks and need to be addressed.
- We covered the challenges with compliance, as organizations wrestle with multiple disparate compliance frameworks, and how compliance can drive better security but also can have inverse impacts when written poorly or not keeping pace with technologies and threats.
- We rounded out the conversation by discussing AI/ML packages and the fact that they have grown by 500% when it comes to usage, but organizations have decreased public exposure of AI/ML workloads by 38% since the year prior, showing some improvements are being made to safeguarding AI workloads from risks as well.

In this episode, we sit down with Investor, Advisor, Board Member, and Cybersecurity Leader Chenxi Wang to discuss the interaction of AI and Cybersecurity, what Agentic AI means for Services-as-a-Software, as well as security in the boardroom.
Chenxi and I covered a lot of ground, including:
- When we discuss AI for Cybersecurity, it is usually divided into two categories: AI for Cybersecurity and Securing AI. Chenxi and I walk through the potential for each and which one she finds more interesting at the moment.
- Chenxi believes LLMs are fundamentally changing the nature of software development, and the industry's current state seems to support that. We discussed what this means for Developers and the cybersecurity implications when LLMs and Copilots create the majority of code and applications.
- LLMs and GenAI are currently being applied to various cybersecurity areas, such as SecOps, GRC, and AppSec. Chenxi and I unpack which areas AI may have the greatest impact on and the areas we see the most investment and innovation in currently.
- As mentioned above, there is also the need to secure AI itself, which introduces new attack vectors, such as supply chain attacks, model poisoning, prompt injection, and more. We cover how organizations are currently dealing with these new attack vectors and the potential risks.
- The biggest buzz of 2025 (and beyond) is Agentic AI or AI Agents, and their potential to disrupt traditional services work, which represents an outsized portion of cybersecurity spending and revenue. Chenxi envisions a future where Agentic AI and Services-as-a-Software may change what cyber services look like and how cyber activities are conducted within an organization.
If you aren't already following Chenxi Wang on LinkedIn, I strongly recommend you do. I have a lot of connections, but she is someone whose posts I am sure to stop and read, because she shares a TON of great insights from the boardroom, investment, cyber, startups, AI, and more. I'm thankful to have her on the show to come chat!

In this episode, we sit down with Lior Div and Nate Burke of 7AI to discuss Agentic AI, Service-as-Software, and the future of Cybersecurity. Lior is the CEO/Co-Founder of 7AI and a former CEO/Co-Founder of Cybereason, while Nate brings a background as a CMO with firms such as Axonius, Nagomi, and now 7AI.
Lior and Nate bring a wealth of experience and expertise from various startups and industry-leading firms, which made for an excellent conversation.
We discussed:
- The rise of AI and Agentic AI and its implications for cybersecurity
- Why the 7AI team chose to focus on SecOps in particular and the importance of tackling toil work to reduce cognitive overload, address workforce challenges, and improve security outcomes
- The importance of distinguishing between Human and Non-Human work, and why the idea of eliminating analysts is the wrong approach
- Being reactive and leveraging Agentic AI for threat hunting and proactive security activities
- The unique culture that comes from having the 7AI team in-person on-site together, allowing them to go from idea to production in a single day while responding quickly to design partners and customer requests
- Challenges of building with Agentic AI and how the space is quickly evolving and growing
- Key perspectives from Nate as a CMO regarding messaging around AI and getting security to be an early adopter rather than a laggard when it comes to this emerging technology
- Insights from Lior on building 7AI compared to his previous role, founding Cybereason, which went on to become an industry giant and leader in the EDR space

In this episode, we sit down with Rob Shavell, CEO and Co-Founder of DeleteMe, an organization focused on safeguarding exposed personal data on the public web and addressing user privacy challenges.
We dove into a lot of great topics, such as:
- The rapidly growing problem of personal data ending up on the public web and some of the major risks many may not think about or realize
- Trends contributing to personal data exposure, from the Internet itself to social media, mobile phones/apps, IoT devices, COVID, and now AI
- Where to get started when it comes to taking control of your personal data and privacy
- Potential abuses and malicious uses for personal data and how threat actors are leveraging it
- How DeleteMe can help, as well as free resources and DIY guides that individuals can use to mitigate risk associated with their personal data being exposed

In this episode of Resilient Cyber, we sit down with Steve Martano, Partner in the Cyber Security Practice at Artico Search, to discuss the recent IANS & Artico Search Publications on the 2025 State of the CISO, security budgets, and broader security career dynamics.
Steve and I touched on some great topics, including:
- The 2025 State of the CISO report and key findings
- Board reporting cadences for CISOs and the importance of Boardroom involvement in Cybersecurity
- The three archetypes of CISOs: Tactical, Functional and Strategic
- How security leaders can advance their careers to become strategic CISOs, as well as key considerations for organizations looking to attract and retain their security talent
- The growing scope of responsibility for CISO roles from not just Infosec but to broader IT, business risk, and digital strategy, and implications for CISOs
- Security budget trends, spending, macroeconomic factors and allocations
Here is a list of some of the great resources from IANS and Artico on various areas of interest for CISOs and Security leaders alike!
- https://www.iansresearch.com/resources/ians-security-budget-benchmark-report
- https://www.iansresearch.com/resources/ians-ciso-compensation-benchmark-report
- https://www.iansresearch.com/resources/ians-state-of-the-ciso-report
- https://www.iansresearch.com/resources/ians-leadership-organization-benchmark-report

In this episode of Resilient Cyber, we catch up with Katie Norton, an Industry Analyst at IDC who focuses on DevSecOps and Software Supply Chain Security. We will dive into all things AppSec, including 2024 trends and analysis and 2025 predictions.
Katie and I discussed:
- Her role with IDC and transition from Research and Data Analytics into being a Cyber and AppSec Industry Analyst and how that background has served her during her new endeavor
- Key themes and reflections in AppSec through 2024, including disruption among Software Composition Analysis (SCA) and broader AppSec testing vendors
- The age-old Platform vs. Point product debate concerns the iterative and constant cycle of new entrants and innovations that grow, add capabilities, and become platforms or are acquired by larger platform vendors. The cycle continues infinitely.
- Katie's key research areas for 2025 include Application Security Posture Management (ASPM), Platform Engineering, SBOM Management, and Securing AI Applications
- The concept of a “Developer Tax” and the financial and productivity impact legacy security tools and practices are having on organizations while also building silos between us and our Development peers
- The role of AI in corrective code fixes and the ability of AI-assisted automated remediation tooling to drive down remediation timelines and vulnerability backlogs
- The importance of storytelling, both as an Industry Analyst and in the broader career field of Cybersecurity

In this episode of Resilient Cyber, Ed Merrett, Director of Security & TechOps at Harmonic Security, will dive into AI Vendor Transparency.
We discussed the nuances of understanding models and data and the potential for customer impact related to AI security risks.
Ed and I dove into a lot of interesting GenAI Security topics, including:
- Harmonic's recent report on GenAI data leakage shows that nearly 10% of all organizational user prompts include sensitive data such as customer information, intellectual property, source code, and access keys
- Guardrails and measures to prevent data leakage to external GenAI services and platforms
- The intersection of SaaS Governance and Security and GenAI and how GenAI is exacerbating longstanding SaaS security challenges
- Supply chain risk management considerations with GenAI vendors and services, and key questions and risks organizations should be considering
- Some of the nuances between self-hosted GenAI/LLMs and external GenAI SaaS providers
- The role of compliance around GenAI and the different approaches we see between examples such as the EU with the EU AI Act, NIS2, DORA, and more, versus the U.S.-based approach

In this episode, we sit down with Sounil Yu, Co-Founder and CTO at Knostic, a security company focusing on need-to-know-based access controls for LLM-based Enterprise AI.
Sounil is a recognized industry security leader and the author of the widely popular Cyber Defense Matrix.
Sounil and I dug into a lot of interesting topics, such as:
- The latest news with DeepSeek and some of its implications regarding broader AI, cybersecurity, and the AI arms race, most notably between China and the U.S.
- The different approaches to AI security and safety we're seeing unfold between the U.S. and EU, with the former being more best-practice and guidance-driven and the latter being more rigorous and including hard requirements
- The age-old concept of need-to-know access control, the role it plays, and potentially new challenges implementing it when it comes to LLMs
- Organizations rolling out and adopting LLMs and how they can go about implementing least-permissive access control and need-to-know
- Some of the different security considerations between
- Some of the work Knostic is doing around LLM enterprise readiness assessments, focusing on visibility, policy enforcement, and remediation of data exposure risks

SecOps continues to be one of the most challenging areas of cybersecurity. It involves addressing alert fatigue, minimizing dwell time and mean-time-to-respond (MTTR), automating repetitive tasks, integrating with existing tools, and delivering ROI.
In this episode, we sit with Grant Oviatt, Head of SecOps at Prophet Security and an experienced SecOps leader, to discuss how AI SOC Analysts are reshaping SecOps by addressing systemic security operations challenges and driving down organizational risks.
Grant and I dug into a lot of great topics, such as:
- Systemic issues impacting the SecOps space, including alert fatigue, triage, burnout, staffing shortages, and inability to keep up with threats
- What makes SecOps such a compelling niche for Agentic AI, and what key ways can AI help with these systemic challenges?
- How Agentic AI and platforms such as Prophet Security can aid with key metrics such as SLOs or mean-time-to-remediation (MTTR) to drive down organizational risks
- Addressing the skepticism around AI, including its use in production operational environments and how the human-in-the-loop still plays a critical role for many organizations
- Many organizations are using Managed Detection and Response (MDR) providers as well, and how Agentic AI may augment or replace these existing offerings depending on the organization's maturity, complexity, and risk tolerance
- How Prophet Security differs from vendor-native offerings such as Microsoft Copilot and the role of cloud-agnostic offerings for Agentic AI

In this episode, we sit down with Rajan Kapoor, Field CISO of Material Security, to discuss the security risks and shortcomings of native cloud workspace security offerings and the role of modern platforms for email security, data governance, and posture management.
Email and Cloud Collaboration Workspace Security continues to be one of the most pervasive and challenging security environments, and Rajan provided a TON of excellent insights.
We covered:
- Why email and cloud workspaces are some of the most highly targeted environments by cyber criminals, what they can do once they do compromise the email environment, and the broad implications
- The lack of security features and capabilities of native cloud workspaces such as M365 and Google Workspace and the technical and resource constraints that drive teams to seek out innovative products such as Material Security
- The tug of war between security and productivity and how Material Security helps address challenges of the native workspaces that often make it hard for people to do their work and lead to security being sidestepped
- Particular industries that are targeted and impacted the most, such as healthcare, where there is highly sensitive data, regulatory challenges, and more
- Common patterns among threats, attacks, and vulnerabilities and how organizations can work to bolster the security of their cloud workspace environments
This is a fascinating area of security. We often hear “identity is the new perimeter” and see identity play a key role in trends such as zero trust. But, so often, that identity starts with your email, and it can lead to lateral movement, capturing MFA codes, accessing sensitive data, impacting business partners, phishing others in the organization, and more, all of which can have massive consequences for the organizations impacted.
Rajan brought his expertise as a Field CISO and longtime security practitioner to drop a ton of gems in this one, so be sure to check it out!

While cybercriminals can (and do) infiltrate organizations by exploiting software vulnerabilities and launching brute force attacks, the most direct—and often the most effective—route is via the inbox. As the front door of an enterprise and the gateway upon which employees rely to do their jobs, the inbox represents an ideal access point for attackers.
And it seems that, unfortunately, cybercriminals aren't lacking when it comes to identifying new ways to sneak in. Abnormal Security's Field CISO, Mick Leach, will discuss some of the sophisticated threats we anticipate escalating in the coming year—including cryptocurrency fraud, AI-generated business email compromise, and more.
Mick and I dove into a lot of great topics, including:
- The evolution of email-based attacks and why traditional tooling may fall short
- How attackers are leveraging GenAI and LLMs to make more compelling email-based attacks
- How defenders can utilize AI to improve their defensive capabilities
- The role of tooling such as Secure Email Gateways and more, and how they still play a role but fail to meet the latest threat landscape
- How Abnormal is tackling email-based attacks and the outcomes they are helping customers achieve with streamlined integration and use

We've heard a ton of excitement about AI Agents, Agentic AI, and its potential for Cybersecurity. This ranges across areas such as GRC, SecOps, and Application Security (AppSec).
That is why I was excited to sit down with Ghost Security Co-Founder/CEO Greg Martin.
In this episode, we sit down with Ghost Security CEO and Co-Founder Greg Martin to chat about Agentic AI and AppSec. Agentic AI is one of the hottest trends going into 2025, and we will discuss what it is, its role in AppSec, and what systemic industry challenges it may help tackle.
Greg and I chatted about a lot of great topics, including:
- The hype around Agentic AI and what makes AppSec, in particular, such a promising area and use case for AI to tackle longstanding AppSec challenges such as vulnerabilities, insecure code, backlogs, and workforce constraints
- Greg's experience as a multi-time founder, including going through acquisitions, and what continues to draw him back to being a builder and operational founder
- The challenges of historical AppSec tooling and why the time for innovation, new ways of thinking, and leveraging AI is due
- Whether we think AI will end up helping or hurting more in terms of defenders and attackers and their mutual use of this promising technology
And much more, so be sure to tune in and check it out, as well as check out his team at Ghost Security and what they're up to!

In this episode, we will be sitting down with Filip Stojkovski and Dylan Williams to dive into AI, Agentic AI, and the intersection with cybersecurity, specifically Security Operations (SecOps).
I've been following Filip and Dylan for a bit via LinkedIn and have been really impressed with their perspective on AI and its intersection with Cyber, especially SecOps.
We dove into that in this episode, including:
- What exactly Agentic AI and AI Agents are, and how they work
- What a Blueprint for AI Agents in Cybersecurity may look like, using their example in their blog with the same title
- The role of multi-agentic architectures, potential patterns, and examples such as Triage Agents, Threat Hunting Agents, and Response Agents and how they may work in unison
- The potential threats to AI Agents and Agentic AI architectures, including longstanding challenges such as Identity and Access Management (IAM), Least-Permissive Access Control, Exploitation, and Lateral Movement
- The current state of adoption across enterprises and the startup landscape and key considerations for CISOs and security leaders looking to potentially leverage Agentic SecOps products and offerings

In this episode, we sit down with StackAware Founder and AI Governance Expert Walter Haydock. Walter specializes in helping companies navigate AI governance and security certifications, frameworks, and risks. We will dive into key frameworks, risks, lessons learned from working directly with organizations on AI Governance, and more.
- We discussed Walter's pivot with his company StackAware from AppSec and Supply Chain to a focus on AI Governance and from a product-based approach to a services-oriented offering and what that entails.
- Walter has been actively helping organizations with AI Governance, including helping them meet emerging and newly formed standards such as ISO 42001. Walter provides field notes, lessons learned and some of the most commonly encountered pain points organizations have around AI Governance.
- Organizations have a ton of AI Governance and Security resources to rally around, from OWASP, Cloud Security Alliance, NIST, and more. Walter discusses how he recommends organizations get started and where.
- The U.S. and EU have taken drastically different approaches to AI and Cybersecurity, from the EU AI Act, U.S. Cyber EO, Product Liability, and more. We discuss some of the pros and cons of each and why the U.S.'s more relaxed approach may contribute to economic growth, while the EU's approach to being a regulatory superpower may impede their economic growth.
- Walter lays out key credentials practitioners can explore to demonstrate expertise in AI security, including the IAPP AI Governance credential, which he recently took himself.
You can find out more about Walter Haydock by following him on LinkedIn, where he shares a lot of great AI Governance and Security insights, as well as his company website www.stackaware.com

In this episode, we sit with the return guest, Jim Dempsey. Jim is the Managing Director of the Cybersecurity Law Center at IAPP, Senior Policy Advisor at Stanford, and Lecturer at UC Berkeley. We will discuss the complex cyber regulatory landscape, where it stands now, and implications for the future based on the recent U.S. Presidential election outcome. We dove into a lot of topics including:
- The potential impact of the latest U.S. Presidential election, including the fact that while there are parallels between Trump's first term and Joe Biden's, there are also key differences. We're likely to see a deregulatory approach related to commercial industry and consumer tech but much more alignment and firm stances related to cyber and national security.
- The future of efforts around Software Liability and Safe Harbor
- Contrasted differences between the EU's tech regulatory efforts and the U.S. The U.S. has taken a much more voluntary approach. While Jim is an advocate of regulation and thinks it is needed, he simply cannot get behind the heavy-handed approach of the EU and suspects it will continue to widen the tech gap between the U.S. and the EU.
- What is the potential for regulatory harmonization and the challenges due to the unique aspects of each industry, vertical, data types, and more.
Jim leads the recently formed IAPP Cybersecurity Law Center. He is also the author of the book Cybersecurity Law Fundamentals, Second Edition.
In this episode of Resilient Cyber I will be chatting with industry leaders Tyler Shields and James Berthoty on the topic of "Shift Left". This includes the origins and early days of the shift left movement, as well as some of the current challenges, complaints and if the shift left movement is losing its shine. We dive into a lot of topics such as:
- Tyler and James' high-level thoughts on shift left and where it may have gone wrong or run into challenges
- Tyler's thoughts on the evolution of shift left over the last several decades from some of his early Pen Testing roles and working with early legacy applications before the age of Cloud, DevOps and Microservices
- James' perspective, having started in Cyber in the age of Cloud and how his entire career has come at shift left from a bit of a different perspective
- The role that Vendors, VCs and products play and why the industry only seems to come at this from the tool perspective
- Where we think the industry is headed with similar efforts such as Secure-by-Design/Default and its potential as well as possible challenges
In this episode we sit down with Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We will dive into a wide range of topics, from cyber regulation, software liability, navigating Federal/Defense cyber compliance and the need for digital defense of the modern national security ecosystem.
- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir?
You're a big proponent of the role that software plays now, and will play in the future when it comes to the fifth domain of warfare, cybersecurity, so let's dive into some of those topics.
- I know you've voiced some strong opinions on the role of cyber insurance and also compliance when it comes to its static nature, compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?
- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?
- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?
- The enablement of more companies is key, as you know the DIB has seen massive consolidation in the past decade or more, largely with the small handful of players dominating the lion's share of the work in the DoD. This arguably poses systemic concentrated risks, as well as doesn't give access for the DoD to commercial innovation. You called the DoD's most powerful ally America's commercial tech sector in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a "not built here" syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?
- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATOs and RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?
In this episode we sit down with Mark Simos to dive into his RSA Conference talk "You're Doing It Wrong - Common Security AntiPatterns" to dig into several painfully true anti-patterns in cybersecurity and how we often are our own worst enemy.
- First off, for those not familiar with you or your background, can you tell us a bit about that?
- So you delivered this talk at RSA, focused on Cybersecurity "Anti-Patterns". How did the talk come about and how was it received by the audience?
We won't be able to name them all, but I would love to discuss some of them.
- You talk about the technology-centric thinking, and how folks believe security is about technology instead of business assets. Can you explain this one?
- The silver bullet mindset was another that jumped out to me. This is thinking a single solution can 100% solve complex and continuous problems. What ways have you seen this one play out?
- The paradox of blame is one that made me laugh because I have seen this play out a lot. You talk about the CYA mentality, how security warns about issues, they are skipped and then security is blamed. This one really stings because I have seen it happen, and in fact, I feel like we're seeing it play out with some of the CISO liability cases and regulations that are emerging.
- Perhaps one of the most well known anti-patterns is security being the office of no or resisting trends. I feel like we saw this with Cloud, Mobile, SaaS and now AI. Why do we keep repeating these mistakes?
- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?
- We see rapid adoption of AI and security inevitably trying to keep up, where should folks start?
- There are some really interesting intersections when it comes to AI and supply chain, what are some of them?
- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?
- AI BOMs - what are they, how do they differ from SBOMs, and what are some notable efforts underway right now around them?
- First off, for those who don't know you, can you tell us a bit about your background?
- You've been providing a deep dive talk into how to become a CISO. I'm curious, what made you put together the presentation, and how has it been received so far when you've had a chance to deliver it?
- You have broken down what you call "four stages of the journey" that encompasses skills in areas such as Technical, Management, Leadership and Political. This to me comes across as CISOs need to be multidisciplinary professionals with a variety of skillsets. What do you think makes this so important for CISOs to be successful?
- Let's walk through the four stages a bit. You start off with Technical skills. This seems to be the foundation many CISOs start with, coming from roles in areas such as engineering, architecture and so on. What makes this foundation so key?
- How do CISOs maintain a strong technical foundation and depth, as they get further away from the tactical work and more into the leadership and strategic role?
- CISOs of course have to be able to manage the teams they build and/or oversee. What are some of the key management leadership skills you think CISOs must have?
- Leading is a fundamental part of what CISOs do. Whether it is direct reports, or the broader security org. What are some of these leadership skills and how can they have a positive or negative impact?
- Last but not least is the political side of things. CISOs of course operate among other C Suite peers, the board and within complex organizations with competing interests, personalities and incentives. This could arguably be the most important skill to hone in terms of ensuring you're effective in your role, and have a lasting impact on organizational risks. What are your thoughts on the political skills front?
- I'm curious as someone who's been a multiple time CISO and is now advising others on how to obtain the role - where do you see the role of the CISO headed in the future? We see new aspects such as litigation, SEC rules, determining materiality, CISOs needing to speak the language of the business and more - all while needing to manage risks with the ever changing technological landscape, with AI being the latest example. Where is it all headed?
In this episode we sit down with Amir Kessler and Aviram Shmueli of AppSec innovator Jit to dive into the complexities of the modern AppSec landscape and explore the emerging Application Security Posture Management (ASPM) ecosystem.
- First off, for folks not familiar with your backgrounds, can you tell us a bit about both of your backgrounds and how you got to the roles you're in now?
- We're seeing a ton of interest in the topic of ASPM in the AppSec space. What do you think has led to this emerging category and what key problems is it looking to solve?
- I know your team puts a big emphasis on not just the tech but also the DevEx and UX. Why is this so critical to address AppSec risks and securing organizations and their code?
- While there is value in ASPM platforms, many Dev teams and engineers are opinionated about their tools, how important is this flexibility and extensibility in the platform that the Jit team has built?
- A key challenge includes vulnerability overload. Teams drowning in massive vulnerability backlogs and trying to add vulnerability context and focus on the most relevant risks for developers. How does Jit approach this?
- Not all ASPM platforms are the same, but we see many vendors rallying around the category. What do you think makes Jit unique and differentiates what the team has built?
- For those that don't know you, can you tell us a bit about your background and your current role?
- I know you help lead the ATLAS project for MITRE, what exactly is ATLAS and how did it come about?
- The AI threat landscape is evolving quickly, as organizations are rapidly adopting GenAI, LLMs and AI more broadly. We are still fleshing out some fundamental risks, threats and vulnerabilities to consider. Why is it so important to have a way to characterize it all?
- When it comes to AI Security, there is also a lot of hype, buzz and dare I say FUD out there. Why are you so adamant that we take a data-driven and actionable approach?
- I know you recently helped participate in the first big AI security incident focused TTX, including with CISA and other Government and Industry partners, can you speak a bit about the experience and why exercises like this are important for organizations to do when it comes to AI security?
- As someone close to the AI domain, when it comes to security, what are your thoughts on both where we're headed for security of AI, and AI to bolster security?
- For folks wanting to learn more about ATLAS, and the work MITRE is doing around AI security, where should folks get started?
- What are some key open questions and opportunities for the community to help shape the future of AI security and assurance?
https://atlas.mitre.org/ ← Check out MITRE ATLAS!
In this episode we sit down with GenAI and Security Leader Steve Wilson to discuss securing the explosive adoption of GenAI and LLMs. Steve is the leader of the OWASP Top 10 for LLMs and the upcoming book The Developer's Playbook for LLM Security: Building Secure AI Applications.
- First off, for those not familiar with your background, can you tell us a bit about yourself and what brought you to focusing on AI Security as you have currently?
- Many may not be familiar with the OWASP LLM Top 10, can you tell us how the project came about, and some of the value it provides the community?
- I don't want to talk through the list item by item, but I wanted to ask, what are some of the key similarities and key differences when it comes to securing AI systems and applications compared to broader historical AppSec?
- Where do you think organizations should look to get started to try and keep pace with the business's adoption of GenAI and LLMs?
- You've also been working on publishing the Developers Playbook to LLM Security which I've been working my way through an early preview edition of and it is great. What are some of the core topics you cover in the book?
- One hot topic in GenAI and LLM is the two large paths of either closed and open source models, services and platforms. What are some key considerations from your perspective for those adopting one or the other?
- I know software supply chain security is a key part of LLM and GenAI security, why is that, and what should folks keep in mind?
- For those wanting to learn more, where can they find more resources, such as the LLM Top 10, your book, any upcoming talks etc?
In this episode we sit down with the Founder/CEO of Horizon3.ai to discuss disrupting the Pen Testing and Offensive Security ecosystem, and building and scaling a security startup - from a founder's perspective. From HP, to Splunk to JSOC - all leading to founding Horizon3, Snehal brings a unique perspective of business acumen and technical depth and puts on a masterclass around venture, founding and scaling a team and disrupting the industry!
- For those not familiar with your background or Horizon3AI, can you tell us a bit about both?
You are building something special at Horizon3AI and I will dive into that here soon, but you've also been posting some great content about building a security startup, the team, the market dynamics and more, so I wanted to spend a little time chatting about that.
- First off, your company was recently listed by Forbes as one of the top 25 venture backed startups likely to reach a $1 billion valuation. How did that feel and what do you think contributed to your team landing on such a prestigious list?
- Speaking of venture backed, you recently participated in the Innovators and Investors Summit at BlackHat where you and other panelists dove into the topic of what founders should look for in investors and how VCs can stand out in a highly competitive market. As someone who's navigated that journey and is now being listed on lists such as that from Forbes - what are some of your key lessons learned and recommendations for early-stage founders?
- You've stressed the importance of the team over the initial idea and what you've called "pace setters" and "ankle weights" within the team and the importance of both. Can you elaborate on the terms and broader context around building a foundational team to scale the company successfully?
- You also have discussed the 4 advantages iconic companies build over time, what are they and why do they help differentiate you?
- Pivoting a bit, you have a really unique background, blending both the private and public/defense sector. How do you think that's helped shape you and the way you've built your team and company and approach the market?
- Horizon3AI is big on the mantra of "offense informed defense". Why is that critical and why do you think we miss the value in this approach in many spaces in the security ecosystem?
- You all have poked some fun at the way many organizations operate, running vuln scans, doing an annual pen test, and having a false sense of security. How is Horizon3AI disrupting the traditional Pen Testing space and leading to more secure organizational outcomes?
In this episode we sit down with Chloe Messdaghi, Head of Threat Intelligence at HiddenLayer, an AI Security startup focused on securing the quickly evolving AI security landscape. HiddenLayer was the 2023 RSAC Innovation Sandbox Winner and offers a robust platform including AI Security, Detection & Response and Model Scanning.
- For folks not familiar with you or the HiddenLayer team, can you tell us a bit about your background, as well as that of HiddenLayer?
- When you look at the AI landscape, and discussions around securing AI, what is the current state of things as it stands now? I would recommend checking out the "AI Threat Landscape Report" you all recently published.
- Many organizations of course are in their infancy in terms of AI adoption and security. I know the HiddenLayer team has really been advocating concepts such as AI Governance. Can you talk about how organizations can get started on this foundational activity?
- HiddenLayer published a great two part series on an "AI Step-by-Step Guide for CISO's", can you talk about some of those recommendations a bit?
- You all also have been evangelizing practices such as Red Teaming for AI and AI Models. What exactly is AI Red Teaming and why is it so critical to do?
- Another interesting topic is how we're beginning to look to Govern AI, both here in the U.S. with things such as the AI EO, and in the EU with the EU AI Act. What are some key takeaways from those, and what do you think about the differences in approaches we're seeing so far?
- For those not familiar with you and ThreatLocker, can you tell us a bit about yourself and the ThreatLocker team?
- When we look out at the endpoint protection landscape, what do you feel some of the most pressing threats and risks are?
- There of course has been a big push for Zero Trust in the industry being led by CISA, NIST, and industry. How does ThreatLocker approach Zero Trust when it comes to the Endpoint Protection Platform?
- Another thing that caught my eye is the ThreatLocker Allowlisting capability. We know Applications remain one of the top attack vectors per sources such as the DBIR. Can you tell us about the ThreatLocker Allowlisting capability and blocking malicious app activity on endpoints?
- Taking that a step further, you all often speak about your Ringfencing capability that deals with Zero Day vulnerabilities. As we know, traditional vulnerability management tools can't stop Zero Day exploits. How does the ThreatLocker platform handle Zero Day protection?
- I saw you all recently had a webinar focused on CMMC and NIST 800-171, which applies to the Defense Industrial Base. Obviously endpoint threats are a big concern there for the DoD and the DIB. Can you talk about how ThreatLocker is working with that community?
- For folks wanting to learn more about ThreatLocker, where should they go, and what are some things to keep an eye out for?
Find out more about ThreatLocker!
- For folks not familiar with you and your background, can you tell us a bit about that?
- How about Resourcely, how did it come about and what problem did you set out to tackle?
- Why do you think Cloud Misconfigurations are still so pervasive, despite being fairly well into the Cloud adoption lifecycle?
- How have organizations traditionally tried to handle secure configurations, in terms of establishing them, maintaining them, monitoring for drift and so on?
- Where do you think we're headed, I know you all recently had your capability go GA and you discuss concepts such as blueprints, frameworks, paved paths etc.
- You've been talking a lot about the Death of DevSecOps. Let's chat about that, what case are you making with regard to DevSecOps and where the industry is headed?
- First off, for folks not familiar with your background, can you tell us a bit about yourself?
- You made the leap from working for a firm to founding your own talent and recruiting company. Can you tell us about that decision and experience?
- Before we dive into specific topics, what are some of the biggest workforce trends you are seeing in cyber currently? I have seen you talk about the pendulum shift from workers to employers on aspects like remote roles, and so on. What is the current dynamic across the cyber landscape broadly at the moment?
- The cyber workforce is often discussed painfully, with talks of struggles to attract and retain technical talent, but I feel like it isn't just a headcount problem. We also often see absolutely awful PDs and processes that impact organizations' hiring abilities. What are your thoughts here?
- You're often seeking out some of the best talent for leading organizations. What sort of experiences, qualities and characteristics do you find yourself looking for in candidates that make them stand out from the broader workforce?
- Conversely, what are some things you see organizations doing the best that really set them apart from others when it comes to building amazing security teams?
- What can folks be doing to try and best position themselves for their dream role? What are key things to keep in mind and emphasize from an expertise, personal branding, resume and other factors perspectives?
- For folks not familiar with you or the Miggo team, can you tell us a bit about your background?
- How do you define ADR and why do you think we have seen the need for this new category of security tooling to come about?
- Most organizations are struggling with vulnerability overload, with massive vulnerability backlogs and struggles around vulnerability prioritization. Can you share some insights on how you all tackle this problem?
- We're increasingly seeing the AppSec space become more complex, with Cloud, APIs, Microservices, IaC and more. What do you see as some of the most critical trends in the AppSec space currently?
- First off, for those that don't know you or your work, would you mind telling us a bit about your background?
- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?
- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems. Such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at-scale also have more resilient outcomes, this seems to be both a risk and a benefit of software over physical systems?
- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability are inherently at odds, or need to be?
- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers and also they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?
- Some may push back and say it is easy for Google to advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?
- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?
- First off, for folks that don't know you, can you tell us a bit about your current role and background?
- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?
- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?
- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as impacting the ability to get innovative capabilities into the hands of warfighters and mission owners?
- CMMC
- We know your organization is looking to bring innovative commercial technologies into Defense, what are some of the challenges there beyond the ATO aspect?
- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your abilities to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?
- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?
- DevSecOps thoughts
- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?
- What exactly is the GitHub Advisory Database and what is the mission of the team there?
- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD and how it fits into the ecosystem?
- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?
- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?
- You're also involved with the CVE program, can you tell us about that?
- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?
- For those who don't know your background or Nucleus Security, can you start by telling us a bit about both?
- You have experience and a background in the Federal environment, and Nucleus recently achieved their FedRAMP authorization, can you tell us a bit about that process?
- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience and where do you think innovative products and solutions can help?
- Going broader, we have seen a recent uptick in the interest around VulnMgt, and looking to modernize the way we do things. What do you think is driving this recent focus on VulnMgt and what major innovations or disruptions in the space do you see underway?
- What do you feel helps differentiate Nucleus Security from some of the other competitors we see in this space focusing on this problem?
- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities, and repeated classes of vulnerabilities. What's your take on this push and do you see it being effective?
- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?
- Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience?
- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusing on?
- The RAD security team emphasizes their fingerprint capability for Kubernetes workloads. Can you unpack what this is and how it differs from say signature based security tools and so on?
- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and explosive growth of Kubernetes and Containerized workloads?
- You all are big proponents of runtime security, a category that is getting increased attention lately in the security industry. Why do you think runtime is so critical, compared to say some other tools or products that may focus on different aspects of the SDLC or lean into "shifting left" for example?
- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks, can you touch on what some of those are?
- We know Wiz just announced a massive capital raise and there's been talks about M&A plans for Wiz, I know you help with looking at potential products/firms - what are some key things you look at?
- When you acquire a new product and team, how does it look to ensure there is a smooth integration with the Wiz team and platform?
- There's a bit of debate in the industry around "platforms" and best of breed. How do you/Wiz think about this approach and how do you ensure as you add new products to the platform that you remain a leader in the space?
- We've heard a lot of talk about AI and its implications both for improving security, but also needing to be secured, how do you and Wiz think of AI when it comes to cybersecurity and where do you see the most promise?
- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?
- Some may be asking, what's the big deal, it's just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?
- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?
- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?
- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?
- One thing I noticed is the emphasis on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?
- First off, for folks not familiar with your background, can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO?
- What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?
- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?
- Have you had to navigate working on versus in the business, and what has that looked like for you?
- For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?
- I know you're also very passionate about the veteran community in cyber. Why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?
- Can you each tell us a bit about your background, before we dive in?
- For those not in the DoD or familiar with the term, what is a “Software Factory”?
- What is BESPIN?
- What is the current state of mobile security within the DoD?
- Why do you think there's such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years on “edge”, along with the rapid growth of the remote workforce and so on?
- Are there any official mobile app sec requirements?
- Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?
- Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?
- Since there are no official mobile requirements you kind of get a second mover advantage. How can you take lessons learned from the Cloud Computing SRGs and apply that to mobile?
- Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airmen on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.
- First off, for folks that don't know you, can you give them a brief overview of your background/organizations?
- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?
- Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment. How do you see this impacting the vulnerability management ecosystem?
- Josh - Your team has started providing some accompanying resources to try and address the gap. Can you tell us a bit about that?
- Dan - You've spun up an open letter to Congress and have kicked off a bit of a grassroots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?
- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?
- What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?
- It is often now said that identity is the new perimeter. Why do you think that phrase has taken hold and what does it mean to you?
- How much do you think the complicated identity landscape plays a role? For example, most organizations have multiple IdPs, as well as external environments such as SaaS and so on that they have identities and permissions tied to.
- It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain security - why do you think that is?
- You all have published some innovative research around what you dubbed the "SaaS Attack Matrix". Can you tell us a bit about that research and how organizations can use it?
- You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us?
- It's been said that the browser is the new OS, and I have seen you all say if that's the case, Push Security is the new EDR. Can you elaborate on that?
- I recently saw a headline from LinkedIn's own CISO Geoff Belknap that read "Push Security does for identity what Crowdstrike does for Endpoint". That's quite the endorsement and also a catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?
- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry-leading organizations such as Siemens and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry-leading CISO along the way.
- How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?
- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISOs would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director type roles?
- Many CISOs and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar?
- I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?
- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board level and advisory roles? What skillsets and expertise should they be focused on the most?