Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv

A single compromised API key can undo months of hard work. We open with a clear-eyed look at a reported Treasury-related incident tied to a privileged access platform and use it to expose a bigger problem: API governance that lags behind development speed. If an API is a doorway into your environment, why do so many teams leave it unlocked, unlogged, and unmanaged? We share a practical blueprint for centralizing API traffic through gateways, tightening authentication, rotating keys, and getting real visibility into what flows in and out.

From there, we dive into CISSP Domain 1.6 with crisp, exam-style questions that double as leadership lessons. We compare civil and criminal standards of proof, explain where regulatory investigations fit, and show how penalties differ across case types. You'll hear why chain of custody can make or break a criminal data theft case, how direct and circumstantial evidence complement each other, and what lawful collection requires under search and seizure laws. Along the way, we clarify GDPR's reach, the role of the SEC in insider trading probes, and how ECPA, CFAA, and FISMA divide responsibilities across privacy, computer crime, and federal system security.

We also make the case for forensic readiness as a standing control, not a post-breach scramble. Centralized logging, synchronized time, packet capture on critical paths, immutable storage, and clear retention policies give you faster answers and stronger footing with regulators. Inside the organization, administrative investigations live or die by policy clarity, and whistleblower protections keep truth-tellers safe enough to speak.

By the end, you'll have tangible steps to harden APIs, gather admissible evidence, and navigate the maze of legal and regulatory expectations with confidence. If this helped sharpen your thinking, follow the show, share it with a teammate who owns APIs or incident response, and leave a quick review so others can find us. Your feedback guides what we tackle next.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
A tiny payload hidden in a legitimate-looking NuGet package can sit inside an industrial network for years, then trigger cascading failures in minutes. That chilling scenario sets the stage for a hands-on tour of CISSP Domain 1.4, where we show how to turn high-level rules into clear, defensible security controls that protect real systems and pass tough audits. We connect the dots between contracts that demand fast breach notifications, laws with sector-specific obligations, and frameworks that teach you how to structure your program.

We break down the essentials: identify the data in scope, pick a backbone framework (ISO 27001 or NIST CSF), and map each requirement to specific controls and evidence. You'll hear practical mappings for HIPAA, GLBA, COPPA, FERPA, NYDFS, DORA, SOX, FISMA, and PCI DSS, plus how to handle extraterritorial reach under GDPR and data localization that shapes your cloud strategy. We also highlight why contractual terms often outrun statutes and how to build a requirements register so operations knows exactly what to log, how fast to notify, and which controls must exist.

Then we get tactical. Learn how to create a regulatory register, assemble audit-ready proof (policies, procedures, configs, logs, training, attestations), and run incident tabletop exercises that include vendors and clarify when the notification clock starts. For industrial environments with rare patch windows, we offer pragmatic steps: maintain a software bill of materials, verify package sources, enforce code signing where possible, document every change, and compensate with monitoring and segmentation when upgrades are risky.

By the end, you'll have a blueprint to translate compliance into resilience—fast enough for 72-hour breach clocks, strong enough to handle delayed threats, and simple enough to sustain. Subscribe for more CISSP-ready training, share this episode with your security team, and leave a review to help others find the show. What framework are you mapping to today?
Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

In this episode, Justin interviews Thomas Brandt, Chief Risk Officer of the Federal Retirement Thrift Investment Board (FRTIB) and one of the 2024 RIMS ERM Award of Distinction winners. Thomas shares some of his experiences at the IRS, where he won the 2021 RIMS ERM Award of Distinction, and how he moved from the IRS to join the FRTIB. Tom covers how he successfully integrated strategy and ERM at the FRTIB. He tells how the FRTIB moved from a high-level to a medium-level cyber risk posture, with improved Federal Information Security Modernization Act (FISMA) scores. Tom shares how the FRTIB works with a managed services model in a way that's scalable and sustainable. Tom relates his views on risk culture and the portfolio view that a mature ERM program supports. Listen to learn how to nominate your organization's ERM Program for the RIMS ERM Award of Distinction.

Key Takeaways:

[:01] About RIMS and RIMScast.
[:14] RIMScast is a proud nominee of the 20th Annual People's Choice Podcast Awards. We are nominated in the category of Government and Organizations, and we would appreciate your support.
[:26] Help us win that award by visiting PodcastAwards.com and the link in this episode's notes.
[:36] About this episode of RIMScast. We will be joined by Thomas Brandt, Chief Risk Officer of the Federal Retirement Thrift Investment Board and one of the 2024 RIMS ERM Award of Distinction winners.
[1:05] RIMS-CRMP Workshops! The next Virtual RIMS-CRMP exam prep, co-hosted by Parima, will be held on September 2nd and 3rd.
[1:17] The next RIMS-CRMP-FED virtual workshop will be held on November 11th and 12th, and led by Joseph Mayo. Links to these courses can be found on the Certification Page of RIMS.org and through this episode's show notes.
[1:34] RIMS Virtual Workshops!
On August 5th, we have a day-long course about “Emerging Risks.”
[1:42] RIMS has launched a new course, “Intro to ERM for Senior Leaders.” This is a two-day course. The first two-day course will be held on August 12th and 13th and will be led by former RIMS President, Chris Mandel.
[1:56] The course will be held again on November 4th and 5th and will be led by Elise Farnham. RIMS members enjoy deep discounts!
[2:05] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode's notes.
[2:17] Mark your calendars for November 17th and 18th for the RIMS ERM Conference 2025 in Seattle, Washington. The agenda is jam-packed with educational sessions that will resonate with risk practitioners at all stages of their careers.
[2:38] See the full agenda at RIMS.org/ERM2025. Nominations are open for the RIMS Global ERM Award of Distinction 2025. The nomination deadline is Saturday, August 16th. The award is presented annually at the RIMS ERM Conference. There is a link in this episode's show notes.
[3:05] If your organization's ERM program or one you know of deserves this recognition, we want to hear about it. Remember to send in that nomination form by August 16th.
[3:16] RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through May 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when registering by September 30th.
[3:31] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by September 30th, and you will also be entered to win a $500 raffle. Don't miss out on this chance to plan and score some extra perks.
[3:44] The members-only registration link is in this episode's show notes. If you are not yet a member, this is the time to join us. Visit RIMS.org/membership and build your risk network with us here at RIMS.
[3:58] On with the show!
Our guest today is one of the winners of the 2024 RIMS ERM Award of Distinction. He is also the Chief Risk Officer for the Federal Retirement Thrift Investment Board (FRTIB).
[4:15] Tom Brandt is here to discuss ERM and how it has been a guiding light throughout his risk career, which includes several years at the IRS. He recently participated in the RIMS ERM Q&A Series, and we're going to extend the dialogue beyond those digital pages, so let's get to it.
[4:35] Interview! Tom Brandt, welcome to RIMScast!
[4:42] At long last, Tom Brandt is here on RIMScast! Tom is one of the members of the Strategic and Enterprise Risk Management Council and one of the recipients of the 2024 ERM Award of Distinction. There's so much to discuss when it comes to ERM! Tom loves ERM.
[5:18] Tom was also a 2021 ERM Award of Distinction recipient for his work at the IRS, where he worked for about 27 years, for the last eight of which he was their Chief Risk Officer. There, he got into the whole ERM space.
[5:38] Then, in late 2021, an opportunity opened at the Federal Retirement Thrift Investment Board (FRTIB), and Tom took on the role of Chief Risk Officer. He enjoys the opportunity to work in a small organization with a different focus.
[5:55] The FRTIB is sort of the 401(k) for federal employees and uniformed services. They have a singular mission around that plan.
[6:13] Tom was brought into the FRTIB to integrate strategy and ERM. He stresses the importance of linking risk and strategy. When Tom started, the offices of Enterprise Planning and Enterprise Risk had just been brought together.
[6:51] They were looking for the first Director of Planning and Risk/CRO. Tom applied and was selected for the role. Even though it's a small agency of 250, those functions had been siloed.
[7:07] Tom's first area of focus was getting the staff to know each other and learn more about what each process entailed, and then working with the team to look at how to bring these processes together.
[7:23] Tom says, when we're identifying risks and needing to mitigate risks, the next question is, where do we get the resources? When the process is not integrated into your planning and budgeting process, that becomes very challenging.
[7:36] As we go through our annual planning process, we work with our business offices, and if they're risk owners, we talk about what risks they are managing or mitigating, and if there are related initiatives or resources needed.
[7:51] That information gets captured in the annual plan and becomes an input to the budget process. We're not only raising the risks and talking about them, but also identifying initiatives and getting funding, support, and resources to manage and mitigate those risks.
[8:16] Tom's risk group has seven or eight people. They also do internal controls, policies, and procedures. They are the agency's anti-fraud group. They do brand monitoring and run the third-party risk monitoring program. They do work beyond the enterprise risk component.
[8:51] The FRTIB moved from a high-level to a medium-level cyber risk posture, which improved Federal Information Security Modernization Act (FISMA) scores. FISMA is an annual cybersecurity audit of federal organizations.
[9:27] Years ago, the FRTIB was scoring in the 1s and 2s on most domains in this audit, out of a possible score of 5. That coincided with cybersecurity being one of the FRTIB's high risks. They needed to put in place better governance and protections.
[9:53] Because cybersecurity had been one of the FRTIB's high risks, they require any of their enterprise risks that are medium high or higher to have a risk treatment plan. They work with their CISO and the cyber team to develop risk treatment plans each year.
[10:08] The risk treatment plans identify resource needs and specific areas of focus. They use the FISMA domains, questions, and assessment criteria to keep in mind where they need to shore things up.
[10:20] Justin clarifies that FISMA, the Federal Information Security Modernization Act, is a U.S. Federal law that requires federal agencies to develop, document, and implement information security programs to protect government information.
[10:36] Tom remarks that as a result of great work done by the CISO and the cyber team, the FRTIB scored a 5 in each domain on their 2024 FISMA audit. That moved the cybersecurity risk score down. It's still at a medium level because the threat landscape continues to evolve.
[10:56] Threat actors are always out there, trying to stay one step ahead of you, so you have to stay on your game to get ahead of them.
[11:15] The cyber threat is so significant that collectively, we all need to be working as hard as we can to maintain our defenses. Tom says the CISO community is working together to integrate the latest technology and developments and understand where the threat is.
[11:49] The CISO community is staying on top of what's happening in the AI space to be able to share good practices across agencies and ensure that our posture government-wide is as strong as possible in detecting and preventing the cyber threat.
[12:06] One of the strategic goals for FRTIB is the managed services model. Tom speaks about assessing and monitoring third-party and vendor risks in a way that's scalable and sustainable.
[12:18] When Tom moved into his position, in December 2021, the agency was about six months away from implementing that managed services model for their record-keeping service. Record keeping is a huge part of the FRTIB's work. They have almost 7.5 million participants.
[12:36] Managing participant transactions and keeping their information is a core responsibility for the agency. They were moving to a managed service model.
[12:48] When you shift to that type of model, you don't give up accountability and responsibility for the program. You work with a provider.
The Agency needed to look at what its mechanism for oversight was, to manage and understand third-party risk.
[13:06] The Agency had some capabilities in place for vendor monitoring and supply chain risk management. Tom's area of focus was to build up the third-party risk management program.
[13:18] Tom did a maturity assessment to compare what they were doing to good practices and look for opportunities to enhance their capabilities. He brought in some services from external providers to help with access to data about the performance of third-party services.
[13:42] Quarterly, Tom reports to the FRTIB board on their top vendors, their overall operations, whether there are any risks he has concerns about, and if so, what is being done to address those risks. That has helped to put in place a strong third-party risk management program.
[14:03] When Tom joined the FRTIB, his predecessor had already built a strong, mature ERM program. There was a repeatable process in place with a risk register and a risk profile.
[14:22] The opportunity was in integrating risk with planning and looking at how to enhance the program and bring it to the next level of maturity and build out that third-party risk management monitoring capability.
[14:42] RIMS Events! The very first RIMS Texas Regional Conference will be held from August 4th through August 6th in San Antonio at the Henry B. González Convention Center. Public registration is open. The full conference agenda is live, so you can start planning.
[15:00] Don't miss the post-conference workshop, the RIMS-CRMP Exam Prep course available on-site. This event is open to any RIMS chapter member.
[15:10] If you are local to the area, you might consider becoming a RIMS member today so you can get all the benefits and begin networking with your new RIMS Texas peers. Visit RIMS.org/TexasRegional.
[15:22] Just a month later, we will be up North for the RIMS Canada Conference 2025, which will be held from September 14th through the 17th in Calgary. Registration is open. Visit RIMSCanadaConference.ca and lock in those favorable rates. We look forward to seeing you!
[15:41] On September 18th, the 10th Annual Chicagoland Risk Forum will be held at The Old Post Office in Chicago. Register at ChicagoRIMS.org.
[15:52] Also on September 18th, the Spencer Educational Foundation will host the 2025 Funding Their Future Gala at the Cipriani 42nd Street. Visit SpencerEd.org.
[16:03] On October 1st through the 3rd, the RIMS Western Regional Conference will be held in North San Jose at the Santa Clara Marriott. The agenda is live. It looks fantastic! Visit RIMSWesternRegional.com and register today!
[16:20] Let's Return to My Interview with RIMS 2024 ERM Award of Distinction Winner, Tom Brandt!
[16:37] Shortly after Tom won the 2021 ERM Award of Distinction, along with Melissa Reynard, for his work with the IRS, he left to go to the FRTIB. Tom talks about the switch.
[16:57] Tom had a great career with the IRS. He had a range of different roles and responsibilities. For his last eight years with the IRS, he was the CRO.
[17:23] Tom was ready to make a change. He learned about the opportunity at FRTIB to help them bring risk and strategy programs into one department. He was happy to be selected and see the value of having risk and strategy come together.
[18:12] Tom was the second CRO at the IRS. In 2013, the IRS had a crisis, so they brought in a CRO from the GAO for about a year. Tom had been doing risk work in one of the business units of the IRS. He was chosen for the CRO position in 2014.
[18:50] The IRS crisis in 2013 related to concerns about how the agency had been handling applications for tax-exempt status. It led to Congressional hearings and IRS leadership changes.
[19:04] Before going to the FRTIB, Tom was contacted by a recruiter.
Someone in the risk community knew of the position and suggested Tom for it. He's thankful he was contacted because it has turned out to be an excellent opportunity.
[19:35] Through RIMS, Tom connects with public and private sector colleagues. He sees a lot of similarities. The public sector has been practicing ERM for just under a decade.
[20:16] The most essential ingredient in ERM is leadership support. Tom has support at FRTIB from leadership and the Board. Without leadership support, ERM is a compliance exercise. If ERM is truly leveraged, it can add a lot of value.
[20:42] Tom thinks we're seeing too many instances where organizations have not had robust risk programs and have had risk events that could have been prevented or had the impact lessened, had they had a risk program.
[21:02] Tom thinks the challenge in the public sector is that there isn't much room for government error. Anything that doesn't go according to plan tends to get attention.
[21:22] That oversight creates an environment that tends to be more risk-averse. That's not the way we want to run our risk program, because we want to take advantage of the opportunity that risk presents, but it's a factor of the environment we operate in.
[21:44] Part of what led to the establishment of the IRS ERM program was the 2013 crisis and an after-event assessment of what went wrong. Bad news didn't make it to the top quickly enough. Information that leadership should have been made aware of didn't get there in time.
[22:05] As a result, issues and problems were allowed to fester and go out of control. In the IRS, people took a lot of pride in fixing and solving their problems. Sometimes you don't have a lot of time to fix an issue before it goes sideways.
[22:41] A real benefit from sharing information is that often you can find other parts of the organization that can help because they've experienced a similar type of issue. They might have additional resources.
Ignoring or hiding the problem doesn't make it go away.
[23:01] The key value of ERM is creating a culture where people are willing to speak up, information gets escalated quickly, and you're able to bring the right people and resources together to work collectively to manage and mitigate those risks.
[23:15] At FRTIB, Tom focuses on creating an environment where people feel comfortable speaking about risk, where it's part of the regular way they operate.
[23:32] Since starting in risk many years ago and working with his teams, Tom's approach has been doing risk with offices and not doing risk to offices. He wanted to meet them where they were, understand where they needed help, and nudge them, rather than drag them, along.
[24:00] Tom says take time to understand the organization, the unique needs of each office, and work with them to help manage and mitigate a risk, versus trying to force something on them.
[24:18] A Quick Plug! If you tuned in to the recent episode featuring James Lam, you will know he is hosting a new six-module workshop for us, the “RIMS-CRO Certificate in Advanced Enterprise Risk Management”.
[24:33] The inaugural summer course is completely sold out! We are filled to the virtual capacity! Don't worry, in the Fall, the bi-weekly course will begin on October 9th. Registration closes on October 2nd. A link is in this episode's notes. Check it out and register today!
[24:52] If you're getting inspired by Tom Brandt and his ERM Award of Distinction win, remember that nominations are now open for the ERM Award of Distinction 2025. Be sure to listen closely for the tips that he offers about what makes a strong nomination!
[25:10] The link to the nomination form is in this episode's show notes. Good luck!
[25:13] Let's Return to the Conclusion of My Interview with Tom Brandt!
[25:18] Before becoming the CRO at the IRS, Tom was the Director of Planning and Research for the Large Business and International Division with responsibility for case selection, determining risk on corporate and international tax returns, and which ones should be selected for audit.
[25:52] This was a compliance risk experience. That provided the stepping stone to take on a more strategic, operational view of risk within the division. When the broader CRO opportunity became available at the IRS, he was considered and ultimately selected for that position.
[26:14] Tom's view of risk has evolved. Within a business unit, he focused on the day-to-day operational and compliance risk. He didn't take a view of the whole organization or what choices he made for his unit might create risk for another part of the organization.
[26:51] It's a real value for ERM to have a portfolio view of the most critical risks across the organization, and understanding how actions to address risks in one area could create or exacerbate a risk somewhere else.
[27:08] Tom tells of reputational risk. Sometimes decisions don't factor in how they will be perceived. Tom helped people at the IRS understand reputational risk and the stakeholders they may need to engage to help them understand why particular decisions are made.
[28:22] Tom shares advice for nominating an ERM Program for the ERM Award of Distinction. What are the results? What are the outcomes that the program accomplished that you can talk about? How did ERM help the organization? What value did it bring?
[29:07] Take an example of something you can share, and explain how ERM was able to surface the risk and bring the right people together to help with that risk and help the organization.
[29:24] It's critical to have letters of recommendation. At the IRS, Tom had two Deputy Commissioners write letters about what they saw as the value that ERM brought to the agency.
[29:42] At FRTIB, Tom had letters from the Executive Director and a member of its Board, who had served for over a decade and had historical knowledge of how ERM had helped the Agency.
[30:04] Tom notes that the process of going through the application is a great learning opportunity to reflect on accomplishments as well as areas of remaining opportunity.
[30:17] If you are fortunate enough to be selected to receive recognition, it's a great way to recognize the team. Tom used the Awards to recognize his teams at the IRS and at FRTIB, who are the ones who make all of this possible. The recognition turns out to be great kudos for them.
[30:41] You can learn more about Tom's achievements through the links on this episode's show notes, which feature his recent ERM Q&A from 2025. I've also included one with his former coworker from the IRS, Melissa Reynard, from 2022.
[30:58] This should give you a great sense of not just the great work that Tom has done but also what it takes to have your nomination seen and heard and get the recognition that you deserve.
[31:13] Tom, it's been great getting to know you these past few years, and I look forward to seeing you in Seattle. Thank you for joining us here on RIMScast!
[31:32] Special thanks again to Tom Brandt for joining us here on RIMScast. Be sure to check out the links in this episode's show notes for recent ERM Q&A interviews about his work with the FRTIB.
[31:46] Tom is a recipient of the RIMS ERM Award of Distinction. The Call for Nominations is open through August 16th. Check this episode's show notes for the link and details.
[32:00] The Awards will be presented at the RIMS ERM Conference 2025, November 17th and 18th in Seattle. A link to that event is also on this page.
[32:08] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes.
[32:36] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information.
[32:54] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.
[33:12] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.
[33:29] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.
[33:43] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.
[33:50] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Links:

20th Annual People's Choice Podcast Awards! Vote for RIMScast (Gov't & Organizations)
To vote for RIMScast, please sign up with your email, then select RIMScast on the pulldown under Government and Organizations. Thank you!
RIMS ERM Conference 2025 — Nov. 17‒18 | RIMS Global ERM Award of Distinction 2025 Nominations Open Through Aug. 16
“Embedding ERM Into One of the World's Largest Retirement Programs.” — RIMS Interview with Tom Brandt (2025)
RIMS Texas Regional 2025 — August 3‒5 | Registration open.
RIMS-CRMP In-Person Workshop in Texas Aug. 6 & 7
RIMS Canada 2025 — Sept. 14‒17 | Registration open!
10th Annual Chicagoland Risk Forum — Sept. 18 | Registration open!
RIMS Western Regional — Oct 1‒3 | Bay Area, California | Registration open!
RISKWORLD 2026 — Members-only early registration! Register through Sept 30!
RIMS-Certified Risk Management Professional (RIMS-CRMP)
The Strategic and Enterprise Risk Center
Spencer Educational Foundation 2025 Funding Their Future Gala — Sept. 18, 2025, in NYC!
RIMS ERM Conference 2025 — Nov 17‒18 in Seattle! [Save the Date!]
RIMS-CRO Certificate in Advanced Enterprise Risk Management — Featuring Instructor James Lam! Summer course sold out! | Next bi-weekly course begins Oct 9.
RIMS Diversity Equity Inclusion Council
RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026
RIMS Risk Management magazine | Contribute
RIMS Now
RIMS Webinars: RIMS.org/Webinars

Upcoming RIMS-CRMP Prep Virtual Workshops:

RIMS-CRMP Exam Prep Virtual Workshop — Sept 2‒3, 2025 | Presented by RIMS and PARIMA
RIMS-CRMP-FED Exam Prep Virtual Workshop — November 11‒12
Full RIMS-CRMP Prep Course Schedule
“Emerging Risks” | Aug 5 | Instructor: Joe Mayo
“Intro to ERM for Senior Leaders” | Aug. 12‒13 | Instructor: Chris Mandel
“Intro to ERM for Senior Leaders” | Nov. 4‒5 | Instructor: Elise Farnham
See the full calendar of RIMS Virtual Workshops
RIMS-CRMP Prep Workshops

Related RIMScast Episodes:

“Risk and Clarity with Huw Edwards, RIMS Texas Keynote”
“James Lam on ERM, Strategy, and the Modern CRO”
“ERM, Retail, and Risk with Jeff Strege”
“Bigger Risks with the Texas State Office of Risk Management” | Sponsored By Hillwood
“ERMotivation with Carrie Frandsen, RIMS-CRMP”
“Live from the ERM Conference 2024 in Boston!”
“Risk Quantification Through Value-Based Frameworks”

Sponsored RIMScast Episodes:

“The New Reality of Risk Engineering: From Code Compliance to Resilience” | Sponsored by AXA XL (New!)
“Change Management: AI's Role in Loss Control and Property Insurance” | Sponsored by Global Risk Consultants, a TÜV SÜD Company
“Demystifying Multinational Fronting Insurance Programs” | Sponsored by Zurich
“Understanding Third-Party Litigation Funding” | Sponsored by Zurich
“What Risk Managers Can Learn From School Shootings” | Sponsored by Merrill Herzog
“Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor
“Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL
“How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog
“Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant
“RMIS Innovation with Archer” | Sponsored by Archer
“Navigating Commercial Property Risks with Captives” | Sponsored by Zurich
“Breaking Down Silos: AXA XL's New Approach to Casualty Insurance” | Sponsored by AXA XL
“Weathering Today's Property Claims Management Challenges” | Sponsored by AXA XL
“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company
“Partnering Against Cyberrisk” | Sponsored by AXA XL
“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh
“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos
“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL
“Elevating RMIS — The Archer Way” | Sponsored by Archer

RIMS Publications, Content, and Links:

RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RISK PAC | RIMS Advocacy
RIMS Strategic & Enterprise Risk Center
RIMS-CRMP Stories — Featuring RIMS President Kristen Peed!
RIMS Events, Education, and Services:

RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: Thomas Brandt, Chief Risk Officer at the Federal Retirement Thrift Investment Board

Production and engineering provided by Podfly.
In this episode of the *Sustainable Supply Chain* podcast, I sit down with Karl McDermott, Chief SaaS Officer at DeltaTrak, to dive deep into the complex world of cold chain logistics and explore how data is transforming this critical industry. With 35 years under their belt, DeltaTrak has moved from paper-based temperature monitoring to real-time data, unlocking insights that are reshaping how fresh and frozen goods travel across the globe. Karl unpacks the evolution of temperature tracking tech – from USB loggers to advanced real-time monitoring. These innovations enable better control over temperature-sensitive products, reduce waste, and improve food quality. We also discuss the impact of climate change on the cold chain and how rising global temperatures place added pressure on logistics.

An intriguing point Karl brings up is the industry's shift from traditional temperature standards (like -18°C) to more energy-efficient options, as well as the integration of real-time data to predict shelf life, calculate carbon emissions, and enable new insurance and financing models. Plus, with regulations like FISMA 204 in the US and sustainability demands in the EU, there's no doubt compliance is driving change, but DeltaTrak is turning that compliance into competitive advantage.

If you're interested in the intersection of technology, sustainability, and supply chain management, this episode is packed with insights. Join us as we unpack the future of cold chain with a seasoned industry leader.

Elevate your brand with the ‘Sustainable Supply Chain' podcast, the voice of supply chain sustainability. Last year, this podcast's episodes were downloaded over 113,000 times by senior supply chain executives around the world. Become a sponsor. Lead the conversation. Contact me for sponsorship opportunities and turn downloads into dialogues. Act today. Influence the future.

Rumi.ai: All-in-one meeting tool with real-time transcription & searchable Meeting Memory™

Podcast supporters: I'd like to sincerely thank this podcast's generous supporters: Lorcan Sheehan, Olivier Brusle, Alicia Farag, Kieran Ognev. And remember you too can Support the Podcast - it is really easy and hugely important as it will enable me to continue to create more excellent episodes like this one.

Podcast Sponsorship Opportunities: If you/your organisation is interested in sponsoring this podcast - I have several options available. Let's talk!

Finally, if you have any comments/suggestions or questions for the podcast - feel free to just send me a direct message on LinkedIn, or send me a text message using this link. If you liked this show, please don't forget to rate and/or review it. It makes a big difference to help new people discover it. Thanks for listening.
In October 2024, the final CMMC rule was published in the CFR and will be in effect 60 days from the published date. After many comments received, this final rule is making all contractors ask a lot of questions. We already knew the three levels of CMMC, NIST Standards, FISMA and FedRAMP compliance, but the question is how will CMMC roll out and what is the cost of compliance? Listen to what the rule says and what the challenges can be for you and your business as a prime, as a sub, or just as a supplier within the supply chain of the Defense Industrial Base (DIB).
As supply chains become increasingly complex and stringent regulations like DSCSA and FISMA become more prevalent, understanding how to leverage EPCIS (Electronic Product Code Information Services) for granular visibility and efficient data management is more crucial than ever. In this episode, hosts Reid Jackson and Liz Sertl are joined by Matt Andrews, Global Standards Director at GS1 US. Matt unpacks the fundamentals and applications of EPCIS, from its role in modeling supply chain processes to its transformative impact across industries like healthcare, food, retail, and logistics. EPCIS can help your organization achieve unparalleled supply chain visibility, improve compliance, and drive competitive advantage.

In this episode, you'll learn:
The intricacies of EPCIS (Electronic Product Code Information Services) and its universal application across industries for enhanced supply chain visibility, compliance, and efficiency.
How EPCIS can revolutionize inventory management with real-time data accuracy, from monitoring cycle counts to tracking product movement from back of house to point of sale.
How industries such as healthcare and food service leverage EPCIS to comply with regulations like DSCSA and FISMA 204, ensuring traceability down to the unique item level.

Jump into the Conversation:
(00:00) Introducing Next Level Supply Chain
(06:25) Benefits that organizations are seeing by leveraging EPCIS
(08:00) Full granular visibility, item-level tracking, inventory management
(13:54) How EPCIS can log events from manufacturing to sales
(17:03) Enhanced supply chain visibility through real-time EPCIS data
(18:28) Accessing claims compliance through advanced visibility

Connect with GS1 US: Our website - www.gs1us.org; GS1 US on LinkedIn
Connect with the guests: Matt Andrews on LinkedIn
SPS Commerce's Nick Schwalbach and Brandon Pierre dive deep into the critical importance of item data accuracy for retailers and brands in today's fast-paced, omnichannel landscape. Discover how gaps in item information can lead to supply chain inefficiencies, missed sales opportunities, and poor customer experiences. Schwalbach and Pierre discuss the challenges retailers face when relying on manual processes and disparate systems like Excel and EDI for managing item data. They emphasize the need for effective vendor collaboration and the adoption of standardized data pools such as GDSN and GS1 to streamline data exchange and ensure consistency across channels. Learn how retailers can tackle specific business problems, such as optimizing freight and reducing dimensional weight charges, by focusing on critical item attributes. The duo also shares best practices for seamless new item setup and the importance of aligning e-commerce and in-store experiences through accurate and complete item data. As consumer demands evolve and government regulations like ESG, FISMA, and traceability requirements come into play, having a solid foundation of item data becomes increasingly crucial. Schwalbach and Pierre offer actionable advice for retailers and brands looking to embark on their item data accuracy journey and position themselves for success in the ever-changing retail landscape.
For a limited time only, the FISMA Compliance book is being offered at a discount: https://a.co/d/06493yI http://convocourses.net
Ugo Bassi, Director of Financial Markets at FISMA, European Commission, sat down with FIA President and CEO Walt Lukken at our Asia Derivatives Conference in November to discuss the progress of the EU's Capital Markets Union, including digital assets regulation, third-country CCP recognition and equivalence, and other key work that could have an impact on the Asia-Pacific region.
(12/5/23) - On today's Federal Newscast: CENTCOM's got a new chief data officer. A month after the decision was announced, Virginia lawmakers are still fighting to be the site of the new FBI headquarters. And the Internet of Things looms large in OMB's 2024 FISMA guidance.
**DISCLAIMER: All of our opinions are our own. They do not represent, nor are they affiliated with the interests and beliefs of the companies we work for.**

In this episode, The Cyber Queens are joined by Christa Weik who is a Certified Information Privacy Professional (CIPP), GRC and Cybersecurity Policy and Program Manager. Christa's educational background is in cyber so she did attend a bootcamp before entering the field. She can build, scale, and maintain the GRC and Privacy considerations of any cybersecurity strategy for any sized enterprise and security organization. She also has knowledge of the following regulatory laws, audits, and frameworks: ISO, PCI-DSS, FISMA, HIPAA, GDPR, SOX, SOC2.

Key Topics:
Christa Weik's Story & How She Became The Cyber Queens First Mentee
What is GRC?
GRC & Privacy Specialist Overview
What Does A Career In GRC & Privacy Look Like?
How Can Someone Get Into GRC & Privacy?
Road To The Cyber Queens Mentorship
What Do You Hope To Get Out Of This?
What Does The Future Look Like?

Sources:
What is GRC? https://tinyurl.com/2p8vjktt
What is a GRC Analyst? https://tinyurl.com/meh9xu5p
What is a Data Privacy Analyst? https://tinyurl.com/ymajpu8x
What is GDPR? https://tinyurl.com/yme88xek
What is CISO? https://tinyurl.com/2pewzrmw
What is Data Privacy? https://tinyurl.com/34rh4mvv
Forcepoint: https://www.forcepoint.com/
Google: https://www.google.com/
Trello: https://trello.com/
What is Jira? https://www.atlassian.com/software/jira
ServiceNow: https://www.servicenow.com/
SentinelOne: https://www.sentinelone.com/
SentinelOne SKO: https://tinyurl.com/bd9cdn5f
WICyS: https://www.wicys.org/
What is SEO? https://en.wikipedia.org/wiki/Security_engineering
Audience 1st Podcast: https://www.audience1st.fm/podcast/episodes
WTF Did I Just Read Podcast: https://wtfdidijustread.com/
CISO Distillery: https://tinyurl.com/5xm8bf9d

Get in Touch:
Maril Vernon - @SheWhoHacks
Erika Eakins - @ErikaEakins
Amber DeVilbiss - @EngineerAmber
Queens Twitter - @TheCyberQueens
Queens LinkedIn

Calls to Action: Subscribe to our newsletter for exclusive insight and new episodes! If you love us- share us!
The growth of the modern workforce and the migration to remote work have resulted in a continuous rise in cybercrime, data breaches, data theft, and ransomware attacks. As a result, many experts today believe that a zero-trust cybersecurity model is the best strategy for preventing such threats. Implementing a zero-trust cybersecurity model gives enterprises visibility into their data, applications, and the activity around them, making it simpler to notice suspicious activity. Zero trust applies stringent identity verification to every person and device that tries to access an enterprise's resources on a network, in contrast to traditional network security approaches that concentrate on keeping attackers and cybersecurity risk outside the network perimeter.

What is a Zero-Trust Cybersecurity Model? A zero-trust cybersecurity model is a comprehensive approach to business network security that combines various techniques and principles to safeguard businesses from advanced attacks and data breaches. This approach ensures that any user or device, whether inside or outside an organization's network, must be authenticated, authorized, and continually validated before accessing its applications and data. Furthermore, this approach integrates analytics, filtering, and logging to verify behavior and continuously look for signs of compromise. This approach also aids in compliance with important data privacy and security legislation, such as GDPR, HIPAA, FISMA, and CCPA.
Cybersecurity is everyone's responsibility, which means that Capitol Hill is taking a hard look at the role legislation can play in our collective defense. This bipartisan congressional panel will discuss what congressional action is needed to ensure a resilient, secure Federal government – from FedRAMP to FISMA, to other critical cyber considerations. It will also review cyber measures passed in the recent National Defense Authorization Act, such as the reauthorization of the National Computer Forensics Institute.

Featured Speakers:
Nichole Francis Reynolds, Vice President and Global Head of Government Relations, ServiceNow
Rep. Mark Green, R-TN 7th District House of Representatives

See video recording here: link to YouTube
Pablo Molina, associate vice president of information technology and chief information security officer at Drexel University and adjunct professor at Georgetown University, leads the conversation on the implications of artificial intelligence in higher education.

FASKIANOS: Welcome to CFR's Higher Education Webinar. I'm Irina Faskianos, vice president of the National Program and Outreach here at CFR. Thank you for joining us. Today's discussion is on the record, and the video and transcript will be available on our website, CFR.org/Academic, if you would like to share it with your colleagues. As always, CFR takes no institutional positions on matters of policy. We are delighted to have Pablo Molina with us to discuss implications of artificial intelligence in higher education. Dr. Molina is chief information security officer and associate vice president at Drexel University. He is also an adjunct professor at Georgetown University. Dr. Molina is the founder and executive director of the International Applied Ethics in Technology Association, which aims to raise awareness on ethical issues in technology. He regularly comments on stories about privacy, the ethics of tech companies, and laws related to technology and information management. And he's received numerous awards relating to technology and serves on the board of the Electronic Privacy Information Center and the Center for AI and Digital Policy. So Dr. P, welcome. Thank you very much for being with us today. Obviously, AI is on the top of everyone's mind, with ChatGPT coming out and being in the news, and so many other stories about what AI is going to—how it's going to change the world. So I thought you could focus in specifically on how artificial intelligence will change and is influencing higher education, and what you're seeing, the trends in your community.

MOLINA: Irina, thank you very much for the opportunity, to the Council on Foreign Relations, to be here and express my views.
Thank you, everybody, for taking time out of your busy schedules to listen to this. And hopefully, I'll have the opportunity to learn much from your questions and answer some of them to the best of my ability. Well, since I'm a professor too, I like to start by giving you homework. And the homework is this: I do not know how much people know about artificial intelligence. In my opinion, anybody who has ever used ChatGPT considers herself or himself an expert. To some extent, you are, because you have used one of the first publicly available artificial intelligence tools out there and you know more than those who haven't. So if you have used ChatGPT, or Google Bard, or other services, you already have a leg up to understand at least one aspect of artificial intelligence, known as generative artificial intelligence. Now, if you want to learn more about this, there's a big textbook about this big. I'm not endorsing it. All I'm saying, for those people who are very curious, there are two great academics, Russell and Norvig. They're in their fourth edition of a wonderful book that covers every aspect of—technical aspect of artificial intelligence, called Artificial Intelligence: A Modern Approach. And if you're really interested in how artificial intelligence can impact higher education, I recommend a report by the U.S. Department of Education that was released earlier this year in Washington, DC from the Office of Education Technology. It's called Artificial Intelligence and Future of Teaching and Learning: Insights and Recommendations. So if you do all these things and you read all these things, you will hopefully transition from being whatever expert you were before—to a pandemic and Ukrainian war expert—to an artificial intelligence expert. So how do I think that all these wonderful things are going to affect artificial intelligence? 
Well, as human beings, we tend to overestimate the impact of technology in the short run and really underestimate the impact of technology in the long run. And I believe this is also the case with artificial intelligence. We're in a moment where there's a lot of hype about artificial intelligence. It will solve every problem under the sky. But it will also create the most catastrophic future and dystopia that we can imagine. And possibly neither one of these two are true, particularly if we regulate and use these technologies and develop them following some standard guidelines that we have followed in the past, for better or worse. So how is artificial intelligence affecting higher education? Well, number one, there is a great lack of regulation and legislation. So if you know, for example around this, OpenAI released ChatGPT. People started trying it. And all of a sudden there were people like here, where I'm speaking to you from, in Italy. I'm in Rome on vacation right now. And Italian data protection agency said: Listen, we're concerned about the privacy of this tool for citizens of Italy. So the company agreed to establish some rules, some guidelines and guardrails on the tool. And then it reopened to the Italian public, after being closed for a while. The same thing happened with the Canadian data protection authorities. In the United States, well, not much has happened, except that one of the organizations on which board I serve, the Center for Artificial Intelligence and Digital Policy, earlier this year in March of 2023 filed a sixty-four-page complaint with the Federal Trade Commission. Which is basically we're asking the Federal Trade Commission: You do have the authority to investigate how these tools can affect the U.S. consumers. Please do so, because this is your purview, and this is your responsibility. And we're still waiting on the agency to declare what the next steps are going to be. 
If you look at other bodies of legislation or regulation on artificial intelligence that can help us guide artificial intelligence, well, you can certainly pay attention to the U.S. Congress. And what is the U.S. Congress doing? Yeah, pretty much that, not much, to be honest. They listen to Sam Altman, the founder of ChatGPT, who recently testified before Congress, urging Congress to regulate artificial intelligence. Which is quite clever on his part. So it was on May 17 that he testified that we could be facing catastrophic damage ahead if artificial intelligence technology is not regulated in time. He also sounded the alarm about counterfeit humans, meaning that these machines could replace what we think a person is, at least virtually. And also warned about the end of factual evidence, because with artificial intelligence anything can be fabricated. Not only that, but he pointed out that artificial intelligence could start wars and destroy democracy. Certainly very, very grim predictions. And before this, many of the companies were self-regulating for artificial intelligence. If you look at Google, Microsoft, Facebook now Meta. All of them have their own artificial intelligence self-guiding principles. Most of them were very aspirational. Those could help us in higher education because, at the very least, it can help us create our own policies and guidelines for our community members—faculty, staff, students, researchers, administrators, partners, vendors, alumni—anybody who happens to interact with our institutions of higher learning. Now, what else is happening out there? Well, we have tons, tons of laws that have to do with the technology and regulations. Things like the Gramm-Leach-Bliley Act, or the Securities and Exchange Commission, the Sarbanes-Oxley. 
Federal regulations like FISMA, and Cybersecurity Maturity Model Certification, Payment Card Industry, there is the Computer Fraud and Abuse Act, there is the Budapest Convention where cybersecurity insurance providers will tell us what to do and what not to do about technology. We have state laws and many privacy laws. But, to be honest, very few artificial intelligence laws. And it's groundbreaking in Europe that the European parliamentarians have agreed to discuss the Artificial Intelligence Act, which could be the first one really to be passed at this level in the world, after some efforts by China and other countries. And, if adopted, could be a landmark change in the adoption of artificial intelligence. In the United States, even though Congress is not doing much, what the White House is trying to position itself in the realm of artificial intelligence. So there's an executive order in February of 2023—that many of us in higher education read because, once again, we're trying to find inspiration for our own rules and regulations—that tells federal agencies that they have to root out bias in the design and use of new technologies, including artificial intelligence, because they have to protect the public from algorithm discrimination. And we all believe this. In higher education, we believe in being fair and transparent and accountable. I would be surprised if any of us is not concerned about making sure that our technology use, our artificial technology use, does not follow these particular principles as proposed by the Organization for Economic Cooperation and Development, and many other bodies of ethics and expertise. Now, the White House also announced new centers—research and development centers with some new national artificial intelligence research institutes. Many of us will collaborate with those in our research projects. A call for public assessments of existing generative artificial intelligence systems, like ChatGPT.
And also is trying to enact or is enacting policies to ensure that U.S. government—the U.S. government, the executive branch, is leading by example when mitigating artificial intelligence risks and harnessing artificial intelligence opportunities. Because, in spite of all the concerns about this, it's all about the opportunities that we hope to achieve with artificial intelligence. And when we look at how specifically can we benefit from artificial intelligence in higher education, well, certainly we can start with new and modified academic offerings. I would be surprised if most of us will not have degrees—certainly, we already have degrees—graduate degrees on artificial intelligence, and machine learning, and many others. But I would be surprised if we don't even add some bachelor's degrees in this field, or we don't modify significantly some of our existing academic offerings to incorporate artificial intelligence in various specialties, our courses, or components of the courses that we teach our students. We're looking at amazing research opportunities, things that we'll be able to do with artificial intelligence that we couldn't even think about before, that are going to expand our ability to generate new knowledge to contribute to society, with federal funding, with private funding. We're looking at improved knowledge management, something that librarians are always very concerned about, the preservation and distribution of knowledge. The idea would be that artificial intelligence will help us find better the things that we're looking for, the things that we need in order to conduct our academic work. We're certainly looking at new and modified pedagogical approaches, new ways of learning and teaching, including the promise of adaptive learning, something that really can tell students: Hey, you're not getting this particular concept. Why don't you go back and study it in a different way with a different virtual avatar, using simulations or virtual assistance? 
In almost every discipline and academic endeavor. We're looking very concerned, because we're concerned about offering, you know, a good value for the money when it comes to education. So we're hoping to achieve extreme efficiencies, better ways to run admissions, better ways to guide students through their academic careers, better ways to coach them into professional opportunities. And much of this will be possible thanks to artificial intelligence. And also, let's not forget this, but we still have many underserved students, and they're underserved because they either cannot afford education or maybe they have physical or cognitive disabilities. And artificial intelligence can really help us reach those students and offer them new opportunities to advance their education and fulfill their academic and professional goals. And I think this is a good introduction. And I'd love to talk about all the things that can go wrong. I'd love to talk about all the things that we should be doing so that things don't go as wrong as predicted. But I think this is a good way to set the stage for the discussion.

FASKIANOS: Fantastic. Thank you so much. So we're going to go to all of you now for your questions and comments, share best practices. (Gives queuing instructions.) All right. So I'm going first to Gabriel Doncel, who has a written question, adjunct faculty at the University of Delaware: How do we incentivize students to approach generative AI tools like ChatGPT for text in ways that emphasize critical thinking and analysis?

MOLINA: I always like to start with a difficult question, so I very much thank you, Gabriel Doncel, for that particular question. And, as you know, there are several approaches to adopting tools like ChatGPT on campus by students. One of them is to say: No, over my dead body. If you use ChatGPT, you're cheating. Even if you cite ChatGPT, we can consider you to be cheating.
And not only that, but some institutions have invested in tools that can detect whether or not something was written with ChatGPT or similar tools. There are other faculty members and other academic institutions that are realizing these tools will be available when these students join the workforce. So our job is to help them do the best that they can by using these particular tools, to make sure they avoid some of the mishaps that have already happened. There are a number of lawyers who have used ChatGPT to file legal briefs. And when the judges received those briefs, and read through them, and looked at the citations they realized that some of the citations were completely made up, were not real cases. Hence, the lawyers faced professional disciplinary action because they used the tool without the professional review that is required. So hopefully we're going to educate our students and we're going to set policy and guideline boundaries for them to use these, as well as sometimes the necessary technical controls for those students who may not be that ethically inclined to follow our guidelines and policies. But I think that to hide our heads in the sand and pretend that these tools are not out there for students to use would be—it's a disservice to our institutions, to our students, and the mission that we have of training the next generation of knowledge workers.

FASKIANOS: Thank you. I'm going to go next to Meena Bose, who has a raised hand. Meena, if you can unmute yourself and identify yourself.

Q: Thank you, Irina. Thank you for this very important talk. And my question is a little—(laughs)—it's formative, but really—I have been thinking about what you were saying about the role of AI in academic life. And I don't—particularly for undergraduates, for admissions, advisement, guidance on curriculum.
And I don't want to have my head in the sand about this, as you just said—(laughs)—but it seems to me that any kind of meaningful interaction with students, particularly students who have not had any exposure to college before, depends upon kind of multiple feedback with faculty members, development of mentors, to excel in college and to consider opportunities after. So I'm struggling a little bit to see how AI can be instructive for that part of college life, beyond kind of providing information, I guess. But I guess the web does that already. So welcome your thoughts. Thank you.

FASKIANOS: And Meena's at Hofstra University.

MOLINA: Thank you. You know, it's a great question. And the idea that everybody is proposing right here is we are not—artificial intelligence companies, at least at first. We'll see in the future because, you know, it depends on how it's regulated. But they're not trying, or so they claim, to replace doctors, or architects, or professors, or mentors, or administrators. They're trying to help those—precisely those people in those professions, and the people they serve gain access to more information. And you're right in a sense that that information is already on the web. But we've always had a problem finding that information regularly on the web. And you may remember that when Google came along, I mean, it swept through every other search engine out there, AltaVista, Yahoo, and many others, because, you know, it had a very good search algorithm. And now we're going to the next level. The next level is where you ask ChatGPT in human-natural language. You're not trying to combine the three words that say, OK, is the economics class required? No, no, you're telling ChatGPT, hey, listen, I'm in the master's in business administration at Drexel University and I'm trying to take more economics classes. What recommendations do you have for me?
And this is where you can have a preliminary one, and also a caveat there, as most of these search engine—generative AI engines already have, that tell you: We're not here to replace the experts. Make sure you discuss your questions with the experts. We will not give you medical advice. We will not give you educational advice. We're just here, to some extent, for guiding purposes and, even now, for experimental and entertainment purposes. So I think you are absolutely right that we have to be very judicious about how we use these tools to support the students. Now, that said, I had the privilege of working for public universities in the state of Connecticut when I was the CIO. I also had the opportunity early in my career to attend public university in Europe, in Spain, where we were hundreds of students in class. We couldn't get any attention from the faculty. There were no mentors, there were no counselors, or anybody else. Is it better to have nobody to help you, or is it better to have at least some technology guidance that can help you find the information that otherwise is spread throughout many different systems that are like ivory towers—admissions on one side, economics on the other, academic advising on the other, and everything else? So thank you for a wonderful question and reflection.

FASKIANOS: I'm going to take the next question written from Dr. Russell Thomas, a senior lecturer in the Department of International Relations and Diplomatic Studies at Cavendish University in Uganda: What are the skills and competencies that higher education students and faculty need to develop to think in an AI-driven world?

MOLINA: So we could argue here that something very similar has happened already with many information technologies and communication technologies. It is the understanding at first faculty members did not want to use email, or the web, or many other tools because they were too busy with their disciplines. And rightly so.
They were brilliant economists, or philosophers, or biologists. They didn't have enough time to learn all these new technologies to interact with the students. But eventually they did learn, because they realized that it was the only way to meet the students where they were and to communicate with them in efficient ways. Now, I have to be honest; when it comes to the use of technology—and we'll unpack the numbers—it was part of my doctoral dissertation, when I expanded the adoption of technology models, that tells you about early adopters, and mainstream adopters, and late adopters, and laggards. But I uncovered a new category for some of the institutions where I worked called the over-my-dead-body adopters. And these were some of the faculty members who say: I will never switch word processors. I will never use this technology. It's only forty years until I retire, probably eighty more until I die. I don't have to do this. And, to be honest, we have a responsibility to understand that those artificial intelligence tools are out there, and to guide the students as to what is the acceptable use of those technologies within the disciplines and the courses that we teach them in. Because they will find those available in a very competitive work market, in a competitive labor market, because they can derive some benefit from them. But also, we don't want to shortchange their educational attainment just because they go behind our backs to copy and paste from ChatGPT, learning nothing. Going back to the question by Gabriel Doncel, not learning to exercise the critical thinking, using citations and material that is unverified, that was borrowed from the internet without any authority, without any attention to the different points of view. 
I mean, if you've used ChatGPT for a while—and I have personally, even to prepare some basic thank-you speeches, which are all very formal, even to contest a traffic ticket in Washington, DC, when I was speeding but I don't want to pay the ticket anyway. Even for just research purposes, you could realize that most of the writing from ChatGPT has a very, very common style. Which is, oh, on the one hand people say this, on the other hand people say that. Well, the critical thinking will tell you, sure, there are two different opinions, but this is what I think myself, and this is why I think about this. And these are some of the skills, the critical thinking skills, that we must continue to teach the students and not to, you know, put blinds around their eyes to say, oh, continue focusing only on the textbook and the website. No, no. Look at the other tools but use them judiciously.

FASKIANOS: Thank you. I'm going to go next to Clemente Abrokwaa. Raised hand, if you can identify yourself, please.

Q: Hi. Thanks so much for your talk. It's something that has been—I'm from Penn State University. And this is a very important topic, I think. And some of the earlier speakers have already asked the questions I was going to ask. (Laughs.) But one thing that I would like to say that, as you said, we cannot bury our heads in the sand. No matter what we think, the technology is already here. So we cannot avoid it. My question, though, is what do you think about the artificial intelligence, the use of that in, say, for example, graduate students using it to write dissertations? You did mention about the lawyers that use it to write their briefs, and they were caught. But in dissertations and also in class—for example, you have students—you have about forty students. You give a written assignment. You make—when you start grading, you have grading fatigue. And so at some point you lose interest of actually checking.
And so I'm kind of concerned about that how it will affect the students' desire to actually go and research without resorting to the use of AI.

MOLINA: Well, Clemente, fellow colleague from the state of Pennsylvania, thank you for that, once again, both a question and a reflection here. Listen, many of us wrote our doctoral dissertations—mine at Georgetown. At one point of time, I was so tired of writing about the same topics, following the wonderful advice, but also the whims of my dissertation committee, that I was this close from outsourcing my thesis to China. I didn't, but I thought about it. And now graduate students are thinking, OK, why am I going through the difficulties of writing this when ChatGPT can do it for me and the deadline is tomorrow? Well, this is what will distinguish the good students and the good professionals from the other ones. And the interesting part is, as you know, when we teach graduate students we're teaching them critical thinking skills, but also teaching them now to express themselves, you know, either orally or in writing. And writing effectively is fundamental in the professions, but also absolutely critical in academic settings. And anybody who's just copying and pasting from ChatGPT to these documents cannot do that level of writing. But you're absolutely right. Let's say that we have an adjunct faculty member who's teaching a hundred students. Will that person go through every single essay to find out whether students were cheating with ChatGPT? Probably not. And this is why there are also enterprising people who are using artificial intelligence to find out and tell you whether a paper was written using artificial intelligence. So it's a little bit like this fighting of different sources and business opportunities for all of them. And we've done this. We've used antiplagiarism tools in the past because we knew that students were copying and pasting using Google Scholar and many other sources.
And now oftentimes we run antiplagiarism tools. We didn't write them ourselves. Or we tell the students, you run it yourself and you give it to me. And make sure you are not accidentally not citing things that could end up jeopardizing your ability to get a graduate degree because your work was not up to snuff with the requirements of our stringent academic programs. So I would argue that these antiplagiarism tools that we're using will more often than not, and sooner than expected, incorporate the detection of artificial intelligence writeups. And also the interesting part is to tell the students, well, if you do choose to use any of these tools, what are the rules of engagement? Can you ask it to write a paragraph and then you cite it, and you mention that ChatGPT wrote it? Not to mention, in addition to that, all the issues about artificial intelligence, which the courts are deciding now, regarding the intellectual property of those productions. If a song, a poem, a book is written by an artificial intelligence entity, who owns the intellectual property for those works produced by an artificial intelligence machine?

FASKIANOS: Good question. We have a lot of written questions. And I'm sure you don't want to just listen to my voice, so please do raise your hands. But we do have a question from one of your colleagues, Pablo, Pepe Barcega, who's the IT director at Drexel: Considering the potential biases and limitations of AI models, like ChatGPT, do you think relying on such technology in the educational domain can perpetuate existing inequalities and reinforce systemic biases, particularly in terms of access, representation, and fair evaluation of students? And Pepe's question got seven upvotes, so we advanced it to the top of the line.

MOLINA: All right, well, first I have to wonder whether he used ChatGPT to write the question. But I'm going to leave it at that. Thank you. (Laughter.) It's a wonderful question.
One of the greatest concerns we have had, those of us who have been working on artificial intelligence digital policy for years—not this year when ChatGPT was released, but for years we've been thinking about this. And even before artificial intelligence, in general with algorithm transparency. And the idea is the following: That two things are happening here. One is that we're programming the algorithms using instructions, instructions created by programmers, with all their biases, and their misunderstandings, and their shortcomings, and their lack of context, and everything else. But with artificial intelligence we're doing something even more concerning than that, which is we have some basic algorithms but then we're feeding a lot of information, a corpus of information, to those algorithms. And the algorithms are fine-tuning the rules based on those. So it's very, very difficult for experts to explain how an artificial intelligence system actually makes decisions, because we know the engine and we know the data that we fed to the engine, but we don't know the real outcome how those decisions are being made through neural networks, through all of the different systems that we have and methods that we have for artificial intelligence. Very, very few people understand how those work. And those are so busy they don't have time to explain how the algorithm works for others, including the regulators. Let's remember some of the failed cases. Amazon tried this early. And they tried this for selecting employees for Amazon. And they fed all the resumes. And guess what? It turned out that most of the recommendations were to hire young white people who had gone to Ivy League schools. Why? Because their first employees were feeding those descriptions, and they had done extremely well at Amazon. Hence, by feeding that information of past successful employees only those were there.
And so that puts away the diversity that we need for different academic institutions, large and small, public and private, from different countries, from different genders, from different ages, from different ethnicities. All those things went away because the algorithm was promoting one particular one. Recently I had the opportunity to moderate a panel in Washington, DC, and we had representatives from the Equal Employment Opportunity Commission. And they told us how they investigated a hiring algorithm from a company that was disproportionately recommending that they hired people whose first name was Brian and had played lacrosse in high school because, once again, a disproportionate number of people in that company had done that. And the algorithm realized, oh, this must be important characteristics to hire people for this company. Let's not forget, for example, with the artificial facial recognition and artificial intelligence by Amazon Rekog, you know, the facial recognition software, that the American Civil Liberties Union, decided, OK, I'm going to submit the pictures of all the congressmen to this particular facial recognition engine. And it turned out that it misidentified many of them, particularly African Americans, as felons who had been convicted. So all these artificial—all these biases could have really, really bad consequences. Imagine that you're using this to decide who you admit to your universities, and the algorithm is wrong. You know, you are making really biased decisions that will affect the livelihood of many people, but also will transform society, possibly for the worse, if we don't address this. So this is why the OECD, the European Union, even the White House, everybody is saying: We want this technology. We want to derive the benefits of this technology, while curtailing the abuses. And it's fundamental we achieve transparency. We are sure that these algorithms are not biased against the people who use them.

FASKIANOS: Thank you.
So I'm going to go next to Emily Edmonds-Poli, who is a professor at the University of San Diego: We hear a lot about providing clear guidelines for students, but for those of us who have not had a lot of experience using ChatGPT it is difficult to know what clear guidelines look like. Can you recommend some sources we might consult as a starting point, or where we might find some sample language?

MOLINA: Hmm. Well, certainly this is what we do in higher education. We compete for the best students and the best faculty members. And we sometimes compete a little bit to be first to win groundbreaking research. But we tend to collaborate with everything else, particularly when it comes to policy, and guidance, and rules. So there are many institutions, like mine, who have already assembled—I'm sure that yours has done the same—assembled committees, because assembling committees and subcommittees is something we do very well in higher education, with faculty members, with administrators, even with the student representation to figure out, OK, what should we do about the use of artificial intelligence on our campus? I mentioned before taking a look at the big aspirational declarations by Meta, and Google, and IBM, and Microsoft could be helpful for these communities to look at this. But also, I'm a very active member of an organization known as EDUCAUSE. And EDUCAUSE is for educators—predominantly higher education educators. Administrators, staff members, faculty members, to think about the adoption of information technology. And EDUCAUSE has done good work on this front and continues to do good work on this front. So once again, EDUCAUSE and some of the institutions have already published their guidelines on how to use artificial intelligence and incorporate that within their academic lives. And now, that said, we also know that even though all higher education institutions are the same, they're all different. We all have different values.
We all believe in different uses of technology. We trust more or less the students. Hence, it's very important that whatever inspiration you would take, you work internally on campus—as you have done with many other issues in the past—to make sure it really reflects the values of your institution.

FASKIANOS: So, Pablo, would you point to a specific college or university that has developed a code of ethics that addresses the use of AI for their academic community beyond your own, but that is publicly available?

MOLINA: Yeah, I'm going to be honest, I don't want to put anybody on the spot.

FASKIANOS: OK.

MOLINA: Because, once again, there are many reasons. But, once again, let me repeat a couple resources. One of them is from the U.S. Department of Education, from the Office of Educational Technology. And the article is Artificial Intelligence and Future of Teaching and Learning: Insights and Recommendations, published earlier this year. The other source really is educause.edu. And if you look at educause.edu on artificial intelligence, you'll find links to articles, you'll find links to universities. It would be presumptuous of me to evaluate whose policies are better than others, but I would argue that the general principles of nonbiased, transparency, accountability, and also integration of these tools within the academic life of the institution in a morally responsible way—with concepts by privacy by design, security by design, and responsible computing—all of those are good words to have in there. Now, the other problem with policies and guidelines is that, let's be honest, many of those have no teeth in our institutions. You know, we promulgate them. They're very nice. They look beautiful. They are beautifully written. But oftentimes when people don't follow them, there's not a big penalty. And this is why, in addition to having the policies, educating the campus community is important.
But it's difficult to do because we need to educate them about so many things. About cybersecurity threats, about sexual harassment, about nondiscriminatory policies, about responsible behavior on campus regarding drugs and alcohol, about crime. So many things that they have to learn about. It's hard to get at another topic for them to spend their time on, instead of researching the core subject matter that they chose to pursue for their lives.

FASKIANOS: Thank you. And we will be sending out a link to this video, the transcript, as well as the resources that you have mentioned. So if you didn't get them, we'll include them in the follow-up email. So I'm going to go to Dorian Brown Crosby who has a raised hand.

Q: Yes. Thank you so much. I put one question in the chat but I have another question that I would like to go ahead and ask now. So thank you so much for this presentation. You mentioned algorithm biases with individuals. And I appreciate you pointing that out, especially when we talk about face recognition, also in terms of forced migration, which is my area of research. But I also wanted you to speak to, or could you talk about the challenges that some institutions in higher education would have in terms of support for some of the things that you mentioned in terms of potential curricula, or certificates, or other ways that AI would be woven into the new offerings of institutions of higher education. How would that look specifically for institutions that might be challenged to access those resources, such as Historically Black Colleges and Universities? Thank you.

MOLINA: Well, very interesting question, and a really fascinating point of view. Because we all tend to look at things from our own perspective and perhaps not consider the perspective of others. Those who have much more money and resources than us, and those who have fewer resources and less funding available. So this is a very interesting line.
What is it that we do in higher education when we have these problems? Well, as I mentioned before, we build committees and subcommittees. Usually we also do campus surveys. I don't know why we love doing campus surveys and asking everybody what they think about this. Those are useful tools to discuss. And oftentimes the thing that we do also, that we've done for many other topics, well, we hire people and we create new offices—either academic or administrative offices. With all of those, you know, they have certain limitations to how useful and functional they can be. And they also continue to require resources. Resources that, in the end, are paid for by students with, you know, federal financing. But this is the truth of the matter. So if you start creating offices of artificial intelligence on our campuses, however important the work may be on their guidance and however much extra work can be assigned to them instead of distributed to every faculty and the staff members out there, the truth of the matter is that these are not perfect solutions. So what is it that we do? Oftentimes, we work with partners. And our partners love to take—(inaudible)—vendors. But the truth of the matter is that sometimes they have much more—they have much more expertise on some of these topics. So for example, if you're thinking about incorporating artificial intelligence to some of the academic materials that you use in class, well, I'm going to take a guess that if you already work with McGraw Hill in economics, or accounting, or some of the other books and websites that they put that you recommend to your students or you make mandatory for your students, that you start discussing with them, hey, listen, are you going to use artificial intelligence? How? Are you going to tell me ahead of time? Because, as a faculty member, you may have a choice to decide: I want to work with this publisher and not this particular publisher because of the way they approach this. 
And let's be honest, we've seen a number of these vendors with major information security problems. McGraw Hill recently left a repository of data misconfigured out there on the internet, and almost anybody could access that. But many others before them, like Chegg and others, were notorious for their information security breaches. Can we imagine that these people are going to adopt artificial intelligence and not do such a good job of securing the information, the privacy, and the nonbiased approaches that we hold dear for students? I think they require a lot of supervision. But in the end, these publishers have the economies of scale for you to recommend those educational materials instead of developing your own for every course, for every class, and for every institution. So perhaps we're going to have to continue to work together, as we've done in higher education, in consortia, which would be local, or regional. It could be based on institutions of the same interest, or on student population, on trying to do this. And, you know, hopefully we'll get grants, grants from the federal government, that can be used in order to develop some of the materials and guidelines that are going to help us precisely embrace this and embracing not only to operate better as institutions and fulfill our mission, but also to make sure that our students are better prepared to join society and compete globally, which is what we have to do.

FASKIANOS: So I'm going to combine questions. Dr. Lance Hunter, who is an associate professor at Augusta University. There's been a lot of debate regarding if plagiarism detection software tools like Turnitin can accurately detect AI-generated text. What is your opinion regarding the accuracy of AI text generation detection plagiarism tools? And then Rama Lohani-Chase, at Union County College, wants recommendations on what plagiarism checker devices you would recommend—or, you know, plagiarism detection for AI would you recommend?

MOLINA: Sure.
So, number one, I'm not going to endorse any particular company because if I do that I would ask them for money, or the other way around. I'm not sure how it works. I could be seen as biased, particularly here. But there are many there and your institutions are using them. Sometimes they are integrated with your learning management system. And, as I mentioned, sometimes we ask the students to use them themselves and then either produce the plagiarism report for us or simply know themselves this. I'm going to be honest; when I teach ethics and technology, I tell the students about the antiplagiarism tools at the universities. But I also tell them, listen, if you're cheating in an ethics and technology class, I failed miserably. So please don't. Take extra time if you have to take it, but—you know, and if you want, use the antiplagiarism tool yourself. But the question stands and is critical, which is right now those tools are trying to improve the recognition of artificial intelligence written text, but they're not as good as they could be. So like every other technology and, what I'm going to call, antitechnology, used to control the damage of the first technology, is an escalation where we start trying to identify this. And I think they will continue to do this, and they will be successful in doing this. There are people who have written ad hoc tools using ChatGPT to identify things written by ChatGPT. I tried them. They're remarkably good for the handful of papers that I tried myself, but I haven't conducted enough research myself to tell you if they're really effective tools for this. So I would argue that for the time being you must assume that those tools, as we assume all the time, will not catch all of the cases, only some of the most obvious ones.

FASKIANOS: So a question from John Dedie, who is an assistant professor at the Community College of Baltimore County: To combat AI issues, shouldn't we rethink assignments?
Instead of papers, have students do PowerPoints, ask students to offer their opinions and defend them? And then there was an interesting comment from Mark Habeeb at Georgetown University School of Foreign Service. Knowledge has been cheap for many years now because it is so readily available. With AI, we have a tool that can aggregate the knowledge and create written products. So, you know, what needs to be the focus now is critical thinking and assessing values. We need to teach our students how to assess and use that knowledge rather than how to find the knowledge and aggregate that knowledge. So maybe you could react to those two—the question and comment.

MOLINA: So let me start with the Georgetown one, not only because he's a colleague of mine. I also teach at Georgetown, and where I obtained my doctoral degree a number of years ago. I completely agree. I completely agree with the issue that we have to teach new skills. And one of the programs in which I teach at Georgetown is our master's of analysis. Which are basically for people who want to work in the intelligence community. And these people have to find the information and they have to draw inferences, and try to figure out whether it is a nation-state that is threatening the United States, or another, or a corporation, or something like that. And they do all of those critical thinking, and intuition, and all the tools that we have developed in the intelligence community for many, many years. And artificial intelligence, if they suspend their judgement and they only use artificial intelligence, they will miss very important information that is critical for national security.
And the same is true for something like our flagship school, the School of Foreign Service at Georgetown, one of the best in the world in that particular field, where you want to train the diplomats, and the heads of state, and the great strategic thinkers on policy and politics in the international arena to precisely think not in the mechanical way that a machine can think, but also to connect those dots. And, sure, they should be using those tools in order to, you know, get the most favorable position and the starting position, but they should also use their critical thinking always, and their capabilities of analysis in order to produce good outcomes and good conclusions. Regarding redoing the assignments, absolutely true. But that is hard. It is a lot of work. We're very busy faculty members. We have to grade. We have to be on committees. We have to do research. And now they ask us to redo our entire assessment strategy, with new assignments that we need to grade again and account for artificial intelligence. And I don't think that any provost out there is saying, you know what? You can take two semesters off to work on this and retool all your courses. That doesn't happen in the institutions that I know of. If you get time off because you're entitled to it, you want to devote that time to do research because that is really what you sign up for when you pursued an academic career, in many cases. I can tell you one thing, that here in Europe where oftentimes they look at these problems with fewer resources than we do in the United States, a lot of faculty members at the high school level, at the college level, are moving to oral examinations because it's much harder to cheat with ChatGPT with an oral examination. Because they will ask you interactive, adaptive questions—like the ones we suffered when we were defending our doctoral dissertations. And they will realize, the faculty members, whether or not you know the material and you understand the material.
Now, imagine oral examinations for a class of one hundred, two hundred, four hundred. Do you do one for the entire semester, with one topic chosen and run them? Or do you do several throughout the semester? Do you end up using a ChatGPT virtual assistant to conduct your oral examinations? I think these are complex questions. But certainly redoing our assignments and redoing the way we teach and the way we evaluate our students is perhaps a necessary consequence of the advent of artificial intelligence.

FASKIANOS: So next question from Damian Odunze, who is an assistant professor at Delta State University in Cleveland, Mississippi: Who should safeguard ethical concerns and misuse of AI by criminals? Should the onus fall on the creators and companies like Apple, Google, and Microsoft to ensure security and not pass it on to the end users of the product? And I think you mentioned at the top in your remarks, Pablo, about how the founder of ChatGPT was urging the Congress to put into place some regulation. What is the onus on ChatGPT to protect against some of this as well?

MOLINA: Well, I'm going to recycle more of the material from my doctoral dissertation. In this case it was the Molina cycle of innovation and regulation. It goes like this, basically there are—you know, there are engineers and scientists who create new information technologies. And then there are entrepreneurs and businesspeople and executives to figure out, OK, I know how to package this so that people are going to use it, buy it, subscribe to it, or look at it, so that I can sell the advertisement to others. And, you know, this begins and very, very soon the abuses start. And the abuses are that criminals are using these platforms for reasons that were not envisioned before.
Even the executives, as we've seen with Google, and Facebook, and others, decide to invade the privacy of the people because they only have to pay a big fine, but they make much more money than the fines or they expect not to be caught. And what happened in this cycle is that eventually there is so much noise in the media, congressional hearings, that eventually regulators step in and they try to pass new laws to do this, or the regulatory agencies try to investigate using the powers given to them. And then all of these new rules have to be tested in courts of law, which could take years by the time it reaches sometimes all the way to the Supreme Court. Some of them are even knocked down on the way to the Supreme Court when they realize this is not constitutional, it's a conflict of laws, and things like that. Now, by the time we regulate these new technologies, not only many years have gone by, but the technologies have changed. The marketing products and services have changed, the abuses have changed, and the criminals have changed. So this is why we're always living in a loosely regulated space when it comes to information technology. And this is an issue of accountability. We're finding this, for example, with information security. If my phone is hacked, or my computer, my email, is it the fault of Microsoft, and Apple, and Dell, and everybody else? Why am I the one paying the consequences and not any of these companies? Because it's unregulated. So morally speaking, yes. These companies are accountable. Morally speaking also the users are accountable, because we're using these tools because we're incorporating them professionally. Legally speaking, so far, nobody is accountable except the lawyers who submitted briefs that were not correct in a court of law and were disciplined for that. But other than that, right now, it is a very gray space. So in my mind, it requires everybody. It takes a village to do the morally correct thing.
It starts with the companies and the inventors. It involves the regulators, who should do their job and make sure that there's no unnecessary harm created by these tools. But it also involves every company executive, every professional, every student, and professor who decides to use these tools.

FASKIANOS: OK. I'm going to take—combine a couple questions from Dorothy Marinucci and Venky Venkatachalam about the effect of AI on jobs. Dorothy talks about—she's from Fordham University—about she read something about Germany's best-selling newspaper Bild reportedly adopting artificial intelligence to replace certain editorial roles in an effort to cut costs. Does this mean that the field of journalism communication will change? And Venky's question is: AI—one of the impacts is in the area of automation, leading to elimination of certain types of jobs. Can you talk about both the elimination of jobs and what new types of jobs you think will be created as AI matures into the business world with more value-added applications?

MOLINA: Well, what I like about predicting the future, and I've done this before in conferences and papers, is that, you know, when the future comes ten years from now people will either not remember what I said, or, you know, maybe I was lucky and my prediction was correct. In the specific field of journalism, and we've seen it, the journalism and communications field, decimated because the money that they used to make with advertising—and, you know, certainly a big part of that was in the form of corporate profits. But many others were in the form of hiring good journalists, and investigative journalism, and these people could be six months writing a story when right now they have six hours to write a story, because there are no resources. And all the advertisement money went instead to Facebook, and Google, and many others because they work very well for advertisements.
But now the lifeblood of journalism organizations has been really, you know, undermined. And there's good journalism in other places, in newspapers, but sadly this is a great temptation to replace some of the journalists with more artificial intelligence, particularly the most—on the least important pieces. I would argue that editorial pieces are the most important in newspapers, the ones requiring ideology, and critical thinking, and many others. Whereas there are others that tell you about traffic changes that perhaps do not—or weather patterns, without offending any meteorologists, that maybe require a more mechanical approach. I would argue that a lot of professions are going to be transformed because, well, if ChatGPT can write real estate announcements that work very well, well, you may need fewer people doing this. And yet, I think that what we're going to find is the same thing we found when technology arrived. We all thought that the arrival of computers would mean that everybody would be without a job. Guess what? It meant something different. It meant that in order to do our jobs, we had to learn how to use computers. So I would argue that this is going to be the same case. To be a good doctor, to be a good lawyer, to be a good economist, to be a good knowledge worker you're going to have to learn also how to use whatever artificial intelligence tools are available out there, and use them professionally within the moral and the ontological concerns that apply to your particular profession. Those are the kind of jobs that I think are going to be very important. And, of course, all the technical jobs, as I mentioned. There are tons of people who consider themselves artificial intelligence experts. Only a few at the very top understand these systems. 
But there are many others in the pyramid that help with preparing these systems, with the support, the maintenance, the marketing, preparing the datasets to go into these particular models, working with regulators and legislators and compliance organizations to make sure that the algorithms and the tools are not running afoul of existing regulations. All of those, I think, are going to be interesting jobs that will be part of the arrival of artificial intelligence.

FASKIANOS: Great. We have so many questions left and we just couldn't get to them all. I'm just going to ask you just to maybe reflect on how the use of artificial intelligence in higher education will affect U.S. foreign policy and international relations. I know you touched upon it a little bit in reacting to the comment from our Georgetown University colleague, but any additional thoughts you might want to add before we close?

MOLINA: Well, let's be honest, one particular one that applies to education and to everything else, there is a race—a worldwide race for artificial intelligence progress. The big companies are fighting—you know, Google, and Meta, many others, are really putting—Amazon—putting resources into that, trying to be first in this particular race. But it's also a national race. For example, it's very clear that there are executive orders from the United States as well as regulations and declarations from China that basically are indicating these two big nations are trying to be first in dominating the use of artificial intelligence. And let's be honest, in order to do well in artificial intelligence you need not only the scientists who are going to create those models and refine them, but you also need the bodies of data that you need to feed these algorithms in order to have good algorithms. So the barriers to entry for other nations and the barriers to entry by all the technology companies are going to be very, very high.
It's not going to be easy for any small company to say: Oh, now I'm a huge player in artificial intelligence. Because even if you may have created an interesting new algorithmic procedure, you don't have the datasets that the huge companies have been able to amass and work on for the longest time. Every time you submit a question to ChatGPT, the ChatGPT experts are using their questions to refine the tool. The same way that when we were using voice recognition with Apple or Android or other companies, that we're using those voices and our accents and our mistakes in order to refine their voice recognition technologies. So this is the power. We'll see that the early bird gets the worm of those who are investing, those who are aggressively going for it, and those who are also judiciously regulating this can really do very well in the international arena when it comes to artificial intelligence. And so will their universities, because they will be able to really train those knowledge workers, they'll be able to get the money generated from artificial intelligence, and they will be able to, you know, feedback one with the other. The advances in the technology will result in more need for students, more students graduating will propel the industry. And there will also be—we'll always have a fight for talent where companies and countries will attract those people who really know about these wonderful things. Now, keep in mind that artificial intelligence was the core of this, but there are so many other emerging issues in information technology. And some of them are critical to higher education. So we're still, you know, lots of hype, but we think that virtual reality will have an amazing impact on the way we teach and we conduct research and we train for certain skills. We think that quantum computing has the ability to revolutionize the way we conduct research, allowing us to do competitions that were not even thinkable today. We'll look at things like robotics. 
And if you ask me about what is going to take many jobs away, I would say that robotics can take a lot of jobs away. Now, we thought that there would be no factory workers left because of robots, but that hasn't happened. But keep adding robots with artificial intelligence to serve you a cappuccino, or your meal, or take care of your laundry, or many other things, or maybe clean your hotel room, and you realize, oh, there are lots of jobs out there that no longer will be there. Think about artificial intelligence for self-driving vehicles, boats, planes, cargo ships, commercial airplanes. Think about the thousands of taxi drivers and truck drivers who may end up being out of jobs because, listen, the machines drive safer, and they don't get tired, and they can be driving twenty-four by seven, and they don't require health benefits, or retirement. They don't get depressed. They never miss. Think about many of the technologies out there that have an impact on what we do. So, but artificial intelligence is a multiplier to technologies, a contributor to many other fields and many other technologies. And this is why we're so—spending so much time and so much energy thinking about these particular issues.

FASKIANOS: Well, thank you, Pablo Molina. We really appreciate it. Again, my apologies that we couldn't get to all of the questions and comments in the chat, but we appreciate all of you for your questions and, of course, your insights were really terrific, Dr. P. So we will, again, be sending out the link to this video and transcript, as well as the resources that you mentioned during this discussion. I hope you all enjoy the Fourth of July. And I encourage you to follow @CFR_Academic on Twitter and visit CFR.org, ForeignAffairs.com, and ThinkGlobalHealth.org for research and analysis on global issues. Again, you send us comments, feedback, suggestions to CFRacademic@CFR.org. And, again, thank you all for joining us.
We look forward to your continued participation in CFR Academic programming. Have a great day. MOLINA: Adios. (END)
Today Kevin and Laura talk with Chris Roberts, Boom Supersonic's CISO, about aviation technology, the Concorde, hacking all the things (including the Mars Rover!), building planes, epic beards, DefCon, Back to the Future, hover boards and flying cars! Chris also casually confessed to breaking into prison, money laundering and robbing banks. Chris is the CISO for Boom Supersonic and works as an advisor for several entities and organizations around the globe. His most recent projects are focused within the aerospace, deception, identity, cryptography, Artificial Intelligence, and services sectors. Over the years, he's founded or worked with several folks specializing in OSINT/SIGINT/HUMINT research, intelligence gathering, cryptography, and deception technologies. These days he's working on spreading the risk, maturity, collaboration, and communication word across the industry. Since the late 90's Chris has been deeply involved with security R&D, consulting, and advisory services in his quest to protect and defend businesses and individuals against various types of attack. Prior to that he jumped out of planes for a living, visiting all sorts of interesting countries and cultures while doing his best to avoid getting shot at too often. He's considered one of the world's foremost experts on counter threat intelligence and vulnerability research within the Information Security industry. He's also gotten a name for himself in the transportation arena; basically anything with wings, wheels, tracks, tyres, fins, props or paddles has been the target for research for the last 15 years. Chris has led or been involved in information security assessments and engagements for the better part of 25 years and has a wealth of experience with regulations such as GLBA, GDPR, HIPAA, HITECH, FISMA, and NERC/FERC.
He has also worked with government, state, and federal authorities on standards such as CMS, ISO, CMMC, and NIST. Chris has been credentialed in many of the top IT and information security disciplines and, as a CyberSecurity advocate and passionate industry voice, he is regularly featured in national newspapers, television news, industry publications and several documentaries. And worst case, to jog the memory, Chris was the researcher who gained global attention in 2015 for demonstrating the linkage between various aviation systems, both on the ground and while in the air, that allowed attacks against flight control systems.
On this episode of Tech Trek, Lisa Hall, Chief Information Security Officer, talks about her experiences building a security program at the genetic testing company. The program covers infrastructure security, application security, product security, governance, risk, and compliance. Lisa discusses the challenges and strategies in building and maintaining a security program in a constantly evolving landscape.

Highlights:
- [00:02:29] Building security strategies.
- [00:03:42] Adapting to different company cultures.
- [00:07:16] Engineering first organizations.
- [00:11:16] Finding security champions.
- [00:14:30] Celebrating quick wins.
- [00:17:25] Finding the right leadership voice.
- [00:20:49] Cybersecurity and Business Impact.
- [00:23:55] Productivity and motivation.
- [00:27:47] Call-to-action for engagement.

With over 16 years of experience in information security, Lisa Hall has built security programs from the ground up and optimized existing security and compliance initiatives at scale. She focuses on building holistic security strategies and comprehensive information security management programs, ensuring products and business systems are developed with security in mind. Lisa has experience building and growing teams, leading companies through IPO, acquisitions & mergers, and leading Application/Product Security, Infrastructure Security, and Compliance programs (SOX, SOC2, ISO 27001, FISMA, FedRAMP, & HITRUST). She believes security should make it easy to do the right thing. Lisa has previously held Information Security roles at PagerDuty, Twilio, and EY. Lisa is a Venture Advisor at YL Ventures and an Advisory Board Member for Day of Shecurity. She is also a co-author of "Reinventing Cybersecurity", a JupiterOne book authored by female and non-binary security practitioners. --- Thank you so much for checking out this episode of The Tech Trek, and we would appreciate it if you would take a minute to rate and review us on your favorite podcast player.
Want to learn more about us? Head over to https://www.elevano.com Have questions or want to cover specific topics with our future guests? Please message me at https://www.linkedin.com/in/amirbormand (Amir Bormand)
Chris DeRusha, the federal chief information security officer, said new FISMA metrics will ask agencies for more granular data on how they are meeting administration priorities.
Podcast: Control System Cyber Security Association International: (CS)²AI
Episode: 42: How Skills Outside of the CyberSecurity Space Lay the Groundwork for a Great CyberSecurity Career with Art Conklin
Pub date: 2022-06-14

Derek Harp is happy to have Art Conklin, another legendary ICS control systems cybersecurity figure, joining him on the show today! Art is an experienced Information Systems Security professional. He has a background in software development, systems science, and information security. He is qualified with CISSP, GICSP, GRID, GCIP, GCFA, GCIA, GCDA, CSSLP, CRISC, and Security+. His specialties include information systems security management, network and systems security, intrusion detection and intrusion detection monitoring, penetration testing, Incident Response, security policy and procedures, risk/threat assessments, Security training/awareness, user interface design and evaluation, FISMA, Secure code design/software engineering, cyber-physical systems security, and security metrics. Art is a hacker at heart. Art was born in St. Louis, Missouri, in 1960. He has been a professor at the University of Houston for many years! He is also a well-known speaker, military veteran, technologist, author, sailor, rocket scientist, father, husband, and grandfather. In this episode of the (CS)²AI Podcast, he talks about his formative years, a life-changing Navy experience, taking advantage of learning situations outside of college, the application of knowledge, the benefits of getting an MBA, and the benefits of on-the-job training. If you want to get into the cybersecurity space, you will not want to miss this episode - even if you have qualifications in a different area.

Show highlights:
- There is a different level of thinking that gets taught and applied today. (5:49)
- After doing courses at different universities and then starting med school, Art realized it was not where he wanted to go because it was science, not tech, and it was very theory-driven. (8:10)
- Art wanted a career where he could do stuff, so he was advised to get an MBA from Harvard or join the military to learn how to lead men, manage a budget, and learn the difference between those things. Harvard was out of reach, so he joined the Navy. (9:07)
- Art talks about the unique military experience that changed his perspective and made him who he is today. (11:05)
- The cyber-world can benefit from people with no college degree who have problem-solving abilities, communication skills, and the ability to lead. (15:08)
- Learning is about more than just knowledge because knowledge needs to be applied. (18:38)
- Art wanted to leave the Navy to join IBM, but the Admiral did not want him to leave and offered him the opportunity to go to Navy Post Graduate School with no payback. So Art spent three years studying space system engineering, got a Ph.D. equivalent, and flew on a spacecraft. (20:40)
- In some respects, transitioning out of the military is not easy, from a job perspective. (24:01)
- Art explains why he did another degree after getting his doctorate. (27:44)
- Art talks about the qualities of his various mentors and the importance of having connections with people with aspects that will broaden you and make you smarter. (29:14)
- What he has done and is currently doing at the University of Houston. (32:32)
- If you want to work in cybersecurity and you have a breadth of knowledge and experience, you are likely to succeed in the space. (39:16)
- If you want to learn more about OT, many resources are available. Use and apply them. You can also email Art for local resources at waconklin@uh.edu. Most people are willing to share their knowledge and become mentors, so reach out to those you look up to. (44:42)
- How to invest in yourself. (46:20)

Links:
- (CS)²AI: https://www.cs2ai.org/
- Art Conklin on LinkedIn: https://www.linkedin.com/in/waconklin/
- The University of Houston (search for cybersecurity): https://uh.edu/
What's it like to be a facilities manager running the IT infrastructure of a leading global research university? In this engaging Nomad Futurist podcast, Raymond Parpart, Director of Data Center Operations and Strategy at the University of Chicago, shares a journey that led from theater to technology and draws us into the fascinating world of critical infrastructure and supercomputers within a multi-faceted academic environment. Parpart, a theater major, began his career working on the road doing lights and sound and then opted for a different lifestyle. His wife-to-be suggested he apply for an available mailroom position at Aon. As Parpart already had programming experience, he was hired instead as a programmer to work on Y2K compliance. Programming led to networking, which led to data centers. “From a technology perspective, I've always managed to latch onto whatever the next thing was...I'm a hungry learner… I want to know!” Parpart then went into consulting. He subsequently joined General Motors, where he managed infrastructure and networking. Parpart's work at the University of Chicago involves managing many types of systems, ranging from administrative databases to facilities that are responsible for computing for high-end research projects. This requires that he be able to manage different types of facilities depending on the need. “If you want to see the world of cooling or racks or power…we're doing all kinds of crazy things with them. Come see me. I've got all kinds of crazy stuff!” Parpart talks about the pros and cons of working in the world of education versus the corporate environment. “In education the politics are particularly challenging and require patience! I also need to be a partner or a support person and make sure that I'm not seen as an impediment.” He talks about how he applies lessons learned in the world of business. “You never give anybody one option. You give them two because they'll pick one.
And hopefully you can sell it so they pick the right one!” Parpart does enjoy the camaraderie of being able to share insights with peers at other big research universities, which would be difficult to achieve in the competitive business environment where trade secrets cannot be shared. For newcomers to the space, Parpart highlights the importance of being willing to learn, willing to listen, and being transparent about what you know and don't know. For those who are further along in their careers, he particularly stresses the importance of being a good listener. “Are you really listening? Don't be the smartest person in the room, even if you think you are. If you are, take the time to mentor those around you and to draw them into the conversation, to draw them into the solution. Help them think, but let them think!” Raymond Parpart serves as Director of Data Center Operations and Strategy at the University of Chicago, where he is responsible for mission critical data center facilities, delivering expertise from system/facility design to operational support, to government compliance for areas such as HIPAA, FISMA, and PCI. Parpart works closely with stakeholders to ensure 7x24 reliability and the constant improvement of system hosting, colocation services, and energy efficiency in complex computing environments. His purview extends to outsourcing and cloud integration strategy. Parpart has over 20 years of global experience with technology. Prior to joining the University in 2007, Parpart was a Global Architect responsible for global infrastructure, data center operations, desktop, and server standards for General Motors, where he developed cost saving innovations in the areas of voice, video, and data networking. Earlier in his career, he served in both technical and management roles for a major regional bank and global consulting company delivering infrastructure design and operations solutions to resolve business...
On today's episode of The Daily Scoop Podcast, the Department of Veterans Affairs receives $10.5 million from the Technology Modernization Fund to support the agency's transition to Login.gov. The Air Force will look at restructuring the 16 software factories it has now. Lt. Gen. Bill Bender (USAF, ret.), senior vice president for strategic accounts and government relations at Leidos and former chief information officer at the Air Force, explains what the collaboration across the organization should look like to sort out what's next. Dave Wennergren, CEO at ACT-IAC and former chief information officer at the Navy, discusses what else could be on the way from the TMF Board as the Biden administration requests an additional $300 million for the fund in fiscal year 2023. Less than a third of CFO Act agencies have effective security programs as of FY20. Jennifer Franks, director of information technology and cybersecurity issues at the Government Accountability Office, breaks down agencies' struggles with implementing required security programs. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
This week will be a standout performance for your IT Bingo card! Blake and James are jumping into the world of compliance. Almost all industries now deal with some form of regulation and they all seemingly touch IT. Tune in and see how you can keep your lions, tigers, and bears in line and keep your company safe from the flying monkeys!
How does sustainable finance regulation represent a sea change for investors? Listen to Jason Mitchell talk to Alain Deckers, European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), about greenwashing, enforcement, materiality, regulatory harmonisation and how the European Commission's Sustainable Finance Strategy is bringing transparency to the ESG space. Alain Deckers is the newly-appointed Head of the Asset Management Unit within the European Commission's Directorate-General for Financial Stability, Financial Services and Capital Markets Union or DG FISMA. He was the Vice-Chairman of the EFRAG European Lab Steering Group. With over 20 years of experience at the European Commission, Alain has been responsible for policy reviews and policy development in areas including trade in goods, environmental policy, public procurement and financial services regulation. * The views set out in this podcast are those of Alain and not the official position of the European Commission, nor the views of individual Commissioners or other officials of the European Commission.
Congratulations are in order for our next guest, Jasson Walker, Jr. The Founder and CEO of cFocus Software, a $10M in Revenue Company located in the Washington DC region, was featured in Microsoft's Black Partner Growth Initiative Black History Month 2022 Campaign. Jasson joined Twins Talk it Up to share about his entrepreneurial journey within the Tech and Government Contracting space. We touch on how his ATO as a Service™ helps to automate FISMA, RMF, and FedRAMP compliance and reporting. We dive into some of the partnerships he has, including Microsoft (Gold-Certified), Black Channel Partner Alliance (BCPA) and AppMeetup. We ask Jasson to share his best tips for winning contracts with the Federal Government. Jasson mentions two keys for success:
- Cultivating relationships with Decision Makers
- Ability to write and articulate your value proposition with Proposals

He also adds that working with the government is all about 'risk-management' and bringing in the best talent who align with your vision. Acknowledging strengths and placing leadership in the right seats on the bus leads to success. Jasson echoes what we've been hearing from other entrepreneurs we've had on the program, in that you must be willing to let go, have repeatable processes, and scale with the right leaders. He did not become an entrepreneur to gain freedom as much as he did to gain flexibility. To learn more about Jasson and cFocus Software, visit https://cfocussoftware.com/

Support and Follow us by Sponsoring, Subscribing & Downloading.

If you are looking to learn the art of audience engagement while listening for methods to conquer speaking anxiety, deliver persuasive presentations, and close more deals, then this is the podcast for you. Twins Talk it Up is a podcast where identical twin brothers Danny Suk Brown and David Suk Brown discuss leadership communication strategies to support professionals who believe in the power of their own authentic voice.
Together, we will explore tips and tools to increase both your influence and value. Along the way, let's crush some goals, deliver winning sales pitches, and enjoy some laughs. Danny Suk Brown and David Suk Brown train on speaking and presentation skills. They also share from their keynote entitled “Identically Opposite: the Pursuit of Identity”.

Support and Follow us:
- YouTube: youtube.com/channel/UCL18KYXdzVdzEwMH8uwLf6g
- Instagram: @twinstalkitup
- Instagram: @dsbleadershipgroup
- Twitter: @dsbleadership
- LinkedIn: linkedin.com/company/twins-talk-it-up/
- LinkedIn: linkedin.com/company/dsbleadershipgroup/
- Facebook: facebook.com/TwinsTalkitUp
- Facebook: facebook.com/dsbleadership/
- Website: dsbleadershipgroup.com/TwinsTalkitUp
- We know you've held several executive roles; we would love to hear your perspective regarding balancing business and organization leadership with the technology side.
- You recently testified before Congress regarding FISMA reform. Why do you feel this reform is so needed, and what do you feel in particular would make the biggest impact?
- What advice would you have for technology professionals who want to advance to executive roles like you've held?
- What do you think we as an industry can do to help encourage more women into STEM and tech fields?
Interview with Hisham Alhakim about FedRAMP, FISMA, NIST, FIPS, SBOM, Zero Trust, and collaboration with engineers.
In a world where cyber-attacks are ever-changing, cybersecurity has to adapt accordingly. Joining us today to delve into the world of cloud security for federal agencies is Sandeep Shilawat, Vice President of Cloud and Edge Computing at ManTech. Sandeep has extensive experience in both Commercial and Federal technology markets. We'll get to hear his predictions on where the cloud world is heading, as well as what the Federal Authority to Operate (ATO) process will look like in the future. We learn the benefits of cloud compliance standards, as well as how FedRAMP is leveling the playing field in federal cloud computing. We also touch on the role of 5G in cloud computing, and why it will be disruptive going forward. Join us as we pick Sandeep's brain for some insights into the present and future of federal cybersecurity.

Tweetables:
- “Visibility has become [the] single biggest challenge and nobody's dealing with cloud management in a multi-cloud perspective from cradle to grave.” — @Shilawat [0:09:03]
- “I think that having a managed cloud service is probably the first approach that should be considered by an agency head. I do think that that's where the market is heading. Sooner or later, it will probably become a de facto way of doing cloud security.” — @Shilawat [0:19:43]
On today's episode of The Daily Scoop Podcast, former New York City Mayor Michael Bloomberg has been nominated to lead the Pentagon's Defense Innovation Board. As you heard yesterday, new cyber legislation in Congress combines aspects of FISMA, FedRAMP and cybersecurity reporting. John Zangardi, president and CEO of Redhorse Corporation and former chief information officer at the Department of Homeland Security, explains the impact this legislation would have on federal CIOs. The Army calls its new climate strategy “a roadmap of actions that will enhance unit and installation readiness and resilience in the face of climate-related threats.” John Conger, director emeritus of the Center for Climate and Security and senior advisor to the Council on Strategic Risk, discusses the significance of the new strategy. Federal agency back-to-office plans so far include a mix of in-office time and remote work time for lots of employees. Dan Mathews, head of federal sales at WeWork and former commissioner of the Public Buildings Service at the General Services Administration, discusses how the government will need to adjust office spaces to fit the workplace of the future. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
O-Line Security is a Cyber Security Consultancy and a CompTIA Authorized Training Organization. We provide high quality training and services. We have a great history of customer satisfaction as evidenced by our online reviews, and we pride ourselves on being able to provide first-class services and education at a fantastic value. Our consulting services help you create a robust security environment that combats current and emerging threats, ensures your most valuable assets are identified and protected, and effectively develops and matures your security policies to support your business goals. Our training academy equips you with the skills, confidence, and ability to pass industry certifications and excel in the workplace. O-Line Security is where professionals come to advance their careers with certifications and skills training. It's where employers and employees implement best security practices supported by FISMA and NIST publications. We are here to empower you with the technical expertise and knowledge to combat your most concerning security issues.
Members of Congress are pushing to overhaul federal cybersecurity standards. But agencies are already starting to measure security a lot differently this year. That's because the White House made some big revisions to quarterly cybersecurity metrics. Federal News Network's Justin Doubleday reported on Federal Drive with Tom Temin.
On today's episode of The Daily Scoop Podcast, agencies should start asking employees about their booster status, according to the Safer Federal Workforce Task Force. The State Department says a “technical explanation” is behind an email problem it suffered Thursday. Dave Nyczepir explains what that means. The Federal Chief Information Security Officer would get new budget authority under new FISMA legislation in the House. Former Federal CISO Grant Schneider testified about it in the House, and tells you what he told Congress about the idea. The Cybersecurity and Infrastructure Security Agency will be one of the pivot points of this week's Zero Trust Strategy for the federal government. The agency is working on its own zero trust items too. Robert Costello is Chief Information Officer of CISA. He talked about it with Scoop News Group's Wyatt Kash.
On today's episode of The Daily Scoop Podcast, a new IT modernization caucus in the House of Representatives. Dan Chenok, executive director at the IBM Center for The Business of Government and former branch chief for information policy and technology for the Office of Management and Budget, explains how integrating automation can help improve government's delivery of the recent customer experience executive order. Gordon Bitko, senior vice president at Information Technology Industry Council and former FBI chief information officer, discusses his recommendations to Congress for modernizing FISMA. Dave Powner, executive director of the Center for Data-Driven Policy at MITRE and former director for IT Issues at GAO, talks with Francis about his takeaways from the new FITARA scorecard and what to look for in FITARA 14. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
On today's episode of The Daily Scoop Podcast, the new FITARA scorecard is out. Congress is moving to reform the Federal Information Security Management Act. Former NASA Chief Information Officer Renee Wynn explains her recommendations to the House Oversight and Reform Committee. FISMA reform in Congress could change several things about how agencies do the business of cybersecurity and how they show their work. Jennifer Franks, director of information technology and cybersecurity issues at the Government Accountability Office, gives an update on the implementation of FISMA requirements across government. Kristina Balaam, senior threat researcher for threat intelligence at Lookout, explains steps organizations can take to make sure their employees avoid cyberattacks. This interview is sponsored by Lookout. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
On today's episode of The Daily Scoop Podcast, a new federal website for requesting COVID-19 rapid tests should be online this weekend. Ari Schwartz, managing director for cybersecurity at Venable and former special assistant to the President and White House senior director for cybersecurity, joins Francis to discuss legislation on Capitol Hill to modernize the Federal Information Security Management Act and improve federal responses to cyber breaches. The Cyberspace Solarium Commission transitioned to a non-profit organization at the start of the new year. Chris Cummiskey, CEO at Cummiskey Strategic Solutions and former acting under secretary for management at the Department of Homeland Security, explains the legacy of the commission and the continued push from the federal government for a unified cybersecurity infrastructure. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
During this Cloud and Coffee session, Ryan will share his experience being part of SBA's first cloud project (Certify.SBA.gov), assisting SBA with its scale from 0 cloud to 4 FISMA classified systems in AWS, architecting the account structure and enterprise setup, and implementing serverless technology on SBA.gov and then spreading it out to the 4 other systems.
On today's episode of The Daily Scoop Podcast, the Department of Homeland Security is overhauling how it hires cybersecurity professionals. Richard Spires, Principal, Richard A. Spires Consulting, and former Chief Information Officer, DHS and IRS, discusses the coming update to the Federal Information Security Management Act as Congress considers a potential overhaul of FISMA. David Berteau, President and CEO, Professional Services Council, breaks down the logistical complications as the deadline approaches for federal contractors to get the COVID-19 vaccine. Alvin “Tony” Plater, Acting Chief Information Security Officer, Dept. of Navy, and Rear Adm. Bob Day (USCG, ret.), former Chief Information Officer, U.S. Coast Guard and President, BlackBerry Government Solutions, join FedScoop Editor-in-Chief Billy Mitchell during SNG Live: Modernizing Federal Cybersecurity, to chat about securing the Navy's weapons systems. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.
Links:
Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases: https://www.darkreading.com/cloud/microsoft-azure-cloud-vulnerability-exposed-thousands-of-databases
Google, Amazon, Microsoft Share New Security Efforts After White House Summit: https://www.darkreading.com/operations/google-amazon-microsoft-share-new-security-efforts-post-white-house-summit
New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations: https://www.darkreading.com/cloud/new-data-driven-study-reveals-40-of-saas-data-access-is-unmanaged-creating-significant-insider-and-external-threats-to-global-organizations
Researchers Share Common Tactics of ShinyHunters Threat Group: https://www.darkreading.com/attacks-breaches/researchers-share-common-tactics-of-shinyhunters-threat-group
How to automate forensic disk collection in AWS: https://aws.amazon.com/blogs/security/
Confidential computing: an AWS perspective: https://aws.amazon.com/blogs/security/
New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost: https://aws.amazon.com/blogs/security/amazon-security-awareness-training-and-aws-multi-factor-authentication-tokens-to-be-made-available-at-no-cost/
Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail: https://aws.amazon.com/blogs/security/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.
Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward.
It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary in the weeks ahead.
Jesse: Disaster befell much of the middle south of the US when Ida slammed into the coast and plowed its way up north through the land. What does a hurricane have to do with security? Business continuity. Business continuity is the discipline of maintaining business operations, even in the face of disasters of any kind, such as a hurricane-driven storm surge running over the levees and flooding whole towns.
If you have all your computing systems in the cloud in multiple regions, then such a disaster won't fully halt your business operations. However, you still might have connectivity issues and possibly either temporary or permanent loss of non-cloud systems. Be sure your non-cloud systems have appropriate backups off-site to another geographically disparate location. Better yet, push backups into your cloud infrastructure and consider ways to utilize that data with your cloud systems during a crisis. Hmm, perhaps you'll like it so much you will push everything else up to the cloud that isn't a laptop, tablet, or phone.
Meanwhile in the news, Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases. Security for cloud providers can potentially have catastrophic and large scale repercussions. Keep an eye out for any problems that come up that might affect your operations and your data. Do keep in mind your platform has a direct impact on your own risk profile.
Google, Amazon, Microsoft Share New Security Efforts After White House Summit. The National Institute of Standards and Technology—or NIST—is building a technology supply chain framework with the big tech companies, including Apple, Amazon, Google, IBM, and Microsoft, and this is a big deal. I'm sure the fighting amongst those companies will make this initiative die on the vine, but I hope I'm wrong.
New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations. Back to basics: secure your data; lock down those buckets; don't be stupid. Also, when we're talking cloud apps and services, there should be no assumption that anyone accessing the application via an obfuscated link or permissions too broad to effectively secure the data therein.
Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy.
It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.
Jesse: Researchers Share Common Tactics of ShinyHunters Threat Group. Put Indicators of Compromise—or IOC—data for the latest APT group or malware into your monitoring tool or tools. It's possible, depending on the vendor, that there are already detections you can add to your production monitoring. Save some time and look for those pre-made searches, configurations, and scripts before you make your own.
How to automate forensic disk collection in AWS. Automating forensic data gathering is incredibly valuable. This not only has obvious value in security incident response, but it has value in teaching us how these parts in AWS work. This is worth a close read—several times if you need to—to understand how EBS, S3, automating EC2 actions, CloudWatch logging—among other services—operate. There are other pieces to the glue here to learn, as well.
Confidential computing: an AWS perspective. If you use EC2, you need to understand the AWS Nitro System. Their hardware-based approach to their hypervisor for virtualization combined with hardware-based security and encryption is quite well made. Everyone worried about security at all while using EC2—which I argue should be all of you—should know the concepts of how Nitro works.
New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost. Now, this has value. Free basic security training for average users on fundamental computer security, including things like phishing and social engineering, is an amazing gift.
Also, how many times have I wanted to point someone to an easy-to-understand multi-factor authentication tutorial? Oh, not often; only every single day.
Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail. Creating solid IAM access policies is hard because you have to know all the things an account needs to touch to perform an operation or deliver a service. The IAM Access Analyzer is a total game-changer. You can review the activity to ensure you don't see anything nefarious happening, then apply the config generated. Now, you have a working app that has the bare minimum permissions required to function, but blocks all operations outside those things. This prevents much malware from sneakily doing other things.
And now for the tip of the week. Know your compliance requirements: are you a school, preschool, K-12, college? FERPA. Are you a medical facility? HIPAA. Are you a US government entity? FISMA. Are you conducting credit card transactions? PCI. Are you storing data on an EU citizen? GDPR. The list goes on, and on, and on.
You need to know every single one of the compliance requirements your systems and people touch. Most of these compliance rules and laws cover a fair amount of the same ground, so compliance with several of them isn't an order of magnitude more work than compliance with one or two of them. However, it is critical that you have clear documentation for each one on how you are compliant and what processes, or data, or report proves compliance. If you build these processes into your IT or security operations monitoring or reporting system, your life will be far better off than doing it by hand every single time someone asks—or demands—proof of compliance. And that's it for the week, folks. Securely yours, Jesse Trucks.
Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.
Announcer: This has been a HumblePod production. Stay humble.
A new Senate report lays the groundwork for potential reforms to the law governing federal cybersecurity standards. Lawmakers said many federal agencies are still struggling to comply with the law as it stands, leaving sensitive data at risk. The White House is also contemplating changes to how it oversees agency cybersecurity efforts. For the latest, Federal News Network's Justin Doubleday spoke to Federal Drive with Tom Temin.
Chris DeRusha, the federal chief information security officer, said the annual Federal Information Security Management Act (FISMA) report to Congress further highlights why the administration is focusing on some key areas to improve.
Agencies faced more than 30,000 cyber incidents in fiscal 2020, an 8% increase over the year before. Email phishing and website authentication continue to be among the biggest attack vectors hackers are using to get to agency networks and data. But despite this escalation, the annual Federal Information Security Management Act or FISMA report to Congress, highlights real progress. Chris DeRusha is the federal chief information security officer. He tells executive editor Jason Miller why the report, along with the recent executive order, lays out the cybersecurity path forward.
Learn SecTY! Check which industry regulations apply to your business. Each one applies to companies depending on the information they handle. It is important to know which ones apply to you so that you can comply with them and avoid fines.
SOX: https://www.ucipfg.com/Repositorio/MAES/MAES-04/BLOQUE-ACADEMICO/Unidad-3/lecturas/Caso_Enron_2.pdf https://www.soxlaw.com/
GLBA: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
PCI-DSS: https://www.pcihispano.com/que-es-pci-dss/#:~:text=El%20est%C3%A1ndar%20PCI%20DSS%20se,Comerciantes%20(merchants)&text=Entidades%20emisoras%20(issuers) https://www.pcisecuritystandards.org/
HIPAA: https://www.hhs.gov/hipaa/for-professionals/security/index.html https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
GDPR: https://gdpr-info.eu/
FISMA: https://csrc.nist.gov/projects/risk-management
We teach you how to improve information security in your business and in your life. Follow us on Facebook, Instagram, Twitter and LinkedIn as @SecTYCS. Send me your questions or recommendations at: itsec@sectycs.com. Leave your review on iTunes/Apple Podcast and share it with people who need to improve security in their business and in their life. You can listen to us on: iTunes/Apple Podcast, Spotify, Stitcher and Google Podcast.
Security is inherently dichotomous because it involves hardening an application to protect it from external threats, while at the same time ensuring agility and the ability to iterate as fast as possible. This in-built tension is the major focal point of today’s show, where we talk about all things security. From our discussion, we discover that there are several reasons for this tension. The overarching problem with security is that the starting point is often rules and parameters, rather than understanding what the system is used for. This results in security being heavily constraining. For this to change, a culture shift is necessary, where security people and developers come around the same table and define what optimizing to each of them means. This, however, is much easier said than done as security is usually only brought in at the later stages of development. We also discuss why the problem of security needs to be reframed, the importance of defining what normal functionality is and issues around response and detection, along with many other security insights. The intersection of cloud native and security is an interesting one, so tune in today! Follow us: https://twitter.com/thepodlets Website: https://thepodlets.io Feeback: info@thepodlets.io https://github.com/vmware-tanzu/thepodlets/issues Hosts: Carlisia Campos Duffie Cooley Bryan Liles Nicholas Lane Key Points From This Episode: Often application and program security constrain optimum functionality. Generally, when security is talked about, it relates to the symptoms, not the root problem. Developers have not adapted internal interfaces to security. Look at what a framework or tool might be used for and then make constraints from there. The three frameworks people point to when talking about security: FISMA, NIST, and CIS. Trying to abide by all of the parameters is impossible. It is important to define what normal access is to understand what constraints look like. 
Why it is useful to use auditing logs in pre-production. There needs to be a discussion between developers and security people. How security with Kubernetes and other cloud native programs work. There has been some growth in securing secrets in Kubernetes over the past year. Blast radius – why understanding the extent of security malfunction effect is important. Chaos engineering is a useful framework for understanding vulnerability. Reaching across the table – why open conversations are the best solution to the dichotomy. Security and developers need to have the same goals and jargon from the outset. The current model only brings security in at the end stages of development. There needs to be a place to learn what normal functionality looks like outside of production. How Google manages to run everything in production. It is difficult to come up with security solutions for differing contexts. Why people want service meshes. Quotes: “You’re not able to actually make use of the platform as it was designed to be made use of, when those constraints are too tight.” — @mauilion [0:02:21] “The reason that people are scared of security is because security is opaque and security is opaque because a lot of people like to keep it opaque but it doesn’t have to be that way.” — @bryanl [0:04:15] “Defining what that normal access looks like is critical to us to our ability to constrain it.” — @mauilion [0:08:21] “Understanding all the avenues that you could be impacted is a daunting task.” — @apinick [0:18:44] “There has to be a place where you can go play and learn what normal is and then you can move into a world in which you can actually enforce what that normal looks like with reasonable constraints.” — @mauilion [0:33:04] “You don’t learn to ride a motorcycle on the street. 
You’d learn to ride a motorcycle on the dirt.” — @apinick [0:33:57] Links Mentioned in Today’s Episode: AWS — https://aws.amazon.com/Kubernetes https://kubernetes.io/IAM https://aws.amazon.com/iam/Securing a Cluster — https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/TGI Kubernetes 065 — https://www.youtube.com/watch?v=0uy2V2kYl4U&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=33&t=0sTGI Kubernetes 066 —https://www.youtube.com/watch?v=C-vRlW7VYio&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=32&t=0sBitnami — https://bitnami.com/Target — https://www.target.com/Netflix — https://www.netflix.com/HashiCorp — https://www.hashicorp.com/Aqua Sec — https://www.aquasec.com/CyberArk — https://www.cyberark.com/Jeff Bezos — https://www.forbes.com/profile/jeff-bezos/#4c3104291b23Istio — https://istio.io/Linkerd — https://linkerd.io/ Transcript: EPISODE 10 [INTRODUCTION] [0:00:08.7] ANNOUNCER: Welcome to The Podlets Podcast, a weekly show that explores cloud native one buzzword at a time. Each week, experts in the field will discuss and contrast distributed systems concepts, practices, tradeoffs and lessons learned to help you on your cloud native journey. This space moves fast and we shouldn’t reinvent the wheel. If you’re an engineer, operator or technically minded decision maker, this podcast is for you. [EPISODE] [0:00:41.2] NL: Hello and welcome back to The Kubelets Podcast. My name is Nicholas Lane and this time, we’re going to be talking about the dichotomy of security. And to talk about such an interesting topic, joining me are Duffie Coolie. [0:00:54.3] DC: Hey, everybody. [0:00:55.6] NL: Bryan Liles. [0:00:57.0] BM: Hello [0:00:57.5] NL: And Carlisia Campos. [0:00:59.4] CC: Glad to be here. [0:01:00.8] NL: So, how’s it going everybody? [0:01:01.8] DC: Great. [0:01:03.2] NL: Yeah, this I think is an interesting topic. Duffie, you introduced us to this topic. 
And basically, what I understand, what you wanted to talk about, we’re calling it the dichotomy of security because it’s the relationship between security, like hardening your application to protect it from attack and influence from outside actors and agility to be able to create something that’s useful, the ability to iterate as fast as possible. [0:01:30.2] DC: Exactly. I mean, the idea from this came from putting together a talks for the security conference coming up here in a couple of weeks. And I was noticing that obviously, if you look at the job of somebody who is trying to provide some security for applications on their particular platform, whether that be AWS or GCE or OpenStack or Kubernetes or anything of these things. It’s frequently in their domain to kind of define constraints for all of the applications that would be deployed there, right? Such that you can provide rational defaults for things, right? Maybe you want to make sure that things can’t do a particular action because you don’t want to allow that for any application within your platform or you want to provide some constraint around quota or all of these things. And some of those constraints make total sense and some of them I think actually do impact your ability to design the systems or to consume that platform directly, right? You’re not able to actually make use of the platform as it was designed to be made use of, when those constraints are too tight. [0:02:27.1] DC: Yeah. I totally agree. There’s kind of a joke that we have in certain tech fields which is the primary responsibility of security is to halt productivity. It isn’t actually true, right? But there are tradeoffs, right? If security is too tight, you can’t move forward, right? Example of this that kind of mind are like, if you’re too tight on your firewall rules where you can’t actually use anything of value. That’s a quick example of like security gone haywire. That’s too controlling, I think. [0:02:58.2] BM: Actually. 
This is an interesting topic just in general but I think that before we fall prey to what everyone does when they talk about security, let’s take a step back and understand why things are the way they are. Because all we’re talking about are the symptoms of what’s going on and I’ll give you one quick example of why I say this. Things are the way they are because we haven’t made them any better. In developer land, whenever we consume external resources, what we were supposed to do and what we should be doing but what we don’t do is we should create our internal interfaces. Only program to those interfaces and then let that interface of that adapt or talk to the external service and in security world, we should be doing the same thing and we don’t do this. My canonical example for this is IAM on AWS. It’s hard to create a secure IM configuration and it’s even harder to keep it over time and it’s even harder to do it whenever you have 150, 100, 5,000 people dealing with this. What companies do is they actually create interfaces where they could describe the part of IAM they want to use and then they translate that over. The reason I bring this up is because the reason that people are scared of security is because security is opaque and security is opaque because a lot of people like to keep it opaque. But it doesn’t have to be that way. [0:04:24.3] NL: That’s a good point, that’s a reasonable design and wherever I see that devoted actually is very helpful, right? Because you highlight a critical point in that these constraints have to be understood by the people who are constrained by them, right? It will just continue to kind of like drive that wedge between the people who are responsible for them top finding t hem and the people who are being affected by them, right? That transparency, I think it’s definitely key. [0:04:48.0] BM: Right, this is our cloud native discussion, any idea of where we should start thinking about this in cloud native land? 
[0:04:56.0] DC: For my part, I think it’s important to understand if you can like what the consumer of a particular framework or tool might need, right? And then, just take it from there and figure out what rational constraints are. Rather than the opposite which is frequently where people go and evaluate a set of rules as defined by some particular, some third-part company. Like you look at CIS packs and you look at like a lot of these other tooling. I feel like a lot of people look at those as like, these are the hard rules, we must comply to all of these things. Legally, in some cases, that’s the case. But frequently, I think they’re just kind of like casting about for some semblance of a way to start defining constraint and they go too far, they’re no longer taking into account what the consumers of that particular platform might meet, right? Kubernetes is a great example of this. If you look at the CIS spec for Kubernetes or if you look at a lot of the talks that I’ve seen kind of around how to secure Kubernetes, we defined like best practices for security and a lot of them are incredibly restrictive, right? I think of the problem there is that restriction comes at a cost of agility. You’re no longer able to use Kubernetes as a platform for developing microservices because you provided so much constraints that it breaks the model, you know? [0:06:12.4] NL: Okay. Let’s break this down again. I can think of a top of my head, three types of things people point to when I’m thinking about security. And spoiler alert, I am going to do some acronyms but don’t worry about the acronyms are, just understand they are security things. The first one I’ll bring up is FISMA and then I’ll think about NIST and the next one is CIS like you brought up. 
Really, the reason they’re so prevalent is because depending on where you are, whether you’re in a highly regulated place like a bank or you’re working for the government or you have some kind of automate concern to say a PIPA or something like that. These are the words that the auditors will use with you. There is good in those because people don’t like the CIS benchmarks because sometimes, we don’t understand why they’re there. But, from someone who is starting from nothing, those are actually great, there’s at least a great set of suggestions. But the problem is you have to understand that they’re only suggestions and they are trying to get you to a better place than you might need. But, the other side of this is that, we should never start with NIST or CIS or FISMA. What we really should do is our CISO or our Chief Security Officer or the person in charge of security. Or even just our – people who are in charge, making sure our stack, they should be defining, they should be taking what they know, whether it’s the standards and they should be building up this security posture in this security document and these rules that are built to protect whatever we’re trying to do. And then, the developers or whoever else can operate within that rather than everything literally.
[0:07:46.4] DC: Yeah, agreed. Another thing I’ve spent some time talking to people about like when they start rationalizing how to implement these things or even just think about the secure surface or develop a threat model or any of those things, right? One of the things that I think it’s important is the ability to define kind of like what normal looks like, right? What normal access between applications or normal access of resources looks like. I think that your point earlier, maybe provides some abstraction in front of a secure resource such that you can actually just share that same abstraction across all the things that might try to consume that external resource is a great example of the thing.
Defining what that normal access looks like is critical to us to our ability to constrain it, right? I think that frequently people don’t start there, they start with the other side, they’re saying, here are all the constraints, you need to tell me which ones are too tight. You need to tell me which ones to loosen up so that you can do your job. You need to tell me which application needs access to whichever application so that I can open the firewall for you. I’m like, we need to turn that on its head. We need the environments that are perhaps less secure so that we can actually define what normal looks like and then take that definition and move it into a more secured state, perhaps by defining these across different environments, right?
[0:08:58.1] BM: A good example of that would be in larger organizations, not every part of the organization does this but there are environments running your application where there are really no rules applied. What we do with that is we turn on auditing in those environments so you have two applications or a single application that talks to something and you let that application run and then after the application runs, you go take a look at the audit logs and then you determine at that point what a good profile of this application is. Whenever it’s in production, you set up the security parameters, whether it be identity access or network, based on what you saw in auditing in your preproduction environment. That’s all it should run because we tested it fully in our preproduction environment, it should not do any more than that. And that’s actually something – I’ve seen tools that will do it for AWS IAM. I’m sure you can do it for anything else that creates audit logs. That’s a good way to get started.
[0:09:54.5] NL: It sounds like what we’re coming to is that the breakdown of security or the way that security has impacted agility is when people don’t take a rational look at their own use case.
Instead, they rely too much on the guidance of other people essentially. Instead of using things like the CIS benchmarking or NIST or FISMA, that’s one that I knew the other two and I’m like, I don’t know this other one. If they follow them less as guidelines and more as like hard set rules, that’s when we get impacts on agility. Instead of like, “Hey. This is what my application needs like you’re saying, let’s go from there.” What does this one look like? Duffie is for saying. I’m kind of curious, let’s flip that on its head a little bit, are there examples of times when agility impacts security?
[0:10:39.7] BM: You want to move fast and moving fast is counter to being secure?
[0:10:44.5] NL: Yes.
[0:10:46.0] DC: Yeah, literally every single time we run software. What it comes down to is developers are going to want to develop and then security people are going to want to secure. And generally, I’m looking at it from a developer who has written security software that a lot of people have used, you guys had know that. Really, there needs to be a conversation, it’s the same thing as we had this DevOps conversation for a year – and then over the last couple of years, this whole DevSecOps conversation has been happening. We need to have this conversation because from a security person’s point of view, you know, no access is great access. No data, you can’t get owned if you don’t have any data going across the wire. You know what? Can’t get into that server if there’s no ports opened. But practically, that doesn’t work and what we find is that there is actually a failing on both sides to understand what the other person was optimizing for.
[0:11:41.2] BM: That’s actually where a lot of this comes from. I will offer up that the only default secure posture is no access to anything and you should be working from that direction to where you want to be rather than working from, what should we close down?
You should close down everything and then you work with an allow list rather than a block list.
[0:12:00.9] NL: Yeah, I agree with that model but I think that there’s an important step that has to happen before that and that’s you know, the tooling or thee wireless phone to define what the application looks like when it’s in a normal state or the running state and if we can accomplish that, then I feel like we’re in a better position to find what that LOI list looks like and I think that one of the other challenges there of course, let’s back up for a second. I have actually worked on a platform that supported many services, hundreds of services, right? Clearly, if I needed to define what normal looked like for a hundred services or a thousand services or 2,000 services, that’s going to be difficult in the way that people approach the problem, right? How do you define for each individual service? I need to have some declaration of intent. I need the developer to engage here and tell me what they’re expecting, to set some assumptions about the application like what it’s going to connect to, those dependencies are – That sort of stuff. And I also need tooling to verify that. I need to be able to kind of like build up the whole thing so that I have some way of automatically, you know, maybe with oversight, defining what that security context looks like for this particular service on this particular platform. Trying to do it holistically is actually I think where we get into trouble, right? Obviously, we can’t scale the number of people that it takes to actually understand all of these individual services. We need to actually scale this stuff as a software problem instead.
[0:13:22.4] CC: With the cloud native architecture and infrastructure, I wonder if it makes it more restrictive because let’s say, these are running on Kubernetes, everything is running at Kubernetes. Things are more connected because it’s a Kubernetes, right?
It’s this one huge thing that you’re running on and Kubernetes makes it easier to have access to different nodes and when the nodes took those apart, of course, you have to find this connection. Still, it’s supposed to make it easy. I wonder if security from a perspective of somebody needing to put a restriction, an admin for example, makes it harder or if it makes it easier to just delegate, you have this entire area here for you and because your app is constrained to this space or namespace or this part, this node, then you can have as much access as you need, is there any difference? Do you know what I mean? Does it make sense what I said?
[0:14:23.9] BM: There was actually, it’s exactly the same thing as we had before. We need to make sure that applications have access to what they need and don’t have access to what they don’t need. Now, Kubernetes does make it easier because you can have network policies and you can apply those and they’re easier to manage than who knows what networking management you have. Kubernetes also has pod security policies which again, actually confederates this knowledge around my pod should be able to do this or should not be able to run as root, it shouldn’t be able to do this and be able to do that. It’s still the same practice Carlisia, but the way that we can control it is now with a standard set of tools. We still have not cracked the whole nut because the whole thing of turning auditing on to understand and then having great tools that can read audit logs from Kubernetes, just still aren’t there. Just to add one more last thing that before we add VMware and we were Heptio, we had a coworker who wrote basically dynamic audit and that was probably one of the first steps that we would need to be able to employ this at scale. We are early, early, super early in our journey and getting this right, we just don’t have all the necessary tools yet. That’s why it’s hard and that’s why people don’t do it.
[0:15:39.6] NL: I do think it is nice to have those primitives available to people who are making use of that platform though, right? Because again, it kind of opens up that conversation, right? Around transparency. The goal being, if you understood the tools that we’re defining that constraint, perhaps you’d have access to view what the constraints are and understand if they’re actually rational or not with your applications. When you’re trying to resolve like I have deployed my application in dev and it’s the wild west, there’s no constraints anywhere. I can do anything within dev, right? When I’m trying to actually promote my application to staging, it gives you some platform around which you can actually say, “If you want to get to staging, I do have to enforce these things and I have a way and again, all still part of that same API, I still have that same user experience that I had when just deploying or designing the application to getting them deployed.” I could still look at it again and understand what the constraints are being applied and make sure that they’re reasonable for my application. Does my application run, does it have access to the network resources that it needs to? If not, can I see where the gaps are, you know?
[0:16:38.6] DC: For anyone listening to this. Kubernetes doesn’t have all the documentation we need and no one has actually written this book yet. But on Kubernetes.io, there are a couple of documents about security and if we have shownotes, I will make sure those get included in our shownotes because I think there are things that you should at least understand what’s in a pod security policy. You should at least understand what’s in a network security policy. You should at least understand how roles and role bindings work. You should understand what you’re going to do for certificate management. How do you manage this certificate authority in Kubernetes? How do you actually work these things out?
This is where you should start before you do anything else really fancy. At least, understand your landscape.
[0:17:22.7] CC: Jeffrey did a TGIK talk on secrets. I think was that a series? There were a couple of them, Duffie?
[0:17:29.7] DC: Yeah, there were. I need to get back and do a little more but yeah.
[0:17:33.4] BM: We should then add those to our shownotes too. Hopefully they actually exist or I’m willing to see to it because in assistance.
[0:17:40.3] CC: We are going to have shownotes, yes.
[0:17:44.0] NL: That is an interesting point, bringing up secrets and secret management and also, like secured Inexhibit. There are some tools that exist that we can use now in a cloud native world, at least in the container world. Things like Vault exist, things like well, now, kubeadm you can roll certificates which is really nice. We are getting to a place where we have more tooling available and I’m really happy about it. Because I remember using Kubernetes a year ago and everyone’s like, “Well. How do you secure a secret in Kubernetes?” And I’m like, “Well, it sure is base64 for you to encode it. That’s not at all secure.”
[0:18:15.5] BM: I would give credit, Bitnami has been doing sealed secrets, that’s been out for quite a while but the problem is that how are you supposed to know about that and how are you supposed to know if it’s a good standard? And then also, how are you supposed to benchmark against that? How do you know if your secrets are okay? We haven’t talked about the other side which is response or detection of issues. We’re just talking about starting out, what do you do?
[0:18:42.3] DC: That’s right.
[0:18:42.6] NL: It is tricky. We’re just saying like, understanding all the avenues that you could be impacted is kind of a daunting task. Let’s talk about like the Target breach that occurred a few years ago?
If anybody doesn’t remember this, basically, Target had a huge credit card breach from their database and basically, what happened is that their – If I recall properly, their OIDC token had a – not expired but the audience for it was so broad that someone had hacked into one computer essentially like a register or something and they were able to get the OIDC token from the local machine. The authentication audience for that whole token was so broad that they were able to access the database that had all of the credit card information in it. These are one of these things that you don’t think about when you’re setting up security, when you’re just maybe getting started or something like that. What are the avenues of attack, right? You’d say like, “OIDC is just a pure authentication mechanism, why would we need to concern ourselves with this?” And then but not understanding kind of what we were talking about last because the networking and the broadcasting, what is the blast radius of something like this and so, I feel like this is a good example of sometimes security can be really hard and getting started can be really daunting.
[0:19:54.6] DC: Yeah, I agree. To Bryan’s point, it’s like, how do you test against this? How do you know that what you’ve defined is enough, right? We can define all of these constraints and we can even think that they’re pretty reasonable or rational and the application may come up and operate but how do you know? How can you verify that what you’ve done is enough? And then also, remember. OIDC has its own foundations and loft. You realize that it’s a very strong door but it’s only a strong door, it also doesn’t do things like stop you from walking around the wall that it’s protecting or climbing over the wall that it’s protecting. There’s a bit of trust and when you get into things like the Target breach, you really have to understand blast radius for anything that you’re going to do.
A good example would be if you’re using shared key kind of things or like public shared key. You have certificate authorities and you’re generating certificates. You should probably have multiple certificate authorities and you can have basically a hierarchy of these so you could have basically the root one controlled by just a few people in security. And then, each department has their own certificate authority and then you should also have things like revocation, you should be able to say that, “Hey, all this is bad and it should all go away and it probably should have every revocation list,” which a lot of us don’t have believe it or not, internally. Where if I actually kill our own certificate, a certificate was generated and I put it in my revocation list, it should not be served and in our clients that are accepting that our service is to see that, if we’re using client side certificates, we should reject these instantly. Really, what we need to do is stop looking at security as this one big thing and we need to figure out what our blast radius is. A firecracker blowing up in my hand, it’s going to hurt me. But Nick, it’s not going to hurt you, you know? If someone drops a huge nuclear bomb on the United States or the west coast United States, I’m talking to myself right now. You got to think about it like that. What’s the worst that can happen if this thing gets busted or gets shared or someone finds that this should not happen? Every piece of data that you have that you consider secure or sensitive, you should be able to figure out what that means and that is how whenever you are defining a security posture that’s butchered to me. Because that is why you’ll notice that a lot of companies, some of them do run open within a contained zone. So, within this contained zone you could talk to whomever you want. We don’t actually have to be secure here because if we lose one, we lost them all so who cares?
So, we need to think about that and how do we do that in Kubernetes? Well, we use things like namespaces first of all and then we use things like network policies and then we use things like pod security policies. We can lock some access down to just namespaces if need be. You can only talk to pods in your namespace. And I am not telling you how to do this but you need to figure out talking with your developer, talking to the security people. But if you are in security you need to talk to your product management staff and your software engineering staff to figure out really how does this need to work? So, you realize that security is fun and we have all sorts of neat tools depending on what side you’re on. You know if you are on red team, you’re half knee in, you’re blue team you are saving things. We need to figure out these conversations and tooling comes from these conversations but we need to have these conversations first.
[0:23:11.0] DC: I feel like a little bit of a broken record on this one but I am going to go back to chaos engineering again because I feel like it is critical to stuff like this because it enables a culture in which you can explore both the behavior of applications itself but why not also use this model to explore different ways of accessing that information? Or coming up with theories about the way the system might be vulnerable based on a particular attack or a type of attack, right? I think that this is actually one of the movements within our space that I think provides the most hope in this particular scenario because a reasonable chaos engineering practice within an organization enables that ability to explore all of the things. You don’t have to be red team or blue team. You can just be somebody who understands this application well and the question for the day is, “How can we attack this application?” Let’s come up with theories about the way that perhaps this application could be attacked.
Think about the problem differently instead of thinking about it as an access problem, think about it as the way that you extend trust to the other components within your particular distributed system like do they have access that they don’t need. Come up with a theory around being able to use some proxy component of another system to attack yet a third system. You know start playing with those ideas and prove them out within your application. A culture that embraces that I think is going to be by far a more secure culture because it lets developers and engineers explore these systems in ways that we don’t generally explore them.
[0:24:36.0] BM: Right. But also, if I could operate on myself I would never need a doctor. And the reason I bring that up is because we use terms like chaos engineering and this is no disrespect to you Duffie, so don’t take it as this is a panacea or this idea that we make things better and true. That is fine, it will make us better but the little secret behind chaos engineering is that it is hard. It is hard to build these experiments first of all, it is hard to collect results from these experiments. And then it is hard to extrapolate what you got out of the experiments to apply to whatever you are working on to repeat and what I would like to see is people in our space talking about how we can apply such techniques. But whether it is giving us more words or giving us more software that we can employ because I hate to say it, it is pretty chaotic in chaos engineering right now for Kubernetes. Because if you look at all the people out there who have done it well. And so, you look at what Netflix has done with pioneering this and then you listen to what a company such as Gremlin is talking about, it is all fine and dandy.
You need to realize that it is another piece of complexity that you have to own and just like any other things in the security world, you need to rationalize how much time you are going to spend on it first is the bottom line because if I have a “Hello, World!” app, I don’t really care about network access to that. Unless it is a “Hello, World!” app running on the same subnet as something doing some PCI data then you know it is a different conversation.
[0:26:05.5] DC: Yeah. I agree and I am certainly not trying to version as a panacea but what I am trying to describe is that I feel like having a culture that embraces that sort of thinking is going to enable us to be in a better position to secure these applications or to handle a breach or to deal with very hard to understand or resolve problems at scale, you know? Whether that is a number of connections per second or whether that is a number of applications that we have horizontally scaled. You know like being able to embrace that sort of a culture where we ask why, where we say “well, what if…” or if we actually come up you know embracing the idea of that curiosity that got you into this field, you know what I mean like the thing that is so frequently our cultures are opposite of that, right? It becomes a race to the finish and in that race to the finish, lots of pieces fall off that we are not even aware of, you know? That is what I am highlighting here when I talk about it.
[0:26:56.5] NL: And so, it seems maybe the best solution to the dichotomy between security and agility is really just open conversation, in a way. People actually reaching across the aisle to talk to each other. So, if you are embracing this culture as you are saying Duffie the security team should be having constant communication with the application team instead of just like the team doing something wrong and the security team coming down and smacking their hand.
And being like, “Oh you can’t do it this way because of our draconian rules” right? These people are working together and almost playing together a little bit inside of their own environment to create also a better environment. And I am sorry. I didn’t mean to cut you off there, Bryan.
[0:27:34.9] BM: Oh man, I thought it was fleeting like all my thoughts. But more about what you are saying is, is that you know it is not just more conversations because we can still have conversations and I am talking about CIDRs and subnets and attack vectors and buffer overflows and things like that. But my developer isn’t talking, “Well, I just need to be able to serve this data so accounting can do this.” And that’s what happens a lot in security conversations. You have two groups of individuals who have wholly different goals and part of that conversation needs to be aligning our jargon and then aligning on those goals but what happens with pretty much everything in the development world, we always bring our networking, our security and our operations people in right at the end, right when we are ready to ship, “Hey make this thing work.” And really it is where a lot of our problems come out. Now if security either could or wanted to be involved at the beginning of a software project when we actually are talking about what we are trying to do. We are trying to open up this service to talk to this, share this kind of data. Security can be in there early saying, “Oh no you know, we are using this resource in our cloud provider. It doesn’t really matter what cloud provider and we need to protect this. This data is sitting here at rest.” If we get those conversations earlier, it would be easier to engineer solutions that can hopefully be reused so we don’t have to have that conversation in the future.
[0:29:02.5] CC: But then it goes back to the issue of agility, right?
Like Duffie was saying, wow you can develop, I guess a development cluster which has much less restrictive restrictions and then you move to a production environment where the proper restrictions are then – then you find out or maybe staging environment let’s say. And then you find out, “Oh whoops. There are a bunch of restrictions I didn’t deal with but I did move a lot faster because I didn’t have them but now, I have to deal with them.”
[0:29:29.5] DC: Yeah, do you think it is important to have a promotion model in which you are able to move toward a more secure deployment right? Because I guess a parallel to this is like I have heard it said that you should develop your monolith first and then when you actually have the working prototype of what you’re trying to create then consider carefully whether it is time to break this thing up into a set of distinct services, right? And consider carefully also what the value of that might be? And I think that the reason that that’s said is because it is easier. It is going to be a lower cognitive load with everything all right there in the same codebase. You understand how all of these pieces interconnect and you can quickly develop or prototype what you are working on. Whereas if you are trying to develop these things into individual microservices first, it is harder to figure out where the line is. Like where to divide all of the business logic. I think this is also important when you are thinking about the security aspects of this right? Being able to do a thing in which you are not constrained, define all of these services and your application and the model for how they communicate without constraint is important. And once you have that, when you actually understand what normal looks like from that set of applications, then enforce them, right?
If you are able to declare that intent you are going to say like these are the ports that these things listen on, these are the things that they are going to access, this is the way that they are going to go about accessing them. You know if you can declare that intent then that is actually a reasonable body of knowledge for which the security people can come along and say, “Okay well, you have told us. You informed us. You have worked with us to tell us like what your intent is. We are going to enforce that intent and see what falls out and we can iterate there.”
[0:31:01.9] CC: Yeah everything you said makes sense to me. Starting with build the monolith first. I mean when you start out why which ones will have abstract things that you don’t really – I mean you might think you know but you only really know in practice what you are going to need to abstract. So, don’t abstract things too early. I am a big fan of that idea. So yeah, start with the monolith and then you figure out how to break it down based on what you need. With security I would imagine the same idea resonates with me. Don’t secure things that you don’t need, that you don’t know just yet need securing, except the deal breaker things. Like there are some things we know like we don’t want production that are being accessed, some types of production data, there are some things we know we need to secure from the beginning.
[0:31:51.9] BM: Right. But I will still iterate that it is always deny by default, just remember that. Security is actually the opposite way. We want to make sure that we have the least amount and even if it is harder for us you always want to start with un-allowed TCP communication on port 443 or UDP as well. That is what I would allow rather than saying shut everything else off. But this, I would rather have the way that we only allow that and that also goes in with our declarative nature in cloud native things we like anyways.
We just say what we want and everything else doesn’t exist.
[0:32:27.6] DC: I do want to clarify though because I think what you and I, we are the representatives of the dichotomy right at this moment, right? I feel like what you are saying is the constraint should be the normal, being able to drop all traffic, do not allow anything is normal and then you have to declare intent to open anything up and what I am saying is frequently developers don’t know what normal looks like yet. They need to be able to explore what normal looks like by developing these patterns and then enforce them, right, which is turning the model on its head. And this is actually I think the kernel that I am trying to get to in this conversation is that there has to be a place where you can go play and learn what normal is and then you can move into a world in which you can actually enforce what that normal looks like with reasonable constraint. But until you know what that is, until you have that opportunity to learn it, all we are doing here is restricting your ability to learn. We are adding friction to the process.
[0:33:25.1] BM: Right, well I think what I am trying to say here, layered on top of this, is that yes, I agree but then I understand what a breach can do and what bad security can do. So I will say, “Yeah, go learn. Go play all you want but not on software that will ever make it to production. Go learn these practices but you are going to have to do it outside of” – you are going to have a sandbox and that sandbox is going to be unconnected from the world I mean from our obelisk and you are going to have to learn but you are not going to practice here. This is not where you learn how to do this.
[0:33:56.8] NL: Exactly right, yeah. You don’t learn to ride a motorcycle on the street you know? You learn to ride a motorcycle on the dirt and then you could take those skills later you know?
But yeah I think we are in agreement like production is a place where we do have to enforce all of those things and having some promotion level in which you can come from a place where you learned it to a place where you are beginning to enforce it to a place where it is enforced I think is also important. And I frequently describe this as like development, staging and production, right? Staging is where you are going to hit the edges from because this is where you’re actually defining that constraint and it has to be right before it can be promoted to production, right? And I feel like the middle ground is also important.
[0:34:33.6] BM: And remember that production is any environment production can reach. Any environment that can reach production is production and that is including that we do data backup dumps and we clean them up from production and we use it as data in our staging environment. If production can directly reach staging or vice versa, it is all production. That is your attack vector. That is also what is going to get in and steal your production data.
[0:34:59.1] NL: That is absolutely right. Google actually makes an interesting not of caveat to that but like side point to that where like if I understand the way that Google runs, they run everything in production, right? Like dev, staging and production are all the same environment. I am more positing this as a question because I don’t know if any of us have the answer but I wonder how they secure their infrastructure, their environment well enough to allow people to play to learn these things? And also, to deploy production level code all in the same area? That seems really interesting to me and then if I understood that I probably would be making a lot more money.
[0:35:32.6] BM: Well it is simple really. There were huge people processes at Google that act as gatekeeper for a lot of this stuff. So, I have never worked in Google.
I have no intrinsic knowledge of Google or have talked to anyone who has given me this insight, this is all speculation disclaimer over. But you can actually run a big cluster that if you can actually prove that you have network and memory and CPU isolation between containers, which they can in certain cases and certain things that can do this. What you can do is you can use your people process and your approvals to make sure that software gets to where it needs to be. So, you can still play on the same clusters but we have great handles on network that you can’t talk to these networks or you can’t use this much network data. We have great things on CPU that this CPU would be a PCI data. We will not allow it unless it’s tied to CPU or it is PCI. Once you have that in place, you do have a lot more flexibility. But to do that, you will have to have some pretty complex approval structures and then software to back that up. So, the burden on it is not on the normal developer and that is actually what Google has done. They have so many tools and they have so many processes where if you use this tool it actually does the process for you. You don’t have to think about it. And that is what we want our developers to be. We want them to be able to use either our networking libraries or whenever they are building their containers or their Kubernetes manifest, use our tools and we will make sure based on either inspection or just explicit settings that we will build something that is as secure as we can given the inputs. And what I am saying is hard and it is capital H hard and I am actually just pitting where we want to be and where a lot of us are not. You know most people are not there. [0:37:21.9] NL: Yeah, it would be nice if we had like we said earlier like more tooling around security and the processes and all of these things. One thing I think that people seem to balk on or at least I feel is developing it for their own use case, right? 
It seems like people want an overarching tool to solve all the use cases in the world. And I think with the rise of cloud native applications and things like container orchestration, I would like to see people more developing for themselves around their own processes, around Kubernetes and things like that. I want to see more perspective into how people are solving their security problems, instead of just like relying on let’s say like HashiCorp or like Aqua Sec to provide all the answers like I want to see more answers of what people are doing. [0:38:06.5] BM: Oh, it is because tools like Vault are hard to write and hard to maintain and hard to keep correct because you think about other large competitors to vault and they are out there like tools like CyberArk. I have a secret and I want to make sure only certain will keep it. That is a very difficult tool but the HashiCorp advantage here is that they have made tools to speak to people who write software or people who understand ops not just as a checkbox. It is not hard to get. If you are using vault it is not hard to get a secret out if you have the right credentials. Other tools is super hard to get the secret out if you even have the right credential because they have a weird API or they just make it very hard for you or they expect you to go click on some gooey somewhere. And that is what we need to do. We need to have better programming interfaces and better operator interfaces, which extends to better security people are basis for you to use these tools. You know I don’t know how well this works in practice. 
But the Jeff Bezos, how teams at AWS or Amazon or forums, you know teams communicate on API and I am not saying that you shouldn’t talk, but we should definitely make sure that our API’s between teams and team who owns security stuff and teams who are writing developer stuff that we can talk on the same level of fidelity that we can having an in person conversation, we should be able to do that through our software as well. Whether that be for asking for ports or asking for our resources or just talking about the problem that we have that is my thought-leadering answer to this. This is “Bryan wants to be a VP of something one day” and that is the answer I am giving. I’m going to be the CIO that is my CIO answer. [0:39:43.8] DC: I like it. So cool. [0:39:45.5] BM: Is there anything else on this subject that we wanted to hit? [0:39:48.5] NL: No, I think we have actually touched on pretty much everything. We got a lot out of this and I am always impressed with the direction that we go and I did not expect us to go down this route and I was very pleased with the discussion we have had so far. [0:39:59.6] DC: Me too. I think if we are going to explore anything else that we talked about like you know, get it more into that state where we are talking about like that we need more feedback loops. We need people developers to talk to security people. We need security people talk to developers. We need to have some way of actually pushing that feedback loop much like some of the other cultural changes that we have seen in our industry are trying to allow for better feedback loops and other spaces. 
And you’ve brought up dev spec ops which is another move to try and open up that feedback loop but the problem I think is still going to be that even if we improved that feedback loop, we are at an age where – especially if you ended up in some of the larger organizations, there are too many applications to solve this problem for and I don’t know yet how to address this problem in that context, right? If you are in a state where you are a 20-person, 30-person security team and your responsibility is to secure a platform that is running a number of Kubernetes clusters, a number of Vsphere clusters, a number of cloud provider implementations whether that would be AWS or GC, I mean that is a set of problems that is very difficult. It is like I am not sure that improving the feedback loop really solves it. I know that I helps but I definitely you know, I have empathy for those folks for sure. [0:41:13.0] CC: Security is not my forte at all because whenever I am developing, I have a narrow need. You know I have to access a cluster.I have to access a machine or I have to be able to access the database. And it is usually a no brainer but I get a lot of the issues that were brought up. But as a builder of software, I have empathy for people who use software, consume software, mine and others and how can’t they have any visibility as far as security goes? For example, in the world of cloud native let’s say you are using Kubernetes, I sort of start thinking, “Well, shouldn’t there be a scanner that just lets me declare?” I think I am starting an episode right now –should there be a scanner that lets me declare for example this node can only access this set of nodes like a graph. But you just declare and then you run it periodically and you make sure of course this goes down to part of an app can only access part of the database. It can get very granular but maybe at a very high level I mean how hard can this be? 
For example, this pod can only access that pods but this pod cannot access this name space and just keep checking what if the name spaces changes, the permission changes. Or for example would allow only these answers can do a backup because they are the same users who will have access to the restore so they have access to all the data, you know what I mean? Just keep checking that is in place and it only changes when you want to. [0:42:48.9] BM: So, I mean I know we are at the end of this call and I want to start a whole new conversation but this is actually is why there are applications out there like Istio and Linkerd. This is why people want service meshes because they can turn off all network access and then just use the service mesh to do the communication and then they can use, they can make sure that it is encrypted on both sides and that is a honey cave on all both sides. That is why this is operated. [0:43:15.1] CC: We’ll definitely going to have an episode or multiple on service mesh but we are on the top of the hour. Nick, do your thing. [0:43:23.8] NL: All right, well, thank you so much for joining us on another interesting discussion at The Kubelets Podcast. I am Nicholas Lane, Duffie any final thoughts? [0:43:32.9] DC: There is a whole lot to discuss, I really enjoyed our conversations today. Thank you everybody. [0:43:36.5] NL: And Bryan? [0:43:37.4] BM: Oh it was good being here. Now it is lunch time. [0:43:41.1] NL: And Carlisia. [0:43:42.9] CC: I love learning from you all, thank you. Glad to be here. [0:43:46.2] NL: Totally agree. Thank you again for joining us and we’ll see you next time. Bye. [0:43:51.0] CC: Bye. [0:43:52.1] DC: Bye. [0:43:52.6] BM: Bye. [END OF EPISODE] [0:43:54.7] ANNOUNCER: Thank you for listening to The Podlets Cloud Native Podcast. Find us on Twitter at https://twitter.com/ThePodlets and on the http://thepodlets.io/ website, where you'll find transcripts and show notes. We'll be back next week. Stay tuned by subscribing. 
Sponsored by: LookingGlassCyber, ScienceLogic, and Fairfax City. Nakul Munjal has worked in the cybersecurity industry since 2003. In 2006, he administered the first computer-based bar exam in the country. In 2009, as part of the founding team for IBM Security Systems in New York, he helped multiple Wall Street banks, insurance companies and rating agencies navigate new cybersecurity requirements resulting from the 2008 financial crisis. He is regarded as a subject matter expert in Identity and Access Management technologies, where he was an executive covering North America and Latin America for Micro Focus. Nakul began Status Identity after observing Chief Security Officers often struggle with inconvenient security controls that cause productivity losses in their organizations. With increasingly stringent cybersecurity policies through GDPR, NYDFS, FISMA and others, this problem was compounding. Nakul is passionate about reducing the security burden on individuals while preserving their privacy and digital rights. He believes that the distribution of personal data must be limited and can be effectively used to empower users. Nakul holds a Bachelor's in Biology and Economics from the University of Colorado, Boulder and an MBA with Honors from Babson College.
Don't break out the party hats quite yet, but the results in the latest Federal Information Security Modernization Act (FISMA) report to Congress do deserve some celebrating. The Office of Management and Budget said that for the first time agencies suffered no major cyber incidents in 2018. On top of that, agencies also saw fewer overall cyber attacks last year. Federal News Network's Executive Editor Jason Miller had the details about why agencies deserve a little pat on the back for their cyber efforts. Hear more on Federal Drive with Tom Temin.
Description: If you are in the market for a security information event management (SIEM) tool, this podcast will be of value. Three security evangelists share their collective experience and insight regarding the need for such a tool, what to look for in a solution, deployment options, how to get started and key factors in driving the value from investing in SIEM. Speakers: James "Butch" Spencer is a Network Engineer at Jackson Kelly PLLC. He is an IT security expert with extensive practical experience in information management systems, security, networking, virtualization, optimization, e-business and programming. Butch is a member of numerous groups delving into and debating on the security and control of the Internet of Things (IoT). Jon Hanny is a strategic information security leader with over 15 years of experience in information security, risk management, governance and compliance. Skilled at building information security and IT risk management programs from inception, he successfully fostered paradigm shifts in higher education, financial services and legal verticals to instill an information security mindset across all levels of an organization, improving their security postures. Jon holds several security certifications including the C|CISO, CISM and CISSP, and has a proven track record leveraging ISO27001, NIST and FISMA. Prabhakar Chandrasekaran is a goal- and ethics-driven security and technology leader with over 20 years of experience in managing critical infrastructure services in IT production environments. He has a solid understanding and application of security and privacy regulations, risk assessments and security audit processes. Prabhakar is also a specialist in achieving reliability and availability through structure and process improvement, with a proven ability to achieve business objectives by establishing partnerships across departments.