
Resilient Cyber

English, Technology, 6 seasons, 115 episodes, 2 days, 16 hours, 45 minutes
About
Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SMEs) across the public and private sectors and a range of industries. As we watch the increasing digitalization of our society, striving for a secure and resilient ecosystem is paramount.

S6E2 - Jacob Horne - 171, CMMC and the Federal Compliance Landscape

- For folks not tracking, let's level set a bit: what exactly are NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two?
- Are there notable events that led the DoD to pursue CMMC, building on the history of 171?
- Obviously the introduction of the 3PAO aspect brings more rigor than previously existed with self-assessments. Many in industry have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry (myself included). What are your thoughts on the potential to impact the DoD supplier base and lead to further consolidation?
- Many DIB suppliers are of course SMBs who rely on CSPs and MSPs to meet these requirements, or conduct their daily operations leveraging various external parties. How does CMMC handle entities like CSPs and MSPs?
- There was recently a memo from the DoD CIO clarifying some language around "FedRAMP equivalency" for DFARS 7012. First off, what is 7012, how does it tie to 171 and CMMC, and what did the DoD CIO memo essentially say?
- Most SMBs in the DIB lack internal cyber expertise and resources, and of course this has led to a booming industry of 171/CMMC consultants and 3PAOs. What are your thoughts on that growing ecosystem, and how do SMBs ensure they're working with the right advisors and assessors?
- What are some of the details on the timelines and rollout of the finalized CMMC rule? When and how should folks be preparing?
- Many of course are quick to claim "compliance isn't security" when discussing stuff like 171 and CMMC. What's your initial reaction to those claims, and how do we help folks understand that industry will not just voluntarily spend and focus on security requirements without being required to do so?
- CMMC of course has a ConMon aspect; right now that is done via annual self-assessments/reporting, as I understand it. What do you think CMMC gets right on this front, and what could be done better?
1/12/2024 (1 hour, 3 minutes, 14 seconds)

S6E1 - Rob van der Veer - Navigating the AI Security Landscape

- You've been heavily involved in the AI dialogue in the industry as it has heated up. How did you get your start specializing in software security and, most notably, AI?
- AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use?
- We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical for Governments to act so quickly on this emerging technology, especially when Government is historically reactionary and slow to adapt?
- What are some of the key considerations that must be kept in mind to help securely govern and regulate AI without hindering innovation and the economic prosperity and potential that AI may bring?
- You're involved in efforts such as the OWASP AI Exchange. Can you tell us a bit about that effort, how it came about, and how practitioners can learn from and leverage it?
- Compliance can be cumbersome, with many overlapping and often duplicative compliance frameworks that industry has to wrestle with. You've been working on an effort dubbed "OpenCRE". Can you tell us a bit about that and what the goals are?
1/5/2024 (32 minutes, 58 seconds)

S5E9: Kevin Greene - The Cyber Journey, AI/ML and Secure SDLC

- Tell us a bit about your cybersecurity journey; you've held a variety of roles with FFRDCs and industry.
- You've been talking a good bit about the latest Secure-by-Design push. What do you make of this push? I know you've raised concerns about needing to do some research to determine the effectiveness of these "secure" SDLCs.
- AI and ML are everywhere we turn in the cyber industry discussions. You've been speaking about the role of ML in cyber detection, for example, going back several years. There's a lot of focus on the risks of AI, but what do you think about the promise of AI and ML to help with defending organizations and agencies?
- I know you've been discussing threat-informed defense and even took a swing at NIST 800-53/FedRAMP and its relevance. Can you elaborate on this, and how you think we're getting it wrong as an industry with regard to compliance and security?
- You recently had awesome comments about the risks in public cloud attack surfaces and the implications for national security. Let's dive into that one; give us some thoughts on this front.
- We're heading into 2024, so let me ask: what are some of your top predictions we may see in cybersecurity over the next year?
12/22/2023 (43 minutes, 57 seconds)

S5E8: Jake Meloche - Cloud Native Security

- First off, tell us a bit about yourself, what you're up to, and how you have gotten where you are career-wise.
- What are some of the key differences with cloud-native security?
- There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?
- This also implies there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?
- There's a lot of focus of course on shifting security left, CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?
- Can you tell us a bit about Aqua Security, what you all do, and what makes you unique from some of the other platform providers and security companies out there?
- What does the term "cyber resilience" mean to you?
12/15/2023 (21 minutes, 16 seconds)

S5E7: Darwin Salazar - Data, Detections & the Cybersecurity Market

Nikki - Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations - was there a singular event that spurred your interest?
Chris - What are your thoughts around guardrails in the cloud and using things such as event-based detections?
Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been, and do you think having the practitioner background helps you be a more effective Product Manager and leader?
Nikki - There's a lot of talk around DataOps and SecOps - we're really seeing a bridging of fields and concepts to bring teams together. I wanted to talk a little bit about the human element here - do you see more of this blending of fields/disciplines?
Chris - I know you've taken a new role recently with Monad, which focuses on Security Data Lakes. What made you interested in this role, and why do you think we're seeing so much focus on Security Data Lakes in the industry?
Nikki - What are some of the emerging trends you see in cyber attacks against cloud? What should people be most concerned with and focus on first when it comes to cloud security?
Chris - You also lead the Cyber Pulse newsletter, which I read and strongly recommend for news and market trends. What made you start the newsletter, and have you found it helps keep you sharp due to needing to stay on top of relevant topics and trends?
Nikki - What does cyber resiliency mean to you?
11/14/2023 (29 minutes, 43 seconds)

S5E6: Allie Mellen - SecOps, Detection and AI

Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt?
Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two?
Nikki - What got you interested in research? I'm always curious because there is such a niche space within cybersecurity and I love meeting other researchers. How do you think cyber benefits from research, and vice versa?
Chris - You also recently had some content doing a deep dive into nation-state threats. We're increasingly seeing cyber play a part in nation-state conflicts. Why do you think that is, and can you touch on how this plays into regulatory fallout as well?
Nikki - I want to talk about your blog post about "The Blob" - you talk about how people use similar terminology and language (false messaging) to steer the conversation in security tooling. Can you talk a little bit more about this concept and what you think it means to the industry?
Chris - You have been having conversations about Detection Engineering. Can you talk about how it is different from legacy/traditional SecOps, and what the future of Detection Engineering and Detections-as-Code looks like?
Nikki - What does cyber resiliency mean to you?
10/20/2023 (25 minutes, 55 seconds)

S5E5: Greg Rasner - Zero Trust and Third Party Risk Management

- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it, and how you see the convergence of ZT and TPRM?
- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both?
- TPRM often involves manual, subjective, lengthy questionnaires that we are all painfully familiar with. How effective do you think these are, and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire-type activities?
- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensuring all of their 3rd- and nth-tier suppliers do. Is this a Gordian knot type of situation?
- What are your thoughts on first-party self-attestations vs. 3rd-party assessments? Each has its pros and cons and challenges.
- The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?
10/15/2023 (37 minutes, 17 seconds)

S5E4: Jonathan Rau - The Modern Security Data Landscape

Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?
Chris - We've seen the discussion around data in the security space evolve quite a bit, from legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things", to now discussions around data lakes, analytics, and automation, among others. Can you discuss the evolution a bit with us and your thoughts on it?
Chris - I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in line with a push for security to be more tightly coupled with, and speak the language of, the business.
Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance, and what should organizations know about setting up complex logging environments?
Chris - As we continue to watch the security data space evolve, I know you've been championing the concept of, and have even written extensively about, the term "SecDataOps". What is this exactly, and why do you feel like it is time to have the industry move in this direction?
Chris - We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework, and what are the challenges of not doing so?
Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two-part question - what got you interested in taking on an advisory role, and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level?
Nikki - What does cyber resiliency mean to you?
10/3/2023 (28 minutes, 46 seconds)

S5E3: Patrick Garrity - Vulnerability Research, Management and Visualizations

Nikki - I wanted to ask you first what got you so passionate about vulnerability management - what was it that first sparked your curiosity and interest in security research?
Nikki - You do a lot of awesome graphics and visualizations of vulnerability data, from both CISA KEV and around types of CVEs - what kind of statistics do you think are most important for security practitioners to know, and on the other side, what is most important for executives to understand?
Chris - You've now begun to submit known exploited vulnerabilities to CISA to be added to the KEV. Can you tell us about that experience, how you're identifying them, and how the process has been?
Chris - We talk a lot about the need for vulnerability context, going beyond CVSS and using things such as KEV and EPSS. In your work, how do you see organizations leveraging context to help vulnerability prioritization?
Nikki - We know that organizations could have a backlog of up to 10k vulnerabilities, based on some recent statistics. Where do organizations start? How do they get a handle on vulnerability management?
Chris - What are some other trends you see in Vulnerability Management that organizations can use to start to get a handle on things?
Chris - You've made the transition from marketing to vulnerability research, visualization and, some would say, industry leader. Can you speak about the journey and advice for others looking to follow a similar path?
Nikki - What's next for you - besides being the pre-eminent vulnerability researcher in this space?
9/24/2023 (35 minutes, 19 seconds)

S5E2: Scott Piper - Modern Cloud Security and Resilience

Chris - First off, you've been knee-deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close?
Nikki - I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud providers?
Chris - You recently contributed to a report with the Atlantic Council about the systemic risks of Cloud and Critical Infrastructure. Can you speak on that a bit? What are your thoughts about systemic risks as more and more of our critical infrastructure and national security systems become reliant on cloud?
Chris - While we know most cloud security incidents are due to customer misconfigurations, we've recently seen some major hyperscaler CSPs experience some very damaging incidents that impacted many. Do you think these incidents are causing some organizations and industries to second-guess their plans for cloud adoption, or leading to trust issues in Cloud?
Nikki - One of my biggest concerns in cloud environments is Identity and Access Management (IAM) - especially in complex development environments. What are some of the major configuration challenges around IAM in cloud?
Nikki - What is your favorite cloud security statistic?
Nikki - I have to bring in the people angle - do you think that current tech teams have the skills and tools they need to manage cloud environments? Do you have any references or skills you recommend as teams build bigger cloud environments?
Chris - On the people front, we know misconfigurations reign supreme for cloud security incidents. Do you think organizations are waking up to the reality that they have to invest in their workforce when it comes to adopting technologies such as Cloud?
Chris - We know you have your fwd:cloudsec event, which has become an industry staple for learning and information sharing on cloud security. How did the event come about, and what does the future look like for it?
9/8/2023 (41 minutes, 51 seconds)

S5E1: Amit Elazari - Convergence of Technology & Digital Policy

- For those who haven't met you yet or come across your work, can you tell us a bit about your background?
- First off, tell us a bit about OpenPolicy. What is the organization's mission, and why did you found it?
- Why do you think it's important for there to be tight collaboration and open communication between businesses, startups and policy makers?
- Some often say that policy is written by those unfamiliar with the technology it governs or the impact of the regulation, and that it has unintended consequences. Do you think this occurs, and how do we go about avoiding it?
- You were recently involved in the launch of the U.S. Cyber Trust Mark program for IoT labeling. Can you tell us a bit about that?
- We're seeing increased calls and efforts for regulating technology and software, especially around software supply chain security, Secure-by-Design products and not leaving risk to the consumers. How do we balance the regulatory push without stifling innovation, which is often the concern?
- I recently saw you launch your own show and interview Jim Dempsey, who I've interviewed in the past. Among other topics, you all touched on the recent SEC rule changes and the increased push for cybersecurity to be a key consideration and activity for governing publicly traded companies. Why do you think we're seeing such a push?
- For those looking to learn more about OpenPolicy, and your efforts around digital policy and regulation, where can folks learn more and potentially even get involved?
9/1/2023 (40 minutes, 5 seconds)

S4E24: Michael McLaughlin & Bill Holstein - Battlefield Cyber

- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?
- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat? Given the ubiquity of software, this seems short-sighted, no?
- In the book, you touch on malicious actors using U.S.-based infrastructure to attack U.S. targets, a topic that was touched on in the NCS. Can you expand on that and the challenges with addressing it, particularly in the cloud?
- There are fears that these adversaries are looking to persist in U.S.-based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?
- The Defense Industrial Base (DIB) is often called the "soft underbelly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states, and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMBs and further constraining the diversity and resiliency of a DIB supplier base?
- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demanding stronger security outcomes and performance from these critical suppliers, especially given their massive financial and political clout?
- Much of this activity occurs below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?
- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy? Citizens continue to use software and applications that expose their data, that of their employers, and in some cases even that of the DoD and national security. How do we go about better informing and engaging the citizenry on this front?
- Another aspect you touch on is that this isn't just a technical issue; there are efforts such as misinformation to degrade trust in our institutions, sow resentment and stoke the flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?
8/4/2023 (59 minutes, 5 seconds)

S4E23: Michael Klipstein - Cybersecurity from Sea to Space

Nikki - In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have there been any benefits you've seen in academia that you've brought to the military space, or vice versa?
Nikki - We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space, and what are some of the major risks you're concerned with at the moment?
Chris - We know you've contributed to the National Maritime Cybersecurity Plan. Why is it so critical to protect maritime activities from a cybersecurity and national security perspective, and how do you see this going so far, since the plan was originally published in 2020?
Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?
Nikki - We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area?
Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response. What are some IR considerations or potential research we need in this space?
Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?
Nikki - Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?
What does cyber resiliency mean to you?
6/30/2023 (30 minutes, 21 seconds)

S4E22: Omkhar Arasaratnam - OSS and OpenSSF

- You are now at the Open Source Security Foundation, but you have a ton of experience (even as a former IBMer) from Google to JPMorgan and financial institutions, through architecture, management, and engineering. Can you talk a little bit about your leadership journey?
- Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks. What is driving the OpenSSF, and are there any particular threats you're concerned with at the moment?
- We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?
- OpenSSF is obviously one of several organizations, such as OWASP and others, helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia, etc., or how organizations can look to collaborate with the OpenSSF?
- You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved?
- Where can organizations really start, though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle on what to work on first. Where do software teams start?
- Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?
- What does cyber resiliency mean to you?
6/23/2023 (41 minutes, 25 seconds)

S4E21: Kelly Shortridge - Security Chaos Engineering & Resilience

Chris - For those not familiar with Security Chaos Engineering, how would you summarize it, and what made you decide to author the new book on it?
Nikki - In one of the sections of Security Chaos Engineering, you talk about what a modern security program looks like. Can you talk about what this means compared to security programs maybe 5 to 10 years ago?
Chris - When approaching leadership, it can be tough to sell the concept of being disruptive. What advice do you have for security professionals looking to get buy-in from their leadership to introduce security chaos engineering?
Nikki - One of the hallmarks of chaos engineering is actually building resilience into development and application environments, but people hear 'chaos engineering' and don't quite know what to make of it. Can you talk about how security chaos engineering can build resiliency into infrastructure?
Chris - I've cited several of your articles, such as Markets DGAF Security and others. You often take a counter-culture perspective to some of the groupthink in our industry. Why do you think we tend to rally around concepts even when the data doesn't prove them out, and have your views been met with defensiveness among some who hold those views?
Nikki - One of my favorite parts of chaos engineering is the hypothesis-based approach and framework for building a security chaos engineering program. It may seem counter-intuitive to the 'chaos' in 'chaos engineering'. What do you think about the scientific method approach?
Chris - Another topic I've been seeing you write and talk about is increasing the burden/cost on malicious actors to drive down their ROI. Can you touch on this topic with us?
6/9/2023 (41 minutes, 53 seconds)

S4E20: Luke Hinds & Craig McLuckie - The Founders Journey & Software Supply Chain Security

- First off, can you each tell us a bit about your backgrounds and experience in the space?
- What made you all decide to found Stacklok? What gaps and opportunities in the ecosystem did you see?
- What are your thoughts around the industry's response to software supply chain security, and how do you see things such as OSS and Sigstore playing a role?
- While we've seen tremendous adoption of OSS for reasons such as speed to market, the robust OSS community, innovation and more, as you both know, OSS has its concerns too, such as pedigree/provenance, known vulnerabilities, lack of maintenance and support, etc. How do organizations balance these concerns while still taking advantage of OSS?
- No software supply chain security discussion would be complete without touching on SBOM, which has gotten a lot of industry attention. What are each of your thoughts on SBOM?
- Another topic that is around every corner lately is AI and the disruption it will cause. We're seeing organizations integrate and market AI into every possible use case when it comes to cybersecurity, while there is also a lot of FUD about malicious actors using AI and even calling it a possible "extinction event". What is your take on AI and the role it has and will have on software supply chain and cyber?
5/31/2023 (37 minutes, 41 seconds)

S4E19: Mark Montgomery - Securing the Digital Democracy

Nikki - What does cyber resiliency mean to you?
Nikki - Can you tell us a little bit more about the Cyberspace Solarium Commission, or CSC? In particular I'm interested in the promotion of national resilience. Can you talk a little bit about what that means and what's in progress at the moment?
Chris - There's been a lot of activity lately with the Cyber EO, OMB Memos, activities by NIST, publications by CISA and of course the National Cyber Strategy. How do you feel about where we're headed as a nation on the Cyber front, and do you think we could be doing more, and if so, what in particular?
Chris - I recently saw you made comments regarding Cloud Service Providers (CSPs) and their lack of being designated as critical infrastructure, I believe. I have seen similar comments from the ONCD, due to how critical CSPs, especially major IaaS providers, are to the nation. Why do you think they have avoided this designation as long as they have?
Nikki - There are a lot of us in cybersecurity that got into it to help defend our nation and protect our country (myself included). Are there ways that other cyber defenders or technical professionals can get involved, or any resources you would recommend?
Nikki - I don't see a ton in legislation or in the Executive Order about the human element behind cybersecurity and our challenges with risk management. Do you foresee any legislation or anything that may come out around how to protect our users and even our security practitioners?
Chris - I mentioned the NCS earlier; a big part of that was shifting market forces, the idea of software liability and also safe harbor. What are your thoughts on this topic?
Chris - CISA recently released "Secure-by-Design/Default" guidance for software suppliers and manufacturers. I wrote an article recently tracing the advocacy for "secure by design" back 50 years to the Ware Report. Yet here we are, still advocating for the same concepts. What do you think it will take for this to become a requirement rather than a recommendation, and how important is this paradigm shift for national security?
5/26/2023 (50 minutes, 51 seconds)

S4E18: Joseph Lewis - Cybersecurity & Servant Leadership

Nikki - You're a newly minted CISO and SES - how's it going? How have the first few months been in the role?
Nikki - With your background in both academia as an Adjunct Professor and with your cyber and executive leadership experience - how important would you say the intersection of academia, research, and leadership is?
Chris - We know you're a big proponent of servant leadership. What does being a Servant Leader in Cybersecurity, and more broadly in general, mean to you?
Chris - We have been discussing soft skills lately with various guests. Why do you feel like soft skills are so often neglected, yet so critical to being an effective leader?
Nikki - As someone who is relatively new to a CISO role - what surprised you about the role? Were there any challenges, or anything that came up initially that was surprisingly good?
Nikki - What experience do you recommend for anyone who's looking to move into a cyber manager or CISO leadership role at an organization? Any books or references you recommend for anyone around leadership?
Chris - As we look at the Federal Cyber landscape, there are a lot of efforts under way from the EO, OMB Memos, Zero Trust, Software Supply Chain, and the list goes on. How do you calibrate your focus in your new role?
Nikki - We've seen a lot in the news around the National Cyber Strategy and other federal legislation potentially in the works. Are you seeing things like Zero Trust and Software Supply Chain security being top of mind? Or are you more worried about things like ChatGPT potentially being used by the Government?
5/19/2023, 22 minutes, 20 seconds

S4E17: Yotam Perkal - Vulnerability Management and Modernization

Chris - To set the stage for the discussion of vulnerability management, Rezilion recently had a report that found that organizations had over 100,000 backlogged vulnerabilities. Why do you think things have gotten so bad?
Chris - Leaders also stated that they are able to patch less than half of that backlog, so thousands of vulnerabilities never get addressed. Doesn't this create a situation ripe for malicious actors to exploit?
Nikki - You have a background in both data science and security research - where do you feel like the intersection of both of these areas meets? Do you feel like we need more data science experience in cybersecurity?
Nikki - Vulnerability management - my favorite topic. Why do you think people are just now starting to bring back up vuln mgmt? It seems like it's been almost 10 years since I've seen substantial research and guidance in this area.
Nikki - Security research is seen in two distinct ways - in both vulnerability identification and in academia - but both are looking at different problems and solving them in different ways. Where can the two sides of the coin come together and benefit from sharing research?
Chris - On the topic of vulnerability prioritization, organizations seem to be struggling. We know going simply based off of CVSS isn't wise, so what are some prioritization tactics organizations can take to address vulnerabilities that pose the most risk in that massive backlog we discussed earlier?
Chris - We know that less than 1-2% of CVE's are generally exploited by malicious actors, and while that number may sound small, as the number of published vulnerabilities grows, that 1-2% represents more and more exploitable vulnerabilities. What do you think is driving the growth of CVE's, from a few thousand in the 1990s to over 190,000 now?
Nikki - What are the top 3 trends you're seeing in vulnerability management and identifying vulnerabilities? What should we be most concerned with?
Nikki - What does cyber resilience mean to you?
5/12/2023, 32 minutes, 50 seconds

S4E16: Alfredo Hickman - SaaS Security & Third-Party Risk Management

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?
Chris - SaaS obviously involves a lot of third-party integrations. What are the risks of these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?
Nikki - Chris and I have talked a lot about software security, SBOM's, and what open source security looks like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain?
Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations?
Nikki - When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations?
Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc?
Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks?
Nikki - I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits?
Nikki - What does cyber resilience mean to you?
5/5/2023, 27 minutes, 11 seconds

S4E15: Tom Pace - Firmware, IoT and Cyber Physical Systems (CPS)

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?
Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. At NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?
Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and look into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing?
Nikki: You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices?
Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?
Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVE's but components identified in its SBOM do?
Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have gone on to industry cyber roles and now as a CEO?
Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization?
Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out?
Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?
4/28/2023, 37 minutes, 18 seconds

S4E14: Josh Reiter - U.S. Navy Workforce and Cyber Superiority

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?
Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession?
Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN. In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked?
Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool.
Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time.
Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?
Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?
Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity?
Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry?
Chris: We know there's rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two?
Nikki: What does cyber resiliency mean to you?
4/21/2023, 33 minutes, 37 seconds

S4E13: Chris Kulakowski - Threat Hunting & Detection Engineering

4/14/2023, 26 minutes, 56 seconds

S4E12: Kristin Saling - U.S. Army Workforce Modernization & Analytics

Nikki - First - tell me a little bit about yourself and your background.
Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR?
Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful?
Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there?
Nikki - One of your previous roles was Deputy Director of People Analytics, I've not heard much about this role before and I'm interested in what that type of position entails and what that means to the people in an organization?
Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams?
Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise?
Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails?
Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing.
Nikki - Can you talk about some of the other innovation in the HR space?
4/7/2023, 24 minutes, 9 seconds

S4E10: Lily Zeleke - DoD Cloud & Software Modernization

Chris - Before we dive into some technical topics and questions, we would love to hear a bit about your background and career.
Chris - We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?
Nikki - There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOM's and challenges of that nature?
Chris - We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?
Nikki - We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?
Nikki - I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to see successful cloud adoption and software modernization?
Chris - Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATO's in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?
3/27/2023, 30 minutes, 12 seconds

S4E9: Resilient Cyber Show w/ Day Johnson

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security?
Nikki - I see you do a lot of work in Cybersecurity and cloud education, do you feel like we have better tools and resources today than a few years ago? Or too many resources?
Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering can you tell us a bit about it and the role it plays in Cloud Security?
Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals?
Nikki - What would you recommend for anyone getting started in the cloud, moving from on premises or data centers, what should they do first?
Nikki - What do you think is next for cloud? I see so many debates in the industry and it seems like there's a trend towards creating systems on prem versus in the cloud.
Chris - I know in addition to your professional role you're a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path?
Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?
3/24/2023, 27 minutes, 59 seconds

S4E8: Jim Dempsey - Cyber Policy & Regulation

Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYDFS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law?
Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity on to the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobiles.
Chris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense it isn't tangible or kinetic, and can be very opaque. What impact do you think those characteristics have on trying to regulate it like we have done with other industries?
Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much?
Chris - Many started to raise questions such as who will define "secure", who and how will it be validated or verified, and where is the line of responsibility between the software supplier and consumer. Any thoughts on these topics and questions?
Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think we balance regulation without stifling innovation in the tech industry?
Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations?
Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services, and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim, that these sorts of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and if it is worth the trade off?
Chris - Many compliance and regulatory schemes take one of two approaches. The first is a self-attested model where entities self-attest their compliance, such as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a 3rd party verifies compliance, such as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to say the National Cyber Strategy, liability and so on?
3/10/2023, 44 minutes, 38 seconds

S4E7: Jeff Williams - DevSecOps and Application Security (AppSec)

Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic?
Nikki: I saw you spoke to Ron Ross recently, we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners?
Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over say SAST and DAST?
Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where we're headed on this front as an industry?
Chris: With the release of the National Cyber Strategy yesterday I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability.
Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP Top Ten, but there are so many free resources and tools available for developers and security professionals.
Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership?
Nikki: Can you talk a little bit more about Contrast Security and the type of work you all do? Would like to hear more about what the company has going on and anything else you may have coming up.
Chris: Continuing on with Contrast, I am interested in the founder's journey a bit. Contrast has been around for nearly a decade and is now up to several hundred employees. What has that journey been like and what are some of the major ways the industry has, or hasn't, changed during that time?
3/4/2023, 41 minutes, 44 seconds

S4E6: Matt Cronin - Cyber Law & National Cyber Strategy

Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law?
Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus say an authoritative regime or nation?
Chris: I know you have a background with the DoJ and U.S. Attorney's office, are there some challenges with say cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on?
Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination?
Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents. Are there any historical parallels to what we are dealing with today? Do you think we'll ever get out of it?
Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and schools are doing to shape cyber legislation?
Nikki: If you could give one message to the American people about how we will address this challenge, what would it be?
Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. To the extent of what you're able to share, there's been a lot of buzz and rumors about an increased call for regulation, do you have any thoughts on that front?
Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society?
Nikki: Do you see more legislation potentially coming in the future around security governance and compliance?
Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?
2/24/2023, 39 minutes, 9 seconds

S4E5: Robert Wood - The Soft Side of Cyber

Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity?
Chris: I'm curious about your perspective on how to help people build soft skills. Much like technical skills, some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and find dealing with people intimidating?
Nikki: I wanted to first talk about the Learning resources you have on your site - softsideofcyber.com - I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future?
Nikki: This may seem like a silly question - but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you and how have these skills aided you in your career?
Nikki: What is the perfect balance of technical and 'soft skills' - do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role?
Chris: You recently wrote an article on CSO Online about unleashing the power of an effective security engineering team. While you did discuss technical skills you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career?
Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena?
Chris: What's next for the Soft Side of Cyber? What projects are you working on and what are you hoping to do with this in the next 6 months?
Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?
2/12/2023, 34 minutes, 50 seconds

S4E4: Derek Fisher - The AppSec Handbook

Nikki: My first question is about your book, The Application Security Handbook - who do you think most benefits from this type of book and why do you think they need it?
Nikki: What inspired you to write this? You have a ton of experience from being a security architect, to working in an IAM group, to application security - I would imagine all of that expertise allows you to see application security through a unique lens.
Chris: In your book you touch on the dichotomy of shifting security left while minimizing friction between the Security and Development teams. This is a common challenge many security teams face. Can you elaborate on some of your recommendations on this front?
Chris: You also emphasize the role of security champions and democratizing security to some extent through this approach. What exactly is a security champion and how do organizations go about doing this?
Nikki: You mention threat modeling in your book - what do you think is the best place for Application Security programs to start when building in threat modeling? This is typically a higher level of maturity for programs and I'm curious at what time it's best to integrate threat modeling?
Chris: We're obviously seeing a big push for robust CI/CD pipeline tooling for security such as SAST, DAST, SCA, Secrets Scanning and so on. Of course this tooling all produces noise. You lay out some strategies in the book on dealing with that. Can you touch on some of those here?
Chris: I would be remiss if I let you go without discussing Software Supply Chain Security and SBOM's. I know you touch on SCA, OSS and SBOM's in the book. Why do you think it is key for organizations to start including this in their AppSec programs?
Nikki: What do you think are the greatest concerns when building a mature application security program? What are the biggest impediments?
Nikki: What does cyber resiliency mean to you?
2/3/2023, 37 minutes

S4E3: Dr. Nikki Robinson - Bridging the Gap with IT and Security

- Can you tell us a bit about the book, what made you want to write it and how you settled on this topic?
- Historically IT and Security have been at odds, often feeling like the other party is conflicting with their goals and responsibilities. Why do you think this is?
- Do you think the push for DevSecOps and breaking down silos between Security and Operations (and Development) has helped at all?
- Your book talks about emotional intelligence, empathy and non-technical traits. How critical do you think those are in this situation and why do they not get discussed enough?
- What methods do you think IT and Security teams can take to improve their relationships and drive towards a unified outlook and goals?
- What do you see as the biggest gaps on this topic as we move into the future?
1/27/2023, 27 minutes, 20 seconds

S4E2: Karen Scarfone - Secure Software Development & NIST

Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next?
Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO and your experience writing it?
Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far reaching?
Chris - What do you think organizations neglect most when it comes to secure software development? Do you think the OMB memo will have a rising tide impact on the ecosystem, like other frameworks such as CSF have had outside of Government?
Nikki - What are some of the most fun parts of your job? You've written so much incredible content for not just the cybersecurity industry, but so many SMB's and not-for-profits can use the NIST guidance as a place to build their cybersecurity programs.
Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use.
Chris - What are your thoughts around the attention as of late on software supply chain security, SBOM's and topics in that domain? Do you think we need more guidance and publications on this front?
Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about?
Nikki - What does Cyber Resiliency mean to you?
1/15/2023, 26 minutes, 7 seconds

S4E1: Stephen Carter - The Vulnerability Management Landscape

Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance.
Chris: How do you think things such as Cloud, DevSecOps and shift-left security have changed vulnerability management?
Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? With more sophistication of attacks by malicious actors, we have to create more
Chris: Most of us know the Common Vulnerability Scoring System (CVSS) but many critique it, saying CVSS scores alone aren't enough to drive vulnerability prioritization. What role do you think things such as Threat Intelligence should play?
Chris: In addition to CVSS, CISA recently has been making a push to evangelize the Stakeholder-Specific Vulnerability Categorization (SSVC) guide. Can you tell us a bit about it and your thoughts about how it fits into the conversation on vulnerability scoring and prioritization?
Nikki: There is a renewed focus on exploitable vulnerabilities, with the Known Exploited Vulnerabilities catalog by CISA, as well as the EPSS, or Exploit Prediction Scoring System - do you think we're headed in the right direction with helping to prioritize vulnerabilities and not just remediate everything?
1/9/2023, 28 minutes, 26 seconds

S3E28: Chris Hetner - Cyber, the Board and Regulations

Nikki - I wanted to start with the major explosion of ransomware and ransomware-as-a-service across all industries. This seems like a good starting point for why cybersecurity advisors belong in the boardroom. Do you think the sophistication and ease of purchase with ransomware should be part of the conversation to bring more cyber experts in?
Nikki - You made a post recently about the vast cybersecurity risk that API's pose to organizations. API security has been top of mind given how prevalent they are and how useful they are to both administrators and developers. Do you think API security will become a more prevalent topic in the coming year?
Chris - It seems logical that boards should have cybersecurity expertise in the mix given how critical technology is to most modern businesses. Why do you think it has taken us this long?
Chris - What are some of the largest coming changes you think will drive this paradigm shift? I know groups like the SEC are pushing for organizations to disclose to what extent they have cyber expertise among the board.
Nikki - What do you think organizations can do that may not have the budget or contacts in place to add cybersecurity expertise to their boards - is there somewhere they can start?
Chris - I know you recently have spoken about the incident reporting timeline changes from the SEC and the need to provide insight into the "materiality" of a breach. For those unfamiliar with the term, what does it mean and is the CISO even in a position to know this? If not, who is?
Chris - To flip it a bit from the board's perspective, for practitioners aspiring to fill this emerging need for cyber expertise in or among the board, where should folks begin? How do they position themselves as desirable candidates for these board opportunities?
12/16/2022, 45 minutes, 44 seconds

S3E27: Varun Badhwar - OSS Governance and Vulnerability Management

- Before we dive into the technical topics, you're a repeat Founder, including some acquisitions of firms you've founded. Can you tell us a bit about that Founder's journey and what leads you to create organizations?
- Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic, and has it always been, or do you feel it is increasingly complex?
- One of the challenges organizations have around OSS use is OSS Governance and software component inventory. Can you speak a bit about that challenge and how you are looking to solve it?
- A term thrown around a lot is "Dependency Hell", which is the term developers use for managing their often large dependency footprints when it comes to updates, patches, versioning and so on. How are you seeing this problem addressed?
- There's a lot of hype around SBOMs and VEX. What are your thoughts on SBOMs and how they fit into the conversation around securing the software supply chain?
- One issue with the increased transparency is development teams drowning in hundreds or thousands of vulnerabilities. As you know, this doesn't actually mean they are exploitable. How do we cut through that noise to drive down risk but also frustration?
- We talk a lot about CVEs and vulnerabilities and so on, but I know you recently shared research from Chinmayi Sharma, who I've interviewed, and she points out CVEs are just one potential risk of OSS dependencies. Any thoughts on leading indicators of risk, as they're often called?
- Moving forward, what are some things you are focusing on at Endor Labs, and where do you see us heading as an industry on this topic in, say, 2-3 years?
11/28/2022, 33 minutes, 18 seconds

S3E25: Richard Stiennon - Cyber Industry Research and Analysis

Nikki: With your latest book, the Security Yearbook for 2022, this is the third iteration of the series, right? It started in 2020 and has only grown since then. Can you talk a little bit about why you started this annual compilation of research?
Nikki: For any other security practitioners or anyone in the field who's interested in writing a book or putting together a comprehensive manuscript or research, do you have any tips or advice for them to get started?
Chris: Can you tell us about your endeavors with IT-Harvest and your IT industry research? What is it and how did you get started?
Chris: I know you serve in various advisory roles. How does your industry research help inform your advisory perspective?
Chris: Based on your current IT industry research, what are some of the most alarming or interesting trends around vendors, investors and M&A you see currently?
Nikki: What is one of the most surprising statistics that you've uncovered year after year? I know one that continues to surprise me is just how prevalent and SUCCESSFUL phishing attacks are. What about you?
Nikki: What are your top recommendations, based on your research, for security practitioners and business owners to be aware of and focus on when it comes to risk mitigation?
Chris: Looking at the current IT industry and trends, what is one prediction you have for some of the most significant changes we can expect in, say, 3-5 years?
11/12/2022, 28 minutes, 29 seconds

S3E26: Mark Curphey - Challenges in SCA/SBOM and Modernizing OWASP

- You recently wrote an article about the SBOM frenzy being premature. For those not familiar with SBOMs, what is an SBOM and what has led to the frenzy, as you call it?
- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOMs unless a build occurs on two identical machines. Can you explain why that is?
- What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermetic Builds play in alleviating some of these concerns?
- Given the challenges of dynamic ephemeral build environments and hosts, do you think this undermines the usefulness of SBOMs as an industry artifact related to software supply chain security?
- You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case?
- You mentioned challenges with CVEs and their accuracy. As many know, CVEs are created via CNAs and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry?
- You were involved in founding OWASP. I personally, and I suspect many others, would love to hear about that a bit, given just how much of an industry staple OWASP is, from Top 10 lists to CycloneDX and countless other widely used projects.
- You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address them to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?
11/12/2022, 36 minutes, 10 seconds

S3E24: Chinmayi Sharma - Tragedy of the Digital Commons

- First off, tell us a bit about your background. You were a developer prior to focusing on Law. Why the change, and do you feel that technical background helps you in your legal and academic career?
- Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication?
- You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that?
- Your paper is broken down into several sections, so let's step through those and dissect each area a bit.
- You touch on the unique aspects of OSS compared to proprietary code and discuss the benefits and also the risks. Can you discuss some of those?
- You claim that OSS should be designated critical infrastructure, arguably under areas such as the IT Sector. First off, why do you think it should be, and why do you think it already hasn't been?
- In part II of your paper you went into topics around the origins of OSS security issues and barriers to resolution. What are some of the major issues and barriers to resolving them?
- You touch on economic theory such as the least-cost avoider. What exactly is that, and why do you think software vendors in this case are best suited to fix some of the core OSS security issues?
- In part III of the paper you discuss some of the current interventions and efforts. Can you touch on what some of those major efforts are?
- You discuss emerging things such as the Open Source Software Security Act as well as the OMB Memo requiring vendors to self-attest to NIST's SSDF and even provide SBOMs. What are your thoughts on these emerging requirements?
- How do you think we balance the need to keep the spirit of OSS, in terms of being open to everyone, cultivating a society of citizen developers and a thriving FOSS ecosystem, while also pushing for more rigor and governance? Do we risk constraining the ecosystem and limiting the Federal government's (and industry's) access to small innovative software projects and initiatives?
10/27/2022, 1 hour, 1 minute, 26 seconds

S3E23: Richard Bird - Digital Identity & API Security

- Looking at your background, you've held a lot of Identity-centric roles and positions in the industry. How do you think Identity and associated security is evolving with the continued adoption of Cloud?
- Identity is obviously at the core of the conversation around Zero Trust. What do you think some of the fundamental things organizations get wrong when it comes to IAM at scale?
- You recently made the pivot from roles with a strong Identity focus to API and API Security. What drove you to make that shift?
- What do you think some of the most interesting challenges are in the current API Security landscape?
- I noticed you also have an Army background. It is very common to see veterans make their way into Cybersecurity. Why do you think that is, and are there any lessons from the Army you feel have benefited you in your Cyber career?
10/7/2022, 45 minutes, 37 seconds

S3E22: Steve Springett - Navigating the Digital Supply Chain

Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for some time via NTIA, CycloneDX, SCVS etc. How did you have the foresight, or what drove you to focus on this topic well before many others in the industry?
Nikki: You mentioned recently the SBOM Forum and their recommendation that the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWEs weren't technically built for a lot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to the software supply chain?
Chris: I wanted to ask you about SaaSBOM, which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind, and where does it begin and end, given most of the Cloud, including Infrastructure, is software-defined?
Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM". What really caught me was the idea that BOMs, or Bills of Materials, have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOMs outside of software. What are your thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas?
Chris: I want to discuss some critiques of SBOM. VEX is promising but of course requires information from software producers, and then of course trusting their assertions. Do you see a future where both SBOM and VEX are automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities?
Nikki: I would be remiss if I didn't ask you about the human element in all of this. I feel like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc., can get somewhat overwhelming. How do you think the increased complexity around the software supply chain is affecting the management and operations groups?
Chris: You have long been the lead on the wildly popular Dependency-Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?
Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et al. How does SCVS fit into the mix, and do you see organizations using all of it, or rallying around some of the guidance?
Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?
9/30/2022, 44 minutes, 29 seconds

S3E21: Josh Bressers - Securing Open Source Software

Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?
Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative, creative environment that is the OSS ecosystem?
Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience?
Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software? What should we be concerned about today versus a year from now?
Chris: What are your thoughts on the current state of Vulnerability Databases? We know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA. Can you tell us a bit about that and why it is needed?
Chris: Do you think the emerging frameworks such as NIST 800-161 R1, SSDF, SLSA etc. are going in the right direction?
Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX? Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully?
Nikki: You have 341 episodes of your podcast. Can you talk a little bit about why you wanted to get into podcasting? And also, do you have any tips or advice for anyone who wants to start their own podcast?
Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workload and information processing for developers and teams, but it may also introduce other concerns. How do you feel about the human factor around OSS?
9/23/2022, 34 minutes, 42 seconds

S3E20: Ken Myers - Federal ICAM & Zero Trust

Chris: What do you think some of the fundamental changes of IAM are from on-prem to cloud?
Chris: What are some of the key tradeoffs and considerations for using IDaaS offerings?
Nikki: There are a lot of solutions out there that discuss zero trust as a product or a service that can be leveraged to 'bake in' zero trust into an environment. But I'm curious on your perspective: do you think we need additional tools to configure zero trust principles, or can we leverage the technology at hand to implement zero trust?
Nikki: There's this move towards passwordless solutions. I can see that being a big boost to zero trust architectures, but I think we're still missing the need for trusted identities, whether it's passwords, pins, or tokens. How do you feel about the passwordless movement, and do you think more products will move in that direction?
Chris: You've been a part of the FICAM group and efforts in the CIO Council. Can you tell us a bit about that and where it is headed?
Chris: It is said Identity is the new perimeter in the age of Zero Trust. Why do you think this is, and how can organizations address it?
Nikki: There was an interesting research publication I read, titled "Beyond zero trust: Trust is a vulnerability" by M. Campbell in the IEEE Computer journal. I like the idea of considering zero trust principles, like least privilege, or limited permissions, as potential vulnerabilities instead of security controls. Do you think the language is important when discussing vulnerabilities versus security controls?
Chris: What role do you think NPEs play in the modern threat landscape?
Chris: If people want to learn more about the Federal FICAM/ZT Strategies, where do you recommend they begin?
9/20/2022, 39 minutes, 9 seconds

S3E19: Andres Vega & Andrew Clay Shafer - GRC in the Age of DevOps

- What do you think some of the primary factors are that contributed to GRC not coming along initially with the DevOps movement?
- Traditionally, what factors have plagued compliance when it comes to software delivery?
- How do some of those factors change in the era of DevOps and Cloud-native?
- Do you think regulation has a significant impact, and how can policy and regulation be improved?
- How important is it for the workforce aspect of GRC to be addressed when it comes to compliance innovation and new technologies and ways of work?
- Can incentives play a part, and if so, what can we do to improve that?
- Andres - What was the impetus of the book, and can you tell us a bit about the writing experience?
- Where can people find out more about the book?
9/20/2022, 43 minutes, 9 seconds

S3E18: Jacques Chester - Vulnerability Scoring and Software Supply Chain

Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?
Chris: What are some of the most notable critiques of CVSS?
Nikki: I read your article "A Closer Look at CVSS Scores" and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Critical vulnerabilities they see based on this scoring method?
Chris: Do you think organizations approaching Vulnerability Management using CVSS strictly from base scores is an effective approach?
Nikki: Do you think that the industry needs a shift as far as vulnerability scoring systems? Not from a mathematical or quantification space, because we have some great people working on that, but from the understanding of how those vulnerabilities actually impact their businesses?
Nikki: Where do you see vulnerability scoring and vulnerability management activities heading? Do you think we need some other methods for scoring insider threat and accumulating those scores with hardware and software vulnerabilities?
Chris: Pivoting a bit from vulnerability scoring, I know you're also involved with groups such as OpenSSF. Can you tell us a bit about that work?
Chris: What are your thoughts on Software Supply Chain Security more broadly, in terms of SBOMs, VEX, and the uptick in Software Supply Chain Attacks? Do you think we're trending in the right direction to respond to the rise in these attacks?
9/2/2022, 27 minutes, 8 seconds

S3E17: Anil Karmel - Compliance Innovation & RegOps

Chris: So you're a proponent of a term called RegOps. Can you explain to us a bit what that is and how it differs from traditional compliance?
Nikki: I'm interested in your background, from Solutions Architect, to CTO, to Co-founding and running companies. Do you have any advice for other architects or IT and security practitioners for building up leadership skills and transitioning to business ownership?
Chris: Do you think the evolution of Cloud and API-enabled platforms is positioning us to innovate in compliance and potentially keep pace with DevSecOps?
Nikki: What are some of the biggest reasons that organizations fail audits? Do you feel like GRC/compliance and framework adoption is too challenging? Do you think that organizations are underwater with missing controls, and where can they start?
Chris: We know you're a big proponent of OSCAL, and your organization RegScale has contributed to some of the OSCAL working groups. For those not familiar, can you explain what OSCAL is and the potential impact it can have on compliance?
Nikki: What do you see as some of the emerging trends around solving compliance issues? Do you think we need a mix of tooling, processes, and orienting our practitioners/users to adapt? Or do we have so many different frameworks/guidelines that it can be difficult for us to keep up?
Chris: Looking at the future of compliance in, say, 3-5 years, how different do you think it will be, and do you think this push towards automation, APIs, codified artifacts and such will change compliance forever?
9/2/2022, 27 minutes

S3E16: Greg Thomas - Secure Service Mesh & Cloud-native Networking

Nikki - In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture?
Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?
Chris: What role do you think Service Mesh plays in the push for Zero Trust and maturing security in cloud-native environments?
Chris: I've heard you use the term Secure Service Networking. What exactly is this, and is it different than Service Mesh? We know there are the four pillars of Service Networking: Service Discovery, Secure Network, Automate Network, Access Service. What are these exactly?
Chris: In the context of micro-services and Kubernetes, how does networking change?
Nikki: The field of engineering is growing more and more; we have Infrastructure Engineers, Application Engineers, versus the traditional job roles of Systems or Software Engineers. Do you see an industry trend moving to expanding the engineering field into different disciplines, like Platform Engineers? Or do you think some of these roles are similar but are getting updated titles?
Chris: HashiCorp has some excellent offerings such as Terraform, Vault, Consul and so on. What resources can folks use to upskill in these technologies?
Nikki: I saw you recently did a talk on securing service level networking for the DoD. Do you feel like a lot of those principles apply outside of the DoD or federal space? Or do you see the private sector using more of these technologies?
9/1/2022, 32 minutes, 50 seconds

S3E15: Aaron Rinehart - Chaos Engineering

8/10/2022, 35 minutes, 54 seconds

S3E14: Jon Meadows - The Secure Software Factory

Nikki: In some ways I think "software supply chain security" has become almost a buzzword, or buzz phrase. But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISOs or security leaders should know?
Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?
Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience, and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts.
Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.
Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and its utility in the broader software supply chain security conversation?
Chris: SCRM can be like eating an elephant when you look at CSPs, MSPs, Software, and so on. What are your thoughts for organizations that don't have the resources of, say, a CitiBank, such as an SMB? Where do they start?
Nikki: I think we're still missing the human element of what a software supply chain security program looks like. How do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?
Chris: There has been a lot of focus on Containers of course in the conversation around Cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult, to manage?
8/10/2022, 34 minutes, 22 seconds

S3E13: Jimmy Mesta - Kubernetes Security & Compliance

Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?
Chris: Kubernetes, while it has many benefits, is also a very complex technology. What are some of the key things organizations should keep in mind when using Kubernetes securely?
Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think the importance of RBAC around Kubernetes may be.
Chris: Any nuances or recommendations for those rolling their own versus using managed Kubernetes offerings?
Nikki: What does governance look like around Kubernetes, specifically around large, multi-cluster environments?
Chris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes?
Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?
Chris: You lead the Kubernetes Top 10 project with OWASP. Can you tell us a bit about that?
Nikki: Where do you think Kubernetes, clusters, etc. are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?
Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if not, how can we fix that?
Chris: We know you are the CTO and Co-Founder of KSOC. Tell us a bit about the firm, what you all specialize in and what led you to founding it.
8/10/2022, 43 minutes, 34 seconds

S3E12: Daniel Krivelevich of Cider Security - CI/CD Pipeline Security

- For folks that are not familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?
- Do you think earlier on in the pursuit of DevOps/DevSecOps, organizations overlooked the pipeline as an attack vector?
- Any thoughts on notable incidents such as SolarWinds? Do you think they brought more attention to the build environment?
- What are your thoughts on emerging guidance such as SLSA, NIST SSDF or 800-161? Do you think these are helping bring attention to best practices on securing pipelines?
- In the context of software supply chain security, why do you think pipelines are so critical?
- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX, and how can pipelines help facilitate that?
- Cider has produced some excellent resources such as articles and also CICD Goat. How do you all keep innovating on the knowledge and tooling front, and how has it been received by the community?
- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?
- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?
7/22/2022, 44 minutes, 36 seconds

S3E11: Larry Clinton w/ Internet Security Alliance: Cybersecurity as a Business Risk

- Why do you think Cybersecurity has traditionally been seen as an IT issue?
- With more and more economic activity being tied to digital platforms, do you think organizations are realizing that cybersecurity is tied to business outcomes and value?
- What do you think of recent activities by the SEC to require organizations to disclose cyber expertise among their board makeup?
- How critical do you think Cybersecurity is for organizations competing in the modern digital economy?
- Any advice or recommendations for Cyber professionals trying to communicate risks with their business peers?
- How do you see the role of the CISO evolving with the push for Cyber at the C-Suite and beyond?
- Where can folks find out more about the ISA?
7/11/2022, 45 minutes, 15 seconds

S3E9: Rob Black - vCISO and Story Telling

- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?
- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?
- How do organizations go about ensuring they get a qualified vCISO? Anything in particular to watch out for?
- For those looking to get started serving as a vCISO, any recommendations?
- You are a great storyteller and communicator on LinkedIn. What made you start making your videos?
- How important do you think communication is to helping Cyber professionals drive secure business outcomes?
7/7/2022, 25 minutes, 19 seconds

S3E10: Magno Logan - Container & Kubernetes Security

- First off, for those not familiar with Containers and Kubernetes, what are they?
- Why are organizations increasingly adopting these technologies over traditional forms of compute?
- How does Cybersecurity change with Kubernetes, and what are some things practitioners should be sure to keep an eye on?
- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings. Any thoughts there?
- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers. Do you think people simply are spinning up these new technologies with security as an afterthought?
- Kubernetes is incredibly complex. Do you think this leads to challenges around properly configuring and securing it?
- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?
- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?
7/7/2022, 29 minutes, 34 seconds

S3E8: Maril Vernon - Purple Teaming & Personal Branding

Chris - Let's start off with discussing what Purple Teaming is exactly, and what it is not.
Nikki - The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers. Do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise?
Chris - People often conflate Red Teaming, Pen Testing and Purple Teaming. How do we help clear up that confusion?
Nikki - Purple teaming is supposed to be an iterative, continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another?
Nikki - The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value in using this type of cooperation between security assessment and audit teams and network defense teams?
Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LI. Can you discuss how you approach that and why it is valuable?
Chris: For those looking to get into Purple Teaming, or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource-wise for learning?
6/22/2022, 31 minutes, 33 seconds

S3E7: Robert Hurlbut - All Things Threat Modeling

- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)
- You were part of an effort to create the Threat Modeling Manifesto. Can you tell us a bit about that project?
- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring, and do you think that will impact the Threat Modeling community?
- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some, and is it true?
- Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for on-prem vs cloud systems?
- For organizations looking to get started with Threat Modeling, where do you recommend they start?
- Moving on from getting started, have you seen large organizations with successful, or unsuccessful, Threat Modeling programs, and what were some major themes either way?
6/16/2022, 34 minutes, 2 seconds

S3E5: Kelsei Young - Cybersecurity M&A & Doctoral Studies

6/16/2022, 21 minutes, 34 seconds
S3E6: Walter Haydock - Software Supply Chain & Vulnerability Management

Nikki - You have some really awesome content on LinkedIn around Vulnerability management - one of my favorite posts you made recently was asking "Is vulnerability management dead". Can you explain a little bit about what you mean? I'm curious on your take, because there isn't a ton of modern guidance around vulnerability management.
Nikki - One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of emphasis is put around CVSS scores and CVE IDs specifically. And while an incredibly helpful tool, plenty of vulnerabilities are not IDed or are not seen in traditional vulnerability scanners. What do you think the industry can do to better use other tools/techniques to identify and remediate vulnerabilities?
Nikki - Can you talk a little bit about where you think we could use more guidance or leadership around vulnerability management? I really don't hear about it when we talk cloud security or AI/ML, but it's still incredibly relevant.
Chris - We know another topic you're passionate about is software supply chain security. Can you share your thoughts on where the industry is headed with SBOM, VEX and other efforts to bring transparency and better governance to the SW supply chain?
Chris - You've also written and spoken a fair bit about broader Supply Chain Risk, partners, MSPs, CSPs etc. Do you think organizations are just now waking up to the exponential risk due to the interconnected and as-a-Service orientation we've taken as an industry?
Chris - As we mentioned, you do a ton of writing on LinkedIn, as well as your Substack distro. How do you keep up the pace and what led you to start the Substack originally? Where can people follow it and stay informed?
6/16/2022, 27 minutes, 32 seconds
S3E4: Dr. Butler - Cybersecurity & Academia

Chris - We know there's a massive Cyber workforce challenge; what role do you think academia plays there and how can it improve to close the gap?
Nikki - Speaking of the young professionals in cybersecurity, what do you think are some of the in-demand skillsets and career paths available for individuals interested in pursuing a career in cybersecurity?
Chris - There's often a debate between academics and practitioners; why do you think that is, and do you think we're seeing that gap dissolve with new degree programs and more practitioner-focused curriculum?
Nikki - On the subject of academia - do you feel like there is enough focus on research in cybersecurity fields? Do you think that research is getting to private and public partners or is there something we can be doing to strengthen those relationships?
Chris - What do you think the future of Cybersecurity education looks like? What role does non-traditional education such as certifications, bootcamps, online courses and content etc. play in the hiring qualifications of the future?
5/23/2022, 33 minutes, 41 seconds
S3E2: Jacob Horne - Security vs. Compliance

Nikki - You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?
Chris - It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think it's accurate and how do we evolve beyond it?
Nikki - Based on some of your posts about compliance - one specifically about implementing frameworks and guidance from NIST and the CMMC standards - do you think there's a need in the industry to focus more on implementation guides or do you feel like organizations are too complex to create guides?
Chris - On the topic of compliance frameworks, we seem to be so reactionary, with new frameworks coming after incidents etc., and organizations struggle to keep up. Do you think we have a framework sprawl problem?
Chris - On the topic of 800-171 and CMMC, there's a lot of talk on the topic of affordability and cost and the impact to the small businesses in the DIB, which has already seen massive consolidation. What are your thoughts on this, and how do we balance compliance/security with the need for a robust DIB of suppliers?
Nikki - What do you think the future of compliance looks like? CMMC and otherwise - do you foresee more legislation around compliance coming down the pike?
5/23/2022, 33 minutes, 17 seconds
S3E3: Dan Lorenc - Software Supply Chain, Sigstore and OSS

Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?
Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?
Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain that there are threat modeling techniques that can be used to understand and account for that growing attack surface?
Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore - can you tell us what that is and why it is important or useful?
Nikki: In the last couple of years 'technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?
Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in say 3 years?
5/23/2022, 23 minutes, 49 seconds
S3E1: Bob Zukis - Cybersecurity in the Boardroom

Chris: So let's start with how we've gotten here. With digital systems accounting for 60% of global GDP, how do we still not have requirements or adoption of cyber expertise on public boards?
Nikki: You mention in your article about the SEC mandating cyber leadership into board rooms - do you think that the type of experience expected on boards should be geared specifically to risk management, or a mix of highly technical and governance experience?
Chris: For those looking to fill some of those upcoming board opportunities, what recommendations do you have?
Nikki: For your book The Great Reboot - you recommend that not only leadership but employees read it as well - do you think there's a gap in knowledge or maybe awareness of how risk impacts the business from a practitioner level? Would you encourage junior and senior personnel to read this book?
Chris: On the flip side, for boards and publicly traded companies looking to bring cyber expertise into the fold, what competencies and skills should they be looking for? Where do they start?
Nikki: Risk is bigger than one vulnerability or one misconfiguration but can have a number of definitions - how do you define risk management and do you think there's a need to define 'risk' more aptly in organizations?
Chris: You often speak about systemic risk. Do you think the modern digitally driven economy and ecosystem is inherently insecure and vulnerable?
5/23/2022, 25 minutes, 32 seconds
S2E24: Breaking Down the DoD Continuous ATO (cATO) Memo w/ Paul Puckett & Tyler Gesling

A discussion with the Director of the Army Enterprise Cloud Management Agency (ECMA), Paul Puckett, and Cybersecurity Subject Matter Expert (SME) from the DoD CIO-IE office, Tyler Gesling, on the recent DoD cATO memo.
3/31/2022, 1 hour, 2 minutes, 2 seconds
S2E23: Greg Touhill - Security/Boardroom Leadership & Zero Trust

- We know you served as the First Federal U.S. CISO, can you tell us a bit about that experience?
- In addition to your military and public sector background, you've held various industry roles as well; what are some of the major differences between the two environments you've experienced?
- We know you've held various board advisor and even director roles. Do you feel that Cyber is increasingly becoming a boardroom concern?
- You're very passionate about Zero Trust. What are your thoughts on the Federal push to adopt Zero Trust in an environment as big and complex as the Federal and DoD space?
- You've served at the highest levels of Cybersecurity leadership for several years - any advice for aspiring security leaders?
- What do you think the CISO of the future looks like in terms of skillsets and competencies?
- Can you tell us a bit about what you're up to these days with the CERT Division at SEI?
3/30/2022, 38 minutes, 31 seconds
S2E22: HackerOne - Bug Bounty, Vulnerability Disclosure and Ethics

Nikki: I've spent a number of years studying vulnerability chaining and using low and medium vulnerabilities in combination to create very critical attacks. Do you see this as a common method for attacks in the wild?
Chris: We're continuing to see the growth of bug bounty programs, such as HackerOne. How do you think these programs contrast (or complement) companies' internal pen test/red teams for example?
Nikki: Vulnerability management is an incredibly complex topic for a lot of organizations. Do you think bug bounty programs and Vulnerability Disclosure Programs (VDP) are helping to mature those programs?
Chris: How do companies have a level of assurance that the hackers will conduct the activities ethically?
Nikki: I think there's still sometimes a disconnect between what hackers and pentesters know about vulnerabilities and the actual attack paths, and the remediation teams that are working to prevent these types of attacks. Do you think there's a need to educate more Blue teamers on specific types of attacks and how they are conducted?
Chris: On the flip side, for hackers interested in bug bounty, how can they best go about getting started?
Nikki: We're starting to see more development teams taking responsibility for security; we frequently hear the term "shifting left." Is that a trend you are observing as well?
Chris: Thoughts on Log4Shell?
3/25/2022, 29 minutes, 54 seconds
S2E17: Ron Ross (NIST) - DevSecOps, Resilience and Compliance Innovation

Nikki - Can you tell us a little bit about what you're currently working on right now at NIST?
Chris - Software Supply Chain Security has become a hot topic lately. We know NIST published 800-161 covering C-SCRM; C-SCRM is a complex topic. Where do you see the industry going forward in terms of maturing C-SCRM practices?
Nikki - Speaking of maturing C-SCRM practices, do you feel that there is a need to provide more documentation for maturing other aspects of cybersecurity? I do not see a lot of people in the industry discussing vulnerability management programs, but it continues to be a challenging undertaking for organizations.
Chris - NIST 800-160 focuses on developing Cyber Resilient Systems. The DoD's Software Modernization Strategy focuses on Cyber Survivability as well. Do you feel the focus on resilience is critical, knowing that no system is infallible?
Chris - The Government is making a big push for DevSecOps. Many argue that the Government's approach to compliance, with RMF, is too cumbersome for DevSecOps. Do you disagree with this? If so, why, and do you think there are any changes we can make to better facilitate DevSecOps adoption?
Nikki - NIST is very well known for their inclusion of public collaboration with practitioners, researchers, and academic institutions - do you feel that there is more that can be done to increase collaboration between public, private, and academic institutions?
Chris - There's tons of buzz about cATO. Despite this recent buzz, Ongoing Authorization has been part of the RMF lexicon for quite some time. Do you feel that modern technologies such as Cloud can better help agencies and systems achieve a cATO?
Nikki - NIST has been on an absolute roll lately with publishing guidance, much of it tied to the Cyber EO. From Zero Trust, SSDF, and more. How does the organization keep such a pace on publishing industry guidance? What can we look for next in terms of big publications from NIST?
Chris - What's next for Ron Ross? You've been involved in countless major publications and methodologies. What do you see the legacy of Ron Ross being when you finally step away from being such a pillar in our community?
Nikki - What does cyber resiliency mean to you?
2/15/2022, 39 minutes, 32 seconds
S2E15: Shubhi Mishra - Government Innovation & Women in Tech

Nikki - First, I need to hear about how you feel about women in technology and any words of encouragement for women who are interested in starting a business?
Chris - We know your organization Raft is up to some innovative work in the Federal space, can you tell us a bit about that?
Nikki - You have such a unique background with business and law and technology; I've actually considered getting a law degree. Do you think that has altered your perspective as a business owner?
Chris - In your experience what have been some of the biggest impediments to digital transformation efforts in Government and do you have any recommendations for industry partners of Government on how to overcome them?
Nikki - Why do you feel it's so important to connect women in executive positions? Do you think there's a disconnect with how women are able to connect once they reach a certain level?
Chris - I know Raft has several SBIR awards. For folks not familiar with SBIR, what is it and how is it different than traditional government contracts?
2/2/2022, 29 minutes, 16 seconds
S2E14: Jacquelyn Schneider - U.S. Cybersecurity Policy & Cyber Deterrence

Nikki - You are currently a Fellow with Stanford University - could you talk a little about the journey you've made to this point and how cybersecurity plays into the Fellowship?
Chris - We know you served as a Senior Policy Advisor for the U.S. Cyberspace Solarium Commission. Can you speak about that, for those that aren't familiar with the commission, and knowing the government has acted on some of the commission's recommendations, do you think we're making the progress needed as a nation when it comes to Cyber?
Nikki - Do you feel that we're doing enough to blend academic, industry, and public sector pursuits in cybersecurity?
Chris - You recently spoke about why deterrence isn't the right approach for national security, can you elaborate on that, and what direction we may look to take instead?
Nikki - Given your background with the Air Force - do you think there are any lessons learned that we could use or, at the very least consider in other organizations when it comes to protecting systems?
Chris - We know you have an extensive background as a cybersecurity researcher and advisor, how do you go about ensuring you keep a pulse on the practitioner aspect of cybersecurity in addition to the research and academic aspect of cybersecurity?
1/26/2022, 25 minutes, 8 seconds
S2E13: Omar Marrero - Chaos Engineering and Building a Resilient DoD

- Can you tell us a bit about your background, how you got into the role you're in now?
- For those unfamiliar with the term "Chaos Engineering", what is it and why should organizations be practicing it?
- You currently support a program named Kessel Run, what do they do?
- Performing something disruptive such as Chaos Engineering almost seems unheard of in organizations such as the DoD with low risk tolerances for disruption; how did this come about?
- For people looking to get started with Chaos Engineering, where should they begin? Any recommended learning resources? How do they approach their leadership to propose implementing the practices of Chaos Engineering and get buy-in?
1/19/2022, 26 minutes, 4 seconds
S2E12: Dr. Nikki Robinson - Vulnerability Chaining

What is vulnerability chaining for those unfamiliar with it? Is it becoming more prevalent among malicious actors?
Why do you think we traditionally look at vulnerabilities in isolation?
How do we get organizations to shift their mindset of how they look at vulnerabilities?
How can organizations get context to understand what vulnerabilities can be chained together and how to mitigate those?
1/12/2022, 22 minutes, 16 seconds
S2E11: Drew Malloy - DISA, Zero Trust & Thunderdome

We know the DoD is pushing towards Zero Trust adoption and DISA is playing a key role in that. Can you tell us a bit about that?
What do you think some of the biggest hurdles for Zero Trust adoption in the DoD are and how can we start to address them?
Zero Trust has inevitably become a bit of a buzzword. If there is something people misunderstand about Zero Trust, what would you say that is?
For those looking to learn more about DISA's approach to Zero Trust, and just the topic more broadly, do you have any specific recommendations?
DISA's new network architecture project Thunderdome: what will it be and what does it consist of?
12/21/2021, 24 minutes, 17 seconds
S2E10: Shane Barney - Federal Zero Trust, Cloud, and DevSecOps

Chris - There's quite a push for Zero Trust in the Federal Government, with the Cyber EO and ZT publications from CISA. What do you see as some of the biggest impediments for the Government's adoption of ZT? What are some of the biggest opportunities?
Nikki - In one of your recent posts you mention the difference between zero trust being a concept vs being something to act on. What do you think the right way to implement a zero-trust architecture is?
Nikki - Do you have any resources for practitioners who are looking to ensure they are meeting a zero trust architecture framework?
Chris - You commented recently about Compliance NOT being Security. This is something that many of us who have been in the field long enough agree with. That said, the Government's approach to cybersecurity largely revolves around Compliance. Why is that, and how do we go about changing that to a focus on real security?
Chris - You recently had some comments about the CISO reporting relationship, in the Federal space, reporting to the CIO. Do you want to share any thoughts on who you think the CISO should report to and how CISOs can help influence who they report to, to support their security initiatives?
Nikki - You mention a need for CIO/CISO partnership - can you expand on why that's so important in an organization? How can the organization benefit from this partnership?
Chris - As you know, there's a big push for DevSecOps both in Government and Industry. What can Security teams learn from their Development peers and how do we successfully facilitate the push for DevSecOps?
12/14/2021, 37 minutes, 18 seconds
S2E9: Ron Gula - Cybersecurity Founding, Investing and Board Advising

Nikki - As someone who has such wide-ranging experience in cybersecurity from practitioner and business owner to investor - what would you say are the largest concerns in cybersecurity right now? Zero trust? Incident Response? Cloud security?
Chris - You hold several advisory and board member roles. For Cybersecurity professionals looking to perform similar roles, do you have any recommendations?
Nikki - With your background in a company like Tenable and the security tool industry, do you feel like cybersecurity practitioners have the tools that they need to perform tasks? Do you think there are any gaps between technology, process, and the people?
Chris - Having been around the cybersecurity industry for quite a bit, what do you think some of the biggest emerging changes are, and also, something that has remained relatively consistent?
Nikki - With all of the amazing nonprofit work you do - why do you think we still have such a skills gap and a need for more people in the security industry? How can we close that gap?
Nikki - Do you have anything in particular you're working on right now you'd like to share with our audience?
12/7/2021, 21 minutes, 10 seconds
S2E7: Rock Lambros - Cybersecurity, Business & The Evolution of The CISO

Chris - You have a book coming out titled The CISO Evolution - Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISOs to understand the business, and how do they balance their technical skills with business acumen?
Nikki - I see you've posted several videos on LinkedIn - my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision making when it comes to risk. Where do you think the sweet spot is with amount of data vs quality of data?
Chris - You and I participated in the Qualified Technical Expert course from Bob Zukis together. Do you think we will see boards required to obtain QTEs and why do you think boards lack technical fluency now, when so much of GDP and business is tied to technology?
Nikki - You spoke at the SANS Cybersecurity Leadership Summit on translating cyber risk into business risk. What would you say are the biggest takeaways for practitioners to be able to explain and express risk properly to improve security and hopefully, lower risk across the organization?
Chris - Do you think Cybersecurity is a business enabler? If so, how do we as cyber professionals help the business view Cybersecurity as an enabler and protector of revenue?
Chris - Do you have any recommendations for Cybersecurity professionals looking to transition into a CISO role in the future? Any key business books or resources to familiarize themselves with?
What does Cyber Resilient mean to you?
11/17/2021, 21 minutes, 35 seconds
S2E6: Tracy Bannon - DevSecOps, Innovation & The Public Sector

Chris - We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments for widespread Government adoption of DevSecOps are?
Nikki - I see you spoke recently about minimum viable continuous delivery - can you tell us a little bit about what that is and what it means? And what you think the possible implications may be on development cycles?
Chris - Do you feel there is often a disconnect between leadership and practitioners when it comes to successful DevSecOps implementation, and if so, what do you think that disconnect entails?
Nikki - I also saw in one of your recent talks you discuss how industry and the public sector need to work more closely together. This is something I'm also very passionate about - can you talk about why this partnership is so needed? Not just from a cybersecurity perspective but from an emerging tech perspective as well?
Chris - What can organizations do to help provide their workforce the space and grace to grow and learn to help facilitate the push for DevSecOps and Digital Transformation to ensure its success?
What does Cyber Resilience mean to you?
11/9/2021, 26 minutes, 59 seconds
S2E5: Lonye Ford - Cybersecurity Workforce & Leadership

Nikki - I'm so impressed with your wide range of cybersecurity experience - and with that experience you also are a Co-Founder and CEO. Can you talk a little bit about the transition from full-time practitioner to business owner?
Chris - If you had to list 1-2 top issues facing the Cybersecurity community within Government in particular, what would they be?
Nikki - What would you say are some of the biggest challenges that you've faced running your own company in the security and intelligence space?
Chris - We know there is a big push for cATO/Ongoing Authorization in Government. Do you think this is something that can be achieved? Any thoughts on the key factors to help it be successful?
Nikki - Would you have some advice for security practitioners that are thinking about starting their own business or moving up to a more managerial role from a technical role?
Chris - You have started and now lead a successful company in the Public Sector space. Any tips for your fellow entrepreneurs who may want to do something similar?
11/3/2021, 34 minutes, 42 seconds
S2E2: Cole Kennedy - Software Supply Chain Security, SBOM and Open Source

I was reading the CISA document "Defending Against Software Supply Chain" and was curious if the guidance within was helpful or informative for anyone who wants to start a S-SCRM program?
What role do you feel compliance frameworks play in SCRM? We are seeing sources such as NIST 800-53 include SCRM-specific controls now. Will it help?
What would you say is the most resilient component an individual could add to their own organization to recover quickly in the event of a software supply chain attack?
From the perspective of Cloud, do you feel cloud adoption can help, or hinder, when it comes to driving down risk associated with the supply chain?
What are the biggest concerns / risks when it comes to building a secure software supply chain program?
I know you've been involved with projects such as TUF and in-toto. Can you help folks understand what those are and why they are valuable?
What does the term "Cyber Resilient" mean to you?
Find out more from Cole at TestifySec - https://www.testifysec.com/
10/13/2021, 19 minutes, 47 seconds
Resilient Cyber - Episode 3 - Calvin Nobles, PhD - Human Factors in Cybersecurity

3/13/2021, 26 minutes, 1 second
Resilient Cyber - Episode 2 - Dutch Schwartz - Cloud Security, Culture and The Workforce

3/7/2021, 54 minutes, 4 seconds