- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?- Some may be asking, what's the big deal, its just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?- One thing I noticed is the emphasize on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?

- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO?- What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?- Have you had to navigate working on versus in the business, and what has that looked like for you?- For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?- I know you're also very passionate about the veteran community in cyber, why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?

Can you each tell us a bit about your background, before we dive in?For those not in the DoD or familiar with the term, what is a “Software Factory”?What is BESPIN?What is the current state of mobile security within the DoD?Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on?Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?Since there are no official mobile requirements you kind of get a second mover advantage, how can you take lessons learned from the Cloud Computing SRGs and apply that to mobile? Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airman on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.

- First off, for folks that don't know you can you give them a brief overview of your background/organizations?- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?- Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem?- Josh - Your team has started providing some accompanying resources to try and address the gap, can you tell us a bit about that?Dan - You've spun up an open letter to congress and have kicked off a bit of a grass roots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?- What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?

- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you? - How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdP's, as well as external environments such as SaaS and so on that they have identities and permissions tied to  - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain security - why do you think that is?- You all have published some innovative research around what you dubbed as the "SaaS Attack Matrix" can you tell us a bit about that research and how organizations can use it?  - You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us? - It's been said that the browser is the new OS, and I have seen you all say if that's the case, Push Security is the new EDR. Can you elaborate on that?  - I recently saw a headline from LinkedIn's own CISO Georgg Belknap that read "Push Security does for identity what Crowdstrike does for Endpoint". That's quite the endorsement and also catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?

- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry leading organizations such as Siemen's and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry leading CISO along the way. - How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISO's would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director type roles?- Many CISO's and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar? - I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board level and advisory roles? What skillsets and expertise should they be focused on the most?

- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so?- It's now been a couple of years since the major fall out of notable incidents such as SolarWinds and Log4j, do you feel like the industry is making headway in addressing software supply chain threats?- For organizations either just starting or looking to mature their software supply chain maturity, where are some key areas you recommend organizations focus their attention?- We have a complex landscape from extensive use of open source, SaaS and Cloud providers, partners and third parties, how have you seen firms successfully handle this complexity when it comes to activities such as incident response? - There's a bit of a heated debate in the industry underway on point products vs. platforms. I know Checkmarx has a comprehensive AppSec platform. How do you view this debate, and do you think we will always have and see the need for point products, best of breed and comprehensive platforms in the industry?- You spend a fair bit of time focused on SSCS research, how does your team approach these activities and sharing the insights with the community?- Checkmarx shares a tremendous amount of informative and insightful research around SSCS. Where can folks learn more and what are some of the interesting projects you all are currently working on?

- First off, for folks not familiar with your backgrounds, can you please each tell us a bit about yourselves?- Let's set the table a bit, what is software liability and what is driving the increased calls for it? For example the recently released National Cyber Strategy, and commentary by U.S. leaders such as from CISA's Jen Easterly- What are some examples the software industry can pull from to try and establish a foundational liability regime?- What are some of the unique challenges that make software a nuanced domain to try and implement something like this in, compared to some other industries?- Jim - you recently wrote a paper about "establishing the floor", can you elaborate on that for us a bit? How about you Chinmayi, any thoughts?- Some of have of course exclaimed something like this could/would kill innovation and have major economic consequences, or lead to "ambulance chasing" type behavior pursuing litigation as a weapon against vendors. What do you think about that? - Chinmayi - you had a paper titled "A Bug in the Software Liability Debate", where you talked about challenges of defining a duty of care, can you elaborate, and dealing with unknown vulnerabilities. Can you expand on that a bit?Jim - You've talked about focusing on the outcomes/product, not the process, why do you think that's important?- Another equally critical part of the conversation is Safe Harbor, that is protections for those who due perform the duty of care or act responsible. Can you touch on that topic, and each give your thoughts on what that may look like if it were to take shape?

- First, please tell us a bit about your background and how you got into the role you are now in your career? What drew you to the marketing side of cybersecurity?- I have to be honest, many in the cyber practitioner community often bemoan cyber marketers, often citing poor tactics or interactions. What do you think has contributed to this systemic feeling and how do you think we get past it?- You've talked about how there is a lot of trash marketing out there and its a threat to national security, and the need to become more cyber literate as an industry, and civilians as well. Let's hear your take on that!- What differentiates a "good" cybersecurity marketer? - How do you find yourself effectively working with product teams, and bridging the gap between the deeply technical engineering and development types and the broader cyber business community, and activities such as sales and GTM?- I feel there is a lot cyber practitioners, including CISO's could learn from cyber marketers. For example, we often hear about the need for soft skills in cyber, things like communication, story telling, relationship building, empathy and more. What do you think about that, and what lessons can practitioners, including CISO's learn from our marketing peers?

- Let's start off by discussing everyone's favorite topic, vulnerability management. When it comes to AppSec, obviously there's been a big push to "shift security left" which comes with CI/CD pipelines, SAST, DAST, Secrets Scanning, IaC scanning etc. How have you handled scaling AppSec effectively without burdening Dev teams with massive vulnerability lists and being a blocker for production and delivery? - There's a lot of tools to choose from, across a lot of various categories, from source, build and runtime. How have you navigated selecting the right tools for the job? What about actually integrating, tuning and optimizing them when the team is often already stretched thing?- On the tooling front, what has been your experience between vendor tools, vs. OSS options? What are some of the pros and cons you have seen from each?- Behind all the technology is people. How have you approached building your AppSec teams?- There's some nuances between existing team members and building the team. When you begin a new role, how have you approached building rapport among the team, getting trust, understanding historical team and org context and so on?- You seem to continue to find yourself in various leadership roles in AppSec, event after a recent move back to an IC role. Why do you think that is, and what skills have helped you stand out as someone others want to work with, and even for in some cases, as a leader?- What are some of your go-to resources for learning more about AppSec and keeping up to date on such a fast moving and dynamic space?

- First off, tell us about your journey to the role of the CISO. What did that look like, what steps did you take, what helped prepare you and so on?- To many, the CISO is considered the pinnacle of the cyber career field. How did it feel when you landed the role and looking back a year now, what are some thoughts that come to mind?- We know as you become more of a senior leader, you get less into the nuance and details of the technical activities and more focused on strategy, vision, organizational objectives and so on. Can you speak about balancing the technical expertise and experience with learning to better engage your business peers and fellow leaders across the organizations?- A key part of being a CISO is building and empowering the team around you to ensure security is successful. How do you approach building and leading a team as a CISO?- Something worth calling out is you aren't the CISO of a SMB of commercial product company, you're the CISO if a Federal agency. That comes with its own unique challenges, demands and complexity, from resources, requirements, compliance rigor and more. Can you speak a bit about the unique aspects of being a Federal CISO and how you've navigated those so far?- What are some of your biggest lessons learned, challenges and recommendations around being an effective leader? - For those aspiring to become a CISO, what resources and steps do you recommend?- Let's talk a bit about your current role and organization, many of course are interested to hear about that. What are some key strategic objectives you're focused on at CDC, to the extent you're able to speak about them publicly?

- First off, tell us a bit about your background and how you got to where you are now in your career- What led you to write the book? Tell us a bit about the process and the experience so far, given you didn't take a traditional route with a standard publisher etc- Your book is broken into different sections, such as security as an industry, understanding the ecosystem and trends shaping the future of cyber. Lets dive into some of those- You talk about how Cyber is horizontal, not vertical and the role of trust. Can you elaborate on that and how it makes our field unique?- You talk extensively about the role of capital, the different types of capital/investors and how it prevents cyber companies from failing at standard rates, or avoiding natural selection as you call it. I suspect this contributes to what some perceive as having "too many security vendors". Do you think that's the case, and is there any merit to the too many vendors argument?- You dive deep into the role of industry analysts, how they impact purchasing decisions especially among large established firms and organizations. Do you think industry analyst firms have the same impact as they did a decade ago? What impact do you think social media, and "influencers" and practitioners themselves being more vocal about products, tools and methodologies is having?- One topic you speak about that I really enjoy is moving from promise based to evidence based security. You talk about outcomes over promises and buzzwords, but we also know it is hard to quickly determine if a tool or vendor keeps promises, and it isn't only on tools, there are resources, staffing, internal expertise and bandwidth that all play a part. Can we delve into that topic a bit?- Do you think security practitioners being more involved in the buying process is also driving change?- Let's pivot a bit to founders. You have produced incredible pieces of the founder ecosystem, pioneer firms who led the way, the role of large publicly traded cyber firms and the role of networks among military, Israeli and repeat founders. It feels like the old saying success begets more success. Do you think there's lessons from these pioneer and repeat founders that some new founders neglect and are there opportunities for new founders to disrupt the way things worked in the past?- You also stress the need to validate problems before going all in on a company focus and product. This is one I am passionate about, as often cyber feels like a hammer looking for a nail. You discuss how problems experienced among the cyber "1%" such as silicon valley and cloud-native startups are much different than big enterprise firms, but the latter is where the money is. I assume it is tempting to focus on the sexy and shiny issues but not realize it's not always where the money is?- Looking to the future, you discuss the convergence of software and engineering with security, with the push to everything become as-Code, the adoption of DevOps, now DevSecOps and the Cloud of course. What do you think security practitioners of the future look like in terms of key differences from today?- I personally think it is very important for security practitioners to step back and actually understand the ecosystem they operate in, as it is easy to get caught up in a specific product, platform, or cyber role and lose the bigger picture. Your articles are among the best on this topic in my opinion, especially for products, vendors, capital and more. What advice do you have for security practitioners when it comes to needing to better understand the broader aspects of the ecosystem they operate in?

- For folks not tracking, let's level set a bit, what exactly is NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two?- Are there notable events that led the DoD to pursue CMMC, building on the history of 171?- Obviously the introduction of the 3PAO aspect brings more rigor than previously existed with self-assessments. Many in industry have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry (myself included). What are your thoughts on the potential to impact the DoD supplier base and lead to further consolidation?- Many DIB suppliers are of course SMB's who rely on CSP's and MSP's to meet these requirements, or conduct their daily operations, leveraging various external parties. How does CMMC handle entities like CSP's and MSPs?- There was recently a memo from the DoD CIO clarifying some language around "FedRAMP equivalency" for DFARS 7012. First off, what is 7012, how does it tie to 171 and CMMC and what did the DoD CIO memo essentially say?- Most SMB's in the DIB lack internal cyber expertise and resources, and of course this has led to a booming industry of 171/CMMC consultants and 3PAO's. What are your thoughts on that growing ecosystem and how do SMB's ensure they're working with the right advisors and assessors?- What are some of the details on the timelines and rollout of the finalized CMMC rule? When and how should folks be preparing?- Many of course are quick to claim "compliance isn't security" when discussing stuff like 171 and CMMC. What's your initial reaction to those claims, and how do we help folks understand that industry will not just voluntarily spend and focus on security requirements without being required to do so?- CMMC of course has a ConMon aspect, right now that is does via annual self-assessments/reporting as I understand it. What do you think CMMC gets right on this front, and what could be done better?

- You've been heavily involved in the AI dialogue in the industry as it has heated up, how did you get your start specializing in software security and most notably AI?- AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use?- We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical for Governments to act so quickly on this emerging technology, especially when Government is historically reactionary and slow to adapt?- What are some of the key considerations that must be kept in mind to help securely govern and regulate AI without hindering innovation and economic prosperity and potential that AI may bring?- You're involved in efforts such as the OWASP AI Exchange, can you tell usa bit about that effort, how it came about and how practitioners can learn from and leverage it?- Compliance can be cumbersome with many overlapping and often duplicative compliance frameworks that industry has to wrestle with. You've been working on an effort dubbed "OpenCRE" can you tell us a bit about that and what the goals are?

- Tell us a bit about your cybersecurity journey, you've held a variety of roles with FFRDC's and industry- You've been talking a good bit about the latest Secure-by-Design push, what do you make of this push? I know you've raised concerns about needing to do some research to determine the effectiveness of these "secure" SDLC's- AI and ML are everywhere we turn in the cyber industry discussions. You've been speaking about the role of ML in cyber detection for example going back several years. There's a lot of focus on the risks of AI, but what do you think about the promise of AI and ML to help with defending organizations and agencies?- I know you've been discussing threat informed defense and even took a swing at NIST 800-53/FedRAMP and its relevance. Can you elaborate on this, and how you think we're getting it wrong as an industry with regard to compliance and security?- You recently had awesome comments about the risks in public cloud attack surfaces and implications for national security, let's dive into that one, give us some thoughts on this front?- We're heading into 2024, so let me ask, what are some of your top predictions we may see in cybersecurity over the next year?

- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career wise- What are some of the key differences with cloud-native security?- There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean?- This also infers there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it together, to avoid tool sprawl and cognitive and alert fatigue?- There's a lot of focus of course on shifting security left, and CI/CD pipelines and so on, but I know you also focus on runtime security. What makes runtime security so crucial in the cloud context?- Can you tell us a bit about Aqua Security, what you all do and what makes you unique from some of the other platform providers and security companies out there?- What does the term "cyber resilience" mean to you?

Nikki -  Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations - was there a singular event that spurred your interest? Chris - What are your thoughts around Guardrails in the cloud and using things such as event based detections?Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been and do you think having the practitioner background helps you be a more effective Product Manager and leader?Nikki - There's a lot of talk around DataOps and SecOps - we're really seeing a bridging of fields and concepts to bring teams together. I wanted to talk a little bit about the human element here - do you see more of these blending of fields/disciplines?Chris - I know you've taken a new role recently with Monad, which focuses on Security Data Lake. What made you interested in this role and why do you think we're seeing the focus on Security Data Lakes in the industry so much? Nikki -  What are some of the emerging trends you see in cyber attacks against cloud? What should people be most concerned with and focus on first when it comes to cloud security? Chris - You also lead the Cyber Pulse newsletter, which I read and strongly recommend for news and market trends. What made you start the newsletter and have you found it helps keep you sharp due to needing to stay on top of relevant topics and trends?Nikki -  What does cyber resiliency mean to you?

Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt? Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two? Nikki - What got you interested in research? I'm always curious because there is such a niche space within cybersecurity and I love meeting other researchers. How do you think cyber benefits from research and vice versa?Chris - You also recently had some content regarding doing a deep dive into Nation State threats. We're increasingly seeing cyber play a part in nation state conflicts, why do you think that is, and can you touch on how this plays into regulatory fallout as well?  Nikki - I want to talk about your blog post about "The Blob" - you talk about how people use some similar terminology and language (false messaging) to steer the conversation in security tooling. Can you talk a little bit more about this concept and what you think it means to the industry? Chris - You have been having conversations about Detection Engineering. Can you talk about how it is different from legacy/traditional SecOps and what the future of Detection Engineering and Detections-as-Code looks like? Nikki -  What does cyber resiliency mean to you?

- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM?- There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both?- TPRM often involves manual subjective lengthy questionnaires that we are all painfully familiar with. How effective do you think these are and do you think we are going to see a future based on machine-readable attestations and more automated assessments to augment some of the traditional manual questionnaire type activities?- Most organizations struggle to implement fundamental security practices and processes within their own organization, let alone thoroughly ensuring all of their 3rd and nth tier suppliers are, is this a gordian knot type situation?- What are your thoughts on first party self-attestations vs 3rd party assessments? Each has its pros and cons and challenges. - The name Zero Trust is a bit of a misnomer, as we know it means no implicit trust, and it also seems a little counter-intuitive in our increasingly inter-connected ecosystem and society. How do you see the push for Zero Trust playing out when we look at the broader supply chain ecosystem?

Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties?Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit with us and your thoughts on it?Chris: I've been reading pieces lately that are pushing the narrative that there isn't "security" data, there's just business/organizational data, some of which has security context/use. What are your thoughts on this? It seems to be in-line with a push for security to be more tightly coupled with and speak the language of the business.Nikki - Recently you were posting about the AWS IR guide and even getting into some logging with AWS. Logging is one of those areas that I'm super interested in - especially from an IR perspective. What do you think about where we are with security logging guidance and what should organizations know about setting up complex logging environments? Chris: As we continue to watch the security data space evolve I know you've been championing the concept of, and even have written extensively about the term "SecDataOps". What is this exactly, and why do you feel like it is the time to have the industry move this direction?Chris: We're also seeing a push for standardized logging formats, such as the Open Cybersecurity Schema Framework (OCSF), which has gotten support from some of the largest tech companies. How important is it for the industry to rally around a standardized cybersecurity schema/framework and what are the challenges of not doing so? Nikki - You have also done some Board Advising and taken on several Advisory roles for Boards. Two part question - what got you interested in taking on an advisory role and what would you suggest for other technical practitioners who want to get more involved at the Board or executive level?  Nikki - What does cyber resiliency mean to you?