123 episodes

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.

Resilient Cyber Chris Hughes

    • Technology
    • 4.9 • 14 Ratings

    S6E15: John Hammond - Cybersecurity Industry Trend Analysis & Content Creation

    • 38 min
    S6E14: Dr. Georgianna Shea: Cyber-Physical Resilience & Supply Chain Security

    - For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?

    - Some may be asking, what's the big deal, it's just software. Can you help explain the pertinent risk we face as we increasingly see physical systems, infrastructure and society run on software?

    - The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?

    - It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?

    - Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?

    - One thing I noticed is the emphasis on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished as it passes from leadership to middle management and staff?

    • 28 min
    S6E13: Bryson Bort - Cybersecurity and the Entrepreneurship Journey

    - First off, for folks not familiar with your background, can you tell us a bit about your journey from your earlier IT/cyber and military time to eventually being a Founder and CEO?

    - What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?

    - What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?

    - Have you had to navigate working on versus in the business, and what has that looked like for you?

    - For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?

    - I know you're also very passionate about the veteran community in cyber, why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?

    • 35 min
    S6E12: Matt Nelson & David Cantrell - BESPIN Software Factory - Innovating at the Edge

    - Can you each tell us a bit about your background, before we dive in?

    - For those not in the DoD or familiar with the term, what is a "Software Factory"?

    - What is BESPIN?

    - What is the current state of mobile security within the DoD?

    - Why do you think there's such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years on "edge", along with the rapid growth of the remote workforce and so on?

    - Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?

    - Most know that in DoD and Federal there is also a lot of compliance rigor and many hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?

    - Since there are no official mobile requirements, you kind of get a second mover advantage. How can you take lessons learned from the Cloud Computing SRGs and apply them to mobile?

    - Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airmen on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.

    • 55 min
    S6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos

    - First off, for folks that don't know you can you give them a brief overview of your background/organizations?

    - Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?

    - Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem?

    - Josh - Your team has started providing some accompanying resources to try and address the gap, can you tell us a bit about that?

    - Dan - You've spun up an open letter to Congress and have kicked off a bit of a grassroots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?

    - Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?

    - What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?

    • 29 min
    S6E10: Adam Bateman - Securing the Modern Identity Perimeter

    - It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you?

    - How much do you think the complicated identity landscape plays a role? For example, most organizations have multiple IdPs, as well as external environments such as SaaS, that they have identities and permissions tied to.

    - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security and conversations about software supply chain security. Why do you think that is?

    - You all have published some innovative research around what you dubbed the "SaaS Attack Matrix". Can you tell us a bit about that research and how organizations can use it?

    - You're also doing some really great work focused on IdP threats, such as OktaJacking, covering detection and even response. Can you unpack that for us?

    - It's been said that the browser is the new OS, and I have seen you all say that if that's the case, Push Security is the new EDR. Can you elaborate on that?

    - I recently saw a headline from LinkedIn's own CISO Geoff Belknap that read "Push Security does for identity what CrowdStrike does for Endpoint". That's quite the endorsement and also a catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?

    • 32 min

Customer Reviews

4.9 out of 5
14 Ratings

Burj#2

A must listen!!

If you’re doing cybersecurity for the USA—you HAVE to add this podcast.
