Resilient Cyber brings listeners discussions with Cybersecurity and Information Technology (IT) Subject Matter Experts (SMEs) from the Public and Private sectors across a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.
S2E8: John D'Abruzzo - Offensive Security & Purple Teaming
Given your wide range of experience with AWS and cloud security - what would you say are some of the most common types of attacks for cloud platforms?
What would you say are the top three skills someone should work on if they're interested in a career on a Red Team or as a penetration tester?
Are there some really good resources or open-source tools you recommend for anyone learning about offensive security?
Shifting to Purple Teaming, how does Purple Team differ from traditional PenTest/Red Team activities?
For organizations looking to build out a purple team, where do you recommend they begin?
What does the term Cyber Resilience mean to you?
S2E7: Rock Lambros - Cybersecurity, Business & The Evolution of The CISO
Chris - You have a book coming out titled The CISO Evolution - Business Knowledge for Cybersecurity Executives. How critical do you think it is for CISOs to understand the business, and how do they balance their technical skills with business acumen?
Nikki - I see you've posted several videos on LinkedIn - my favorite so far is the "paralysis-by-analysis" concept. We've discussed before cognitive limitations and just how much data we could actually put into our decision making when it comes to risk. Where do you think the sweet spot is with amount of data vs quality of data?
Chris - You and I participated in the Qualified Technical Expert course from Bob Zukis together. Do you think we will see boards required to obtain QTEs, and why do you think boards lack technical fluency now, when so much of GDP and business is tied to technology?
Nikki - You spoke at the SANS Cybersecurity Leadership Summit on Translating cyber risk into business risk. What would you say are the biggest takeaways for practitioners to be able to explain and express risk properly to improve security and hopefully, lower risk across the organization?
Chris - Do you think Cybersecurity is a business enabler? If so, how do we as cyber professionals help the business view Cybersecurity as an enabler and protecting of revenue?
Chris - Do you have any recommendations for Cybersecurity professionals looking to transition into a CISO role in the future? Any key business books or resources to familiarize themselves with?
What does Cyber Resilience mean to you?
S2E6: Tracy Bannon - DevSecOps, Innovation & The Public Sector
Chris - We know you are extremely passionate about DevSecOps in Government. What do you think some of the biggest impediments to widespread Government adoption of DevSecOps are?
Nikki - I see you spoke recently about minimum viable continuous delivery - can you tell us a little bit about what that is and what it means? And what you think the possible implications may be on development cycles?
Chris - Do you feel there is often a disconnect between leadership and practitioners when it comes to successful DevSecOps implementation, and if so, what do you think that disconnect entails?
Nikki - I also saw in one of your recent talks you discuss how industry and the public sector need to work more closely together. This is something I'm also very passionate about - can you talk about why this partnership is so needed? Not just from a cybersecurity perspective but from an emerging tech perspective as well?
Chris - What can organizations do to help provide their workforce the space and grace to grow and learn to help facilitate the push for DevSecOps and Digital Transformation to ensure its success?
What does Cyber Resilience mean to you?
S2E5: Lonye Ford - Cybersecurity Workforce & Leadership
Nikki - I'm so impressed with your wide range of cybersecurity experience - and alongside that experience you are also a Co-Founder and CEO. Can you talk a little bit about the transition from full-time practitioner to business owner?
Chris - If you had to list the top 1-2 issues facing the Cybersecurity community, within Government in particular, what would they be?
Nikki - What would you say are some of the biggest challenges that you've faced running your own company in the security and intelligence space?
Chris - We know there is a big push for cATO/Ongoing Authorization in Government. Do you think this is something that can be achieved? Any thoughts on the key factors to help it be successful?
Nikki - Would you have some advice for security practitioners that are thinking about starting their own business or moving up to a more managerial role from a technical role?
Chris - You have started and now lead a successful company in the Public Sector space. Any tips for your fellow entrepreneurs who may want to do something similar?
S2E4: Dr. Allan Friedman - CISA - SBOM and the Art of Possible
For those unaware, what exactly is an SBOM, and why is it so important?
One of the presentations you gave mentioned that software supply chain attacks shouldn't be discussed as "emerging threats" - these really have been going on for years. Why do you think we still talk about it as an emerging threat or something novel?
We know you've recently talked about an effort dubbed "VEX" which seeks to add context to SBOM information. How is this valuable and how can it be used to reduce risk?
What would you say are the top 3 things that organizations could do today to be aware of in regards to software supply chain attacks?
In regards to SBOMs for complex environments such as SaaS where you have several parties involved and interdependencies, how do you see the SBOM evolving in that space?
How do you see organizations operationalizing SBOMs from a Cyber practitioner perspective? How will it fit into a robust cybersecurity program?
S2E3: Meghan Jacquot - Breaking in to Cybersecurity
You have just received your first-time role in cybersecurity as a Security Analyst - congratulations! How has your first experience been so far in this new role?
LinkedIn can be a powerful method of meeting others. Of all the amazing things you've done - what is the best advice you could give for someone trying to break into cybersecurity?
On the flip side - what is something you would like for hiring managers to consider when they are interviewing potential security analysts?
Of the conference volunteering, speaking at conferences, networking, and certifications that you've been working towards, what do you feel like was the most helpful to land your first job?
As someone who's been trying to break into cyber, what did you find were the biggest impediments?
What can we do as an industry to make the field more inclusive to aspiring entrants of all backgrounds?