Episodes
- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO? - What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner? - What did you find to be some of the biggest challenges when transitioning from practitioner to business owner? - Have you had to navigate working on versus in...
Published 04/13/24
Can you each tell us a bit about your background, before we dive in? For those not in the DoD or familiar with the term, what is a “Software Factory”? What is BESPIN? What is the current state of mobile security within the DoD? Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on? Are there any official mobile app sec requirements? Can...
Published 03/24/24
- First off, for folks that don't know you can you give them a brief overview of your background/organizations? - Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention? - Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem? - Josh - Your team has started...
Published 03/22/24
- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you? - How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdPs, as well as external environments such as SaaS and so on that they have identities and permissions tied to - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply...
Published 03/15/24
- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry-leading organizations such as Siemens and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry-leading CISO along the way. - How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more....
Published 03/14/24
- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so? - It's now been a couple of years since the major fall out of notable incidents such as SolarWinds and Log4j, do you feel like the industry is making headway in addressing software supply chain threats? - For organizations either just starting or looking to mature their software supply chain maturity, where are some key areas you recommend organizations...
Published 03/06/24
- First off, for folks not familiar with your backgrounds, can you please each tell us a bit about yourselves? - Let's set the table a bit, what is software liability and what is driving the increased calls for it? For example the recently released National Cyber Strategy, and commentary by U.S. leaders such as from CISA's Jen Easterly - What are some examples the software industry can pull from to try and establish a foundational liability regime? - What are some of the unique challenges...
Published 02/18/24
- First, please tell us a bit about your background and how you got into the role you are now in? What drew you to the marketing side of cybersecurity? - I have to be honest, many in the cyber practitioner community often bemoan cyber marketers, often citing poor tactics or interactions. What do you think has contributed to this systemic feeling and how do you think we get past it? - You've talked about how there is a lot of trash marketing out there and it's a threat to national...
Published 02/05/24
- Let's start off by discussing everyone's favorite topic, vulnerability management. When it comes to AppSec, obviously there's been a big push to "shift security left" which comes with CI/CD pipelines, SAST, DAST, Secrets Scanning, IaC scanning etc. How have you handled scaling AppSec effectively without burdening Dev teams with massive vulnerability lists and being a blocker for production and delivery?  - There's a lot of tools to choose from, across a lot of various categories, from...
Published 01/26/24
- First off, tell us about your journey to the role of the CISO. What did that look like, what steps did you take, what helped prepare you and so on? - To many, the CISO is considered the pinnacle of the cyber career field. How did it feel when you landed the role and looking back a year now, what are some thoughts that come to mind? - We know as you become more of a senior leader, you get less into the nuance and details of the technical activities and more focused on strategy, vision,...
Published 01/22/24
- First off, tell us a bit about your background and how you got to where you are now in your career - What led you to write the book? Tell us a bit about the process and the experience so far, given you didn't take a traditional route with a standard publisher etc - Your book is broken into different sections, such as security as an industry, understanding the ecosystem and trends shaping the future of cyber. Let's dive into some of those - You talk about how Cyber is horizontal, not...
Published 01/20/24
- For folks not tracking, let's level set a bit, what exactly is NIST 800-171 and CMMC, and what is the succinct background on the evolution of the two? - Are there notable events that led the DoD to pursue CMMC, building on the history of 171? - Obviously the introduction of the 3PAO aspect brings more rigor than previously existed with self-assessments. Many in industry have bemoaned the burden, cost and complexity of the new program and the impact it will have on industry (myself...
Published 01/12/24
- You've been heavily involved in the AI dialogue in the industry as it has heated up, how did you get your start specializing in software security and most notably AI? - AI continues to be one of the hottest cybersecurity topics in 2023 and heading into 2024. What do you think are some of the most pressing risks around the rapid growth of AI adoption and use? - We're seeing Governments scramble to regulate AI, with notable efforts like the EU AI Act. Why do you think it is critical for...
Published 01/05/24
- Tell us a bit about your cybersecurity journey, you've held a variety of roles with FFRDCs and industry - You've been talking a good bit about the latest Secure-by-Design push, what do you make of this push? I know you've raised concerns about needing to do some research to determine the effectiveness of these "secure" SDLCs - AI and ML are everywhere we turn in the cyber industry discussions. You've been speaking about the role of ML in cyber detection for example going back several...
Published 12/22/23
- First off, tell us a bit about yourself, what you're up to and how you have gotten where you are career-wise - What are some of the key differences with cloud-native security? - There's a lot of acronyms in the cloud-sec space, such as CWPP, CSPM, KSPM and so on. Can you unpack a few of these for the audience and what they mean? - This also implies there's a lot of different tools and capabilities to manage. Why do you think it is important to have a comprehensive platform to bring it...
Published 12/15/23
Nikki - Can you tell us a little bit about what interested you in cloud security in the first place? I know you have a particular interest in misconfigurations - was there a singular event that spurred your interest? Chris - What are your thoughts around Guardrails in the cloud and using things such as event-based detections? Chris - You interestingly took a Product role, but have a Detection and CloudSec background. How has the Product role been and do you think having the practitioner...
Published 11/14/23
Nikki - I have to start with the fact that you've been looking into the vulnerability management space! This is an area I've been focused on for many years and I'm curious - what are the biggest pain points you see now in VulnMgmt? Chris - I recently saw you had a blog regarding Exposure Management and contrasting it with Vulnerability Management. Can you talk about what Exposure Management is, and the differences between the two? Nikki - What got you interested in research? I'm always...
Published 10/20/23
- You recently wrote a book titled Zero Trust and Third Party Risk. Can you tell us a bit about the book, why you wrote it and how you see the convergence of ZT and TPRM? - There's been a lot of discussion lately around Software Supply Chain Security, but also Cybersecurity Supply Chain Risk Management, or C-SCRM. Do you see the former being part of the latter, and what challenges do you think organizations face trying to tackle both? - TPRM often involves manual subjective lengthy...
Published 10/15/23
Nikki - With your current role as a Distinguished Engineer - I know you focus a lot on cloud security. What does being a DE entail? Do you do some research along with your other duties? Chris: We've seen the discussion around data in the security space evolve quite a bit. From legacy environments with a SIEM/SOC centralized approach, oriented around "collecting all the things" to now discussions around data lakes, analytics, and automation among others. Can you discuss the evolution a bit...
Published 10/03/23
Nikki - I wanted to ask you first what got you so passionate about vulnerability management - what was it that first sparked your curiosity and interest in security research? Nikki - You do a lot of awesome graphics and visualizations of vulnerability data from both CISA KEV and around types of CVEs - what kind of statistics do you think are most important for security practitioners to know - and on the other side, what is most important for executives to understand? Chris - You've...
Published 09/24/23
Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close? Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud...
Published 09/08/23
- For those who haven't met you yet or come across your work, can you tell us a bit about your background? - First off, tell us a bit about OpenPolicy, what is the organization's mission and why did you found it? - Why do you think it's important for there to be tight collaboration and open communication between businesses, startups and policy makers? - Some often say that policy is written by those unfamiliar with the technology it governs or the impact of the regulation and it has...
Published 09/01/23
- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this? - What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat, given the ubiquity of software, this seems short sighted, no? - In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can...
Published 08/04/23
Nikki - In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have there been any benefits you've seen in academia that you've brought to the military space, or vice versa? Nikki - We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not...
Published 06/30/23