In this episode of Resilient Cyber, I sit down with my friend and the Founder of Return on Security (RoS), 💰 Mike Privette.

Mike is the among the best our community has to offer when it comes to analyzing the macroeconomic trends of the cybersecurity ecosystem, from M&A, fundraising, startups, innovation, and venture capital.

We will dig into the macroeconomics of cyber this past year, key trends, takeaways, the outsized role AI has or hasn’t had and what 2026 may hold as we look ahead.

In this episode I sit down with my friend and Vulnerability Researcher Patrick Garrity 👾🛹💙 of VulnCheck to do a roundup of the latest trends, analysis and insights into the vulnerability and exploitation ecosystem throughout the past year.

We covered a lot of great topics, including:

- The most notable vulnerability trends over 2025, including what has changed, or stayed the same in the past year.

- Continued challenges around the NIST NVD and CVE, the sprawl of competing vulnerability databases and vulnerability identification schemes, challenges with funding, centralized vs. decentralized approaches and what the future holds. 

- What the life of a vulnerability researcher looks like under the hood, including participating in coordinated vulnerability disclosure.

- Efforts from Patrick's team at VulnCheck, including their Known Exploited Vulnerability catalog, covering gaps from the CISA KEV, as well as https://research.vulncheck.com that provides excellent graphs and visualizations.

- Patrick's thoughts on what the vulnerability management landscape may look like in 2026. 

In this episode of Resilient Cyber, I sit down with Binalyze Founder/CEO Emre Tinaztepe.

We will discuss how AI and automation are impacting the future of the SOC and the role that forensics-level data can play in incident response and recovery, as well as proactive threat hunting.

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?

Chris - SaaS obviously involves a lot of third-party integrations. What are the risks o f these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?

Nikki -  Chris and I have talked a lot about software security, SBOM's, and what does open source security look like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain?

Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations? 

 Nikki -  When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations? 

Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc?

Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks?

 Nikki -  I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits? 

 Nikki -  What does cyber resilience mean to you?

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?

Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. at NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?

Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and looking into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing? 

Nikki:You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices? 


Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?


Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVE's but components identified in its SBOM do?

Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I recently walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have went on to go into industry cyber roles and now as a CEO?

Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization? 

Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out? 

Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?

Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession? 

Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN.  In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked?

 Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool 

 Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time 

Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?

Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?

Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity? 

 Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry? 

Chris: We know there's rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two?

 Nikki: What does cyber resiliency mean to you?

Nikki - First - tell me a little bit about yourself and your background 

 Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR? 

Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful 

Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there?

 Nikki - One of your previous roles was Deputy Director of People Analytics, I've not heard much about this role before and I'm interested what that type of position entails and what that means to the people in an organization? 

Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams? 

Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise?

Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails?

 Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing. 

Nikki - Can you talk about some of the other innovation in the HR space?

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?

Chris: You have done a lot of research into software supply chain security, and of course SBOM's. One recent study you took a look at the quality of SBOM's in the OSS ecosystem, compared to say the NTIA defined minimum elements for SBOM. Can you tell us a bit about the study and implications of the findings?

Chris: In addition to SBOM, we're seeing the emergence of VEX, can you speak a bit about its importance?

Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow" but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?

Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and career

Chris: - We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?

Nikki: - There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOM's and challenges of that nature?

Chris: - We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?

Nikki - We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?

Nikki - I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to see successful cloud adoption and software modernization?

Chris - Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATO's in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?

Nikki - With your experience in various cloud and Cybersecurity roles, what would you say the top 3 concerns are right now for cloud security? 

Nikki -  I see you do a lot of work Cybersecurity and cloud education, do you feel like we have better tools and resources today than a few years ago? Or too many resources? 

Chris - We know you have a Detection Engineering background. For folks not familiar with Detection Engineering can you tell us a bit about it and the role it plays in Cloud Security?

Chris - It is often said that Detection Engineering builds on the practice of Threat Modeling, in terms of identifying relevant threats and building detections associated with those threats. Do you agree with that and how valuable do you think Threat Modeling is for Cyber and Cloud Security professionals?

Nikki -  What would you recommend for anyone getting started in the cloud, moving from on premises or data centers, what should they do first? 

Nikki - What do you think is next for cloud? I see so many debates in the industry and it seems like there's a trend towards creating systems on prem versus in the cloud.

Chris - I know in addition to your professional role you've a huge content creator with over 20,000 folks following you on YouTube. How did you get going down this path?

Chris - Do you think it is important in the current industry landscape and remote work paradigm to be out there building a personal brand, creating content and engaging with the community?

Chris - I have to start with the intersection of law and cybersecurity. We're seeing major strides in regulations, both federal and state (like NYFDS), to regulate and enforce cybersecurity policies and program-based guidance. What are some of the emerging trends we're seeing in cyber law? 

Chris - As you know, we recently saw the new National Cyber Strategy, which makes a push for shifting the burden/responsibility for cybersecurity on the vendor or those best positioned to address it. Why do you think it has taken us so long to get to this point? I know you've drawn parallels to other industries such as automobiles

Chris - On the topic of parallels to other markets and industries, such as automobiles, pharmaceuticals and manufacturing, there are some unique aspects of software, in the sense it isn't tangible or kinetic, and can be very opaque, What impact do you think those characteristics have on trying to regulate it like we have done with other industries?

Chris - The National Cyber Strategy also introduces the concept of Software Liability. This part of the strategy got the most aggressive response from industry and the community. Why do you think this makes everyone perk up so much?

Chris - Many started to raise questions such as who will define "secure", who and how will it be validated or verified, and where is the line of responsibility between the software supplier and consumer. Any thoughts on these topics and questions?

Chris - On the topic of regulation, many consider cybersecurity to be an example of a market failure. Can you explain what that is, and why some feel that way? How do you think think we balance regulation without stifling innovation in the tech industry?

Nikki - How do you think the public sector and private sector are seeing cybersecurity laws differently? Do you feel like the private sector is lagging behind in cybersecurity regulations? 

Chris - I have worked on programs such as FedRAMP before, for Federal Cloud Services and I am familiar with NIST 800-171/CMMC as well for the DIB. Many argue, and I think there is merit to the claim that these sort of frameworks lead to smaller pools of suppliers and potentially a less diverse pool of market participants. Any thoughts on these impacts and if it is worth the trade off?

Chris - Many compliance and regulatory schemes either take one of two approaches. The first being a self-attested model where entities self-attest their compliance, such as NIST 800-171 for the DIB was, and the second is a 3PAO model, where a 3rd party verifies compliance, such as in FedRAMP. Each of these models has drawbacks, such as less than truthful or accurate self-assessments, or the 3PAO requirement becoming cumbersome, costly and a bottleneck. What do you think about these two approaches and where do you see us heading with regards to say the National Cyber Strategy, liability and so on?

Nikki: I have to start with an article you wrote a couple of years ago, about how we explain and provide context around vulnerabilities. I love the analogy of a 'vulnerability recipe' and how we can step through an explanation of vulnerabilities. Can you talk a little bit about the process and what compelled you to explore this topic? 

Nikki: I saw you spoke to Ron Ross recently, we had him on the show last year talking about cyber resiliency and of course software supply chain. Can you talk a little bit about security assurance and what that means to both developers and security practitioners? 

Chris: You've been a leader in the AppSec space for some time, particularly focusing on capabilities and tooling such as IAST. For folks not familiar with IAST, can you explain what it is and the value it adds over say SAST and DAST?

Chris: I know you and I have exchanged messages and comments about Software Supply Chain Security and SBOM. What are your thoughts about where were headed on this front as an industry?

Chris: With the release of the National Cyber Strategy yesterday I of course have to ask your initial thoughts. First more broadly, about the overall sentiment of the strategy and also about specific areas, such as increased requirements on software vendors and technology providers to produce secure products and the potential for increased liability.

Nikki: It looks like you had a pretty lengthy time with OWASP - can you talk about some of the work you did there and the work that OWASP does? I think people typically equate OWASP with the OWASP top ten, but there are so many free resources and tools available for developers and security professionals. 

Chris: Given your past involvement of a decade with OWASP in its early growth, any thoughts on the recent open letter we saw sent to the OWASP leadership?

Nikki: Can you talk a little bit more about Contrast security and the type of work you all do? Would like to hear more about what the company has going on and anything else you may have coming up.

Chris: Continuing on with Contrast, I am interested in the founders journey a bit. Contrast has been around for nearly a decade and is now up to several hundreds of employees. What has that journey been like and what are some of the major ways the industry has, or hasn't changed during that time?

In this episode, I sit down with Andy Ellis, a longtime industry security leader who has turned investor, advisor, and mentor. We will discuss how security vendors can build effective marketing and sales teams and Andy's experience identifying and investing in industry-leading security startups. 

Don't miss this chance to hear from an industry legend who has worn multiple hats and excelled as an operating, investor, and overall security leader.

Nikki: I saw you recently did a Cyber Jeopardy Panel at the American Bar Association about cybersecurity and cyber law - can you talk a little bit about the intersection of cybersecurity and law?

Chris: Continuing on that thread a little more, and you and I have chatted about this, what are some of the dichotomies or challenges of Cybersecurity in a democratic society versus say an authoritative regime or nation?

Chris: I know you have a background with the DoJ and U.S. Attorney's office, are there some challenges with say cyber investigations in the U.S. due to some of our protections for individual freedom, privacy and so on?

 Nikki: It seems like we're seeing more and more organizations seeing the need for both mature cybersecurity programs and cyber law programs - but I haven't seen a ton of these groups working closely together. How can we build both programs in combination?

Chris: It seems like every day we are seeing headlines about catastrophic cyber incidents.  Are there any historical parallels to what we are dealing with today?  Do you think we’ll ever get out of it? 

Nikki: What do you think major attacks like ransomware in healthcare and even in local and state governments and school are doing to shape cyber legislation?

Nikki: If you could give one message to the American people about how we will address this challenge, what would it be?

Chris: I would be remiss if I let you off the show without trying to dig into the forthcoming National Cyber Strategy with you. With the extent of what you're able to share, there's been a lot of buzz and rumors about an increased call for regulation, do you have any thoughts on that front?

Chris: Many have said that Cybersecurity is a market failure and that it will require government intervention and regulatory measures to change things and have cybersecurity be taken more seriously by businesses and organizations. How do we balance that need for truly addressing cybersecurity risk without at the same time stifling innovation and our free market society? 

 Nikki: Do you see more legislation potentially coming in the future around security governance and compliance?

Nikki: I'm very fascinated by cybersecurity and law terminology - do you think there's some room for us to find a common thread between both disciplines to help people like me understand law terminology and language better?

Chris: First off, why do you think soft skills are so often overlooked or undervalued in our field of cybersecurity?

Chris: I'm curious your perspective on how to help people build soft skills, much like technical skills, some may have more of an aptitude for technical work or prefer not interacting with people as often. Any advice for folks who may be a bit more of an introvert and finding dealing with people intimidating?

Niki: I wanted to first talk about the Learning resources you have on your site - the softsideofcyber.com - I am a big fan of this area because you include everything from books and articles to newsletters. Can you talk a little bit about why you included this section and what you're hoping to do with it in the future? 

Nikki: This may seem like a silly question - but clarity and definitions for terminology and language are really important. People talk about 'soft skills' in a lot of ways. What does 'soft skills' mean to you and how have these skills aided you in your career? 

Nikki: What is the perfect balance of technical and 'soft skills' - do you feel like it depends on your role? Or do you feel like this balance is essential, regardless of your role? 

Chris: You recently wrote an article on CSO online about unleashing the power of an effective security engineering team. While you did discuss technical skills you also wove in content from folks such as Sidney Dekker and Adam Grant. How do you feel like diversifying your learning outside of technical topics has helped you be more successful in your own roles and career?

Nikki: Do you feel like 'soft skills' expands from empathy and emotional intelligence to an understanding of cognitive bias, mental workloads, and other psychological phenomena?

Chris: What's next for the Soft Side of Cyber? What projects are you working on and what are you hoping to do with this in the next 6 months?

Nikki: Since I know what cyber resiliency means to you in a technical context, can you expand on what this means to you in the 'soft skills' and human context?

Nikki: My first question is about your book, The Application Security Handbook - who do you think most benefits from this type of book and why do you think they need it?

Nikki: What inspired you to write this? You have a ton of experience from being a security architect, to working in an IAM group, to application security - I would imagine all of that expertise allows you to see application security through a unique lens.

Chris: In your book you touch on the dichotomy of shifting security left while minimizing friction between the Security and Development teams. This is a common challenge many security teams face. Can you elaborate on some of your recommendations on this front?

Chris: You also emphasize the role of security champions and democratizing security to some extent through this approach. What exactly is a security champion and how do organizations go about doing this?

Nikki: You mention threat modeling in your book - what do you think is the best place for Application Security programs to start when building in threat modeling? This is typically a higher level of maturity for programs and I'm curious at what time it's best to integrate threat modeling?

Chris: We're obviously seeing a big push for robust CICD pipeline tooling for security such as SAST, DAST, SCA, Secrets Scanning and So on. Of course this tooling all produces noise. You lay out some strategies in the book on dealing with that. Can you touch on some of those here?

Chris: I would be remiss if I let you go without discussing Software Supply Chain Security and SBOM's. I know you touch on SCA, OSS and SBOM's in the book. Why do you think it is key for organizations to start including this in their appsec programs?

 Nikki: What do you think are the greatest concerns when building a mature application security program? What are the biggest impediments? 

Nikki: What does cyber resiliency mean to you?

- Can you tell us a bit about the book, what made you want to write it and how you settled on this topic?

- Historically IT and Security have been at odds, often feeling like the other party is conflicting with their goals and responsibilities. Why do you think this is?

- Do you think the push for DevSecOps and breaking down silos between Security and Operations (and Development) has helped at all?

- Your book talks about emotional intelligence, empathy and non-technical traits. How critical do you think those are in this situation and why do they not get discussed enough?

- What methods do you think IT and Security teams can take to improve their relationships and drive towards a unified outlook and goals?

- What do you see as the biggest gaps on this topic as we move into the future?

Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next? 

Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO and your experience writing it? 

Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far reaching?

Chris - What do you think organizations neglect most when it comes to secure software development, do you think the OMB memo will have a rising tide impact on the ecosystem like other frameworks such as CSF outside of Government?

Nikki - What are some of the most fun parts of your job? You've written so much incredible content for not just the cybersecurity industry, but so many SMB's and non-for-profits can use the NIST guidance as a place to build their cybersecurity programs. 

Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use. 

Chris - What are your thoughts around the attention as of late on software supply chain security, SBOM's and topics in that domain? Do you think we need more guidance and publications on this front?

Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about? 

Nikki -  What does Cyber Resiliency mean to you?

Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance. 

Chris: How do you think things such as Cloud, DevSecOps and shift-left security have changed vulnerability management?

 Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? With more sophistication of attacks by malicious actors, we have to create more 

Chris: Most of us know the Common Vulnerability Scoring System (CVSS) but many critique it saying CVSS scores alone aren't enough to drive vulnerability prioritization. What role do you think things such as Threat Intelligence should play?

Chris: In addition to CVSS CISA recently has been making a push to evangelize the Stakeholder-Specific Vulnerability Categorization (SSVC) guide. Can you tell us a bit about it and your thoughts about how it fits into the conversation on vulnerability scoring and prioritization? 

Nikki: There is a renewed focus on exploitable vulnerabilities, with the Known Exploited Vulnerabilities catalog by CISA, as well as the EPSS, or Exploit Prediction Scoring System - do you think we're headed in the right direction with helping to prioritize vulnerabilities and not just remediate everything?

- Before we dive into the technical topics, you're a repeat Founder, including some acquisitions of firms you've founded. Can you tell us a bit about that Founders journey and what leads you to creating organizations?

- Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic, and has it always been, or do you feel it is increasingly complex? 

- One of the challenges organizations have around OSS use is OSS Governance and software component inventory. Can you speak a bit about that challenge and how you are looking to solve it?

- A term thrown around a lot is "Dependency Hell" - which is the term developers use when it comes to managing their often large dependency footprints when it comes to updates, patches, versioning and so on. How are you seeing this problem addressed?

- There's a lot of hype around SBOM's and VEX. What are your thoughts on SBOM's and how they fit into the conversation around securing the software supply chain?

- One issue with the increased transparency is development teams drowning in hundreds or thousands vulnerabilities. As you know, this doesn't actually mean they are exploitable. How do we cut through that noise to drive down risk but also frustration?

- We talk a lot about CVE's and Vulnerabilities and so on but I know you recently shared research from Chinmayi Sharma who I've interviewed - and she points out CVE's are just one potential risk of OSS dependencies. Any thoughts on leading indicators of risk, as they're often called?

- Moving forward, what are some things you are focusing on at ENDoR Labs and where do we see us heading as an industry on this topic, in say 2-3 years? 

- You recently wrote an article about the SBOM Frenzy being Pre-Mature. For those not familiar with SBOM's, what is an SBOM and what has led to the frenzy as you call it?

- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOM's unless a build occurs on two identical machines. Can you explain why that is? 

- What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermitic Builds play in alleviating some of these concerns?

- Given the challenges of dynamic ephemeral build environments and hosts, do you think this undermines the usefulness of SBOM's as an industry artifact related to software supply chain security?

- You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case?

- You mentioned challenges with CVE's and their accuracy. As many know, CVE's are created via CNA's and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry? 

- You were involved in founding OWASP. I personally, and I suspect many others would love to hear about that a bit, given just how much of an industry staple OWASP is from Top 10 lists, CycloneDX and countless other widely used projects.

- You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address it to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?

Nikki: With your latest book, the Security Yearbook for 2022 ,this is the third iteration of the series right? It started in 2020 and has only grown since then. Can you talk a little bit about why you started this annual compilation of research? 

Nikki: For any other security practitioners or anyone in the field who's interested in writing a book or putting together a comprehensive manuscript or research, do you have any tips or advice for them to get started?

Chris: Can you tell us about your endeavors with IT-Harvest and your IT industry research, what is it and how did you get started?

Chris: I know you serve in various advisory roles. How does your industry research help inform your advisory perspective?

Chris: Based on your current IT industry research what are some of the most alarming or interesting trends around vendors, investors and M&A you see currently?

 Nikki: What is one of the most surprising statistics that you've uncovered year after year? I know one that continues to surprise me is just how prevalent and SUCCESSFUL phishing attacks are. What about you? 

Nikki: What are your top recommendations, based on your research, for security practitioners and business owners to be aware of and focus on when it comes to risk mitigation?

Chris: Looking at the current IT industry and trends, what is one prediction you have for some of the most significant changes we can expect in say 3-5 years?

- One of the biggest SaaS security incidents recently of course is the Salesloft Drive/Salesforce incident, which impacted hundreds of organizations and involved compromised OAuth tokens. Can you tell us a bit about the incident and the fallout?

- In an AppOmni blog on the incident, you all discuss attackers taking advantage of persistent OAuth access, over-permissive access, limited monitoring, and unsecured secrets. Why do these problems continue to plague organizations despite incidents like this?

This is part of a broader trend of increased SaaS supply chain attacks. What makes these attacks so enticing for malicious actors and challenging for organizations to prevent entirely?

You recently published your State of SaaS Security Report, which projects SaaS to grow 20% YoY between 2025 and 2032. This is despite 75% of organizations reporting a SaaS security incident in the past year. Why do you think we're seeing continued growth in adoption but still lagging in SaaS security to accompany the adoption?

The report discusses the rise of NHIs and GenAI and how this will exacerbate problems around SaaS Access and incidents. Can you unpack that for us?

I was shocked to see the report find that just 13% of organizations use SSPM tooling despite SaaS's widespread adoption. When you talk to enterprises, for example, nearly everyone is doing some CSPM activity for IaaS. Why are so many neglecting hygiene and posture for their SaaS footprint?

- First off, tell us a bit about your background, you were a developer prior to focusing on Law. Why the change and do you feel that technical background helps you in your legal and academic career?

- Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication?

- You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that?

- Your paper is broken down into several sections, so let's step through those and dissect each area a bit.

- You touch on the unique aspects of OSS from proprietary code and discuss the benefits and also the risks. Can you discuss some of those?

- You claim that OSS should be designated critical infrastructure and arguably under areas such as the IT Sector. First off, why do you think it should be, and why do you think it already hasn't been?

- In part II of your paper you went into topics around the origins of OSS security issues and barriers to resolution. What are some of the major issues and barriers to resolving them?

- You touch on economic theory such as the least-cost avoider. What exactly is that, and why do you think software vendors in this case are best-suited to fix some of the core OSS security issues?

- In part III of the paper you discuss some of the current interventions and efforts. Can you touch on what some of those major efforts are?

- You discuss emerging things such as the Open Source Software Security Act as well as the OMB Memo requiring vendors to self-attest to NIST's SSDF and even provide SBOM's. What are your thoughts on these emerging requirements?

- How do you think we balance the need to keep the spirit of OSS, in terms of being open to everyone, cultivate a society of citizen developers and a thriving FOSS ecosystem while also pushing for more rigor and governance? 

Do we risk constraining the ecosystem and limiting the Federal government (and industry's) access to small innovative software projects and initiatives? 

- Looking at your background, you've held a lot of Identity-centric roles and positions in the industry. How do you think Identity and associated security is evolving with the continued adoption of Cloud?

- Identity is obviously at the core of the conversation around Zero Trust, what do you think some of the fundamental things organizations get wrong when it comes IAM at-scale?

- You recently made the pivot from roles with a strong Identity focus to API and API Security. What drove you to make that shift? 

- What do you think some of the most interesting challenges are in the current API Security landscape?

- I noticed you also have an Army background. It is very common to see veterans make their way into Cybersecurity. Why do you think that is, and there are any lessons from the Army you feel have benefited you in your Cyber career?

Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for sometime via NTIA, CycloneDX, SCVS etc. How did you have the foresight or what drove you to focus on this topic well before many others in the industry?

Nikki: You mentioned recently about the SBOM Forum and their recommendation of the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWE's weren't technically built for al ot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to software supply chain?

Chris: I wanted to ask you about SaaSBOM which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind and where does it begin and end, given most of the Cloud, including Infrastructure is software-defined. 

 Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM" - what really caught me was the idea that BOM's or Bill of Materials have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOM's outside of software. What are you thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas? 

Chris: I want to discuss some critiques of SBOM. VEX Is promising but of course requires information from software producers, and then of course trusting their assertions. 

VEX: Do you see a future where both SBOM and VEX and automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities? 

Nikki: I would be re-missed if I didn't ask you about the human element in all of this. I fee like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc, can get somewhat complex. How do you think the increased complexity around software supply chain is affecting the management and operations groups?

Chris: You have long been the lead on the wildly popular Dependency Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?

Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et. al - how does SCVS fit into the mix and do you see organizations using all, or rallying around some of the guidance? 

Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?

Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?

Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative creative environment that is the OSS ecosystem?

Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience?

Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software - what should we be concerned about today versus a year from now?

Chris: What are your thoughts on the current state of Vulnerability Databases, we know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA - can you tell us a bit about that and why it is needed?

Chris: Do you think the emerging frameworks such as NIST 800 161 R1, SSDF, SLSA etc. are going in the right direction?

Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX. Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully?

Nikki: You have 341 episodes of your podcast - can you talk a little bit about why you wanted to get into podcasting? And also if you have any tips or advice for anyone who wants to start their own podcast?

Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workloads and information processing for developers and teams, but may also introduce other concerns. How do you feel about the human factor around OSS?

Chris: What do you think some of the fundamental changes of IAM are from on-prem to cloud?

Chris: What are some of the key tradeoffs and considerations for using IDaaS offerings?

Nikki: There are a lot of solutions out there that discuss zero trust as a product or a service that can be leveraged to 'bake in' zero trust into an environment. But I'm curious on your perspective - do you think we need additional tools to configure zero trust principles, or leverage the technology at hand to implement zero trust?

Nikki: There's this move towards passwordless solutions - I can see that being a big boost to zero trust architectures, but I think we're still missing the need for trusted identities, whether it's passwords, pins, or tokens. How do you feel about the passwordless movement and do you think more products will move in that direction?

Chris: You've been a part of the FICAM group and efforts in the CIO Council. Can you tell us a bit about that and where it is headed?

Chris: It is said Identity is the new perimeter in the age of Zero Trust, why do you think this is and how can organizations address it?

Nikki: There was an interesting research publication I read, titled "Beyond zero trust: Trust is a vulnerability" by M. Campbell in the IEEE Computer journal. I like the idea of considering zero trust principles, like least privilege, or limited permissions, as potential vulnerabilities instead of security controls. Do you think the language is important when discussing vulnerabilities versus security controls?

Chris: What role do you think NPE's play in the modern threat landscape?

Chris: If people want to learn more about the Federal FICAM/ZT Strategies, where do you recommend they begin?

- What do you think some of the primary factors are that contributed to GRC not coming along initially with the DevOps movement?

- Traditionally, what factors have plagued compliance when it comes to software delivery?

- How do some of those factors change in the era of DevOps and Cloud-native?

- Do you think regulation has a significant impact, and how can policy and regulation be improved?

- How important is it for the workforce aspect of GRC to be addressed when it comes to compliance innovation and new technologies and ways of work?

- Can incentives play a part, and if so, what can we do to improve that?

- Andres - What was the impetus of the book and can you tell us a bit about the writing experience?

- Where can people find out more about the book?

Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?

Chris: What are some of the most notable critiques of CVSS?

Nikki: I read your article 'A Closer look at CVSS Scores" and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Critical vulnerabilities they see based on this scoring method? 

Chris: Do you think organizations approaching Vulnerability Management using CVSS strictly from base scores is an effective approach?

Nikki:  Do you think that the industry needs a shift as far as vulnerability scoring systems? Not from a mathematical or quantification space, because we have some great people working on that. But from the understanding of how those vulnerabilities actually impact their businesses? 

Nikki: Where do you see vulnerability scoring and vulnerability management activities heading? Do you think we need some other methods for scoring insider threat and accumulating those scores with hardware and software vulnerabilities?

Chris: Pivoting a bit from vulnerability scoring, I know you're also involved with groups such as OpenSSF. Can you tell us a bit about that work?

Chris: What are your thoughts on Software Supply Chain Security more broadly, in terms of SBOM's, VEX, and the uptick in Software Supply Chain Attacks. Do you think we're trending in the right direction to respond to the rise in these attacks?

Chris: So you're a proponent of a term called RegOps, can you explain what that is to us a bit and how it differs from traditional compliance?

Nikki: I'm interested in your background from Solutions Architect, to CTO, to Co-founding and running companies. Do you have any advice for other architects or IT and security practitioners for building up leadership skills and transitioning to business ownership? 

Chris: Do you think the evolution of Cloud and API enabled platforms is positioning us to innovate in compliance and potentially keep pace with DevSecOps?

 Nikki: What are some of the biggest reasons that organizations fail audits - do you feel like GRC/compliance and framework adoption is too challenging? Do you think that organizations are underwater with missing controls and where can they start? 

Chris: We know you're a big proponent of OSCAL and your organization RegScale has contributed to some of the OSCAL working groups. For those not familiar, can you explain what OSCAL is and the potential impact it can have on compliance?

Nikki: What do you see as some of the emerging trends around solving compliance issues - do you think we need a mix of tooling, processes, and orienting our practitioners/users to adapt? Or do we have too many different frameworks/guidelines that it can be difficult for us to keep up?

Chris: Looking at the future of compliance in say 3-5 years, how different do you think it will be and do you think this push towards automation, API's, codified artifacts and such will change compliance forever?

Nikki - In one of your recent posts you speak about how more organizations are looking to leverage service mesh in their own environments. Can you talk a little bit about why a team may be interested in moving to a more service mesh architecture? 

Nikki: What do you think may impede or stop an organization from adopting updated networking practices and technologies, like service mesh, and how can they get started adopting it?

Chris: What role do you think Service Mesh plays in the push for Zero Trust and maturing security in cloud-native environments?

Chris: I've heard you use the team Secure Service Networking, what exactly is this, and is it different than Service Mesh? We know there are the four pillars of Service Networking: Service Discovery, Secure Network, Automate Network, Access Service. What are these exactly? 

Chris: In the context of micro-services and Kubernetes, how does networking change? 

Nikki: The field of engineering is growing more and more, we have Infrastructure Engineers, Application Engineers, versus the traditional job roles of Systems or Software Engineers. Do you see an industry trend moving to expanding the engineering field into different disciplines, like Platform Engineers? Or do you think some of these roles are similar but are getting updated titles?

Chris: HashiCorp has some excellent offerings such as Terraform, Vault, Consul and so on. What resources can folks use to upskill in these technologies?

Nikki: I saw you recently did a talk on securing service level networking for the DoD - do you feel like a lot of those principles apply outside of the DOD or federal space? Or do you see the private sector using more of these technologies?

In this episode of Resilient Cyber, I sit down with the SANS Institute's Chief of Research (COR) & Chief AI Officer (CAIO), Rob T. Lee to discuss AI's impact on cybersecurity and the workforce. 

We will discuss SANS Critical AI Security Guidelines, the opportunities and obstacles AI presents for cybersecurity, and how practitioners should navigate AI's impact on the workforce.

 Nikki: In some ways I think "software supply chain security" has become almost a buzz word, or buzz phrase? But to me it's more of a concern for security programs at large, since so many products and services are being developed in-house at organizations. What are the top three concerns that CISO's or security leaders should know? 

Chris: We're obviously seeing a lot of buzz around SBOM, and now VEX. What are your thoughts on where things are headed with software component inventory and SBOM as part of cyber vulnerability management?

Chris: You were involved in the CNCF Secure Software Factory Reference Architecture. How was that experience and do you think organizations will be able to adopt the practices and guidance laid out there? There are a lot of moving parts. 

Nikki: How do you feel about how pentests should be involved in a software supply chain security program? I personally am curious about possible implications and benefits of actively (and consistently) testing dependencies and potentially finding unknown vulnerabilities.


Chris: So we've talked about frameworks and guidance. Another big one is SLSA, Supply Chain Levels for Software Artifacts. What are your thoughts on SLSA and it's utility in the broader software supply chain security conversation.

Chris: SCRM can be like eating an elephant when you look at CSP's, MSP's, Software, and so on - what are your thoughts for organizations that don't have the resources of say a CitiBank, such as an SMB. Where do they start?

Nikki: I think we're still missing the human element of what a software supply chain security program looks like - how do you feel about that? Do you think we need to take more into account how people are using software, from a developer and a user perspective?

Chris: There has been a lot of focus on Containers of course in the conversation around Cloud-native ecosystems, coupled with Kubernetes, IaC and so on. Do you think these innovations make the challenge of software supply chain easier, or more difficult to manage?

Chris: For those not familiar with Kubernetes, can you tell us what it is and why there is so much buzz around it?

Chris: Kubernetes, while it has many benefits also is a very complex technology, what are some of the key things organizations should keep in mind when using Kubernetes securely?

Nikki: What kind of role do you see RBAC playing with Kubernetes? I don't hear a lot of talk around this subject and I'm curious what you think may be the importance of RBAC around Kubernetes

Chris: Any nuances or recommendations to those rolling their own versus using managed Kubernetes offerings?

Nikki: What does governance look like around Kubernetes - specifically around large, multi-cluster environments

Chris: From a compliance perspective, what are some resources organizations can use to securely provision and operate Kubernetes from a compliance perspective?

Nikki: Can we also chat about Kubernetes API logs when it comes to auditing and assessments?

Chris: You lead the Kubernetes Top 10 project with OWASP, can you tell us a bit about that?

Nikki: Where do you think kubernetes, clusters, etc are heading? What does the future look like for security teams to not only understand these new technology areas, but to understand how to secure them properly?

Chris: Do you feel like security practitioners are keeping pace with the rate of innovative technologies like Kubernetes, and if now, how can we fix that?

Chris: We know you are the CTO and Co-Founder of KSOC - tell us a bit about the firm and what you all specialize in and what led you to founding it?

- For folks that are familiar, what is a CI/CD pipeline and why is it becoming such a hot topic in modern software delivery?

- Do you think earlier on in the pursuit of DevOps/DevSecOps organizations overlooked the pipeline as an attack vector?

- Any thoughts are notable incidents such as SolarWinds, do you think they brought more attention to the build environment?

- What are you thoughts on emerging guidance such as SLSA NIST SSDF or 800-161. Do you think these are helping bring attention to best practices on securing pipelines?

- In the context of software supply chain security, why do you think pipelines are so critical?

- Keeping on the theme of SBOM, what are your thoughts on the rising adoption and push for SBOM, and now VEX and how can pipelines help facilitate that?

- Cider has produced some excellent resources such as articles and also CICD Goat - how do you all keep innovating on the knowledge and tooling front and how has it been received by the community?

- One of those resources is the Top 10 CICD security risks. Do you want to touch on the list and maybe a couple of the leading risks from the list?

- Any recommendations on learning resources for folks wanting to learn more about pipeline security, best practices and why it is important?

- Why do you think Cybersecurity has traditionally been seen as an IT issue?

- With more and more of economic activity being tied to digital platforms, do you think organizations are realizing that cybersecurity is tied to business outcomes and value?

- What do you think of recent activities by the SEC to require organizations to disclose cyber expertise among their board makeup?

- How critical do you think Cybersecurity is for organizations competing in the modern digital economy?

- Any advice or recommendations for Cyber professionals trying to communicate risks with their business peers?

- How do you see the role of the CISO evolving with the push for Cyber at the C-Suite and beyond?

- Where can folks find out more about the ISA?

- First off, for those not familiar with Containers and Kubernetes, what are they?

- Why are organizations increasingly adopting these technologies over traditional forms of compute?

- How does Cybersecurity change with Kubernetes and what are some things practitioners should be sure to keep an eye on?

- When organizations are adopting Kubernetes they often are faced with options such as rolling their own or using managed Kubernetes offerings, any thoughts there?

- I recently read a report that researchers found 380,000 publicly exposed Kubernetes API servers, do you think people simply are spinning up these new technologies with security as an afterthought?

- Kubernetes is incredibly complex, do you think this leads to challenges around properly configuring and securing it?

- Any thoughts on software supply chain security as it relates to Kubernetes and Containers?

- For those looking to learn more about Kubernetes and Container Security, do you have any recommended resources?

- For those unfamiliar with a vCISO, what is it and how is it different than a traditional CISO?

- Do you feel like the SMB market is catching on to the necessity of a vCISO and how it is critical to enabling secure business outcomes?

- How do organizations go about ensuring they get a qualified vCISO? Any things in particular to watch out for?

- For those looking to get started as serving as a vCISO, any recommendations?

- You are a great story teller and communicator on LinkedIn. What made you start making your videos?

- How important do you think communication is to helping drive secure business outcomes for Cyber professionals?

• Chris - Lets start off with discussing what is Purple Teaming exactly, and what is it not?

• Nikki - The industry can be somewhat siloed between job roles, and purple teaming really breaks down those barriers - do you see purple teaming being adopted more in the industry? Or do you think that too many industry experts hold too closely to their areas of expertise? 
• Chris - People often conflate Red Teaming, Pen Testing and Purple Teaming - how do we help clear up that confusion?
•  Nikki - Purple teaming is supposed to be an iterative continuous process between red teams and blue teams. Do you feel like this continuous flow of information should be consistent between the teams? Do you feel like there is more value in one direction versus another? 
•  Nikki - The purple team concept is centered around blue teams and red teams, but this type of iterative and cooperative concept could be applied outside of red teamers and network defenders. Do you see value between using this type of cooperation between security assessment and audit teams and network defense teams?
• Chris: You've been someone I have watched who has been really effective at personal branding through platforms like LI. Can you discuss how you approach that and why it is valuable?
• Chris: For those looking to get into Purple Teaming or more broadly OffSec or even Blue Team, what are some of your primary recommendations resource wise for learning?

- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)

- You were part of an effort to create the Threat Modeling Manifesto, can you tell us a bit about that project?

- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring and if you think that will impact the Threat Modeling community?

- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think that is an opinion among some and is it true? 

- Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences for same on-prem vs cloud systems?

- For organizations looking to get started with Threat Modeling, where do you recommend they start? 

- Moving on from getting started, have you seen large organizations with successful, or unsuccessful Threat Modeling programs, and what were some major themes either way?

Nikki - You have some really awesome content on LinkedIn around Vulnerability management - one of my favorite posts you made recently was asking "Is vulnerability management dead". Can you explain a little bit about what you mean? I'm curious on your take, because there isn't a ton of modern guidance around vulnerability management 

 Nikki - One of the biggest challenges I think we face around vulnerability identification, and specifically prioritization, is that a lot of emphasis is put around CVSS scores and CVE ID's specifically. And while an incredibly helpful tool, plenty of vulnerabilities are not ID'ed or are not seen in traditional vulnerability scanners. What do you think the industry can do to better use other tools/techniques to identify and remediate vulnerabilities? 

 Nikki - Can you talk a little bit about where you think we could use more guidance or leadership around vulnerability management? I really don't hear about it when we talk cloud security or AI/ML, but it still incredibly relevant

Chris - We know another topic you're passionate about is software supply chain security. Can you share your thoughts on where the industry is headed with SBOM, VEX and other efforts to bring transparency and better governance to the SW supply chain?

Chris - You've also written and spoken a fair bit about broader Supply Chain Risk, partners, MSP's, CSP's etc. Do you think organizations are just now waking up to the exponential risk due to the interconnected and as-a-Service orientation we've taken as an industry?

Chris - As we mentioned, you do a ton of writing on LinkedIn, as well as your substack distro. How do you keep up the pace and what led you to start the substack originally? Where can people follow it and stay informed? 

In this episode of Resilient Cyber, I sit down with Gianna Whitver and Maria Velasquez to chat about the state of marketing in the cybersecurity industry, as well as their popular event "Cyber Marketing Con"

In this episode, we discussed:

• The background of the CyberMarketingCon and what led Gianna and Maria to co-found the event and community
• Where marketers typically fall short and what can be done to drive more effective marketing and selling to security practitioners and leaders
• What practitioners can learn their marketing peers when it comes to communication, empathy, story telling, and building relationships
• The importance of marketing, brand and broader GTM for security vendors to stand out from their competitors
• What to keep an eye out for at the upcoming CyberMarketingCon in December in Austin Texas

Chris - We know there's a massive Cyber workforce challenge, what role do you think academia plays there and how can it improve to close the gap?

Nikki - Speaking of the young professionals in cybersecurity, what do you think are some of the in-demand skillsets and career paths available for individuals interested in pursuing a career in cybersecurity?

Chris - There's often a debate between academics and practitioners, why do you think that is, and do you think we're seeing that gap dissolve with new degree programs and more practitioner focused curriculum?  

Nikki - On the subject of academia - do you feel like there is enough focus on research in cybersecurity fields? Do you think that research is getting to private and public partners or is there something we can be doing to strengthen those relationships?

Chris - What do you think the future of Cybersecurity education looks like? What role does non-traditional education such as certifications, bootcamps, online courses and content etc. play in the hiring qualifications of the future?

Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance etc. Any thoughts on why this is just now becoming such a focused concern?

Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?

Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain that there are threat modeling techniques that can be used to understand and account for that growing attack surface?

Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore - can you tell us what that is and why it is important or useful?

 Nikki: In the last couple of years ' technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?

Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in say 3 years?

Nikki - You have a varied background between being a security engineer, consultant, manager, etc. What made you decide to focus more on the compliance aspects of cybersecurity?

Chris - It is often said "Compliance doesn't equal Security". Why do you think this phrase has taken hold, do you think its accurate and how do we evolve beyond it? 

Nikki -  Based on some of your posts about compliance - one specifically about implementing frameworks and guidance from NIST and the CMMC standards - do you think there's a need in the industry to focus more on implementation guides or do you feel like organizations are to complex to create guides? 

Chris - On the topic of compliance frameworks, we seem to be so reactionary, with new frameworks coming after incidents etc. and organizations struggle to keep up. Do you think we have a framework sprawl problem?

Chris - On the topic of 800-171 and CMMC, there's a lot of talk on the topic of affordability and cost and the impact to the small businesses in the DIB, which has already seen massive consolidation. What are your thoughts on this, and how do we balance compliance/security with the need for a robust DIB of suppliers?

Nikki -  What do you think the future of compliance looks like? CMMC and otherwise - do you foresee more legislation around compliance coming down the pike?