Resilient Cyber – Details, episodes & analysis

In this episode of Resilient Cyber, I sit down with my friend and the Founder of Return on Security (RoS), 💰 Mike Privette.

Mike is the among the best our community has to offer when it comes to analyzing the macroeconomic trends of the cybersecurity ecosystem, from M&A, fundraising, startups, innovation, and venture capital.

We will dig into the macroeconomics of cyber this past year, key trends, takeaways, the outsized role AI has or hasn’t had and what 2026 may hold as we look ahead.

In this episode I sit down with my friend and Vulnerability Researcher Patrick Garrity 👾🛹💙 of VulnCheck to do a roundup of the latest trends, analysis and insights into the vulnerability and exploitation ecosystem throughout the past year.

We covered a lot of great topics, including:

- The most notable vulnerability trends over 2025, including what has changed, or stayed the same in the past year.

- Continued challenges around the NIST NVD and CVE, the sprawl of competing vulnerability databases and vulnerability identification schemes, challenges with funding, centralized vs. decentralized approaches and what the future holds. 

- What the life of a vulnerability researcher looks like under the hood, including participating in coordinated vulnerability disclosure.

- Efforts from Patrick's team at VulnCheck, including their Known Exploited Vulnerability catalog, covering gaps from the CISA KEV, as well as https://research.vulncheck.com that provides excellent graphs and visualizations.

- Patrick's thoughts on what the vulnerability management landscape may look like in 2026. 

In this episode of Resilient Cyber, I sit down with Binalyze Founder/CEO Emre Tinaztepe.

We will discuss how AI and automation are impacting the future of the SOC and the role that forensics-level data can play in incident response and recovery, as well as proactive threat hunting.

Chris - Why do you think SaaS security is so overlooked in the conversation around cloud security, despite SaaS being so pervasive?

Chris - SaaS obviously involves a lot of third-party integrations. What are the risks o f these ungoverned integrations and can they have a cascading impact if one of the providers has an incident?

Nikki -  Chris and I have talked a lot about software security, SBOM's, and what does open source security look like. As a leader in the cybersecurity community, what are you most concerned with when it comes to third-party risk and software supply chain?

Nikki - When we talk about SaaS and application management at organizations, what do you think about how SaaS applies to building relationships and working together with other organizations? 

 Nikki -  When it comes to integration between SaaS products and a cloud infrastructure, what do you think about as far as risk and how to manage risk within organizations? 

Chris - If we're trying to handle threats, how important is it to understand integrations from the perspective of who created it, why, what data it involves etc?

Chris - How do organizations start to get a handle on governing SaaS and their third-party integrations to mitigate these risks?

 Nikki -  I see you posting recently about exercise/fitness - this is a topic Chris and I discuss often. The balance of physical well-being and being present at work. What do you think about the balance of physical and mental pursuits? 

 Nikki -  What does cyber resilience mean to you?

Chris: First off, tell us a bit about NetRise, what you all do, and what your focus is on?

Chris: There's been a tremendous focus as of late on software supply chain security, as you know, but much of it focuses on things such as Cloud, SaaS, Containers etc. at NetRise you all take a focus on Firmware, IoT and Cyber Physical Systems (CPS). Why is that and what are some concerns folks overlook with these vectors?

Nikki: You just announced the launch of ETHOS - a cooperation between several organizations to investigate threat indicators and looking into emerging trends in attacks. Can you talk a little bit about how this idea came together and what ETHOS will be doing? 

Nikki:You have a lot of expertise around IoT and IIoT, can you talk about some emerging trends in cyber threats and concerns around the connectivity of devices? 


Chris: I know you guys focus a fair bit on SBOM. For those not required to have one due to policy or regulations, what are the benefits of doing so?


Chris: I know you all have experience and expertise with vulnerabilities in products. Does SBOM help address scenarios where the product itself may have no identified vulnerabilities or CVE's but components identified in its SBOM do?

Chris: I noticed you're also a USMC veteran, so first, thanks for your service. As a fellow veteran, as I recently walked the RSAC floor this past week I noticed how many leaders in the industry had former military experience. Have you noticed anything similar in Cyber and has your military experience served you in any ways as you have went on to go into industry cyber roles and now as a CEO?

Nikki: You have such great experience between threat hunting, incident response, to now being a CEO / Co-founder and Advisor to multiple other companies. What has that transition been like and do you have any advice for any other practitioners out there that may be interested in starting their own organization? 

Nikki: What's your favorite book, podcast, or other media right now? Anything we should be checking out? 

Nikki: What are some of the big things going on at NetRise right now? Any other projects you and the team are working on that you would like to share?

Chris: Can you tell us a bit about your background and what the role of the Deputy Principal Cyber Advisor does?

Nikki: When we talk about workforce challenges, I think about the types of skills that someone is looking for in a cyber program. What types of skills do you look for in hiring and what kinds of skills do we still need in the cyber profession? 

Chris: We know you've been focused heavily on the Cybersecurity workforce for DoN.  In our discussions of digital modernization, the focus is often on tech, such as cloud, zero trust, etc. Why do you think the people or workforce aspect is so often overlooked?

 Nikki: What do you think about the value of education and certifications when it comes to hiring and retaining cybersecurity professionals? Whether it's an analyst or an engineer, there is a lot of back and forth in the industry on whether certifications should be required or if it may be limiting the talent pool 

 Nikki: I saw you posted recently about North Dakota requiring cybersecurity education in schools - how critical do you think this is for K-12? As a mom this is something I think about all the time 

Chris: Can you tell us a bit about the DoN's approach to modernizing the workforce around cybersecurity?

Chris: There's been some buzz around the DoN's Cyberspace Superiority Vision, what exactly does that entail?

Nikki: I have the opportunity to teach my kids but what about all the other children without parents in cybersecurity? 

 Nikki: One of the other interesting articles that came out recently was around the potential change in cybersecurity leadership we'll be seeing in the next few years. Do you foresee some of these leaders leaving the industry and what kind of effect do you think it will have on the industry? 

Chris: We know there's rumbles of an upcoming DoN Cyber Strategy. We recently saw the release of the National Cyber Strategy. How will the DoN strategy build on that and what are the synergies between the two?

 Nikki: What does cyber resiliency mean to you?

Nikki - First - tell me a little bit about yourself and your background 

 Nikki - You have a ton of experience with the Army, can you talk a little bit about what you like most about working with the military and specifically in HR? 

Chris - We hear a lot about digital transformation in the DoD, Cloud, Cyber, Zero Trust, and so on - but how critical do you think the workforce is to make all of these transformation efforts successful 

Chris - We know the DoD has historically struggled to attract and retain technical talent. What specific changes do you think are needed to help resolve this challenge and do you think we're making any headway there?

 Nikki - One of your previous roles was Deputy Director of People Analytics, I've not heard much about this role before and I'm interested what that type of position entails and what that means to the people in an organization? 

Nikki - I want to talk to you about health, fitness, and wellness when it comes to IT and cybersecurity positions. There is a ton of research around the burnout and stress that technical positions carry - what can we do to help our technical teams? 

Chris - I have seen you posting and speaking about the role AI is playing in assigning resources, assistance and leadership to various Army cohorts, what are your thoughts on the role AI is and will play in your area of expertise?

Chris - I believe there has been a new Army vision for the future of talent management, can you tell us a bit about that and what it entails?

 Nikki - Can you talk about the integration of AI/ML into both HR and administrative functions? I could see how beneficial it would be and free up some cycles to focus on the people and their wellbeing. 

Nikki - Can you talk about some of the other innovation in the HR space?

Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?

Chris: You have done a lot of research into software supply chain security, and of course SBOM's. One recent study you took a look at the quality of SBOM's in the OSS ecosystem, compared to say the NTIA defined minimum elements for SBOM. Can you tell us a bit about the study and implications of the findings?

Chris: In addition to SBOM, we're seeing the emergence of VEX, can you speak a bit about its importance?

Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow" but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?

Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?

Chris: Before we dive into some technical topics and questions, we would love to hear a bit about your background and career

Chris: - We've now seen the introduction of JWCC into the mix after quite a challenging road to get there. What major changes do you see JWCC playing in the DoD cloud landscape and cloud adoption journey?

Nikki: - There's been a tremendous focus on software supply chain security, with a 742% increase in software supply chain attacks in the last three years. What are your thoughts on how the DoD is approaching securing the software supply chain, SBOM's and challenges of that nature?

Chris: - We know the DoD CIO office published an Open Source Software (OSS) memo not too long ago. What role do you think OSS plays in the future of the DoD's software and warfighting capabilities?

Nikki - We've seen a blossoming ecosystem of software factories across the DoD, now numbering near or beyond 30. How key do you think these software factories have been to the DoD's software modernization efforts?

Nikki - I would be remiss if I didn't ask you about the DoD's workforce challenges. We know the DoD has had long standing issues attracting and particularly retaining technical talent. How crucial is remedying those workforce challenges to see successful cloud adoption and software modernization?

Chris - Being a longtime Federal and DoD Cyber professional I have to bring up the topic of compliance, RMF and ATO's in any discussion around fielding software. We've seen a push from some senior leaders to try and shift to a culture of cyber readiness and alleviate some of the traditional box-checking/compliance culture we know is pervasive across Government. Any thoughts on how we can modernize Cyber and Compliance in DoD to facilitate getting innovative and modernized software-enabled capabilities into the hands of system and mission owners?