Resilient Cyber Chris Hughes

- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO?

- What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?

- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?

- Have you had to navigate working on versus in the business, and what has that looked like for you?

- For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?

- I know you're also very passionate about the veteran community in cyber, why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?

Can you each tell us a bit about your background, before we dive in?For those not in the DoD or familiar with the term, what is a “Software Factory”?What is BESPIN?What is the current state of mobile security within the DoD?Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on?Are there any official mobile app sec requirements? Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?Since there are no official mobile requirements you kind of get a second mover advantage, how can you take lessons learned from the Cloud Computing SRGs and apply that to mobile? Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airman on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.

- First off, for folks that don't know you can you give them a brief overview of your background/organizations?

- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?

- Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem?

- Josh - Your team has started providing some accompanying resources to try and address the gap, can you tell us a bit about that?

Dan - You've spun up an open letter to congress and have kicked off a bit of a grass roots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?

- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?

- What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?

- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you?

 - How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdP's, as well as external environments such as SaaS and so on that they have identities and permissions tied to 

 - It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain security - why do you think that is?- You all have published some innovative research around what you dubbed as the "SaaS Attack Matrix" can you tell us a bit about that research and how organizations can use it? 

 - You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us? 

- It's been said that the browser is the new OS, and I have seen you all say if that's the case, Push Security is the new EDR. Can you elaborate on that? 

 - I recently saw a headline from LinkedIn's own CISO Georgg Belknap that read "Push Security does for identity what Crowdstrike does for Endpoint". That's quite the endorsement and also catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?

- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry leading organizations such as Siemen's and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry leading CISO along the way. 

- How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?

- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISO's would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director type roles?

- Many CISO's and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar? 

- I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?

- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board level and advisory roles? What skillsets and expertise should they be focused on the most?

- What are some of the most interesting developments in the world of software supply chain security (SSCS) in the last 12 months or so?

- It's now been a couple of years since the major fall out of notable incidents such as SolarWinds and Log4j, do you feel like the industry is making headway in addressing software supply chain threats?

- For organizations either just starting or looking to mature their software supply chain maturity, where are some key areas you recommend organizations focus their attention?

- We have a complex landscape from extensive use of open source, SaaS and Cloud providers, partners and third parties, how have you seen firms successfully handle this complexity when it comes to activities such as incident response? 

- There's a bit of a heated debate in the industry underway on point products vs. platforms. I know Checkmarx has a comprehensive AppSec platform. How do you view this debate, and do you think we will always have and see the need for point products, best of breed and comprehensive platforms in the industry?

- You spend a fair bit of time focused on SSCS research, how does your team approach these activities and sharing the insights with the community?

- Checkmarx shares a tremendous amount of informative and insightful research around SSCS. Where can folks learn more and what are some of the interesting projects you all are currently working on?