In this episode, we sit down with StackAware Founder and AI Governance Expert Walter Haydock. Walter specializes in helping companies navigate AI governance and security certifications, frameworks, and risks. We will dive into key frameworks, risks, lessons learned from working directly with organizations on AI Governance, and more.

• We discussed Walter’s pivot with his company StackAware from AppSec and Supply Chain to a focus on AI Governance and from a product-based approach to a services-oriented offering and what that entails.
• Walter has been actively helping organizations with AI Governance, including helping them meet emerging and newly formed standards such as ISO 42001. Walter provides field notes, lessons learned and some of the most commonly encountered pain points organizations have around AI Governance.
• Organizations have a ton of AI Governance and Security resources to rally around, from OWASP, Cloud Security Alliance, NIST, and more. Walter discusses how he recommends organizations get started and where.
• The U.S. and EU have taken drastically different approaches to AI and Cybersecurity, from the EU AI Act, U.S. Cyber EO, Product Liability, and more. We discuss some of the pros and cons of each and why the U.S.’s more relaxed approach may contribute to economic growth, while the EU’s approach to being a regulatory superpower may impede their economic growth.
• Walter lays our key credentials practitioners can explore to demonstrate expertise in AI security, including the IAPP AI Governance credential, which he recently took himself.

You can find our more about Walter Haydock by following him on LinkedIn where he shares a lot of great AI Governance and Security insights, as well as his company website www.stackaware.com

In this episode, we sit with the return guest, Jim Dempsey. Jim is the Managing Director of the Cybersecurity Law Center at IAPP, Senior Policy Advisory at Stanford, and Lecturer at UC Berkeley. We will discuss the complex cyber regulatory landscape, where it stands now, and implications for the future based on the recent U.S. Presidential election outcome.

We dove into a lot of topics including:

• The potential impact of the latest U.S. Presidential election, including the fact that while there are parallels between Trump’s first term and Joe Biden’s, there are also key differences. We’re likely to see a deregulatory approach related to commercial industry and consumer tech but much more alignment and firm stances related to cyber and national security.
• The future of efforts around Software Liability and Safe Harbor
• Contrasted differences between the EU’s tech regulatory efforts and the U.S. The U.S. has taken a much more voluntary approach. While Jim is an advocate of regulation and thinks it is needed, he simply cannot get behind the heavy-handed approach of the EU and suspects it will continue to widen the tech gap between the U.S. and the EU.
• What is the potential for regulatory harmonization and the challenges due to the unique aspects of each industry, vertical, data types, and more.

Jim leads the recently formed IAPP Cybersecurity Law Center

He is also the author of the book Cybersecurity Law Fundamentals, Second Edition.

In this episode of Resilient Cyber I will be chatting with industry leaders Tyler Shields and James Berthoty on the topic of "Shift Left".

This includes the origins and early days of the shift left movement, as well as some of the current challenges, complaints and if the shift left movement is losing its shine.

We dive into a lot of topics such as:

• Tyler and Jame’s high-level thoughts on shift left and where it may have went wrong or run into challenges
• Tyler’s thoughts on the evolution of shift left over the last several decades from some of his early Pen Testing roles and working with early legacy applications before the age of Cloud, DevOps and Microservices
• James’ perspective, having started in Cyber in the age of Cloud and how his entire career has come at shift left from a bit of a different perspective
• The role that Vendors, VC’s and products play and why the industry only seems to come at this from the tool perspective
• Where we think the industry is headed with similar efforts such as Secure-by-Design/Default and its potential as well as possible challenges

In this episode we sit down Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We will dive into a wide range of topics, from cyber regulation, software liability, navigating Federal/Defense cyber compliance and the need for digital defense of the modern national security ecosystem.

- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir?

You're a big proponent on the role that software plays now, and will play in the future when it comes the fifth domain of warfare, cybersecurity, so let's give into some of those topics.

- I know you've voiced some strong opinions on the role of cyber insurance and also compliance when it comes to its static nature, compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?

- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?

- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?

- The enablement of more companies is key, as you know the DIB has seen massive consolidation in the past decade or more, largely with the small handful of players dominating the lions share of the work in the DoD. This arguably poses systemic concentrated risks, as well as doesn't give access for the DoD to commercial innovation.

You called the DoD's most powerful ally America's commerical tech sector in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a not built here syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?

- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATO's and RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?

In this episode we sit down with Mark Simos to dive into his RSA Conference talk "You're Doing It Wrong - Common Security AntiPatterns" to dig into several painfully true anti-patterns in cybersecurity and how we often are our own worst enemy.

-

- First off, for those not familiar with you or your background, can you tell us a bit about that.

- So you delivered this talk at RSA, focused on Cybersecurity "Anti-Patterns". How did the talk come about and how was it received by the audience?

We won't be able to name them all, but I would love to discuss some of them.

- You talk about the technology-centric thinking, and how folks believe security is about technology instead of business assets. Can you explain this one?

- The silver bullet mindset was another that jumped out to me. This is thinking a single solution can 100% solve complex and continuous problems. What ways have you seen this one play out?

- The paradox of blame is one that made me laugh because I have seen this play out a lot. You talk about the CYA mentality, how security warns about issues, they are skipped and then security is blamed. This one really stings because I have seen it happen, and in fact, I feel like we're seeing it play out with some of the CISO liability cases and regulations that are emerging.

- Perhaps one of the most well known anti-patterns of security being the office of no or resisting trends. I feel like we saw this with Cloud, Mobile, SaaS and now AI. Why do we keep repeating these mistakes?

- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?

- We see rapid adoption of AI and security inevitably trying to keep up, where should folks start?

- There are some really interesting intersections when it comes to AI and supply chain, what are some of them?

- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?

- AI BOM's - what are they, how do they differ from SBOM's, and what are some notable efforts underway right now around them?

- First off, for those who don't know you, can you tell us a bit about your background?

- You've been providing a deep dive talk into how to become a CISO. I'm curious, what made you put together the presentation, and how has it been received so far when you've had a chance to deliver it?

- You have broken down what you call "four stages of the journey" that encompasses skills in areas such as Technical, Management, Leadership and Political. This to me comes across as CISO's need to be multidisciplinary professionals with a variety of skillsets. What do you think makes this so important for CISO's to be successful?

- Let's walk through the four stages a bit. You start off with Technical skills. This seems to the foundation many CISO's start with, coming from roles in areas such as engineering, architecture and so on. What makes this foundation so key?

- How do CISO's maintain a strong technical foundation and depth, as they get further away from the tactical work and more into the leadership and strategic role?

- CISO's of course have to be able to manage the teams they build and/or oversee. What are some of the key management leadership skills you think CISO's must have?

- Leading is a fundamental part of what CISO's do. Whether it is direct reports, or the broader security org. What are some of these leadership skills and how can they have a positive or negative impact?

- Last but not least is the political side of things. CISO's of course operate among other C Suite peers, the board and within complex organizations with competing interests, personalities and incentives. This could arguably be the most important skill to hone in terms of ensuring you're effective in your role, and have a lasting impact on organizational risks. What are your thoughts on the political skills front?

- I'm curious as someone who's been a multiple time CISO and is now advising others on how to obtain the role - where do you see the role of the CISO headed in the future? We see new aspects such as litigation, SEC rules, determining materiality, CISO's needing to speak the language of the business and more - all while needing to manage risks with the ever changing technological landscape, with AI being the latest example. Where is it all headed?

In this episode we sit down with Amir Kessler and Aviram Shmueli of AppSec innovator Jit to dive into the complexities of the modern AppSec landscape and explore the emerging Application Security Posture Management (ASPM) ecosystem.

- First off, for folks not familiar with your backgrounds, can you tell us a bit about both of your backgrounds and how you got to the roles you're in now?

- We're seeing a ton of interest in the topic of ASPM in the AppSec space. What do you think has led to this emerging category and what key problems is it looking to solve?

- I know your team puts a big emphasis on not just the tech but also the DexEx and UX. Why is this so critical to address AppSec risks and securing organizations and their code?

- While there is value in ASPM platforms, many Dev teams and engineers are opinionated about their tools, how important is this flexibility and extensibility in the platform that the Jit team has built?

- A key challenge includes vulnerability overload. Teams drowning in massive vulnerability backlogs and trying to add vulnerability context and focus on the most relevant risks for developers. How does Jit approach this?

- Not all ASPM platforms are the same, but we see many vendors rallying around the category. What do you think makes Jit unique and differentiates what the team has built?