48. Dr. Georgianna, Chief Technologist at Foundation for Defense of Democracies, Advancing National Cybersecurity Through Innovation and Policy.

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm your host, John McLaughlin, and I'm here today with a very special guest, Dr. Georgianna. Welcome to the show, George.

Thank you. Thank you for having me. It's a pleasure to be here. You bring a ton of great experience to the table.

Looks like you were a chief engineer at MITRE. You were a thought leader, a critical thinker, a team leader. Where you have actually had some good experience as an adjunct instructor, University of Maine, and as well as the Colorado Technical University, which I believe is also where you got your PhD. Technically, it's a doctor of computer science.

Oh, doctors of computer science. Yeah, not a lot of people know what a DCS is. I let it slide, but then I was feeling a little guilty like I'm misleading people. PhD is going to be your doctor in philosophy.

A doctor of computer science is more of a practitioner degree. So you're not just philosophizing about computers. You put your hands on them. Did you have a particular area of study?

Information assurance in cybersecurity. I've been working in cybersecurity for over 20 years. My bachelor's is in computer science. I started working in cybersecurity.

My master's in information technology, focusing on security. And my doctorate is in computer science with a focus on information assurance and cybersecurity. And you are also a contributor to Cyber Wire as a freelancer. Yes.

As well as Cybersecurity Canon. Yes. And it looks like you're on the board of and an advisor to many promising startups, including American Binary. Great companies.

And today you are at the Foundation for Defense of Democracies. And you are their chief technologist of transformative cyber innovation. Yes. Incredible.

So what's a typical thing? I feel like I should explain what all of that means a little bit. Oops. More than just the resume bullets.

I have worked in cybersecurity for over 20 years. And in that time, I've been advancing my own degree. So now I've got the doctorate in computer science. I recently, this is not recently anymore.

For the past three years, I've been working at FDD. But prior to those three years, I've primarily supported the Department of Defense. I did a lot of defense cyber support work with the Marine Corps, the Air Force, Space Force, the Office of Secretary of Defense. A lot of operationalizing kind of things and instruments actually of those systems.

And so now at FDD, it's a little different. And at FDD, Foundation for Defense of Democracies is a think tank located in the D.C. area.

And my job isn't to build or ensure a particular system has cybersecurity or check it or audit it or recommend how they do it. It's really to advance cybersecurity for the purpose of national security through recommendations to policy legislation. It's been a lot of fun. A little different, but a lot of fun.

Incredible. And you've been there for almost three years now. Correct. So what's a typical day look like for you at FDD?

I tell people it's an incredible job. And I look at it. If they fire me tomorrow, I'm grateful for the opportunity to be there because it's been so amazing. I bring up my past experience because I need to work for a company.

I worked for MITRE, writer companies. And you work for a particular sponsor or a particular customer. And then you fall under what they want you to work on. At FDD, I get to work on whatever I want to work on.

So it's fantastic. And if you were to tell me right now, if there's this thing going on and here's this way we can make server security better, I would say, let me hear more of that. Let's dig into this and how can we make that happen? So I'm allowed to really branch out and make things happen.

Whereas before in my career, I'm going to just give you an example. Maybe I saw something and I'm like, oh, here's a charter world tender. Then you can have your manager say, that's not in our scope. That's not our job.

We're not doing that. We're supposed to do A and B by the time this happens under this budget, that this is what we're doing. Which makes sense. But it really confines the person and their thought and their interactions.

So at FDD, I don't have that kind of constraint. I really get to explore and branch out and look at different things. So a typical day for me, depending on which day it is, but they're all the same. I will have reoccurring, I call them sync meetings, which is where I will find a really interesting person.

Someone I'm talking to, someone I highly admire and respect, an expert in one particular area. And I will ask them, do we meet on a regular basis? Maybe once every six weeks, maybe once a month, maybe once a quarter, depending on what their schedule is, because I really respect their time. And then I have, of course, standing at FDD meetings where I will talk to my immediate department.

What am I working on? And then I will collaborate with the rest of the organization. What are they working on? So people know some of the projects I'm working on and I understand what they're working on.

So again, we can see where there's any overlap or possible collaboration. And then I, because I get to work on so many different things and I'm not confined by a particular sponsor. We're paid through U. S.

philanthropy. So again, I don't have a person telling me this is what I need to work on. Right. I work on various community efforts, which is really fantastic.

And just a couple of them. One is under the President's Council of Advisors on Science and Technology under the White House, which is an incredible group of the nation's top science and technology folks. People like Phil Venables from Google, Eric Horvitz from Microsoft, Kathy Sullivan, former astronaut, Richard Danzig, former Secretary of the Navy. They look at, there's a working group we're working on for cyber physical systems resilience.

They've asked me to join this working group to identify recommendations to the president to ensure resilience of our cyber physical system. So that's something I do regularly to recognize any meeting. I'll go to different, I guess, just individual meetings we're having with folks in industry to give us their perspective. We meet alone as a group or we recently had an in-person event.

I also work on another community working group out of the GRF, the Global Resilience Federation, which is an organization that helps tie together all the different ISACs, the Information Sharing Analysis Centers. They have a Business Resilience Council, the BRC, that has developed an operational resilience framework that helps organizations recognize how to maintain resilience. I got to work on that, which was pretty exciting. So again, standing meetings with them and I'm currently involved in a group out of what I'm saying, a project under OASIS Open, which is an international standards body that helps develop these international standards.

And I'm working on a project called DAD-CDM, which stands for the Defending Against Disinformation Common Data Model. I'm working with a group of really incredible people that are putting the requirements together that will hopefully be adopted as an international standard, much like STIX for the MITRE ATT&CK, the Structured Threat Information Expression, but for information objects. So that's the different kind of community projects that I work with. And then on top of that, I run pilot projects.

So the purpose of my position and my job is to, like I said, advance cybersecurity or national security through bridging the gap between existing technology, policy, and governance to drive change within legislation or policy decisions, decision makers. So I do that by running a pilot on a particular thing and demonstrating lessons learned or how this works so it can scale or to help people better understand what some of these more complex things really mean. So that when you start talking about quantum or S-BOM, they don't just glaze over like, oh, I understand what you're talking about. Because yeah, at first, yeah.

For our listeners, what are those things? Quantum and SBOM. So SBOM, it's a software bill of materials. And it's actually a topic I really love talking about because of my background within DOD.

I have a test and evaluation background. So you have to understand, I think, first, how do you evaluate software and what does that look like? So if I'm a program within the Department of Defense, let's just say the highest classified system, tippy-top secret system, whatever it is. Top secret, yes.

Yeah. I like it. That's the official term, the tippy-top secret. A weapon system of some kind.

If they're building it or buying parts of it, there's a test and evaluation process that takes place for everything being built and bought, the acquisition process. And within the software piece, in software testing, pretty much where everything is, test the software. Does it work? Does it do A, B, and C?

Yes, it does. Okay, wonderful. Okay, so now I'm going to need a software. Does it have any known vulnerabilities?

Right. So I have to stress the word known because if it hasn't been discovered yet, you're not looking for it. That's right. Yeah.

So that's another test. So if it hasn't been discovered, the test is up. It's good. No known vulnerabilities.

Something's not discovered. It's still not discovered. It's still doing whatever it is it was doing. And then another aspect of software testing is looking at the efficiency of the code.

Is there dead code? I mean, code can be thousands of lines of text and maybe sometimes there's a module or object in there that was going to do something, but it stopped it. So there's what you call dead code. So what's with the efficiency of the code?

But if there's working, dormant, and passive code in there, you're probably not going to see it because there's not a test in place to know what to look for. And the way software is developed, it's much to people like building a car. You have a company, but they outsource. They just go buy tires from wherever.

They're not building the tires. So in software, you can do the same thing. You can just grab these objects online, these open source software objects like that. A time function, a logging function.

These commonly used things that are going to take more time and effort from programmers. And they just grab it off the shelf as it's out there and we're just going to plug it in. Yeah. As an engineer, one of the sayings that I've heard over and over again is don't reinvent the wheel.

Don't reinvent the wheel. Yeah. Yeah. But at least look at how the wheel was made.

Who made the wheel? Where'd it come from? What's inside the wheel? Yes.

These are good questions. Is it made of rubber or is it made of plastic? So that's what an SBOM is. It's the software bill of materials that takes not just the, I'll just say general contractor who wrote the software for your tippy top secret and said, here's software.

It's saying, here's the software and here's all the components of the software that we got from someplace else. And then you could find that your software. And one of my pilot projects was on SBOM. I took a piece of, it's actually Air Force developed software.

So it was the DOD themselves and they developed it for a particular usage. And then I had a company go through and analyze it and they said, oh, there's four underlying components that they're relying on. So you're like, oh, that's not too bad. But then when you started to dig into those four components, there were then like thousands of other components.

And then you start to look at, well, who wrote this code? And again, where did it come from? And then what's the, what's going on in this code? The argument isn't to stop the use of open source software.

The argument from my standpoint is if you're receiving that software, know what you're getting, understand what the risk is, ask the question, accept or deny that. Yes. So now SBOM has become a major topic. It's one I've been working on since the SolarWinds attack a couple of years ago.

And that's what an SBOM is. It's just the- No, I appreciate that. In terms of national security, you probably always are considering not just like the typical cybersecurity use cases that I think most cybersecurity folks are thinking about, but you're also thinking about like national threat actors and a set of adversaries that maybe don't cross everyone's plate on a daily basis, but they cross their plate all of the time. Yeah, exactly.

So I would say on the cybersecurity side of the, and I don't know if you noticed, I use the word resilience a lot. You do. You were talking about that global resilience federation or foundation. I really push for resilience.

I wish it would be at cyber resilience versus cybersecurity because there's a framework for cybersecurity. There's a regulation for cybersecurity and people can just protect, protect it, put this wall, put up the mold, put these things that are going to stop the attacker from getting in, put all these protections in place. And that's what they thought that. And so a lot of the folks, I would say the cybersecurity defense industry, it becomes a compliance job.

So do you have the security controls in place? Did you do these things that you're supposed to do? You do this check mark kind of exercise. Okay, we did all these things.

So therefore we're secure. No, absolutely not. Because when you look on the offensive side of cyber, the adversary isn't following that checklist. They're not opening the book on NIST 800-53 controls and saying, okay, let's see if we can get through the password.

Okay, let's see if we can do this. No, let's think completely outside the box. How can we get in regardless of whatever the compliance requirements are, whatever the regulation is, whatever the legislation is, they don't care. So they're not following the checklist.

So they do look for those new and novel ways to get in. And supply chain has been one of those super difficult things. How to test supply chain, how you look at supply chain, how do you ensure that you don't have a third tier supplier and it's putting something into the supply chain that's going to be dormant and passive, it's going to pop up later or get activated when touched with something else to do something later. These are very advanced nation state tactics that I just assume are happy.

I'll just assume that are happy. I'm not saying I've been read into anything. That would be illegal. But it's not beyond the realm of possibility.

I would imagine. Yeah. There's things that happen. That's what makes cyber really exciting because if you sink it, you can do it.

If you build it, you can break it. It's just a constant puzzle of figuring out the way in. It is. It takes a little bit of crazy to get into security and cybersecurity and all of this stuff.

Maybe. How did you get involved? Like, where did that drive that passion come from? I really feel it when you speak about it, but maybe there's a story there.

I don't know if it's much of a story. I think I fell into it, honestly. I hate it when you trip and you fall into cybersecurity. It's just... Yeah. I fell into it.

It was... I don't say just luck.

So I think it'd be a little bit about my early sternum years. When I was in high school, I really... Actually, I was high school. I would say as far back as like sixth grade, I always liked math because I was good at it. I like math because I feel like you could never be wrong with math. Once you know it, you're not going to find two plus two when someone's saying, no, that's six.

And then tell you how you're wrong. You're like, no, it's math. Like, that's how it is. It's a closed system.

There's rules. It works. There you go. It's very binary.

It's math. Yeah. Yes. You're right.

Whereas literature, there's interpretation. And then I found in classes, it's always, doesn't it matter what your interpretation is? What's the teacher's interpretation? And you're getting the teacher's interpretation.

Same thing with history. I don't think they... I did not experience history and literature where it was the broad concepts and what's going on. Okay. Memorize these chapters. And then hopefully you know what the teacher's looking for.

Is it the date? Is it the name? I don't know. So it's just a lot of what's important here.

And there's no... I never really found the relationship to others.

Same thing. I have as an adult. But in school, it was a harder concept. It's just memorizing chapters.

And honestly, I do a lot of memorization. So math was always the easiest class for me. Okay. Got it.

Done. So that worked well for physics. Even in physics, you have all these different formulas you have to have. I didn't memorize them.

I would just constantly read or write in some. I'm like, okay, I'm looking for this equation. I know this so I can derive it. Here's the equation.

Right. So it was almost, again, very logical for me. I ended up joining the Army the day after I graduated from high school. I was gone for four years.

I got to see the importance of national security. And then once I got out of the Army, I was then pursuing my college degree. And I looked at the degree programs. I don't really know what I want to work on, but I'm good at math.

So I'm going to work on math. And I don't really know, honestly, the time. What does that mean in terms of a career? Does she become a math teacher?

You don't really want to be a math teacher, but I like that. So I get into math. And then I find that all of the math classes I've taken are required for the cyber and a computer science degree. So I'm like, if I just take a couple of programming classes, I have a computer science degree.

And that seemed to be a little more transferable into the workforce of opportunity. And I know you can do things with math now. I don't want to leave this interview saying you can't do stuff with math. No, first off, math is a stepping stone towards all sorts of different, really interesting, pragmatic.

So I would just say my exposure was very limited at the time with different careers and jobs. And then I saw the computer science degree. I started working on that. And it happened to be the same time, right around the same time as President Clinton had signed the Presidential Decision Directive 63 to protect critical infrastructure.

At the time, there wasn't network monitoring going on for all of the Department of Defense and organizations. But there was a new directive we need to start worrying about computer threats and looking at if people are breaking in or how that works. So I happened to be living in Hawaii at the time. And the Pacific Computer Emergency Response Team, the Army's PAC-CERT, they were standing up their initial group of, OK, we've got this directive to stand up an organization to protect the PACOM network for the Army.

While I was in my last couple of classes graduating, I had interviewed for this position and they hired me as a network analyst. And I loved it because I love numbers. I love that. I love looking at IPs.

I love looking at patterns. And it was really looking at logs all day. And then what you're doing this for a while, I would find that, oh, I just saw this IP maybe a month ago because it was a strange IP and I remember the activity. So then you'd start to build these profiles up.

So it's very human intensive. Now there's a lot of technologies around finding these things, but that's it. Develop some of these profiles, dig into what was really going on. And then just the, I guess the patterns of the traffic, the analysis was a lot of fun.

There's always these different tools out there to look at different things. But my favorite was always Excel. So I could go through and manipulate the data myself, throw data into the finance table and I'm super happy. I'll find a million things to pull out of it.

And that was a lot of fun. So I got into it from that job. And that was military. Yeah.

And I wasn't military, but I still got to support the military. And it was, yeah. So I would say I was probably hired because I had a secret clearance at the time, getting out of the military. And I had a minor in mathematics with a major in computer science.

So I think the requirement of what they were looking for, they wanted a mathematician, they wanted a computer science. They wanted a, I think, an electrical engineer. They wanted prior military. And I put a lot of those locks so high underneath.

And that was the start of my career. Amazing. And it really sounds like you focused on your strengths and you led with that and you let that guide your career and a lot of your decision-making, which is really... No, it's funny. No. So it's funny you say that because I will get very comfortable with a particular, like, what I'm doing.

And then throughout my career, I've had the opportunity to work on different things. And I would say at first, it was very intimidating. Hey, we need someone to work on. I'm going to test and evaluation.

I have no test and evaluation experience whatsoever. So I'm like, I'm in. Absolutely. Sign me up, huh?

Yeah. I will flounder the best stuff for the first couple months. But I guarantee after I've been there for a year doing it, I'm going to know something. I love that you bring your strengths to the table and you push yourself outside your comfort zone.

So I've always discovered that's where the good, that's where really good growth happens. Absolutely. I ended up going to FDD because I felt like I was, I'd been with MITRE for about 13 years in. I'm in Colorado Springs and I felt like I wasn't going anywhere else.

I don't say I was topped out, but it's harder to progress within the company when you're not at the headquarters. And the customers are very, it can be DOD. But since I moved to FDD, it's been not just DOD, it's been all sectors of critical infrastructure. It's been the civilian sector.

It's been just a huge firehose of exposure to so many different areas. It's been just fantastic. And it really probably puts you in a position where you can have a much broader impact across the nation and even the world, because the States is a leading technology. So I mentioned earlier that I find that a lot of the cybersecurity world is very compliance driven.

It's very compliance driven. Yes. You've got a law, you've got policy, then you have directives. You've got your CCPA and your GDPR and companies trying not to find whatever.

So when you live in the compliance world, it's like you have a three degree sector of a circle and that's what you look at the whole time. But when you get out and you run your horizons, you see the richness of the full spectrum of cyber and how they can relate. And I'll give you an example. So I mentioned the software bill of materials and I work with the SBOM community, different folks, how do we advance it?

How do we get people to adopt it? How do you transfer SBOMs? How do you develop SBOMs? What do you do when you get them?

Is there a standard format for all SBOMs everywhere? So these are all things that the community is very working out. And one of the questions that comes out, comes up a lot in this stage of the conversation is, what are you doing when you have an SBOM? So you're an organization and you said, yeah, we're required because we've announced went on.

So now you have it. Well, what do you do with it? Right. And so that question, is it something that the software developers could answer for developing SBOM?

I don't know. What do we do? I don't know. Just take it.

Yeah. Now what? You run the required units. But then on the back to the compliance side, there's a process required for all federal systems called the risk management framework.

And you talk to the risk management framework folks who go through and determine this baseline of the cyber compliance under national standard. They're not software developers. They're the ones who go through and ensure that those controls are in place. So they don't know necessarily anything about SBOM.

And looking at the requirements for RMF, looking at what SBOM can do, and they're like, this isn't a natural integration point for the two. This is exactly where the SBOM should go. So in your risk management framework, there's seven steps of assessing a system. So you take the system, put it a classification of it, you determine what controls have to be on the system.

You implement the controls, you test the controls, and it goes in for approval. Super short. But it doesn't get into what's the history of the software. And did you look at that?

And you need to put controls in to mitigate some of those issues with the software. And for each step in the risk management framework, there's particular tasks that you have to achieve. Task what, two, three, first step two, which might be the supply chain risk. And then the supply chain risk gives you various specific steps of who developed the system, what were the requirements.

But it doesn't get into the software. Who developed the software? It only is just one tier level. Oh, this company developed it.

That company maybe used some open source software that was licensed for commercial use. So there's another task in there is like the continuous monitoring of that. So continuous monitoring of that. But you can also continuously monitor those open source software components that are within the system.

So when you have things like, I know if you're familiar here, the Log4j incident that happened earlier last year. So Log4j was a huge deal that also helped put S-BOM on the map because you talk to a company, organization, department, and you're like, oh, you're vulnerable if you have Log4j. And the first question is, do we have Log4j? We've got this package of software, but we don't necessarily know what's in it.

Do we have it? So then they got to go through and figure out if they have one or not. That early risk management framework practice that people are doing in the federal systems, they could incorporate things like S-BOM to have a greater understanding of the risk. But those two communities are separate communities.

So when I talk to SBOM people, I'm like, why don't you work on implementation of RMF? I get the question, what's RMF? And when I talk to the RMF community, I'm like, oh, why don't you guys implement the requirement for SBOM? We're like, what's an SBOM?

We've siloed our cyber security folks. Right. Yeah, absolutely. That at such a high level, do you recommend policies for changing or improving these things to how do you see your impact trickle down?

Oh, that's actually very exciting. I almost hate to keep talking about S-BOM, but it's an important topic. We'll run with the themes. Yeah, because people are familiar with it.

So I started working on SBOM a couple of years ago, right after the SolarWinds compromise, stressing the importance of knowing the supply chain, ensuring supply chain security. And I had written some draft legislation and recommendation for the National Defense Authorization Act. And I also got to talk to the- Were you tapped by a congressperson or an executive? Or maybe DOD asked for it.

Well, no one asked for it. No one asked for it. You just volunteered. So yes or no.

That's my job. I find the gaps when I push it. But I also did get to talk to the Senate Select Committee on Intelligence. They asked for a small technical roundtable on, if we could do one thing in tech and cyber to really make an impact against compromises, hacking and things like that, what would it be?

And I was there promoting software bill of materials. So I was pushing it through the Senate Select Committee on Intelligence that way. But then I was also within my own organization, we're a think tank. And that's what think tanks do.

And I will- Honestly, before I came to FDD, it's not think tank smart. If you had asked me before, what's a think tank? What do I do? I'm like, I don't know.

It's where Jack Ryan works. I guess you get on a helicopter. And you fly over to other countries and get to shoot people. That's what think tanks do.

Because you're so smart. And you know everything. But that's not really what we do. We look at those future threats and the gaps in current policy, what's going on in the practitioner world.

And we try to bridge that gap. So that's what I do with cybersecurity. And I found FDD to be one of those areas. So that was one of the areas I did my pilot on it.

I included recommendations that I felt they should be included in federal requirements. They should be included in testing, especially for things like our weapon systems within DOD. And it didn't make it into, like I said, the Draft National Defense Authorization Act of 23. But then it got pulled out.

There's a whole bureaucracy behind it, but it was too much, too soon. So it got pulled out. But I was very thrilled that it made it into the NDAA. But it had a voice.

And you were behind that voice. And not me alone. There's a community of folks. There's an organization.

Oh, there's definitely a community. Yeah. Allen 3 Limit and CISA. I would say the different companies out there, Cybeats, Ion Channel.

Everyone who is familiar with an SBOM is pushing the goodness of SBOM. So we're trying to educate other folks on the usefulness of it. But so back to the compliance piece, the National Defense Authorization Act is that law then DOD has to meet the requirement, too. So everybody who's being done in DOD for cybersecurity, they'll point to section whatever of the NDAA.

So I thought that was hugely impactful that it made it into the draft. It did get pulled out. However, because the recommendations we're seeing, it didn't make it into DOD policy, their cyber survivability attributes, which I was thrilled with. Because the law is there saying you have to do it.

That didn't happen. But DOD saw it and said, that's a good idea. We're going to do it anyway. We don't have to have a law.

So there is a mention of the use of requiring, recommendation of requiring SBOMs in systems under acquisition. And that was, I found, extremely impactful. Yeah. And I was thrilled with it.

So that was very rewarding for me. Awesome. Do you see this making its way into, or maybe it's already there, in FedRAMP? Yes, it's, I see it making its way into everything.

It's actually, it just recently became a requirement for the medical devices. FDA has put it in. Oh, excellent. It's so funny when you look at that.

Something goes inside my body. I really don't want it to have no vulnerabilities. I would say I've been a little spoiled supporting DOD for so long because there's always a policy, a person, a belly button, something that you look to and point to. But when you get into other sectors, medical, water, energy, you're like, isn't there an organization here that does penetration testing of these things?

But, you know, we recommend it, though. That would be good, but no. Speaking of, so if someone comes to you and says, okay, George, I'm sold. I want to do the right thing.

I want to do this justice and I want to do it the right way. I don't have in-house expertise to help me with this. What's the first step? Where's my starting step?

Do you have a preferred vendor that you recommend folks? For SBOMs? For coming up with an SBOM for, let's say I'm a Series A or a Series B startup. I don't know if I can.

I'm on the board of advisors for Cybeats, which is a great SBOM company and I highly recommend them. But then there's also other great companies out there. I worked on my pilot with Ion Channel and a fantastic company. And all of the people I've worked with and all the pilots I've worked with, these different companies, I said, the experts.

I think I mentioned it's always a coalition of the willing. So it's people who are passionate about the process, the security, what they're doing. Yeah. Not about selling their product or making a dollar.

I would say if someone came to me, I know it's really come to me looking for vendor advice. But I would definitely push them towards those passionate folks in those communities, not the salespeople. Salespeople, yeah, exactly. That are passionate about helping.

There was a founder that I had on. I actually just recorded him a couple of days ago. Name is Feross Aboukhadijeh. And he was building something and it was like a security thing.

And he realized that this was a problem. And it was a very serious problem. And it was a difficult problem. And he wasn't happy with anything that was out there already.

And he started to solve this problem in-house. Just extremely smart guy. He knew what he wanted to see. Nothing had it.

He started to build it. And it turned out that the thing that he was trying to secure didn't really catch. But the thing that he ended up building to help with SBOM and scanning for known vulnerabilities and getting your bill of materials and watching things come in the JavaScript world really caught. And he open sourced the whole thing and it has like billions of downloads.

And he was like, with this community, maybe we should build a company around that. It's really funny how things work out that way. But every once in a while they do. What would you say has been your best day?

If you have a single best day at FDD? I don't know if I had a single best day, but I have had some just absolutely incredible experiences. Moments. Yeah.

So I mentioned I'm on a working group under the PCAST, the President's Council of Advisors on Science and Technology. So we had an in-person symposium on the White House grounds at the Eisenhower Executive Office Building. And I got to spend the entire day there meeting and listening to cyber leaders throughout our government and the different organizations give us feedback on the recommendations we came up with. So it was one of those kind of pinch-me moments.

Like, I can't believe I'm here. I can't believe I'm talking to these people. This is incredible. I was talking to the senior cyber decision makers from government, from ISACs, from think tanks, academia.

Just an incredible pool of people that see the issues, see the problems, see where we need to go. And I was just like, wow, this is just absolutely incredible. I'm just honored to be here. That sounds like amazing.

Yeah, it really was. But then I'll also say I had a really exciting day. We had put together, my company, FDD, my team, I put together a very short video on SBOM. And when I was here, it got published and pushed out.

I was so excited to see it because it's this super simple three-minute cartoon video that takes something very complex like supply chain insurance and vulnerabilities of software. And it breaks it down so that your six-year-old can understand it, which is, I hate to put it that way, but that means a converse can understand it. That means a decision maker can understand it. That means that a non-technical person out there who's making a decision can say, oh, hey, it's stuff like this.

This is really bipartisan, right? It really is. And that's another great part about my company and my position. Cyber is a non-partisan organization think tank.

And then we bring together both sides of the aisle. And nobody's really got, I guess, a party issue with cyber. Like a social agenda. It's not the point of the org, right?

Yeah. At least I'm very, like I said, logical. And cyber is not, I don't think, a political issue. I will also mention that the Cyberspace Solarium Commission is housed at FDD.

And we've had the cabinet commissioner, a couple of different congressmen, two Republican and two Democrat. So we ensure that it's a bipartisan issue through efforts to push out. And the Cyberspace Solarium Commission, I'll just give them a plug. It's the congressionally mandated organization that was stood up under John McCain to address cybersecurity.

So it's comprised of various commissioners, congressmen, lawmakers, two of my colleagues at FDD, Mark Montgomery and Samantha Ravich, that push recommendations to Congress on things like put an SBOM in the NDAA. I don't know if that wasn't one of theirs, but they have a whole list of things that need to be addressed. Things like get the water industry sector secure, workforce development, things like that. So they put out a number of different high-level recommendations to Congress.

And that's their blueprint of where they need to take action. Because there's not, and this is always a surprise to everyone, not a ton of cybersecurity experts in Congress. Oh, that's a huge shocker. I'm happy that we've got smart people that care and that are familiar with these issues, like bringing them up, let's say, in a national forum.

All of the gratitude in the world. When you look into the future for yourself and your organization and, I don't know, the nation in general, what does success look like? What does that feel like when you get there? You can look as far into the future as you might like.

Yeah, I don't think problems go away. Gaps don't go away. Issues don't go away. So success is really when I see that there's been an impact and someone understands something and they can take action.

So like the SBOMs in DOD policy, or talking to, I had a conversation with a medical device CEO a couple weeks ago. He was texting there. Very strict requirements for medical device testing. But he wasn't aware of the software requirements.

It was opening his eyes to, yeah, and making sure we have those requirements as well. That's success to me. It's just getting people to understand how to best assess risk so that things are more secure. It's not a stagnant field where I can say where we are today, what we're working on in the future.

That's where we're going to be because the issues continue to advance as well. We've got quantum computing, we've got artificial intelligence, we've got so many factors that are being exacerbated. We need to exacerbate the issues of cybersecurity. We still need to understand where those intersections are, what that means, where those vulnerabilities are, how we mitigate those.

Which part of the future gets you most excited? What do you mean, which part of it? The problem part or the solution part? Like quantum computing or AI or like maybe there's something else out there.

It's very exciting. Let me know. So those are two of my other big areas. Yeah, the Web3 technologies.

I think the future is coming so quickly. It's amazing. I think that it's just taking off. I almost can't fathom the issues that are going to be upon us in five years or 10 years.

I look at quantum computing. Next year, NIST is supposed to be putting out the guidance for the new post-quantum algorithms. Oh, yeah. Yeah.

It's all of the encryption is going to be changing. And if it doesn't change, then it's going to be compromised. So then you look at, okay, let's just get people on board and you don't get this updated. We miss that window.

We don't have the workforce to sustain this. What does that mean for national security? That means that there's, I have a colleague from IBM. He calls it the day of no secrets.

The day of no secrets comes. That means that your banking information is no longer classified or secret. Your healthcare information or national secrets. Everything is just wide open.

So you look at the doom and gloom of scariness with quantum, worst case scenario. And then you look at overlaid on that things like artificial intelligence. So then in the cybersecurity world, I think these scenarios in my head. Actually, I just did an op-ed that was published last week on the convergence of artificial intelligence and cybersecurity.

So in artificial intelligence, it's a big equivalent. We'll put a link to that. Yeah, we'll put a link to that in the description. Yeah.

So the quantum just speeds everything up. So if it was going to take you a billion years before, now it's going to take you a second. So now if you have artificial intelligence, you can take things like, let's just say a deepfake of your boss. They are chatting you and saying, Kayleigh, I need you to send me this.

I'm at the airport. This is obviously my face. I'm talking to you, log into my account, do whatever. And the person, yeah, sure, of course.

Yeah. I saw it and I talked to him. So it's no longer just tricking you through words that I read and interpreting. It's no, I saw the person.

I talked to the person. We had an interactive conversation because they've got artificial intelligence can respond to those things. It becomes super sci-fi, super scary. Even on the test and test evaluations, you've penetration tested before.

If you're a pen tester, you'll look at a system and it takes you a long time to go through. So what's the system? What's the hardware? What's the software?

How's it work? How can I find that way in the out of the box thinking? How's the adversary doing this? It takes a long time to come up with that.

But you push all that into artificial intelligence. I don't know, put it in a data model of great hackers. Okay. Three seconds later, here's your attack surface analysis.

You went perfect. That would have taken a year. Now it's, here it is. This is how you get in.

They're using this version of this software. We know this because they maybe advertised for somebody with a skill set on, I don't know, LinkedIn with experience in this job. You pull all those things together and then it tells you this is how you get in. You're running Log4j.

There you go. Yep. Yeah. No, that's incredibly scary, incredibly exciting all at the same time.

I always tell people like, what's job security? And it's always exciting. My job is always exciting. Yeah.

And I don't know. I'm an optimist. I believe that there's going to be smart people thinking through all of these things. And no matter what the future has in store for us, we're going to figure it out.

We're going to be resilient. And what doesn't kill us will make us stronger. I want to stress again, resilience. I did mention.

Resilience. Yeah. Let's dive into that. You have a lot of community involvement in the resilience space.

You have the Global Resilience Federation, it was. And then the Business Resilience Council you're part of. What are those things? What are you excited about?

I'm excited about it because I mentioned earlier, I think it was a thought that I didn't finish. But the cybersecurity alliance with the protection is you protect the systems, but you will inevitably be compromised. Right. Inevitably, once quantum and AI are here, yeah, you're going to be compromised.

So you're going to be compromised and you have to realize, okay, how do I continue business as usual while compromised? How do I continue to meet the mission in a compromised state? So that's resilience. That's what I really try to push forward with organizations.

You can't just say, yeah, we quit with firewalls. So now we're secure. Okay. What if you have an insider threat?

What are you buying the firewall? How does that work? So it's ensuring the mission success and all those critical functions are met and those critical systems that support this critical function continue to operate even under advisory companies. Under Black Swan.

You don't even know what it is like. I will also point out the operational resilience framework under the GRF. It takes me a step further in not just looking at what your requirements are for resilience, your organization. I don't know, you build shoes or you provide water or you're a weapon system, whatever your critical mission is that you do, your organization.

Right. But if you have downstream customers, what are they requiring from you to do their job? So they're incorporating their requirements as well to ensure that, you know, that resilience strategy includes prioritizing those customers based on, you know, maybe one's a hospital and one is a concert venue and you provide water. Like maybe you don't provide water to the concert venue and you provide it to the hospital.

Maybe that's one more important. I don't know. But you understand what that looks like and you understand where your priority data is and if there is an issue, you can bring up that priority information that ensures resilience, not just for you, but for your customers. No, that's incredible.

I love the holistic approach, taking more than just your own interest into account and thinking about those things, that space. Yeah. Right. So one of the things that great leaders do is that they build amazing teams.

And I'm just curious if you have any favorite interview questions that you've developed over the years and, or what is this that you look for when you're hiring? I look for motivation. Yeah. Yeah.

I find people to be on my team at, in previous companies. At FDD, we're a very small organization and I'll bring on interns. I'm very excited about helping and promoting people get into the field. And I understand that with that experience, if you don't know, you don't know.

Until you have the experience and you have the exposure. I don't have particular questions like, okay, I want you to explain to me how the TCP handshake works. Explain the OSI model. Those things you can memorize and they don't really mean anything to me.

I need to know that you're motivated, you're curious, and you're eager. And you're in this space and you want to learn. So that's really what I look for. It's drive.

Yeah. Really the drive. Because everything else, I can expose you to. I can teach you.

You will pick up. I've had a number of interns. And one of my questions is usually something about their familiarity with NIST. And college doesn't really teach NIST.

So I've had a number of students from a number of fantastic universities. What's NIST? They're like, okay, what's, okay. But then by the time they finish working with me, they know what it is.

So they're better prepared and they know how to do research. They know how to ask questions. They know how to find the answers. And that just waiting for somebody gives them the direction.

So that's why I'm looking for it. It's really the drive. Yeah. That's also what I look for.

And I've always thought that's the most important thing. Even when you're looking for someone to help with a very specific task. Maybe you need someone to help write a C++ module for an HSM that integrates with Java, like top level server. But still, like it's the drive that can push, not push someone, but we can use to push ourselves over the finish line.

Yeah. If you love what you're doing, what is the saying? If you love what you're doing, you never work a day in your life. That's so true.

And when you find it, passion. I mentioned before, like the spreadsheets and pivot tables. Some people might, on their leisure time, sit around and do crossword puzzles or play Scrabble or video games. You know, it's important.

It's important to ensure to do what you love. I love looking at pivot tables for data. I love doing analysis. I love digging into those things.

So those are the people I want to work with in the network that are going to have that same passion of, oh, you didn't tell me to do this. The analysis, like my experience in the Army, there's a lot of no one told me. No one explained this to me. There's a, um, I, I would say, but, uh.

You didn't give me that order. Uh. Or whatever. Like their excuse might be.

A lot of playing dumb when you don't want to do something. And you don't want to do it. You can find ways of, oh, can you explain it to me more?

Can you help me do this? Or show me. There's a lot of not taking individual responsibility or initiative for something. And I, I love initiative.

So, if you have a question, Google it. You can figure it out. And then I can help you with it. Don't, don't rely on me to lay out the breadcrumbs for absolutely everything.

Exactly. And that's where drive will push people to discover how the world works for themselves. And then when they do come to you with questions. Not just that, but they also teach me because then they have that passion out.

Maybe in a different direction. And we're like, oh, let's jump into this. So, then I get to learn. Yeah.

Diversity in every sense of the word is super important. I find like folks that are newer to the field, they're going to ask those really basic questions that force us as leaders to really revisit the fundamentals and think from first principles back to why are we doing this way? Or why are we thinking about this way? If you have to, oh, what is this?

So, I was like, I was like, I'm going to say first principles. There we go. There's the book for all of our listeners. So, I have to plug this book because you said first principles.

So, Cybersecurity First Principles: A Reboot of Strategy and Tactics by Rick Howard. I highly recommend it. And he, it was published earlier this year and it gets into what those principles are. I mentioned before, things are very compliance driven, but he gets into the principles of things.

Think about it holistically and approach it with a strategy, which I'm like. And he encouraged me in the book. So, my name is in there. I just went.

Oh, amazing. Do you know him? That's my claim to fame. I do know him.

So, he is, he runs a podcast from Cyber Wire. And he, before that, was a CISO at Palo Alto. And before that, he was an army leader in the cyberspace where I first met him. So, I've known Rick for probably 20 years.

And he's also the founder of the Cyber Security Canon, which is the book review, Clever. And you contributed to this. Yes. Yeah.

I remember. Yeah. So, I do various interviews, papers. You let me review one of his chapters.

It is such a small world. And it's an honor to work with such smart, interesting, committed, driven folks. It really is a small world. Because I remember in, like I said, 2000 when I started this, my first job, my boss had given me and another person a credit card.

So, here's his credit card. Go to the bookstore. Buy every book on computer security. And back then, they had stores, bookstores.

Barnes and Noble. Bookstores. Yeah. Borders.

Borders. Borders. Borders. Big places with books that you would go and buy them from.

So, we went in. Bookstores. I know. It's like ancient history.

There was one book in the entire store. And it was Stephen Northcutt's book on intrusion detection, analyst guide or analyst book. It had talked about us. With a Cisco book, was it?

It was about Snort. Snort. Snort. Okay.

The detection system written for, developed by Stephen Northcutt. So, it was it. That was the only book. And so, now I go into, I haven't been into a bookstore in a long time, but you can look online and there's tons of books.

Look at the cybersecurity canon. You're going to put a link in there. That'd be great. All the great cyber books that are written.

And I look at all these books. I'm like, oh, I know that author. Oh, I know that author. Oh, I work with that author.

Oh, I know that author. Because all of these people, we came up during the same time. And they were smart enough to write a book. And they've been captured some of that history and put it out there.

So, it really is amazing when I look at what's out there now and how much the field has grown. I want to be super respectful of your time. But do you have time for one more question? Yeah, absolutely.

A fun one. If you could go back in time and visit your younger self, and I'll let you decide how far back in time you'd like to go. And you could give yourself some advice or share a story or something with your younger self. Would you?

And what would it be? So, I'm assuming my younger self is my younger self in my career. Not my younger self, like way early. It could be way early.

It could be way early. It would be things like invest in Google or Microsoft or...

Oh, there you go. Okay. Here's your $5 allowance. These companies are going to go IPO.

You buy them with your $20 allowance. Allowance. Right. Yeah.

And then you won't have to worry about money. $0.93 you found in your car cushions. Yeah.

You invest that in this company. No. But in my early career years, to myself, it would be, yeah, don't wait to take the initiative and don't wait for permission for taking initiative. Don't wait for permission.

Yeah. I found that my work history, again, you have a manager, you have a manager's manager, so there's a hierarchy. And then you have a job and do your job. And if you have an idea, you bring it to a level, again, not in school.

This is what we're working on. Right. You're like, okay, all right, move on. And then you continue that job.

But the world is so interconnected now. I look at LinkedIn. I was having a conversation with a colleague of mine before when I was working with a company. Networking meant I'm reaching across the different departments.

I know people on different teams, different projects, different departments, but they're all still within my company. That's it. And it's very, you know, spiraled when you look at it. And there's absolutely nothing was preventing me from having an idea or being interested in something.

And then jumping to a LinkedIn communication or community and seeing what's going on and how they're developing it and getting involved on something I had a passion with. I do that now regularly. No one's, again, telling me what to do. I get to then reach out to, again, not just people in my company, but those thought leaders, decision makers, those startup companies, those very experienced folks all across the industry.

I just have a shared passion. And no one ever asks me, what's your rank or who are you or why am I talking to you? No, no one cares. They just want to move the ball over and work with people who are interested.

So there's really nothing stopping anyone. But I feel like when you're in that sort of rat race, nine to five, super structured, you're waiting for someone to recognize. Yeah. It's easy to get sucked into the grind.

It really is. And I found that I would always do my best in a job. So then you expect everyone to recognize like, oh, yeah, you're doing a great job. No, no one's there.

Yeah. You just become. They're just. Cognitive machine.

Yeah. And expect it. And they depend on you to do that. So you don't really break out.

But it sounds like at the core, you have the entrepreneurial spirit to nudge yourself outside that comfort zone to not wait for permission to do something and to just go for it. I would say I do now. I would say earlier in my career, there was a lot of don't recognize how what I'm doing and how great my ideas are. So another example, this is a better example I found earlier in my career.

I mean, the other thing, Aaron, this is going to be hard to believe because we're in the interview. I've been talking for the entire time. But I'm usually the quiet person in the meeting. I'm more of an introvert.

I love the I'm going to speak louder and most often just so I'm heard. And I'm very thoughtful, very analytic. So I like to hear things and process things and run through the course of the idea. So maybe I get dismissed because I'm quiet.

But if I say something, I found that I was often just overlooked or dismissed. And then maybe someone else would repeat what I said. I'm like, I literally just said that. And he just rephrased it.

That's that's what I said. Or maybe I said it and they didn't repeat it. But we'll get to that conclusion maybe two months later. I'm like, that's right.

Two months ago. So I've learned write things down. Don't be dismissed by other people. Don't be discouraged by other people.

I just leave yourself a little bit. Happy rainbow sunshine kind of stuff. But write things down. So you don't have to be right.

But you can definitely pursue direction and explore things without permission. Absolutely, you can. And I love that. And sometimes as a leader, we have to say things like repeatedly before people hear it.

I don't know. It's something about being human. You have to like, we have to repeat ourselves sometimes. It's just.

I can't. People listen from where they are, from where they are, not from where we are sometimes. So to speak. Thank you so much, though.

This has been an absolute honor and a pleasure to have you on the show. Likewise. Thank you. It has been an honor and pleasure.

Thank you for having me. Would you like to leave the listeners with any final pearls of wisdom? I don't have any pearls of wisdom. No?

No. I hate to say no, but. No, that's okay. I don't understand.

It's all good. Nothing off the top of my head. Pursue what you're passionate about and find a way to make a difference. Find a way to make a difference.

I love it. That's great advice. Thank you again. This has been an absolute joy.

Thank you. And thank you to all of our listeners for tuning into another episode of the Security Podcast of Silicon Valley, and stay tuned for the next one.