CSCP S03EP23 - Chris Hughes - Demystifying Application Security Programs

Released Sunday, 19th February 2023

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:02

Welcome to the cybersecurity and cloud podcast.

0:05

The podcast where we learn from cybersecurity experts how to stay safe,

0:09

private and secure in the cloud and in code. CSCP is hosted by Francesco Cipollone, your

0:16

cybersecurity friend with a passion for all things cyber

0:19

and sharing stories of other professionals with you.

0:22

This episode is brought to you by the generosity of Phoenix

0:25

Security Limited. Phoenix helps startups and enterprises solve complex software security,

0:30

supply chain visibility by leveraging the

0:32

power of correlation and contextualization.

0:35

Discover how Phoenix Security helps

0:38

CISOs and security engineers act fast,

0:40

prevent burnout and implement DevSecOps at the speed of cloud. Phoenix Security:

0:46

correlate, contextualize

0:48

and act on risk with one click. Let's dive in.

1:02

Hello everyone and welcome back to the cybersecurity and cloud podcast,

1:07

this is your host Francesco and this is probably the

1:11

last episode that we do in 2022. It is the 29th of

1:17

December 2022, we're almost at the end of the year,

1:21

but we managed to squeeze in a last episode with Chris

1:23

Hughes, and it's an absolute pleasure because Chris and I have

1:27

been interacting a lot on LinkedIn, teasing each other over a

1:30

number of topics, and we said, you know, it's the time

1:33

to come on the show and do a proper episode.

1:35

So, Chris, thank you very much for coming on the show.

1:39

Chris is a consultant and director at Aquia and has been in the Air Force previously,

1:45

so he's very heavily involved with a lot of US

1:48

regulation around SBOM and around cybersecurity, and the U.

1:52

S. has faced a lot of change of late, and today

1:56

in the episode we're gonna dig in and explore this.

1:59

But before digging into the exciting topic of SBOM and software

2:03

supply chain, Chris, tell us a little bit more about you:

2:06

how did you start? How did you get to the point where you are today?

2:10

Yeah definitely. I'm happy to give you some background.

2:13

I started off active duty Air Force. You know, prior to

2:15

that I always had an interest in computers and technology, but

2:18

joined the Air Force and got put in the

2:20

cybersecurity field, and at the time I didn't really realize the opportunity.

2:23

You know you're just a young kid you know.

2:26

And then, like, I started really taking an interest

2:28

in it because it was a fascinating career field and, like, I've

2:30

never stopped. You know, I did four years in the Air Force and then I've been a federal employee with the U.

2:35

S. Government twice, once with the Navy doing cloud and DevSecOps

2:39

and, you know, cybersecurity for them, and then also with an organization known as GSA,

2:44

the General Services Administration, which probably isn't too familiar for many.

2:48

But, like, if you've heard of FedRAMP, I was part of the FedRAMP team reviewing cloud services coming to

2:52

the, you know, US federal market there on the security team.

2:56

And then, you know, worked at a couple of different industry organizations in the DoD

3:00

space, you know, on the software factories and things

3:03

like cloud and Kubernetes and containerized environments and

3:05

all those kinds of things for, like, Space Force and Air Force and so on.

3:09

And then ultimately just, you know, decided to give it a chance myself and, you know,

3:13

co-founded Aquia, where I'm at now, with a

3:16

couple of partners and, you know, doing cybersecurity consulting

3:18

in the public sector but also a little bit in the commercial, but definitely mostly U.

3:22

S. public sector focused. And, you know, outside that, like you mentioned,

3:26

I'm really active on LinkedIn. I host a show myself called Resilient Cyber, and I'm

3:31

pretty engaged with groups like the Cloud Native Computing Foundation,

3:34

Cloud Security Alliance, for example. I have

3:37

contributed to several white papers and publications

3:39

with them, and yeah, just really

3:41

passionate about all things cybersecurity honestly.

3:44

And there isn't a new article or regulation that comes out without

3:47

a whole competition of who can write a blog first,

3:51

and I really appreciate that because I think it is

3:54

pushing everybody out to the edge to actually write even faster.

3:58

Yeah, I mean, there's some awesome people out

4:00

there that put out a lot of great information that I read, you know, folks that you and I know, like Walter Haydock and such.

4:06

So sometimes, you know, I enjoy writing, and for me learning, like,

4:10

I like to read something and write about it while I'm reading it.

4:12

So, like, if something new comes out, I like to try to quickly get an article out there and try to push other people,

4:19

you know, but it's all, it's all in good fun honestly.

4:22

Yeah, I think it's a good,

4:24

it's a good point and it's a good competition to actually write even faster and quicker,

4:29

but maybe back in the day, um

4:31

you know, what made you decide to actually engage this into a full-on career?

4:37

You know, you started in cyber, you kept going more into cyber and then,

4:42

and then, as a follow-on question, how did you see the regulation and the industry changing?

4:48

Especially in the, in the federal space of late?

4:52

Yeah, I mean, for me initially it was, you know, just kind of happenstance.

4:55

Like I said, I got put into cyber, I was in the Air Force, I got out and, you know,

4:59

kind of just stuck with it just because it was easy to find a job doing what I did in the military.

5:02

And then I saw, like, the economic opportunity

5:05

that the career field has. It's a great career field,

5:07

you know, a lot of good job stability. It's, you know, it's very high demand for example,

5:11

and I was always really interested in it and then, you know,

5:13

I got married and started a family. I have four young kids, and once I started having kids, like, you know,

5:19

my motivation to work harder, to learn, to grow,

5:21

You know, my career just took off from that point

5:23

and I've never stopped working hard since then.

5:26

And as you mentioned, I think we're definitely seeing, like, an evolution of the regulation in this space,

5:30

you know, in our, in our environment, in the public sector.

5:33

You know, we've always had things like NIST and, you know,

5:35

the Risk Management Framework, NIST 800-53, and, you know, think of NIST 800-171 for the defense

5:40

industrial base, and then CMMC that people are talking about a lot now,

5:44

thinking about, you know, not just software supply chain but supply chain risk management in general,

5:49

you and your suppliers. That was a topic that's gotten a lot of attention as of late, and then, you know,

5:54

obviously software supply chain. You know, it's not necessarily a new topic.

5:58

You know, you can date it. Google

6:00

actually had a white paper recently where they cited, like, an incident from 1980, you know,

6:04

for something where the United States did something

6:06

to Russia with software, and it's like, wow, this issue has been around for a long time,

6:10

but it's gotten more and more attention, I think, as, you know,

6:13

we've seen open source adoption kind of accelerate and go, you know, go crazy.

6:16

Everyone's using open source software. Most modern applications are made of open source

6:20

software and I think people are realizing like,

6:22

you know, I think Sonatype, for example, had a study showing that in the last three years

6:26

it's like a 742% increase in software supply chain attacks.

6:30

So malicious actors are definitely paying attention.

6:32

And now I think that's making organizations regulators, you know,

6:35

the industry pay attention and try to respond to this

6:38

Brilliant. And I think I saw as well an almost change in that, I saw the US taking,

6:44

I mean, with the change of command in CISA,

6:48

a really strong stand in the software supply chain and that's

6:52

when the whole industry kind of started paying attention on O.

6:56

S. S. and in general on the software supply chain, and started to bring in SBOM and the

7:01

new regulations on SBOM with, I think it was the 22-01 or 02, that

7:08

They brought out the whole topic of vulnerability management,

7:11

but not just in infrastructure, but across the software security lifecycle that really, really break the cars.

7:18

and changed the paradigm on,

7:21

you know, this is something that we need to pay attention now.

7:23

And, you know, when there is a regulation behind it,

7:27

the whole public and private industry starts paying attention.

7:30

That's what generated the whole debate and topic.

7:36

And as you rightly say, it's not a new thing. I mean, software,

7:40

we've been writing software since forever, but right now we've been really paying attention to it.

7:46

So what do you think was the kind of singularity that made

7:51

everything change and us really paying attention

7:54

now to software supply chain attacks?

7:58

Yeah, I mean, I think, like we've talked about, the momentum has been slowly growing.

8:01

There's been folks like Josh Corman, if you're familiar with him,

8:04

who was kind of warning about this issue almost a decade ago,

8:07

you know, in the medical device community, for example.

8:09

But there's no arguing that, you know, SolarWinds and the fallout from that,

8:13

thousands of organizations that it impacted, kind of, like,

8:16

you know, precipitated the whole follow on executive order.

8:18

you know, the executive order on cybersecurity,

8:22

which had an entire section, section four, dedicated to software supply chain security.

8:25

And then out of that came a whole slew of activity,

8:28

where you had organizations like NIST producing a new version of S.

8:32

S. D. F., the Secure Software Development Framework; OMB,

8:35

the Office of Management and Budget, now kind of dictating that all suppliers selling software to

8:40

the federal government start to attest to align with S.

8:42

S. D. F., providing things like SBOMs.

8:45

And then you had, you know, organizations like NTIA,

8:48

where you had Dr. Allan Friedman and folks, you know,

8:50

working on these SBOM working groups, you know, two or three years ago, you know, building that interest,

8:55

building that maturity around SBOMs with their working groups with industry.

8:59

And then of course he moved over to CISA and kind of has kept up that, you know,

9:03

that momentum since then. So I think, you know, definitely SolarWinds was kind of the watershed moment,

9:08

I think, from an attention perspective, and then

9:10

the cybersecurity executive order and all the,

9:12

all the activity has come after that.

9:15

And as you mentioned, like, you know, I think regulation has and will continue to play a big part in this.

9:19

Like, you know, without regulation forcing the issue,

9:22

suppliers are not necessarily incentivized to provide

9:24

this information, that transparency, and many,

9:27

you know, I've been really focused or interested in the economic factors of cyber.

9:31

Many consider cyber to be a market failure.

9:33

They say, you know, regulation is required for things to change.

9:37

And I think it's, you know, it's hard to argue with that, because if we just leave it up to the industry,

9:42

they're not going to necessarily provide this information. Why would they, you know, just take on some additional risk or scrutiny?

9:47

So, yeah, I think we're definitely seeing a lot of changes.

9:51

And security is still seen as a massive cost.

9:55

So if there isn't a regulation behind it, there isn't a business justification to ship with an SBOM in particular.

10:01

I think it attacks one of the big topics

10:05

in cyber, that is asset management in general.

10:07

That is a hugely debated and often avoided topic in

10:12

cyber, or in general IT; it's not even a cyber problem.

10:16

And I think this SBOM kind of industry has now brought to the topic a problem that is, like,

10:22

what do we do with this asset, and, you know, assets of assets, and who uses those assets?

10:28

So I think it has opened the Pandora's box around asset management in

10:32

the supply chain, and now, what's your thought around it?

10:35

You know, I think you're spot on. Like, you know, I've been writing and talking about this recently and just

10:39

digging in and reading a lot about it, looking back across my own career, you know,

10:43

asset inventory has been a best practice for a long time.

10:46

You think of, like, the SANS Critical Controls: hardware, software,

10:50

asset inventory has been around for a long time, and

10:52

we've always sucked at it, and it's always been difficult,

10:55

you know, and then you bring in, like, you know, the modern environment with the open source software, you know,

10:59

you have managed service providers, cloud service providers, you know,

11:01

software delivered as SaaS. You know, software is increasingly complex in most modern environments, and, you know,

11:08

you look at, like, SBOM, as you mentioned, now you kind of open that Pandora's box of,

11:11

you know, it's not just, like, one app, it's all these components that are involved in the app, and then

11:15

you have all your dependencies and your transitive dependencies, and it just,

11:18

you know, it's a very complicated issue.

11:20

Yeah, and we kind of just had been burying our heads in

11:23

the sand, or ignoring it and pretending it didn't exist, and now,

11:25

you know, the light is on the issue and there's no ignoring

11:28

it now, and organizations are really starting to try to grapple with, like,

11:31

okay, how do we get our hands around this? How do we understand, like, what our software supply chain

11:34

is, our components that we're using, if we're a supplier,

11:37

you know, what are we using? Or if we're a consumer,

11:39

what's in the software that we're consuming? What are the vulnerabilities associated with that?

11:43

So it's kind of opened that Pandora's box, like you said.

11:46

Yeah, I totally agree. And

11:49

I think after SBOM, there will be a whole,

11:52

like, you've written a really very important article about the SaaS

11:57

platform and SBOM and who depends on the dependency, that

12:01

is kind of on the topic as well of software supply

12:03

chain, but on chaining fundamentally third-party supply chain,

12:07

there's a whole debate of

12:11

who depends on what from a software perspective, but in general,

12:16

and I think going forward it's even gonna be

12:18

more, because there's more attacks around them.

12:23

What's your thought about why the attackers focused more

12:27

on the software side of things rather than on the

12:30

infrastructure? Did we get better at infrastructure and defending infrastructure assets,

12:36

or have we been ignoring completely the software aspect?

12:40

Yeah, it's actually a very hotly discussed and debated topic. You know,

12:44

there have been some claims, you know, even by organizations like ODNI,

12:48

which is the Office of the Director of National Intelligence in the United States, for example.

12:53

You know, they kind of stated that, you know, as organizations get better at doing the basics, the fundamentals,

12:59

you know, attackers have gone upstream, for example. But then again,

13:02

if you look at the headlines, you know, we still have phishing, we still have,

13:05

you know, lack of MFA. So we're still very bad at the fundamentals as an industry, it seems.

13:09

But if you look at it from the attacker's perspective, like, you know,

13:12

they can target you as an individual organization or they

13:15

can target your supplier and have a cascade across hundreds,

13:18

thousands of consumers downstream,

13:20

and they may do that indiscriminately, just, you know, whoever we get,

13:23

we get, whoever the consumers are, or they may be targeted,

13:26

like, say, SolarWinds, and say who's using that.

13:28

Okay, great, we want to get to them, let's target the supplier and then have that downstream impact, you know,

13:34

on to the consumers downstream that we know are using them,

13:37

I think it's kind of, like, you know, it's just an efficiency thing. You know,

13:40

if they can see that it's way more efficient to target a supplier and have that cascading impact across the industry, thousands,

13:46

you know, of consumers, versus targeting a single organization.

13:49

So it's just an efficiency thing, an economy of scale thing from a malicious actor's perspective.

13:54

And then also I think they've realized, like, as an industry,

13:57

we just have really poor supply chain risk management

13:59

practices, and so why not take advantage of it?

14:02

You know, they're always looking for the most efficient way to carry out their goals,

14:06

you know, so they just kind of have taken advantage of that reality.

14:09

And I think you brought up a topic that really fascinates me: that nowadays

14:13

attackers and individual groups work as a business.

14:17

So they look at the unit economics and what's the smallest number of

14:22

lines of code they can produce that are gonna hit the majority of the masses.

14:26

And I think they talk

14:29

y more than blue team does.

14:32

Yeah, no, I mean, you're spot on. Like, you know,

14:35

malicious actors are organized, cybercrime is becoming very mature.

14:39

You know, it's a massive industry that generates a lot of revenue for,

14:42

you know, like, malicious actors around the world, you know, whether it's organized nation states doing it for purposes like that, or just,

14:47

you know, crime groups doing it to make revenue and profits.

14:51

And as you said, like, they're gonna look for the most efficient way to do that.

14:54

You know, for all the hype of, you know,

14:57

things like advanced quantum-resistant, you know,

15:00

encryption, for example, like, those kinds of things, like, you know, yes, that exists,

15:03

but they're gonna look for a more efficient, like, you know, they don't have M.

15:06

F. A., or they have, like, poor password hygiene, for example, they didn't patch,

15:10

they didn't patch known vulnerable software that has a patch available for like four years now,

15:14

you know, like, just take advantage of the most efficient thing they can. You know,

15:18

it's just easier and makes more sense for them. This episode is brought to you by the generosity of Phoenix

15:24

Security Limited. Phoenix helps startups and

15:27

enterprises solve complex software security,

15:29

supply chain visibility by leveraging the power of correlation

15:33

and contextualization. The Phoenix platform connects to your repositories,

15:38

scanners and cloud, correlates all the information and provides you with a

15:42

prioritized list of vulnerabilities that need to be addressed.

15:45

first. Discover how Phoenix Security helps

15:48

CISOs and developers remove friction and maximize

15:51

the use of DevSecOps professionals

15:54

at phoenix.security. Phoenix Security: correlate,

15:58

contextualize and act on risk with one click.

16:03

No, and I totally agree, and I think I was reading the other day

16:07

an article about the fact that 76% of ransomware

16:11

is leveraging vulnerabilities more than two years old.

16:15

So it's not, like, zero-day, it's not, like, quantum encryption breaking.

16:20

I mean, it was a cool topic to discuss,

16:22

but it's, like, again, attacking on the basics, and I think,

16:27

maybe on the topic that you brought up,

16:29

we haven't been paying a lot of attention on software supply chain

16:34

or in general software security, and if you consider even OWASP,

16:39

OWASP has been around just 20 years.

16:41

So we haven't had any standards or any kind of way to agree among us as an industry

16:47

on what software security is. And then on the flip side we had a lot of CISOs that come from traditional, you know,

16:53

firewalling and securing servers, so software wasn't really

16:57

their thing or maybe in their agenda,

16:59

you know, how you structure,

17:01

the way how you structure your security strategy and your cybersecurity strategy,

17:05

what do you think about that? No, I think you're spot on.

17:09

And, you know, I actually talked to Mark Curphey, you know,

17:12

from the OWASP Foundation, and he talked about how long

17:14

they've been around but how many problems we still

17:16

have as an industry at the basic level. And then you talked about, you know, like, that,

17:20

I think software supply chain actually presents something unique.

17:23

You talked about, like, two-year-old vulnerabilities

17:25

that attackers are taking advantage of. Another unique thing about software supply chain attacks is, like, you know,

17:30

how long have we heard "just patch"? You gotta patch, right?

17:33

What happens when the patch is actually the attack vector, is poisoned?

17:36

So now you're, like, following the best practice that could compromise you.

17:39

So that's a very difficult dichotomy there if your supplier's patch is compromised.

17:44

And as you said, like, you know, coming from different backgrounds, depending on the organization, you know,

17:48

the CISO, the industry that they're in, you know,

17:50

the focus on software supply chain may not be there.

17:52

They may be looking at security from a different angle,

17:54

you know, when it comes to, like you said, software versus traditional security.

17:58

You know, this modern ecosystem that we have of A. P.

18:00

I. s and SaaS providers and open source software

18:03

consumption, a lot of that's new to, you know,

18:05

security professionals, or at least organizations haven't

18:07

necessarily always paid attention to that stuff. But it's rapidly growing.

18:11

The industry is changing so much, so fast, that, you know,

18:14

a lot of these things are just simply new. We haven't matured as an industry to address them quite yet.

18:18

Right? And I think you shared the attack surface the other day

18:22

of software supply chain, and if you compare that to a traditional attack,

18:28

those are two completely different ways to attack,

18:32

if you want to attack, fundamentally, an organization.

18:36

So software supply chain attacks are a totally

18:39

new breed and methodology and technique.

18:43

I think if you come from infrastructure, you struggle to get ahead of the curve and understand

18:50

how a library that has the same name as another library could fundamentally

18:56

match or be vulnerable to your organization, versus, you know,

19:00

you have a vulnerable server; a lot of security,

19:02

traditional security folks relate to the vulnerable server. They don't relate to

19:07

a repository somewhere or an account takeover or things like that.

19:11

Yeah, I think you're raising an interesting point.

19:14

I've been talking a little bit about it. It's like, you know, we see the big push for zero trust, for example, but if you look at zero trust,

19:19

at least how it's typically discussed, it's very network-centric, architecture-centric to the organization.

19:24

You know, our endpoints, our authentication, you know,

19:27

all those kinds of things about the architecture,

19:29

and you may be securing all those things and doing, you know,

19:31

doing those things right. And then look at like open source

19:34

software consumption, and you're just voluntarily pulling

19:36

things in that you have no understanding of the pedigree,

19:38

the provenance who contributed to it.

19:41

You know, if it's secure or not, if it has vulnerabilities,

19:43

so you may be doing all these things right from an architectural perspective, and then you're just voluntarily pulling things in with,

19:48

you know, you're just implicitly trusting things when

19:51

you think about software supply chain, which is kind of an anti-pattern for zero trust.

19:55

So yeah, so it's a new paradigm in a way of thinking about

19:58

things that we just historically haven't done as an industry.

20:01

No, I agree. And I think maybe back in the podcast where we discussed with Walter on:

20:09

are we still siloed as an industry to think where

20:13

you run software and how you build software?

20:16

So you still have the debate between software security folks that

20:21

think in a specific way and infrastructure/cloud security folks

20:24

that see things in a complete way. So are we still looking at software in

20:27

a compartmentalized way versus full stack way?

20:32

Yeah, I think it definitely could be argued, you know, and I've, you

20:35

know, I, kind of like you, started off in traditional I.

20:37

T. and then got into the cloud and things like that, and,

20:41

you know, I'm not a big fan of, like, you'll hear arguments

20:43

of cloud is less secure than on-prem, or cloud is more

20:47

secure than on-prem, and it simply doesn't work like that.

20:50

There's a lot of factors at play: the supplier, the maturity of the supplier.

20:52

You know, for example, me self-hosting something is

20:55

not going to be in comparison to, like, say, GitHub, that's used by millions of people and

20:59

has a massive organization of security expertise behind it.

21:03

You know, there's a lot of factors that contribute to whether something is secure. Now it's

21:06

just, it's not so black and white, there's a lot of gray and nuance in there.

21:12

And maybe a question for you. So what do you think is,

21:20

well, as a security industry, what do you think we're facing in the next probably couple of years?

21:27

Yeah, it's a good question. We have a lot of, we have a question.

21:31

Yeah, we have a lot of problems. You know, it's,

21:34

we're coming up on 2023, as you said, it's prediction season, and you can look around

21:37

and see a lot of great predictions, and, you know, a lot of these things are true or will likely be true.

21:41

We have a lot of problems, but, you know, looking at where we're headed,

21:44

I think that we have a lot of maturing to do around how we look at the software supply chain.

21:48

You know, we have great things and efforts underway.

21:50

Like you talked about, like, SBOM, of course we have two kind of competing standards there, SPDX and CycloneDX, depending,

21:56

you know, we'll see how adoption of both of those goes, how organizations go about,

22:00

you know, not just producing SBOMs, but, like, what do I do with it now?

22:04

You know, like, how do I aggregate all of these and look at them across the enterprise that

22:07

I have, and understand and make informed

22:09

decisions around risk and procurement and acquisition,

22:12

how do I better vet my suppliers and understand my suppliers' suppliers?

22:16

So it's just a very, you know, we have a complex problem set ahead of us, with a lot of things to mature around.

22:21

I think, as you said, like, it's a new paradigm for us in a lot

22:25

of ways around security and there's a lot of things that we need to figure out,

22:28

mature as an industry still. And then that's all great, but

22:34

these are very complex topics, and we struggle a lot to

22:37

actually bring the whole organization together along on the security journey.

22:42

And now we're facing kind of a singularity where we have

22:47

augmenting the complexity of what we deal with

22:50

for the nature of software that is complex.

22:53

How do we translate all this complexity to

22:57

business decision makers that need to decide,

22:59

okay, I invest X amount to actually keep on building my software securely,

23:05

keep on running my organization securely.

23:09

So how do we shield the organization from the amount,

23:12

the sheer amount of complexity that all this has?

23:17

Yeah, I like the word that you used. I think you used the words "shield the organization".

23:20

I think it's, like, you know, to an extent it's kind of security's responsibility

23:23

to abstract away a lot of the complexity.

23:26

Like, you know, we shouldn't be expecting the broader business

23:28

leaders to be cybersecurity experts for example.

23:31

And that's where I think, you know, think of things like risk quantification. If you look at how we communicate risk,

23:35

it's almost all qualitative, it's very subjective,

23:38

it's based on your gut instinct and experience, and it doesn't really, you know,

23:41

we haven't really done a great job of maturing how we communicate business risk in dollars,

23:45

you know, and in communications that they understand as a business. You know,

23:49

we have great books like How to Measure, you know,

23:51

Cybersecurity Risk from folks like Doug Hubbard that came out many

23:55

years ago, and then there's already a version two coming out.

23:57

But if you look at the industry, like, we have FAIR and we have things like that,

23:59

but they're not really adopted very well; many organizations have

24:02

not implemented them at scale, that I've seen in the industry.

24:05

So I think, as an organization or as an industry, in terms of cyber,

24:10

we again need to mature how we communicate with the business,

24:12

putting things in business terms. You know, you often hear about the CISO having a seat at the table and needing

24:17

to speak the language of the business, and the business speaks dollars and cents.

24:21

So we need to put that risk in those kinds of terms so that they understand it,

24:25

the implications of it and can make, you know, risk informed decisions about it.

24:28

We shouldn't expect them to be security experts

24:30

and they're not gonna understand the software supply chain

24:33

when we as a profession are still getting our hands around it ourselves,

24:37

you know? Right. So translating, fundamentally, the whole traditional problem,

24:43

attack vector and vulnerability, into probability of exploitation and

24:47

into impact and the probability of that impact happening.

24:50

Those are terms that, fundamentally, any business-minded person can relate to and can

24:56

understand, to move risk and do something about it, like mitigate risk with dollars.

25:01

Yeah. Yeah, I mean, you're using the terms that, like, you know,

25:04

I think back to a decade ago or more when I took like the

25:06

CISSP and there was a likelihood and probability

25:09

of exploitation and and likelihood of occurrence and

25:12

like no one ever really talks about those

25:14

things for some reason in the practical world,

25:16

you know like we just you know knew me and others have talked about a lot on LinkedIn is like,

25:20

you know, we talk about CVSS-based scores and so

25:22

very but there's no context or nuance behind it,

25:25

like is it actually exploitable? How likely is it to be exploited if there is an exploit available?

25:29

What's the maturity of the exploit is a proof of concept, you know,

25:32

is it is it known to be exploited if you look at like resources like CISA has their known

25:36

exploited vulnerability list for example or you have things like

25:39

EPSS starting to grow and mature,

25:41

you know to see what's the probability that this vulnerability will be exploited and then understand

25:46

like organizationally what kind of factors do we have in place to mitigate the risk,

25:49

you know what's our environment set up our our configurations in place that may

25:52

make this vulnerability exploitable or not even

25:55

exploitable and totally irrelevant for us now.

25:57

So those are things that we need to really get down to the bottom of.

25:59

But that all takes a lot of time, energy and effort to get you know kind of flush those details out.

26:04

So it's a it's a tough challenge. No I totally agree. And you know that's that's my pet peeve.

26:09

That's that's the thing that I talk

26:12

about because I've been I've been in finance organization for long and

26:16

that's that's all they want to talk about you know risk quantification,

26:19

investing X. Amount of money to actually explore X. Amount of opportunity

26:23

and you know business people don't talk vulnerability, don't talk cyber,

26:28

they talk money and money against money.

26:30

So I think I've seen the paradigm shift a lot around contextualization,

26:37

cyber risk quantification but I still haven't seen I've seen a

26:40

lot of talk about it but I've seen a struggling adoption.

26:44

What do you think? Yeah no I mean that's actually my experience as well as like I said

26:49

like there's you know great great material out there and cyber risk quantification,

26:53

we need to speak the language of the business. You know they have things like FAIR and

26:56

the risk institute and other things like that.

26:58

You know when we hear probability like EPSS and so on and and putting things in the

27:02

business term and quantifying it to dollars and cents.

27:05

But as an industry, I I haven't seen that at scale in any large organization.

27:09

Uh at least in my personal experience,

27:12

you know that I've run into in the public or private sector quite yet.

27:14

You know, some people have had pilot programs or efforts to try to do that,

27:17

but I haven't really seen it done at scale quite yet.

27:19

And I think it's uh it's got to be a hill that we climb if we're gonna move past,

27:23

you know, being siloed and being part of the business,

27:25

the part of the leadership team communicating in

27:27

business terms and understand how we can, you know, communicate with our peers,

27:31

-- we need regulation around it. -- Yeah, exactly.

27:35

Maybe that's another factor that drives you know,

27:38

forcing us to communicate in those terms and

27:40

actually quantify things and and you know put those

27:42

metrics out there because otherwise maybe we continue to

27:45

go on as we have doing qualitative subjective,

27:47

you know, assessments and kind of speculation.

27:50

I agree Chris we're coming to a close and

27:53

we have a brilliant tradition in the show that is

27:56

not live on a doom and gloom like we always do inside but live on a positive note.

28:00

So in your opinion,

28:03

how has the industry changed or what is the positive sign that that

28:08

we start seeing and to leave fundamentally audience on a positive note.

28:12

Yeah, I think while we've talked about a lot of the challenges and problems,

28:16

you know, I think the fact that we're even talking about

28:18

these is a good sign cause there's been years, like it's not as if the use of open source

28:21

software or software supply chain as a concept is new.

28:25

We just simply didn't address it previously as an industry.

28:28

And so we're seeing a lot of momentum from groups like Linux Foundation,

28:31

OpenSSF since, you know, the federal government, the United States,

28:33

we're seeing european regulations start to come out

28:35

around software supply chain suppliers SBOMs.

28:38

So we have a lot of great momentum underway. Same thing on the cyber risk quantification.

28:42

We're seeing a push for, you know, having cyber expertise in the boardroom from groups like the SEC, for example,

28:48

I think we're moving in the right direction and and

28:50

we have a lot of problems ahead of us, but that's also exciting.

28:53

We have a lot of things we get to solve and tinker with and try to, you know,

28:55

try to solve as an industry as professionals

28:57

and that makes me interested and engaged and,

29:00

you know, I hope everyone else's along on the journey

29:02

and excited as I am about the opportunity. Absolutely.

29:05

I've seen, I've seen the problem shift and I'm and I'm super excitable,

29:09

what's after con, but if if folks want to follow more about the

29:14

US set of regulation of what you talk about,

29:16

where they can find more about you. Yeah, I mean for me, I'm super active as I said on LinkedIn, you know,

29:21

just find me at Chris Hughes, I think it's at resilient cyber on LinkedIn is my kind

29:25

of URL and then same thing on Twitter,

29:27

although I don't really use Twitter too much. It's it's a little bit different than LinkedIn, a different world.

29:31

Um but that's that. I also have a Substack I started a couple months ago where I talk about these topics,

29:36

you know, on a weekly basis. It's resilientcyber.substack.com.

29:39

And then I have resilient cyber the podcast as well.

29:42

Um and I'm happy to connect and chat with anybody, anyone about all these topics.

29:46

You know, I'm always learning myself and looking to learn from others

29:48

and and pass along what I learned as I said,

29:50

we're all in this together. So I'm definitely open to chat with anyone.

29:53

Fantastic Chris thank you so much for coming on the show and everybody, you know,

29:58

there is a ton of material out there, put your organization towards adopting.

30:03

I'm more mature maybe surface because it can make you more reputable and

30:08

more solid even before regulation comes around because then you'll be prepared.

30:13

Yeah, I mean we always talk about like just a closing note, we hear about like,

30:16

you know, shifting security left, this is the opportunity to do that,

30:19

wait instead of being reactive waiting for regulation

30:21

to come along and then kind of encourage you to do these best practices or things that we're seeing emerge as you know,

30:26

things that we should be doing, get ahead of that curve.

30:28

You know, if we know we need to start quantifying cyber risk, we need to start talking about software

30:31

supply chain security as an organization or business

30:34

now is your opportunity to get in there and start doing those kind of things.

30:37

Fantastic. Thank you very much Chris for coming on the show and everybody

30:40

stay safe out there and I wish you everybody fantastic 2023.

30:44

Thank you. We hope you enjoyed today's episode.

30:53

Please leave us a review on Apple Podcasts and post it on social media,

30:57

tagging cybersecurity cloud podcast for a chance to win a $100 Amazon gift card,
