Episode 117: Leading Cyber Change: Allan Friedman on the Revolution of SBOM & Future Cybersecurity Initiatives

OODAcast - A podcast by Matt Devost & Bob Gourley

Allan Friedman is a senior strategist at CISA (the Cybersecurity and Infrastructure Security Agency), where he coordinates all of their cross-sector activities on the topic of SBOM: the Software Bill of Materials.

Allan is widely known as a change agent in both the public and private sector. In government he led initiatives that created positive change in major community-wide efforts around vulnerability disclosure and vulnerability management. He also championed efforts that dramatically improved the ability to reduce risk from the proliferation of Internet of Things devices, including ways to keep these devices patched in the field. Now at CISA, his SBOM efforts have produced action across a sector in a way that few other initiatives have.

We discuss:

- What executive leaders need to know about SBOM and how to explain its benefits to any non-technical executive.
- How a small team can establish a vision and make change across government, industry and academia.
- What new initiatives may be coming that will support needs of the security and technology communities.

Related Reading:

- Technology Convergence and Market Disruption: Rapid advancements in technology are changing market dynamics and user expectations. See: Disruptive and Exponential Technologies.
- Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
- Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See: The Cyber Threat
- Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat