IT Ops Query

Sigstore creator, Chainguard CEO, OpenSSF TAC member and Season 1 guest Dan Lorenc returns to discuss the year in open source and security. Topics range from software supply chain management, hardening container images and SBOMs in limbo to open product companies and business models, including his own company's shift in focus this year. Plus: a look ahead to SecOps and AI in 2025. 

S&P Global Market Intelligence principal research analyst Daniel Kennedy discusses what the results of his Voice of the Enterprise research project dating back to 2015 reveal about the notion of a cybersecurity skills shortage; the effects of the Crowdstrike outage on a long-running debate about unified cybersecurity platforms vs best-of-breed vendors; and hopeful signs heading in to the next decade of SecOps. 

SecOps, developers and infrastructure ops teams are often encouraged to work more closely together within IT, but for one industry analyst, the CrowdStrike outage exposed an even more significant gap between IT and businesses. 
Charles Betz is vice president and principal analyst for enterprise architecture at Forrester Research. He has also worked as an adjunct professor at the University of St. Thomas in St. Paul, Minnesota, and as an enterprise architect at AT&T, Wells Fargo, Best Buy and Target. Following the CrowdStrike outage, Betz and a dozen other Forrester analysts collaborated on a report calling for a redefinition of enterprise resilience in the wake of the incident.
For Betz, the experience of Delta Airlines in the CrowdStrike aftermath is potentially instructive for improving business resilience. 
"This was not a failure of IT disaster recovery," he said in this episode of Delta's weeklong ordeal. "This was truly a failure of business continuity…a shock to the physical system that couldn't be unwound without a lot of hard work."

In October, the Cybersecurity and Infrastructure Security Agency (CISA) issued a report that's still generating buzz in the security world – it questioned the data sources in often-cited reports about the value of "shifting left". Another section of the CISA report called into question the idea that security flaws cause people to stop using products and concluded that "In general, it seems that quality failures don’t always affect customer loyalty." 
In this episode, guest Adrian Sanabria, the host of the Enterprise Security Weekly podcast and principal researcher at The Defenders Initiative, discusses the fallout from CISA's report on the last decade's notions of organizational security roles and how changing technology will also change the roles organizations assign to those responsible for cybersecurity and risk.

Doug Merritt was CEO of Splunk from 2015 to 2021 and led the company's transition from an on-premises software company to a cloud-based service provider. After two years in the venture capital and board advisory space, Merritt joined multi-cloud networking company Aviatrix as CEO in 2023. That company introduced its first security product, a distributed firewall for Kubernetes, in May, and rolled out a managed version of its multi-cloud network and security control plane this week.
Merritt identifies two ways generative AI is shifting multi-cloud security: first, data gravity and the costs of generative AI mean cloud computing is becoming increasingly distributed, often including hybrid and edge environments, which he says calls for a new approach to centralized network management. Secondly, Merritt said he's a believer that generative AI will help network and SecOps pros keep pace with these changes – and in the coming weeks, Aviatrix will roll out the first of its own GenAI-powered features for security incident management and event reduction.

Robert Slaughter is CEO of Defense Unicorns, a defense tech startup specializing in Airgap software delivery in highly secure and sensitive environments in the military and federal government. Previously, he was director of the U.S. Department of Defense's Platform One DevSecOps project and co-founder at Space CAMP, a predecessor of Platform One for the US Space Force. Prior to starting Defense Unicorns, he served 12 years in the US Air Force.
If companies think threats to the security of critical national infrastructure don't involve them, Slaughter says, they should think again. And he suggests they might adopt some of the techniques familiar to military and government cyberdefense pros, from proactive threat hunting to air gaps.

Joshua Corman is executive in residence for public safety & resilience at The Institute for Security and Technology (IST), a non-profit think tank based in the San Francisco Bay Area. He is also co-leader of a Cybersecurity and Infrastructure Security Agency (CISA) community working group for SBOM on-ramps & adoption. Previously, he was vice president of cybersecurity strategy for Claroty, an IoT security company; chief strategist on the CISA COVID task force; director of the Atlantic Council's Cyber Statecraft Initiative; and CTO at security software vendor Sonatype.
In August, Corman delivered a presentation at CISA's SBOM-a-Rama event warning that time is running out to more effectively protect critical infrastructure systems such as the water and power supply that rely on potentially vulnerable software to operate. Corman emphasized the urgent need to more effectively identify vulnerabilities and defend against attacks such as China's Volt Typhoon nation-state threat group. An initiative Corman is leading at IST under the working title UnDisruptable27 now looks to address these threats.
"We live in glass houses," he said in this episode's interview. "And people are about to start throwing rocks."

Chris Steffen is vice president of research for information security at analyst firm Enterprise Management Associates. He previously held a variety of IT leadership roles at companies including Hewlett Packard Enterprise, and DXC Technology. He is a regular speaker at industry conferences, the host of the Cybersecurity Awesomeness podcast and a frequent guest on other IT security podcasts.
The day of the CrowdStrike outage, Steffen posted on LinkedIn, "Not trying to kick anyone while they are down, but those that equate resiliency with public cloud computing really need to re-evaluate those beliefs, especially for mission critical workloads. The outages being reported today were some of the exact same issues that we have seen before, but - as an industry - don't seem to learn from."
In this episode, Steffen discusses the lessons on data center resilience he says have been lost in the cloud era and why IT orgs must re-evaluate their cloud risk.

Esteban Gutierrez is chief information security officer and vice president of information security at observability vendor New Relic. Previously, he was an enterprise information security strategist at Intel, and he managed the network operations and security center for the US Army Corps of Engineers.
He shares takeaways from New Relic's recent State of Observability survey, lessons learned from his career in cybersecurity about bridging the SecOps / IT Ops gap and why he believes data is crucial to the future of both DevSecOps and AI.

Rich Lane is currently IT director at the City of Medford, Massachusetts, and has had a varied career in IT infrastructure and operations. He served as VP of digital operations strategy for data security software vendor Netenrich from 2021 to 2022, and as a Forrester Research analyst from 2018 to 2021. Before that, Lane worked as a professional services consultant for observability vendor Splunk, and as IT infrastructure and operations manager at Bain Capital.
From Lane's perspective, the CrowdStrike outage reflected an organizational disconnect at many companies between the IT security teams that choose tools and the infrastructure operations teams that must support those tools in production. In Lane's experience, this rift began to grow after the high-profile Sony Pictures data breach ten years ago as enterprises re-emphasized cybersecurity.
Now, he says, CrowdStrike should be a sign it's time for the two groups to come together again and come up with more resilient ways to operate security tools, demand better communication from vendors during incidents, and to better account for the human factor in cyberattacks.