- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks, can you touch on what some of those are?

- We know Wiz just announced a massive capital raise and there's been talks about M&A plans for Wiz, I know you help with looking at potential products/firms - what are some key things you look at?

- When you acquire a new product and team, how does it look to ensure there is a smooth integration with the Wiz team and platform?

- There's a bit of debate in the industry around "platforms" and best of breed. How do you/Wiz think about this approach and how do you ensure as you add new products to the platform that you remain a leader in the space?

- We've heard a lot of talk about AI and its implications both for improving security, but also needing to be secured, how do you and Wiz think of AI when it comes to cybersecurity and where do you see the most promise?

- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?

- Some may be asking, what's the big deal, its just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?

- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?

- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?

- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?

- One thing I noticed is the emphasize on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?

- First off, for folks not familiar with your background can you tell us a bit about your background from your journey in your earlier IT/Cyber and military time to eventually being a Founder and CEO?

- What made you decide to take that leap and found not just one, but two cybersecurity companies, moving from being a practitioner?

- What did you find to be some of the biggest challenges when transitioning from practitioner to business owner?

- Have you had to navigate working on versus in the business, and what has that looked like for you?

- For some aspiring cyber professionals with goals to found a company someday, what would be some of your key pieces of advice?

- I know you're also very passionate about the veteran community in cyber, why do you think veterans make up such a share of our community and often make some of the best cyber practitioners?

1. Can you each tell us a bit about your background, before we dive in?
2. For those not in the DoD or familiar with the term, what is a “Software Factory”?
3. What is BESPIN?
4. What is the current state of mobile security within the DoD?
5. Why do you think there’s such a delay in maturing policy, process and pathways for mobile in DoD, given the big emphasis the last several years of “edge”, along with the rapid growth of the remote workforce and so on?
6. Are there any official mobile app sec requirements?
7. Can you tell us a bit about what tools and methodologies you all use to secure the mobile-centric applications you all deliver?
8. Most know that in DoD and Federal there are also a lot of compliance rigor and hurdles to deal with. How has that experience been for a program doing something a bit different from most software factories?
9. Since there are no official mobile requirements you kind of get a second mover advantage, how can you take lessons learned from the Cloud Computing SRGs and apply that to mobile?
10. Can you help our audience understand the importance of secure mobile capabilities for the Airman and warfighter? We know the modern way of fighting looks much different and mobile is a key part of that, whether simply supporting Airman on a form of compute they grew up using, all the way to those on the forward edge, engaging against adversaries, including in the digital domain.

- First off, for folks that don't know you can you give them a brief overview of your background/organizations?

- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?

- Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem?

- Josh - Your team has started providing some accompanying resources to try and address the gap, can you tell us a bit about that?

Dan - You've spun up an open letter to congress and have kicked off a bit of a grass roots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?

- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?

- What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?

- It is often now said that identity is the new perimeter, why do you think that phrase has taken hold and what does it mean to you?

- How much do you think the complicated identity landscape plays a role, for example most organizations have multiple IdP's, as well as external environments such as SaaS and so on that they have identities and permissions tied to

- It often feels like SaaS is overwhelmingly overlooked in both conversations about Cloud Security as well as software supply chain security - why do you think that is?- You all have published some innovative research around what you dubbed as the "SaaS Attack Matrix" can you tell us a bit about that research and how organizations can use it?

- You're also doing some really great work focused on IdP threats, such as OktaJacking, detection, and even response. Can you unpack that for us?

- It's been said that the browser is the new OS, and I have seen you all say if that's the case, Push Security is the new EDR. Can you elaborate on that?

- I recently saw a headline from LinkedIn's own CISO Georgg Belknap that read "Push Security does for identity what Crowdstrike does for Endpoint". That's quite the endorsement and also catalyst for what you all focus on. How can organizations go about getting a handle on the identity threat landscape given the current complexity?

- First off, you have an incredible background evolving from software engineer to management roles and ultimately a CISO for some of the industry leading organizations such as Siemen's and HP. I would love to hear about that journey and how you found yourself ultimately becoming an industry leading CISO along the way.

- How do you think the CISO role has changed over the years? We're hearing more about speaking the language of the business, potential legal liability, new SEC rules and more. What is your perspective on the current challenges and evolution of the CISO role?

- You're now out of the CISO seat but still active in the community, serving in various director roles, including with publicly traded companies I believe. We've long heard some state that CISO's would make great board members and bring a long-needed perspective on cyber risk. How has it been transitioning out of the CISO role and into Director type roles?

- Many CISO's and cybersecurity leaders now want to pursue a similar path, looking for advisory and board roles with firms and so on. Can you provide some guidance and tips for those looking to do something similar?

- I noticed you also have some advisory roles in addition to Director roles. Can you draw a distinction between the two roles for listeners, and what to consider when pursuing one or the other, so folks better understand the potential pathways?

- Knowing you've had such an amazing career and are still so passionate about the community and giving back, what are some of the key recommendations you have for both those aspiring to advance their career in cyber and eventually become a CISO, or beyond that, move into board level and advisory roles? What skillsets and expertise should they be focused on the most?