In this digital age, leaving your data unprotected will surely invite cyber attackers to take advantage of your precious information. On top of ensuring a foolproof strategy that keeps away hackers, you must also be wary of insider threats that may jeopardize your data. Matthew Stephenson chats with Christine Gadsby, the Vice President of Product Security Operations at BlackBerry, to discuss how organizations can find vulnerabilities within their security practices and the best ways to use technology to mitigate them. Christine shares her experiences working with business owners in addressing the cracks in their digital armor while balancing product and organizational development. She also talks about Chief, a community where women executives come together to learn from each other and collectively improve the cybersecurity industry.
Christine Gadsby: Are Insider Threats Always Intentional?
This episode is exciting because there is potentially catastrophic weather that our intrepid guest has somehow punched her way through to make sure that she is here to help all of us to do all the things that help all of us. For some of you that might be new, welcome. You may know me from PM73Media, perhaps the InSecurity Podcast. We are going to find out maybe one other thing I have in common with my guests, and all of the different things around the world over the years when I used to wear bow ties and have fun, but we don’t do that anymore.
Here on the show, we are bringing you the top experts in the industry for a chat about all that is interesting in keeping our world secure. Speaking of keeping our world secure, we’ve got a good one for you. We are excited to welcome Christine Gadsby. She is the Vice President of Product Security Operations at BlackBerry, having spent several years at BlackBerry across multiple security operations teams, which include product incident response and organizational development, which means she has seen it all in previous lives for good measure, a little quality time at Microsoft in security operations. Perhaps you have heard of them.
Maybe you have seen her because she has keynoted at some events like RSA and Black Hat. Maybe you have read some of her stuff at places like CISO Magazine, SiliconANGLE, Dark Reading, and the list is too long for me to get into the rest of it because it is time for her to start talking instead of me. What I think is interesting is that she is also a member of Chief, which is an incredible network of women in senior leadership positions in the world. Google it because any description I would offer won’t do it justice. Trust me, this is an organization you need to be aware of. Christine, welcome to the show.
Thank you for having me.
I want to talk about Chief, but we’ve got a lot of other things that we need to get into that are security relevant first. Let’s do that, and don’t let me forget to ask you about Chief as we get toward the back end of the show. You have been part of a company that was the original Secure BYOD, which has transitioned into one of the world’s largest security companies. Given the evolution of what has happened at BlackBerry, where it used to be people bringing things into offices, and now people go into offices not even knowing how much of what you do keeps them secure. How has that approach to insider threat evolved? If we think about it, it used to be a handset. Now it is a car or train. That is heavy.
As far as it relates to insider threat, what we have done has evolved. The industry has evolved. Attack surface has evolved. Our understanding of how risk permeates a landscape has evolved with time. I remember back when the handset didn’t even have a web kit on it. It was all proprietary code, and everything was such a deep dark secret.
Since then, time to market, and revenue-generating, lots of companies have had to look at software development differently. The spread itself has evolved and matured in the industry itself. The attacks are different. We know a lot more than we did several years ago about how security manifests, how attackers think and how exploits happen. You can see us evolve with time.
I spent some time at BlackBerry. Unfortunately, Christine and I did not meet while we were there. Every BlackBerry person is tired of talking about this. The notion of what BlackBerry does when we think about a mobile device. Once upon a time, it was a mobile device. Mobile devices are things like cars, trains and autonomous vehicles. These things are different. It is one thing if you have someone bringing a handset into the SOC. It is different when you have a semi-truck that is hauling however many tens of thousands of pounds they weigh. When we think about the idea of attack surfaces, how different is that in the approach, or is it different? Am I asking terrible questions, and I should get out of your way?
If you take a step back and look at the footprint of what the handset was, where we were good is what we do. We lifted and shifted the best parts of BlackBerry in a security setting out of it and made it available in all of the endpoint zones versus just in a handset. It was always hard. As we were doing the wizardry back then, we looked at that as a handset, and it was always like, “Wow.” The value for managing an attack surface is going to go way beyond the handset. This is where the market and that evolution are taking us. You are dead set on it.
All of those values were the securest handset to market and making sure that we had all of those highly regulated customers that could trust us to know what we were bringing into their environment because the key there is an attack surface in an environment. The environment is going to be whatever you are exposing yourself to.
As an enterprise company or as a small to medium business, you can’t look at a phone, and this is the thing. It is all the things. You have to partner, think about, think through and evolve as a company with how you are going to look at that holistic attack surface. It is not just a phone. A phone is an important part of it. What you put in your network isn’t part of it. You have to look outside of the phone and realize it is a piece of your network and own supply chain. When we look at where BlackBerry’s expertise lies, it is extremely vast because we are with QNX and the embedded side of looking at medical devices and software-defined vehicles.
It is fascinating to go and look at where they are headed. It is incredible. With BlackBerry IVY, they are looking at defining the inside of the vehicle. It is fascinating. There is that side, and our cybersecurity business unit with more of the mentality of what came out of the handset, pulling out the greatest parts of the handset and making that for all endpoints. Looking at handset security and how we model that, but for all endpoints.
It has always been fascinating and fun to be a part of BlackBerry as a whole. Fast forwarding to the latest evolution on that point, which is machine learning and AI. Why do we look at the silence and where we are now? The forefront of that is how do we teach ourselves to be smarter, better, faster, to make better use of those resources? The other thing is you can spend an incredible amount of time and money on this. If you are not learning how your enterprise models, you could have to redo that. It is operational in its sense. You do have to look at how, as a company, you are going to be involved in that strategy.
It is vast. It is such a wide array of scenarios and critical infrastructure. You said the word “things” which means now I have to use the worst trope ever, The Internet of Things, and things like automotive. What has your attention when it comes to the human element there because it is spread across many diverse things? I hate asking yes or no questions. Where are the commonalities across these disparate things as opposed to where are the differentiators? How do you have to think about the different ways that when you add the chaos of humanity to them, you have to consider how to protect people from themselves and attackers?
There are two great key elements to that question. The first thing I want to talk about is critical event management. This is where I feel one of the biggest areas we are looking at, but we are looking at it deeply enough. Critical event management for everything, not just there has been coming from where I live, tornadoes, and things like that, but looking at how your company is set up to deal with a massive security incident, because it can start from anywhere.
Do you have the critical management infrastructure in place where you are able to get a hold of your employees? What if you have no access to anything? This is something that we have been working on for a little while with one of our brands with AtHoc. It is incredible to see how customers are taking that. We needed to respond to this chemical fire in their security posture. They are saying, “What if we can’t access any of our critical infrastructures? How are we going to get our employees? What if you can’t access your bond plan? What if you can’t access your BSMP?” That is a real thing. That has been fascinating to work through.
On the embedded software side, the future of that is because I look at critical event management, and that is the now. The future of all of that goes. What about medical devices and software-defined vehicles? That attack surface is going to keep growing. That is one of the things on our embedded side that QNX is deeply embedded in things like ISO 21434 or how do we put security controls into those embedded systems. That is the future of that attack surface. If we look at it from the past, we are in the handset with a crystal ball. That is the crystal ball I see for the future of the human element.
That is something we have not talked about. We have had some incredible guests, and we have talked about a lot of different things on dealing with the chaos of humanity, but the idea of notification. When an organization gets hit, what do you do? How do you let people know, especially if you are global? I don’t care how big you are, but if you are spread across multiple time zones, some people are going to be asleep, and their machines might be on, they might be set for automatic updates, and that might be where the vulnerability is. In the idea of building products and planning for that thing, how weird do you have to get in order to plan for things that you have no idea what might be happening?
I don’t think you have to get far. That is a real scenario. It can be driven. We could tie this back to the insider accidental threat. The mistake, we have seen it. You can pull up headlines from 2021, where large companies are like, “That happened. How are they?” “You don’t have to plan for that. It is too late when it is happening,” says the critical response person, but it is the truth. We are seeing customer stories that are amazing.
I’m proud of that for me being able to be a part of that at this company. I have been brought to tears a few times listening to some of the customer stories saying, “We are glad we planned for this because we needed it. You are right. Laptops are off.” In living in a tornado DFW area, I can tell you that laptops sometimes are off and phones aren’t available, or at least you are not connected to your corporate network, and they are available. If I’m looking at rapid response and criticality, that critical event management is an area where you are going to see a lot more come out of that over the next several years.
Without giving up your OPSEC, we did mention in the open that you were dealing with some severe weather. If you don’t mind me adding, you did mention that you spent some time in the storm shelter. Does that come into play with that type of thinking when you are working with your teams, considering anything that might happen to an organization? Any crack in the armor is where somebody is going to think, “Right now, weather, let’s go?” They send in the malware and do the thing. What can we do? How do you plan for that?
Taking advantage of the weak link in the chain, 1,000%. That is one of the reasons why we are going to tie this. The critical event management piece that gets tied back into the security is going to be the opportunistic attacker. We have to be right every time. The attacker only has to be right once. It would be naive for us to think that they are not out there waiting. Whether they are taking advantage of the insider threat person making a mistake or they are taking advantage of a poorly left open door, it doesn’t matter at that point.
Yes, if there is a target on something or an attacker that is going to wait, and we saw this with things like SolarWinds. They are going to wait for the right open door, and that could be any amount of time. We do have to think about that critical event management of what if that were now, how are you going to find your CISO? How are you going to find anybody? I do think that is going to be a key focus area.
A quick shout-out for the Friendly Fire Podcast. We do have an upcoming episode with the CISO of SolarWinds talking about that thing. What is the weirdest thing that you do not have to choose to consider when you are looking at the idea of how to secure your users? You get to do both because you’ve got to think about the interior of a security business that makes security products for people. How out there do you like to go on this stuff? Between you, me, and our tens of thousands of readers, do you have a zombie apocalypse plan in place? Can you tell me if you do? How about that?
I know someone who wrote a book on this. Outside of that, the one thing that I guess I tell people when they ask or when I talk is to remember that telemetry is a key thing that I don’t think gets focused on enough. When you are in my seat where you are looking at software suppliers, software consumers, and software producers, and you have to wear all the different hats of what threats could happen, what insider threats could accidentally happen? What could attackers take advantage of? Where are those low-hanging fruit open doors?
One thing that comes out in common is telemetry. If you don’t know what you don’t know, you won’t know. We talk about this a lot. You put all the hats on and ask yourself the question, “Do you know what you are securing?” I can tell you that it is between friends and the industry. That is a big challenge that we talk a lot about.
Telemetry has to be an interesting thing for your team and your leading teams to wrestle with, especially in a post-Cambridge Analytica era where everybody wants to keep their personal data safe and private, but at the same time, the solutions that they are investing in, they have demands of performance. You are saying that telemetry is a key part of this. How do you negotiate with that mogul where we need more information in order to provide you with better security while respecting the privacy of the people who you are asking, “Can I have more information about you?”
Need to know basis is important, and we always have to respect that. If you are an enterprise and you are a consumer of people’s data, that has to be a top priority for you to figure out how to siphon out what you need and what you don’t need. What you need to give security is different as far as what the widget is doing with the data and how it is operating. Is the widget itself secure? Has the widget itself gone through its own security checks to make sure whatever it is hosting, doing or looking at remains secure in somebody else’s network?
We are talking a lot about the supply chain and what that means if you are a widget in the supply chain somewhere. That is a hot topic nowadays. Looking at our friendly car driver company, who I won’t mention because I love that. They are impacted by a third-party vendor. It wasn’t even their decision. You have to think through your supply chain as a company. You consume things in your supply chain. You produce things in others’ supply chains. If you are that company, you wake up and realize it is a third-party vendor that caused that. You are scratching your head, going, “Where did I go wrong?”
As we talk about evolution, I cannot stress enough for the readers. They are not who you think they are. They are not who you remember. They are more deeply involved in your lives than you have any idea. When we get into the supply chain for perhaps one of these ride-share services, or maybe 87% of the vehicles that are on the road, your fingerprints are on when protecting users from themselves, but presenting solutions to companies deep into the supply chain. I have to say, “Should they go?” Yes, they should read all 12,000 pages of the supply chain. Nobody is going to do that. How do you help bring peace of mind into this thing and say, “Here is where we sit, here is who we are and what we do, you know, we are good at this?” Trust and belief.
This is the root of our company. If you look now, you cannot see all of the efforts going to secure the software supply chain. If you look at Executive Order 14028 and start reading, some of the things that the supply chain is going to be held to in order for US Federal and likely highly regulated to adopt your trust. It is eye-opening. These are things that we have been thinking about for a long time.
What does that translate into? There are a couple of areas for us we are focused on, which is the Software Bill of Materials. It is a two-way street. For a long time, that has not been talked about because it is easy. You can hit the easy button and produce a software bill of materials and spit that out, but it is hard to consume them.
It is hard to consume a twelve-meg text doc that is single spaced and 1,000 pages long.
What are you going to do with all of those? What are you going to do with what is in it? Number one, we are going to look at Software Bills of Material. I don’t think there is an argument that that is a great idea. It is more like we are going to defy gravity. How we consume them as an enterprise and realize as a company, you are a part of the supply chain.
For a company like BlackBerry, we have to produce software bills of material. We have to consume them from vendors as a company. We have a corporate hat, supplier hat, and producer hat, an embedded software where we are selling the end product. We fit everywhere into that. It is complicated. I see the industry headed and where the biggest challenges are twofold in that. One, what are the baselines out of that software material that you are going to require or what is the industry going to standardize on? Is that an old library version that they don’t like? Is it a vulnerability posture?
SBOM isn’t looking at exploitability. It is looking at a version of stuff in a piece of software. We are going to explain all of that away. It is false, positive, and heavy. It tells a lot of stuff but is also noisy, and it is hard for companies to deal with that. We happen to benefit. We have been doing this forever because we have been in a highly regulated industry forever. It is hard to come to grips with that reality, but it’s necessary.
As a company, my advice back to the telemetry thing is to know what you are producing and consuming. We did a white paper on the software supply chain and the major challenges for security in the software supply chain. One of the things that I was most surprised about, and it still surprised me, is that 80% of businesses uncovered hidden members of their supply chain that they weren’t aware of when they started looking at cross-directional software bills of materials. Gathering them from their vendors and also producing them if they ship software, 80% uncovered stuff they didn’t even know was in there, either in their environment or the supply chain they are creating. How can you secure it if you don’t know it? That right there should tell you where we are as an industry.
Tell me this is a stupid question, and if it is too stupid, we will cut it out in the post. When companies are willing to do a deep dive into the SBOM and realize that they are using solutions that have contributions from their competitors, does that ever get in the way? I pulled that one out of nowhere. We didn’t talk about that upfront.
That and licensing are probably the tough ones because you also have to look at all of your licensing reality. If you are not doing that work, that could be another huge lift. We haven’t run into that internally. These are all the things that, if you are not looking at your telemetry now, you are going to get surprised. You are going to be licensing surprised, a free or third-party contributor surprised, vulnerability surprised, and old surprised. You are going to end up with this picture that you didn’t know existed, which is for security operations. That is the tough part. We want to know so that we can solve it and we don’t want to be surprised because that is when things bump in the night, and we don’t want that.
I love the idea we want to know. That is something coming a little more from your personal experience. You have such a diverse background across this, as we said in the open, “Product incident response and organizational development.” A lot of people tend to grow up siloed and become incredibly influential and successful and do amazing things inside of this one thing, but that is a wide range of experience.
As you look at this stuff, how do they influence each other? You always want to have diverse experiences, but the difference between product and organizational development is huge. Let’s throw an incident response where you have to have people coming in like Tom Cruise and Mission Impossible in a helicopter to solve a problem.
I honestly think the value is operational. It is no longer an option for security not to be baked into business. This is reality. The reality is every single thing you do from the board level down has to have security thought into it. It cannot be an afterthought because of two reasons. First of all, it was expensive. If you play Whack-a-Mole and you throw a bunch of tools at a bunch of problems, soon you have tools, overlapping tools and nobody knows what is valuable, and you are spending a ton of money that doesn’t have a value proposition in it. At the end of the day, you are doing some reflection, going, “I dropped a couple of million here but did I solve my security problems?” Maybe not.
The second is a go-to-market strategy. For companies that are developing products that have to have security embedded in that, it is a go-to-market strategy. You have to embed it along the way at every step because it is too expensive to break up concrete as a product and add it at the end. I’m not the only one that has this diverse broad set of experience. It is because we like the knob turning.
I love embedding efficient security practices so that it doesn’t cost and we think about it at the right time. That organizational play comes in very much. I think operational, as a software developer, as a company, and as a revenue generator. That is the value for people like me. We want to make it scalable, efficient and not necessarily a Whack-a-Mole as a one-time thought. The organizational development side helps in that I can think through how we get to market. That is what the value is for, especially our team.
This is a terrible analogy, but because we are in the college football season, you think about how many of these programs have. They have fired two previous coaches that they are still paying off and the third one is now in there. When being aware of what you have in your system, you may not even know. We have dumped two previous endpoints because they weren’t getting the job done, and now we have a third one, but we are still paying off the licensing on the last one.
When security is a speed bump, that is the natural reaction for any C-Suite. It is going to be, “Why is that a speed bump?” We got to build it in. If it is not efficient, it doesn’t survive. That is the reality for security in general. It is way more important as the ecosystem transitions to this larger security picture that companies are realizing. It is not a one-shot deal. It is an all-encompassing governance model. We are going to see a lot more of that because it simply has to be efficient, or it won’t last.
You have had an incredible career to be involved in all of this amazing evolving technology throughout mobile to cloud to AI to all these types of things. Anything got your eye right now that may not be quite ready for prime time but you are thinking pretty cool. Please don’t say NFTs because we are going to express the needle and be out of here, but anything other than that.
We have always been blessed to have an awesome crystal ball. If you look back on what we were talking about in 2017 or 2018, we are here right now, which has been awesome to see.
The future delivered.
Sometimes it does. We have been fortunate to be able to look at this future because, for BlackBerry, it is awesome. The future is what we are working on. That is the future of our products. Our team gets to dabble in. Everything is futuristic and where security is headed. We have this feedback mechanism where we are able to plug that back in. Who has the coolest job in the world? I do.
The future of where we are headed, and I’m going to mark this down, is this larger telemetry. We have a security budget, and we are managing this thing. We are doing this high-level scanning to see what futuristic things we need to be looking at; maybe tomorrow. What I see happening is the need to do a couple of things.
One is noise reduction. BlackBerry is a great example of this because we are in everything, and we are a company. We have a corporate thing we need to worry about for our company, but we are also selling into environments. I have to worry about customers, which is where my main focus is. When I look at all of that telemetry, it is noisy, and when I look at the supply chain.
Security is going to take a much more supply chain approach, where companies are forced to look at where they fit into other supply chains and where they are consuming into the supply chain. As a company, if you are making a web app, you have to have products that are security focused. You have to worry about vulnerabilities in your web app. If an attacker or security researcher finds something, do you have a front door? Is there somewhere that can be disclosed?
You also have to worry about what you are consuming and putting into that thing. How are you shipping updates? What does your build system look like? It is all security if you think about it. It creates this massive attack surface, and you have to watch all the things. If my favorite rideshare company now, I am like, “That was a third party.” That wasn’t even them. If you think about that holistic attack surface, you have to think about your vendors. Do you have areas where you can have coordinated vulnerability disclosure with other vendors?
This bigger holistic picture is going to emerge where companies have a single lens of attack surface. How they treat that and how they look at that is going to be a noise reduction in a focused effort. If I look at all that telemetry and I have all this noise coming in, what is my signal-to-noise ratio? What do I pay attention to? How do I prioritize that? What does that mean to the attack surface? What is the likelihood of things happening? What do I have to focus my dollars on or my board focus?
All those things are going to have to have a much more centralized approach because it can be fractured. I have seen companies that have a corporate mandate and a separate software mandate. How do you prioritize spending? How do you reduce your attack surface? How do you prioritize a risk model? As a company adopts zero trust, it is going to force vendors to look at that whole thing. That is my crystal ball. We will have to meet and see if I was right.
Tune into episodes 2 through 9 of these special Christine Gadsby miniseries, where we address each one of those questions as its own two-hour show because that is a lot. When you are in everything, and when you are part of the blood’s hemoglobin that makes things go, you have to think about all that stuff.
With that being said, this is the worst part. Out of this outline and we put it together, we got through about 20% of it, and we had to jump into all of the amazing reactions to the replies that you have already had. I want to get into the leadership corner because you are in something else that is cool. Ironically, I only learned of it in between when we did the prep call and doing this, but you are a part of Chief. Chief is amazing. I am not allowed to be a part of Chief, but you are. Please, I’m going to get out of the way, and this is the worst question ever. Tell us more about Chief.
Chief is amazing! It is a place where women executives can get together and learn from each other. The guest speaker lineup that we have for Chief to talk to women executives is phenomenal. It is about empowering women to take the power seat, to get to the C-Suite, to break through those glass ceilings, and to know how to do that and what is better to learn to do, than from other women that have done it before us. It is about driving that ability. It is from a tactical level. I had a call with another Chief member. They had some questions around securing the software supply chain, and I’m helping her bring some high-level things like, “Here are the things to think about,” back to her own board.
There is a separate function in Chief to empower women to be on board seats. They are teaching women how to get those board seats because it is not inherent. There is no playbook or map that you can call. Board seats have typically been a pretty male-dominated side of company governance. It is looking at how you do that. It has been amazing.
There are core working groups where different industries get together once a month for an hour. We talk about challenges that we are having in the industry. It is led by an executive coach. It is amazing. It has been game-changing for me. I have to admit, I’m a huge fan. Anybody reading this, if you have any questions about Chief, please feel free to reach out to me on LinkedIn. I’m happy to talk about it forever.
Inside our industry, cybersecurity, and this is sticking with the Chief conversation, have you seen advancements from the embarrassment of RSA a few years ago, where there were zero female keynotes that led to Our RSA day?
Within Chief, there are different little pockets of pods of groups of people that are organized by industry. There is a cybersecurity niche in there with amazing women in it. There are areas you can go into to focus on other things. Yes, I am seeing quite a bit of forward momentum there, and I am welcoming it. I don’t talk about this a lot, but it is difficult. My running joke is I never have to wait in line for the bathroom at a security conference. I never do because I’m usually the only one there.
It is sad that I’m laughing at that, but I recognize it. The men’s room has a line. The only place where the men’s room line is longer.
That is what I would have said several years ago. Now, it is better. There are more women getting into cybersecurity in general. We still have pockets where I think we could be doing better, but the message is resonating. Not just Chief, but there are a lot of women in security groups that have sprung up that are trying to move this narrative forward, especially at the executive side. It is still sparsely populated but several years ago, where we were to where we are now was huge.
It is minimal progress, and it is incremental progress, but let’s at least say, “There is progress.” Let’s not in any way, me, as the right-handed, straight, cis male, American-born, pat ourselves on the back because I had nothing to do with it. You guys are the ones that are breaking all of these barriers and doing this because you are good.
I appreciate that a lot. It is people like you who help people like me. It is the truth. It is a cultural ecosystem that needs to be developed, not the people themselves.
Continuing on the leadership corner thing, what else is going on? What is on your Spotify playlist? Anything interesting that you are reading? I’m going to straight up cue you up because we talked about it. You’ve got an interesting office in the background, and dear readers, you can’t see it, but I’m going to get out of the way because Christine does some cool stuff when she is not securing the world from attacks.
I don’t have anything on my podcast playlist now because I’m a mom.
It could not be a podcast. It is okay if you listed Guns N’ Roses or something.
My Spotify playlist is usually the ‘70s rock stuff because I’m that mom. That will also tell you my age. I reread every year, and I am blessed to mentor some people. If you are reading and I have mentored you, I say this a lot, Crucial Conversations is a great book. I read it yearly. It is a book that you can pick up and read. It will help you tomorrow. It helps you have hard conversations, especially if you are trying to be an executive. It is hard when you are the only woman, and that is where I will go back and say it is hard when you are the only woman in the room. Learn to lead like that. Read that book, Crucial Conversations. It is excellent.
In my office, I have a bunch of essential oils back here. If you know me, I’m a breast cancer survivor. I do like to make my own potions. I do have four daughters. We are often here whipping up wizardry and potions for headaches or whatever. We make soap and things like that for Christmas. That is what we are doing now, peppermint soap. This is the Betty White Golden Book that came out shortly after she passed. Someone gave me that, which is sitting up there because I’m a huge Betty White fan. There is a mermaid tail on a pen too. My girls are swimmers.
You won’t be able to see it, but so you know, she is pointing at various things.
You can’t see this.
That is fine. I will be here to annotate.
On the right of my screen, which you can’t see because you are listening, are all of the conference badges that I have saved over the years.
You are one of them.
I have an awesome plant that I like down here that sits by my window. That is my office tour. It is busy, but there is a lot that happens in my home office because I’m also a mom.
How many lanyards have you got back there? I had no idea what that was. That is massive.
It is probably 100. I don’t know. I would have to count them.
That is the last several years before COVID. I have a feeling that there are more than 100.
I don’t put all of them back there. If I remember to put them there, yes, and if it is cool enough to save, some of them have stickers and fun memories on them. Security is a tight-knit group, especially on the software side. If you know people, you want to go see your people.
I got to go to the last RSA before and the first one after. The difference was shocking. Getting to see people again, you want to come in for hugs, and everybody was like, “No.”
I know people were wearing stickers like, “I’m a hugger.” Everybody who knows me knows I’m a hugger. I hug everybody. That was going to be hard.
Officially, we didn’t even come close to all the things that we wanted to talk about. This is an invitation back for you for episodes 2, 3, 4, and 5. Shameless plugs, whatever you want to include that you are involved with, appearances, writing, Chief, other mentoring things, any of that thing, I’m going to be as quiet as I am capable of, which is not much, but I’m going to try to get out of your way.
There are a couple of things. One, we authored an awesome white paper on software supply chain challenges. If anybody wants the report, reach out to me on LinkedIn. It is fascinating to read all of the information that was responded to. We are mature on this side, but we learned a ton, which means you would learn something too.
Join BlackBerry at CES. We are in Booth 4025 in Las Vegas from January 5th to 8th, 2023. You can come and see software-defined vehicle demos, which are going to be super awesome. Learn more about IVY. If you haven’t looked at IVY, check out IVY online. That is the newest and greatest in the software-defined vehicle platforms for the car. Those are the two things I want to highlight.
You can find me @ChristineGadsby on Twitter. You can find @BlackBerry on Twitter. You can find me on LinkedIn. If you want to know more about actual BlackBerry products, you can go to BlackBerry.com. There are many great security products and translating all that goodness out of the handset into standalone software.
These are supposed to be shameless plugs where the guests talk about themselves. This is what I’m talking about with people like Christine, where she was like, “This is all for the greater good. This is part of the organization that I’m with.”
It is, but I love my job.
I wouldn’t have noticed. We could go for another hour, but Producer Sheron was like, “We’ve got to go.” Let me one time vouch for the notion of hitting the BlackBerry booth at CES. When I was at BlackBerry several years ago, we had an electric motorcycle in there that went 200 miles an hour that had a 200-mile range on one electric charge. That is the type of cool automotive thing that is happening in that booth. That is my shameless plug for BlackBerry.
It is always a lot of fun.
Christine is out there. She is doing all kinds of amazing work. Make sure that you look for her on LinkedIn because she answers, which is shocking anymore because nobody wants to talk to anybody for any reason at all. That is it for now because we have stolen enough of her life, and otherwise, this would go for four hours, and it would be like Joe Rogan. Nobody likes Joe Rogan, even though everybody pretends they like Joe Rogan. Christine, thank you so much for taking the time. We’ve got a lot more to talk about. Can we get you back?
I’m looking forward to it. Thanks for having me. It was fun.
I’m going to put this out there because I know he is going to listen to John McClurg. We are coming for you. That is it for now. Thank you for joining us on the show. A general reminder, all comments reflect the personal opinions of the participants that are not necessarily those of their employers or organizations, but whatever you get from me is 100% mine.
For more information and all that is good in the world of cybersecurity, make sure you check us out. You could find us on LinkedIn, Facebook, and the mothership, ElevateSecurity.com. My name is Matt Stephenson. You can find me @PackMatt73 across all of the socials. All we ask is that you subscribe, rate, and review. You will never miss the great folks who are coming on the show because they keep getting better. This one is going to be tough to top. Next guest, pressure is on you. Until then, we will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Christine Gadsby
- @ChristineGadsby – Twitter
- @BlackBerry – Twitter
- BlackBerry IVY
- ISO 21434
- Crucial Conversations
- Betty White Golden Book
- @PackMatt73 – Instagram
About Christine Gadsby
Christine is an accomplished Software Security Operations Executive highly regarded for strategically orchestrating software security programs, including SDLC capabilities, security communications, security research, automation and security tooling, risk mitigation strategies, and coordinated incident response. Her current primary focus at BlackBerry is driving the secure software supply chain efforts focusing on the NIST SSDF and Cybersecurity Executive Order 14028, ISO 29147, ISO 30111, open source software licensing and compliance, and Software Bill of Materials [SBOM] efforts. She is a known keynote industry expert speaker and thought leader and has contributed to several security industry conferences, including RSA, CCTX, Black Hat, IoTSF, ISACA, WomeninIT, and FIRST.