Cloud Security Today

The Software Factory

August 22, 2022 Matthew Chiodi Season 2 Episode 8

S2E8 - The Software Factory with Chris Hughes

Episode Summary

On this episode, CISO and Co-Founder of Aquia, Chris Hughes, joins Matt to talk about building security in the cloud using automation and compliance. Chris’s career spans over 20 years in the IT/Cybersecurity industry, as well as in active service in the US Military.

Chris talks about licensing and certifications, Cloud innovation, and achieving continuous ATO. How are software factories created and operationalized? Hear about the people side of the business, effectively building a community, and get Chris’s formula for personal growth.


Timestamp Segments

·       [01:19] Chris’s 28 licenses and certifications.

·       [02:44] The value of certifications.

·       [05:08] Chris’s Air Force experience.

·       [06:25] About Aquia.

·       [07:46] DoD vs the federal civilian space.

·       [09:01] BatCave.

·       [10:04] Federal DoD compliance.

·       [12:55] How do agencies achieve Continuous ATO in the cloud?

·       [16:04] Software Factories.

·       [21:07] How it’s gone wrong.

·       [23:12] What it looks like to stand up a Software Factory.

·       [25:24] What works on the people side?

·       [28:42] What is an effective way to build a community?

·       [32:30] Why Chris reads physical books.

·       [35:07] Chris’s formula for personal growth.


Notable Quotes

·       “The journey is going to be unique to the organization. It’s not going to be the same for everyone.”

·       “Just be real.”


Relevant Links



GitHub: Federal DoD Software Factory Compliance

Secure applications from code to cloud.
Prisma Cloud, the most complete cloud-native application protection platform (CNAPP).

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Narrator (00:02):

This is The Cloud Security Today Podcast where leaders learn how to get cloud security done. And now your host, Matt Chiodi.

Matt Chiodi (00:13):

In this month's episode, we feature Chris Hughes, who is the CISO and co-founder of Aquia, which is helping federal civilian organizations and the Department of Defense achieve secure digital transformations. Now, before you think, "Ah, I'm not in federal, this won't have any applicability to me," I'd encourage you to listen, because the concepts that Chris talks about, DevSecOps and software factories, are 100% applicable to all spaces. And so I think you should listen, listen deeply, take notes, as I always say, and get ready to learn about how to build security in the cloud at scale, using automation and compliance.


Thank you for joining us today, and we have an awesome guest, Chris Hughes joining us, Chris, thanks for joining us.

Chris Hughes (01:08):

Absolutely, I'm happy to be here.

Matt Chiodi (01:10):

So let's just jump right into it. I like to start off all my guests on LinkedIn. I have been following you for a long time, but according to LinkedIn, you have 28 licenses and certifications, and these range from Security+ to AWS Solutions Architect Professional, and I have a couple of questions. What drove you to get all of these, and how have you used them practically at work?

Chris Hughes (01:40):

Yes, there are definitely a few factors at play. One is that I've just been in the career field for quite a while, like over 15 years, so I've accumulated them over the years. And then two, for me, when it comes to learning, I tend to do better when I have a defined goal and something to work towards, like maybe a test deadline or an exam. It puts the pressure on me to really buckle down and study and learn something. We just always want to continue to grow in our career field, because as you know, things change. When I got Security+, AWS wasn't even a thing, so things in the career field have changed quite a bit, so I'm always trying to just keep learning, stay on top of that, and just keep the pressure on myself to keep growing.


With that said, though, I love your comment about you practically using them because you can go overboard, you can start studying, and get certifications for things that you're not even using in your day-to-day job. It's likely you may never encounter these and it can be an intimidating thing for someone looking at it, they'll say, "He has 28 certifications, I'll never have that many." You don't need that many, you just need to know what you need to know for your job and where the organizations you're working with are headed in my opinion.

Matt Chiodi (02:40):

This is not a part of our script, but I'm going to ask, where do you stand on the whole certification debate? Obviously, you have 28 of them so you see value in them. I think I posted something on LinkedIn a while ago, and I'm always surprised by what catches fire, I screenshot my notification from (Inaudible name 2:57) saying, "Hey, we've suspended your CIS's pay." And it was like the most viewed thing I've ever posted on LinkedIn, and there was a debate like, ah, it's not worth it or it's worth it, where do you stand? Especially if somebody's early on in their career, would you tell them to get them? Where do you stand on that?

Chris Hughes (03:18):

I kind of hate how we argue everything in black and white, like our binary in our curriculum and in society in general. We're so polarized, it's like compliance vs. security or certifications vs. experience, and it could be both, right? Someone could have a lot of experience and some certifications along the way, so I don't discourage people from getting certifications.


I think it's a great way to have a structured learning path or endeavor toward learning a certain topic or technology. I definitely encourage it, especially if you're new to the career field, but like folks like you, or I who have been around a long time, you likely don't have as much of a need for certifications, if you have a lot of experience under your belt. So I don't fall on one side or the other, I don't think certifications are inherently bad, but I do think only focusing on certifications with no relevant experience to back it up is definitely not a good thing either. So I don't think it's bad or good, it's just part of the career field and one method of learning.

Matt Chiodi (04:11):

I love that, it's funny, it brings back a memory of when I was in college, I won't say when because people can look at my LinkedIn profile. Back when I was in college, I went out and I got a couple of Microsoft certifications, and I had no experience other than playing around with, I won't even say what operating system it was, but a Microsoft operating system that won't be named. And I remember thinking, yeah, that kind of got some of the technical concepts down, but I've never actually done anything really with this. So yes, I hear you, it kind of helped.

Chris Hughes (04:40):

It's a catch-22, to be honest with you too, when I started learning AWS, I hadn't really got a chance to work with AWS quite yet, but I wanted to, I wanted to work in the cloud, I wanted to be a cloud security professional. So I started learning as much as I could about AWS and getting certified in AWS, and then I got an opportunity to work with the cloud. Because people say, "Oh, he's been learning this, he's been immersing himself in this and really eager to learn this," so I got an opportunity to get hands-on experience. So sometimes it can be a way to get your foot in the door as well.

Matt Chiodi (05:09):

Okay, so let's back up for a minute. You started your career in cyber security, it looks like back in 2008, when you were in the US Air Force. Talk about how that experience shaped the next 10 years or so, or maybe even more, up until your time at Aquia, and I'll ask you about Aquia in a minute.

Chris Hughes (05:28):

Yes, it definitely played a critical part. Going into the Air Force I had a background in technology. I had worked with technology at a couple of companies prior, and I always played with computers as a kid, but I didn't know much about cyber security or how great of a career fit or how great of an opportunity it would be for me, to be honest with you. Then when I went into the Air Force I learned a ton. I started at the help desk and worked all the way from that to system administration, to network admin, so here we are with cloud and CISO and things like that.


So it was a great opportunity to get my foot in the door of the career field and learn how technology and how cyber security work in large enterprises, and highly regulated environments. And it kind of set the trajectory for my career, here I am all these years later and I've kind of stuck around the public sector, and that's just because I am passionate about the mission; when you talk about the department of defense, you talk about the federal government providing civil services and critical things to society. That's always kept me around this space, to be honest with you.

Matt Chiodi (06:23):

I love that. So now you've co-founded a company that goes by the name Aquia, roughly a year ago. Tell us about what you do there, what's the mission, and what problems are you solving?

Chris Hughes (06:36):

Yes, definitely. As I said, I started in the Air Force, and then I had a couple of government jobs, actually with the Navy and the FedRAMP teams, for those who are familiar with FedRAMP. And I worked on the industry side at a couple of other companies, and then I started asking myself, why don't I try to do this myself when it comes to cyber security? And I saw things that went well and things that didn't go well from a company's perspective and how I did things. And I had an opportunity to team up with a couple of partners and bring what we feel is a different brand of cyber security, technical rigor, and expertise to the public sector.


For example, we've kind of blended the best of commercial talent that we've brought, people from the commercial side of things, and meshed that with people who have deep expertise in the federal domain when it comes to compliance and cyber security, and some of the nuance that comes with working with the government. And we've really been focusing on transformational-type efforts, things such as cloud, cloud security, DevSecOps, application security, and threat modeling. You've seen me share quite a bit around zero trust, and that is another area we've been focusing on. So we really have a bias for that transformational type of work, work that's really going to change the status quo in the way that government operates technology and cyber security.

Matt Chiodi (07:42):

I know I didn't ask you this beforehand, but using a baseball analogy, I don't know if you're a baseball fan or not, but generally speaking, if you look at where DOD is today with the use of cloud, versus let's say the civilian part of the federal space, where are they in the analogy in terms of innings? Do you see DOD as one ahead of the other, or are they about in the same place? What does that look like?

Chris Hughes (08:10):

It's hard to say because it is such a massive ecosystem of different agencies. You can take one agency versus another on the federal civilian side and they could be drastically different in terms of their cloud maturity or cloud security maturity. And then even in the DOD, you definitely have some laggards and massive legacy footprints, but you also have programs like Platform One and Kessel Run and the Space Force who are trying to do some really innovative things when it comes to cloud.


I'd be reluctant to kind of put one inning on the entire Department of Defense, but I will say there are some entities that are doing really innovative things, even for the commercial space. When you compare it to some of the stuff coming out of places like Platform One, on the civilian side, look at programs like Bat Cave at the Centers for Medicare and Medicaid, they're doing really innovative work that's on par with many large commercial organizations from what I've seen.

Matt Chiodi (09:00):

What are they doing? I'm not familiar with Bat Cave, but I love the name, so I want to know more about it immediately.

Chris Hughes (09:05):

If you're in the government you've got to bring a cool name to jazz it up and make it exciting. You've likely heard the term software factory, so Bat Cave, much like Platform One and Kessel Run, is a software factory in the federal government space. And what they're doing is they're building a platform as a service, think of a Kubernetes containerized orchestration type of environment built on top of cloud, utilizing infrastructure as code (Inaudible 9:28) containers and building robust CI/CD security pipelines. SAST, DAST, secret scanning, SBOM, things like that, and bringing that kind of way of delivering software to the agency, or the Department of Defense in DOD's case.


It's a really innovative way of doing things and it can streamline a lot of the traditional security controls that you have to meet if you're an individual system owner. If I can work in a platform as a service type environment, that's already authorized, I can inherit a lot of controls from the cloud provider, from the organizational level, from the platform level, and ultimately focus on my app and delivering value to my stakeholders, my constituents.

Matt Chiodi (10:05):

So back in February, you created a GitHub repo for federal DOD compliance innovation, I think that's what you called it. And I'll put a link to this in the show notes. First, not everybody in our audience is federal specific, they're not focused on the public sector, so tell us what that means, and then how it relates to the cloud, and maybe what your vision is for how it might be used in the future.

Chris Hughes (10:29):

Yeah, definitely. To give some context, anyone that has worked in the federal domain when it comes to compliance can attest that it's often one of the most, if not the most, tedious, burdensome processes of getting software and systems into a production environment. Going through what they call the risk management framework, the ATO (authority to operate) process, it's usually this three-year cyclical, massive process. You have to go through and meet all of these controls from (Inaudible 10:56) 100 publications, hundreds and thousands of sub-controls, and you have to document all of those in traditional paper-based compliance document formats.


It can be a really heavy and burdensome process, so I created that repo because there are innovators, like I said, on the DOD and on the federal side who are doing a newer way of doing things, looking at efforts like OSCAL, which is kind of compliance and documentation as code that's being pushed by groups like QSA, FedRAMP, CMS and DOD now as well. Take traditional RMF or cyber security compliance documentation and put it in machine-readable formats so that you can bring it closer to kind of the DevOps way of working, an everything-as-code type model.


That's a big part of it, and then building on some of the concepts I talked about earlier, like inheriting security controls, building these shared development platforms where people can go in and just work on their application and inherit controls from the infrastructure and the platform layer, when you think of cloud deployment models. And then also building those robust security pipelines is another aspect of it, because you can facilitate security automation in that sense. So if I want to deliver software to production, I don't have to go through this massive paperwork process.


I can simply push it through a pipeline that has defined risk thresholds and security criteria via the security tooling, push it right into production, and have a level of assurance around the risk I've introduced to a production environment, versus a traditional three-year massive burdensome process. You have likely heard the term continuous ATO going around; this is kind of built around that way of thinking.

Matt Chiodi (12:30):

Okay, and while we're on that point, you brought up continuous ATO, right? So again, if you're not in the federal space, this is something having to do specifically with federal, but I think there are parallels definitely in the commercial space, so don't tune out. This is one of the most discussed subjects in probably all of federal right now, continuous ATO or CATO. So first and foremost, this obviously is a cloud podcast, but based on your experience, how do agencies go about achieving continuous ATO in the cloud? Is there a roadmap you recommend, what have you seen work best or not work well? Tell us a story, what have you seen?

Chris Hughes (13:12):

Yes, definitely. To start off with, historically there hasn't necessarily been one defined way of doing it. Organizations have done it themselves; places like Kessel Run and Platform One and others have done it organically themselves. Also Army cloud, if you look at the Enterprise Cloud Management Agency in the Army, for example, is another entity pursuing this, and they've done it organically. But with that said, the DOD CIO's office, the chief information officer's office, just recently released a CATO memo that laid out three criteria when it comes to pursuing a CATO, which revolved around things like the continuous monitoring of the environment, getting that real-time compliance monitoring. You talked about parallels to the commercial space; I know you work at Palo Alto, and you had massive cloud involvement, right?


When you look at native services from the cloud providers, things such as Azure Security Center, AWS Security Hub or AWS Audit Manager, you're getting that near real-time telemetry when it comes to security controls. This is applicable when you look at something like a SOC 2, or another kind of commercial compliance framework. Even then it was like a snapshot in time: you come in, you assess something, you come back again, you assess it again several months later. That's not really giving you real-time assurance of your compliance hygiene or your compliance adherence.


Leaning into those native cloud services is a key aspect of that, and then another aspect of things is what they call defense or cyber operations, so having visibility in your environment, watching for malicious activity, malicious actors or nefarious actors, or even insider threats. Keeping an eye on things and seeing if we have malicious behavior occurring from a cyber-security perspective, and being able to respond to that in near real-time, is another critical aspect of achieving that continuous ATO.


So those are some of the fundamental things that traditionally weren't done in a legacy ATO type of framework, and that is now being pushed. Now we've moved into this cloud native DevSecOps type environment that we didn't have previously.

Matt Chiodi (15:02):

If somebody's not in federal and they're thinking, continuous ATO, I don't know what that is: continuous authority to operate, or authorization to operate. It sounds like it's the same thing as what we talk about in commercial in terms of continuous compliance; it's the same thing, right?

Chris Hughes (15:17):

Yes, absolutely. There's a ton of innovators that are starting up, there are SaaS-based startups, for example, that integrate with your multiple cloud service providers to try to give you that near real-time, ongoing visibility of your compliance adherence, whether you're talking PCI or HIPAA or SOC 2 or whatever the framework is, or in the federal government space RMF and (Inaudible 15:38) 100, for example. Having that visibility in near real-time via the cloud integration, and that ongoing monitoring that we didn't traditionally have. Even in SOC 2, you may get a visit again in six months and say, "Yeah, they're operating the controls on a continuous basis." But you knew the evaluation was coming, you knew you were going to get audited, and it's a lot different when you're getting audited in near real-time, in minute intervals, for example, versus every so many months.

Matt Chiodi (16:05):

So one of the things that I read about, and we touched on this a little earlier, is the whole concept of a software factory. I saw that back in May of '21, in the DOD Enterprise DevSecOps Strategy Guide, this appeared, and I'll pull a quote out, so this is a direct quote, and it says, quote, "To deliver resilient software capability at the speed of relevance the department needs to implement strategies that focus on cyber security and survivability across the development process." It goes on to say, "The DOD CIO and the Office of the Under Secretary of Defense recognize the urgent need to rethink our software development practices and culture by leveraging the commercial sector for new approaches and best practices." So why don't you kind of break that down a little bit for us: what's a software factory, and how are they created and operationalized? Let's just start there.

Chris Hughes (17:02):

Yes, it's definitely a nuanced term specific to the federal government, but that said, if you look to other industry groups like the Cloud Native Computing Foundation, they even have a software factory kind of reference architecture that's in draft, which is not particularly specific to the government. So that's something to go check out, but in my opinion, and I'm sure you get a lot of different opinions on this topic, a software factory is kind of a standardized approach to how you collectively operate as a team and deliver software. In other words, how you deliver value to your stakeholders; I think that's the best way to put it at a high level.


How they're created and operationalized is going to be different in every environment, but it's breaking down those silos between your development, security, and operations teams, bringing a standardized way of operating when you think of infrastructure as code, using DevOps type deployment models where you're switching from manually logging into things, and everything is managed as code, configured as code and deployed as code. And delivering in a standardized fashion is the best way I can put it. I think you talked about how you get there, and it's going to look a little different for everyone because it's the same thing as DevSecOps or zero trust. The journey is going to be unique to the organization, it's not going to be the same for everyone, but you ultimately know that you're working around fundamental methodologies and fundamental practices, and you're trying to improve and expedite the way you deliver value for your respective organization or industry.

Matt Chiodi (18:17):

So it sounds like, with the software factory, they're trying to kind of bring in some ideas around maybe industrial-age type of things. Or if you think of a factory that produces a widget, and I remember using this analogy probably a long time ago with cloud, we were talking about the fact that everybody says about cloud, "Hey, it's great, you can scale things up." And I always like to say to people, "That's true, but you have to be able to build the automation and the processes just like you would have in a physical factory." So if you've got, let's say, a Tesla manufacturing plant or whatever it might be, they only have a certain ability to crank production up and down, but the reason that they can do that is they've standardized processes and procedures and materials. So it sounds like they're trying to extend that concept into the world of software, is that accurate?

Chris Hughes (19:05):

Yes, it's definitely accurate. I actually just spoke at DevSecOps Pittsburgh for Carnegie Mellon this week, and I used an image that I got from the DevOps Institute, there are a lot of DevOps organizations and terms there, but it laid out the history of DevSecOps, and they did pull from lean manufacturing concepts. What you just talked about kind of traces back to that heritage, and how they try to pull these concepts into the software world, and bring a standardized way of doing things in the way you operate and in your processes. Something I think is important to call out, as you talked about, is the way that you can do things at scale when you have standardization or when you have repeatable processes, infrastructure as code or cloud.


For example, as you talked about, Palo Alto's Unit 42 puts out a ton of great studies, as you know, because I see you sharing them as I do. When you look at their threat report, they talked about the software supply chain, for example. If you look at infrastructure as code or container images, you can use those to scale quickly. But if you have a misconfiguration in there, if you have vulnerable configurations or vulnerabilities baked into those, all you've done is scaled those out faster than you previously could have done, at a pace that you normally wouldn't have done. So it is important to have security and proper rigor and governance baked into those processes, because otherwise you're just scaling your problems faster than (Inaudible 20:18).

Commercial (20:19):

Prisma Cloud secures the infrastructure, applications, data, and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. Prisma Cloud also integrates with any continuous integration and continuous delivery workflow to secure cloud infrastructure and applications early in development. You can scan infrastructure as code templates, container images, serverless functions, and more, while gaining powerful, full-stack runtime protection. This is unified security for DevOps and security teams. To find out more, go to

Matt Chiodi (21:07):

I know you're a big fan of infrastructure as code, and obviously that's a key component of a software factory or any type of DevSecOps type of approach. But when it comes to security in the supply chain, it doesn't always guarantee success, and I think you mentioned a previous Palo Alto report where they actually went through some of those things and pointed out some of those numbers, but maybe tell us a story about how you've seen it go wrong. And then the other side of that would be, what have you seen work to fix that?

Chris Hughes (21:37):

Yes, just using basic examples, looking at cloud things, things like security groups or AMIs, Amazon Machine Images, for example. I've seen infrastructure as code templates deployed that are using vulnerable AMIs, or AMIs that haven't been hardened or haven't had vulnerability scanning conducted against them and remediated, for example, or that have overly permissive IAM access controls for users in the environment. I've seen that happen many times, and I think what I've seen organizations start to do about it is, just like everything else is code, if you look at traditional code and you're using SAST and DAST and things like that, we're now seeing infrastructure as code and Kubernetes manifest scanning tools come into the ecosystem.


Start to scan those things before you put them in a production environment and see what the vulnerabilities are in these infrastructure as code manifests, or Kubernetes manifests, that we're getting ready to deploy. And catching that, you think about shift-left security, the same concept applies when you think of infrastructure as code, and it is kind of catching those things earlier in the life cycle.


And then obviously Palo Alto, if I'm not mistaken, acquired a group named Bridgecrew, right? Who are very big on compliance as code. So if you think about how you used to do security, you'd go around and try to get people to tidy up their permissions or configurations and align with some organizational policy or regulatory controls and things like that. Well, what if you can bake those into your infrastructure as code templates, knowing that you have certain restrictions around how we allow networking to happen or how we allow access control and identity management to be done at our organization? If you can bake those things into your infrastructure as code earlier in the life cycle, you're saving a ton of time and a ton of money, and you're actually catching them before they ever get to a runtime environment to be exploited by a malicious actor.

Matt Chiodi (23:12):

What examples do you have? I'm curious, and obviously if you can't say the specific client name, that's totally understandable, but maybe as you've worked through this, either with Aquia, your company started in the last year or so, or even in the last number of years, give us a little bit of insight into what it actually looks like to stand up a software factory. Because I think this concept, whether someone's in commercial or whether they're on the federal side, I think they're the same concepts, right? I mean, obviously what they're shooting for in terms of compliance might look different, but I think the way to get there, I would guess, is likely some of those same things, so what have you seen?

Chris Hughes (23:52):

Yes, definitely. There are some differences in terms of regulatory requirements and different frameworks you may have to adhere to if you're in the public sector versus the private sector, versus healthcare, versus finance, or whatever. But there are standardized technologies and processes that you're going to be orienting yourself around. Some of those are going to be fundamental things, such as what cloud or cloud environments will we be operating in? What kind of CI platforms will we be using?


What's our infrastructure as code baseline going to be? Those are all fundamental things that people start to get in order as they start to build out these software factories. What teams will we have, what responsibilities will be among the teams, and how do we reduce silos? Because we obviously have seen in the past that security has been kind of an afterthought, or comes in after the fact and tries to tidy things up or propose a new way of doing things that's more secure.


So breaking that down and building those cohesive cross-functional teams is another fundamental aspect of building these software factories, whether you're in the public or private sector. So those are some fundamental things, it's just getting a standardized way of doing things. What are your teams going to look like? What clouds are you going to operate in? What is your CI platform going to look like? What are you going to put in your pipeline when it comes to security tooling and automation, what kind of thresholds are you going to set?


What will we allow to go through the pipeline and be deployed versus what are we going to break a build or break a deployment on and go back and have to develop or kind of remediate something before it can go to production? And while those thresholds, in terms of risk, may look different depending on your organization, or if you're operating in the intelligence community versus the commercial space, your threshold for risk may look different, but ultimately those fundamental concepts are going to be the same.

Matt Chiodi (25:21):

I get this question a lot and it's, we want to do DevSecOps, I want to get the tools, I want to do the software factory component, but I'm struggling with the people side of it. The people are the hardest, I can't tell you how many calls I've done around this, trying to help people work through this. In terms of getting this through organizationally, really getting the buy-in, what have you seen work on the people side? Obviously, they can go out and get tools, there are a hundred different vendors that make tools around this, and I always tell people that's like the easy part; building the business case to buy a tool, but getting those people to use the tool. What about the people side of it?

Chris Hughes (26:02):

Yes, I think you're hitting on, in my opinion, the biggest problem and it's being validated by people asking that question. If you look at security spending, for example, we spend roughly 3% of our security spend on people-related stuff, and yet 85% of security incidents involve a human factor. So we disproportionately spend on technology and I've seen it happen many, many times. I actually have more, I hate to say it, but I have more horror stories than success stories when it comes to this, because I think it's so pervasive across all industries and all organizations, but people have a plan to move to the cloud or a plan to implement DevSecOps and they get so wound up on focusing on the cloud platform or the CI/CD tool chain, what tools we're going to use, what technologies we're going to use to tackle this, and it is the same thing with zero trust.


They forget, we have a workforce, we have a culture at play here, and how do we upskill the workforce? How do we prepare them to use these new technologies? How do we change the way we operate as a team and teams within our organization to facilitate the goals that we're trying to achieve? And I think it's so often that, that's just often overlooked, we think we can just buy our way out of things. It's like all we've got to do is get a pipeline or we get in the cloud and we're good to go, and it's like, no, you still have people that are making decisions. These people are deciding the tools, they're configuring the tools, and they're getting the tools to integrate and communicate and work together. And they're working together as teams, so it's like the people aspect is so overlooked and it's really harming our pursuit of digital transformation. It's a bit ironic because digital transformation sounds super technology-centric, but ultimately it comes back to your people.

Matt Chiodi (27:30):

It's changing your processes; the process is such a big part of it. I think it was on LinkedIn fairly recently, I was dialoguing with somebody and they asked me a similar question. And I said, "It's the same answer as always, it's people, process, and technology in that order." And unfortunately, as security professionals, we love to jump right to technology, we love to go buy the shiny toy and it's like, yes, you need that shiny toy, but if you're not going to also address the people and the process side, which is, unfortunately, the hardest side in my view, that tool's probably not going to give you a good return on investment.

Chris Hughes (28:06):

Yes, it's a hundred percent right, and it's ironic you said that because my first slide for the presentation I talked about earlier this week said people, process, and technology in that order. So I agree with you a hundred percent and it is so true, because we think we can just buy a technology and it will fix everything, and it's just simply not the case. And then a lot of what I see on the federal side is they have these ambitions to move to a software factory or move to DevSecOps, but they don't change their processes. They want to use these new technologies in the same way they operate legacy technologies, and that causes a lot of friction and tension and ultimately hard lessons learned, to be honest, in many cases.

Matt Chiodi (28:40):

So let's switch gears a little bit, so I've followed you for a while on LinkedIn, you are a prolific poster. You and I have talked about this through direct messages, that you generate a lot of engagement. So first of all, I appreciate watching you because I've learned a lot from you and you've actually shared a lot with me too around kind of how you do it. So I hear this question a lot, usually, it's coming from somebody who's like, "Hey, I'm looking for a job, I've heard that I've got to do everything on LinkedIn, otherwise I'm not going to get a job anywhere else." So here's my question, what have you found to be an effective way to kind of build a following on LinkedIn, but also what do you think is an effective way to build a community?

Chris Hughes (29:22):

Yeah, honestly it comes down to being authentic, you and I talked a little bit before we went on air and you talked about how people appreciate authenticity, and I find that's really true. When it goes back to the certification thing, for example, I've shared passing certifications, but I've also shared failing certifications. And I think those kinds of things like just being real and transparent with people, resonates with people. And then as far as building a community, not just being authentic, but being consistent, a lot of people think like I have to have everything perfect before I make a post, but just go man, just do it.


You'll learn as you go, you'll post something that'll be a total flop, and you'll post something else that would be great, and that's just part of the process. And also look to other people that are doing it. I have a great following on there and I've been lucky to have that, but it's just been like three or four years of being consistent, like every day or almost every day, I'm trying to share something that I'm learning as I'm learning, as I'm reading, as I'm tinkering with things I'm trying to share that with the community. And then as my following has grown, ironically enough, I've learned more and more from them because I have more and more stuff popping up in my feed of other like-minded individuals. They are sharing things, but go look at people like yourself, there are people like AJ Yon, Mike Miller, and Jerrick Beson, these folks are out there every day, just sharing open dialogue around things in our community and in our industry as cyber security, both the good and the bad.


And they're just being really transparent about that, being open and having normal conversations, I think can be really powerful. And it just resonates with people in this world of social media, where we're so used to seeing the highlight reel and everything is perfect, just be real. And I think that's the best you can do, that and be consistent and show that you're actually passionate about helping people, and it can go so far.

Matt Chiodi (31:03):

I love that, so it's consistent authenticity, sounds like that's your formula.

Chris Hughes (31:07):

Yes, I think that's it, you learn as you go, like I said, you're not getting everything right. Sometimes I'll realize I could have said something better, I could have shared something in a more informative way, but just continuing to iterate on that and continue to show up is really the most powerful thing you can do.

Matt Chiodi (31:22):

I've also found that no matter how hard I try, I have not been able to game the LinkedIn algorithm yet. So sometimes like you said, I'll take time, I'll craft something and I'm like okay, this is going to be great. And it's like, nobody pays attention to it, and I'm like, "What happened?" And then I'll post something that I'm sitting on a plane and I've got five minutes for taking off, and I see something that I'm like, this is really interesting. And I have a thought on this and I just quick tap it out, I hit send, and by the time I land, the thing is blown up. It's like you said, it's like the most authentic you can be, almost just off the top of your head, not thought out. It seems like that's the stuff that people really want to engage with.

Chris Hughes (32:00):

Yes, a hundred percent, obviously there's a method to the madness in terms of what time of the day you post or share versus posting something original and those kinds of things, but really the hot takes and the off-the-cuff open thoughts are what really resonate. As you said, I've had things where I really crafted it, I'm like, oh, people are going to love this, and I share it and there's nothing. And then other times, I'll go on a little rant or something about something, and I just throw it up there, and the next thing you know it really started a ton of great discussion, it's a great debate about a topic. So yes, that authenticity is really, really what resonates, I think.

Matt Chiodi (32:30):

I know you're a big fan of reading physical books and so am I, and when I say physical books, I know there are some people who probably don't even know what that is anymore, but the actual paper book, not something on Kindle, not reading it on screen, not even listening. What's your reason behind reading physical books on paper?

Chris Hughes (32:49):

It's a couple of things, one is, we stare at a screen all damn day, and sometimes I just don't want to be looking at a screen and I want to hold something and touch it. And then also, I have four young kids, I have an eight-year-old, a six-year-old, a three-year-old, and a 10-month-old, and I started to notice I was a big person like, "Oh, I've got everything in my O'Reilly library and I can just pull it up on my phone or my tablet or whatever, wherever I want, whenever I want." And I realized wait, they're seeing me all the time staring at a screen and not seeing me being engaged. And the same could be said, obviously, for reading a book, but it's just a little different, I think it shows them that you're actually into reading. They don't really comprehend at a young age that, "Oh, he is reading a book," they think that you're just on an electronic device.


They start to try to emulate that, and I found that if I started reading physical books and collecting them, then I can share them or give them to someone else when I am finished with them, that's something else that I like to do. And I've noticed my eight-year-old, for example, now she's starting to carry around a book or she's supposed to be in bed and she's in the hallway reading a book with a light. And I want to yell at her to go to bed, but at the same time, I'm like, well, she's actually doing something pretty good, so it puts me in a tough spot. I just think feeling something physical, having something in your hand, after staring at a screen all day and just trying to show my kids, it's good to read, I think that resonates better with them with a physical book versus like an electronic device.

Matt Chiodi (34:04):

I read a study a while ago and I'd have to follow up to see if they've got additional data on it, but it actually showed that the way that you absorb material from something that is physically in your hand, because of the tactile response, you actually remember it longer. So that's one of my main reasons, but also, I agree with you, I have two kids, they're older now, but when they were younger, I remember my son, he was like, "You're always staring at your phone, you're always working." And I'm like, "I'm not actually working, I'm actually reading something leisurely that I enjoy." So that one conversation that he had with me actually caused me to really focus on physical paper books, just so the kids could say, "Oh yeah, Dad isn't working all the time, he is reading, he's reading something, oh, what is that book?" I think kids assume that you're playing on your phone, Candy Crush or whatever it might be, or you're working, so I agree with you on that one.

Chris Hughes (35:03):

Yes, definitely.

Matt Chiodi (35:05):

A lot of reading obviously that's the way that you grow, but in terms of your personal growth, what's the formula, what works for you?

Chris Hughes (35:17):

Honestly, like I've talked about, setting goals, whether it's an exam or something to aim towards is a big thing. And then just being persistent, it's the same thing with the LinkedIn thing; I just like staying persistent with my learning. A lot of people will think like, "Oh, you're so smart, you know all these things" and they think it's just inherent really, it's just like being diligent and being committed to learning and always staying on top of that, and just being committed to the process and understanding it's a journey you're never going to know everything. But also knowing that you want to be your best, whether it's for your family or for your organization, or for yourself, just trying to push yourself to a higher standard is the way I look at it, and I'm always trying to show up and be a little bit better than I was the day before.


If that means even reading a few pages or something like that, having a conversation with someone that I can learn from, or I can give some information to that benefits them. That's my strategy; always wanting to be a little bit better than I was the day before, and diligently working at that.

Matt Chiodi (36:10):

Do you have a process that you follow for setting goals? What does that look like for you?

Chris Hughes (36:15):

Typically I have done the whole, it's a new year, I'm going to set these, I want to do X, Y, and Z and that kind of stuff, but it could be a good thing and a bad thing. You can become a taskmaster and you can burn yourself out in that way, and then you set unrealistic goals like that because you can't hold yourself to them over a 12-month period. So I just try to break it down into much smaller increments. For me personally, right now I've been focusing a lot on the software supply chain, so for the next three months most of what I read or take in or digest is going to be around the software supply chain. I just really want to learn more about that topic, and you'll be surprised, even 10/15 minutes a day of just immersing yourself in a certain topic, after a few months you could be surprised how much you can truly learn just from that little change in your daily habit.

Matt Chiodi (37:01):

Well, Chris, I've loved having you on, it's been a really great far-ranging kind of conversation. Are there any parting words that you would have for our listeners or maybe perhaps something you wanted to share that I didn't ask you about?

Chris Hughes (37:13):

No, I think we touched on a lot of great things, I'm really honored to have the opportunity to come on and I appreciate what you're doing for the community. And also, what your organization does and the research that they put out for people like me and others to keep learning. And that's all I'd say is, I love the community that we have in cybersecurity and I'm really thankfully engaged with everyone and look forward to continuing to do so.

Matt Chiodi (37:31):

Awesome, well, I loved having you on Chris, thanks for joining us.

Chris Hughes (37:34):

Awesome, thank you.

Narrator (37:35):

Thank you for joining us for today's episode, to find out more, please visit us at