In this episode we sit down Shyam Sankar, Chief Technology Officer (CTO) of Palantir Technologies. We will dive into a wide range of topics, from cyber regulation, software liability, navigating Federal/Defense cyber compliance and the need for digital defense of the modern national security ecosystem.

- First off, for those unfamiliar with you and your background, can you tell us a bit about yourself, as well as Palantir?

You're a big proponent on the role that software plays now, and will play in the future when it comes the fifth domain of warfare, cybersecurity, so let's give into some of those topics.

- I know you've voiced some strong opinions on the role of cyber insurance and also compliance when it comes to its static nature, compared to the dynamic activity of malicious actors and the threat landscape. Can you expand on that?

- You and I also chatted about the fact that most cyber issues tie back to hygiene, and that there are no silver bullets. Do you feel like this gets lost among the marketing hype of cyber?

- I know you've talked about externalizing some of Palantir's software infrastructure to enable more companies with security infrastructure and toolchains. Can you tell us about some of those capabilities?

- The enablement of more companies is key, as you know the DIB has seen massive consolidation in the past decade or more, largely with the small handful of players dominating the lions share of the work in the DoD. This arguably poses systemic concentrated risks, as well as doesn't give access for the DoD to commercial innovation.

You called the DoD's most powerful ally America's commerical tech sector in a recent piece. We know that times have changed, and unlike eras of the past, most digital innovation comes from the commercial space, but DoD tends to have a not built here syndrome, no doubt driven by incumbents, incentives, fiefdom building and more. What do you think the national security risks of this are?

- Given you've been around DoD for some time, you've no doubt been exposed to processes like ATO's and RMF and more. What are your thoughts on the current state of compliance in the DoD and how it could potentially hinder access to commercial innovation?

In this episode we sit down with Mark Simos to dive into his RSA Conference talk "You're Doing It Wrong - Common Security AntiPatterns" to dig into several painfully true anti-patterns in cybersecurity and how we often are our own worst enemy.

-

- First off, for those not familiar with you or your background, can you tell us a bit about that.

- So you delivered this talk at RSA, focused on Cybersecurity "Anti-Patterns". How did the talk come about and how was it received by the audience?

We won't be able to name them all, but I would love to discuss some of them.

- You talk about the technology-centric thinking, and how folks believe security is about technology instead of business assets. Can you explain this one?

- The silver bullet mindset was another that jumped out to me. This is thinking a single solution can 100% solve complex and continuous problems. What ways have you seen this one play out?

- The paradox of blame is one that made me laugh because I have seen this play out a lot. You talk about the CYA mentality, how security warns about issues, they are skipped and then security is blamed. This one really stings because I have seen it happen, and in fact, I feel like we're seeing it play out with some of the CISO liability cases and regulations that are emerging.

- Perhaps one of the most well known anti-patterns of security being the office of no or resisting trends. I feel like we saw this with Cloud, Mobile, SaaS and now AI. Why do we keep repeating these mistakes?

- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?

- We see rapid adoption of AI and security inevitably trying to keep up, where should folks start?

- There are some really interesting intersections when it comes to AI and supply chain, what are some of them?

- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?

- AI BOM's - what are they, how do they differ from SBOM's, and what are some notable efforts underway right now around them?