Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. In this day and age, where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests: Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat, focused on the public sector, and Andrew Block, who's a distinguished architect at Red Hat Consulting. Folks, welcome.

Welcome. Thanks for having us.

You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of, that organizations should be paying attention to?

Oh, sure. So the thing that comes to mind first, being in the US, is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. So the supply chain is a big focus right now, of course. But we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure.

Is there kind of a leadership approach? In other words, somebody seeing what the UK does and saying, okay, we're going to follow that template? Or is it sort of just a variety and a mishmash with no sort of consolidation? How is that sort of playing out?

I see a lot of organizations kind of basing their requirements on NIST 800-53. However, each organization has its own nuances. Each agency has its own nuances in how it wants it implemented.

Great. Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue?
No, as Andrea just mentioned, having that North Star in terms of regulations is so fundamentally great for them, because many of them, especially in regulated industries, look to these regulations for how they apply their own policies. So at least we have some guidance on how to move forward, because as we all know, the secure software supply chain is in the news every day, and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders.

So Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. So it would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there?

I see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Automation really has to be pulled in; that's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull the stakeholders in the organization together. So the IT leaders bring together the developers and the security operations folks to sit at the same table and talk about whether what needs to be implemented, or what's proposed to be implemented, will affect the mission in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out.
And one of the things here is that we're seeing a lot of change with these new regulations in a lot of organizations. Any type of change is scary. And that is one area where they're looking for guidance, not only in the tooling, but also in how they apply it in the organization.

Well, I'll add on to that and say organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes. They're buying into what needs to be done. They understand the why behind it. For example, when you walk into your house, you normally close the door behind you. Security needs to be seen like that as well. That's the culture, and it's the habit, and it's ingrained in the fabric of the organization to live this way, not just to implement the tools to do it.

Right, and the number of doors you have in your infrastructure is a lot more than just a couple. Andrew mentioned sort of guidance. Governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, it's great that President Biden signs an executive order, but the swipe of a pen doesn't really give us enough to go on. Do you think, Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting?

I expect to see more conversations happening. So I know that the organizations, the agencies who develop the policies, are pulling together stakeholders and getting input, but I do see in the not too distant future that mandates will be rolling out, yes.

Well, so Andrew, and of course, Andrea, if you have a thought on this as well, how do you see organizations dealing with adopting these new policies?

Slowly. "Don't boil the ocean" is one thing I tell every one of them, because a lot of this tooling, a lot of these concepts are foreign or brand new. How they adopt those and how they implement them needs to be done in a very agile fashion, very slow and prescriptive.
Go ahead and try to find one area of improvement, and go ahead and work upon it and build upon it. Because not only does that make your organization more successful and secure, but it also helps your organization just from a more outstanding standpoint. One thing that you need to emphasize is: don't blame anyone. There are a lot of times when you're going through this, you're reassessing your own supply chain, and you might find where improvements need to be made. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future.

You know, it's interesting you say that about the blame game. I mean, it used to be that failure meant you get fired, and that's obviously changed. It's not about that; as many have said, you know you're going to have incidents. It's how you respond to those incidents, what you learn from them. Do you have, Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today?

They're going in and not only assessing what their software components consist of, using tools like an SBOM, a software bill of materials, to understand where all the components of their ecosystem and their lineage come from. So we're hearing almost every single day about new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward.

So Andrea, Andrew was just saying one of the things is you don't just dive in, you've got to be careful. There are going to be ripple effects, is what I'm inferring. But at the same time, you know, there's a mandate to move quickly. So are there things that could accelerate the adoption of regulation, or even the creation of regulations and that guidance, in your view? What could accelerate this?
As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment. Like Andrew said, go ahead and get that baseline, and just know that whatever changes you make are maybe going to be audited down the road, because we are moving towards this kind of third-party verification that you're actually implementing things in order to do business with another organization. So if organizations see the gravity of this, I think they will try to speed things up. I think that if organizations, and the people in those organizations, understand that why that I talked about earlier, and they understand how things like SolarWinds or things like the oil disruption that happened earlier this year, the personal effects of the cyber events, that will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals, and they understand that why behind it.

In addition to that, having tooling available that makes it easy for them. You have a lot of individuals for whom this is all foreign; providing that base level of tooling that aligns to a lot of the regulations that might be applicable within their realm and their domain makes it easier for them to start to comply, and takes some of the burden off of them to be able to be successful.

So it's a hard problem, because how do you, Andrew, how do you deal with sort of the comment, more tools? Okay, but I look at the Optiv map, if you've seen that, and it makes your eyes cross. So you've got so many tools, so much fragmentation. You're introducing new tools; can automation help that? Is there hope for consolidation of that tools portfolio?

Right now, this space is very emerging, very emerging and very fluid, to be honest, because these mandates are actually only a year or two old, and they come over the course of time.
However, I do see these types of tooling starting to consolidate, where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, and having more regulations come out that will allow us to start to redefine and solidify on certain tools, like ISO standards. There are certain ones that I mentioned, on SBOMs previously. There's now an ISO standard on SBOMs. There wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that organizations are leveraging, instead of vendor A, vendor B.

So Andrea, I said before I was a cynic. We'll give you the last word. Give us some hope. I mean, obviously public policy is very important, a partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry, have got to work together in an ecosystem. Give us some hope.

The hope, I think, will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. So there's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road.

And really it's just continuing this whole shifting-left mentality. That's all for supply chain; it's just one component, but really introducing DevSecOps, security at the beginning, is what really will make organizations successful, because this is not just a technology problem, it's a people issue as well, and being able to kind of package them all up together will help organizations as a whole.

Yeah, so that's a really important point. You hear that term, shift left.
For years, people have said, hey, you can't just bolt security on as an afterthought, that's problematic. And that's really the answer to that problem. It's shifting left, meaning designing it in at the point of code, infrastructure as code, DevSecOps, that's where it starts, right?

Exactly, being able to have security at the forefront and then have everything afterwards propagate from your security mindset.

Excellent. Okay, Andrea, Andrew, thanks so much for coming to the program today.

Thank you for having us. Thank you.

You're very welcome. And thanks for watching. This is Dave Vellante for theCUBE, your global leader in enterprise tech coverage.