Allan Friedman, Ph.D., with CISA

On this week's Industrial Talk we're onsite at IoT Solutions World Congress, talking to Allan Friedman, Ph.D., Senior Advisor and Strategist with CISA, about “SBOM – Software Bill of Materials”. Learn about SBOMs, along with Allan's unique insight into cybersecurity technology, in this Industrial Talk interview!


Welcome to the Industrial Talk podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting-edge, industry-focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's go.


Alright, once again, thank you very much for joining Industrial Talk, a platform dedicated to industrial professionals all around the world, because you are bold, you're brave, you dare greatly. Absolutely. You collaborate, you solve problems, and you're making my life a better place, making my world better. So thank you very much. And that's why this platform is for you, industry professionals all around the world. There is buzz in the background; maybe you're picking that up. We are broadcasting from IoT Solutions World Congress here in Barcelona, and this is 2023. You need to put this on your calendar. We have in the hot seat Allan Friedman, CISA. It's a cyber conversation, which you have to take in. Let's get cracking. Yeah, you do. Somebody has to have a conversation around cyber.


No one else was doing it. So I think


No one. Nope. They are. But it's always interesting. Allan, it's like one of those conversations you have to have. Nobody really wants to have it. Sometimes it's like, I'm on the manufacturing floor. Do I have to have this conversation? And it's always so difficult for me to understand.


And who would want to attack little old me?


Who would want to attack? Look, I'm gonna put that down on the old bumper sticker, because they do. It's true. Okay. Before we get into it, give us a little background on who Allan is.


I'm a failed professor who got suckered into joining government. My background is in tech, encryption and a number of other tech things. But my PhD is in Applied Economics. And so a lot of what we do at CISA is thinking about how do we actually change the world, not just proposing technical solutions, but telling a story about how we get those into the world.


So you can't just leave that there. Acronym: CISA. What does that stand for?


Cybersecurity and Infrastructure Security Agency. We are the United States government's lead cybersecurity agency. And we work both across the US government and, more importantly, with the private sector, to make it easier and cheaper to defend ourselves.


So back to what you said in your intro, about making the world better. How do you explain, just expand upon that? What does that mean? Sure.


Well, cybersecurity covers a huge range of topics. It covers everything from workforce: how do we make sure that we have a couple more generations of people who want to do it? By the way, quick plug: cybersecurity has massive negative unemployment. So if anyone is advising young people, or if you're contemplating a career change yourself, it's not too late to get involved. And CISA is hiring. I hope that's okay. We're the government, so hopefully that is okay.


We're a podcast, so that's an absolutely fine plug.


But there's a lot of discussion going on, and it covers everything from the very high end. So when Russia invaded Ukraine last year, we developed a posture called Shields Up to help the industrial control system community sort of figure out, how do we make sure that we're ready for attacks that may come against Americans? And then there are a lot of more specific, detailed approaches, such as maintaining lists of resources. So one thing that my team does is we have a list of known exploited vulnerabilities. It's not just enough to know what's vulnerable. It's saying, hey, we know that there are bad guys who are going out in the world and trying to break into systems using these flaws. And that helps us prioritize.


What I'm always dazzled by: it always seems like the cyber side of the world is always reactive. Not you, but the business. I have to react because I was breached, or whatever it might be. But there's a reactive... Is there a way of becoming proactive? Like, hey, we see you out there.


So there's a buzzword in industry called shifting to the left. Imagine you've got a boom, right? This is something from the military operations world that has sort of become a model, which is to say, the things that are happening after the boom, those are important, and we need to have good processes. But what we really want to do is shift to the left of boom to make sure that we're prepared. And there are two ways we can do that. One is fixing things now. And then the other is to make sure that we have a posture to respond quickly when something bad happens. And that's this magical resilience.


See, you brought up a couple of really... One, there is such an education component. It's a people conversation, right? So that would be the left side, trying to educate and keep on educating. Because I don't know. But that speed, that speed is huge, to compress it.


And by the way, it's also a cost thing, right? If you have the processes in place, if you have the people in place, if you've done your preparation, if you have good data and good visibility, then when the inevitable bad thing does happen, or maybe it's just, hey, be prepared for this new bad thing that could happen, it's going to be so much cheaper. And it's something that you're not going to have to panic and spend too much money on.


See, that's brilliant. And I know that


I'll take being brilliant any day, thank you.


You're brilliant. It's brilliant. Go for it. But let's put it this way. If I have a business, and I see all this documentation, I don't even know if I'm reading this documentation, and I hear what you're saying, I want to be left of boom. I want to do everything I can to be left of boom, and I hear it's people. I hear it's processes. I understand all that. It's overwhelming. And don't tell me to go out and pull down some CISA document and have me understand what it means. Where do I go?


You know, part of the challenge right now in cybersecurity is that there are a lot of resources out there. First, of course, to use one of the many cybersecurity cliches out there, don't try to eat the whole elephant. There are different things that we're trying to focus on today. And there are real resources out there for OT security from CISA. My press team is going to be very sad that I can't rattle off that URL off the top of my head. But if you load our brand new web page, there are going to be a lot of links that will help you sort of figure out how to get started. But more importantly, if you're just the cybersecurity person, that's that for everything, then we've got a lot of problems, which is to say, you're not going to be able to eat the whole elephant. No, you're not. But there are going to be some priorities. One of them is going to be to start with the NIST cybersecurity framework. Acronym? Thank you. Yes, NIST is the National Institute for Standards and Technology. They're a colleague of ours in the US government, based in the Department of Commerce. So that's the first point. They're here to help businesses. That's great. And one of the things they do is they help you start to think about it. There are five categories in the NIST framework. List them. Identify, protect, defend, respond, recover. Okay, so those are five buckets. Got it. And each of those has some further advice. So if you're starting your cybersecurity journey, that's one of the key pieces. And then as you mature, there are a lot more things that we should be paying attention to. So one of the things that I personally spend a lot of time thinking about is the supply chain of our software.


See, I had a conversation about that. And it just blew my mind, because you're just going, oh, I get the supply chain of, you know, this mic going from here, A to B; you know where it is. But then when we start talking about the supply chain of the software, it's like, again, stop thinking...


Well, software is not hewn out of alabaster marble by tonsured monks on Greek islands, right? It's assembled. So we're...


Well done. It's


like your Legos. Yeah. And those Legos are made up of smaller Legos, and so on. And one of the things that I've always found fascinating about software security is they stole their ideas from heavy industry. People have been thinking about responsible supply chains since the late 1940s, with Deming and the supply chain revolution. Now in the software world, really starting in the early 2000s, it took us that long to say, hey, maybe heavy industry has some ideas that we can copy. And one of those ideas is: track your suppliers, know where things...


See, I heard somebody talking about island hopping. Yeah, how about that? I know about island hopping and it scared me to death.


Yes, well, part of the focus of why we're talking about supply chain now. One of them is just because it took us a long time to sort of get into this focus across the entire software world. And two, there is now software in everything, right? No one in the world is using a passive process without software; we're all dependent on it. And the final piece is, attackers are starting to go after the supply chain. And that's a good thing. It's a good thing because it means that the front door is getting better defended. Oh, so not everything; there's still a lot of insecure software out there. But people who make software are starting to pay attention to making sure that they don't have as many vulnerabilities and that it's harder for the bad guys to exploit it, whether it's criminal gangs or national adversaries trying to hurt national interests everywhere around the world. So the vision is to say, let's start with transparency. You need to know what you have and what that's based on. Now, we use a term, again from industry, from manufacturing, called a bill of materials. But today we talk about a software bill of materials, or...


Continue. I'm enjoying this conversation.


So what is an SBOM? An SBOM is the dependency graph. It's like a tree. My product is based on these software components. Maybe they're open source, maybe they're licensed or proprietary. That's fine, either one is good. Those in turn use other pieces of software. So you have a big bridge where this relies on this, which relies on this, which relies on this. And once you have that data, the vision is not to create regulations saying you can do this, you can't use that. It's about saying, let's track what we have. And then different organizations can focus on different kinds of risks. So for example, if you're about to buy a big new software project for your company, or a big new piece of operational technology that's built on software, wouldn't you want to know if what you're buying has vulnerabilities already in it? Right? You say, well, I'm about to spend this money, I'm gonna ask some questions. Yeah. So that transparency allows organizations to start saying, let's ask questions. So one thing is, why would you buy from someone who didn't know what they have? Right? Would you go to the store and get...?


Yeah, absolutely. You're right.


I like the example of a packet of Twinkies. I go to the store and buy Twinkies; it's gonna come with a list of ingredients. Why don't we expect the same level... Delicious ingredients. Why don't we expect the same level of transparency that we ask from a non-biodegradable snack for our critical infrastructure? And that's the vision that we're trying to advance, which is, hey, let's get used to that. Now, let's go back to that Twinkie example. Because knowing that list of ingredients won't magically keep you on your diet; it won't by itself protect your family from something that they're allergic to. But good luck doing any of those things without that list of ingredients. So transparency enables better risk management.


See, all I want, because... just give me the starting line. And I need it, I need it in consumable chunks. And not big-syllable words that I don't know about. But I think that's where the success is: if you can simplify, to the best of your ability, a very complex subject, I think you guys have something. And I like that, I like where you're going with that.


We're trying to get there. Now we're trying to make this apply to literally all software on the planet, because we all use the same underlying components, we all use the same open source. But that means meeting the needs of a lot of different communities. And so what I like to do is sort of engage with the OT world and the manufacturing world and the industrial control system world: what are the challenges that we face in those domains that maybe the fancy high-tech software companies don't? And that's why we at CISA are trying to build this global effort. But it's not just Americans. We have participants in this discussion around the world.


It has to be. I have that question all the time. It's like, hey, I found something right over here. And then what do you do with it? It benefits the community, whatever that is, to know about it, like it's bad.


And this effort started as sort of a convening of industry. So we basically said, hey, we want industry leadership, and we still have that. And CISA has this model where we want to talk to users, but we also run different working groups that are focused on technical details. But this isn't staying as a purely voluntary thing. Government's gonna government, we know this. And we're starting to see this entering regulation. So in 2021, the President issued an executive order that said that pretty soon everything the US government buys is going to have to have this SBOM. Now, I'll give you a hint. The US government buys a lot of things.


Yeah, I... good. Thumbs up.


And we're also seeing this. So if anyone out there is in the medical device space, the FDA, which regulates medical devices, is saying anything that you want to sell, anything that you want to put on the market new, is gonna have to have an SBOM. You gotta make sure that you have it. And since we're here in Barcelona, the European Commission has proposed something called the Cyber Resilience Act that says everything that's going to be sold in the European Union, to take place, you're going to have to have an SBOM to give to your regulator.


You are great. I don't know where to go now. But still, there's a lot of stuff. I'm glad people like you and others do this. I mean, I look at it strictly from a perspective that you're really trying to help protect business. And it's just business.


Well, thank you. I'm really happy to be here. We have to be able to tell a story of what change looks like, and how do we make the world...?


Awesome. How do they get a hold of you? What's the best way?


Please, email.


We're gonna have that email out there on Industrial Talk. Allan, you were fantastic. Thanks so much for having me. Once again, we're here at IoT Solutions World Congress 23. You need to put this on your calendar. It is a great event. You get people like Allan; he's pretty cool. You get to talk to him. Yeah, you want that? Reach out to him. All right, we're gonna wrap it up on the other side. Thank you very much for joining. We will be right back.


You're listening to the Industrial Talk Podcast Network.


How about that for a conversation? Allan is his name. IoT Solutions World Congress, put that on your bucket list to attend in 2024. Because you know why? You know why you need to attend: to get people like Allan, Allan delivering the goods in cybersecurity. So I'm gonna have all his contact information out there. But we were talking about SBOMs; you need to be a part of that, and part of that discussion, because if you're in the world of digital transformation, yes, you've got connected assets. Yes, they need to be protected. And yes, you need people like Allan to help you along with that journey, and his community and the community within CISA. They're there to help you succeed. Software bill of materials, I thought that was pretty cool. His email is asbach SBOM. All right. Reach out. Industrial Talk. All right, we've got a couple of, a couple of three, how about that, events planned. And their webinars? One is, of course, augmented reality, and how that looks from an industrial perspective. Augmented reality, which is a really interesting topic that people have been asking me about, too. We're going to be doing a series on supply chain and challenges. And of course, that was a very high-interest topic for many people within manufacturing. And then finally, quantum computing, and Web3. I don't know too much about it, but a lot of people are really intrigued with what that means, and how is that impacting industry? Or is it even going to impact industry? I don't have the answers, but the people that will be talking about it do. All right. Be bold, be brave, dare greatly, I say it all the time. Hang out with Allan with an A, and you will be changing the world. We're gonna have another great conversation coming from IoT Solutions World Congress, so stay tuned.

Scott MacKenzie

About the author, Scott

I am Scott MacKenzie, husband, father, and passionate industry educator. From humble beginnings as a lathing contractor and certified journeyman/lineman to an Undergraduate and Master’s Degree in Business Administration, I have applied every aspect of my education and training to lead and influence. I believe in serving and adding value wherever I am called.
