Section 1.1: Jim Hyman's Journey into Cybersecurity

Thank you for participating in this interview series, Jim! To kick things off, could you share your background and what motivated you to pursue a career in cybersecurity?

"My initial interest in cybersecurity stemmed from my passion for securing information. Today’s cybercriminals are sophisticated and well-funded, unlike the stereotypical hacker. The rapid evolution of technology to combat these threats captivated me. From my tenure in email security at IronPort to web security at Zscaler, and now at Ordr focusing on connected device security, I've been fortunate to develop tools that enhance enterprise safety."

Section 1.2: Key Traits for Success

What character traits have been pivotal to your success? Could you illustrate each with an example?

"It’s intriguing to reflect on my career through the lens of character traits. Three key themes emerge: maintaining optimism, surrounding myself with talented individuals, and fostering transparency. For instance, I once lost a significant RFP for a Fortune 100 bank, but my optimism remained intact. Just weeks later, we were contacted by someone from the review team who informed us that another division needed our services, leading to a fruitful partnership.

Working alongside brilliant individuals has been another highlight of my career. Regardless of their title, everyone contributes to the collective success.

Transparency is crucial too. People are drawn to organizations that demonstrate honesty and clarity. It’s rare for someone to leave because of a single incident; more often, it's about how situations are managed."

Section 2.1: Current Trends in Cybersecurity

How has the cybersecurity landscape transformed since you began your career, and what trends do you foresee in the future?

"In recent years, we have witnessed a surge in connected devices due to digital transformation. Today’s enterprise networks are filled with not just traditional IT, but also vulnerable IoT and operational technology lacking built-in security. It’s critical to track assets in real-time to differentiate between normal behavior and potential security breaches."

Section 2.2: Ordr’s Mission

Are there any exciting projects you're currently working on that could benefit people?

"At Ordr, our goal is to enhance the safety of the connected world. We aim to secure the vast number of connected devices that organizations deploy, including IoT, IoMT, and operational technologies. Our efforts ensure that healthcare facilities can provide quality care, while also safeguarding critical infrastructure and manufacturing operations."

Section 3.1: Definition and Purpose of SBOMs

What qualifies you as an authority on SBOMs?

"My two decades of experience in enterprise software and cybersecurity uniquely position me to discuss SBOMs. At Synack, we pinpointed vulnerabilities in devices and applications, revealing that even seemingly insignificant devices can harbor serious flaws. An understanding of all components is vital for effective protection."

Section 3.2: What is an SBOM?

Can you explain what an SBOM is and its primary function?

"An SBOM details the software applications running on a device, including their specific types, versions, and subcomponents. This enables organizations to verify against known vulnerabilities."

Section 3.3: Enhancing Security with SBOMs

How do SBOMs enhance our security?

"SBOMs help security teams identify which devices may be vulnerable. When acquiring a new device, the security team can use the SBOM to compile an inventory of the software, allowing them to react promptly to vulnerability disclosures."

Section 3.4: Limitations of SBOMs

What limitations exist with SBOMs?

"SBOMs are inherently static, representing a snapshot of software at a given moment. Without a connected device security solution, they must be manually monitored. It's crucial that manufacturers provide timely updates to their SBOMs, as many organizations operate with numerous connected devices."

Section 4.1: Who Needs SBOMs?

Which organizations should prioritize SBOMs?

"Any organization utilizing software applications or devices needs an SBOM. Although the concept has been around in IT and manufacturing, the healthcare sector is gradually catching up under governmental pressure."

Section 4.2: Common Misconceptions

What misconceptions about SBOMs have you encountered?

"Many believe SBOMs will quickly resolve cybersecurity risks and that legislation will compel manufacturers to release them. The truth is, a global standard for sharing this information must first be established, and legislation will only apply to new devices."

Section 4.3: Best Practices for SBOM Implementation

Could you share five best practices for organizations looking to effectively implement SBOMs?

1. Automate the tracking process using connected device security technology to ingest SBOMs seamlessly.
2. Ensure SBOMs are stored in a searchable and indexable format.
3. Hold manufacturers accountable; do not proceed with purchases without SBOM information.
4. Keep SBOM details current, especially when software changes occur on devices.
5. Encourage manufacturers who provide SBOMs by choosing to purchase their products.

Section 4.4: Follow Jim Hyman’s Work

How can readers stay updated on your work?

This interview provided valuable insights into SBOMs and their role in enhancing cybersecurity. Thank you for sharing your expertise, Jim!