
Matt Wyckhouse: Behind the Cyber Shield: OT Security and the Importance of SBOM


From The PrOTect OT Cybersecurity Podcast


Length: 51 minutes
Released: May 18, 2023
Format: Podcast episode

Description

About Matt Wyckhouse: Matt Wyckhouse is a renowned cybersecurity expert with over 15 years of experience in offensive and defensive cyber operations. He is the co-founder and CEO of Finite State, a cybersecurity startup that focuses on illuminating the vulnerabilities and threats within complex software supply chains to protect the devices that power our modern lives. Prior to founding Finite State, Matt spent most of his career at Battelle, where he was the technical founder and CTO of their Cyber Security Division. Matt oversaw dozens of intelligence and security programs supporting strategic global missions, many of which were focused on discovering vulnerabilities in IoT and other embedded devices. Through his work, he recognized the potential devastation of IoT device attacks, leading him to create Finite State. Matt holds a BS in Computer Science and Engineering from The Ohio State University.

In this episode, Aaron and Matt Wyckhouse discuss:

- The challenges of securing software in critical infrastructure.
- What is SBOM and how can it be used to manage the risk in the software supply chain?
- The importance of collaboration between asset owners and vendors to mitigate risk in industrial control systems.
- The value of integrating vulnerability management into a larger program and understanding the value of accurate asset inventories in OT networks.

Key Takeaways:

- Matt was motivated to create his cybersecurity startup because he saw a world where the most critical devices were also the most vulnerable, due to the shift from specific hardware functionality to general-purpose computers running software and operating systems inside of devices, making them easier to exploit.
- An SBOM (Software Bill of Materials) is like a nutrition label for software, allowing asset owners to know what third-party software is inside a product to manage their own personal risk, and it is best to request an SBOM when purchasing software to understand the risk posture and evaluate different products.
- Collaboration between asset owners and vendors is essential to mitigate risks associated with legacy equipment and ensure the safety of employees and customers, which can be achieved through standardization, approval, and testing of security solutions and a more open collaboration to mitigate risks.
- Managing cybersecurity risks requires a well-rounded program involving people, processes, and technology, without any one solution, but rather multiple factors that work together to decrease vulnerabilities and handle incidents.

"I'm actually very optimistic about the security investments that vendors are making especially in the OT space. It might not feel like it today, but I can tell you, we work with a lot of vendors who are supplying OT equipment. And when we look at what's happened over the last few years, the amount of investment in this product security is going up a lot." — Matt Wyckhouse

Connect with Matt Wyckhouse:
Website: https://finitestate.io/
LinkedIn: https://www.linkedin.com/in/mattwyckhouse/
Twitter: https://twitter.com/mattwyckhouse

Connect with Aaron:
LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about Industrial Defender:
Website: https://www.industrialdefender.com/podcast
LinkedIn: https://www.linkedin.com/company/industrial-defender-inc/
Twitter: https://twitter.com/iDefend_ICS
YouTube: https://www.youtube.com/@industrialdefender7120

Audio production by Turnkey Podcast Productions. You're the expert. Your podcast will prove it.

Titles in the series (47)

Despite the growing attention on industrial cybersecurity, there is still much work to be done to keep pace with the increasing risks. To mature and comprehensively protect against cyber threats to operational technology (OT), it will take collaboration among key players from various sectors and industries.

The PrOTect OT Cybersecurity podcast brings together experts in the field of cybersecurity for critical infrastructure and industrial organizations. Join Aaron Crow, the Chief Technology Officer at Industrial Defender, and the OT security community as they explore the latest developments and challenges unique to protecting operational environments.

Whether you want to learn the best practices and strategies for protecting power plants, water treatment facilities, food and beverage plants or automotive factories, this podcast is for you.