Understanding SBOMs and Their Importance

In an age where cyber threats are escalating, organizations need effective tools to safeguard their systems. One such tool is the Software Bill of Materials (SBOM). This interview series explores how SBOMs can fortify security measures, their limitations, and the best practices for implementation. I had the privilege of speaking with Timothy Miller, an authority in this field.

Timothy Miller is a seasoned executive with a robust background in information technology and services. His expertise spans leadership, risk management, and disaster recovery, accumulated over more than three decades. He earned his bachelor's degree in computer science from the University of Southern California and a PhD from the University of Oxford.

Before we delve into the specifics, could you share a bit about your upbringing and how it shaped your career?

My childhood was spent along the South Carolina coast, where my father served as a Marine Corps Drill Instructor. Many ask what it's like having a drill instructor as a parent. Saturday mornings were dedicated to discipline—lining up with my siblings and cleaning up the yard. Most of my formative years were spent with my grandparents, who owned a hotel in Myrtle Beach. I began working there at seven, assisting my grandfather with construction and maintenance.

During high school, I balanced football, college courses in Technical Accounting, and multiple jobs, graduating with an associate degree in Technical Accounting at just 16. I needed my father's signature to enlist in the military. After completing boot camp at Parris Island and serving as an Aviation Ordnance Officer, I was stationed at MCAS El Toro, where I also pursued my bachelor's in computer science and later a master's in information systems management.

What motivated you to pursue a career in technology or cybersecurity?

My journey at IBM began with a role in Tampa, FL, providing disaster recovery services globally. We had five sites mirroring systems for quick recovery, ensuring companies could resume operations within 24 hours after an incident.

In the late '90s, while supporting major insurance firms, I encountered the "AIDS Trojan," an early form of ransomware. Many of my clients were affected, and instead of deploying recovery trucks, IBM sent data encryption experts to recover their files. This experience ignited my passion for security.

Can you share a memorable experience from your career?

One of the most impactful experiences was in January 2010, when a devastating earthquake struck Haiti, claiming over 300,000 lives. Within 72 hours, I was in Santo Domingo, joining a disaster recovery team from the World Health Organization. My prior involvement in a group that distributed aid globally prepared me for this challenge.

I spent nearly a year ensuring secure installations of generators and satellite internet in clinics across Haiti. While security was often overlooked in the chaos, our team successfully restored services to twelve facilities, making a significant difference.

What key traits do you believe have contributed to your success as a leader?

1. Approachability: I’ve observed that leaders often create barriers between themselves and their teams. Being approachable fosters an environment where employees feel comfortable sharing ideas and concerns.
2. Servant Leadership: True leaders prioritize the needs of their teams, helping them grow. This management style promotes empowerment and facilitates individual and organizational success.
3. Integrity: Leadership grounded in integrity builds trust and loyalty among employees. It's essential for leaders to engage honestly with peers, employees, and clients.

Are there any exciting projects you are currently working on?

Yes, I’m developing a networking initiative for CIOs and CISOs. Frustrated with traditional networking events dominated by sales pitches, I established the CIO and CISO Quorums. These groups allow executives to share insights without vendor interference, fostering genuine collaboration.

How has the cybersecurity landscape changed since you began your career?

I've witnessed the evolution from a small internet user base to a world where almost everyone is online. Cyber threats have grown exponentially, requiring a new generation of security professionals. The rise of Cybercrime as a Service (CaaS) has made it easier for criminals to customize attacks.

During a recent conference, I discovered that 82% of leaders believe their organizations are vulnerable to cyberattacks, highlighting the urgency of implementing regulations like SBOM.

What qualifies you as an authority on SBOMs?

My involvement in the HITRUST Alliance and the NTIA's multistakeholder group on software transparency has given me extensive insights into SBOMs. My professional history includes decades of experience in software development and security compliance.

Let’s clarify what an SBOM is and its purpose.

An SBOM is essentially a hierarchical inventory of the software components used in a solution. It functions like an ingredient list, allowing organizations to track the origins of each component, which helps identify vulnerabilities.

How does an SBOM enhance security?

The inclusion of SBOMs in Executive Order 14028 aims to establish a source map for software used by federal agencies. It builds trust through continuous integration, compliance, and testing.

Which companies must implement SBOMs, and who can benefit from them?

All companies providing consumer software or IoT to the U.S. Federal Government need an SBOM. However, non-software manufacturers may not require one unless their products involve connected technology.

Are retailers responsible for creating SBOMs?

Developers should inherently have SBOM tools, but retailers only need to create them when they enhance products with their own intellectual property.

What common misconceptions exist about SBOMs?

Many believe every company must comply with SBOM regulations or face fines, which is misleading. An SBOM is not a product but a transparency tool for software components.

What errors do companies make when creating SBOMs, and how can they avoid them?

A major error is failing to provide complete data. Companies should ensure that their SBOMs are not only comprehensive but also authenticated to prevent misuse.

What best practices should organizations follow for effective SBOM implementation?

1. Automate SBOM Creation: Integrate SBOM generation into the CI/CD pipeline to minimize errors.
2. Continuous Vulnerability Monitoring: Involve security teams from the start to monitor code vulnerabilities.
3. Incorporate SBOM in Lifecycle Scans: Link scan results to the SBOM to manage open-source risks.
4. Include Comprehensive Metadata: Ensure SBOMs contain all necessary data fields as outlined by NIST.
5. Exercise Caution When Sharing SBOMs: Protect sensitive information and share SBOMs only for compliance purposes.

If you could inspire a movement to benefit society, what would it be?

I believe everyone has the potential for greatness if supported. The Leadership Quorums I initiated aim to connect leaders to foster collaboration and mentorship. It's vital for seasoned leaders to guide the next generation, promoting a culture of mutual growth and understanding.

Thank you for sharing your insights with us!

Thank you for the opportunity to discuss these important topics.