Defense in Depth: Why Do So Many Cybersecurity Products Suck?

Why do we end up with so many bad security products? Who is to blame and how can we fight back an ecosystem that may be fostering subpar products?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Haroon Meer (@HaroonMeer), founder and researcher, Thinkst Canary.

From the episode, here is my tweet asking “What cybersecurity awards are not complete BS?” And here is Haroon’s presentation along with Adrian Sanabria. This is a must watch.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Thinkst Canary


Most Companies find out way too late that they’ve been breached. Thinkst Canary changes this.
Deploy Canaries in minutes and then forget about them. Attackers tip their hand by touching ’em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.

Full transcript

[David Spark] Why do we end up with so many bad security products? Who is to blame, and how can we fight back an ecosystem that may be fostering subpar products?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode is Geoff Belknap. You may also know him as the CISO for LinkedIn. Geoff, thank you for joining us again today.

[Geoff Belknap] David, thank you for fixing the key so my key unlocked the door to the studio again. I appreciate that. I’m glad we’re over that unpleasantness.

[David Spark] I’m sorry we had to go through that, but you had to learn, Geoff. Didn’t you?

[Geoff Belknap] Lesson learned. Thank you.

[David Spark] Our sponsor for today’s episode is Thinkst Canary, who by the way, a little bit of CISO Series trivia for you – they were our second sponsor ever when we started CISO Series. And they are also responsible for bringing our guest today, who is phenomenal, who you know, and I know. And if our audience doesn’t know who this person is, they’re going to know now. So, they are in for a treat on this episode. But I want to bring up our discussion today, which has to do with a presentation that our guest, Haroon Meer, who is the founder of Thinkst Canary, did with one of his colleagues who I also know. Who by the way, I should also mention his colleague, Adrian Sanabria, is the one who introduced me to Mike Johnson, who I found out the whole story of Mike Johnson. So, there’s a lot of ties going on in here. Anyways. The two of them did a presentation, and this goes back a few years ago. And they posited that the security ecosystem, so the investors, the vendors, and the buyers, are creating a bevvy of unhealthy behavior that is allowing subpar products to exist in the ecosystem longer than they should. Now, products are unnecessarily complex. It’s difficult to know if a product is any good. And vendor marketing is often misleading or just confusing. Now, that’s just a taste, and we’ll have a link to the whole presentation, which I highly recommend our listeners watch. So, I posed this question to the community, and I got a lot of great responses. Now, we’re going to talk about this at great lengths. But give me the headline in your view, Geoff, of what do you think is heavily broken in the security ecosystem.

[Geoff Belknap] The main thing that stands out to me is that there is so much noise in the ecosystem. There is so many products and so many services, and this is… There is an entire podcast started about building relationships between vendors and CISOs because…

[David Spark] I’m aware of that podcast.

[Geoff Belknap] Yeah. If you haven’t heard it, you should go take a listen. Produced wonderfully, hosted very well. But anyway, there is so much noise, it’s impossible to figure out what is good and what isn’t. And I think the reason there’s so much noise is security is a very complex space. There is a ton of investment. And there is no shortage of demand. So, we just have a very difficult economic problem to solve, and I think no one better to talk about this problem than Haroon.

[David Spark] I am thrilled that he has joined us. I’m thrilled that they sponsored us. Our sponsor guest is Haroon Meer, the founder of Thinkst Canary. Haroon, thank you for joining us today.

[Haroon Meer] Thanks so much for having me. After an introduction like that, I am sure to disappoint.

[David Spark] No, you won’t.

[Geoff Belknap] Usually my job, but I’m going to let you try.

Why is this happening?

3:19.966

[David Spark] Robert Wood, who is the CISO for the Centers for Medicare and Medicaid Services, said, “The security industry is naturally reactive in some ways which leads to surges in funding to rapidly solve problems.” I have to heavily agree with that one. Antonio Tenorio of CSC said, “FOMO or fear of missing out has security professionals scrambling to invest preferential time with the latest and most “unicorn” vendors in the name of “innovation.” And Duane Gran, Blue Ridge ESOP Associates, said, “I think a lot of products start out good or at least fill some niche, but the threat landscape changes more rapidly than the tools.” So, there’s sort of a mishmash of answers here, Geoff, but it goes to your comment of there’s too much… It’s confusing. What say you to Robert, Antonio, and Duane’s comments?

[Geoff Belknap] I think all of these are great points. So, Robert’s perspective, the industry is very reactive. There’s very little… I was going to say there’s very little effort to be proactive, but there’s very little ability to be proactive. Sort of what the next threat is sort of figures it out itself. It’s sort of natural selection. I think Antonio has a great point here. I remember back to the days when FireEye was very new, and everybody felt like, “I got to get one of these FireEye things. If you’re not running one of these FireEye things, are you even running a security program?” And I remember being one of those people, and it’s a very visceral feeling when you have this transformative technology. But now it’s like not everything is transformative like that. You get one of those kind of transformative technologies like a decade or something like that. But everybody who is marketing a product wants to be that transformative technology, and I think Duane hit the mark perfectly. The threat landscape changes incredibly rapidly, and it is accelerating over time. So, you might have a great piece of technology, and I’m sure Haroon and I have both sat in pitches and listened to technologists that sounded awesome. But by the time they can get something to market and by the time I can consume something, it’s irrelevant.

[David Spark] Haroon, I throw this to you. These touched upon things that you didn’t exactly talk about in your presentation. What are your thoughts here?

[Haroon Meer] I’ll tell you, I think you guys are being too kind to vendors. When I read those comments, one of the things… My reaction to almost all three of them was I wouldn’t mind if they actually were solving the problem. If there were surges in funding to solve problems, and they solved the problems, that would be awesome. But lots of the time there’s surges in funding, and all we get are new products, and nothing has really been solved. Even when you talk about the landscape changing… We’ve got problems that haven’t been resolved from the 90’s that are still not solved.

[David Spark] I know, you brought that up. What do you think are some of the biggest problems that we don’t have good solutions for today?

[Haroon Meer] [Laughs] I think there are tons. I think people talk about general hygiene, but hygiene is not going to magically happen. What we need are systems with better defaults. I think one of the big things that we rail against or I rail against when I get a chance is security products that themselves introduce weaknesses. And for me, part of the reason I rail against it is because it’s such a pure symptom of the problem. If the product hasn’t dedicated enough time to product you from itself, is it meaningfully helping solve the rest of your needs? And I think lots of the time the stuff just doesn’t. I think security vendors have just gotten away with it for a really long time.

[David Spark] But how intentional do you think this is? Because one of the comments I think… Let me just… This point is that with regards to investing, when one company all of a sudden succeeds in a new space, there is a lot of “me, too” behavior, and the attitude is, “This is a huge space. If we can just carve out five percent of it, we’re going to be doing really, really well.” New space in terms of this category of products, which is a traditional behavior in any product development – security or not. So, that could be damaging.

[David Spark] Yeah. So, I don’t think any of it is intentional in the sense that you have someone sitting at home and twirling their mustache and thinking up Machiavellian plans. But I do think… And almost what we tried to get in the presentation was that the ecosystem is built to end up with a bad solution because you’ve got all of this vying for attention. You’ve got all of this inability to actually tell what’s good and what’s bad. You’ve got all this noise that vendors are able to generate. And so like from my point, it almost doesn’t matter why we get to market failure. But I think we’re pretty close to it. That many products and still having that many problems, I think just objectively is pretty close to market failure.

Why is this so darn hard?

8:35.527

[David Spark] Stephen Carter of Nucleus said, “A product evaluation/PoC/trial/etc. done well should uncover a lot of badness in both the product and maybe most importantly the team behind it.” And Adrian Sanabria of Thinkst Canary, that’s your colleague, Haroon, said, “In organizations that are doing a lot of firefighting and don’t have a ton of staff, bad products get purchased because they don’t have time.” I think Adrian’s point is on the money, and I would also make the comment with Stephen Carter’s thing is you can have a successful PoC, but what we hear a lot of is the PoC doesn’t show the scale problem that can happen as well. Geoff, your thoughts?

[Geoff Belknap] Yeah, not only does it not show the scale. If you’re not running in real world, most PoCs aren’t going to uncover a problem with the product. It’s going to take you a long time living with that product before you find that it introduced any additional risk to your environment, that it might cause other failures. Or now with security technology, most of it is in the critical path for whatever your production environment is. And there can be a lot of unintended consequences. There are famously tech companies that have written their own security telemetry tooling because it was the only way to run tooling that was optimized for their production environment that would continue to let their platform run. And not everybody can do that. Not everybody can run a PoC that discovers all the problems with the product. A PoC is really just, “Does this thing work? Do we think it will detect bad stuff?” Most people are not running a PoC going, “How much of a security risk is this product going to create?” And I think that’s the point Adrian is making, right on the money. It’s if you have gotten that precious time with a CISO or their security organization, and they’re piloting your product, wow, you’ve gotten through to them because you’ve spoken to a problem they’re having. And I don’t want to say they’re desperate ,but they really need to solve the problem that your product addresses. They’re probably not focusing on all the other things like does it SSO, does it logs, how often does it patch, does the vendor know what all their open source dependencies are. These are all really important questions that don’t usually get answered in a PoC.

[David Spark] Haroon, this lack of time to do in the PoC is not enough. What else need to happen?

[Haroon Meer] It’s super interesting because it’s one of those times when I strongly feel… And I know everyone is overworked. But I think there’s a huge responsibility here on the defender CISO ecosystem where I think those defenders and CISOs who do have time and do have the skills need to find a way to push back. So, it’s not enough to just reject bad products, but actually they should actively push back to punish bad practices from vendors. And I know what I’m asking for is unpaid work, but it’s a genuine need in the ecosystem where the herd actually needs protection that they can get from good CISOs and good practitioners actually calling out bad practices. I think it’s something that we don’t see enough of. And when you don’t see enough of this pushback, there’s no downside to vendors behaving badly. Because from their calculus, the smart companies are not going to use you. They weren’t going to use you anyway. But everyone else will. And what you actually need is that pushback that actively says, “No, if you’re going to make BS claims, we don’t want this. If you’re going to choose unsafe [Inaudible 00:12:17], we don’t want this.” And then it actually affects vendors’ bottom lines, and they’ll be forced to change.

[Geoff Belknap] The important thing to note here is there are a lot of people building products, building companies that have a genuine interest in making people like my lives’ easier and making security teams easier. But there are also a significant number of people out there that are just looking to capture some of the market share out there.

[David Spark] Like what I said earlier. Like if I can just get a small percentage.

[Geoff Belknap] Exactly. And from a business perspective, that’s very much encouraged. But sometimes lives are on the line, and many times they’re not. But it’s like there is no way for people like me to easily tell the difference between a company that actually cares and wants to make a difference, because they all say they do, and a company that’s just like, “Eh, we just slapped a bunch of technology together. It checks all the boxes. This should be able to capture us a good billion dollars in market cap.” And that’s hard. It’s also part of why we have this distrust of the ecosystem.

What aspects haven’t been considered?

13:15.174

[David Spark] Fernando Montenegro over at Omdia said, “The problem is that security outcomes are heavily dependent on organizational issues, not necessarily related to buying new products.” And Mike Wilkes, CISO of SecurityScorecard, said, “All products can be implemented well or implemented poorly. Many security products are implemented poorly, and that’s why they are ineffective or provide a false sense of control.” Now, Haroon, I want to throw the buyer into this equation because I don’t think you talked enough about the buyer’s responsibility for successful cyber security product. That’s what Fernando and Mike are really talking about here is that the failure can be on user error essentially.

[Haroon Meer] I’ll tell you honestly. There are certainly things that I think the buyer needs to do. Even in the talk, I said there’s some pushback that the buyer needs to do. But for both these topics, I actually place this fault…and there’s enough blame to go around…again on vendors. And I think historically we’ve gotten away…vendors have gotten away with, “My product is great, but the company had these issues. And this is why they didn’t install us.” Like, “My product is perfect, but those stupid users turned all the dials one way.” And I think that becomes almost a classic case of my solution works if you use [Inaudible 00:14:46] in a vacuum. Nobody is paying for idealized solutions that only work in a eutopia. Vendors should be building products that work for you, the enterprise as it stands. And I think over the last 20 years, one of the things that we’ve learned is in the rest of the world, good products make it. Nobody has to tell a bajillion people to use Facebook. They use it like it’s crack. People go on LinkedIn and live on LinkedIn. Like for all of those products, people go and use it, or those companies don’t make it.

[David Spark] So, let me throw this out at you, Haroon. We had one of our “what’s worse” scenarios on our other show was, “What’s worse? Having a great product with horrible marketing or a mediocre product with great marketing.” And the worst was a great product with horrible marketing, sadly.

[Haroon Meer] So, I’ll tell you on that… And people can go watch the presentation. Some people thought that the presentation, we were negative. But actually it’s a pretty optimistic presentation. Because while I talk about all that badness, part of what I’m saying is I think there’s a very real change. I think we are a tiny, tiny company, and we’ve been able to survive pretty well with one salesperson. And mostly we’ve survived by word of mouth, and we’re going pretty strong. And so I think that the old days where it didn’t matter if you had a great product, what mattered was whether you had 20 salespeople in blue suits to go take buying departments [Inaudible 00:16:27], I think those days are coming to an end. I think there’s a new way… Companies like Slack and GitHub have shown almost a new way that companies can be, and all the VCs are talking about product led growth and bottoms up growth. But even though we produce more, we’re a good example of it. You start to see that stuff more and more where companies can choose to do it differently, and can survive, and can hold their own. So, for the most part I’m hopeful.

[David Spark] Let me ask this. Haroon, one of the things I was impressed… You’re operating a small team. I’m assuming most of your business is through referrals, yes?

[Haroon Meer] Yes, all of it.

[David Spark] And I remember you had this feed… I’m assuming you still… That feed of Twitter comments where people talk about how much they love Thinkst Canary.

[Haroon Meer] Yep.

[David Spark] You talk also about pushback, and I want to talk a little bit more about pushback in our next segment. But we can mention now, what is the pushback you’ve gotten from your customers, and how has that improved your product?

[Haroon Meer] That’s such a great question. Certainly along the way, we’ve taken feedback from customers that said, “Hey, we really need this.” Or, “Hey, we need more of that.” So, when we started with Canary V1, essentially we could imitate three different systems. And now the permeations would be some ridiculously high number, like in the tens of thousands. And that’s largely customer requests. There was some design choices that we made early on. One of them, we didn’t think anyone would ever trust us to configure Canary’s deployed on networks remotely, so we built them so that Canaries could only be configured with Bluetooth access. And almost all customers deployed them in a data center far, far away and said, “Don’t make me walk over to that Canary. Allow me to configure it from the internet.”

[David Spark] By the way, we haven’t even mentioned what your product is. It is a deception device. Give a quick 30-second high overview of that.

[Haroon Meer] So, Canaries are devices that you drop on your network. And probably the biggest thing is that you should be able to deploy it in minutes. Initially it used to be four minutes. Now it’s under two. So, you drop it on your network. You say, “Hey, this is a file server,” or, “This is a NAS device,” or, “This is an IBM mainframe.” And the point is that you forget about it. And then weeks or months from now, you get a message that tells you, “Hey, listen. At two in the morning, Bob tried to access these files on the mainframe and copied them off of these files on the server.” The whole logic is that your regular users shouldn’t be touching them. But any attacker, whether it’s a pen tester or serious attacker inside who lands on a network actually has to orient themselves to figure out what’s going on. And in doing so, they’ve got to map things out and inevitably touch the system. And so the logic is that even the NSA didn’t know when they had their Snowden, but he was just going from server to server, looking for loot. And if one of those servers he touched was a Canary then really early you get a message telling you, “Hey, there’s badness going on.” And yeah, for the most part, we’ve just been built on referrals. But one of our earliest referrals was actually Geoff, who happily wore our sticker on his laptop. But yeah, it’s all inbound, all referrals. And one of the reasons I have hope for this model is because the model inherently forces us to keep honest. The way it works right now is we behave like good internet citizens, and we keep making the product better. And people keep saying nice things about us. When we stop, they’ll stop, and our income will dry up. And so it creates this almost forced positive loop that says we have to keep innovative. We have to keep up. Because if we don’t, people just won’t subscribe. And yeah, I think it’s inherently honest.

How are the vendors handling this?

20:27.829

[David Spark] Andy Kaplan of HackBack Gaming said, “I found that the time required up front for installation, tweaking, and training is a great indicator of the amount of time required over the longer term to keep the product running affectively.” Rob Osborn of Orca Security said, “There are very few reviews of enterprise security products out there. That right there I think is a critical problem.” And Ryan Franklin of SAP said, “As mush as we all love to be wined and dined,” or as you say, strippers and steaks, “I would much rather see a vendor building more meaningful relationships with the people that have to use their products.” And this last thing I think is key, “Feedback is hugely important.” That’s why I asked you the question, “What pushback?” I’m going to go to you first though, Geoff. This is just like when you do the PoC, when you’re first engaging with them, if you’re not providing feedback, if you’re not writing reviews, it’s not adding to the industry. And so we all hurt as a result. What do you think?

[Geoff Belknap] I’ve never really thought about it like that. It’s a great point. And I think, man, we did a show not too along where somebody suggested there’s no Yelp for security companies. And I was like, “There definitely isn’t, and I wish there was.”

[David Spark] Well, I would say G2 is trying to do that for enterprise software in general.

[Geoff Belknap] And it’s a really complicated space. Honestly, I hope they’re successful because I think it would help immensely. And really it comes back to this thing Haroon was talking about earlier. The most trusted and loved products are these products where it sort of meets two criteria. One, they just work. And not the Apple, cutesy, they just work. But like your team can pretty much figure out how to implement them on their own without a three-week long, consultants flying out to you sort of ordeal of implementing them. You can just implement them. And two, the company… And I think Thinkst falls into this. I think Duo certainly fell into this, and there’s been some other companies like that where it was like, “You know what? There’s a free version of the product. Try it out. Just try it out and implement it.” And I remember when Duo first did this, it was game changing. It was like, “Wow, I can just get five free 2FA? This is awesome.” And you’d implement it, and you’d figure out if it worked on your own with no interaction from the sales team. And that was enough. That was like you figured out if it worked, and now you were interested, or you weren’t. And the product spoke for itself. There’s not enough of that. Now, why is there not enough of that? That’s probably a whole podcast in and of itself. But I think a lot of it is… We talked about this at the beginning of the show. People have pressure to grow, and fight, and be heard against the noise of all the other security companies. And you can’t always just relax and fall back… You don’t always have the comfort of falling back on, “If people love us, we’ll grow.” You have a lot of other pressures going on. And we really just have to think about that long-term. Your product has to just work. You have to be able to build good long-term relationships with your customers. And it’s got to be easy. And if it’s not, you’re swimming against all the other fish in the sea.

[David Spark] Haroon, so two questions here, and I’d like your answered to kind of leave this with our audience. Either what one way can people push back against any level of the behavior that you brought up in your presentation we discussed? And/or what way can we contribute to making it better?

[Haroon Meer] I’m totally going to get on a soapbox because I’ve got the microphone. I think we mention it in the presentation, but there’s this whole class of vendor awards, of fake vendor awards that vendors go for.

[David Spark] Oh, by the way, can I just pause you for a second? I’m going to describe this to our audience so they know. In your presentation, I found this fascinating. You created a fictional person who worked for a fictional company. You paid for a number of awards. I can’t believe you spent the money to do this, but you did. Paid for it, and this person won. They don’t exist. Their company doesn’t exist. They won a bunch of awards.

[Haroon Meer] Sure. The vendor awards are so amazing to me because everyone knows it’s BS. Everyone sees them. And I know there’s several things like this that I get wrong. But I’m so amazed that we can trust a vendor who shows that they’re okay lying. It’s one of those things that we’ve all normalized that that’s how the game is played. But literally we’re trusting our security to people who we know lie when it suits their purpose.

[Geoff Belknap] But the sillier thing though is nobody is buying a product because it won some award you’ve never heard of.

[Haroon Meer] It’s such a stupid lie. Specifically in security, people go nuts with these awards because it gives them something to blog about or Tweet about every week, so every week they’re winning. And most of those awards are so visibly junk. I think it’s a whole complex thing. Like [Inaudible 00:25:28] and his wife were trying to create a lab to try to get a sniff test on products, like can there easily be consumer reports for binary. But that’s like a deep academic problem to get the solution for, but I think we can get… You can do a sniff test with much less work. Again, this is not for everyone. There’s the security poverty line. But if you’ve got a decent security team, you can ask a vendor a handful of real questions that kind of get to is this person thinking about security at all. We had AV vendors for the better part of 20 years writing C code that ran at Colonel Level [Phonetic 00:26:13] without sandboxes. You are not thinking about the security of all my endpoints. If you want me to run that, you just haven’t thought about it. And if some vendor comes to you and says all they need to do is you need to run their agent… This is not ready for us. And there’s a bunch of things like that… We make security tradeoffs also, right? Like at some point vendors ask us, “If I run your software, can you hack me?” I’m like, “Yes, we totally can.” Because if you run anyone’s software, they can hack you. But here’s the things that we do so that you can check up on us, and here’s the things that we can do so that it’s not likely that someone else is hacking you through our software. But I think vendors need to start realizing that that’s useful. I think SolarWinds and stuff like that should have started showing that the third party security questionnaire is absolutely not worth the paper it’s…

[Crosstalk 00:27:07]

[David Spark] We’ve had plenty of complaints about that. I’m with you 100%, Haroon. And I will also tell you that I actually posed the question on Twitter, “What cyber security awards are not complete BS?” And one of the most common answers was the Pawnees [Phonetic 00:27:22].

[Laughter]

[Geoff Belknap] And those are complete BS.

[Crosstalk 00:27:29]

[David Spark] It’s kind of an inside joke there. Yes, the BS joke [Inaudible 00:27:32] are.

Closing

27:34.170

[David Spark] Anyways, thank you very much, Haroon. This is fascinating. I’m going to, by the way, provide a link to your full presentation so people can check it out. Because by the way, what we discuss here is such a sliver of this really fascinating and very detailed and organized sort of explanation you gave to your theory of all this. It’s really right on the money. And I think the final thing of… And I think it is we should push back against the behavior. If you see it, just push back. And we’ve gotten a lot… By the way, with our own show… I don’t want to toot my horn too much, but we’ve got a lot of positive response from the community saying that we’re helping sort of open up the dialogue and the conversation. So, I appreciate that others are trying to do that as well. I’m going to let you have the very last word, Haroon. And you can make another pitch for Thinkst Canary so people know all about your awesome deception devices as well. So, huge thanks to your company for sponsoring this show. All right, Geoff, your favorite quote and why.

[Geoff Belknap] I’m going to pick Ryan Franklin, best for last here. “As much as we all love to be wined and dined,” Ryan would much rather see a vendor building more meaningful relationships with the people that have to use their products, and feedback is hugely important.” I think that’s why Haroon and I have had a relationship for so long. Not just because his product is fantastic and one of the very few products that I would personally recommend to others but because companies like Thinkst are there building that long-term relationship and not solely focused on growth. We just need more of that.

[David Spark] All right, Haroon, your favorite quote and why.

[Haroon Meer] Right now my favorite quote is Geoff saying, “Haroon’s company is fantastic.”

[David Spark] Of course.

[Laughter]

[Haroon Meer] Thanks for that. I think there were lots of nice points in the discussion. I’m going to totally steal the quote that I quoted, so it’s not my words. But just the thing that says simplicity is a virtue. I think security products have largely gotten too complex, and complexity has never worked. It’s one of those things that we can bet on. And in some ways, we just need to see turns back to simplicity. Vendors need to simplify things. And simple isn’t easy, and that’s maybe why people end up with complex. I think things need to be simpler before we can count on them.

[David Spark] All right, thank you very much, Haroon. Thank you very much, Geoff. Geoff, I will just quickly mention he’s always hiring over at LinkedIn. Haroon, any last thoughts, and a pitch, and how someone can actually test a Thinkst Canary and try it out for themselves?

[Haroon Meer] Visit us at canary.tools or see the nice things that people say about us at canary.love. Ping us on Twitter to tell us why I said something that was stupid @thinkstcanary. But yeah, try us. Smart people say we don’t suck.

[David Spark] People like Geoff Belknap. There you go.

[Geoff Belknap] No, smart people.

[David Spark] Yeah, smart people and Geoff Belknap.

[Geoff Belknap] There you go.

[Laughter]

[David Spark] Thank you very much, Haroon. Thank you to Thinkst Canary. Thank you to Geoff Belknap. Thank you to our audience, as always, for all your contributions and listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.