For years we’ve heard mantras like “patch all the things.” But with limited resources, how do you actually focus your patching efforts on the vulnerabilities that are seen as universally holding the most risk? It’s one thing to see a vulnerability described as critical; it’s another to contextualize the actual exposure it causes to your organization.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, David Christensen, VP, CISO, PlanSource.
Huge thanks to our sponsor, SpyCloud

Full Transcript
Intro
[David Spark] For years we’ve heard mantras like “patch all the things” or “patch the most critical vulnerabilities.” But with limited resources, how do you actually focus your patching efforts on the vulnerabilities that are actually seen as universally holding the most risk?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me, our friendly CISO from the world of LinkedIn, it’s Geoff Belknap. Say hello to the audience, Geoff.
[Geoff Belknap] Hello, audience, and welcome to another crazy edition of Defense in Depth.
[David Spark] It may not be that crazy, but we’ll see where it goes.
[Geoff Belknap] I’m trying to draw people in, David.
[David Spark] You are doing a good job. You’re giving them what we call a tease.
[Geoff Belknap] Mm-hmm. All right, be teased, but stay listening.
[David Spark] Well, we better pay off. Our sponsor for today’s episode is SpyCloud – act on what criminals know about your business. We’re going to tell you how SpyCloud does it a little bit later in the show. First, our topic today, and this comes from Walter Haydock of StackAware. He had this post on LinkedIn, essentially, he was complaining about whenever a critical vulnerability is revealed, it’s like these huge alarms go off like, “Warning! Warning! Warning! Stop everything! Deal with this!”
And even though it gets a CVE, it gets a critical designation, and it raises a lot of eyebrows, just because they’re critical doesn’t mean that they represent real risk for your organization.
So, a recent report from Kenna Security found that only 5% of all CVEs actually represent risk to most firms. So, simply going off CVSS metrics, you know, this is a scoring system for the vulnerabilities, can actually waste time and effort on vulnerabilities that don’t meaningfully impact risk. So, I ask you, Geoff, how do we go about focusing patch efforts to fix the most vital issues quickly?
And I will also ask, if there is a huge critical vulnerability that’s just sort of announced universally, “This is critical, you must patch it,” is that in your awareness or is it like that needs to be treated like all other vulnerabilities?
[Geoff Belknap] The important thing to point out here is the premise, which is you still do need to fix your critical vulnerabilities, but we don’t have an endless amount of time, money, or capacity to patch all those things. So, while we will eventually get to those ones that are critical vulnerabilities even if they’re not exposed to the internet, we really need a way to prioritize.
And the way we do that today is smart people sit down and go, “All right, I have this really critical vulnerability. Is it exposed to the internet? Is it exposed to customers? How fast do I need to address this? What do we need to do?” And I think the discussion today is something that lots of CISOs have, which is how do we do that?
How do you do that?
[David Spark] This is something many try to deal with, many vendors try to solve this problem. But one of the things I also want to address in our discussion is this theory of, “This is the one vulnerability we all have to fix. It’s critical and everyone needs to fix this,” kind of a thing. Do those exist?
And my feeling, they do, there’s plenty of those. But when do those like, “All right, bring it to the top of the queue because it truly is.”
[Geoff Belknap] I think there are those ones all the time. So, you still have to fix them.
[David Spark] Exactly.
[Geoff Belknap] Yeah.
[David Spark] The person who’s going to help us in this conversation is the VP CISO over at PlanSource, thrilled to have him onboard, a big fan of the show. And I said, “Heck, why haven’t you been on the show?” And so that’s what we’re solving right now. It’s David Christensen. David, thank you so much for joining us.
[David Christensen] Well, thank you, and thank you for having me on the show, definitely a big fan of the show and love everything you do.
Would this work?
3:55.479
[David Spark] David Ethington of Paramount said, “If you can’t identify which threats will directly impact your organization outside of simply looking at a CVSS score, what exactly are you being paid for?” I like that line, by the way.
[Geoff Belknap] A little harsh.
[David Spark] It’s harsh but [Laughter] he’s right, I think. “It’s all contextual to your own infrastructure. If someone can’t figure that part out, they probably don’t belong in that role.” Again, tough love here from David Ethington. Chris Galvan of HARMAN International said, “Critical and high are important, yet relying solely on CVSS alone is not sufficient.
In order to capture what really matters and has impact, it requires determining which CVEs have public and easily accessible exploits that can be used against your company. This will reduce 80% of the noise. There are lots of tools that do this, yet it’s a good practice to do it manually first.” That’s an interesting point.
Is it a good practice to learn how to do this manually, Geoff, when you got the tools?
[Geoff Belknap] It’s absolutely essential to learn how to do it manually because you all need to do this. You’re 100% correct. You cannot just look at the score and then blindly go and fix it because a lot of these things can be very disruptive. I’ll point out the other thing that’s really important to keep in mind is, Chris sort of mentions, “If the CVE isn’t public, then you don’t have to worry about it.” That’s not really true.
If you have a critical CVE and all your employees could exploit it, well, that’s a concern your customers and the people who depend on you probably have as well, but learning how to do this manually is really great. Learning or investing in some tooling or a vendor that can help you do it much faster, even better.
[David Spark] David, I really like this last comment about do it manually first and the understanding. I had to learn how to do long division. You know when the last time I actually manually did long division? I was in grade school.
[David Christensen] [Laughter] It’s been a while, I’m sure.
[David Spark] I pretty much use a calculator or a computer any time I need to do that now. It’s so funny because I was sitting down with my kids doing it, and I’m like, “Oh, my…” I was really racking my brain, I’m like, “I think this is how it’s done.” [Laughter] But is this kind of the equivalent of you really kind of first need to do long division to start to understand this, and then over time let the tools start to do the work for you?
[David Christensen] Yeah, absolutely. I mean, I kind of look at it as sort of that same mantra that security practitioners have, “Trust but verify.” You want to trust the platform, but you need to be able to verify what it’s telling you is accurate, and until you have that trust you’re not going to know whether it’s giving you the right information unless you have the experience and the time behind you to manage those types of understandings and in that context, right?
I think Geoff kind of pointed out earlier, right, the contextual awareness of a vulnerability is important, and no system that I’ve seen so far even provides that. So, even if it does provide you some level of understanding of exploitation, or it’s been weaponized, you still need the understanding of your environment, and a tool won’t give you that.
So, that experience, that background that you have, will give you the confidence to trust the tool to a certain degree, but you can’t rely on a tool 100%.
What’s the best tool for the job?
7:15.321
[David Spark] Now, I have a few quotes here mentioning EPSS, which is Exploit Prediction Scoring System, which is designed to help prioritize vulnerabilities. CVSS tells us how dangerous a particular vulnerability might be if it’s exploited. So, Bryan Kavanagh of RPMI Railpen said, “I don’t like the EPSS for many reasons, and I’d suggest using version 4 of CVSS when it’s released as there are many improvements including nomenclature to identify combinations of CVSS scores.
People are using CVSS all wrong and just looking at the base score and not the environmental factors.” And given when this was posted… No, it hasn’t been, this was posted recently. So, my assumption is version 4 is not out yet of CVSS. Nicki Møller of Accenture Czech Republic said, “It’s not really feasible to do a technical investigation on millions of vulnerabilities.
EPSS is good, and even better when combined with CVSS. Commercial prioritization tools also use CVSS as base but add advanced filters.” All right. Interested to know how you’re using EPSS and CVSS, if at all, and what are the advanced filters you throw on, David?
[David Christensen] I haven’t quite yet used the EPSS. I’m familiar with it, but I guess it goes back to what I was saying earlier, right? From a contextual perspective, neither the EPSS or even this new version of CVSS is going to be able to give you a contextual awareness of your environment. How is it going to measure the business impacts?
How is it going to measure how you operate? I think they’re good data points, and I think they’re useful, but I don’t think you can rely on any of these as a single point of reference.
[David Spark] So, pushing it forward, what are the filters you use to get that contextual reference then?
[David Christensen] It’s a combination of, well, first of all, understand the business, right? You’ve got to understand how your business operates, where your critical parts of your environment are, what type of users access and use your services, both internally and externally. It’s also a matter of what sort of external exposure do you have.
What internal exposure do you have? What kind of lateral movement exists in your environment? What kind of users do you have managing your environment, both from an administration and a customer support perspective, whether it’s external or internal users? I think it’s, again, it’s around the idea of understanding how you operate before you can apply any sort of filter.
Because you could push buttons, flip switches, and have all these filters on there, but at the end of the day, somebody else decided what those filters were, right? If you’re talking about these systems and these guidelines, you still need to take that – goes back to the original conversation around the experience – you need to have that experience to understand when you’re reading something, what does this actually mean to your business?
What does it mean to you as a security practitioner, not just what the industry is telling you to believe?
[David Spark] All right, I’m going to come back to you, David, on this, because I want you to answer the question of what are the actual filters you’re putting on, but I’m going to ask that very question of you, Geoff. All right. You have to put certain filters in the way that David was describing, assuming that you agree there, what are some examples of, and you don’t have to give me all, but just give me an example like, “I know I’m doing this, so I want to put on this kind of filter to contextualize all this noise that I have.”
[Geoff Belknap] Yeah. I don’t know what the specific filters everybody have available to them, but the things that I look at, that my teams look at, are who has access to this vulnerability, right? So, if it’s a web server vulnerability, is this exposed internally, externally? Is it exposed to everyone with that auth?
Is it exposed to only a subset of people that have auth? Is there a WAF? Is there some sort of effective mitigation or control enforcement point in between people that might exploit this and the vulnerability? All of these things, if they’re present, might be a reason that maybe you don’t have to rush out and do this immediately.
Maybe there’s a workaround or something you can put in place there. If you have all of these things ticked true, that’s probably something you need to hurry up and fix right away.
[David Spark] All right, David, coming back to you, closing this out. Is there – and again, you don’t have to give me all, I’m trying to understand how you’re applying either a filter or a path, or like, “Okay, this vulnerability exists. How do I discover whether it’s an issue or not?”
[David Christensen] I look at it as sort of a compensating control evaluation. Do I have something that would allow me the, I don’t want to call it leeway, but would it allow me the time to actually understand my environment before applying a fix? Or do I need to rush out because I have no control that can protect me?
Geoff mentioned WAF, right? It may be still exploitable, but you could at least detect that somebody’s trying to, to take action, versus I don’t know if somebody’s actually actively exploiting something because I don’t have any controls in place that gives me that visibility. Because in a lot of cases, even with the known vulnerability, there may not be an actual fix to fix it.
It comes down to awareness of it exists in my environment, and can I detect if somebody’s exploiting it until there’s either a patch that removes it and eliminates it or a compensated control that I can put in place to prevent it from being exploited.
[Geoff Belknap] It also comes down to what’s going to happen if somebody exploits this? If it’s remote command execution, and it can happen without auth, anyone in the internet can do that against you, you’re probably not going to evaluate this long. You’re just going to rush out and fix it no matter what.
If it’s information disclosure, most people are just going to blow past that and ignore it, but depending on your business, maybe it’s really important that you don’t disclose that information, you don’t want to give out information about your web server or something like that. Nobody can tell you exactly what is important in your environment other than you.
[David Christensen] Correct, and that’s the same thing with like zero days. When zero days come out, right, I mean, they’re important to fix, but it may not necessarily impact you, or you may have it, say, in your development environment, but it’s not actually been exposed to the internet. So, it’s a concern, but it’s not something I need to do right now.
But if it was a concern, to your point, will it create data exposure, will it create a pathway into my environment that leads to lateral movement, those kind of things, absolutely.
Sponsor – SpyCloud
13:37.330
[David Spark] Before I go on any further, I want to share some really interesting research from our sponsor, SpyCloud, about what we’re missing when it comes to ransomware prevention. What predicts the likelihood of an attack? So, the team at SpyCloud has pored over the data from ransomware attacks, and what they found should and will give you goosebumps, listen to this.
Nearly a third of ransomware victim companies this year were infected with infostealer malware beforehand. Now, you may have heard of Raccoon Stealer, Vidar, RedLine. SpyCloud found that these stealers increased the probability of ransomware even more. So, clearly, we all need to pay closer attention to infostealers as an early warning signal for ransomware.
SpyCloud specializes in recapturing the data stolen from infostealer-infected systems and alerts your team to take action before compromised authentication data can be used by criminals to target your business. Now, my favorite thing about their solution is that you get data that’s actually actionable and relevant to your business, and it feeds into your existing security tools for fast remediation.
That’s what you want. So, it’s pretty crazy what these folks can tell you about your existing infostealer exposures. If you didn’t even know what infostealers are, just check out their free tool you can use to check your risk at, remember this, spycloud.com/ciso. Be sure to go there, grab their new research, and check your exposure so you can act on it before the criminals do.
Remember, here’s the web address, spycloud.com/ciso. Check it out.
What are the risks we are dealing with?
15:35.502
[David Spark] Carmine Fontana of the Federal Reserve Bank of Richmond said, “If you aren’t considering the value of the asset that could be impacted by a vulnerability when prioritizing, then you are probably not running an effective vulnerability management program.” I think Carmine echoes what the two of you were just talking about.
Then Carmine goes on to say, “Not many organizations have a goal to remediate everything. Identify your business risk tolerance level and remediate above that.” That’s a good way of putting it. “That means spending time categorizing assets and their dependencies as a factor to that calculation.” I think Carmine echoed everything that was just said.
Peter Dowdall of Mintel said, “One of the headaches with nuance is that compliance and third-party world doesn’t like it. It’s kind of embedded in that world, and describing to each and every client, ‘Well, actually we do this instead…’ leads you down a windy path of back and forth. The practicalities are a pain and that isn’t changing tomorrow.” So, I saw a lot of nodding the head from both of you.
Geoff, I will start with you. Carmine pretty much agrees with everything you said, and Peter’s saying, “Well, now when we deal with all the reliance we have on other products, it turns this into a giant mess.”
[Geoff Belknap] One of the biggest frustrations that I have is even if we do a great job at assessing the risk in our environment for a certain vulnerability and set our risk tolerance at the right level and decide at the right timing and urgency to patch something, I run an enterprise business, and I have a lot of enterprise customers, and they all have different opinions about how and when and how often I should patch these things.
And inevitably, if there’s a scary-sounding CVE that comes out, I will within 24 hours get multiple requests from all of my enterprise customers that would like to know, “You have patched this, right? Like, confirm that you have completed mitigating this.” And while I’ll leave that whole discussion about whether that’s a great trend for the industry aside, I’ll say there are a lot of other pressures on you as a business that you have to take into consideration other than just, is this exploitable?
Is it exposed? Do I need to make it a priority on a technical merit? You also have to consider the business context of the decision that you’re making.
[David Spark] Because here’s the thing. That’s an interesting point you just made. You get a dozen calls from your customers. And the thing is, at that point, really, you’re not doing research. You’re like, “This is now business relations.”
[Geoff Belknap] That’s right. Now, if this is important to my customers, now we’re having a slightly different conversation internally about whether I need to rush out and fix this, and it’s just one more factor as we have that discussion.
[David Spark] Yes. All right, David, this whole world of third party, I actually was just at an event where someone said, “We found a vulnerability. We found an exploit through a sixth party.”
[David Christensen] A sixth party?
[David Spark] Essentially, it was just chain to chain to chain to chain, and it bubbled all the way up through all these vendors to them. You don’t search that far down. Right, David?
[David Christensen] No.
[Laughter]
[David Christensen] No, I mean, I think I take those kind of references or recommendations with a grain of salt. I don’t discard them, but I think if I did that for every single time someone mentioned a vulnerability, I think that’s all my job would be.
[David Spark] Well, there’s many people and that is all their job is.
[David Christensen] Well, right, right. I mean, and if you have a staff of people that’s doing that, then great. But if I have every customer or a vendor or a friend of a friend of a friend giving me that information, I would be doing research on probably a lot of things that end up being without merit.
I wasted time without… Instead of providing the leadership and the focus for the business and the things that really do matter, again, it doesn’t mean that I’m not looking at it, but I think in a lot of cases unless it’s something that has blown up to a degree where either my team or a trusted partner has given me that information, yeah, I have to take it with a grain of salt.
[Geoff Belknap] Not everything people are going crazy about on Twitter or LinkedIn is something that you need to take immediate action on. We all have different threat models. We all have different circumstances.
[David Spark] I want to know is there an outside pressure that you do react to, and you have reacted to?
[David Christensen] Oh, yeah. I mean, I have customers that’ll call me up after a zero-day that has nothing to do with us because that’s not our operating system and say, “Does this impact you?” and they want me to write a huge essay on exactly what it is we’re mediating, and I’m like, “It’s not a problem for us because we don’t run that operating system.” So, yeah, it happens.
We have customers, a lot of customers will contact us.
[David Spark] Because they read something in the paper, or someone said they need to call this and…
[David Christensen] Right. Well, there’s a focus on supply chain, right? And rightfully so, there should be. But I think people read something and then they say, “Well, I need to make sure my suppliers aren’t running into this.” So, they do an email blast, every vendor they work with, and they want a response in 24 to 48 hours on something.
And when you give them a response, you’re hoping that they’re going to take what you told them as, “It’s not a problem for us.” But in some cases, they want a full-blown essay with executive leadership sign-off on this is not a problem for you. And I get some of the reason why they do that, but in some cases, I feel like it’s over the top for little reward.
[Geoff Belknap] I would very much like to see those things come with evidence attached that the requesting party has also already mitigated this thing that they were writing you about.
[David Christensen] Yeah, good point. Right.
[David Spark] Very good point.
[David Christensen] Good point.
[Geoff Belknap] Not any of my customers, any of my current customers, you’re all perfectly good and wonderful and nothing has ever gone wrong between us.
[David Spark] You hear about other CISOs who have these difficult customers.
[Geoff Belknap] Other CISOs.
[David Christensen] Yeah, it’s on Reddit. That’s where I read all that.
[Geoff Belknap] That’s right. Other customers.
[Laughter]
What’s the CISO’s role?
21:44.829
[David Spark] Eric Stoever said, “There is no ‘perfect’ universal patching practice that can be applied to every organization. Whatever your practice, document it, and be able to support your advice, conscious choices because your auditors and examiners will look to your practice documentation before they look to your evidence of compliance with your practices.
They will hit you for not following your practices before they hit you with the effectiveness of them.” Very interesting point by Eric. Chris Harland of RSM said, “There is a fine art to working out how to answer questions from your cyber insurance and cyber essentials audits if you choose not to remediate CVSS 7+ vulnerabilities.” So, this is very interesting is have your plan and commit to it, and if you have a convincing “your plan,” then sounds like you can win people over.
Yes, Geoff?
[Geoff Belknap] Yes, although the really important part here is follow through to the plan. It’s very easy to draft a plan and say, “Yes, I solemnly swear I will follow that plan.” It is much more challenging when the plan meets chaos. I would just say whatever your plan is, and I encourage you to be very aggressive and try to commit to patching vulnerabilities maybe all the way down to CVSS 4 or something like that, but you have to practice it and you have to be able to execute it, otherwise you are just making hollow promises to people.
[David Spark] Good point. David, I do like, though, this idea of have your plan, commit to your plan, and be bold and confident about that. And you brought up a thing of, “I do that, but it depends on how the customer feels.”
[David Christensen] Yeah, I think from a customer’s perspective, you’re always going to run into difference of opinion. I mean, and you do sort of the same thing with an auditor, but I think it is true. You need to have that plan. You need to have confidence that plan is what you’re actually doing, and evidence that you are doing it, but it comes down to…
And I’ve done this plenty of times where I’ve spoken to an assessor, and we’re not going to patch critical and highs just because they exist. We’re taking a risk-based approach. We’re looking at it from how it impacts the business, the exposure, exploitability, those things.
And I’d say maybe five, six years ago, it was a little difficult conversation to have. But now, I think it’s evolved to that risk-based approach is much more accepted. I’ve had less pushback when I’ve had those conversations, when I’ve shown those plans, and this is how we’re going to do it. Because I’ve had situations where in an agreement, we’ve had customers ask for an SLA for criticals in a short period of time.
I’m not going to be able to meet that. We’re a big organization with a platform that’s multi-tenant. I have to worry about all my customers, so I can’t just meet your SLA that I’m going to fail every single time. But I will guarantee that we’re going to take a risk-based approach and evaluate the vulnerability and make sure that we’re protected, and you’re protected at the same time, not just based on the score.
[David Spark] Here’s what I’ve been enjoying so far about today’s episode, is I’ve talked about this whole vulnerability thing to death on our shows, we’ve talked about it endlessly, but what is really unique about this conversation is how much the customer impact is involved here in the process. Because it’s not just a security issue, it’s also a business relationship issue as well.
[Geoff Belknap] Well, it highlights the fact that InfoSec is not a special offshoot of IT. We are a generic part of the business, or maybe a better way to put that is we’re a significant part of the business’s success, and we have to be good risk managers, and we have to take all of these components about how to help the business succeed, not just how to help the business do the rote, most dogmatically correct security decision, but how to make the best decision for the business.
And this is a great example of where the business intersects with what might be dogmatically the most correct security advice, which is if you get a high or critical CVE, or a CVSS score on a high or critical vulnerability, you just fix it. But the reality is like, “No, you don’t.” Maybe you don’t need to.
Maybe it’s really costly. Maybe customers don’t care. Maybe it doesn’t impact them. You have to make the best decision for the business. And for your customers because ultimately, that’s probably why you’re in business.
Closing
26:25.814
[David Spark] David, we’ve come to the point of the show where I’m going to ask you, which quote was your favorite and why? And so I throw it to you. Tell me whose quote you like. You can just sort of summarize it and tell me why you liked it.
[David Christensen] I think my favorite quote is because it’s really kind of summarized, even though it’s kind of funny, but it still summarizes, I think, the position that security practitioners and leaders are in, which is the one from David.
[David Spark] At the top, from Paramount, David Ethington from Paramount?
[David Christensen] Yeah, it’s, “If you can’t identify which threats will really impact your organization outside of simply looking at CVSS scores, what exactly are you being paid for?” That’s true. To me, that says concise, it’s in a sort of concise way, are you aligned with the business? Do you understand the business and what really are risks to the business?
[David Spark] All right, good point. I like that one as well. All right, Geoff, now your turn. Your favorite quote and why?
[Geoff Belknap] I’m going to go with Chris from HARMAN International here that talks about, “Critical and high is important, yet relying solely on CVSS alone is not sufficient. In order to capture what really matters and has an impact, it requires determining which CVEs have public and easily accessible exploits that can be used against your company.
That will reduce the noise. There’s tools for this. You should learn how to do it manually first.” I think this is really important. You do, as an organization, depending on where you are on your journey to being a mature information security organization, have to learn how to do some of these basics, these fundamentals on your own manually.
Once you get good at that, it’s time to bring in some tools to help you do that in a more automated way, at a higher scale way. But regardless, you have to sort of take all this information in and decide for yourself what to do. No one is going to spoon feed you or give you prescriptive advice that’s going to work perfectly for your organization.
You have to be the expert.
[David Spark] And yes, there are plenty of tools out there that can help you with that. But like long division, you got to learn how to do this yourself.
[Geoff Belknap] You got to learn the basics. I just want to underscore this is really important what you said. There are a lot of tools out there that do this, that will help you with this. And I know I’m usually like, “Learn to go it yourself,” but there’s a lot of help out there for you if you need help with this.
Some of them probably sponsor this show.
[David Spark] We appreciate them a lot. And that brings us to the end of the show. Huge thanks to our sponsor, SpyCloud. Greatly appreciate them sponsoring the CISO Series. Please go out to their website, spycloud.com/ciso, get the free scan to see what your infostealer exposure is, and check out their new research, spycloud.com/ciso.
David, I want to thank you as well. I’m going to let you have the very last word. Geoff, as always, I greatly appreciate you being on. If you’re looking for a job in cybersecurity, LinkedIn has this great job information out there, and you can go there and look for jobs. David, if you are hiring or anything else you want to talk about or sort of close on today’s discussion, we would love to hear it.
Please give us the final word.
[David Christensen] Always looking for new talent, new interest in the security space. Not necessarily hiring right now, but we’re always looking for new people.
[David Spark] Awesome. Well, thank you very much, David. Thank you very much, Geoff. That was David Christensen who is the VP CISO over at PlanSource. I’m assuming you can find David over on LinkedIn. We will have a link to his profile from our blog post of this episode. And again, to our audience, we greatly appreciate your contributions, letting us know about awesome discussions like the one that was brought to us by Walter Haydock, and thank you so much for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.