How Are New SEC Rules Impacting CISOs?

SEC Regs and CISOs

We’re seeing increasing regulations and legal responsibilities applying to CISOs. But are CISOs set up to succeed in meeting these within their organizations? And do regulators realize this?

Check out these posts for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is Allan Cockriel, group CISO, Shell.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, SpyCloud

Cybercrime doesn’t take breaks. Protect your organization from ransomware, account takeover, and online fraud with SpyCloud. SpyCloud recaptures stolen identity data from breaches, infostealer malware, and phishing attacks that put your business at risk. Teams use SpyCloud’s advanced analytics and powerful automation to stay ahead of attackers. Visit spycloud.com for your free risk report and start disrupting cybercrime today.

Full Transcript

Intro

0:00.000

[David Spark] We’re seeing increasing regulations and legal responsibilities applying to CISOs, but are CISOs set up to succeed in meeting these within their organizations? And do regulators realize this?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And guess what? My co-host, he’s here. His name is Steve Zalewski. Steve, say hello to the nice, friendly audience.

[Steve Zalewski] Hello, audience.

[David Spark] You’ll hear that voice a lot more during this show. Our sponsor for today’s episode is SpyCloud. Thrilled to have SpyCloud back on the CISO Series network. Act on what criminals know about your business – that’s what SpyCloud can do. They know what the criminals know, and they let you know, so you can defend against it.

First, Steve, let’s get to the topic at hand. It’s the SEC, and they are increasingly holding CISOs accountable, and that’s freaking a lot of CISOs out. But does it actually know how CISOs operate in an organization? It seems like the SEC doesn’t realize how little many CISOs can do to fix materially systematic issues, argued Mike Lockhart, who’s the CISO over at EagleView, in a recent LinkedIn post.

So, I’ll ask you, Steve, if regulators don’t hold upstream leadership accountable, is the CISO being set up to fail?

[Steve Zalewski] I really like what Mike did here, which was the fear of the unknown. We don’t understand what we are being held accountable for, and so we’re asking a lot of open questions. And I would argue right now, and what we’re going to talk about, is the way the SEC works, they only have certain ways that they can enforce to make changes.

And they’re working within the purview of how they understand how to operate, and in the case of this, they’re kind of outside of their comfort zone as well. So, you have both sides of the equation outside of their comfort zone, which is why we’re asking a lot of open questions.

[David Spark] Well, to help us answer these questions as best as we can because we don’t necessarily have all the answers, but we’re going to do our best here, it’s a gentleman I did a live show with in Nashville, Tennessee. Thrilled to have him on this show. It is none other than the group CISO over at Shell, Allan Cockriel.

Allan, thank you so much for joining us.

[Allan Cockriel] Happy to be here. Good to see you, David. Steve, pleasure to meet you.

What are they doing wrong?

2:39.810

[David Spark] Ted Heiman, who’s the CISO Guru said, “The CISO is not Superman. He does not have special powers, and he is only as good as the team he has in place around him. He has a limited budget, a shortage of talent, and has to contend with nation-state actors that have nearly unlimited budgets, unlimited manpower, and unlimited MIPS.

How can you hold a CISO accountable when the company has been breached by a nation-state? Holding CISOs accountable for a breach is ridiculous unless there was true negligence.” And Jonathan Waldrop, who’s the CISO over at The Weather Company said, “The SEC is now demanding full transparency, and boards of publicly traded companies are now on notice to over-communicate.

It can be difficult though in a public disclosure to provide enough detail to outline the risk without showing all of one’s cards. Where’s the balance in how much info to disclose?” Yeah, this is kind of the thing that we’ve heard is like, come on, the CISOs can’t control all of this. You’re asking something very unreasonable.

And also, what can they do here, Steve?

[Steve Zalewski] So, the first thing I’m going to say is the CISO role is evolving. We’ve talked about this. And so what I see here is as the role is evolving, it’s going up and down, which is it’s becoming more important or less important depending upon what the executive team wants. And so when I look at Jonathan’s quote, right, the realization here is, hey, both sides are understanding we’re having to go through change.

We’re not sure how to do this. We’re really nervous that you’re asking us to do something that we either don’t know how to do or are not empowered to do. And so now we’re having what I’m hoping is going to be an intelligent discussion, right, between the industry players to figure this out.

[David Spark] And I mean, Allan, I mean, pretty much every company we speak with is the CISO isn’t directly making public announcements. They are going through the communications department or they’re just advising someone else who makes the more public announcements. So, I mean, isn’t the job of the CISO to be a risk advisor really in all these situations, yes?

[Allan Cockriel] I think Steve nails it. This role is in flux. CIOs and CISOs have wanted to be elevated from a leadership perspective for many, many years, and the CISO is now being elevated in terms of importance, in terms of visibility, and in the US in terms of liability. And it’s one of those things, be careful what you wish for because you just might get it.

And I liken the changes that are happening now similar to CFOs in the early 2000s when you had Enron. Now, did we go and have a cyber version of SOX? Probably not. I think what was actually passed is probably maybe under what it could have been in terms of holding the board and senior leadership accountable, but it does elevate the risk of cybersecurity.

It does make sure that companies are held accountable to have a baseline expectation of cybersecurity. And I think, as Steve mentioned, we’re going to have to find our way to find the right balance. I don’t think we’ve seen the end of regulations, and I don’t think the current situation is reflective of what the future will be like in the very near future.

[David Spark] I brought this up on another show, and most of the CISOs are turning to the two cases that we know of, one of Tim Brown with SolarWinds and Joe Sullivan with Uber. And my feeling because things are always so unclear at the beginning, and I think the parallel you said with Enron and SOX with CFOs is very apt, do you feel that because things are unclear, and either one of you jump in on this, that they’re just waiting for the CISO guinea pigs, and like Tim and Joe were the first of them, and we essentially learn from the first guinea pigs, and nobody kind of knows who’s going to be the first ones?

Steve, you’re nodding your head.

[Steve Zalewski] So, one of the things we talked about is, and the SEC will agree, they’re not experts in cybersecurity, okay? They’re not. They don’t have a set of experts. But what they can do, right, is if you lie and money is made, white-collar crime, we can do something about that. And they’re applying that pattern to cybersecurity now with Tim Brown because that is the way that they can enforce the law, so to speak, and demand that we have this conversation around risk management.

And so this is a case where I say what are they doing right versus what are they doing wrong, which is within their purview of how they know how to prosecute, they’re forcing the conversation for us.

[Allan Cockriel] Yeah, and to build on that, and again, I won’t comment on the individual cases of those two gentlemen, when I’ve had interactions with the SEC and similar regulatory agencies internationally, they want companies to do the right thing. So, they will use the tools that they have within their arsenal to be able to achieve their outcome.

And this outcome is elevating the risk of cybersecurity, having an increasing standard of expectations for companies, more rigorous reporting and disclosure obligations. And they’re using the tools that they have to get that done. They may not be the best tools, but I genuinely see them trying to do the right thing, but I do think there’s going to have to be an adjustment and tuning as we work our way into this new reality.

Where does the solution fall flat?

8:31.113

[David Spark] Mike Pedrick of Nuspire said, “I am unclear on the motivations of the SEC in this case. I appreciate the need for ethical behavior, especially in publicly traded organizations, but being overly heavy-handed with CISOs does not in any way help the cause against external threats, rather the opposite when good CISOs find their way out of the industry in an abundance of caution and self-preservation.” And Damian A. Golladay of Leonardo DRS said, “This sets a tone for how the SEC views unaddressed cyber risk and how they will prosecute it. There will be a mass exodus of CISOs, companies without CISOs will lose investors, and then there will be a huge need for new CISOs.”

So, actually, I’m glad you made that last comment, Allan, because this is all about how you view the issue or what team you’re on here. These people are obviously looking at it from the CISO’s viewpoint. It’s unclear. CISOs are going to leave because it’s unclear and they’re fearing for their jobs. But as you just said, like, hey, the SEC wants to do a good job.

They want everyone to be ethical. They are just using the tools that they have currently. So, these people are just understandably fearful because, well, heck, they’re not regulators themselves and they don’t know what that job entails. What do you think?

[Allan Cockriel] Well, I like to keep things very simple. And I think the role of the CISO is going to get very difficult. There was a push to elevate the role of cyber and the role and profile of the CISO, and again, as I mentioned earlier, be careful what you wish for because you just might get it.

And for CISOs that leave the industry, again, that’s on their own judgment. However, I do see this role being very challenging. And if I take a bigger step back and I look at what I perceive the SEC and other regulatory agencies trying to do in the US, it comes down to trying to keep the country safe, to step into the role of collective defense, because the reality is large US corporates, in certain cases, and in a lot of cases, actually, Western corporates are facing an unprecedented rise in nation-state attacks. And the reality is the US government and the agencies need to be able to understand how they elevate the foundational cyber expectations, how do they control and identify ransomware payments?

So, hence the reason having to report ransomware payments.

And then from a disclosure perspective, as an investor, it’s important to understand if there’s been a material event in the companies you’re choosing to invest in. And if I pick the pieces of the regulations that I see, it aligns to those general strategies to increase basic expectations, to identify when cyber events are out there so we can raise the collective defense and collective security of Western corporates.

And then last but not least, it’s accountability in companies to start to raise the bar on cyber.

[David Spark] Yeah, I mean, look, it’s all our responsibility. But I’m going to get back to some of the original comments with you, Steve, here, which is what Mike and Damien said, which is we’re going to lose CISOs because of this. I think that’s an extreme fear. I mean, CISOs have been leaving just because they’re exhausted with the stress of just the job.

Forget the new aspect of the SEC. I mean, there’s just a lot of stress for the job, period. Yes? I mean, I don’t think this is pushing anyone over the edge. What do you think, Steve?

[Steve Zalewski] I don’t think you’re going to see a mass exodus. But here’s where this effort falls flat, which is what they’ve done is forced a formalization of the definition of a CISO by giving them authority, if you want, to sign off on documents that if they lie, they can go to jail. That’s good.

But we don’t actually have as an industry that formalization of a CISO as a named executive officer or as that executive. And so some of the consequences here, being very practical, is for a lot of CISOs, right? They’ve been appointed or anointed for CISO, but now that this formalization exercise is going to go through, you’re actually going to see a lot of CISOs become directors of security because it’ll be the CFO or it’ll be chief legal counsel that will actually be assigned the CISO role if they have to sign off on documents, and it’ll be a subset of CISOs that are also then brought up to the executive ranks.

So, I see this actually is it’s great that they’re formalizing the CISO role with regards to accountability. But we’ve got a lot to learn now to formalize what that looks like. Do you get certifications? How do you do that? And many companies, I think, are going to lower the CISO title in the organization and transfer that risk somewhere else.

Sponsor – SpyCloud

13:38.648

[David Spark] Before I go any further, I do want to tell you about our absolutely spectacular sponsor, and that would be SpyCloud. Now, it’s no surprise to our listening audience that given the constant news about high-profile data breaches, that the criminal underground is booming, but the reality why they’re booming is it’s the growth of stolen identity data.

We’re talking passwords, session cookies, and PII. That is what is fueling the fire. Now, if you’re relying on threat intelligence to understand the risk that your stolen employee and customer data poses to your company’s risk of cyber attacks, we have news for you. It’s not enough. What you really need is to understand exactly what criminals know about your users, the stolen identity data they’re using to target your business right now.

So, our friends over at SpyCloud, they’re the leaders in cybercrime analytics, and today’s sponsor, they know this information, and they actually arm your security team with the identity intelligence you need to act on stolen data. Now, whether this was exposed in a breach, an info-stealer infection, or a phishing attack, their automated solutions integrate with your favorite tools, so you act on the exact information criminals are using to target your business now.

Now, without massive effort or overhead, I mean, it’s actually quite easy to use. Put an end to account takeover, an end to session hijacking, and even ransomware with SpyCloud. Now, here’s what you’re going to want to do. You’re going to want to get a report of your users so this is tailored to you, your users’ exposed identity data, and you can get it for free over at spycloud.com.

I’ve seen it, and it was totally worth the free. I can’t stress that enough. You will want to see this. It’s going to scare you a little bit, but trust me, that information will be extraordinarily valuable to you. So, go to spycloud.com. Go check it out.

What must a security leader be able to do?

15:43.629

[David Spark] Charles Herring of WitFoo said, “CFO can’t blame the CEO for making knowingly fraudulent accounting disclosures, and neither can the CISO on cyber disclosures. If the CFO reports to management and they still publish fraud, he must report it to law enforcement. CISO is no different. Fiduciary officers cannot defraud the government or shareholders.

Every corporate officer either is always mindful of staying far away from a Wells notice or is heading towards one.” That’s a good line there. Jennifer Bayuk said, “In my experience with the SEC, sending in paperwork on the people who have specific job titles is a regulatory requirement, and the individual has to personally sign the paperwork.

The message for CISO should be if you cannot personally vouch for living inside best practices, when they ask you to sign, look for another job.” I mean, I think both Charles and Jennifer put it pretty clear here. It’s like it’s part of your job to report things as legitimately and as well as you know, whether you’re the CISO or the CFO.

Yes, Allan?

[Allan Cockriel] I agree. Yeah, there’d be one tweak to the last comment that I would make, and I would say it’s less in terms of operating within best practices, but it’s operating within your company’s control framework. I genuinely believe that large corporates should have some sort of control framework to, again, manage risk within the organization.

And the cyber leader, the CRO, the CSO, depending on how it’s articulated in that company, needs to make sure that what they report is analytically accurate, so it’s fair and balanced, but then it also reflects the company’s control structure and risk appetite. And I think for cyber leaders and security leaders, if you do that and you lead with transparency, then I don’t see you having much to worry about.

So, I think our industry, our experts need to be driving transparency in the organization and then stepping into a risk partnership role and out of the kind of compliance tick boxing structure that some security and assurance organizations can find themselves in.

[David Spark] Steve, I’m going to ask a question that’s going to ask you to sort of prophesize of what do you think happened with the SEC. Do you think it’s just because cyber has risen so much as an important role, kind of like money is an important role – so the CFOs, so they have to regulate how money is flowing – that cyber has reached such an important role that they have to start putting the same pressures on CISOs like they do CFOs and CEOs, or I’m not going to say same, but somewhat similar, if you will.

What do you think?

[Steve Zalewski] So, we have a lot of policies that have been coming out of government internationally, all of which are saying cybersecurity is very important. We got to get better at it. Data privacy is important. The problem is the policies that come out aren’t enforceable. They’re just best practices, so to speak.

So, for folks like the FTC and the SEC, right, those are more of the enforcing arms, and so what they’re doing is looking at those policies and figuring out how can I enforce them? What is my part in the security village, right, to improve our collective defense? And that’s what they’re doing, and they’re executing within, like we talked about, the ways that they know how to do this.

This is all good, right? This is it.

Part of that conversation now is as a “CISO,” if you really have a pretty broad band of experience, you understand being a CISO for a Fortune 500, being a CISO for a SaaS company, being a CISO for a small to medium enterprise are not all one and the same. There’s a lot of variability in how that CISO is perceived as well as how they want to execute their job.

And an example for that is, is my job to build the most mature security organization I can, or is my job to have good enough security for this company to make payroll for another week? It’s not either/or, okay? It’s and. And that’s now where we’re having a lot of angst because CISOs that are working for SaaS companies, right, that are cloud-native application, that are trying to figure out what to do there, versus a Fortune 200, where they have a lot of legal and regulatory compliance and evidence of compliance and large teams, they both “have a CISO,” but the definition of success and what they can just basically report on and the maturity, this is where we’re having this conversation around.

It’s not one size fits all, and that’s where I’m saying it’s positive that a lot of people that don’t understand cybersecurity are going to now help us and the industry understand all the variations of what a CISO is, and where it makes sense that they be elevated or where they be deprecated in the organization based on the organization’s risk profile.

[David Spark] And the framework that they create that Allan just talked about, yes?

[Steve Zalewski] Yeah, and that’s just it, and what’s the framework? So, the way I say this is, is my job as a CISO to secure the company? Is it to protect the business? Or is it to enable it to sell more jeans? That simple statement of which of those three are you being held accountable for, and how do you see the value, perceived value of what you do, result in very different security postures and can result in very different outcomes, yet all three of those are legitimate CISO directives that we’re trying to come to grips with.

[Allan Cockriel] Yeah, I fully agree with that. And just building on that is when you start to look outside of your corporate, one thing that actually makes me very nervous is the security of our supply chain. And that is our vendors, that’s the people that provide hardware and software, the companies that we do business with, and that’s where I think smart regulation – my personal view – where smart regulation and targeted enforcement makes a lot of sense because it raises that collective expectation of cybersecurity and helps to get at improving the overall security posture of the ecosystems in which we work.

And that, for me, is one of the big risks that I see this helping to at least narrow. It won’t solve it, but it’ll narrow it by, again, making sure that there’s at least a base expectation of what cybersecurity is like.

No one said it would be easy.

22:31.395

[David Spark] Bryan Becker of Class IV said, “On one hand, Tim of SolarWinds might not have had the support of his upstream leadership, and I hope he had a story and a CYA documentation he can bring to the table. If he signed these documents and portrayed a false picture publicly under pressure from executives, he might have a case.

If he doesn’t, then fraud is fraud, and I’ll watch his case closely. On the other hand, no individual is on an island as a CISO. It takes a village, and there should be a heavy hand for not just the CISO, but everyone involved, C-level, risk management, especially the board of directors, clear lack of oversight and due care here by the management team.” I think the attitude of just stripping away the CISO and only blaming him or her would be misguided, and I fear what we’ve seen in these cases – and again, I don’t know the full cases here.

I’ll start with you, Steve, but it looks like they’re being stripped away, and the only ones blamed.

[Steve Zalewski] I would say when we went back to SOX, S-O-X, the finance thing, right? The value of a CFO changed because they became held accountable, legally accountable, right, for signing off on certain documents with the CEO. Again, what I think here is everybody’s been saying CISO, CISO, CISO is the acronym for the new cybersecurity executive that, like your lawyer and like your CFO, now need to be that named executive responsible for cybersecurity risk.

That’s the good news. The bad news is the CISO role really doesn’t exist yet. It’s very dynamic. It’s primarily technical still. It’s migrating into a business role. And the organizations and the policymakers are all now simply saying, “Well, now that we’ve agreed that the CISO is the accountable party,” everybody’s kind of looking and going, “You know that whole CISO thing we’ve been talking about? Not quite so clear as what we want.”

And that’s the exercise we’re going through of the formalization of the CISO role over the next three to five years, or I wish to say more formalization over what it is. Because it’s been morphing, but nobody’s cared up until now because while we might pay a fine, right, if it’s GDPR, we’ve never been held accountable for a felony.

And this exercise of it’s a felony and it goes to jail, right, means that our ability to know where we fit in that is the exercise we’re going through. And so I think I always say eventually common sense prevails. Common sense will break out for small amounts of time and then we go into a rationality again.

And I would say we’re at the beginning here of common sense is going to break out as it goes through the court systems because a whole lot of people now are really going to understand what the CISO role is, and you’re going to see a lot of good things happen in the industry. But in the meantime, fear, uncertainty, and doubt that cybersecurity has sold to our executives to be able to buy product is now being turned on us.

[David Spark] Now, Allan, I don’t want you to tell me any specifics, but you mentioned you operate under a framework, but I got to realize that part of this framework is that you have communications, and you have legal people, and they listen to the new regulations and the new laws. And then they come back and advise you like, “Hey, guess what, Allan, this and this is happening, so we need this kind of reporting because our framework has to adapt for this.” I mean, that just seems like this is like nothing new in the sense of this is just how we do business.

[Allan Cockriel] And that’s why I think it’s important to go back to basics in this case, and what’s your risk objective? What’s your control framework? What’s your risk posture? How do you lead with analytics and drive transparency? Those expectations don’t change. What I pick up from the question that you started this section with, David, is that I see this as just the natural evolution of this role as it raises in prominence and importance.

I spent most of my career as a CIO, and if I were to sign off on an attestation document or an end-of-year control posture or anything related to being a CIO, and I knew it was negligent, I would expect to be held accountable. And I don’t think that’s going to be any different from a cybersecurity leader being asked to document and to sign off on their controls work as well.

So, again, natural evolution. If that drives some CISOs out of the market, so be it. If you’re put into a position where you’re coerced or forced to sign something you know is not right, then you should actually be leaving because I think that, in similar to a CFO post-SOX, that can be a career limiting move.

So, again, I don’t want people to be nervous or afraid or feel that they have to leave the industry. Just understand the expectations have increased and they’ll be at parity with a CIO or a CFO or a CEO, and that’s making sure that we fairly and accurately represent the posture of the organization. CFO has the financial posture, the CISO will have the security posture.

[Steve Zalewski] So, Allan, I want to dovetail on that. I had a conversation with a lawyer in the SEC. She was in the SEC, and here’s what she said to me. She goes, “Steve, the NIST framework, I just learned this was a couple weeks ago, that it’s a framework, not a standard.”

[Allan Cockriel] That’s right.

[Steve Zalewski] And you can’t be held accountable to a framework, you can only be held accountable to a standard. Okay? So, I go, “Here’s an example of we talked about, the NIST framework.” I can’t… There’s no standard there, right? It’s what standard are you doing? Am I getting a SOC 2 Type 2? Am I going for HIPAA?

Am I going for FedRAMP? It’s standards we have to talk about so that we can demonstrate compliance to standard. We don’t have common standards yet. We have a set. And yet here we are looking at frameworks and using the word frameworks as something that we need to be held accountable towards. So, I’m kind of curious from your perspective, I’ve seen this dichotomy frameworks versus standards, where do you stand on that?

[Allan Cockriel] Well, so it’s a nuanced answer. So, if I look at the NIST framework or any of the ISO frameworks or similar frameworks, we’ve known as an industry what we needed to do for quite some time. Those frameworks, the NIST, ISO, SANS, provide all the detail of how to run a well secured organization.

When I say control framework, I mean, within the company that you’re operating in, how do you define your risk objectives, your control mappings, what good looks like, where your risk postures lie, and then how do you report and assure on those controls? So, when I say framework, it’s very much from an internal company control framework and not a NIST, a SANS, or one of those external frameworks, which, you’re right, are mainly best practices and suggestions.

I think where the nuance to the answer ends up is I do see what they call additional regulations, but those type of standards being codified where they’re a lot more clear on what good looks like. And that means you have to have a certain control posture, you have to have… An example of that would be what we saw from the post-Colonial attacks in the Department of Energy.

They were very specific in what they expected. They wanted better identity management, they wanted 2FA, they wanted what I would argue are security standards in the way you’ve contextualized it as how you secure some critical infrastructure. So, I see something like that probably ending up more broadly, potentially healthcare industry with some of the recent attacks, I think they’re probably going to see an increased expectations, and [Inaudible 00:30:33] be codified standards and what the regulators would be looking to see as basic cybersecurity postures.

Closing

30:46.644

[David Spark] That was excellent. And by the way, this is the big summation I have for today’s episode is cybersecurity is becoming more important. That’s why there’s more regulation around it, and that the role of the CISO is ever-changing. So, we’ve got two things that are moving at the same time.

And heck, it’s not the first time. There’s a history of this. And by the way, regulations change over time and guess what? So, now the CISOs are, I don’t want to say in the crosshairs, but CISOs are being given more prominence in the discussion than they’ve ever had before. All right. We’ve come to the portion of the show, Allan, where I ask you which quote was your favorite and why.

So, which quote was it?

[Allan Cockriel] I think you had a lot of great quotes, David. The one that resonated with me was the quote from Charles around avoiding Wells notices. I think that’s great for self-preservation as well as for longevity and career. So, do the right thing, try to avoid the Wells notices, and understand if one’s heading your direction.


[David Spark] All right. Good quote. Steve, your favorite quote and why?

[Steve Zalewski] I’m going to take a slightly different slant and I’m actually going to go with Jonathan Waldrop, the CISO of The Weather Company, where he said, “The SEC is now demanding full transparency, and boards of publicly traded companies are now on notice to over-communicate. It can be difficult though in a public disclosure to provide enough detail to outline the risk without showing all of one’s cards. Where’s the balance and how much is too much to disclose?”

And I think this gets back to the industry is maturing, the CISO role is maturing. We’ve been told over-communicate now with our vulnerabilities and our exploitabilities, and we as CISOs are simply saying, “Well, we can’t show you everything,” but there’s no standard for where the line is, like there is for SOX controls, right, for finance.

And I think that’s the underlying angst now. This is a great way of us being told we’re being given some direction, but we’re being given direction without the way to be able to demonstrate evidence of that direction without giving too much away, and now we’re having all these conversations as we’re working through it.

[David Spark] Very good. Excellent. Well, that brings us to the very end of the show. Huge thanks to our sponsors. That would be SpyCloud. Thrilled to have them back on board again. I adore what they’re doing over there, and you should get that free report of your users’ exposed identity data. It’s totally worth it to see.

Go to spycloud.com. I did it. You should do it. Spycloud.com, go check it out. I want to thank you, Steve, as always. Thank you so much. And Allan, I always like to ask my guests if they’re hiring, are you hiring over at Shell?

[Allan Cockriel] We’re always looking for great cyber talent. So, reach out to me on LinkedIn. Great to have a chat and also meet great practitioners in the cyber community.

[David Spark] Awesome to hear. We will have a link to Allan’s LinkedIn profile on this episode on our blog, that would be CISOseries.com. As always, to our audience, we greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.