How Should Security Better Engage with Application Owners?

Since so much technology today is launched not by the IT department but by business units themselves, how do security professionals engage with business and application owners and have a conversation about security policy and procedures?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Harold Byun (@haroldnhoward), chief product officer, AppOmni.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.
Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment.

Full transcript

[David Spark] Since so much technology today is not launched by the IT department but by business units themselves, how do security professionals engage with business and application owners and have a conversation about security policy and procedures?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, you have watched him grow up before your very eyes, it’s Geoff Belknap, CISO of LinkedIn. You remember when you were a child actor, Geoff?

[Geoff Belknap] I refuse to accept that I am grown up, and I’ll thank you not to remind people of my child acting.

[David Spark] Our sponsor for today’s episode is AppOmni – it’s time to secure your SaaS data. Not this very moment. Please listen to the episode and then go secure your SaaS data. In fact, we’re going to talk about AppOmni a little bit later in the show. But first let’s talk about our topic. On LinkedIn, Geoff, you asked, “What’s your experience talking about security policy and procedures with business and application owners?” And by this you were talking about the applications that get spun up on credit cards by different business units oftentimes without anyone else’s knowledge.

So, the question you posed was how do these conversations even start and what’s the tone and are you taking a two-way street approach where each side learns from each other’s respective needs. I wonder from you, Geoff, is there anything you learned from our audience that you did not realize before?

[Geoff Belknap] I don’t know if there’s anything I learned that I didn’t know before, but I am very happy in the responses that people are figuring out that the business needs to get business done, and they don’t need to or shouldn’t always go to security to ask permission first to make the business successful which is, I believe, exactly right.

And I think people are learning how security teams can build guard rails and most importantly, relationships with the business so that there’s not friction when it comes to these kind of things, so I’m excited to get into that.

[David Spark] Excellent. And the person who’s going to join us, who I was interviewing not too long before, thrilled to have him onboard as well. It’s our sponsor guest, the Chief Product Officer for AppOmni, Harold Byun. Harold, thank you so much for being with us.

[Harold Byun] Great to be here with you and I’ll chat on my inner child throughout so I can match up with Geoff.

[Geoff Belknap] [Laughter] Great.

What are the best ways to take advantage of this?

2:31.020

[David Spark] Dan Desko of Echelon Risk + Cyber said, “Many don’t quite understand the why this may be a problem, or how it creates risk for the organization. Illustrating the risk to your business partners by sharing stories of how third parties are often the cause of many breach-related issues is a good place to start.

Breaking down for them the impact this could have should they not follow the appropriate risk mitigation channels could go a long way.” And Ruben Velazquez of Replicant said, “Starting with policy is not the way. Start by trying to understand their objectives, motivations, and challenges. There’s always a win/win to find there, such as automating provisioning/deprovisioning to reduce ops burden while increasing security.

When communicated appropriately, it will resonate as empathetic and helpful.” I will say from these two comments, Geoff, and most of them, there was definitely this attitude of be where they are in general. I think the days of “just listen to me” in cybersecurity are kind of long gone. Yes?

[Geoff Belknap] If they’re not long gone, they should be. You cannot be successful as a security leader or security professional if you think your power is derived from some special source and everyone just needs to do whatever you say. You have to build relationships, you have to understand how your organization operates, and you have to be there as a security person, not only to protect the organization but to help it succeed.

And you cannot protect it if you are stifling the growth or success of your organization. You have to learn what they need and how to give it to them in a way that it’s secure. This is a great approach.

[David Spark] Harold, you must see and deal with this constantly through your own customers as well. Have you seen sort of a pattern of success and a pattern of failure?

[Harold Byun] Yeah. I absolutely have. It’s not amusing. I mean, I was almost about to say that it’s amusing. I mean, I’ve seen some pretty negative scenarios and some scenarios where there’s always been this friction point between security and the business, at least historically. And I think much like Geoff is alluding to, that’s diminishing over time and there are people who have learned to speak in business terms and help identify kind of common goals for the business or a common win/win path.

There are other egregious scenarios where in the case of significant findings, we’ve had a security team member decide to raise a P1 against the business owner and application owner at two o’clock in the morning in the case. And those are scenarios where, again, going back to building relationships, you probably want to pick up the phone and call that person and say, “Hey, we found something and we think that we should probably figure out a way that we’re going to communicate and address this,” versus doing something where you’re throwing a stick of dynamite over the wall, more or less.

[David Spark] Ouch.

[Harold Byun] The other scenarios that I think are very effective though are the people who do understand that. I mean, I’ve spoken with a lot of people who have very interesting gaming scenarios that they’ll work through with the business and as well as…

[David Spark] Hold it. Can you delve into that just a little bit? What does a gaming scenario mean?

[Harold Byun] Gaming scenarios, I mean, I think that there are a lot of interesting ones. One was where I was talking with a team at an airline, and I thought that theirs was… It’s really kind of a worst-case scenario. So, when we talk about what your business objectives are and how to map to that, I think one of the things that business owners often don’t realize is aside from, “Look, I’ve got to drive revenue or I’ve got to achieve these goals, and these are kind of the metrics that I’m measured against,” the thing that they don’t necessarily realize are the impacts that an adverse scenario may have on their business.

And so an egregious scenario in a gaming scenario would be for the airline industry was what happens if malware affects air traffic control and we have a planes down situation globally? What are you doing in that situation and what is the impact on your business? And there’s multiple ways you can extend that.

I mean, the food and agriculture industry is really looking at supply chain attacks against food and things like that, and that extends into the pharmaceutical industry as well. I mean, what happens if somebody changes the formula or concentration in a production line? And so when you start to look at that type of business impact and the severity of it, I think it at least puts a little bit of a different perspective on it for the businessperson.

What else is required?

6:56.061

[David Spark] Philippe Michiels, CISO of Cegeka, said, “Start with questions like ‘What is your goal?’ ‘What is important to you?’ ‘What would keep you from reaching your goals?’ and go from such questions to profiling the threats and risks. Eventually, business that understands the why/how/where will be able to take balanced decisions.” And Nathaniel Morris of EQdigital said, “Ask questions to understand the gap they are trying to fill with shadow IT solutions.

There’s a business need that they are trying to solve. Understand first. Offer to evaluate how, ‘We can solve this gap in a way that maintains the security/privacy of our customers and employees.'” I mean, yeah, the reason shadow IT exists is someone saw a solution and goes, “This is going to solve our problem,” and they just want to solve the problem now.

What are some maybe good questions to ask to get at the security concerns, Harold?

[Harold Byun] Yeah, I think that some questions to ask and really focus on kind of what are you trying to achieve with these applications, what is the accelerator or the gap that this is filling for you, how can you best achieve that. And then kind of given that you are adopting this app, how broadly is it used, how are you using it, how is it interacting with other systems.

Certainly, there’s a lot of focus on inter cloud-to-cloud SaaS-to-SaaS connectivity and the potential risks that that introduces. And so I think getting a real good sense of how this is helping enable the business first and aligning around that and those goals, and then starting the conversation around, “Well, what is really the security vetting process that’s gone into this application?

Are there ways that we can start looking at gaining better visibility? Is there a way that we can put guard rails around some of the security controls that are requirements and given that this is handling a corporate body of data?” Right?

I think that if the app is egregious and in a position where it’s introducing risk, then that’s obviously a much different discussion and that’s the challenge with shadow IT and finding alternatives. And I certainly think you need to use a carrot-based approach with figuring out what a better alternative or better operating model with that given application might be versus saying, “Full stop.

You’re not going to be able to use this at all.” So, I think that you’ve always got to look at kind of alternatives and avenues for the businessperson to have a successful out route.

[David Spark] So, most people believe in the carrot approach, Geoff. When is the stick approach warranted, if at all?

[Geoff Belknap] I think the stick approach is really only warranted if you’ve had that conversation where you’ve said, “Here are your options to do this effectively.” You acknowledge that sometimes the business, not necessarily the technology org, needs to make a decision about using a new app or a new service agilely to sort of adapt to the needs of their customer base or whatever it might be.

And you’ve said, “Okay, here’s how to do that safely using a tool not unlike AppOmni or something like that so that you can get visibility.” And if they don’t do that, I think you can bring out the stick. But in most cases, my experience has been there’s rarely ever a golden path or a safe path to engage with third-party services without going through…

[David Spark] Yeah, it’s always a balanced decision, like you’re taking on still some risk.

[Geoff Belknap] Well, look. Everything you do as you operate a business is taking on some amount of risk, right? So, I think where this stuff breaks down, it’s where you have a technology or a security team that is absolutely risk-phobic and doesn’t know how to do anything but say no. And the reality is there’s not a lot of that going on anymore.

Most people understand when they do, and the conversation here is usually more, “What tools and methods and processes can I follow to make sure that I’m onboarding the risk sanely?” I can sort of monitor drift and bad behavior in those other platforms.

So, what I was going to say is you can build a path, an easy path that people can self-follow that helps them onboard third-party SaaS products or even IaaS or PaaS, whatever it might need to be so that you get that visibility, maybe not day zero but day one, and you can onboard that app safely, securely, get that visibility, and I think that’s all you really need.

You need a path for people to do the thing they need to do where you can also get your visibility, and there’s a lot of great ways to do that.

[David Spark] Harold, I just want you to close this out. Give me just 20 seconds adding to Geoff’s comment. Is there an appropriate time to bring out the stick?

[Harold Byun] Yeah. I mean, I think that the challenge with the stick is and the way that I see people do it more successfully, kind of aligning with what Geoff is suggesting here, is really the risk is living with the business. Like as the security, as the CISO, as the security practitioner in the team, we can give you the best recommendations and the best advice that we can around our assessment of the potential exposure and risks of this application that you’re using or this technology service that you’re using, and if you refuse to listen to us, ultimately that is you accepting that risk on the business side.

And that is part of your overall risk profile and so from a stick…

[David Spark] So, I mean, the risk is you’re going to hurt yourself?

[Harold Byun] If you’re going to hurt yourself, then you’re going to live and die by that stick, so go die on that hill, right? I mean, that’s kind of if that’s going to be your…

[David Spark] Essentially, they’re beating themselves essentially?

[Harold Byun] Yeah. And just to quickly add, I mean, other effective kind of pseudo-stick mechanisms that I’ve seen are some type of gamification or leaderboard business unit or business leader comparisons in terms of kind of overall risk ratings, and some people have a really good time with that. I’ve seen some organizations that have done really fun things, like you get your headshot on the slide and then you see how many people in your org actually entered credentials on a phishing campaign.

Oh, is that something you do, Geoff?

[Geoff Belknap] Well, I’ll just say the number one most powerful tool I have as a security leader is a comparative dashboard.

[David Spark] Oh, yeah.

[Geoff Belknap] Every time I take some metrics and I show other security leaders or even just executive teams, “Here’s the security scorecard broken down by VP or business line leader,” things like that. You might not hear anything in that room, but if you’ve been trying to reach one of your senior leaders to make a change or to do something, I don’t know, patch, implement some software, whatever you want, you’d be amazed how fast that happens once they get in a room and get compared to their peers about how they’re performing on security.

That competitive edge or that little bit of embarrassment/accountability? Super powerful.

[Harold Byun] Yeah, absolutely.

Sponsor – AppOmni

13:40.396

[David Spark] Hey, before we go on any further, I do want to be talking about our sponsor AppOmni. That’s Harold’s company. And think about the enterprise SaaS platform your organization uses to get vital work done. So, it could be like Salesforce or Workday or Microsoft 365 or Google Workspace – that’s what we use.

Do you know which SaaS apps are connected to them or the data these apps can access? After all, the average SaaS environment has more than – get ready for this – 40 different SaaS-to-SaaS apps connected into it, and each one offers a new data access point to your major SaaS platforms. That means a single compromised SaaS-to-SaaS app can have threat actors the “in” they need to access sensitive data stored in your SaaS ecosystem.

But AppOmni actually can help here. With AppOmni, you can gain visibility to all your SaaS apps and SaaS-to-SaaS connections. You’ll have a complete inventory of every connected SaaS app in your SaaS ecosystem, and you’ll know when end users have enabled SaaS-to-SaaS apps, and the level of data access each app has been granted.

See what’s connected to your SaaS platforms and what vulnerabilities SaaS-to-SaaS apps may have introduced. Go to AppOmni.com today and request a free risk assessment. Trust me, you do want to see this. Check it out.

What are the elements that make a great solution?

15:06.169

[David Spark] Alfredo Hickman of Obsidian Security said, “For me internally, it all starts with governance and partnering with finance on establishing and operating agile procurement and due diligence controls. In essence, effective security due diligence upfront, and finance governance controls to gain visibility into SaaS purchase activity and get ahead of it is sort of shift left in the SaaS security world.” Azad Hozi of MyCISO-Online said, “Make the CFO accountable on any financed project/initiative without having security visa from early stage.

If you cut the money, then nothing can happen and everyone will come to you before starting a project that will not have any budget otherwise. Money is the key, control it first.” So, I was very intrigued by both Alfredo and Azad’s comments here about make it like you got to go through security first, not procurement first, to get anything done.

It’s a little bit of a stick approach. Yes, Geoff?

[Geoff Belknap] I think these are interesting ideas. Here’s my concern with these. I am not interested in security being your first step to any business success that you need to have if you’re one of my business partners. I want to build guard rails. I don’t want to build gates, I don’t want to be stamping passports, I don’t want to be pre-approving your travel, I don’t want to be looking at everything before it happens.

What I want to do is focus on how do we build a way that we can safely and securely onboard SaaS services that don’t involve you sitting down in a meeting explaining your intent, what the business success that you need is, and then having some engineer explain to you how it’s done here. If you buy staples, paper, anything like that, like, you’re not doing that.

You are, of course, going through procurement to get a great deal, but we should be building a platform that is adaptive, that can get that visibility into SaaS products without having to get pre-approval from security.

I do think as long as you are working with your procurement team and as long as your procurement team, your finance team, your legal team, they all understand that security is a stakeholder in this, you can always hook into the data security review, you could hook into the credit card bills, you can hook into all these ways to discover services that maybe you didn’t find out about ahead of time, and you can get a handle on those fairly quickly.

I think the scary part which creates this desire to get involved at the beginning is when you don’t find out about them for months and months or years and years. I think as long as you close that gap, you’re in a much better position than if you build this gate that people have to cross before they buy a service they might need.

[David Spark] Harold, what do you think of the go through finance approach? And I did like that comment of, “I want guard rails. I don’t want to be a gatekeeper.”

[Harold Byun] Yeah. I mean, I would very much concur. I think it’s important to have the governance and the guard rails and the program around it. I think that when you put in blockers or stage gates, that just translates into slow for me. And when you translate into slow security, you’re basically the security no person or the gatekeeper, I think much like Geoff is alluding to, and I think that that is absolutely problematic for much of the business.

I also think that when you’re that tied to the procurement process, and this is a lot of the problems that we see in the SaaS security space is – look at me, I’m going to date myself here – but back in the ’90s, I mean, third-party vendor risk was a two-page questionnaire with 30 questions on it and now it’s a SIG with 1500 or 2000 different values that people need to respond to.

And that is very evident around the third-party risk that gets introduced.

But beyond that third-party vet and the security assessment of this vendor and how they’re operating and what their code release processes are, once you flip the switch on that application, most organizations have zero visibility in terms of how that thing is actually configured and how it’s operating and whether or not it’s configured appropriately.

We’ve walked into situations where a CISO has made a multimillion-dollar identity purchase with an IDP and you check out their SaaS applications and MFA is optional. Well, you’ve just completely bypassed the security model that you just spent a significant investment in. And so, again, like, how is the application configured, how is it being operationalized beyond the governance and procurement process?

Because there’s so much more downstream in terms of configuration drift and data exposure points that introduce risk to the business.

[David Spark] Let me actually ask one question, either of you jump in on this. Because it seems like neither of you want to do this, like, get into the procurement process. Is there kind of a midway point? Could you guys just give us a heads up when these things come in so we can sort of check these things out?

We don’t want to stop the purchase but we’d like to know early on. I mean, is there a midway point here, Geoff?

[Geoff Belknap] I’ll say in my experience, again, in my org, we’re plugged into legal and procurement, and we absolutely have a standard vendor review process. So, 99 times out of 100, that’s where we find out that we’re onboarding this new thing. And we have a bunch of platforms that allow us to, whether it’s SaaS, PaaS, IaaS, whatever it might be, we can assess the risk, we can decide what telemetry or introspection tool they need to be onboarded into, how do we get them to SSO.

But all that sort of happens in the background while we know that they are trying to acquire the solution. It’s very rare that you find something that someone has put on their personal credit card and you’re buying three licenses of.

What are the risks we’re dealing with?

20:48.671

[David Spark] Jovica Ilic of WIM Security said, “What you really want is commitment, and you can’t motivate anyone to commit to something. People can only motivate themselves. Most changes in an organization are motivated by someone’s rational self-interest.” And Gabe S. who’s CISO over at PDC Technology said, “People are most likely to do things if they understand why and how it matters to their objectives.

Communicate the value and pieces of the picture they may not see.” So, Gabe’s comment sort of brings us full circle. It’s the how and why this is important. Harold, how is that best communicated?

[Harold Byun] I think it’s really an alignment around kind of the important goals for the business and what they’re trying to achieve. And in many ways, it relates to agility and faster time to market or driving some new type of offering or service. I think where I see the best alignment occur is really around, assuming that you’ve established the security guard rail process that we’ve been talking about thus far, in many ways there’s a lot of methods to streamline the overall release process, ways that people can more tightly operationalize.

I know it’s an overused term but shifting left in terms of kind of that release process.

We have a lot of customers that have operationalized us in a way where we act as an automated stage gate to code promotion and pass, for example. And so if you look at a pre-prod environment and a developer’s recent code, it breaks in the prod environment and the developer says, “Oh, that configuration is actually breaking my code.

Turn that off in prod.” And that’s the exact opposite of what you actually want to occur. And so I think that the ability for us to really drive that process more left in the development process facilitates a faster release process, alleviates security from a lot of the architecture and software reviews that they need to do and the code reviews, and ultimately accelerates the process for the business.

And that becomes the type of win/win scenario that you really want to drive.

[David Spark] Geoff, a long time ago I was speaking to a bunch of security people about developers. A lot of them said, “Well, nobody really wants to see us.” That’s their attitude. So, in your initial question, and we’re kind of again bringing it full circle, was how do you start the conversation? Is it difficult to start the conversation or do you find that people are agreeable to seeing security walk through their door?

[Geoff Belknap] People are thrilled to meet people that have an interest in helping them succeed. If you walk through that door – first of all, you should walk through that door before you need something from somebody – but if you walk through that door and you take an earnest interest in understanding how they do their job, what their mission is.

And this is like go talk to salespeople, go talk to marketing people, finance people, whatever. People love to talk about the work that they do. And they would, in most cases, love to hear about how that intersects with security. And if you are just trying to find out how you can help them be successful, they’re thrilled to talk to you about that.

And I think that’s a great way to take that initial approach.

And people that build that relationship, they start to develop like, “Oh, security cares about me. And you know what? I care about security because I’m trying to make this company successful. So is security. Security wants me to be successful. Great. Same team.” Once you have that baseline established, most people as they’re going to buy something or they’ve found out that one of their teammates bought something or implemented something or they’re deploying something new, they’ll let you know about it.

Right? Or they’ll be interested in talking to you about it. And I think the most important thing is as long as you start with why. Why does security care, why is this part of the business buying this thing, what are they trying to do, and you can understand that, most people are happy to have a conversation about what they can do to make it more secure or to do something a little bit different.

It becomes easy at that point.

[David Spark] Let me ask you, close this out here, what’s a happy result from one of these conversations, Harold? You had it and how does the application/business owner respond? Like, “I’m so thrilled you showed up. We’re going to do X.”

[Harold Byun] I think the happy story is we’ve run into a lot of situations where there’s a lot of resistance and inevitably, much I think like you’re alluding, like when security walks into the door, and obviously this relationship should be established earlier, but when you cross the bridge and you’ve said…

[David Spark] Yeah. You’re bringing bagels or cookies early on.

[Harold Byun] Yeah. You’ve said, “Look. We’re going to start taking a closer look at the SaaS applications, especially the ones that you’ve already operationalized for the last better part of a decade.” And a lot of times the immediate response is, “Look. We’ve got this dialed in. We don’t need your help here in this type of situation.” And I think when we get an initial set of visibility and are able to highlight potential exposures or places where there are actual active data leaks going on out of some of these applications, it’s an eye-opening moment and there’s a realization that this is the right thing to do for business.

And oftentimes when I see that type of crossover and engagement with a center of excellence from an application group and the alignment with that application owner, it really becomes – it’s not a marriage, I would say – but there’s a partnership that’s established there and that’s really I think the happy outcome that we see.

[David Spark] Excellent point.

Closing

26:15.746

[David Spark] Well, that brings us to the portion of the show where I ask both of you which quote was your favorite and why, and I always begin with our guest, that would be you, Harold. So, Harold, tell us which of these wonderful quotes was your favorite and why?

[Harold Byun] I think the one that I like the most, I mean, well, there are a lot of them that I like the most, but I probably like it the most because it reminds me of a pretty memorable conversation. So, it’s the last one from Gabe, “People are most likely to do things if they understand why and how it matters to their objectives.

Communicate the value.” And I think the communication of the value is absolutely critical. In one of the more memorable conversations I had with a CISO who formerly had a fair amount of engagements with the military, he said he used to have to address and work with warfighters who were being deployed.

And he said, “I literally had to take a piece of paper and almost with a crayon draw stick figures around some of their surrounding technology and be like, ‘Look. You don’t get to go bang-bang until these issues are addressed.'” And he carried that through in terms of kind of his practice as a CISO in the corporate world, but I think that that really speaks to the alignment that you want to try and drive and the clarity.

[David Spark] That’s very good, I like that example. Geoff, your favorite quote and why.

[Geoff Belknap] Similarly, I like that one, but I’m going to go ahead and pick Ruben Velazquez from Replicant, “Starting with policy is not the way. Start by trying to understand their objectives and challenges,” and I think this is the same thing. It’s like, “Look. You’re trying to be successful. I want you to be successful.

Let me explain to you why doing this thing I want you to do using a security piece of tooling is going to help you be successful.” People don’t want their company to be insecure. They don’t want to do things that are bad for the company. They’re buying these things, they’re doing shadow IT because they’re trying to succeed, they’re trying to thrive.

If you can help them understand why they need to engage you in that process, you’re halfway there.

[David Spark] Excellent, excellent point. Well, that brings us to the very end of the show. Harold, I’m going to let you have the very last word here. But first, I do want to thank your company, AppOmni. Remember, go to their site AppOmni.com to get an assessment. They will find things you want to know.

It is better to know than to not know. So, if it is time to secure your SaaS data – AppOmni. I want to thank our audience as always for all their great contributions that they’ve proven once again here. I want to thank you, Geoff, for really I think what I want to thank you for is that you didn’t let the success as a child actor get to your head.

[Geoff Belknap] [Laughter]

[David Spark] And you really grew up to be a level-headed adult, so thank you for doing that.

[Geoff Belknap] All right. I promise you can see Miami.

[Laughter]

[Harold Byun] We’re going to have to see your child actor reels, that’s what we need to see.

[Geoff Belknap] Yes, I do want to see that. Harold, any special offer? Anything you would like to say at all to our audience? And by the way, are you hiring at AppOmni?

[Harold Byun] We are hiring, yes. I think it’s an incredibly exciting space where there’s a lot going on obviously in this arena. I mean, I think if you look at some of the high profile breaches that have occurred over the last year and a lot of the attacks that we’re seeing on identity providers and broad-scale credential theft and things like that, I think that this is an exciting space and it really represents an opportunity for anybody who’s looking to grow their career in the security industry.

I want to thank both of you for your time and the conversation here, I think it’s been very engaging and intriguing. This has always been an area of interest to me in terms of, again, that friction point and trying to minimize the crosswinds between security and the business and so I’m glad that we had it, so thank you.

[David Spark] Excellent. That’s it for the show. Thank you again, audience. We greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.