How to Engage with Non-Technical Business Leaders

How do you talk to non-technical business leaders about cybersecurity? It’s a concern, it’s a risk, they want to know so they can make logical business decisions. How do you help?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Our guest is Sara Hall, deputy CISO, MassMutual.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, HYAS

“Better production environment security starts with visibility. After all, how can you protect your most valuable asset if you don’t know A: what’s expected and B: when something’s happening that isn’t expected?

This is why HYAS Confront monitors traffic to alert you to anomalies, letting you address risks, threats, and changes, while blocking infiltrations before they become successful attacks.

Don’t just react, take your security back with HYAS. Visit HYAS.com.”

Full transcript

[David Spark] How do you talk to nontechnical business leaders about cyber security? It’s a concern. It’s a risk. They want to know so they can make logical business decisions. How do you help?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, his name is Geoff Belknap. He’s also the CISO of LinkedIn. Geoff, you sound like what?

[Geoff Belknap] This is my voice. Please verify me.

[David Spark] Aw. As I understand the first time we heard that in a film was the movie “Hackers.”

[Geoff Belknap] “Sneakers.”

[David Spark] “Sneakers.” That was it. “Sneakers,” not “Hackers.”

[Geoff Belknap] “My voice is my passport. Please verify me.”

[David Spark] I’ve done that at financial institutions. Which possibly our guest, they have that verification system at their company. I don’t know. We’ll find out.

[Geoff Belknap] I assume too.

[David Spark] We’ll find out. Hey, I want to mention our sponsor. Our sponsor today is HYAS.com. They are security that protects and clears a safe path for innovation to follow. We’re going to learn more about HYAS a little bit later in the show. So thrilled that they’re joining us. But first, our topic today. A friend of the show, Patti Titus, CISO over at Markel, asked on LinkedIn the question in the tease that I said about how do you talk to nontechnical business leaders about cyber security. How do you have a risk discussion while also avoiding FUD – fear, uncertainty, and doubt? So, all security leaders are faced with these discussions. While you may be successful, which I’m sure you’ve had this many times, Geoff, I would assume it’s kind of always nice to know what’s your technique, how do you do it, and maybe put some of those tools into your quiver. Yes? Or maybe I’m mixing metaphors there. But what do you think, Geoff?

[Geoff Belknap] I think mixing metaphors is perfect, and I think metaphors, analogy, and any tool you can use in your narrative toolbox…

[David Spark] Not quiver.

[Geoff Belknap] …is what you need. Well, maybe if you have a quiver, don’t get the quivers.

[David Spark] If you don’t have a toolbox and the only place you have to store your tools is a quiver because you’ve put all your arrows in the toolbox…

[Crosstalk 00:02:14]

[Geoff Belknap] Yeah, this is a great example of how you don’t want to talk to nontechnical business leaders.

[David Spark] [Laughs]

[Geoff Belknap] But it’s so, so important for security leaders to develop this skill. If you weren’t blessed with a talent, develop the skill about how to communicate about security to people that are not security people. It is officially a part of the job. I’m making it officially a requirement right now. And it will make your job so, so much easier. I’m excited to get to chat about it with our guest.

[David Spark] Yeah, and I just want to reiterate the whole idea is that even if you are very good, just to hear other peoples’ techniques is like, “Oh, I didn’t think about taking it from that angle.” I’m sure you run into that.

[Geoff Belknap] Absolutely.

[David Spark] All right, let’s introduce our guest. I don’t know if her voice is her password. Maybe she’ll say that. We can record it, and we can break into her account. What do you think? She’ll never come back again if we do that. [Laughs]

[Geoff Belknap] I don’t know how anyone would find out that we planned this, so it’s foolproof.

[David Spark] No, it’s foolproof. The deputy CISO over at MassMutual, Sara Hall. Sara, thank you so much for joining us.

[Sara Hall] Thank you for having me. By the way, this is not my voice.

[Laughter]

[Sara Hall] But it is my password.

[Geoff Belknap] Fantastic.

[David Spark] One way it’ll work.

Where do we begin?

3:27.530

[David Spark] Gideon T. Rasmussen of Virtual CSO said, “I tend to start with a focus on the cyber security program and core functions. That lays the foundation. From there I focus on critical business processes, control points, and risk assessments. Privacy and fraud prevention need to be included in the conversation. Communications are critical to influence change.” I kind of like that last line. If you don’t communicate well, how is anyone going to take action on it? And last quote here from Frank S. of Solivtur Systems said, “I usually try to put cyber risk into the following categories – time to market, competitive advantage, lost revenue downtime, risk to brand image. So, how essentially cyber security can help in those ways.” These are some interesting kind of starting points. Again, no one is correct. What do you think of both Gideon and Frank’s take, Geoff?

[Geoff Belknap] I think these are good. The important part is if you’re setting the groundwork for a discussion about risk, you need to communicate that risk in a way that’s going to relate to the audience. In this case, maybe it’s a board member or another executive, or, I don’t know, maybe somebody in marketing. And if you’re going to start a conversation about what the security program is and how it’s delivering, I think Gideon has got some great advice here about laying the groundwork and sort of talking about how it relates to the business process. If you are talking very broadly about risk, I think Frank has some great advice here – talking about how it connects to the business.

Whether it’s time to market, competitive advantage. The thing I always say to people here is to remember you really need to work on the dopamine receptors of your audience, not the sort of fear or stressor receptors. You want them to be happy or excited. You want them to have more conversations with you about the risk. You don’t want to scare their wits out. So, I think when you’re talking about risk in terms of the business and the things that they get excited about about the business, and how the business succeeds or helps its customers, that is the right path. That’s a good path for you to take. Now, how you get on that path, I think that’s a little different for everybody.

[David Spark] So, I love this take that Geoff had of focus on what will get them excited, the dopamine response, about security sort of enabling the business rather than the classic FUD technique, which aggravates everybody.

[Sara Hall] Yeah, I love that response because I think it really puts you in the frame of mind of listening to the other stakeholder and understanding what it is that is important to them and trying to put it into that context. So, I think all of these are great tips, but it really comes down to understanding what their drivers are, what they’re trying to accomplish, and then how that cyber risk fits into that picture. And being able to communicate it in a way that resonates with them.

[David Spark] So, one of the things that we’ve heard in the past, Sara, is that when you see people crossing over from the business into cyber security, those people seem to end up being the best communicators and being your best liaisons. Have you seen an example of this?

[Sara Hall] Yes, absolutely. When I worked in health care, I actually came across a nurse who had transitioned over into cyber security because she really started to understand the implications of security to protecting patients, but she found that the cyber practitioners were really using the wrong language to get across to doctors and nurses. And so what she took as her own personal mission was to educate cyber security practitioners to instead say, “I believe that I have a patient safety issue that you have overlooked.” And to begin the conversation that way would get the attention of the doctors and nurses and shift it into their language.

Why is everyone so confused?

7:20.325

[David Spark] Bill Bowman, CISO of Emburse, said, “Connect their personal digital life to their corporate digital life. We have brought this one up many, many times. If you can get them to care about their own personal cyber security, they’ll start to understand about corporate cyber security.” Mark Eggleston, who’s the CISO over at CSC, said, “In a word, storytelling. The story of where a company is, where we are going, and most importantly what’s in it for them to join the journey.” And lastly, Jerich Beason, who is a commercial CISO over at Capital One, said, “Analogies, metaphors,” like we started the beginning of the show, “and storytelling is generally how I communicate with nontechnical leaders. Rule of thumb, if my parents can’t understand it, I presume the business leadership won’t either.” Do you bring it to that level, Geoff?

[Geoff Belknap] Oh, I think that’s right. Although I feel like Jerich’s parents might be nuclear engineers or something like that. So, maybe that doesn’t work. But I think there’s that old adage – if you can’t explain these very complex things that you’re responsible for that you work on, you probably don’t understand it as well as you think you do. So, I think it’s really helpful to even practice talking to kids, or friends, or family, or neighbors. If you can get them to understand what you do and you can get them to understand…can sort of take an abstract risk decision you might be facing about maybe you’re onboarding a vendor, or your marketing team wants to partner with somebody new… If you can get one of your neighbors to understand the risk involved in that decision, you can communicate to anybody. So, I encourage people to practice. I encourage people to do exactly what Mark and Bill are talking about.

Like connect it to their personal life. I think personal life is really good if you’re trying to get people to make good decisions about passwords, things like that. But connect it to their business – to the thing that they do day in and day out, and how you’re going to help them succeed or at least limit their exposure to failure or downside. And you will find yourself bringing right through. And then if you listen… I think this is what Sara was talking about with her analogy. If you listen to how they talk about their business and you listen to the things that they worry about in their business, and you know how to connect that worry to the thing that you’re worried about, you have locked in to being on the same plane of existence as that person. And you will find it much, much easier to have that conversation.

[David Spark] Sara, years ago I used to appear on a television show in northern California called “This Week in Northern California.” It was kind of the local version of Washington Week in Review where they have reporters on the show. And I would have to explain a very complicated technology topic to a general lay audience. I remember I used to have my wife quiz me, ask me questions, so I could have all these topics. Because what we suffer is something I refer to as the curse of knowledge. The idea is you have way too much information in your head. You want to vomit all of it out, but that’s exactly what you should not do. And the whole trick was how can I answer these complicated questions simply, shortly so they work for television. I think that would work with the C-suite as well. Geoff was going so far as to practice. I practiced, again…I was doing it for television. How do you practice taking this curse of knowledge thing and deliver it simply? How do you prepare yourself?

[Sara Hall] I think I really spend time thinking about it from their perspective and what am I saying that could help them to understand how it’s relevant. And also do I understand their business. And so having a two-way dialogue can help. I also am a huge fan of using tabletop exercises because that’s a great way to get them actually immersed in that story and have them actually experience it. Because I think telling the story is one thing. But when you can relate that to an actual possible exposure in their environment, a compromise of one of their systems, and not something that creates FUD but something that is very realistic. And you start getting them to think about what is the implication of that, how does that impact my ability to work. It starts to put it into a different perspective and helping them along to understand where that might go.

[Geoff Belknap] So, once again, tabletops have immense value in so many ways to what we’re doing and to what companies are doing in general to address risk. Not just for CISOs and security leaders but for the company themselves to understand what’s going on.

[David Spark] I could imagine that in tabletop exercises… Either one of you jump in. Can you describe some kind of ah-ha moment you saw from one of your non security people going through the motions, and they were like, “Oh, okay. I didn’t realize that. That’s great we tested that.” Was there an ah-ha moment that you’ve seen before?

[Sara Hall] Yes, I’ve definitely seen many ah-ha moments. We were doing a tabletop at a biotech that I worked for, and there were a couple ah-ha moments. One when several participants in the room realized they didn’t necessarily know all of the data that was in the system that was in the exercise. And they weren’t really sure how to get that either. And then they also realized that data was highly sensitive. We had a lot of high profile folks going through the clinic. And really that ah-ha moment of, “Wow, if this were to actually get compromised, that could compromise the trust in our entire company, and that could threaten the viability of our organization as a whole.” And so I think that was a really big ah-ha moment for them.

[Geoff Belknap] Yeah, I’ve seen similar things where executives ask the right questions a lot of times instinctively but don’t realize that it might take hours or days to get the data to answer those kind of questions. And it has been really helpful to both reinforce, “This is why it’s good to staff security at a certain level, and this is why it’s good to invest in certain systems.” But also it’s not like TV. It can take a while to resolve things. So, helping them understand that this is not just magic I think is really powerful.

Sponsor – HYAS

13:39.562

[Steve Prentice] HYAS is a company that believes the best defense is a proactive defense. And when this comes to protected DNS it means knowing what to do and using the best data available. David Ratner is CEO of HYAS, and he explains.

[David Ratner] The power of protected DNS is all based on what data you have underneath the covers in order to make decisions. How do I understand whether this particular DNS request, whether this particular endpoint should be communicated or not? And historically people have relied on threat feeds, and people have detonated malware, and people have relied on what’s happening in the world to inform their allow and deny lists. That works great for well known attacks. But what HYAS has done is we’ve come up with a revolutionary approach. HYAS has data that other people don’t have, which allows us to make decisions that other people can’t do. And in fact we recently published a blog that demonstrates that HYAS can be an order of magnitude more effective at blocking new attacks than our competitors. Now, eventually other people catch up when these things get published in threat feeds, and VirusTotal, and everybody knows about it. But what’s critical is what happens right now, and what happens during those weeks when no one else knows and only HYAS knows. And so it’s really about the deep intelligence that HYAS has that allows us to make decisions that other people can’t make.

[Steve Prentice] For more information, visit HYAS.com.

Why does it matter?

15:12.881

[David Spark] Ryan Boulais, CISO over at the AES Corporation, said, “A business leader should be responsible for cyber security of their business product, service, etc. The same way they’re responsible for the revenue, the margins, the uptime, the updates, customer relations, etc.” I think that’s a good way of putting it, by the way. “I recommend taking the opportunity to create a culture of security and not accepting the ‘I don’t understand’ as an answer.” This is a really good point that Ryan puts out. Sara, I want to toss this to you first of it’s just yet another thing that they need to manage. They just may not have the knowledge of it like they may have all the other things. And you’re just sort of that right-hand person that’s there to provide that knowledge so they can manage it like everything else. Do you see your role as that, Sara?

[Sara Hall] Yeah, absolutely. Cyber risk is just another type of business risk like legal risk or financial risk. These are things that the business leaders need to be informed on so they can make effective business decisions. We don’t expect the business leaders to have a law degree or to understand all of the possible legal implications of every decision, but they need to understand enough to know how to take that advice and make sound business decisions. It’s the same thing when we advise them on cyber.

[David Spark] Unless you get one of these awesome situations like you described earlier, and a nurse becomes a cyber security leader. Then they’re the multithread, right?

[Sara Hall] [Laughs] Absolutely.

[David Spark] I like that.

[Geoff Belknap] I think this is why we’re always clamoring about diversity and the breadth of people we bring into the industry. Because, look, this is a perfect example of when you want a difference of perspective on how you communicate with people or how you handle a risk, bring people in that haven’t just been dealing with tech risk or with technology. Bring people in that have this intuitive sense that they got from working with this somewhere else. It will, A, when you talk to those people, give you lots of ideas about how to communicate risk differently to different parts of the business. And B, give you a whole different appreciation about how you might view something. There is value for your business outside of anything else that you can imagine that might make you feel good about metrics. It will make your business better.

[David Spark] I had heard of…and I can’t tell you where this was from. I just heard of it, so it may be a [Inaudible 00:17:40]. Who knows. But of a doctor who had a degree, was a licensed practicing physician that left to go into cyber security.

[Geoff Belknap] I worked with somebody like this.

[David Spark] You did? So, this person does exist you say.

[Geoff Belknap] Yeah. I worked with somebody just like this. One of the first security startups I worked with. Guy was brilliant. While I think at the beginning of his career it was questionable whether he made the right choice, I think at this point he has solidified that he definitely made the correct choice.

[David Spark] By the way, talking about doctors leaving the profession, Michael Crichton was a student at Harvard Medical School where my dad used to teach. And at the time, he had written the script for “The Andromeda Strain,” which was going to be made into a movie starring Raquel Welch. So, he dropped out of medical school to go to Hollywood, and my dad and all the doctors said, “What an idiot.”

[Laughter]

[Geoff Belknap] Karma. It’ll always remind you later what you could have done if you just listened to yourself.

How do we determine what’s most important?

18:37.191

[David Spark] Lauren Verno Patrick of OnDefend said, “Explaining situations with concern is important, but it is just as important to come with a solution. That way your business leaders leave the conversation hopeful and trusting that their leadership will take care of the situation rather than frightened.” And Michelle Suedel, CISO over at The Title Team, said, “Active listening, hearing the unsaid, getting buy in from other leaders, and trying to find ways to increase their want, efficiency, productivity in tandem with improved security. Understanding all business decisions are risk decisions.” Michelle’s comment kind of sums it all up here, Sara. I’m going to throw this to you first. You were talking about this also earlier – active listening. There’s no point in coming in with your agenda. You just need to know what they’re doing and what you have in your sort of… Again, we go back to the analogies or metaphors we were using before. The quiver, the toolbox, whatever it is you want to use to help them out. Yes?

[Sara Hall] Right. Yeah, I love this quote because we’re not there just for the sake of security, as much fun as cyber security is. We are there to enable the business. And so it’s really critical that we understand the business and we find that happy medium to be able to empower effective solutions that protect the business to the right degree.

[Geoff Belknap] Yeah, I think so many times we forget that yes, you can do an okay job with security if you feel like your only job is to make sure that this organization you’re working for never makes a mistake. But truly great security is understanding that your role is to help the business, whatever organization you’re part of, grow and thrive as successfully as possible from your perspective of security. Like how do you help the business win. Again, when you can frame what you’re talking about in terms of risk, or your security program, or new investment that you want to put into the program in terms of helping the business win, that’s when it’s always going to come through. That’s when people are going to really hear you in that conversation. Look, it’s easy to talk to your board of directors. It’s difficult to add value to their thinking. When you start to add value to their thinking, that’s when you’ve landed at being able to really relate to them what you’re doing in their terms.

[David Spark] Yeah. And you make a good point. Like think to yourself, “What is it I’m going to say that will allow them to make an actual decision?” Just don’t say, “I’m not there to prove to them that I’m really smart about cyber security.” That’s not your goal there. Let me ask both of you, have you ever had a really challenging conversation? Either you didn’t know how to deal with an issue… It was like, “I got to take this back to my team because I don’t know the answer to this,” or they asked you a question that you were struggling to answer? Have either of you kind of have a tough…? And it might have been something early in your career that you solved later on. Geoff, any ideas?

[Geoff Belknap] Yeah, I think one of the first board meetings I think I had, I got a question of something along the lines of, “What are you doing about this X, Y, Z new vulnerability?” And my first reaction was like, “Oh, we’re going to patch everything, and we’re going to go find everything that this impacts. We’re going to take care of it. Don’t worry about it.” And then I realized as we sort of progressed the conversation that really wasn’t the question. In the board room and at the executive level, they assume you’re going to do that. They’re glad that you know how to do your job. What they mean is how are we going to make sure that this doesn’t impact the business – how are we going to make sure there’s a regular process here that doesn’t involve turning the business off for a day while we reboot and patch everything.

They want to hear what your strategy is for proactively being aware of these things and managing them. I remember that being one of those seminal moments where I’m like, “Oh, they’re not engineers asking me questions.” This person who is a CFO at a giant public company is not asking me if I know how to patch things. They’re asking me if I know how to think about this as a system of processes that are going to work together and scale up with the business, and am I going to add value to the business for doing that. And I think for me that was the moment where I was like, “Oh, I think I understand how this works.”

[David Spark] That’s a really good point because that is the kneejerk reaction of, “Don’t worry about it. We’ll fix it.” Which when you do that then you put yourself in the superhero category, and you have to then fix everything. Like everything is your fault if it breaks kind of a thing. And that’s a really, really good example of… Because that’s what we mostly want answered. Like, “Oh, well, we can fix a vulnerability. Don’t worry about it. We got it.”

[Geoff Belknap] Eh, don’t worry about it. Yeah.

[David Spark] Sara, do you have kind of a seminal moment like that?

[Sara Hall] Yeah, I actually had a moment that was much, much earlier in my career. We were working with some business trying to institute a new process where they were being required to capture all of their security mitigations and report on them. And after the meeting, the business owner pulled me aside and said, “So, you realize you’re asking me to give you the stick to beat me with.”

[Laughter]

[Sara Hall] That moment… I think I was still in my 20s at that time, but it was eye opening for me. Because I saw that from his perspective, and that’s one of the things that really caused me to try to shift and look from the other direction and say, “Okay. Well, how do I help message this in a different way so that that’s not how he’s viewing this activity?” And he’s understanding how this can help enable his business instead.

Closing

24:18.115

[David Spark] Awesome. And we will close there. But now I ask both of you…and I will start with you, Sara…which quote of all these wonderful quotes that we have received…which one is your favorite, and why? Sara, which one was your favorite?

[Sara Hall] There were some great quotes, so that was a tough decision. But I think I have to go with Jerich Beason from Capital One, that, “Analogies, metaphors, and storytelling is generally how I communicate with nontechnical leaders. Rule of thumb, if my parents can’t understand it I presume the business leaders won’t either.”

[David Spark] Very good point. I used to do a whole series of videos where I would ask people, “Explain complicated technology to your mom.” And what the pattern of the videos would be…the beginning, people struggle because I talk about this sort of curse of knowledge where people have too much information in their head. And they spurt out incredibly either too complicated or poorly dumbed down answers that don’t explain it. And then by the end of the video, you get some actually good, simple explanations of it.

[Sara Hall] Well, unfortunately my mom was a computer science major, so I try to consider… [Laughs]

[David Spark] You can’t do that with your mom.

[Sara Hall] …how I’d explain it to my neighbor maybe.

[David Spark] Yeah. Anyways, do a search on how to explain virtualization to your mom, and that’s a good example of one of the ones I did. All right. Geoff, your turn. Your favorite quote.

[Geoff Belknap] I really like Jerich’s as well, but I’m going to go with Mark Eggleston from CSC. “In a word, storytelling. The story of where the company is, where we are going, and most importantly what’s in it for them to join the journey, the security journey.” I think this is exactly how I think about it all the time is like where are we going, where’s the company along this journey, and what are we doing about it, and what do we need, or what decision are we at, and how does this relate to your business. I think this is one of the key pieces of advice other than Jerich’s to use analogies and metaphors that you have to really tap into your true storytelling spirit to really get this message across.

[David Spark] And don’t mix metaphors like I did at the very beginning of the show.

[Geoff Belknap] Well, everybody has got to start somewhere. Everybody has got to start somewhere. I think someday if you get good at this you could run an entire media empire, David.

[David Spark] That’s possible. That is possible.

[Geoff Belknap] Potentially.

[David Spark] That is possible. Hey, I want to thank our guest, Ms. Sara Hall, who is the deputy CISO over at MassMutual. Every time I hear someone who’s deputy CISO I kind of always assume they’re going to wear one of those little badges because I always assume deputy, you get a little star.

[Geoff Belknap] Or a sash.

[David Spark] Do you have one of those, Sara?

[Sara Hall] Yes. Yes, I do.

[Laughter]

[David Spark] Good. Good. Good.

[Geoff Belknap] Good answer.

[David Spark] A sash and a badge would be perfect.

[Sara Hall] A sash and a badge. The badge holds the sash on.

[Geoff Belknap] There you go, practical and useful.

[David Spark] There you go. I’m going to let you have the very last word here. But first I want to mention our sponsor again, HYAS.com. That’s how you would go about finding them. Security that protects and clears a safe path for innovation to follow. Check them out at HYAS.com. Thank you so much, HYAS, for sponsoring this very episode. I will just mention that Geoff is always hiring. And if you for some demented reason do not want to work with Geoff, there are some confused people out there, Geoff… I don’t know why. There are other jobs one can get by going to LinkedIn.com as well. Anything else you would like to add to that, Geoff?

[Geoff Belknap] No, I think you said it perfectly. I think the only reason you might not want to work with me is if we worked together in the past, and you just had too much fun. And now you just really want to focus and get some work done.

[David Spark] Yes.

[Geoff Belknap] But yeah, LinkedIn.com turns out to be a pretty useful website. You should try it out.

[David Spark] It is a useful website. I have used it for other things as well like to promote this very show.

[Geoff Belknap] Look at that.

[David Spark] Sara, any last words? And the question we always ask our guest is are you hiring. So, can you answer that question?

[Sara Hall] I’m absolutely hiring. Always hiring. Got a lot of great positions, and MassMutual is an outstanding company. So, check it out.

[David Spark] All right. Anything last on our topic today or anything else?

[Geoff Belknap] [Laughs]

[David Spark] No, nothing else. It’s great.

[Laughter]

[Sara Hall] No. You stumped me.

[David Spark] Stumped you. It’s amazing that the most open question becomes the toughest one. Don’t worry about it. It’s quite all right. We loved having you on. Thanks so much.

[Sara Hall] Thank you.

[David Spark] We’ve now had the CISO. We had Ariel on the other show, your CISO. And you, the deputy CISO, over at MassMutual. That is awesome. We’ll get all the senior leaders in security and maybe all of senior leaders at MassMutual on our show eventually. I’m sure.

[Geoff Belknap] Of course.

[David Spark] Thank you very much, Sara. Thank you very much, Geoff. And as always, thank you to the audience. If you see a fascinating discussion on the cyber security wires like on LinkedIn or on Twitter, please let me know. We love to turn great discussions into conversations on this very show. Send it to me. And as always, if we post a question out there – myself, or Geoff, or Steve Zalewski, who’s my other cohost – please respond because we may use your wonderful quote on a fantastic episode as well. So, we greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark at David@CISOseries.com. Thank you for listening to Defense in Depth.