Limitations of Security Frameworks

Why do strongly supported security frameworks have such severe limitations when building a security program?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Stas Bojoukha, CEO, Compyl.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Compyl

GRC solutions often cause process roadblocks within organizations. They are either antiquated and lack the functionality needed or so stripped down they can’t fix the problems you set out to solve. That’s why the team over at Compyl created the all-in-one security and compliance automation platform. Compyl quickly integrates with the tools you use, and automates 85% of the day-to-day tasks, all while providing complete transparency and comprehensive reporting along the way. Start your free trial with Compyl today and see all the efficiency gains you can expect from a leading solution. Learn about Compyl today at www.compyl.com/getstarted.

Full transcript

[David Spark] Why do strongly supported security frameworks have such severe limitations when building a security program?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of the CISO Series. And joining me for this very episode, you know him very well, his name is Geoff Belknap. He’s the CISO of LinkedIn. Geoff?

[Geoff Belknap] David, happy holidays. I can’t wait to get into this.

[David Spark] The holidays are over.

[Geoff Belknap] Oh. Well, that’s…

[David Spark] We’re recording this at the beginning of January, but it’s not going to air until February. So, I think people stop saying happy holidays at that point.

[Geoff Belknap] Well, Valentine’s Day is probably coming up.

[David Spark] Yes, you could say, “Happy Valentine’s Day.”

[Geoff Belknap] Or 4th of July.

[David Spark] Yes.

[Geoff Belknap] Or maybe Halloween. Happy whatever holiday you’re celebrating right now.

[David Spark] That’s the other thing – not everybody listens to it when this episode airs. Someone could be listening to it around Halloween or next Christmas.

[Geoff Belknap] That’s right. So, don’t police my holiday cheer, David.

[David Spark] Okay, I’ll accept it. There’s always a holiday nearby.

[Geoff Belknap] [Laughs] That’s right.

[David Spark] Hey, you know, our sponsor for today, who I understand likes to celebrate holidays, they are Compyl – continuous compliance. And by the way, I’m going to repeat this many times. They spell their name a little differently. Let’s just lock this all into our brains. It’s spelled Compyl. I know if we were saying the word compile it would be spelled differently, but for the purposes of this company it’s spelled Compyl. They are responsible for our guest today who I will introduce in just a moment. But first, let’s talk about our topic. So, SOC2 and ISO27001 don’t require common highly regarded security controls such as multi-factor authentication, antivirus, and phishing simulations, noted Troy Fine of Drata on LinkedIn. Now, we all know security doesn’t equal compliance. We’ve heard this line all the time. But do we get so consumed with compliance requirements that we end up sidestepping really critical security controls that we need to deploy to actually lower risk? What do you think? Do you think that there’s this insane obsession with the frameworks and compliance that risk and security controls become the second thing we do and maybe forgotten?

[Geoff Belknap] I think there’s definitely… Well, to start off, I think that this is a fantastic topic for us to go in depth on because…

[David Spark] Oh, obsessive response from our community on this.

[Geoff Belknap] Yeah. There is a far reaching over focus on SOC2 and ISO27K. And to be clear, to underscore this whole conversation, I am a big fan of both SOC2 and ISO27K. But I think it’s worth a discussion about what those things are useful for and what they are not useful for. And I think we’re going to get into that today, and that should be pretty good.

[David Spark] That is exactly what we’re going to do. And my guest, who he was the one… Oh, people are obsessed with this. I questioned it. I go, “Really?” And he couldn’t have been more right on this. That’s what we’re going to talk about.

[Geoff Belknap] Hit it right on the head.

[David Spark] Right on the head. It is the CEO of Compyl. You remember, Compyl. Stas Bojoukha. Stas, thank you so much for joining us.

[Stas Bojoukha] Glad to be here. Happy New Year.

[David Spark] Thank you very much.

[Geoff Belknap] Way to go. [Laughs] I’m not the only one, David. See?

What are they looking for?

3:16.742

[David Spark] Bill Richardson, who is with Assured SPC, said, “Most regulatory and third party compliance programs are nonprescriptive. For example, they tell you what you need to do but not how to do it. Now, the major exception here is HITRUST, which as a prescriptive framework is quite explicit in its requirements. This is both a blessing and a curse.” And Usman Shahzad, INTECH Process Automation, “There is no hard rule for the implementation of any AV. Standards and security sometimes contradict or use in different contexts.” And Michael Segal of JIT said, “We just want some sort of bottom line – something we can cling to, and that’s where these frameworks prosper. The product security landscape updates with such speed and ferocity that these frameworks can’t keep up. And in a way, they offer false hope by suggesting the illusion of security to your product.” So, we say this a lot on our shows, about start with a framework. And people do like sort of direction and checklists. And yet, I’m going to kind of go back to what Bill’s comment said. He said it’s just the HITRUST, but I think there might be blessing and curse in all these frameworks. Yes, Geoff?

[Geoff Belknap] Absolutely, yeah. And I think it’s not just HITRUST. There’s also PCI, which is also very prescriptive. But I would say what’s really important here is to remember that a framework is really just that. It is a framework. It is just the outline of what a comprehensive program should include. And there’s a big difference between saying, “Your program should include something to help protect your endpoints,” and then saying, “Your endpoints should have antivirus or some other very specific type of software.” Because you can protect your endpoints in any number of ways, and you may decide based on your threat profile and your risk profile that you don’t need antivirus. That you need something else. Maybe something better or maybe something less restrictive. It is up to you if you are following a framework to figure out how you’re going to meet all the requirements of that framework. And the framework is never going to tell you exactly what to do because it’s a framework. It’s not a set of instructions. It is not a runbook for you to follow, and that’s good. Now, some people need that, and I think that there is nothing wrong with that. It’s always great to have a discussion about where to start. But I think there are other things that give you that beginning.

[David Spark] There is just… I’m going to keep doubling down on this, Stas, coming back to you. There is just some comfort of, “Oh, I just follow the directions here.” They’re looking at frameworks as directions. Yes?

[Stas Bojoukha] Yeah. So, I think there’s a difference here between even calling it a framework. I would not call a SOC2 or ISO a framework. I’d call it a standard and guidelines. I’d call the CSF a framework. This is a lot more prescriptive in terms of what should be done, when it should be done, by whom. SOC2…SOC in general and ISO are guidelines. Also you have to keep in mind that they just updated the ISO framework to 2022. But before then, it was 2013. We live in a completely different landscape than we did in 2013.

[David Spark] My God, so really nine years it hadn’t been updated?

[Stas Bojoukha] Yeah.

[David Spark] Wow. [Laughs]

[Stas Bojoukha] So, that’s why the guidelines and the standards are so misguided for where we are with our technology today.

[David Spark] Hold on. Let’s just pause for a second and think about this. Applying a 2013 model to today’s security landscape… That’s pretty disastrous.

[Stas Bojoukha] It doesn’t make any sense. And that’s why you’re seeing this disconnect about not requiring antivirus or…

[David Spark] MFA.

[Stas Bojoukha] Yeah, phishing simulation, MFA. Because all this stuff used to be on legacy, on-prem solutions that were much more difficult to integrate and to put in these controls. Whereas today, it’s very uncommon to come across a new company that isn’t entirely SaaS.

[David Spark] It reminds me of today, physical security is you have security programs. You don’t build a building now without security cameras. But there was a time you didn’t even think to do that.

[Stas Bojoukha] Yeah. And it’s funny now because auditors are still often asking for physical security around data centers, and then you tell them you don’t have data centers, and they ask, “Well, where is your data?” And you tell them it’s in AWS, or it’s in Azure, or it’s in GCP. But then they still want to know all the ins and outs of it as well, but you can refer them to their certifications.

[Geoff Belknap] My favorite part about this is when auditors are then asking you, “Hey, how are you degaussing, or shredding, or destroying those drives that your cloud service provider is storing for you?” And then you get to have that conversation with an auditor that hasn’t looked up anything new in the last 15 years about how you do this with encryption now, or how you handle things in the cloud. So, I think it absolutely needs to be updated. But again, I think it’s like if you are looking for a precise list of what you need to implement, they need to go read NIST 800-53. Whatever Rev is current as of this conversation.

[Stas Bojoukha] Absolutely.

[Geoff Belknap] If you just want a guideline to make sure you’ve sort of ticked all the boxes but it’s going to be up to you to decide how you implement that then one of these frameworks is going to be fine for what you need.

What are the best ways to take advantage of this?

8:27.494

[David Spark] Brett Osbourne said, “Risk assessment or risk management is the foundation of security. Risk management sets goals and expectations. Compliance validates.” Jacob L. of CyberCX said, “The intent of ISO27001 is to be a risk based framework. The intention is not to achieve compliance with every single control. You should be trying to best mitigate cyber risk in your organization, not achieve compliance so that you can wave a certificate around.” And Fraser Hardy Qudini said, “Security and technical controls you implement are the most important. However, these usually come through a process of risk assessment, which is the core part of ISO27001.” This is just kind of like a resource balance game, isn’t it, Stas?

[Stas Bojoukha] Yeah. I think there’s definitely some elements of that. I do agree that technical controls are the way to go. What you’re seeing now and from my experience is a lot of companies that are… Again, keeping in mind the world has really shifted in the past five years to cloud technology, right? So, you have organizations being able to stand up their products very, very quickly. And then they can get them into organizations quickly, and they need to sell them. And I completely get that they need to show and demonstrate that they have controls in place and all of that. The problem that I’m seeing in this industry is that a lot of those reports are not very technically focused. They go for the bare minimum on the SOC2, on the ISO standards.

Again, these are all self-prescribed standards and guidelines. And then on top of that you have auditors that are also not particularly well regarded, well known. Therefore you’re getting these reports that are very shallow with very little detail. The technology that’s also being pushed for a lot of this is, “Can I see the queries? Can I see how this is actually built? Can I see how this is running in the background, how the evidence is captured, who’s looked at it?” But there isn’t that level of transparency across this industry right now with the tooling that is currently being pushed into the market, which is I think it’s disingenuous to what is happening. And the whole point of this is to show that you are compliant, that you are trying to do the right thing, and that you are trying to move in the right direction. I think this has now become a real checkbox exercise and is really getting to the point where it could lose the merit that we’re trying to put around it in the first place.

[David Spark] Stas makes a really good point. Are we…? Is the sort of delay of updating all these frameworks, standards, whatever we’re calling them…? And I know that they’re different. But the delay of it, is it just making a mockery of the regulatory and compliance industry? And auditors, too, if they can’t keep up.

[Geoff Belknap] I’m going to say something that I’m sure the audience will find controversial here.

[David Spark] Go for it.

[Geoff Belknap] Which is you know what, the problem is not with the standards, or the frameworks, or the controls. The real problem we have and the real discussion we’re really having here is the way people misuse these compliance regimes and these certifications. What I mean by that is when you have a third party risk program and you are looking to onboard a vendor, whether it be my company or somebody else’s company, regularly you are asking those companies, “Provide me some proof that you either meet the ISO certification, that you have a SOC report in good standing, or that you meet some set of technical controls.” Because you’re trying to understand the risk of onboarding this vendor or this partner. And today, the shortcut to that is everybody asks for your ISO cert. Everybody wants to see your SOC2 type two, or they want you to fill out some other sort of information.

The problem is just as we talked about, ISO does not get updated every six weeks. It gets updated maybe every half decade or so. SOC2 today is relied on I think misguidedly as one of the gold standards of whether you are a responsible company and whether you’re responsible with security or privacy. And that is just not quite what it’s intended for. Both of those things – your ISO cert and your SOC2 certificate or your attestation report – are really just meant to go like, “Yeah, they have a reasonable security program that’s in place.”

But you really have to figure out what do you need to ask these companies if you’re trying to assess whether they’re risky or not, or whether they have controls in place or not. Because it is not whether they have a SOC2 report or whether they have an ISO cert. That is something else. I think today we abuse all of these things to try to get to that discussion of whether company XYZ has reasonable security controls in place, and it doesn’t work. I think that’s why we have this conversation and why people get frustrated that these controls are not in place. I think we really have to get to how do we ask those better questions because nobody is operating their company today going, “Well, SOC2 didn’t ask me if I need to have U2F or WebAuthn implemented, so I guess I don’t need it.” And the reality is no, of course that’s wrong.

[Stas Bojoukha] Yeah, I agree with that. Companies need to be able to implement continuous compliance throughout their organizations. They need to be able to rely on their teams, their products, and be able to grow with their organizations as they scale and make it as easy for them to be able to update their information security and management programs, add to them, make the barrier to entry almost seamless. This is the only way that we can make sure that we have continuous compliance. We have organizations big and small that are getting breached all the time, and a lot of this results in a false sense of security once you have a SOC2 or an ISO, thinking, “I’ve already done it. I don’t need to do it again or look at it for another year.” This is continuous compliance. We need to follow through with our information security programs and stay on it day to day.

Sponsor – Compyl

13:53.311

[David Spark] Stas, you just talked about the issues that we have and the need for continuous compliance, so I’m interested – when a potential customer comes to you, what is the situation they’re in that they need or they want the Compyl solution?

[Stas Bojoukha] Great question. Thank you. Our customers are coming to us when they’re looking for a robust solution to mature their information security management program. They’re not looking for checkboxes. They’re not looking for fake timelines. They’re not looking to satisfy a customer report for a simple audit. They’re looking for real results and looking for partners that can help them scale and grow with their business and all of their information security needs, and have a single platform that they can rely on that’s fully transparent and integrity first focused.

[David Spark] All right. Now, I want to talk a little bit more about your company, Compyl. Again, if you forgot, it’s spelled Compyl. So, GRC solutions, what we’ve been talking about, often cause process roadblocks within organizations. They are either antiquated and lack the functionality needed or so stripped down they can’t fix the problems you set out to solve. So, that’s why the team over at Compyl created this all-in-one security and compliance automation platform. Compyl quickly integrates with the tools you use and automates 85% of the day-to-day tasks. Nobody does 100%. Don’t ask them to. 85% is plenty. So, they do this all while providing complete transparency and comprehensive reporting along the way. So, you can start your free trial with Compyl today and see all the efficiency gains you can expect from a leading solution. Learn about Compyl today at compyl.com/getstarted.

What are they doing wrong?

15:33.017

[David Spark] Simon E. of DYNTK said, “You can spend a fortune having all the policies and procedures in the world. But if you don’t implement technical controls as well as educating the users then the policies have zero impact.” Kelvin Walker of Optiv said, “SOC2 is requirements, criteria, and the ISO27001 and ISO27002 are standards.” Which we brought up before. “Neither should be called a framework.” Well, I did accidentally. Don’t shoot me.

[Geoff Belknap] I call them frameworks. I think it’s…

[David Spark] “NIST CSF is a framework.” That’s what you said. “Of controls and NIST 800-53 are a program of controls which can or cannot be implemented.” So, I’m going to ask you, Geoff… Kelvin right here kind of says these are all different things we’re talking about. Is putting them in the same bucket really causing problems or not? What do you think?

[Geoff Belknap] No. I fully admit that I use the wrong word regularly about whether it’s a standard or a framework. I think the important thing here though is if what you are looking for is a list of technical controls, specific technical controls, and implementation details around those, what you want is PCI, HITRUST, or you want to review NIST 800-53 Rev four, or five, or… And now we’re up to six or seven depending on when you’re listening to this. Especially NIST will give you a very prescriptive set of controls and implementation guidelines for you to implement. That is what you want. It is there for you. Or you can go look at CIS, which will give you instead of the 800 controls you might implement it will give you 19. That is what you want.

If what you want is something different, if what you want is just to understand that you are going to make decisions about what controls to implement and how based on your risk and your environment, SOC2 and ISO27K are going to be great for you. I would go so far as to say NIST CSF is also great for you because it takes a very risk based approach and doesn’t force anything specific on you. It just forces you to cover sort of the five categories that it talks about. That is what you want. But if you are a brand new tech company selling a service and you’re hoping to just get a certificate or a validation of something that will make customers buy from you, I have bad news for you. There is no easy way out. You have to do a good job at security. No one is going to give you a security merit badge that will tell you you can stop doing security. You have to work hard.

[David Spark] The cub scouts or the boy scouts do actually have security merit badges.

[Crosstalk 00:18:14]

[Geoff Belknap] Well, I think those are specific about skills.

[David Spark] [Laughs]

[Geoff Belknap] Not about whether you are secure. But yeah. I think that’s all it comes down to. It’s just we have to learn to expect the right things from each of these frameworks, or standards, or attestations that we investigate.

[David Spark] So, know what you’re getting out of each one of these. Yes, Stas?

[Stas Bojoukha] Yeah, absolutely. And just to forget semantics here for a second, right? Framework, standards, guidelines in this…it doesn’t matter here. There is no silver bullet here. I wish there was. As someone who’s been in the space for 20 plus years, I really wish there was a silver bullet. I think you have companies that are claiming that there is one. And the problem that you’re seeing with it is they are using SOC2 and ISO as a framework. The problem with it is you have companies that don’t understand the business and they’re applying a blanket approach to these businesses, it just doesn’t work. Very simple example – how we use Google Workspace versus how you guys use Google Workspace is entirely different. We’re going to need completely different controls in place in terms of do we hold any confidential data in our Google Drive. Maybe we don’t. Maybe you do.

Do you need dual factor authentication? Do you need a CASB to control who can log in from where? These are just some simple examples of why you have to understand how businesses operate and what they use in their day to day environments in order to be able to actually protect them. The number of times that we’ve seen customers coming over to us that are basically saying, “We have this tool that we currently use. We don’t really know what it does, but it’s gotten us SOC2, or it’s gotten us ISO. But we’re actually legitimately now worried that we’re going to get breached.” And this seems to be pretty rampant across the industry at the moment, just going to my earlier point about that there needs to be some accountability here. Because what we’re trying to do is mature this industry and not the opposite.

What’s the motivation to fix this problem?

19:53.646

[David Spark] Daniel SUCIU of (un)Common Sense Advisory said, “I’d say that compliance without governance is just a utopia which cannot last. It’s just a badge, empty of any real meaning.” Aw, Geoff, speaking to what you just said. And David Geer of Geer Communications said, “Compliances are like dress codes. Suit and tie required, but you’d never show up to the party with only a suit and a tie.” I like that quote. That’s very funny. I do want to mention that I think the reason that there’s so much desire to start with compliance is while you do want to lower risk, if you don’t fulfill compliance, that is the first thing you’re going to get hit with. You might get ludicrously lucky and not get whacked. But you can for sure know you’re going to get a fine if you don’t get certain compliance issues in order. So, is it understandable why people behave like this, Geoff?

[Geoff Belknap] I think it’s perfectly understandable. And I think for a couple of reasons. One, we are in an incredible time right now where everyone has either an expectation because they’re a customer or has the drive and desire to provide a secure service because you’re building something that’s valuable to you that you want to be valuable to somebody else. If it’s important to you, you’re trying really hard to make sure that it’s as secure as it can be and try to balance the risk and the controls that you’re implementing with trying to make it a good company to work for or a good product to buy or sell. And that is not easy. I’ll flip it the other way and go I have not worked for any company of recent memory that regularly got questionnaires about their financial management framework. Like yeah, we have GLBA, and SOX, and things like that. Yeah.

But nobody was making you fill out questionnaires to explain what software you were using to manage your treasury department. So, it’s very unique that we’re getting these questions in security, and I think it’s really because there is so much change, and there is so much going on. There is so much for people to track that it’s hard to land on something. I always bring people back to you have to figure this out for yourself. You have to feel really good about what you’re doing, and you cannot over fixate either on certificates or ignoring certificates and attestations and just going, “I don’t worry about any of that. We’ve got the world’s most advanced technology for detecting a breach.” That’s great.

But if you also aren’t sitting down with your executive team and talking about risk on a quarterly basis or doing some of these other things that might not be super important to you if you’re only focused on the technology, you’re losing out. So, the real trick is none of these things tell you to do this, but I’m going to give you this secret – you have to balance all of these things. And I think that’s why we have these conversations. That’s why people like Compyl exist. That’s why we are invested in this space. Because we want to figure out the right balance for all these things that make our customers happy, our investors happy, our employees happy. And it’s not easy.

[David Spark] I would agree with that. Stas, give us the closing thoughts here.

[Stas Bojoukha] I completely agree with Geoff. This is all going back to fundamentals. It’s not the so sexy stuff like policies, procedures, training, vendor management, risk management, asset registers. But these are all things that need to be in place, and they’re all pretty widespread across all of these different frameworks anyways. But they’re the things that need to be kept up on a day to day basis, and maintained, and made sure that they’re nurtured and followed. I completely agree – it’s all about a reasonable level of security, but it has to be to the point where somebody has actually done a gap assessment, put together the risk appetite of that organization, and gotten buy in from that organization itself. That is not happening. And so we’re having blanketed approaches, again, to companies that don’t fully understand their exposure levels, and they don’t understand the risk landscape of their organization, which is why we’re seeing an increase in breaches in my opinion.

[Geoff Belknap] See, this is… Stas, I want to focus in on what you said. That review of what your current status is, what the gap is, what your risk is, how you fill in that gap, that is the thing that you won’t get from just blindly following a framework. That’s the hard work, and you’ve got to fill that in. And no framework of technical controls or policy controls is going to explicitly tell you that that’s where you need to start. Although I will say NIST CSF actually is pretty good at guiding you down this path. Although I think a lot of people sort of misimplement NIST CSF. That’s a podcast for another day. But I think that’s the really important thing that Stas is guiding us towards here.

[Stas Bojoukha] I completely agree with the NIST CSF point as well, but I think if you don’t have the skills internally then you need to go out and find them. Just like you would if you had a legal issue you’d go to a legal expert. Just if you had an HR issue, you’d go to someone that specialized in human resources. It’s the same principle that would apply here. It’s a very complicated, heavily regulated space most of the time. It needs expertise to look at and to say that you’re on the right path and to get some help when you need it.

[Geoff Belknap] Yeah, just like most people don’t defend themselves in court based on something they read on the internet. Maybe don’t build your entire security program based on something you read on the internet. You’re going to have to put in some hard work.

[Stas Bojoukha] Or diagnose yourself.

[Laughter]

[David Spark] Internet doctor, not a good idea.

Closing

25:03.374

[David Spark] All right, we’ve come to the point in the show where I ask both of you which quote was your favorite and why. I know which one was what I thought was the funniest. But I’ll start with you, Stas. Which quote was your favorite and why?

[Stas Bojoukha] I’m going to double down here. So, on the Brett Osbourne quote, “Risk assessment or risk management is the foundation of security. Risk management sets goals and expectations.” Again, this is all about the risk appetite and the risk landscape of that organization. If you were to be able to put a gap assessment of an organization…put their gaps in front of their C-suite or their management committee and get them to actually look at it and put their signatures to it, that’s how you drive real change in the organization, and that’s generally the best approach if you’re entering a new organization that’s dysfunctional or has never had security before. That’s usually my go to is that approach, and I would say that he hit the nail on the head there.

[David Spark] Geoff?

[Geoff Belknap] I couldn’t agree more, but I’m going to go for the laugh, which is David Geer saying, “Compliance is like dress codes. Suit and tie required, but you’d never show up to a party with only a suit and tie.” And I would say I bet you David has tried. But no.

[David Spark] [Laughs]

[Geoff Belknap] This is exactly what we were talking about, wrapping up the last segment. You have to fill in the gaps. You have to do more than just what the framework says, and you cannot fall back on in this day and age…you cannot fall back on yourself being a serious security professional if you’re like, “Well, I did exactly what the framework told me or what the standards were and nothing else. And oops, something bad happened. Not my fault.” Incorrect, and you need to look into growing and educating yourself as a professional in security if you think this way.

[Stas Bojoukha] Or lull yourself into a false sense of security.

[David Spark] Mm-hmm.

[Geoff Belknap] Yeah, or write a book, I guess, is the other way to go. Just lean in.

[David Spark] There you go. All right, we’ve come to the end of our show. Thank you very much, Stas Bojoukha, who is the CEO of Compyl. If you don’t already know how to spell it, let me do it one more time for you. Compyl.com/getstarted to start your free trial. Anything else to add to that, Stas?

[Stas Bojoukha] No. Come check us out for a 30-day free trial. Again, we’re an end to end information security and automation platform, better known as the Next Gen 0C [Phonetic 00:27:07]. With Compyl, you get a full FTE’s worth of automation out of the box and a robust information security program that grows with you as you scale.

[Geoff Belknap] That sounds okay.

[David Spark] That’s what I was going to say. I’m down with that. Thank you, Geoff. Thank you, Stas. Thank you, Compyl. Thank you, audience. We greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.