Our Security Tool Can Do Everything But Mitigate Risk

No department is immune to budget cuts. When the budget cuts come in, where can security look first to save money? Mike Johnson said, “An expensive tool that doesn’t mitigate risk should be at the top of the chopping block.”

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Almog Apirion (@almogap), CEO and cofounder, Cyolo.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Cyolo

Too many critical assets and systems remain exposed because traditional secure access solutions are not able to protect the high-risk access scenarios and legacy applications that keep business operations running. Cyolo provides the fastest and most secure Zero Trust Access solution to give organizations visibility and access control.

Full transcript

[Voiceover] Best advice for a CISO. Go!

[Almog Apirion] The company is in a race car. I think that goal number one is to provide very good brakes for this car to win the race, so we have a lot of best practices. I think that we need to look at what the business needs in order to drive fast and win the race.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. My co-host for this very episode, you know him as Mike Johnson. Mike, grace us with the sound of your beautiful voice.

[Mike Johnson] I’m here. I don’t know that I would call my voice beautiful but thank you so much for the compliment, David.

[David Spark] We’re recording this episode on Valentine’s Day. Be my cyber valentine, Mike, would you?

[Mike Johnson] Oh. I’m sending you all the cyber hearts, David.

[David Spark] Thank you very much. We’re available at CISOseries.com and our sponsor for today’s episode, who is also responsible for our guest, I’m very excited about this, it is Cyolo – safely connect people to work. But before we introduce our guest, I want to ask you a question. I had the following scenario, this was a while ago. I had taken my son to a birthday party at a laser tag place. They had all these sort of video games, pinball machines, and other paraphernalia. And there’s one thing where you dropped 50 cents in, and you used a crane and you got some candy and you did it. And so I’m giving out quarters to all the kids there, and this crane candy machine consistently grabs about 10 cents of penny candy. All right? All right. I’m losing my mind watching myself get screwed over. [Laughter]

[Mike Johnson] [Laughter]

[David Spark] It’s driving me nuts. Now, more I’m like, “Just play the video games or the pinball machines,” which that just takes your money and just gives you entertainment back, which is fine by me. But it’s the knowingly getting screwed over. And the kids, by the way, were ecstatic. They were like, “Look! Look what I got! I got candy!” I’m like, “Yeah, you got cheated out of 40 cents!” So, here’s my question – is it wrong for me to be upset about that? Or whatever the kids are happy with, let it be? Because I was knowingly getting screwed over.

[Mike Johnson] I think that’s one of those things where inwardly you fume, and outwardly you project absolute joy.

[David Spark] Yeah, well I wasn’t.


[Mike Johnson] Yeah. Celebrate the kids. They’re so excited that they had the skill to get this prize of very little value.

[David Spark] Ten cents of candy.

[Mike Johnson] Yeah. And you’re sitting here thinking, “I could just give you 50 cents, and you could have 50 cents of candy.”

[David Spark] And you could get a nice candy bar or something with that.

[Mike Johnson] Yes, yeah. But there’s no joy in that. Maybe if you made them work for that 50 cents of candy, they’d be all in on it.

[David Spark] I know. It really drove me crazy to watch it happen, but it was the combination of watching it happen and they were ecstatic about what they got.

[Mike Johnson] Well, that also tells you that maybe over time, that joy that we have as children just slowly fades into cynicism.

[David Spark] Yeah. Well, it was more of like, “Don’t you see what’s happening?!” [Laughter]

[Mike Johnson] [Laughter] The man is getting one over on you, kids! Get used to this!

[David Spark] Driving me nuts, all right. I see our guest laughing. I think he’s probably had a similar experience, driven him crazy as well. Let’s bring our guest on. I’m very thrilled. It’s a brand-new sponsor and we get the CEO, the co-founder of Cyolo is here on our show, very excited about that. Our sponsor guest, Almog Apirion. Almog, thank you so much for joining us.

[Almog Apirion] Great being here. I’m listening to your podcast for quite some time. I said at the beginning I’m a recovering CISO. So to be part of the show, I’m excited.

What’s the best way to handle this?


[David Spark] Security professionals are constantly dealing with changes – standard and emergency – and then you’re looking for opportunities to change your overall security program to better serve the business. Some changes cause disruptions, others very little, and I’m sure dealing with that becomes a risk management exercise in itself. So, I’m going to start with you, Mike. Where has change management gotten easier and more difficult for you over the years? And how do you engage with your team and the affected users about making a change that works best for the business?

[Mike Johnson] Back in the day, change management used to be this concept of you file a request for a change and then it goes to the change review board that happens to meet weekly or maybe monthly, and eventually, your change gets out into the world. And then when it breaks, you have to go through the same process to roll it back. It slows everything down.

What I really think that things have gotten so much better is the rise of DevOps and site reliability engineering. That combination. DevOps is built around this idea of being able to move faster, being able to deploy changes faster. The cool thing is that allows you to back things out faster and make other changes faster. You could make a security change a whole lot faster following the DevOps practices. So, I really do think that speed that we’ve built as part of DevOps is something that has made change management easier because change is more constant. You build the processes around that, like Almog was saying, to enable the business to go faster. You can still roll things back, that’s the brakes, that’s the combination.

Combined with that, SRE, site reliability engineering, has taught people how important reliability is, that we have uptime expectations, and developers are used to that. We understand that we need to be more careful with our changes because when it goes out into production, we have to keep the thing up and running. So, you combine those together and you can improve security as a result. For bigger changes, you gave the answer in the question. You need to stress the business value and explain in business terms the change and the change management, and as long as you’re speaking in those terms, then people will listen. It’s the common refrain that you’ll hear from us, audience, is, “Frame your security feedback in the form of business needs, and folks will listen.”

[David Spark] Yeah. It’s kind of the theme of the show. All right, Almog, I’m going to go to your opening comment of which Mike referenced the brakes on the race car. I envision change management is just another form of brake that is on the race car and you’re learning to play a little bit better. Per Mike’s example, DevOps is kind of one of these more refined brakes on a race car. What do you think?

[Almog Apirion] I think that first of all, people, we are change sensitive. And my opinion on change is, again, as a recovering CISO, I think that change management is the biggest enemy of security because in a lot of cases, you see something that is going to hit you, you want to make a change, and it’s not easy. I think that the way to go around this… And this is one of the reasons that, first of all, I really like this topic talking about change management and security. This is also one of the reasons that I founded this company because, again, a recovering CISO. Prior to that, I was in charge of the Israeli Navy Cybersecurity Unit, so I’m practically a security buyer, was a security buyer for more than 15 years.

So, I’ve met a lot of vendors and I’ve met a lot of startups, and one of the things that I became a little bit allergic to is this general story that goes like this: Hey. The world out there has changed, and we are supporting the new world’s problems so just change your existing environment to work with us because we are the future. Man, it doesn’t work like this. If you want to do a big transition, you need to take organizations and customers from their existing state to the wanted state. You need to hold their hands, and you need to show them value throughout the way. So, the ability to do integration of new technology without change management, without changing your environment, I think that this is the light at the end of the tunnel here. There are new technologies that are supporting big changes without changing anything. So, this is the point that I’m getting full of hope.

Where does a CISO begin?


[David Spark] If an attacker can just slow down critical infrastructure, not even stop it, it’s sufficient enough to cause serious damage. As Roya Gordon of Nozomi Networks notes in an article on Dark Reading by Elizabeth Montalbano that the 2021 Colonial Pipeline attack marked a significant shift as the system desperately relied on real-time data. And as a result, they actually did respond to a ransomware attack in a very time-sensitive manner. So, it’s kind of a perfect storm for attackers as slowing down is all you need to do to cripple a piece of critical infrastructure. Combine that with almost half of critical manufacturing organizations ranking between a C and an F on SecurityScorecard’s security ratings platform, as reported by Nathan Eddy also on Dark Reading. So, we know there’s a lot that needs to be done here. But Almog, if you were running such a critical piece of infrastructure, what will you do first to not make yourself such a sitting duck for attackers?

[Almog Apirion] I think that there is a retransformation that is happening in the OT space, and I think that the compelling event was definitely COVID. A lot of organizations were closed, and they had to open up in order to keep the business running, but now they understand that they have a lot of things to secure. So, if you’ll ask me what to do first, all the attacks that we’re familiar with, all the remote attacks that you’re familiar with, require three main things for the attacker to be successful – a door, a key, and the ability to roam around – these three things.

So, what to do first? It’s pretty much related to what we talked about at the beginning of this episode of being these very good brakes. So, we think that – it’s kind of funny – computer systems were designed to serve people, and people are the biggest risk on computer systems and always the weakest link. So, my recommendation or what I would do is to concentrate on something that we call high-risk access. And high-risk access are the places that a user access could cause enormous damage to the business. So, let’s start by tackling the biggest problems first because this should be the first place to address.

[David Spark] All right. Mike, Almog says the big thing is cutting down the access issues, which we’ve heard many times before, so it very much rings true with our theories here. What do we do to not make these critical infrastructures so sensitive to… Again, just slowing things down, doesn’t need a full braking.

[Mike Johnson] In some cases, they just have to be sensitive to that. And so it really comes down to how do you recognize that you do have time sensitivity or latency concerns and focus on those. Basically, prioritize how an attacker could damage any of those systems that are critical for that manufacturing in Almog’s first scenario. So, it comes back to inventory. What are your systems? What do they do? And then you bring an attacker’s mentality to it to say, “Okay, if I was a bad guy, what would I do?” And that then combined with your own internal knowledge says, “Okay, these control systems over here that are related to our accounting for our pipeline, those actually are critical, where we hadn’t labeled them as such before.”

I think in the Colonial Pipeline example, the systems, the pumps, the things that actually moved the fluids through the pipeline, those weren’t impacted. It was all the accounting systems. And I don’t think that they had gone through and done the inventory of what was truly critical for the business. Start there so that you know and really understand what is critical and then you can build the appropriate controls around there, such as reducing the high-risk access to those systems. But without that inventory, you’re going to be surprised.

[David Spark] Quick question for both of you, and I want quick answers. Do you believe per the theory posed at the beginning that the Colonial Pipeline attack, this whole idea of just slowing down, is all you need to do to cause massive disruption? And I’m sure us cyber people knew this a while ago, but do you think that was more the big wake-up call for the whole industry? Almog, what do you think, quick?

[Almog Apirion] Yeah. I think that it’s a pretty sophisticated way to go because you’re not making a lot of noise and you can be under the radar. And I think that it’s a big risk because when you’re slowing down processes, again, there is high risk there and there’s enormous damage there. So, it will put you there as an attacker for quite some time until you’ll be…or more time than just creating something that is more noisy. So, I think that it’s a big risk.

[Mike Johnson] I think the Colonial Pipeline example is one that we weren’t quite prepared for in terms of understanding where things slow down and the impacts of that. There are plenty of other areas where we understand the impacts of speed – search results, searches within online stores, checkouts, high frequency trading. We understand the impact of speed in many other areas, and I think Colonial Pipeline was an example of maybe we didn’t fully understand the impacts and the speed requirements there.

Sponsor – Cyolo


[David Spark] All right. Before we go on any further, I do want to mention our sponsor and that is Cyolo. That is Almog’s company. So, zero-trust is the buzzword that won’t quit. All right, we hear it all the time. But you know what? We’re all onboard. The US government’s onboard with this too. But you go to any conference and that seems to be all the vendors want to talk about. What they don’t want to discuss is whether they themselves live up to the zero-trust framework in their actual solution offering itself. So, each new breach of a security provider uncovers new and unique ways that they require their customers to trust them, all while selling a zero-trust solution.

This nightmare is why Cyolo was founded. So, there’s two things that are going on with zero-trust. There is the structure, the architecture that requires the zero-trust and then there’s trust in that architecture itself. So, what’s happening is Cyolo is the only access solution to truly abide by the zero-trust framework, so their customers don’t have to put specific trust in the framework, they know that the framework is following zero-trust principles because the trust at Cyolo has done that. To find out, to understand this trust/untrust dichotomy, go to cyolo.io.

It’s time to play “What’s Worse?”


[David Spark] Almog, you know how this is played, correct?

[Almog Apirion] Yes.

[David Spark] All right. So, I’m going to ask, we’ll give you two horrible scenarios, you’re not going to like either one. This one’s good because it’s going to put you in the shoes of when you were a CISO, okay? So, hang tight for this. Mike, this actually was inspired by Grant Yost at VillageMD. We went into a long debate about this and then sort of this came out of our conversation. Here’s the situation. Your budget has been slashed.

[Mike Johnson] [Laughter]

[David Spark] You know it’s not going to go well, all right? The only way you can get more budget for tooling, which you desperately need, in fact your security program will barely function without it, is you have to do one of the following two things. One – you got to lay off some of your staff. You’ll get money for tooling but have less staff and potentially your current staff will be skittish that they could be next. But the tooling is now better protecting the business, but it’s become harder on you and your whole staff, potentially burning you and them out. Sounds pretty bad, wait for number two. You got to negotiate to get some budget from the different business units. Each business unit now has some animosity towards you, but your security program is now better to protect them and the business. What’s worse?

[Mike Johnson] This one’s easy.

[David Spark] It’s easy?

[Mike Johnson] This one really is easy. So, the layoffs is worse. The reason why I like the second one is we always talk about the business needs to have buy-in to security. In that scenario, you’re literally asking them to buy into security.

[David Spark] So, it’s actually a pro.

[Mike Johnson] It is totally a pro. I love that idea. And it’s actually not an uncommon one where security is a shared service in an organization and everyone has essentially a chargeback, an overhead out of their own departmental budgets into the security budget. So, not only is it I think actually great, it’s pretty common practice.

[David Spark] But in our scenario, they got animosity towards you, towards doing this.

[Mike Johnson] Yeah. But at the same time, they’re probably going to have animosity for me for other reasons. So, we’ll just lump all that animosity together into one bucket.

[David Spark] All right. Almog, are you agreeing or disagreeing here?

[Mike Johnson] Absolutely.

[David Spark] Absolutely agreeing, I’m assuming?

[Mike Johnson] Absolutely agreeing just judging from my background. I got to this point and was so happy to get to this point that the business units are actually paying for security. And the thing that I liked about it the most is when they tried to benchmark me with external companies and they got back to me, like as satisfied customers. So, that was a big win. So, I think that it’s a pro.

Please. Enough. No more.


[David Spark] Today’s topic is secure access. There are so many product categories that fall into this and we’re also going to include talking access to data and applications. So, Mike, what have you heard enough about when it comes to secure access – again, this is a big umbrella here – and what would you like to hear a lot more?

[Mike Johnson] The whole concept of companies having centralized IAM teams to decide who should be granted access, that really needs to go away. My team can’t possibly know if that request that someone made is reasonable. We don’t own the resource. We’re actually just kind of turned around and ask the resource owner, “Is this okay?” This is wasted effort and my team is not providing any value-add there. What would really help and what I would like to see more is how we get capabilities into the hands of the resource owners themselves to make it easy for them to manage who has access. They can then take care of it, and we’re not just acting as some weird middle layer in between A and C that’s providing zero value.

[David Spark] Going to take this over to you, Almog. Almog, what have you heard enough about with secure access? I mean, this is your bailiwick, so my guess is there was something you heard enough about before you started your business that you wanted to start your business. What was that? And then I want to know…

[Almog Apirion] You touched it already. Zero-trust, right? Everyone is using this term, kind of abusing it, we heard it too much. We need to understand exactly what are the benefits and what you are providing to the business, right? What are the capabilities? What’s the actual use? Because saying zero-trust won’t get you nowhere and in a lot of cases, it can be kind of annoying. So, no zero-trust. Yeah, we need to do it, but instead of talking about it, let’s do it for real. Instead of using buzz words, let’s just do it as it should be.

[David Spark] Then let’s get into that. What should it be by the way you see it that you’re not seeing enough of? Maybe you can explain the Cyolo solution here.

[Almog Apirion] Yeah. Maybe I can share my story. I did this transition toward zero-trust access more than seven years ago. I met a lot of vendors that all of us are familiar with, and I had one question that I asked all of them. Can you guys access my network into my digital assets without me, any of my team members even familiar with it? So, I heard a lot of long answers, like, “We have ISO 27K, we have SOC2.” We don’t tend to do such things, so I had to refine my question. I didn’t ask if you want to do it. I just wanted to understand if you guys can do it. Because you guys are holding my access policies and my encryption keys, so you most probably can do it. And then incidents like SolarWinds, FireEye, and even recently Okta happened, and everyone understood that zero-trust means zero trust, not vendor trust. So, that was something that was really important for me.

[David Spark] Let’s pause on that for just a second. Because this is what I mentioned when I was talking about your company is that you have to trust the vendor has the zero-trust solution, essentially is what you’re looking at. Trust has to exist somewhere. It’s impossible to live in a world with truly zero trust. But it’s the architecture of the system that creates a series of checks that allows for the zero-trust concept. Am I getting this right?

[Almog Apirion] Absolutely. And the thing that I was concerned about is mainly because we security practitioners, we get used to analyzing risks by magnitude and probability. So, if a vendor is holding the door to all of his customers, he’s just transforming himself to very appealing target for attackers, and there are things that you cannot control, right? There’s no code without bugs. And awareness, right? The bad guys, they just need one person in order to get in. When I was a CISO, I invested quite a lot in awareness, so I took real incidents from the neighborhood, like other companies of the industry and I [Inaudible 00:23:28] with my users. So, when I started, I was successfully [Inaudible 00:23:33] 40% of the users. After five years, this number went down to 4%. But the bad guys, they just need one in order to get in. So, again, there are things that you cannot control, and if I’m holding all the keys to the doors of all of my customers, I’m a very appealing target for attackers. Just try to imagine that you’re breaking into a place and you’re familiar with the fact that there is a cabinet holding keys to everything that is precious.

[David Spark] Every heist movie is like that. That’s what makes it so much easier. Mike is nodding his head. [Laughter]

[Almog Apirion] Yeah. It’s the first thing to look for, right, if you want to maximize your gain. So, yeah, that was very important to us. To provide true zero-trust with a cloud solution that you can scale and deploy easily and can support any existing environment.

What’s the ROI?


[David Spark] During a recession everyone is asked to cut costs, and cybersecurity is not immune. Where can cybersecurity professionals find opportunities to lower costs? Pam Nigro at Medecision provided some suggestions, as reported by Sue Poremba of Cybersecurity Dive. Look at the cost of each tool plus its cost to implement, operate, and maintain. Then ask yourself, “Is the tool actually mitigating the appropriate risk?” And Adam Glick, CISO of SimpliSafe, suggested looking where you have redundancies with tools. Many tools may have identical functionalities to other tools you haven’t even turned on. Is there opportunity to use this information to renegotiate or cancel existing contracts, and possibly consolidate your tools? The article vehemently argues not cutting staff since good cyber talent is so difficult to get, and rehiring would probably be far more costly. Mike, where have you seen success in reducing costs in any of the examples they gave, something else? Is there something here I’m not thinking about?

[Mike Johnson] These are great strategies. A great place to start is an expensive tool that doesn’t mitigate risk at all, it should be at the top of the chopping block. Maybe it made sense at the time of purchase, but things change, environments change, and if that’s not providing value anymore, that should be the first thing that you get rid of. Maybe the risk is better mitigated by a different solution at a lower cost. It’s a good opportunity for a discussion with your vendor. Maybe they themselves have made a change, maybe they’ve got better ideas how the risk can be managed. So I would, before you go to actually trying to cancel a contract, have a discussion with your vendor. The reality is canceling contracts is difficult. You’re unlikely to be able to cancel it, but you should know when your renewals are. You should be planning in advance, “Hey, that thing is up for renewal in June. I’m going to make sure I’ve got a project in April so that we can be in a position where we can cancel that contract.” It’s really painful to renew a contract for something that you’re not getting the value out of.

One of the things I didn’t see mentioned is altering scope. Maybe the tool works for a subset of your environment, not the entirety. Maybe you thought when you purchased it, “We’ll deploy this everywhere,” but the reality is it’s either redundant or not useful in certain parts of your environment. So, if you can really understand the scope of the value of the tool, when it comes time for renewal you actually have that renegotiation possibility and say, “Hey, look. I’m going to pay you half the price because I’m only going to be using it in half my environment,” and the vendor’s going to understand that. You can have a really good conversation at that point. They’re not going to want you to be feeling like you’re getting bad value because they would much rather keep you than have you cancel entirely. So, I think in addition to these strategies, look at how you can reduce scope or right-size the scope of your solutions, and then you can have a discussion with your vendor about reducing the overall value of the contract.

[David Spark] Almog, I throw this to you. What do you agree with either Mike said or these examples I gave and do you have any other suggestions on finding ways to save money? Because everyone’s being asked to tighten their belts.

[Almog Apirion] I’ll start with the basic role. I think that the main challenge of every security leader and it’s also good because this is also the reason that we are not going to be replaced by computers because we are solving a big problem. I think that CISOs need to find the right balance point between enable and security business. And the ability to be on this optimum is basically not existing but you need to get closer to that. So, things that are helping you to get to this balance point where you can enable the business and secure the business, I think that these are the tools that you need to preserve because they are definitely not nice to have, you need them.

I would look at things that can integrate with my existing security stack because I don’t want to manage islands and I want to make sure that, again, like we talked about at the beginning of this episode, we want to be these really good brakes to help the business to achieve its goals. So, to concentrate on that and to concentrate on things that can be part of my security stack, I don’t want to manage islands because this thing around the total cost of ownership that you just mentioned, it’s not about just a deployment, the project, of people, hardware, and software. It’s take it for three years and look at the actual costs to maintain it, to scale it.

And also you have your users. In a lot of cases when you’re enabling the business, it’s also important because you don’t want to be in a place that you’re blocking your users from doing their job. And from my experience, users, they can be really creative. When you block them from doing their job, they will find a way to bypass things. So, the places that will take me to solve my challenge between enable and secure that can integrate with my existing environment and can support in the business, not my best practices, other places that I won’t touch. All the others should be reexamined.



[David Spark] Well, that brings us to the very end of the show. Thank you very, very much, Almog. I greatly appreciate you sponsoring and providing some really good thoughts around, well, this big issue of zero-trust and let’s get to the architecture of what it’s actually doing rather than just throwing out the word as a marketing buzz term as in… We say this also about AI. The spectrum of what defines “AI” is very broad. I would say the same is exactly true with zero-trust. Would you agree, Mike, on this one?

[Mike Johnson] Oh, it’s very much a buzz word and we need to be very careful about it. And Almog, I really appreciate your perspectives around how vendors need to think about how zero-trust applies to them and their solutions and how they architect for that from the beginning. I like that you kept coming back to that and how that’s really something baked into your own perspectives and what y’all do. I also really liked the sentence that you said where a remote attacker needs a door, a key, and an ability to roam around. Those are a brilliant way of summarizing what remote attackers need, so I think that’s a great thing for folks to take home with them. So, thank you for joining us and thank you for sharing your experience and your perspectives. Really enjoyed chatting with you today. Thank you.

[David Spark] All right. I will let you, by the way, have… I do want to remind people to check out their site, cyolo.io, for more information on all of this. Do you have any special offer or anything you want to say to our audience in general, Almog?

[Almog Apirion] Yeah. First of all, I want to thank you guys. I was waiting to be part of this show as someone that was part of the audience, so thank you guys. It was great talking with you. And again, in order to support secure digital transformation, you need to be in a place that you’re gaining visibility and you know how to connect users’ digital assets while you can set a policy of who can access where and what this user can do while he’s connected. Super simple and this is the reason that we founded this company because it’s a huge problem to solve and it’s a fundamental building block when you think about secure digital transformation.

[David Spark] Perfect! Thank you very much, Almog. By the way, you can connect with Almog. We’ll have his connection to his LinkedIn account on the very episode of this blog post. Thank you, audience, as well. We greatly appreciate your contributions. Obviously, I did not come up with a tough enough “What’s Worse?”

[Mike Johnson] [Laughter]

[David Spark] But a good scenario in that it was a great way you want to play off. I just thought the animosity part… But the getting the buy-in, the financial buy-in, is actually an ideal situation. Good point. I was more working off the whose animosity you want, your staff or everybody else, and your attitude. Which, by the way, I speak to security professionals and they have this glass half-empty attitude of, “Well, everybody hates us,” and they just got to go [Inaudible 00:33:04] along with it. Do you feel that way? Do you think everybody hates security?

[Mike Johnson] I don’t think so, but I think there’s some perceptions of reality that we need to work through. I think it’s shifting a lot, but we do have to make difficult decisions sometimes and those are not always winning us fans.

[David Spark] All right. Almog, Mike, here’s my suggestion – security team donut Thursday. You bring out donuts for everybody on Thursdays and it’s brought to you by the security team.

[Mike Johnson] Been there, done that. Works out really well.

[David Spark] There you go.

[Almog Apirion] I have a better idea.

[David Spark] What?

[Almog Apirion] And we already talked about it. Support the business in the things that are really important for them, and they will love you without donuts at all.

[David Spark] We’re bookending the whole show, Almog! Perfect! Exactly what we want. Thank you very much. Thank you. Thank you to our audience for your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.