Security professionals talk a lot about the reputational damage from breaches. And it seems logical, but major companies still do get breached and their reputation seems spared. What’s the reality of what breaches can do to a company’s reputation?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Cecil Pineda, CISO, R1.
HUGE thanks to our sponsor, Brinqa
[David Spark] Security professionals talk a lot about the reputational damage from breaches. And it seems logical, but major companies still do get breached, and their reputation seems spared. What’s the reality of what breaches can do to a company’s reputation?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me for this very episode, you know him, you love him, his name is Geoff Belknap, and he’s the CISO of LinkedIn. Geoff, say hello to the friendly, nice audience.
[Geoff Belknap] Hello friendly, nice audience, and hello David.
[David Spark] Before I go on any further, I do want to mention our wonderful brand-new sponsor and that’s Brinqa. Brinqa orchestrates the entire cyber risk life cycle across all security programs including understanding the attack surface, prioritizing vulnerabilities, automating remediation, and continuously monitoring cyber hygiene. Wow, that’s a collection. Well, more about that later in the show.
Geoff – our topic for today. Justin Daniels of the law firm Baker Donelson asked, “Does a breach really result in lasting reputation damage?” It’s a great question because it’s something security professionals warn of, but it doesn’t seem to be actually playing out, or we don’t see it and that’s kind of a key thing here. Big breaches of Target, Home Depot, and Neiman Marcus seem to have no long-term effects. Are we more accepting of breaches, don’t notice it, don’t care? Why is this happening? Or are breaches really causing reputational damage we may not be privy to? Geoff, what say you?
[Geoff Belknap] I think it’s a great question that Justin poses here, although I think he overlooks the other great reputational harm that can come, which is to people like myself that are in security leadership roles, not just the reputation of the brand.
[David Spark] Ah. Good point.
[Geoff Belknap] But I think it’s very clear that brand damage does happen, although frequently it’s acute and it’s not long term. And that, I mean, to some extent that’s great. To some extent, it’s a shame. You would like to see there be some consistent pressure to change over time. But you know what? It’s a very complicated matter and I think we’ll have a great conversation about this.
[David Spark] I am looking forward to it. And I’m very excited to bring our guest on. A fan of the show and now he’s on and thrilled to have him on. It is the CISO for R1 – Cecil Pineda. Cecil, thank you so much for joining us.
[Cecil Pineda] David, thank you for inviting me. This is one of my bucket list. You probably remember how when I saw you at RSA, you saw my reaction when I saw you. I was very excited and now I’m more excited. I’m in your program, finally.
[David Spark] If only my wife could be that excited to see me.
What’s going on?
[David Spark] Chris Gebhardt, CISO of Synoptek, said, “Initially, yes.” Again, we’re referring to reputational damage. He goes on to say, “Stock charts show that link. But as investors are greedy, they love a bargain stock. So, Equifax went from a high of $145 in August to a low of $92.98 45 days later. Today, it’s at 193 bucks,” or when he put this comment up. So, not as pronounced in others but it’s definitely there. And Bryan Solari of AppOmni said, “Looking to stock prices post-breach does not, in my opinion, calculate the reputational damage. It depends on the type of the data exposed, the amount of time between the date of exposure and the time of remediation and disclosure, and the actions of the company before, during, and after the breach.” So, I’m going to lean on that very last thing that Bryan says. I think that’s the thing that really affects reputation is how they handle it. But is it both? What do you think, Geoff?
[Geoff Belknap] It is. It depends, which I think is my favorite answer.
[David Spark] We should just call the show It Depends because that comes up a lot.
[Geoff Belknap] That is the spinout that’s coming soon. So, here’s the “it depends.” If you look strictly at stock price, you’re almost always going to see that recover fairly shortly after the breach.
[David Spark] And everyone likes a bargain, and Chris makes a very good point.
[Geoff Belknap] Everyone likes a bargain, and the reality is, especially if it’s a consumer company, right? If it’s not a business-to-business company, that stock price is going to recover pretty quickly, and people realize that they need to buy nails and hammers and diapers and milk and things like that. And let’s be honest, many breaches don’t interrupt how a business performs. Now there are other breaches that might be financial, that might be related to ransomware or might be related to your ability to maintain regulatory compliance long term, but the reality is it is first and foremost an opinion of whether they should do business with you. So, if you’re a consumer products company, it’s pretty easy for them to figure out they can still buy milk from you and everything’s going to be okay.
If you are a security service provider, and I think especially if you didn’t communicate about the breach well or if that breach wasn’t handled in a timely manner, it is going to be very difficult to do business with you long term, and especially if you’re a business that is a nice to have, not a need to have. It’s going to be very easy for people to switch away from you. So, I think that reputational brand damage is certainly something that you have to manage, but there are ways you can manage that and there are plenty of people that have done a phenomenal job of doing that.
[David Spark] All right. Cecil, I throw this to you. Chris says there is an initial hit, which we have seen. This is to big public companies. But Bryan says looking at stock prices, that isn’t the way you calculate it. It’s all these other factors as well. Where do you think this brand damage appears or if not at all?
[Cecil Pineda] Yeah. As Geoff mentioned, type of industry and how you handle the breach. And for healthcare industry, this is something that we always worry about. We know that there are fines, we understand that we have to take care of those fines, but at the same time the most important for us is making sure that we take care of the organization’s reputation, so we work every day to make sure of that. We work with various parties including our customers. We work with 11,000 healthcare organizations to make sure that we are always…
[David Spark] So, let’s get into the… Like dig down one level. I’m sure you’re trying to do it and everyone’s trying to do that. But where do you think the reputation gets the biggest hit that you have to work on the most, I guess, is the question.
[Cecil Pineda] I would say for myself we monitor all these breaches. And a lot of the organizations that have been hit by ransomware, for example, or data breaches, it takes a while for them to recover. I’ll give you an example and this is public knowledge. Our organization, before, we were known as Creative Solutions. If you Google Creative and Brian Krebs we were headlined between 2011 to 2013. We lost PHI and until now, even though we’ve recovered, we’ve improved our security program, we know that when we deal with organizations, like based in Minnesota where the laptop was stolen, we’re still getting asked about that particular incident that happened 11 years ago. So, this reputational harm for us is very important.
[David Spark] So, you did actually experience something like that that has, what is it? A 12-year lingering effect it sounds like.
[Geoff Belknap] Yes, yes, it is. And that’s why we are always on our toes, we work 24 by 7. Healthcare CISOs are probably, outside of financial CISOs, are probably the most stressed-out leaders around here. We have every American’s information in our system so it’s hard for us not to be stressed because we all know that it’s just a matter of when, not if. But we would like to avoid it if possible.
Why is this so darn hard?
[David Spark] Bryan Solari of AppOmni said, “There’s also an element of truth that even companies with the most excellent security programs and defense in depth get breached. Holding companies accountable has to extend beyond only the existence of an incident. The layers must be peeled back to what happened before and after an incident and how these issues were handled. The nuance is important.” I like to say sometimes LeBron James loses.
[Cecil Pineda] Yeah.
[David Spark] That’s the way I read that. And Sandor Slijderink noted a variety of factors, “Nature of the business that was breached, reason for the breach, public response to the breach, business activities between the breach and announcement of the breach, and brand loyalty.” So, let’s take this from, “We’re an awesome team, we’re the LeBron James of security,” how do we present ourselves of handling the breach at sort of all these levels that Sandor pointed out as best as possible? Geoff.
[Geoff Belknap] I think the reality is – Sandor’s got it exactly right – it’s the nature of the business, it’s all the factors that went into it, and it really is the nature of your customers as well, right? So, if that brand loyalty, that brand trust is really critical to the market that you’re in, boy, you better have some not only great security people, and this is the thing that everybody forgets about, you better have some amazing communications team. And what I mean by that are the people that are in charge of making sure that your voice and what you need to say about whatever happened makes it to the right audience, right? And whether that be the press, whether that be most importantly your customers, or in my case, your members, the security people can’t do all that themselves, right? It’s an amazing team sport. Just like when LeBron loses, it’s not LeBron that lost, it’s the whole team, right?
[David Spark] Right.
[Geoff Belknap] Although frequently, and I think this is important to point out as well, CISOs are often seen as the quarterback or the power forward or pick whatever sports metaphor you’d like me to model, and a lot of times the first couple of press articles that are going to come out are going to feature the CISO, the CISO’s name, or what…
[David Spark] Yeah, LeBron James lost the game or whatever.
[Geoff Belknap] Exactly right. And so I do think there’s a conversation to be had here about there can be absolutely reputational damage for the CISO that was in charge. Even if they had only been there for a day before the breach was discovered, it is a reputational hit for the person. And certainly for me and Cecil. We don’t have teams of comms people or lawyers or other people to protect our reputation. But I think it is something really important for us to keep in mind that we have to try our best, we have to work together as a team, and we have to really be thoughtful about how we communicate about what happened. Yes, for legal reasons, but most importantly, if you want people to trust you, especially for issues like this, you’ve got to lean towards transparency.
[David Spark] So, Cecil, describe either for yourself or how you’ve seen others handle it the best way. Because again, even the best can have a bad day.
[Cecil Pineda] For many years now, I watched Reed look at all these indicators for all the breached companies, how they communicate, how they handle it. Until now, there’s really no magic formula. I’ve seen companies communicate less and they got out of it. I’ve seen companies communicate more and they got out. And I think what Sandor was saying is true.
[David Spark] That’s a really good point because everyone talks about transparency, which you also mentioned, Geoff, as well, but the whole gamut has been successful. That’s a good point. Continue, Cecil, I’m sorry to stop you there. Go ahead.
[Cecil Pineda] Yeah. I’ll give you an example right now. Do you know how many times I got a breach notification from T-Mobile?
[David Spark] No.
[Cecil Pineda] I couldn’t count anymore. I have multiple credit protection letters already from T-Mobile but I’m still with T-Mobile. Why? I’ve earned these years of rewards; I’ve earned this grandfather data. And I just checked to transfer to AT&T or Verizon. They have to do a lender credit check. Really, it’s so hard to just move from one carrier to another. So, what Sandor was saying, brand loyalty is, yeah, it’s probably one of the reasons why people decide to stay for that service because…
[David Spark] There is also the cost to exit. Sometimes a cost to exit is so darn high, it’s just not worth it.
[Geoff Belknap] And I think the switching cost is a really important part of that, right? So, I can buy my milk somewhere else. No problem whatsoever. Switching internet providers for my home? Higher pain cost. Switching it for my business? That’s a high cost. It takes months, there might be a big change, and a lot of that factors in. But the important thing is, and I just want to pick up on something Cecil said early on, people get out of it. And sometimes they don’t say anything, sometimes they say very little. But what we really mean here, and I think this is, Cecil, what you were saying, is when you get out of it, what you’re really saying is like, “Yeah, eventually Krebs writes about something else, or Vasily, Wall Street Journal can’t cover your breach for six weeks end on end.” Right? Now, if they do, you’ve really messed up.
[David Spark] Well, there’s some like the SolarWinds, it seems like that went on forever.
[Geoff Belknap] But even that. There’s no new press about that right now, and I’m sure there is still stuff going on and there’s still unresolved components to that.
[David Spark] Yes. In fact, I spoke to the CISO. He’s still dealing with it two-and-a-half years later, I think.
[Geoff Belknap] A great example. I’m sure that will follow him around, much to his displeasure, for many, many years, and it will not be his favorite thing to talk about or her favorite thing to talk about. But I think the real important thing is, yeah, eventually you get out of the press, but the real getting out of it is is your reputation still there? Do people still trust you? Because if you’re, again, if you are the CISO, or if you’re thinking about the corporation or organization’s brand and trust, that is what matters, that is what gets people to do business with you, and if you don’t have that, it’s going to be a long uphill climb.
[David Spark] But think about this – Cecil, I’m going to ask you this question – what is a better security leader you want to work with, one who’s dealt with a breach and dealt with it well, or a security leader that’s never had a breach that you know of?
[Cecil Pineda] Always want to work with leaders who have been through it all.
[David Spark] Yeah.
[Cecil Pineda] Because I think experience is really the best. I’ve worked in companies that have been breached. I worked at GameStop, I work at various companies, and I know that leaders who have been through it, their past experience helped us get out of it quickly.
[David Spark] That’s a good point.
[Cecil Pineda] Reputation may get a hit, but I think the way we handle post-breach is very important for us to be able to at least maintain our reputation at a certain level. Now, it might be a little hit but it’s better for people who have been through a breach.
Sponsor – Brinqa
[David Spark] Before I go on any further, I do want to mention our wonderful brand-new sponsor, Brinqa. Remember I mentioned them at the beginning of the show? By the way, if you’re wondering how they’re spelled, it’s B-R-I-N-Q-A, and if you throw a dotcom you’ll get to their site. So, more, as we all know, was supposed to mean less than one cybersecurity tool after another, after another. An ever-growing arsenal to keep up with the increased risks exposed by a rapidly expanding attack surface. More tools in order to bring about less risk, right? But that’s not what we got. Instead, more tools have only led to more complexity, more incompatibility, more silos, more pieces to the puzzle, more time trying to understand security posture, to see what’s what, and more hurdles to taking effective action.
What we need now is more precision, more laser-targeted action to manage assets and their vulnerabilities across all security tools, programs, and their entire attack surface. To know who owns what, get to a single source of truth, and surgically eliminate critical risk. This is exactly what Brinqa provides to those charged with navigating the relentless chaos of securing their business. The Brinqa SaaS platform cuts through security complexity and empowers precise action, tuned for specific environments and business outcomes. See clearly, act precisely, that’s what you get with Brinqa. So, learn why companies like Adidas, Whole Foods Markets, and Coca-Cola trust Brinqa. Go to their website, visit brinqa.com to learn more.
Why are they behaving this way?
[David Spark] Justin Daniels, once again from Baker Donelson, he’s the one who brought up our topic, said, “I tend to think reputation harm for most companies is overblown as people become accustomed to it.” That I think is true. I go back a number of years; I don’t think people were as accustomed. And Jonathan Weekes of Lazard said, “I also think that people realize now how hard it is to keep the bad guys out and just assume it will happen. Smaller companies are typically not that lucky, as they don’t have an established name or large client base, and they tend to have names you don’t know.” So, this is kind of an interesting thing, and this also comes up is that I mentioned really big breaches like Target and Neiman Marcus, and they seemed to do fine. But there may be the smaller companies you hear about that kind of get hit, they vanish, and we never know about it. Do you know of one of these and have you seen this happen, Cecil?
[Cecil Pineda] I used to work for a consulting company and a lot of these small SMBs are not able to recover quickly, and at least I know a couple of them that had to borrow a significant amount of money to get out of it.
[David Spark] Really?
[Cecil Pineda] Yeah. Forensic legal fees, smaller companies cannot afford that. Organizations like ours because we have pretty good infrastructure behind us, cyber insurance, we can typically survive larger breaches.
[David Spark] Geoff, have you seen this kind of behavior for smaller organizations?
[Geoff Belknap] I don’t have a ton of personal experiences here but anecdotally I know it happens. I know there are small companies that might go out of business because they, again, if it’s something like ransomware, maybe they don’t have backups, maybe they’re not in the cloud, right? If you hit a dental firm, a dental firm is not using the world’s most cutting-edge infrastructure or software as a service necessarily. It could be like a mom-and-pop kind of thing, so it can be very impactful.
But I think I am really strongly aligned with Justin Daniels here where he says the reputation harm is overblown, and I want to add some nuance here. The reputational harm angle as an approach that CISOs take to justify their existence or their budget or their head count is overblown, and at this point, overplayed. It is no longer sufficient, if you are a CISO of a modern organization and you’ve been doing this for any amount of time, it is no longer a real approach for you to take to say, “There’s going to be brand damage and the company’s going to be hurting for years.” The reality is we are seeing consumers and other businesses just not care. Or at least not to the extent that they’re going to stop doing business with you.
[David Spark] I strongly think that you’re right on the just don’t care.
[Geoff Belknap] Now here’s the important part. That doesn’t mean we go home because the consumers don’t care, it means that people have been numb to it. I’m like Cecil, I’ve got free credit reporting insurance for the rest of my natural life. I’m going to find out if I can leave it to my kids. But the reality is now as security leaders, we need to pivot to understanding what is the value that we are adding to the organization, what is the upside we are protecting or adding beyond just protecting against risk, right? Any one of us can buy car insurance. Nobody wants to buy the luxury, top-end, super-duper car insurance. We just want sort of middle of the road. We don’t want to be paying more than we should. In this case, security has to stop selling itself as insurance against something bad that might happen and think about what is the good that we can add to the organization. And there’s a lot of good that we can add, and we have to let go of this trope that only we can protect a company from something bad happening.
[Cecil Pineda] Yeah, I’m a little worried about that breaches are getting normal. And unfortunately, it is.
[David Spark] I don’t think any of us likes that, sure.
[Geoff Belknap] To be sure. I don’t love it, but I do see what’s happening. I think you’re using the right word, Cecil. It’s getting normalized. People are getting kind of numb to it.
[David Spark] Well, when it’s in the news it seems daily, we can’t always be in panic mode. You know what I mean?
[Geoff Belknap] Yeah. I apologize to my sales partners but so much of marketing message, especially for security companies, is centered around sending email blasts anytime there’s a new major breach or vulnerability. I must get 30 emails within an hour of that thing being announced. And so now it’s all anybody hears about is the negative side of things. What I would challenge anybody who’s building a marketing campaign or selling or pitching a security product is talk about the value this adds to the organization that is not directly tied to preventing a breach or something related to a breach. Let’s talk about how this makes it easier to do business at my company and lowers the friction of this intense security feature that I have to implement everywhere. It makes customers happier because we’re building a more secure environment. We have to let go of everything’s about a breach.
[David Spark] Very good point, and to quote the other co-host of this show, Steve Zalewski who used to work at Levi Strauss, he’s been heavily quoted saying the line, “How does it help me sell more jeans?” If you can understand the how it impacts the business, that’s huge.
Whose issue is this?
[David Spark] Chris Gebhardt, again, CISO over at Synoptek, said, “The only way to impact these companies to take security seriously is through large, impactful fines.” And Robert Busby said, “Privacy regulation and real enforcement fines are necessary for larger businesses that fail to exercise due care and due diligence in their operations. Step one – fire or fine the CEO and CFO, not the poor underfunded CISO scapegoat.” Now, I’m sure we’re all onboard with not firing the CISO here, but both Chris and Robert bring up really good points is that there doesn’t seem to be enough real pain when the company does truly wrong. Should we fine just because we got our house broken into or should we be fined because we left the door wide open? Cecil.
[Cecil Pineda] Well, I have to answer this in two ways. One, Cecil as the consumer. I can tell you I agree with this. But at the same time, as a leader where I work where we know the cost of data breach is already high, I don’t know if you know $400 per account for PHI is pretty hefty.
[Geoff Belknap] Yee.
[Cecil Pineda] Yes. It’s higher than PIIs. At the same time, it’s so hard to… I agree with these two quotes as a consumer, but as a CISO I think, at least at the healthcare industry, we’re already heavily fined. There’s a lot of losses that’s involved with data breaches with healthcare, I would really think that…
[David Spark] You don’t want to invite more fines and regulations. [Laughter]
[Cecil Pineda] Yeah. There’s already a lot. And I know that most of the healthcare organizations that I know of today are doing our best to protect PHI for all of our customers.
[David Spark] So, I go back to the analogy of LeBron James sometimes loses some games.
[Cecil Pineda] Yes.
[David Spark] Geoff – so I mean there’s this desire to throw in real pain, but we already have systems in place to create fines if you get breached and certain stuff gets loose that you don’t have proper protections on them. What more do you think Chris and Robert are looking for here?
[Geoff Belknap] I’ve known Chris for a million years. I get where he’s coming from, and I understand Robert’s point here. But I think the reality is let’s reset for a second. I know a lot of CISOs. I don’t know any CISOs that I have met recently or that I talk to regularly that have been fired as a result of a breach, right? So, I think let’s just take that off the table. I don’t think that happens. Now before anybody comments in the comments of the show that they know one CISO that it’s happened to…
[David Spark] I think historically a long time ago that happened. I don’t think it’s happened in many, many years.
[Geoff Belknap] Yeah. I just don’t… Let me put it this way – I don’t know that that happens as a matter of regular practice. That is not a regular thing that happens. What is much more regular is if a CEO misses sales projections or if a CFO has material accounting regularity, like, those people lose their jobs. But here’s the thing we really need to look at. What we’re talking about with fines and scapegoating or firing CEOs is what we’re really saying is we’d like these organizations to take security more seriously. And the reality is today, if you were going to offer a CEO $100 million to invest in go to market and to improve their sales, or $100 million to invest in security, they’re going to put the $100 million in go to market and improve sales or revenue.
[David Spark] Yeah.
[Geoff Belknap] What we don’t do today, and I think there are things we can do before we start fining, is lean into things where we could make people, any company over a certain size, we can set the threshold pretty reasonably, file a quarterly report about your security practices. Require companies to report breaches that happen to them through the course of regular business as a transportation incident. And I think we’ve talked about this several times on this show, that my peers and that I would greatly appreciate is when there is a breach, I would love if there was a publicly consumable report that’s like what happened, what led up to that, what can I do now to avoid that?
Now, that’s very scary and you don’t want to be the first person to have to put that out, but let’s be honest, people are already doing that when there are major breaches. The really good companies are putting out detailed reports of what went on. And if we look at transportation, aviation safety has been increased by leaps and bounds by the fact that we put out information about what causes aviation accidents. We do a ton of investigation, and we release that information. Those same things can apply here, and I think we need to lean into those before we lean into severe threats of fine or firings.
[David Spark] Very good point. I’ll let you have the last comment here, Cecil, wrapping up this whole discussion about reputational damage from breaches. I’m getting the sense from both of you that everyone’s trying their damn best, it’s just so damn hard. Do I have that in a nutshell?
[Cecil Pineda] Yeah. Yeah. I don’t speak for all the CISOs in the healthcare, in the Dallas area as well, but I can tell you, a lot of us are doing our best, even to the last cent of our budget, we do our best, 99 or 100% of the CISOs I know, they care for the organization they work for.
[David Spark] That’s a good point.
[David Spark] All right. Well, we have come to the point of the show where I ask you which quote was your favorite and why, and Cecil, I will begin with you. Which quote was your favorite and why?
[Cecil Pineda] Sandor’s probably that stood out. There’s a lot of factors, not just how you handle the breach. There’s a lot of things as I gave you an example on T-Mobile. It’s brand loyalty, it’s where could I buy the service. So, there’s a combination of multiple factors outside the list that he… He captured most of them.
[David Spark] Yeah. And it’s not like breach happens, boom, your brand is now garbage. It never really translates like that. Does it, Geoff?
[Geoff Belknap] Well, I think in the immediate term, if you use stock price or Twitter, heaven forbid, as a thermometer for a brand, there’s definitely going to be an impact in the short term.
[David Spark] Right, exactly.
[Geoff Belknap] But I think if I just look at what Bryan and Justin are saying here, reputational harm for companies is overblown. And I think Bryan is saying is there’s an element of truth, that even companies with the most excellent security program and defense in depth get breached. And I’ll tell you right now, you think, listener, in your mind, what company you think of has the best security program on the planet, and I guarantee you they’ve had more than one employee click on a phishing link and enter their credentials. And that happens all day, every day, to companies around the planet no matter how good their security program is. And we just manage it, there are programs that manage it. It’s just a matter of how you handle that breach.
[David Spark] Excellent point. Well, we have come to the end of the show, and I want a huge thanks to our sponsor Brinqa. Brinqa orchestrates the entire cyber risk life cycle across all security programs, including understanding the attack surface, prioritizing vulnerabilities, automating remediation, and continuously monitoring cyber hygiene. Go to their website, learn more, brinqa.com. But I also want to thank you, Cecil. Cecil Pineda who is the CISO over at R1. Cecil, let me ask you a quick question, are you still hiring over there or are you fully staffed?
[Cecil Pineda] We have a lot of openings. There’s almost 120 people in my team and I know there’s at least 3 or 4 key roles in my team that we’re looking for. One is an AppSec manager, and I know several – identity and anyone with a SailPoint experience, we are looking for one.
[David Spark] Ah, okay. Excellent, very good. Geoff, I know you’re always looking. And if you’re not looking to work with Geoff, there are jobs that can be found on the site that he works at, and that’s linkedin.com. I want to thank our audience as always. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cyber Security Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and What’s Worse? scenarios. If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.