Given that your company’s security is dependent on the security of your partners and others, what can we do to get more organizations above the security poverty line?
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest, Jason Kikta (@kikta), CISO, Automox.
HUGE thanks to our sponsor Automox
[David Spark] Given that your company’s security is dependent on the security of your partners and others, what can we do to get more organizations above the security poverty line?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of CISO Series. And joining me for this very episode, it’s Geoff Belknap. You also know him as the CISO for LinkedIn. Geoff, welcome!
[Geoff Belknap] David! Welcome to you too. Thanks for doing this, you do a great job. I don’t know if anyone ever tells you that.
[David Spark] Actually, we get plenty of compliments, thank you for saying that.
[Geoff Belknap] Oh. Then never mind. You should do better.
[David Spark] I should do better? I’m not achieving enough. I have to say endlessly we get unbelievably nice feedback from our community, and as I have said in the past, I have an extremely high tolerance for compliments. I can take it.
[Geoff Belknap] [Laughter] That’s a good trait to have.
[David Spark] Yes. I want to mention our sponsor today. It is a new sponsor, and we love having them onboard. It is Automox – all your endpoints, always configured, always secure. A great company that is supporting CISO Series, we greatly appreciate it. We’re going to talk a little bit more about Automox later in the show, and they brought our guest for today. That in just a moment, but let’s get to our topic. Organizations living below the security poverty line – tip of the hat to Wendy Nather, she coined the term – they are not only a risk to themselves, but to us as well. And we’ve talked about the rising tide raises all ships, so this is same theory here. These are the organizations we do business with, they are our suppliers, they’re the towns we live in, and they’re the schools our children go to. Now, we hear education as an answer, but that can only go so far. Someone has to actually do the work. Geoff, you asked on LinkedIn – what can we do to get more organizations above the security poverty line? And I asked for creative ideas from you and from our audience, and you asked it from our audience, and I think we got it. We got some pretty creative ideas.
[Geoff Belknap] Boy, did we ever.
[David Spark] So, what are your thoughts on this topic of getting more companies and individuals to help others?
[Geoff Belknap] This is one of those things that I always like to wax poetic about. It’s one of those things where we know that more people need to take security seriously, but we also know that there are people and organizations that take security very seriously that just don’t have the means to be better at it or to be more mature, more advanced, higher scale at it. And I think even when it’s not a matter of scale, there is a truth to the matter of we need everybody to be above the low water mark, we need everybody to be more secure or offer more secure products or behave more securely, and we can’t just rely on the people that have the biggest budgets to do it for everyone. So, I think this is a great time to have a good conversation with our guest about how we can fix this, what we can do.
[David Spark] And I want to get your response to these very sort of challenging ideas that our community came up with to solve this problem that is not just education.
[Geoff Belknap] Or just spend more.
[David Spark] Yes, exactly. And the person that is going to join us, our sponsored guest, thrilled to have him onboard, it is Jason Kikta who is the CISO over at Automox. Jason, thank you so much for joining us.
[Jason Kikta] Thanks, David and Geoff. It’s great to be here.
Does anyone have a better solution?
[David Spark] Andy Steingruebl, who’s the CSO over at Pinterest, said, “For those with more influence, resources, and clout – use it to make sure that widely used tools, services, etc., are more secure by default, and those things that aren’t default are easy to turn on and don’t need experts. So, HTTPS by default, everything easily supports FIDO2. DMARC is a standard and widely supported and easy to implement,” as he offers some suggestions. And Casey Cammilleri of Sprocket Security said, “Sadly, I see many organizations below the poverty line working on the wrong things, wasting already tight budgets. They need guidance towards working on priorities in cybersecurity.” So, just like advice on how to spend your money wisely. And Jason Ozin of PIB Group said, “Take a hands-on advisory role. So many small businesses still haven’t turned on 2FA even though it is free on the platforms they use. They either don’t know about it or are scared of doing so.” So, a lot of this has to do with spending your time and money wisely and just getting a lot more security by default, which I think that alone would solve a lot of problems. Yes, Geoff?
[Geoff Belknap] Absolutely. I think we definitely could use a minimum standard, right? I wish there was – and I hate to say this out loud – I wish there were regulation or some sort of incentive, but there isn’t. Thankfully, there are a lot of people that understand if you’re providing a product like an email service or a marketing service or a bill-pay service, that you need a minimum level of security, and that’s really good. What I think we need to do is elevate that to you really should have a minimum level of security that is at or better than most advanced security for enterprise products today, for even consumer products. And if you provide business products, so if you’re a B2B provider or something like that, you should also be providing a very high level of security that requires me to go in and turn security down by default instead of turn it on by default. I think that alone would make a huge difference in where people are at. And then I think just generally thinking about the fact that you have to provide security tools for people so that they don’t have to do it themselves, so that the things that they have to invest time in and money and people are the things that are specific to their business, not the basics like SSO or 2FA or logging. And then side note – stop charging people extra for that stuff.
[David Spark] We will get into that as well. All right, Jason, in this sort of just basic advice of using your money wisely and security by default, where have you seen success?
[Jason Kikta] So, I’ve seen the best success where security has an advocate, and the challenge that you see in a lot of mid-market and smaller organizations is that oftentimes the IT team and the security team are the same people.
[David Spark] Or a security team doesn’t exist at all.
[Jason Kikta] Or security team doesn’t exist, and it falls on the backs of the IT people who maybe aren’t trained in security, and it’s not really in their wheelhouse. So, I liken it to something I used to bring up a lot in the Marine Corps when I was a communications officer, right? So, my job was telecommunications on paper, but I was also supposed to be in charge of security, and as I kept pointing out to my broader community, I said, “Relatively speaking, the military is fabulously resourced compared to the civilian sector, but we still have the same fundamental problem as so many companies. That if the Colonel’s email doesn’t go on time, I get fired. But if we have a security incident, and he doesn’t understand it, then nothing bad happens to me and I’ll just keep getting promoted.”
And that’s sort of the issue that we’ve run into in the private sector is that when someone comes into their company leadership advocating for spend or advocating to inconvenience users or advocating to potentially inconvenience customers for security purposes and it’s not well-understood, then it just gets drowned out, right? It’s a bunch of white noise or beeps and squeaks from the nerd crowd, and there isn’t someone there – it doesn’t have to be their full-time job – but you need somebody who understands it, who understands risk, and understands how to balance those challenges with all the other things that a company has to deal with on a daily basis.
[David Spark] Quick question to close that out, and that is, okay, an advocate is key, what is that sort of – and this is a gentle balance – how do you become an advocate rather than an annoying pest, I guess, to the people who don’t care who haven’t had that on their front…? And I think everyone cares to some level, and either one of you jump in on this. What’s the gentle line?
[Jason Kikta] I’ll say I think there’s being an advocate but there’s also you need customers to demand a higher security product, and this is a very important difference. You don’t need customers that say, “I will pay money for security.” You need customers that say, “I will not pay for your product period unless it has high-end enterprise security.” And until that happens, it really won’t change. Because I would say similar to Jason’s example here, there are situations – and certainly no one I work with now or previously, you’re all perfect and wonderful, this isn’t about you – where I would be in positions where people would go like, “Yeah, I know you would like us to build more security into this product, but there’s a chance we won’t meet our revenue targets or our growth targets if we do that, and then we’ll all get fired. But if we just don’t add security, only you get fired, so we’re going to make that choice,” right? That’s sort of a hyperbolic example, but until that changes, where customers are demanding security in their products as part of the base price, we’re really going to continue to fight this battle.
How are the vendors handling this?
[David Spark] Duane Gran of Converge Technology Solutions said, “I see some vendors that have become very successful instituting a minimum seat number in their sales planning. Now, for those of us negotiating deals with these multi-thousand seat licenses,” those are the ones that are above the line, “We could actually push back on those vendors a little and ask during the sales engagement for them to make ‘X exceptions a year’ to sell their product to smaller accounts.” Interesting take, I like that angle. And Guillaume Charpiat of GitGuardian said, “We feel that giving our dev tool on a free tier to upcoming, innovative companies is actually in our best interest. It allows them to show they have some security controls in place when they try to sell their own solutions to their target customers, which allows them to grow, so that in the end they can finally afford to pay for our solutions, win-win.”
So, Jason, both of these tactics have to do with selling of security products. One of the customer who is big having some level of influence saying, “All right. You want our deal, you got to sell some smaller deals as well.” We’ve kind of seen this where, like, what was it? That shoe company, like you buy a pair of shoes you give a pair of shoes for free to somebody else. It kind of falls along that line. And Guillaume’s comment of these companies that offer a free tier, it’s not just for them to try to get people to taste and try, but it’s also an opportunity to show, “Hey. This is a way to implement security, and here’s a free way to do it.” What do you think of these tactics?
[Jason Kikta] I mean, I think both of these tactics are very good. I think these are examples of people who are thinking deeply about the state of security and how it ultimately affects them, and that because this is the real challenge – as Wendy so eloquently put it – this is the real challenge of the cybersecurity poverty line, is that those smaller organizations not having sufficient security are in the end a threat to all of us, right? And those are your suppliers, those are your contractors and subcontractors, those are the schools your kids go to, they keep on your power, they keep on all the utilities that you rely upon. And if you’re not trying to look out for them at least a little bit when you’re in a position of power, then it’s a short-sighted mentality. That said, I don’t know that I would hope on everyone being as forward-looking as these two to try and make the problem better, right? I think we need other solutions, but their head’s in the right place and they definitely exhibit an understanding of the challenge.
[David Spark] And I think that what this whole episode is about is different solutions. Neither one of these is the one that’s going to solve the whole problem, but it is specific solutions that if you take charge, can definitely make an impact.
[Jason Kikta] And it’s what you can do right now today.
[David Spark] Yes.
[Geoff Belknap] Yeah, I think that’s a great point. And I love the creativeness of both of these options, right? Because the thing Duane is talking about is the problem that I complain loudly about a lot which is look, if you run a bank or a national infrastructure component like a power company or something like that, you’re going to have security. Now, maybe it’s not the very best-funded as like Microsoft’s or Amazon’s security, but you’re going to have security. If you run a dentist’s office, you still have people’s PII, you still have payments, you have information that you need to protect. It’s probably unlikely that you’re running a high-end endpoint security solution on all of your desktops, you’re probably not running consistent configuration management across all those, you don’t have phishing protection. You’re relying on all of your vendors to provide those things for you. And I think the more we can do to find innovative ways, to find people to sell down-market to those kind of people that have a need, I think that’s a really interesting way to approach this.
[David Spark] Jason, I know that Automox, this topic of getting more companies above the security poverty line, is a passion for Automox, correct?
[Jason Kikta] It absolutely is.
[David Spark] Let me ask – what exactly are you doing because we just in this last segment talked about vendors, how they specifically… What are you doing in this sort of fight yourselves?
[Jason Kikta] So, the thing I like about Automox and what drew me to the company is that we’re providing a very reasonably priced affordable product to the mid-market, to smaller organizations that need this sort of automated patching, that need to improve their security without putting people against it. And the way I always explain it to my peers when they ask is this takes patching from something that your IT team has to put several people against to it’s a part of one person’s day. It’s all right there in a web interface. You point, you click, you can check it and check what’s been done, you can generate reports to show you’re compliant. And so that sort of freeing people up, that precious head count up to work on more important security tasks, things that computers aren’t good at, but humans are, that’s what’s really critical.
Sponsor – Automox
[David Spark] Excellent. I want to mention a little something more about Automox. It has to do with the manual patching, and I can assume our audience is very much ready and eager to ditch manual patching, if they haven’t done it already. Every operating system requires critical patches to reduce your risk of attacks, of breaches. And the problem, well, it’s patching and endpoint management can be agonizing, and we have all experienced this, with multiple tools creating interruptions that slow down your end users, and complexity that takes up all of your IT team’s time.
So, modern patching should be easy, and as Jason has mentioned, with Automox it actually is. Cloud-based and globally available, Automox allows you to automate cross operating system patch management, dramatically reducing the time, effort, and complexity it takes to manage multiple operating systems. Now you can sleep better at night. We all know that’s the grand question – what keeps you up at night? Well, don’t let it be patching for that reason. Sleep better at night knowing your IT environment has a level of greater security. Interested in trying out the platform yourself? Well, go to Automox.com to start a free trial and have all of your endpoints more secure, more safe in just 15 minutes.
What are they doing wrong?
[David Spark] Haroon Meer of Thinkst Applied Research said, “I feel strongly…” and I know this about Haroon, “That companies that can, should push back hard against bad security choices in products…” this is like what Andy Steingruebl mentioned earlier, “And bad marketing from security product organizations.” TC Niedzialkowski, CISO over at Nextdoor said, “We use the same software. The sso.tax Wall of Shame is a great example of the Haves helping the Have Nots by calling out software vendors charging two to three times the licensing fees for SSO – that’s single sign-on – integration when it should be offered by default at no additional charge.” And Harrison Yager of Yagershots said, “Companies should get a visible security score like restaurants get a food safety score. This will notify consumers at the point of sale. If you’re shopping with a new business online, you may not want to give out your credit card info to sites with low ratings.”
So, this goes back to what you were saying, Geoff, of if they imply there’s security, the customers have to push back that, “I’m not going to give you my money unless you are a level of secure.” This desire to have this third-party rating system, which by the way, all of us would love. I mean, wouldn’t you love this, Geoff?
[Geoff Belknap] Oh, absolutely. I think I’ve talked often about the fact that I wish we had a Security Nutrition Facts. And you know what? I think we’re getting there. I think CISA just released something that’s very, very similar.
[David Spark] Well, SBOM is trying to go in that direction.
[Geoff Belknap] Yeah. I don’t know if that’s the way that’s going to be successful, and it’s really just one aspect of it. But I think pivoting this to the discussion about the sso.tax, I think that is a great example of where we just aren’t there yet. And sso.tax, which is a website that you, dear listener, can go to right now, is a great place where you can see exactly the problem that we’re dealing with. Here are companies that are great companies with great products, but for whatever reason, their product management folks have decided that if you want SSO integration – which if you are a business of any kind that is what you want, that is a very secure basic building block of security for enterprise security products – you are going to end up paying up to two or three times the typical license price for that product, just to get this basic authentication mechanism that is going to protect your enterprise.
And it’s ludicrous. It is just what we’ve built the idea upon that if you want a fancy feature, you got to pay extra for it. And while I absolutely believe that if you want extra feature functionality above and beyond the basics, you should pay for it, but not when it comes to security. It’s a little like saying like, “Hey, your house, if you want sprinklers in it, you got to pay extra. If you want smoke detectors, you got to pay extra.” And it’s like those are basic life safety systems. Those should be built into the cost of your home. I mean, same thing, like you wouldn’t want to pay extra for airbags or seat belts in your car. They should just be baked into the price, and indeed they are.
[David Spark] My main complaint about the sso.tax site is how not recent a lot of these have been updated. Some of these go back to 2018 is the last time they verified whether they’re charging for this or not, so you have to do your due diligence is what I have to say.
[Geoff Belknap] Yeah, although I’d say it’s because they haven’t changed their status.
[David Spark] That’s conceivable as well.
[Geoff Belknap] I think that’s the unfortunate aspect of it.
[David Spark] That would be sad as well. All right, Jason, the community pushing back, what are some active ways besides the obviously sso.tax site that buyers can make it clear, like, “I won’t buy your product unless it has this”? And again, it could be really the enterprises have to do it rather than the groundswell of individuals.
[Jason Kikta] I think it’s sort of an all-of-the-above approach that’ll be most successful. So, Congress and state legislatures, they’ve been reluctant to push security standards, and I understand why because it’s very hard to legislate a security standard that’s still going to be relevant in a few years’ time, or you could end up with counterproductive security measures that are enshrined in law and now you can’t change them. But it’s somewhat turned into an excuse of doing nothing, right? Whereas saying, “Hey, you must have some form of SSO, you must have multifactor authentication unless you meet one of these exceptions.”
There are a lot of just basic fundamental things that can be done that, yes, we will always find an exception or a reason not to do it, but it needs to happen. And that gives cover to companies to then make that investment even when it might not be in the best interest of their bottom line. Same with insurance companies. Insurance companies starting to mandate more and more of these basic protections is something that’s going to help move us there. And then companies, just like Geoff was saying, SSO should not be an add-on, it should not be an extra, it should be just baked in, you should not be able to…
[David Spark] Well, it’s honestly… It’s like charging for passwords is really what it’s doing.
[Jason Kikta] Or selling a car without seat belts.
[Geoff Belknap] I mean, to be clear, it is worse than charging for passwords. It is charging for the ability for me to manage my own passwords.
[Jason Kikta] Yes.
[Geoff Belknap] You as an enterprise software company, you are no longer managing my identity solution. Why does that cost me more?
[Jason Kikta] Right.
[Geoff Belknap] So, I just… Man, I’m going to go on a rant here, I’m going to stop myself. But here’s a great example of the misaligned incentives causing weaker security writ large for companies that need these products.
[Jason Kikta] And frankly, it’s an epidemic across the industry.
[Geoff Belknap] Absolutely.
[David Spark] I throw out this. I think the reason we see the sso.tax is because industries like airlines discovered, “Hey, wait a second.” One day, one airline woke up and said, “Hey, we could charge for people to check their bags, and we don’t have to do anything extra. All we’ll do is a thing we were offering for free, we’re going to start to charge for.” And then this ripple effect through the industry is, “What do we have that we’ve been offering for free that we haven’t been charging for that we can charge for, make more money for, and not do anything extra work?” It’s a great business model, isn’t it?
[Jason Kikta] And it becomes hard to push back against when you have one of the largest software companies out there charging extra for logging. Like, that’s hard.
[David Spark] Yes.
[Jason Kikta] That’s hard to say, “Well, we shouldn’t do this.” “Well, why not because they are, and so therefore we should.” And that’s really… That’s hard.
[David Spark] And if one of the big players does it, then they all start to fall in line.
[Geoff Belknap] Mm-hmm.
[Jason Kikta] Yeah.
[Geoff Belknap] If I’m honest – because I’ve been on the other side of this and I’ve had these arguments with my product management folks – it really comes down to a lack of understanding that, you know, sometimes you definitely want to differentiate your product between like a mid-market SMB product and an enterprise product. And SSO is the number one thing any company that considers itself enterprise will ask for, and it just happens to be the easiest thing for you to go like, “Well, that’s an enterprise feature.” And instead, you should be going like, “That is a table stakes feature.” But it’s really hard for you to be the first one to go out, to Jason’s point, and it’s going to take a lot of brave product managers to go like, “This should be free. We’ll find something else to be the differentiator between an SMB product and an enterprise product.”
What would a successful engagement look like?
[David Spark] Jessica B. of Blue Cross & Blue Shield of Rhode Island said, “When I attended my trade school 20+ years ago, we got volunteered out for different organizations to either help build equipment or fix issues, upgrade equipment with donations from other businesses. This not only helps those below the poverty security line but gives actual experiences to those who need to be employable.” And Jorge G. Lopez of Peloton Interactive said, “Create an ‘Adopt a Highway’ for cybersecurity? It could even include some percentage of time where their security personnel can volunteer at the adopted organization.” So, we actually just did a recording of an episode of the Cybersecurity Divide and there’s this huge demand for experience. I mean, this is a great way for individuals to get experience and provide value. I think it’s kind of a win-win, but there’s the obvious thing of, “Well, if my people leave and are not working for me, then I’m not getting value of that.” What percentage of organizations are you seeing – I’ll start with you, Geoff – of, “All right, I’m gung ho about my people volunteering somewhere else a certain number of hours”?
[Geoff Belknap] I think there’s a lot of companies that have volunteer programs that will compensate you and even give you time off to volunteer. And while most of those are aimed at more traditional volunteering opportunities like local community service, I think this is a great example where this could be community service, but you’re going to have to do a little bit of work to find somebody that is worthy of or will take on volunteers to do this work. The challenging thing though is while absolutely with a little bit of volunteer effort, you can beautify a highway or clean up some garbage from the side of the road, this requires more effort from us as a cybersecurity community, both to apply pressure to companies to provide products that are affordable or even available for smaller to mid-market organizations, or to just in general make sure that this information about how to do this work or the technology or the people are just available in some way to these other companies, where they’re just not today. But I really like the way we’re going here, like this is an interesting way to think about it.
[David Spark] All right, Jason, where can we go with volunteering?
[Jason Kikta] So, I think more so there’s some good to be done in your local community, helping out your local municipal government, local schools, firehouses, that sort of thing, but there’s a level of scale that just isn’t quite there and would be disproportionate in very tech-heavy areas, right? Like, you’d get a really good result in San Francisco and Austin, but maybe not in Walla Walla, Washington.
[David Spark] Mm-hmm.
[Jason Kikta] So, I think probably the better way to do it would be to focus them on things like open source projects, on creating standards where a lot of what needs to happen in security, when you talk about the sort of fundamentals of security, of do I have identity management, do I have asset management, am I applying patches, do I have firewalls, those are things that are ripe for standardization on some level and for people to help out companies to be able to buy. “Hey, if you buy something in this category, it will plug into the other things you purchase, and it will work and it will help you.” And that’s kind of back to the grading scale of almost categorical solutions. Is there a way that they can help build those things to help these disadvantaged businesses and organizations get what they need without having to hire on expert staff to do so.
[Geoff Belknap] Yeah. I think that you make a great point, Jason. We need more thinking along those lines.
[David Spark] Excellent point.
[David Spark] And that brings us to the point of the show where I ask both of you which quote was your favorite and why, and I will start with you, Jason. Pick a quote, tell me why you think it’s so awesome.
[Jason Kikta] Well, I don’t think it will surprise him at all but definitely Haroon’s quote was just my favorite, simply because he and I have had some discussions about this and have bantered back and forth on Twitter about that.
[David Spark] Haroon is crazy passionate about this stuff.
[Jason Kikta] Oh, yes. And I love listening to him every time he gives a talk. There are so many just fundamentally bad security choices and products, like Geoff was saying earlier. Nothing should become insecure by default but so often it does. And there’s bad marketing, there’s bad marketing where something can’t quite perform what it says it does, but they claim they can. There’s bad marketing that screws up people’s threat models where they’re worried about… I mean, there’s a lot of places out there right now that are far more worried about state actors than they are about common criminal activity. But what are they most likely to encounter? Standard sort of common criminal fraud activity. And then there’s also the piece of people hype up security in one area when they don’t have it in another area, and so you get very fixated on the shiny thing that’s being marketed, but you don’t know or don’t think to ask the right questions about all the other areas.
[David Spark] Excellent point. By the way, I will mention to our audience, do a search – or if I can remember, I’ll add a link on this episode – Haroon was on a recent episode of this show as well, and we have a link to this amazing video where he goes through all the details of what he sees wrong with the whole cybersecurity ecosystem, the whole everything, and pointing fingers at VCs as well. Geoff, your favorite quote and why?
[Geoff Belknap] Well, I think just to comment on Jason’s point, I think Haroon should be the CEO or chairman of the board for every security products company. But since he can’t, I will go with what Andy, my buddy Andy said from Pinterest which is effectively saying like, “Look. Those of us who have clout and influence and resources that we could leverage against some of these product companies, we should really be doing that. We should be doing a lot more of that and demanding that these companies that we are big customers of be providing, whether it be FIDO2, AuthN/AuthZ or DMARC or HTTPS by default or, I don’t know, cloud storage is encrypted and private by default. We should be leveraging our clout to make sure that those things are happening.” Because really, nothing happens if a customer doesn’t demand it or doesn’t want it. A product company will not change – unless they’re run by Haroon – they will not change just because it’s better for the community. Product companies are always driven by what customers are asking for. So, I think more and more of that from us is one of the small ways, besides volunteering, that we can make a big difference.
[David Spark] Customers need to push back; I think that’s our theme. If you want change, customers push back, you put your dollars with the companies that are providing the security that you want. Excellent, gentlemen. Well, thank you very much. Jason, Jason Kikta is the CISO over at Automox. And as I mentioned, you guys do vulnerability remediation in an extremely simple way across multiple operating systems. You can start a free trial, get it up and running, make your life simpler. Did I miss anything there, Jason?
[Jason Kikta] No, I think you got it.
[David Spark] All right, Automox.com. Thank you so much, Automox, your company, for sponsoring this show. Geoff, as always, thank you, and thank you to our audience. I greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.