When you think about building a plan (and budget!) for your security program, do you lead with risk, maturity, or something else?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Ngozi Eze, CISO, Levi Strauss.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor runZero
[David Spark] When you think about building a plan and budget for your security program, do you lead with risk, maturity, or something else?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, you’re going to hear him again right now. His name is Steve Zalewski. Steve?
[Steve Zalewski] Hello, audience.
[David Spark] That’s how he sounds. You’re going to hear a lot more words coming from him. He knows more than just that. Correct, Steve?
[Steve Zalewski] On a good day.
[David Spark] On a good day. Today is one of those days. But first, let me mention our sponsor today, runZero. They are a new sponsor of the CISO Series, and we are thrilled to have runZero onboard. They are a cyber asset management solution, and they do an amazing job about finding unmanaged assets. And you know the old line of, “You can’t protect what you can’t find”? Well, you’ll be interested in what they have to say later in the show. But first, Steve, the question I pose in the tease was posted by another CISO Series co-host, Mike Johnson. He wanted to know what’s the overall theme you lead with when you’re building a security program. And I’m going to ask you, Steve, why is it an important question to answer before you build your program and how greatly can your security program vary? Depending on your answer to the question of what do you lead with.
[Steve Zalewski] So, I would say this is actually a very timely question because even two years ago, I would say there’s very different answers or there’s a very different set of philosophies. The challenge I ask everybody with this question is who has your back? It’s not so much how do you want to run your program anymore, but who has your back and how do you build a program to maximize your capability to protect the company and still protect yourself?
[David Spark] That’s a good point, and we’ll get more into this on the show. Now, here’s what I’m excited to say, is because I’m going to introduce our guest who – and we’ve never had this happen on any of our programs before – the person who took your last job, which was CISO at Levi Strauss. We have the current CISO of Levi Strauss. This is like seeing Clark Kent and Superman in the same room together. Everyone’s heads are going to explode. I’m seeing both together. It’s unbelievable. It is the current CISO of Levi Strauss – Ngozi Eze. Ngozi, thank you so much for joining us.
[Ngozi Eze] Thanks so much, David. It’s so great to be here. Great to see you again, Steve.
[Steve Zalewski] You too, Ngozi.
What should we be measuring?
[David Spark] Stu Hirst, CISO over at Trustpilot, said, “A mix of risks we know we need to reduce plus a list of team capabilities – AppSec, CloudSec, SecOps, and risk – highlighting what we’re not currently doing or strong enough at.” So, that’s what Stu would like to see. Jonathan Waldrop over at Insight Global said, “I often think more in terms of capabilities than maturity. Maturity can be subjective; capabilities can be binary. Either you can, or you can’t. That lends to your ability to “do” that task, which leads to proficiency. And then we end up back at maturity, which then influences the amount of risk that’s present.” I think these are really good sort of solid thoughts on how to start from both Stu and Jonathan. Steve, what do you think?
[Steve Zalewski] Yes. There’s no wrong answer to how you start. I think the real challenge isn’t in how you start, it’s in what your objective is. Because what you’re seeing here in one case is, all right, I’m going to build a strong technical program, I’m going to measure my controls, I’m going to measure my efficiency, and I’m going to show you how I’m going to lock down the company. And in the other case, right, capabilities, they’re starting to understand maybe where the key risks are for the company. So, they’re taking not a controls-based but a cybersecurity risk-based, in which case that is their guiding direction to be able to figure out how people, process, and technology are going to be merged into a roadmap and be able to then demonstrate to your leadership team the vision that you have and how you’re going to execute that vision successfully.
[David Spark] All right, Ngozi, I would say a wrong way to start is to not have a plan, but these are solid ways to begin. What’s your take?
[Ngozi Eze] No, absolutely right, I think on both accounts. One, you surely need a plan. And to Steve’s point, I agree as well. I mean, there’s really no wrong answer. I think the real key is understanding where’s the organization at in its maturity cycle overall from a cyber perspective. Are you at a point in time where this is a net-new organization, you have no cybersecurity program, you don’t even have a named CISO, you don’t have a responsibility from a cyber standpoint. Well, you might want to begin with maturity. You may have all that, right? This may be a 100-year-old company, security may be well mature from that perspective, and in that case, you may want to use other levers like driving a risk-based approach to measuring the success of your program. Because ultimately, that’s what it comes down to – how well are you moving the needle against your stated goals and objectives and how can you communicate that back to internal stakeholders and partners? So, to your point, there’s really no wrong answer. It’s just really identifying and getting a good sense of what’s your starting point.
[David Spark] Let me ask this of both of you. Have the two of you chosen different paths depending on the company you’re with, or do you find this is the kind of security leader I am, and this is the way I operate so this is the way I’m going to do it? Steve?
[Steve Zalewski] So, that question is twofold. First, there’s the type of leader that I am. And I describe that as am I a manager or a leader, and both have a place in what you’re doing to be able to accomplish that. But I think the other part of the question is but are we asking the right question of what we’re going to do. And the key here is we just talked about a couple of the standard ways that we try to ask the question to establish a program, right?
Ngozi and I actually have different philosophies based on our experiences as to what we think the best program was for Levi Strauss. We didn’t have exactly the same idea because we brought different experiences, management had different expectations as it matured. But the point that I’m bringing here is other questions about your program, like are you going to build a program that’s good enough security, are you going to build a program that you realize that the leadership team is only going to make a nominal investment, and so therefore when you join, writing your employment contract in a way that it’s really your termination contract because you’re understanding what the true expectations are of the business and of the leadership team, not so much that they are aligned with what you want to do.
What needs to be considered?
[David Spark] Esteban Gutierrez of New Relic said, “Begin with ‘customer and market requirements’ overlayed with risks followed by costs in terms of here’s the impact to the bottom line for not doing this work. The story to finance really boils down to here’s what we can and can’t do to enable business objectives and manage risk with different funding models.” I think, Ngozi, that’s what finance loves to see. Am I right there?
[Ngozi Eze] Absolutely. And when you think about consideration, what things you need to consider, all parts are on the table, especially for a cyber program that tends to touch all parts of the business. So, you have to consider the consumers, you have to consider your customers, your regulatory requirements. You have to consider the market, the climate, the technological climate that we’re in, your vertical, and your competitors. Right? I think all those factors really give a sense of a mix and along with your overall maturity of what your overall starting point needs to be so that you can measure and leverage your investments wisely and appropriately.
[Steve Zalewski] So, Ngozi, I’m going to add on, and again, I’m going to use our experiences since obviously we were at the same company, and we transitioned through. Right? Which was what needs to be considered? What about FAIR? Right? If you’re looking at this and you’re going to use the FAIR model and go to a risk register and try to define truly a quantitative risk register based on FAIR, to be able to then drive your program, is that actually the right answer that we should all be doing?
[Ngozi Eze] So, FAIR, it’s a great concept overall. The idea of tying and quantifying risk to a numeric and dollar value. It is really critical to an organization. Organizations are in business to do one thing – drive shareholder value which is effectively from a financial perspective. What I have found in our execution and practice of FAIR is it goes back to the maturity conversation. Where are you at in your state of maturity? As you’re building a risk program, I think it’s really critical, Steve, Dave, to start with a qualitative approach. I think that is totally valuable and helpful, and then you build your quantitative approach from a controls implementation standpoint and quantifying that perspective.
As you begin to make the leap to FAIR, that’s a little bit wider of a cavern to drive. Because I’ve been at companies where we’ve actually had a pretty fair, mature, FAIR implementation model, and we run through our calculation, and we communicate it to our business partners. And with shock, our business partner says, “Yeah, it’s only going to cost us 157,000 to cover that risk? I’ll do that.” And you’re like, “No, no, no, no. This is a bad thing. We should not actually do that.” And we found where FAIR could potentially obscure the cyber risk. So, I think it’s a great measurement as a perspective and another input overall, but I am very careful and conscientious to not holistically lead with FAIR. Just because I think it’s on its way, but I don’t know if it’s there yet. Now, I will leave the caveat – if I was in an organization, it was an insurance organization that understood those models a little bit better, I think you’re in a different ball game there.
[David Spark] Because it’s interesting, we talk about the FAIR model a little bit, not a lot, on this show, but we’ve yet to hear anyone be extraordinarily bullish on it. And you bring up a good point is it’s good as an input but not to lead everything. Steve, you’re nodding your head.
[Steve Zalewski] So, the game – and I’m going to call it a game, Ngozi, you can tell me – the game is quantitative over qualitative. Everybody wants hard data to be able to make a decision that they know is right and will be proven over time. And for security, that’s almost impossible because we just don’t have the maturity, the frameworks, the data to offer true quantitative value unless we put tons of time in, make a bunch of assumptions, and then we get called out for it when we try to present it. So, to Ngozi’s point, what we do is we’ll test that method to see where our qualitative assessment is so that we can demonstrate we’re at least trying to go down there. But unless you’re a real diehard on, “I know I can do it because my company is so quantitatively based that I can figure this out,” no business impact analysis, no effective FAIR analysis.
[Ngozi Eze] I love this conversation around FAIR because I think it leads me to the point of reasonable assurance. I think from a cyber perspective, we are trying to build and deliver reasonable assurance. We can have an unlimited cyber budget, we could deploy every cybersecurity control known to man, and we could still unfortunately have a mishap, a exposure of data, an infiltration, certainly anything type of happen because of how fast technology advances. And I think the challenge with FAIR is that I think it drives you to an unachievable goal, which is a hard, quantifiable, “If you do X, Y will happen.” That’s why I tend to say it’s a good input, right? I don’t want to lead with it as the end-all, be-all. I absolutely think it’s a helpful factor. Now, I’ll kind of communicate it on both ends, right? Where I’m not necessarily bearish, I’m not necessarily bullish. I think it’s very helpful, but I certainly don’t think it’s at a maturity standpoint, at least in the programs that I’ve been, where we can lead with it solely.
[Steve Zalewski] Okay, Ngozi. What’s the difference between reasonable insurance and good enough security?
[Ngozi Eze] Yeah, I think it’s just the words you use, right? [Laughter] From good enough to reasonable assurance and who are you speaking to. And really, I think that is a conversation for your executive leadership team, your board, and your cyber, and your general counsel, to kind of come to an agreement that based upon our investment, our capabilities, our overall maturity, our ability to identify, manage, and mitigate risk to an acceptable level, is this consistent with our laws and regulatory requirement practices for this point in time? I think we’ve reached that threshold and then how can we drive incremental improvement from that standpoint. And so reasonable assurance, good enough security I think are the same terms, and I think that’s what we’re all chasing. What’s good enough? Because what’s good enough today very likely with the regulatory change, technology advancement, your users…
[David Spark] You can just look back in your history. What was good enough five years ago isn’t good enough today.
[Ngozi Eze] Absolutely. Well, everyone says multifactor authentication is the goal, right? You have to have it and that’s good enough. Now, all of a sudden, there’s MFA exhaustion and social engineering behind it and other attacks against it. For every control we develop, there’s exponential amount of attacks that are going after it. So, those are some things that we need to be aware of.
[Steve Zalewski] And then one more is okay, we’re in a recession. Whether you believe it or not, everybody is acting like we’re in a recession. So, the reason why I asked that question of Ngozi was reasonable assurance is a nice business way of talking about risk when all is good. In a recession, what’s good enough? Right? People now have hard budgets; they want harder answers. And so some of it is reflecting kind of the attitude of the industry and of your executive team because many of the executives now don’t want to hear what’s reasonable assurance. They want to know what’s good enough. What’s good enough for me to make payroll tomorrow? And so the reason why I was bringing that up is it’s the same thing but said with two different perspectives that may have very different outcomes as to how the executive team aligns with their understanding that you get the problem.
[David Spark] So, I have both Ngozi and Steve, the former and current CISO of Levi Strauss. Let me ask – the two of you did the handoff, I want to know from each of you quickly what worked, what didn’t work in that handoff. So what worked, this is great, we could have done that better. I’ll start with you, Ngozi.
[Ngozi Eze] I thought the handoff was really great. I think what worked is worked is Steve was extremely gracious in lending his time, his support, his perspective, and his knowledge of the program, people, the culture, the board overall, and I think that is what worked right away. I think a big other part of that is Steve’s colleague Collin was a big part of that process as well from my onboarding early on. So, it was a fantastic handoff between the leaders of the Levi cybersecurity program. So, I really understood what the organization was trying to do in building the program. Now, what could have been better? Well, Steve could have stayed a little bit longer, right? I just [Laughter] really hated to see him leave out, but I think it was great for him to go on to do some new things. But I’ll kind of do a sandwich approach and say that being said, his door’s always been open. We’ve had conversations, we’ve bumped into each other at other places, and so I think that’s an extremely healthy thing. Because one of the things you mentioned is we brought different perspectives, right, and we didn’t use that as an opportunity to clash, we used that as an opportunity of saying, “Hey, how can we build upon and leverage what each of us brings to take this organization to the next level?” and I think that’s been a success thus far.
[David Spark] Steve, your take?
[Steve Zalewski] Sure. When Ngozi and I met, and with Collin, this was a friendly transition. And so in my mind, what I said was, “I’m going to do this in the way that I would hope somebody would do it for me if I took a new operational role as a CISO.” It’s not possible many times because the transitions may be the CISO has left because he’s not happy or he was let go, and so therefore, it is a difficult transition because you don’t have the people. What I said was…
[David Spark] And I’m sure that happens plenty of times.
[Steve Zalewski] It happens plenty of times. What I said in this case, “Let’s set an example for how you would like to do a transition.” And so we had some runway, I even extended. But I will tell you what I told Ngozi when we met the first time when we had this conversation I share with everybody, I said, “Hey, Ngozi. Really happy to have you onboard. Let me explain how I want to run the transition with you. My job is not to tell you what I think you should do. I’m not going to do that. My job is to put a safety net here to make sure everything continues, for you to lay the program that you think this company wants. Right? Because the company has expectations, and so I am not going to bias your thinking or try to force you. I will answer any question, I will do everything I can to support you, but I want you to develop the program that you think is right for this company.” And that was the initial conversation and the basis of what we did. So, I was there for him anytime he had questions. He knew what I was doing. I was just keep the programming going while he was learning, give the executive team confidence that we were highly integrated. But I thought that to me was the way that I was trying to set Ngozi up for success. He knew I was not there trying to influence. He knew I was there to support in the direction that he wanted. That is amazing. That’s exactly what I wanted to hear from both of you.
Who’s our sponsor this week?
[David Spark] Before we go on any further, I do want to mention our sponsor though, runZero. You remember I mentioned them at the beginning of the show? The cyber asset management solution. It is the fastest and easiest way to build a full asset inventory, get proactive about your security program, and accelerate your incident response. Who would want all of that? So, get the data and context about devices, services and configurations needed to effectively manage and secure your environment. We’re talking about unmanaged assets here because, yikes, we’ve all got them, and we don’t want to have too many of them. So, take advantage of their integrations with your existing IT and security stack together with their proprietary scanner to cover all of your assets, local IT, OT, IoT, cloud, external, work from home, and even your unmanaged assets. Remember I mentioned those? RunZero is so easy to use that you can get started in minutes on your own. Go to runzero.com – it’s spelled exactly the way it sounds – for a free trial. No credit card is required. Or you can get a firsthand look at runZero in action, just search for the term on YouTube to check out their video demonstrations.
How do we go about measuring the risk?
[David Spark] Samuel L. of Ultimate Kronos Group said, “With risk, you can mitigate, accept, or transfer it. As such, you can’t use it as the only measure because it really is easy to accept a risk and a lot harder to pay for it. Since transfer insurance comes with a mitigative due diligence, it isn’t really any better than just mitigation.” Ryan Franklin of Amazon said, “Risk first and then blend with maturity. You can get a lot of risk coverage for a low cost; however, continued investments to reduce risk will have increasingly diminished returns over time. As soon as an organization realizes it’s approached that point where the ROI is no longer acceptable, I think that’s when it should start to think about shifting the focus to more maturity-driven initiatives.” So, the driver seems like it’s risk, risk, risk all the way, Steve, and I hear it all the time. Do you agree?
[Steve Zalewski] I got to say I like what Ryan said. I think because you lead with risk, you blend with maturity, the 80/20 rule, right? At what point does the incremental investment maybe make you more efficient but it doesn’t make you more effective? It doesn’t stop the attacks better, at which point you pivot, and you find where the attack surfaces are weaker, and you move in that direction. So, to me, Ryan’s comment really just nailed it for me.
[David Spark] Ngozi, again, we just hear – because we always hear it shouldn’t be called security, it should just be called risk management, and they’re just sort of defining, “Well, that’s really what the job is.” Yes?
[Ngozi Eze] Absolutely. And the reality is everyone in the organization is managing risk. So, certainly should measure risk to the best of your ability. I think I mentioned it earlier in the conversation, I think it’s really good to start where you are from a qualitative perspective and to really kind of mature that process and then move into more a quantitative concern from a risk aspect. Because risk is an extremely nebulous concept and not extremely precise, and so even if you quantify it really well, you can still have challenges communicating it. So, I think it’s helpful to absolutely start with measuring the risk because I think as you mentioned earlier, it is totally about you can transfer it, you can mitigate it, you can accept it, things of that nature, but you have to have some type of way to measure it, and so I love a good qualitative and quantitative mix there.
[David Spark] And I got to assume that there are certain risks that are like, “Guys, this is the obvious easy risk to mitigate. We obviously easily need to do this.” I mean, do you address this as like above the line, below the line type things? This is stuff that we’re not going to even question, like certain email protections, firewalls, EDR, things like that. And then it’s like, “Well, this is the area where we can negotiate.” Do you guys sort of operate in that way, Steve?
[Steve Zalewski] This gets back to the type of company, industry, vertical you’re in, where Ngozi and know this. If you’re in a highly regulated industry, often time the controls framework are very proscriptive and you just have to show that you’re doing it. If you’re in retail, a control framework is not what’s driving you, right? It’s how much money do I really have to invest to do what’s good enough? And so that’s where when I think about this, the philosophy of what is appropriate is really dependent upon the organization and how that organization’s values, whether you’re a mandatory cost center or you’re a profit center trying to limit the amount of hard-earned profit that’s going to be lost due to fines or breaches or other ways that you’re going to see that money slip through your fingers.
[David Spark] Yeah. I mean, doesn’t retail refer to it as leakage and not like theft? Yes, Ngozi?
[Ngozi Eze] Yeah. Certainly. Right? Leakage, theft, those are certainly all a part of it. I think to your earlier question, we prioritize five areas where we can’t get this wrong – from an identity perspective, through our network, our cloud, our endpoints, and the way we manage email as well. Right? So, from a security standpoint.
[David Spark] It’s kind of like just locks on the door. It’s like, well, we’re all going to have locks on the door.
[Ngozi Eze] Yeah. Some of those things are non-negotiables from that perspective, and so I think the business appreciates it, the financial teams, those who are asking questions. You are the senior most security executive in the organization. You’re here to make those calls and those decisions. And those are some areas that I think is really critical for organizations to prioritize or have a set of prioritizations that are their non-negotiables.
How do we make this everyone’s concern?
[David Spark] Maxime Rousseau, who’s deputy CISO over at Empower, said, “What does the security program need to do to support the business? Are you more B2B where sales requires you to show higher maturity, compliance, and audits? Is it more about preventing a big breach? Detecting insider threat?” And Christian Hyatt of risk3sixty said, “First, I talk to executives to get 100% clear about what the business’s most important goals are. Then I do some soul searching to make sure security is supporting those objectives and how. Then I bring the plan to leadership, demonstrating that link and the clear business case for security.” So, I’m going to start with you, Ngozi, on this. This is kind of the theme we hear all the time, like learn the business first, all the time. So, with all our conversation – start with this, start with that – we’re like, “Well, you can’t start anywhere unless you know the business.” And I’m assuming you learned the business of Levi’s before you learned anything else. Yes?
[Ngozi Eze] Oh, God. I would love to say yes to that question [Laughter] definitively.
[David Spark] But no?
[Ngozi Eze] It’s a big sprawling complex business.
[David Spark] Sure.
[Ngozi Eze] Levi’s has been in business for 167 years. I made a statement earlier, I don’t know if you caught it, we have our consumers and then we have our customers because we have our direct-to-consumer channel and we interface directly with the end consumer. But then we have our customers and our wholesale customers and then we have our franchisee partners and things of that nature. So, it’s evolving. I think in an ideal world, you totally come in and you understand the business overall. Because there’s a couple things. [Inaudible 00:27:33] cybersecurity is a team sport. Our mandate is to lead our cybersecurity efforts and to manage risk to an acceptable level for the organization. It’s lead. Not do everything. We’re not the AOs, we’re not the authorizing officials for every technology platform in the organization. We’re not necessarily the organizations that receiving PII from a loyalty program on behalf of consumers. We are helping the organization identify that, manage it, and mitigate it to an acceptable level. But we can’t have an intelligent conversation if we don’t understand the business, if we don’t understand the WIIFM, the what’s in it for them, and we can’t communicate and lead if we don’t understand. So, that’s why I think it’s so critical. And everyone says it but that’s my kind of take on that perspective.
[David Spark] So, that’s a good take, Ngozi, in that it’s impossible to know a business that old, that complex, early on. But you do need to understand something. Correct, Steve?
[Steve Zalewski] Yeah.
[David Spark] I’m assuming, you were at Levi’s for quite some time, you learned more about the business over time.
[Steve Zalewski] Yes. And to Ngozi’s point, I came on and I thought my job was do security for the business. And the first 18 months was me understanding what this business was, talking about creatism [Phonetic 00:28:59], putting bubbles around creators and everything. So, Ngozi did a great job of answering this question, I couldn’t do any better, but I’ll give you an alternate approach to how you come in and say, “How is this everybody’s concern?” Really easy. Okay?
When I look at it now, I say there’s two jobs that I have. Why is it everybody’s concern? I want to make sure that we sell more jeans so everybody gets the most bonus that they can every year. So, what’s in it for them? Their bonus because if we sell more jeans, you get more. We’re being attacked all the time. What am I doing to minimize the attacks, so we maximize the profit of selling more jeans? That’s why you care. The second reason why we care is, and we work with customers, and consumer data is job one. If we lose that consumer data, we lose the trust of our customer, and they won’t buy from us. So, why is it everybody’s concern? You want your bonus, and we want customers because I’m here to sell more jeans and those are the two things that I have to protect against the people that are attacking us. And that’s like the netted-out business value of, “Okay, let’s just get to why we’re here,” and you almost don’t even have a security conversation.
[David Spark] A great way to conclude this show. That is awesome. Thank you so much, Steve, and thank you, Ngozi. Now, we have come to the portion of the show where I ask you which quote was your favorite and why. So, Ngozi, what was your favorite quote and why?
[Ngozi Eze] My favorite quote was from Esteban Gutierrez and New Relic Incorporated where he said begin with customer and market requirements overlay and risk followed by costs in terms of here’s the impact to the bottom line for doing this work. That is so critical from my standpoint to driving value for the organization from a cyber perspective. It also helps to establish the goalpost for how you’re going to drive incremental improvements in your cybersecurity organization. So, tons of great quotes, it’s hard to always pick just one, but from what resonated with me from the moment I saw it, it’s certainly Esteban’s comment there.
[David Spark] Steve, your favorite?
[Steve Zalewski] I kind of let the cat out of the bag earlier. It’s Ryan Franklin from Amazon, risk first and then blend with maturity. And the key here is and it was kind of what I was talking about at the end when you netted out. The risk is is it technical risk, is it cyber risk, or is it business risk? It’s got to be all three, but look at the risks, understand how it impacts the business and profit, and then blend that with maturity to know when you’ve got good enough to be able to then look to a different set of attack challenges. That’s it.
[David Spark] Excellent point. Thank you very much, Ngozi. Thank you very much, Steve. That was Ngozi Eze who is the CISO over at Levi Strauss. That was Steve Zalewski who’s the former CISO over at Levi Strauss. Our sponsor for today’s episode is runZero – cyber asset management solution. Check them out at runzero.com and you can do a free trial without leaving your credit card information on their site. Give it a try. Thank you very much, audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.