Haven’t we already discussed at great length the cloud shared security model? We’ve had the cloud for a few decades. Why can’t we just extend that shared responsibility model for that to SaaS?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Russell Spitler, CEO and co-founder, Nudge Security.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Nudge Security
Full Transcript
Intro
0:00.000
[David Spark] Didn’t we already figure out the shared security model? I mean we’ve had the cloud for a few decades now. It’s all tech by now. Why can’t we just extend that shared responsibility model for SaaS?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, and you’re going to hear him right now. It’s Steve Zalewski. Steve, say hello to the audience.
[Steve Zalewski] Hello, audience.
[David Spark] That’s Steve Zalewski. You’ll hear him say far more intelligent things than shouting out to the audience. It’ll come in but a moment. Our sponsor for today’s episode is Nudge Security, SaaS security for the modern workforce. Aw, this is appropriate for this episode. And our guest comes from Nudge.
We’ll introduce him in a second. But first, let’s talk about today’s topic, Steve. It’s easier than ever to keep IT out of the loop when it comes to software. SaaS is not new, but we’re still figuring out how to secure it. We know all about the cloud shared responsibility model. In fact, we’ve done umpteen segments and episodes on it.
But that seems to break down when we talk about SaaS. There is definitely not a one to one correlation between cloud and SaaS even though they’re both on the cloud, for that matter. So, Seve, you posted about this. How is the response to this different from the classic Shadow IT problem?
[Steve Zalewski] So, Shadow IT is somebody deciding not to play nice. Okay? And that’s what Shadow IT is. People deciding, “Aw, I don’t need the IT team until I do.” But SaaS, as we’re going to talk about here, is not about somebody not playing nice. It’s about how do I trust somebody that I can’t not trust.
And there is no good ways to do that.
[David Spark] Well, we will hopefully come up with some solutions because we don’t want to live our audience in the lurch here, now do we. And to help us discuss this very topic is our sponsor guest. And by the way, let me give some more cred to them. Beyond them being a phenomenal sponsor, they were the winner of our second season of the Capture the CISO contest.
Our judges and our audience absolutely love them, and we love this guest. We’ve had him on multiple times on many different shows. We’re going to get very specific into the SaaS security model with him. It is the CEO and cofounder of Nudge Security, none other than Russ Spitler. Russ, thank you so much for joining us.
[Russell Spitler] Thank you for having me here today.
What’s our visibility into this problem?
2:50.489
[David Spark] Adam Gavish of DoControl said, “The real question from the beginning should be how security teams are expected to own and govern SaaS data when SaaS applications themselves don’t even make it easy or even possible in some cases. I say a new SaaS shared responsibility model could help assign clearer ownership to relevant teams – IT, security, business units – across managing SaaS identities, data, SaaS to SaaS, etc.
This is helpful because today in some SaaS security cases IT has to do security work without the security knowledge context,” as we’ve discussed. “And security has to do IT work without a clear understanding of the potential impact of misconfigurations.” Let me also add Chris Jones of Promethean IT who said, “With 90% of SaaS apps being introduced outside of IT, it’s essential to clearly define responsibilities among SaaS providers, IT, and security teams, and end users.
By establishing a standardized model, we can help nudge SaaS providers…” By the way, they had no idea that Nudge was involved with this. They just used the word “nudge.” But Chris goes on to say, “We can help nudge SaaS providers to integrate critical security features and management tools, ensuring a more secure and transparent relationship between customers and their entire SaaS security ecosystem.” So, all of this sounds great, if anyone did it.
Yes, Steve?
[Steve Zalewski] Yeah. And I’m trying to think of a simple way to put this in context for Russell and I. Here’s what I would say, which is the old school was verify then trust. Right? IT would verify that we understood the applications, where it was, and then we would trust it. The challenge we have with SaaS is we have to do trust and try to verify.
So, even though we want a shared responsibility model and both sides want to have a conversation, we, in essence, can’t see inside the SaaS applications, and they can only share a certain amount of information that I want to see. So, I go we went from verify then trust to trust and verify, and that it’s the conundrum that we’re in.
[David Spark] Well, the difficulty of verifying within the SaaS model, Russ, how do you approach this?
[Russell Spitler] You know, I think both Adam and Chris bring up two very interesting points in different context. Chris, to his point, is if you have a large influx of business led SaaS adoption, you’re often in a place where regardless of whether you trust and/or you verify, you first need to know.
And that becomes a scalability challenge in a lot of organization. Adam, to his point, I think really hits the crux of the shared security model on the head, which is that sort of user persona definition that has been performed by these SaaS providers is often easy. Where they assume that the first user to sign up for that application can take on the administrative responsibilities including the affective use of security features.
That, I think, is the crux of what the challenge is today. Because you go and look at all of these PLG led services or even just free trial led services, however you want to do it. People are signing up for these applications, and they’re inheriting the responsibility for those security features on behalf of their organization regardless of whether or not they have the appetite, the context, or even the interest in taking on that responsibility.
[David Spark] You know, it’s interesting you mention that it’s always the very first user because more and more SaaS apps I use now, I’m often the first user, and I’m allowed to provide other people access to it. But they very nicely give me like admin, manager, just viewer, editor. They’ll give me four different stages and explain what they are but never for the first.
They assume you’re the admin, right out of the gate. And why wouldn’t they?
[Russell Spitler] They have to. You got to do the things of inviting other users. You need that level of permission. Now, it’s obviously… You can transition that ownership to other people within your organization, but often it might be a developer to a development manager or somebody on the front line of marketing to a marketing manager.
It doesn’t always go back to the IT organization.
Whose issue is this?
7:28.765
[David Spark] Simon Goldsmith of OVO said, “The only shared responsibility models I’ve seen are from cloud suppliers describing an abstraction of contracts with their buyers. What I think you’re referring to is shared responsibility within an organization. I view this as just as a different take on the fundamental question of how we get our people and our third parties to take accountability for security.
So, no, we don’t need a new abstracted model. We need new contracts and incentives.” That’s an interesting take here. We’ll get to that. Michael Giraldo of TheFence said, “Turning the question around, why would an employee from outside the IT department seek alternatives? It’s often because their needs are going unmet by the organization.
If IT isn’t attentive to users and their requirements, employees will naturally find other ways to complete their tasks. Essentially, this happens when IT isn’t affectively listening to and addressing user needs. All right, so that one we’ve heard before. So, I’m going to toss to you first, Russ. Tackle either one of these.
Will new contracts and incentives actually move the needle? That’s what’s Simon says. And with Michael, like IT isn’t engrained enough in the business to know what people want, and they should.
[Russell Spitler] So, both of these are the same problem in different language. It is a completely unreasonable expectation for a centralized organization to understand the business needs of every single employee in the organization and preemptively procure and provide the technology that’s going to make it more productive.
Those days have long sailed. It didn’t work back in 2000. It’s not going to work today. And of course the amount of technology today far out strips what any centralized organization can do. The second piece of that, as Simon brought up, those end users are the ones signing the contracts when they’re clicking through, putting in their credit card or starting the free trial.
Yes, it might go to procurement later on, but the reality is we are entering into contracts, and those end users are entering into the contracts. Just having something laid out in a contract isn’t going to change anything related to the practical reality that those users are now responsible for some portion of the secure use of that application.
[David Spark] And also, the point I always make is when that data has gone out, really are you going to complain to the software provider, whomever? Which, by the way, they’re probably protected by their ULA agreement. That’s not going to be your first move. Your first move is dealing with the data.
I’m throwing this one to you, Steve. How much can IT know? And let me throw this out, because we’re talking a lot about IT. Sorry to derail for just a second. But years ago… And this goes back I’m going to say like eight, nine years ago. I did a video shoot at the AWS re:Invent Conference, and I was asking people about their IT department.
Half… And, again, eight or nine years ago, so I’m sure it’s higher today. Half of the people who I interviewed, again, at AWS re:Invent said, “What IT department?” There are many that just don’t have one at all. Steve?
[Steve Zalewski] This is why it’s a multifaceted problem. And I don’t mean to make it sound complicated. What I’m trying to do is oversimplify it. To your point is, look, the size of the company makes a difference. These two quotes that we talked about here, actually on one hand we’re talking about what is the shared responsibility as a SaaS vendor to be able to do this.
But more and more I’m coming back to shared responsibility is if security is everybody’s responsibility then within the company itself, how is everybody taking that responsibility to wield their power for good and not accidentally create problems for themselves. Your conversation around admin, that’s a service account.
Admin account is not owned by a human. It’s a service account. Right?
So, them taking on responsibility and acting like an admin and then handing the password around, bad security practice, but the business has to get something done. Then the last thing I’ll say is and is it an IT problem because is security, which traditionally falls under IT and as its morphing…is it a security problem versus an IT problem, versus the shared responsibility of me as an employee.
So, I kind of went down that logical path for people to see everybody is picking one or more of those perspectives and then arguing or having a conversation around that. Whereas what we’re struggling with is all of these have entered the picture, and I’m going to go back to I think the shared responsibility is really within the company for every employee to understand what their role is in security, not necessarily they have to be experts in security.
[David Spark] Let me toss this back to you, Russ, in the reference that I made earlier saying a lot of people I interviewed didn’t even have an IT department. Are you dealing with customers that have nonexistent IT departments but just have their entire business on SaaS apps? I mean there’s tons of businesses like that.
[Russell Spitler] Yeah. And the sort of rule of thumb that I have is if you’re below 5,000 employees you more or less are 90+% on SaaS applications. Nobody has got appetite to spin up a data room and throw a [Inaudible 00:13:27] on a server just to push code out the door. The piece that Steve just brought up I think is the crux of this issue, which is in a lot of these SaaS applications, there are assumptions they have about the end users of the product in terms of what security features, how they use data collaboration features, how that product gets used.
There are assumptions related to the administrative role. And, Steve, I’m trying not to say the administrative account.
But you know, the person wearing the admin hat for that service has responsibility for how do I deploy the security features in the context of my business processes and use. And then as you well remarked, regardless of whether it’s somebody wearing an IT hat or a security hat but there is somebody in that organization who has that responsibility for, “How is my dad secured in these third parties that I’m using?” And they need to be able to coordinate with all of those admin roles across the organizations.
All the people who play those across the various apps. And in a lot of cases with all the end users of those applications as well. “Hey, did you turn on MFA in this app that requires end users to opt into it?” And that’s the real challenging dynamic. I think when you look at it from a SaaS vendor perspective, they assume all three of these roles are the same person.
And they sit there and say, “Hey, I gave you an admin feature to enforce MFA. Why didn’t you use it?” And of course the person who’s sitting in the admin seat is saying, “Because the IT guy didn’t tell me about it. The IT or the security guy.” And the IT and security guy is pointing back and saying, “You didn’t even tell me the app existed.” And meanwhile the bad guys are saying, “Thanks.”
[David Spark] [Laughs]
[Russell Spitler] Right? That’s the challenge we’re dealing with.
Sponsor – Nudge Security
15:07.821
[David Spark] Who’s our sponsor this week? Well, it’s none other than Nudge Security. So, let me ask you a question. How big is your SaaS attack surface? It’s probably pretty darn huge. And you can find out with Nudge Security. Their patented approach to SaaS discovery finds all SaaS accounts ever created by anyone in your organization and alerts you as new apps are introduced.
So, all these concerns we’re talking about on this show, well, they’re addressed with Nudge Security. And the best part – you’ll have a full SaaS inventory in minutes. No agents, browser plug ins, or network proxies required. For each SaaS app discovered, you’ll see the list of all users, the MFA coverage, SSO enrollment status, breach history, and more.
You’ll also have a full inventory of app to app OAuth connections, scopes, and risk scores with the ability to revoke risky grants with just two clicks. Nudge Security also includes playbooks to automate tedious time consuming tasks like user access reviews, employee offboarding, and more. So, you can take control of your SaaS security posture with Nudge Security.
Why not just start a free trial? You can do it right now. It’s only a 14-day free trial. It’s great. You’ll see all the awesomeness in that period of time. Just go to their website. It’s nudgesecurity.com. Go to that and go /cisoseries. Nudgesecurity.com/cisoseries, and it’s spelled exactly the way it sounds.
Go check it out.
How do we approach governance?
16:51.838
[David Spark] Lior Yaari of Grip Security said, “Enterprises need to stop managing SaaS and start governing SaaS. It is wrong to assume we can secure the modern workforce with its 2-year-old innovative gen AI solutions using 15-year-old firewalls and CASBS. The shared responsibility model should change to allow the business to own the risk and security team to monitor and support securing those apps instead of doing it themselves.
And Clea Ostendorf of Wolfpack Security said, “The explosion of SaaS products and the fact that most users are not using enterprise versions and buying what they need is one of the biggest blind spots to any security program in my opinion. Your data is going there, and you have no control. People might be reusing passwords.
People might be still maintaining access after they leave the organization.” Might? For sure it’s happening! Steve. It’s essentially like we’re trying to deal with this with old ways of thinking about security, and this is such a different egg, as both you and Russ have pointed out. Steve?
[Steve Zalewski] Yeah. So, I’m going to actually respond to both Lior and Clea in two different ways. I want Russ to give me a spot. What Lior is talking about in my mind is that our traditional way of securing everything is with a network edge. Network service edge, firewalls, CASBS. But what we have with SaaS more and more is we have a data edge, not a network edge.
We have to expose the data directly. We can’t rely on our network firewalls anymore. And so that’s a change in how we have to be able to respond. I think he’s part of that. Which was, “Guys, we have to acknowledge our service edge for a lot of companies doesn’t have a network edge.” And so we have to do things differently.
What do we need to do? And where is the innovation to be able to accommodate that change in thinking?
That’s the first one. What Clea is talking about in my mind is, hey, look, SaaS applications are not necessarily large enterprise applications like SAP. Volleyball.com now is becoming an enterprise SaaS application because a dozen employees have decided to get together and are using volleyball.com in the evening in order to be able to meet.
And so we’ve bridged between the business identity and the personal identity, and we’re doing business with both. So, this definition of a SaaS application as a large enterprise application is no longer true. They’re very lightweight. Often times they’re not well respected applications, but they’re what the employees are using.
And now we’re doing business with our consumer or personal identities as well.
[David Spark] All right, we throw this one to you, Russ.
[Russell Spitler] I think that point about the data is right on, and I think that thread kind of weaves through everything we’ve been discussing so far, which is as corporate citizens, as employees, we are entrusted with corporate data in some form or another, and then we, in turn, trust it to any number of SaaS accounts that we upload that data into.
And when you think about that dynamic, that all of a sudden starts to drive what our response needs to look like, how we bring technology to bear in this problem, and how we address these challenges at scale. And so understanding where that data is ending up, what accounts are created is the first step.
Then of course the next piece is understanding those traditional security controls that we’ve applied to data¸ which is authentication. Then of course the authorization that comes after that. That now needs to be applied to a broad set of systems that are outside of our control that sometimes we know about, sometimes we don’t know about.
And we need to do that in a scalable mechanism where we have the business context to make those decisions in a reasonable time so as not to disrupt the business process, and that’s the crux of the challenge that we’re dealing with today because our data is no longer conveniently in our data center. It is all over the world, all over these different disparate SaaS services.
[David Spark] You know, I talked a little bit in the sponsor read about what Nudge Security does, and I think you also listed off some things, of which some of them I think Nudge actually handles. What of these sort of concerns that we’re dealing with can you actually manage within Nudge or people can manage if they use Nudge?
[Russell Spitler] I wouldn’t be here if I weren’t passionate about this subject. And if I weren’t passionate about this subject, I wouldn’t have created a company to help people with these challenges. So, what we do with Nudge is certainly start with that first challenge, which is help you map out exactly where people have created accounts, what apps are being used.
Help you understand and manage that footprint that’s across that organization. Then we go further, which is start to help you revoke access. To Clea’s point of when employees are leaving an organization, we have data that shows about 40% of the accounts that they had during the time that they were there are left provisioned after they leave, and that’s because those were created with an email and password, and IT and security don’t know about it when they employee leaves.
And so we can help revoke that access when that time comes. But then most importantly, we can help get in front of this.
So, as you’re sitting there, mapping out where you have these reliances, what third parties have access to your data, what security risks are you going to accept in terms of the productivity provided by these services, we can start to help you engage with those employees, get that business context, help you streamline those processes so that you’re making more affective governance based decisions about what technology is in place and help make sure your employees are taking on their part of that responsibility model when it comes to those end users and those administrative roles across the organization.
What’s most important?
23:07.173
[David Spark] Mauricio Ortiz of Merck said, “Yes, a model is needed. Enterprises cannot rely on or assume all the risk controls and security is the responsibility of the SaaS providers.” Eh, we don’t know how far that can extend. But… “The number one shared is to protect the customer data.” We agree with that.
“Companies should implement strong IAM mechanisms to prevent phishing or exfiltration of data from their accounts. They also need to implement their own data backup strategy. It is critical as there are plenty of examples where SaaS vendors had lost customers’ data due to internal errors.” So, everything we’ve been talking about is just the SaaS vendors doing everything right.
They’re providing us all the access we need But Mauricio is saying, “Well, they do screw up, and they have all our data.” So, what do we do, Steve, in those situations?
[Steve Zalewski] Well, there were two points there, which was how do I trust the SaaS provider that they’re using authentication and authorization controls affectively, consistently. And you can demonstrate audit wise that you’re doing that. Yet me, within my company, having all my employees using those SaaS apps, I hold myself to the same level of accountability.
Do we have MFA implemented? Do we know all the SaaS apps? Are we implementing our password controls? So, there’s both sides. This is where we get back to a little bit about that third party trust but verify problem, and we’re asking for it. But then internally, are we holding ourselves and our employees accountable and do they understand what that shared responsibility model looks like for SaaS?
And I would argue we’re losing ground, not gaining ground on both parts right now while we’re still struggling with getting better at understanding that.
And the final point I’ll say here is when I was talking about you as the employee having a business persona and then your personal persona, right? A SaaS app may be the local deli shop, and the individual is using their corporate credit card but their personal data in order to be able to order from the deli shop.
And that’s a SaaS app now, in the past where it’s maybe very, very weak on that SaaS app and I don’t have control over it. So, this is where I’m getting at that bridge between how we do our job for the business and the control over the identity for that business is, again, an area that we’re still struggling because we’re losing some control, which is why I reinforce the every employee has to understand their role in the shared responsibility.
And that’s something we’re still working through as we’re adopting these different kind of SaaS models of use.
[David Spark] And I want to double down on…really it’s the title of this whole episode, a shared model. But I realized as we’re discussing this that this is far more a shared issue than the classic cloud shared issue because there is so much that… Let’s just even if these SaaS vendors wanted to, there’s so much visibility they don’t have into your organization that they couldn’t do anything for that matter.
Someone leaves. How are they going to know that? So, this is so much an issue of you don’t have a choice. You got to do it on your side. Yes, Russ? There’s just nothing the other side could do.
[Russell Spitler] So, I have spent my career… I’ve worn many hats, but primarily my hat was a software vendor. And it is blatantly clear from my perspective that the only secure system is one that doesn’t work and is just locked in a basement, buried in concrete. Whatever you want to use. And so when we think about providing a service to an end customer, there are always places where we could make security decisions that would essentially break the functionality of that service.
A file sharing service that doesn’t allow you to share files with people outside your organization is a very limited file sharing service but would be far more secure from an enterprise security perspective. Now, when we get into the sort of myriad of challenges, often when a product manager or developer comes to a pass where they say, “This is the right thing from the security perspective, but it’s going to limit or alter the functionality of my product,” they put in a switch.
That becomes a security feature.
The business gets to make that decision whether or not to use that feature in that context or that way. And that’s where the real crux of the shared security model comes into play, which is providing you a service, and they’re not just providing you it. They’re providing thousands of companies, if they’re fortunate enough to be a successful SaaS company.
And they need to make a service that affectively fits in the security policy of all of those organizations, and sometimes there are choices that the customer needs to make. And so when you kind of look at this and sort of put blanket statements in terms of security is the responsibility of the SaaS providers, you have to get to a place where you can accept some portion of the responsibility for that security.
Very similarly, when you go back and start to put your security posture based on single sign on is going to solve my SaaS security problems.
Examples like Steve gave are canonical examples but probably more practical real ones are I get shared a data room from a third party provider in box, and I’m doing a deal, and that partner needs me to access that data, and that account is owned by that third party. It is not owned by my organization.
Single sign on doesn’t apply in that world. And I don’t care what industry you work on, those eventualities happen. And so this can’t be a single solution, single sign on is going to save my world. This can’t be the SaaS providers need to do better, and make these decisions for me, and make sure my employees are secure.
We need to be able to balance that, and that’s of course where the sharing comes into play. And whether you want to call it shared security model or sort of the modern Google, shared fate model, it doesn’t matter. We’re all in it together. And whether we take responsibility or just deal with the consequences, we still need to be able to balance the responsibility across these stakeholders.
[Steve Zalewski] And I’m going to dovetail on that. Russell and I were joking earlier. I go, “That’s the federated identity model. How do I have one uniform way of determining who you are?” And then I said, “So, at what point does a nudge become a shove so that I’m not nudging you on what the right thing is to do.
I’m shoving you to action that the right thing gets done.”
Closing
30:14.554
[David Spark] Very good point to close this out. All right, we’ve come to the portion of the show where I’m going to start with you, Russ, and I’ll ask you which of all these quotes…really lots of good ones here…was your favorite and why.
[Russell Spitler] I loved where Adam came in, which is that day to day reality that we’ve all probably experienced, which is sometimes as end users we have to do security functions. And sometimes as security players, if you’re a security operator, sometimes you end up doing IT functions. And I think that really hits the nail on the head in terms of the different hats you need to wear during your day to day use, and that really is the problem that we’re trying to exemplify here.
[David Spark] Good point. All right, Steve, your favorite quote and why.
[Steve Zalewski] So, I’m going to go with Chris Jones of Promethean IT. With 90% of SaaS apps being introduced outside of IT, it’s essential to clearly define responsibilities among SaaS providers, IT, security teams, and end users. Absolutely. We just have to have that hard conversation along shared responsibility, so I’m kind of doubling down on what Adam and Russ said.
I think it’s the right thing to do.
[David Spark] And I would also mention, as… Let’s just say we get this sort of nirvana that Chris Jones speaks of. Even when we try our best, we still don’t have a clue what’s going on. I mean we’ve seen this again and again [Inaudible 00:31:34] That’s why I think what Nudge Security is offering… Even if you were to achieve that great Eden that Chris Jones described, it’s still going to be a giant mess.
I mean, Russ, tell me, what is the best looking system you’ve seen before where they had sort of the best view? It’s still probably pretty bad, yes?
[Russell Spitler] Yeah. And there’s a couple ways to measure that. But if we go by the organizations who beat on their chest and said, “Single sign on is in 100% of our applications,” and we revealed that it’s about 40%, which is about the best case we’ve ever seen. Or if you kind of go from the perspective of the people who say, “Hey, my CFO is a real hard nose guy, and no expenses for any SaaS apps ever get through.” Then you start to talk about, “Well, what do you do for the freemium apps and the apps that start for free and then…?” Even Slack, right?
Those get deployed across an entire organization before you start paying for it. And you end up in these challenges where regardless of where you stand, whether you’re using kind of that network edge or you’re using that financial control, these things, their whole go to market model is built to avoid those.
And they’re in there, and that reality is big.
[David Spark] They’re designed to get you up and running as quickly as possible. That is their goal. Not to put in 12 layers of security before you start anything.
[Russell Spitler] And getting up and running as security as possible often means working around procurement and often means working around security in some form or another. At least that network edge in some form or another. And companies have gotten good at that.
[David Spark] I agree. All right, I want to thank your company. That would Nudge Security. SaaS security for modern work. I’m also going to let you have the very last word here. Russ, do you have any special offer or beyond…? I mentioned if you go to nudgesecurity.com/cisoseries, type that all out, you will get a 14-day trial with Nudge Security.
Anything else you want to say to our audience about that or anything else?
[Russell Spitler] My absolute favorite experience is having those conversations after the trial deploys because we actually get to go through that data. And it’s about an hour on average to analyze, and I can show you every app that your organization is using. All the places your employees have signed in, how they’re signing in.
And that is a never ending source of amusement, not just because I’m dealing with a customer who’s very happy that they finally have an answer to a question they thought couldn’t be answered, but we always get to explore and find some new things. And I learn about new apps every single time we deploy, and that’s… I would love to offer that experience.
And anybody who deploys, I’d be happy to jump on that call and be do that with you.
[David Spark] Excellent. Take Russ up on that. That was Russ Spitler, who’s the cofounder and CEO of Nudge Security. Thank you, Steve, as always for being awesome, and thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.