Understanding the Zero-Trust Landscape

Lots of vendors claim to offer zero-trust solutions. But is that framework even applicable to some product categories?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest Richard Stiennon, chief research analyst, IT-Harvest.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, SquareX

SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks.

Find out more at sqrx.com.

Full Transcript

Intro

0:00.000

[David Spark] Lots of vendors claim to offer Zero Trust solutions, but is that framework even applicable to some product categories?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this wonderful episode, it’s Geoff Belknap, who is also the CISO of LinkedIn. Geoff, say hello to the friendly audience.

[Geoff Belknap] Hello, everybody, and hello, David, and mystery guest.

[David Spark] He’s not a mystery. You’ve already met him. But… And he’s not a mystery to our audience, who’s probably saw this on their podcast feed and can see who the guest is, but I will introduce him in just a moment. But first, our sponsor for today’s episode is SquareX, be fearless online. Yes, SquareX actually allows you to open even suspicious or malicious resources fearlessly. How do they do that? Well, we’ll talk more about that later in the show. Geoff, our topic today – Zero Trust remains a popular buzzword in cyber security. With so many vendors identifying as Zero-Trust solutions, it can be hard to see how they actually play a part in this architecture. So, our guest today, Richard Stiennon, who I’m going to introduce in a second, has done the yeoman’s work of categorizing these Zero-Trust vendors in order to help make sense of the landscape. Now, Geoff, I’m sure you’ve heard this before from a vendor, that they are a Zero-Trust solution. Do your eyes roll when you hear it? What’s your response?

[Geoff Belknap] No, they don’t roll in the back of my head. I pass out.

[David Spark] Halfway up?

[Geoff Belknap] I go into a fugue state, and I wake up at home, and I don’t know what happened. We’ve looked into it. I think it has to do with hearing that trigger word. It could be Pavlovian. Unclear. I think, in all seriousness, that is how most CISOs feel at this point when they hear the buzzword, Zero Trust. I think I really appreciated the idea when it started around 2010 and has definitely morphed into something where our guest is now tracking all of what the Zero Trust ecosystem, and world, and what the meaning might be. So, I’m really excited to get into this.

[David Spark] Yeah, it is an ecosystem, and there are ways to achieve a Zero Trust solution. And that’s what our discussion is going to be about, and I’m very, very thrilled. And let me give some huge kudos to our guest today. Our guest has actually been counting the vendor landscape, which I think often when you see like how many vendors are out there, there’s a lot of shooting from the hip. Like nobody knows. But literally, his job is to find out and count them. Now, it’s very difficult to do that because they are coming and going at such a rapid clip, and yet he’s doing it. So, if you’re not on his list, make sure you are. But he is counting as much as you can. Anyways, let me introduce him. He is the chief research analyst over at IT-Harvest, none other than Richard Stiennon. Richard, thank you so much for joining us.

[Richard Stiennon] So great to be here, you guys. Thanks.

What do most people think it is, and what’s the reality?

3:19.172

[David Spark] Nathaneal Coffing of Servant said, “Can you start by defining both what you mean by Zero Trust and what the security vendors define it as? Perimeter based solutions don’t even register as Zero Trust if we’re using a strict definition.” Stephen Martin Rajan of Deloitte said, “A technology vendor has to contribute to the principles of Zero Trust, which is to verify explicitly and implement least privilege in order to have an impact in enterprise environments. At the end of the day, Zero Trust is a framework, and current cyber workstreams and products will continue to play a role in the desired end state.” Lastly, David S. Jones of DeepSeas said, “The product industry still tries to work off of buzzwords and check boxes. Having a framework with discipline to implement around people, processes, and technology is the only way to sustain a true security posture.” I think maybe when you get right down to it, could it be conceivable every security solution supports Zero Trust? Maybe some more than others, Geoff?

[Geoff Belknap] Oh, God, I blacked out again. Yes.

[David Spark] [Laughs]

[Geoff Belknap] Look, let’s just get this out of the way – Zero Trust, when we started talking about it, meant something very specific, and it was about this concept that at the time, especially in the early ‘10s, around 2010, when this was quoted by the fellow over at Forrester, we were really talking about how do we get away from this model where we put up just an outer perimeter of firewalls, and we say, “Hey, as long as we have to VPN into something, it’s secure. We’re all safe.” And with time and with maturity, we realized as an industry that was not the case. We had this crunchy, hard exterior and this nice, delicious, soft inside that all the attackers figured out. And John over at Forrester started thinking about, “How do we build this model of an environment that we can trust without having to just depend on firewalls or a network perimeter?”

And I think all of that, you know, sort of the Google BeyondCorp and all the things that came out of that, that was really about that. Where we went from there was talking about why do we implicitly trust anything. And then, I think… And I would love to hear our guest’s take on this. I think then that’s sort of where we lost the plot on the term, and it became a buzzword. So, I think if you’re talking to me about Zero Trust, I’m going to assume you mean that concept of network perimeterization or de-perimeterization. And if you’re talking about anything else, I’m going to assume you are in product marketing, and not that you’re unintellectual, or stupid, or anything but that we are talking in a different context.

[David Spark] So, Richard, I throw this to you. How at IT-Harvest have you been designing Zero Trust, and has that evolved over time? I mean, did you have like a grand editorial discussion of like, “All right, this is the way we’re seeing it. If they do this, this, and this, they fall in this bucket. Otherwise, they’re out of the bucket.” Or was that not the case? How was it handled?

[Richard Stiennon] Yeah, not the case at all. I was treating it as a buzzword. And I think even before 2010, I had heard Zero Trust, and I loved it. But it was completely different than what John Kindervag came up with at Forrester. Zero Trust was first introduced to me by people that would solve the problem that when you store stuff at Dropbox, it was encrypted with Dropbox’s key. So, anybody at Dropbox could read your confidential information if… But they didn’t because you trusted them not to. Zero Trust was encrypt locally, store the encrypted stuff in the cloud, and you didn’t need to trust them. So, you had Zero Trust in Amazon not reading your stuff.

You had Zero Trust in Dropbox. That is a good definition of Zero Trust. When you get to where we are today, it’s not zero anything. It’s dynamic trust, and it’s gradated trust based on your posture, and where you are, and what time of day it is, and all these things which we’ve always had. Right? Every network access control system has had those tuning capabilities. Every firewall has had those tuning capabilities since firewall one. So, after I had a database of all the vendors at the time and a process to collect that database, I actually asked my team in India, so 11 people, to go to every single website, about 3,000 of them, and tell me…just check the box on this spreadsheet if they say Zero Trust on their landing page.

And there were 238, and that led to the post on LinkedIn. Because I just wanted to get a feel, you know, how big is this. Now, today, of course… And by the way, since it’s not a product category… It can’t even come close to a product category or a market because it’s so diverse. It fits into a lot of things like network access control. Maybe the ZTNA stuff is a fine name for it, but it’s like a lot of other things, like cloud security. Not a market. Each cloud security product already fits into other markets.

Who owns this issue?

8:32.205

[David Spark] Simon M. of The Cyber Hunt said, “The majority of IAM vendors,” that’d be identity access management vendors, “leverage the ‘identity at the centric’ narrative. Certainly, authorization and policy based controls are booming, too. I would have perhaps expected network providers pivoting more though.” Mark Allers of Cimcor said, “The IAM guys think this whole strategy was written for them. Identity and access are major aspects of Zero Trust, but everyone is missing the layers to support a trusted system/service – workload/device to be specific. The industry needs to apply a strategy and methodology to Zero Trust for workload, identity, access, and transaction.” So, there’s Zero Trust across all of these.

And going back to what you said, it is graduated trust is what it is or dynamic trust. And by the way, that’s a great way of defining it. “The cloud won’t solve the workload issue. It, too, needs to incorporate integrity and trust, just as if it were on prem.” So, going back to your definitions of it’s not a zippy graduated and dynamic trust as Zero Trust, but it’s a better definition, Richard. I like it. How should, I guess, the vendors be presenting themselves to us, and what should we be looking for? And I know this is kind of a big question, but let’s see if you can boil it down. Like what should they be presenting to make us not have a blackout like Geoff just had?

[Richard Stiennon] Yeah, this really came home to roost for me with a category called digital risk protection, which in a vacuum you would not be able to tell me what that is, right? Because digital is redundant. There is no analog cyber security, right? Except in electronic warfare. Then there’s no way in the world you’d want to protect risks. Those should be gone. You want to eliminate risk. And yet, that’s the term for threat intelligence vendors. And most of the ones that listen to Gartner who made up this silly term, which is pronounced DRP, which is not a good thing…

[Geoff Belknap] [Laughs]

[Richard Stiennon] …said that, “Okay, we’re DRP.” You go to their website, they say they’re DRP. So, how does that help you and your SEO? Because nobody in the world is going to buy a box of DRP to deploy. Right? They need threat intelligence. They have a budget line item for it, and you no longer match your budget line item. So, my advice in general to all vendors is to say what you do, say what your product does, name it in a logical way. I hate to say that Fortinet is the best example of this. They just take the tag for what it is – the SIEM, an IDS, an IPS, a firewall, and they put Forti in front of it. Perfect. The FortiSIEM. You know exactly what you’re getting, right? And the FortiNAC, you know exactly what you’re getting. Don’t obfuscate with the latest buzzwords, be it zero truth, or de-perimeterized, or any of that stuff.

[David Spark] De-perimeterized. I like that one, too. Geoff, maybe you can think about how a vendor spoke to you about this or really the opening line that didn’t…that had the…I guess I’m going to say the opposite of effect of a blackout. What was that approach?

[Geoff Belknap] Well, I think it’s exactly what Richard points out. I cannot plus one this strongly enough, to please… Analyst firms have their value, and I think they bring a lot to the industry. This rush to like try to name your product to fit a made up sector, or a quadrant, or a wave, or whatever it might be, it is really unhelpful for people like me that need to buy these things and have a job to do. What you can do…number one thing you can do to get useful time with me or any other security leader is just tell me what problem you solve. Tell me what you do, and then let’s talk about how well that fits in my environment. Like the faster I can get through…

Like if you come to me and say, “I’m a Zero Trust solution,” now I have to do the homework to figure out what you mean by that and whether that actually solves a problem I have. Because let’s be clear, no one has a Zero Trust problem. No one needs to buy a Zero Trust solution to their Zero Trust problem. They have some other problem that they believe a Zero Trust solution, whatever it might be, may solve. And the less of that translation layer I have to get through, the better. So, as soon as I know what you do, and I can figure out whether that solves a problem for me, it is so much easier to have a conversation and to get further along to the purchasing.

Sponsor – SquareX

13:18.188

[David Spark] Before I go on any further, I do want to tell you about our absolutely awesome sponsor, and that would be SquareX. SquareX empowers organizations to detect, mitigate, and threat hunt web attacks against their enterprise users in real time. Now, as we all know, traditional SSE or SSE secured web gateways can’t stop modern web threats that happen on the client side, and end point security companies have no visibility into what happens in the browser during a client side web attack, leaving an organization vulnerable. SquareX, with its innovative approach, bridges this gap.

Their browser native security product, which deploys within minutes as a browser extension, safeguards enterprise users from a spectrum of web based threats, encompassing malicious files, websites, scripts, and compromised networks. SquareX offers full visibility into the attack chain, enabling enterprises to effectively threat hunt and identify similar attacks across their networks. You can learn more about protecting your enterprise users against web attacks with SquareX at sqrx.com. That’s sqrx.com. That’s sqrx but without the vowels. So, don’t wait for threats to reach your enterprise. Stop them where they start, with SquareX. Remember, it’s sqrx.com.

Where does this effort fall flat?

14:48.727

[David Spark] Amit Chaudhry of Cloudflare said, “Funny how network vendors can claim to do Zero Trust. It’s a 0:1 scenario. Either you do a VPN/firewall, or you do Zero Trust.” I guess I don’t know if that’s an equation, but whatever. “Zero Trust architecture is opposite of network security. You don’t build a routable network with firewalls. You connect the right entity to another based on identity and context. That’s how Trust and Verify comes about.” Good point. Elliot Volkman of Drata said, “If someone says they have a full Zero Trust solution, they are selling vaporware.” I think there’s agreement here. “It’s absolutely about architecture and strategy but not all tools align, like VPNs.” So, I’m going to start with you again, Richard, on this one. I think this last line from Elliot from Drata kind of speaks to everybody. It’s about architecture and a strategy, and not everybody is on board. But, I mean, being that this… During our break, Geoff was asking the question of how many websites do you think say Zero Trust on them. How many do you think?

[Richard Stiennon] Probably still the same number. But since we did that, we’ve really built out our processes, so now we track all security products as well. So, I can search by keyword. And if I search on Zero Trust, I get 305 products that say they implement Zero Trust.

[David Spark] So, that’s almost 1 in 10 or maybe 1 in 12 of who you’re tracking.

[Richard Stiennon] Yeah. Yeah, of who we’re tracking. So, it’s pretty dominant compared to everything else. Right? I think we’re done saying layered defense or defense in depth, but that’s what I go by. That’s my framework is defense in depth, thank you very much.

[David Spark] Happens to be the name of this show.

[Geoff Belknap] Ah, good name.

[Richard Stiennon] Yeah. What a coincidence. How did you…? You changed the name just to get me on. This was wonderful.

[Geoff Belknap] Well, this was the Zero Trust podcast, but… Yeah.

[David Spark] Yeah, we were considering… I don’t think Zero Trust as a name was in vogue at that point when we came up with this name.

[Richard Stiennon] The White House, the Government, and CISA are all in on Zero Trust, right?

[David Spark] I know, we’ve seen…

[Crosstalk 00:17:03]

[Richard Stiennon] Yeah, so we started seeing their [Inaudible 00:17:04] being published. What they did is they replaced the old buzzword, which was risk management. And I’m, frankly, very happy that they stopped talking about risk management. The final version of the NIST framework talks less about risk management than the very first version, which was mentioned 250 times or something. And I’ve just been fighting a career-long battle to get people to stop talking about risk management because it’s impossible, and why bother talking about it.

[David Spark] You know what? People love it. I will just say for our Super Cyber Friday show, when we do a risk management episode, usually one of our most popular episodes. They love it.

[Richard Stiennon] Yeah. Yeah. People love it because it’s not technical. It’s nothing. You can just kind of throw stuff around – what’s risk. And you can measure it with…

[Crosstalk 00:17:48]

[David Spark] Well, I don’t know. I’m going to throw this to you, Geoff. A lot of people argue we’re not doing security, we’re doing risk management. What do you think?

[Geoff Belknap] That feels like a nuance, just like I’m not selling firewalls, I’m selling Zero Trust network access devices.

[Richard Stiennon] If a general came to you and said, “We’re not doing civil defense. We’re doing risk management,” you’d fire them. You don’t want that. You want them to fight battles for you.

[Geoff Belknap] Yeah, we’re not… We’re nation building. Hearts and minds, right, Richard? So, I think…

[Laughter]

[Geoff Belknap] …the reality, again, here is whether you’re talking about the network concept, whether you’re talking about the framework, I think, I think about the work that I do as risk management. I don’t… But I think about that expansively. I think about it as it’s my job to try to help manage risk for the business, but really, again… I’ve said this before. I think about my job as it’s my job to help the business or the organization that I work for succeed. I think in this context where we’re talking about Zero Trust and what it might be, it really…the words now outside of the product ecosystem refer to just making sure that we’re not going like, “Okay, this thing comes from IP address 1.1.1.1. We’re going to just trust that thing, that it’s never going to have a problem, that it will never exceed our expectations for how it accesses data or the network.”

That we’re doing a more layered approach to that. Whether that be dynamically granting it access every time it needs it through some sort of like just in time access management process, whether it’s granting people like Richard or myself access to systems or services when we need it or in an adaptive, dynamic context. It’s all about elevating things. Because where we started 15, 20 years ago was, “Okay, I put this thing on network one, and now it has access to everything in network one even though it clearly does not need all those things.” And I think that’s where we’ve matured to as a security industry, to be thinking about it as a much deeper, nuanced discussion than just implicitly trusting things.

Who has the solution?

19:49.922

[David Spark] Saul Garcia of Mass Data Trust said, “Can any of us trust any one vendor to provide a complete Zero Trust solution that uses their own products?” I ask because I think some vendors are headed in that direction, as we are seeing many of the big players buying lots of vendors. That’s my commentary. And Saul goes on to say, “And I’m wondering if that warrants a long-term partnership.” Now, I will also say that what I have heard from a number of CISOs is they are looking at the platform plays, someone who could conceivably… And, again, don’t black out when I say this, Geoff. But if the vendor has bought enough products and bought enough products that could conceivably build out a Zero Trust architecture, conceivably they could sell themselves as a, get ready for this, “Zero Trust solution.” What do you think of that argument?

[Geoff Belknap] I certainly believe a lot of strategies in the security or the technology space depend on bundling solutions together and how they play together. Certainly if you lean into one solution space for one vendor versus all others, you get to know that, and you get to know the sharp edges versus the useful components of that pretty well. I think the reality though is… Let me just be clear, I think that can work. But I think where that can work is probably a lot more limited than many people would like to admit. If you are a very narrow business, you can absolutely lean in all the way to one vendor’s security stack, and it’ll probably be fine for you.

If you are a very diverse, high skill business, or you’re doing something different that nobody else does, and you’re not just a traditional services shop or B to B shop, you are going to have to do the work of hiring a security team that can understand what products fill in what gaps for what problems that you have. And that’s just the reality. It’s never as easy as only buy one vendor solution. I think the good vendors will be very up front with you, that they may have a plethora of products that you can choose that will all work presumably very well together, but there are areas that they are not going to be great in. And nobody wants you to have a giant security hole in the one area they’re not great in. They’re going to be up front about that. If a vendor tells you…ever tells you, “We do everything, and we do everything perfectly,” you need to run away, far and fast.

[David Spark] Question for you, Richard. In your analyst work, do you look at platform plays and sort of their bundling of products and how they interoperate, or are you trying to keep sort of your analyst and your sort of products specific one by one and not looking at the interconnectedness? How are you looking at them?

[Richard Stiennon] Yeah, one by one. Because I have been lied to by the large vendors for going on 25 years now.

[David Spark] Wow. But 26 years ago, they were very truthful.

[Richard Stiennon] No, no, they were lying as soon as I got into being an analyst.

[Geoff Belknap] [Laughs]

[David Spark] Oh, okay.

[Geoff Belknap] Well, they knew who they were dealing with.

[Richard Stiennon] My junior exposure as an analyst was big vendors lying to me. And publicly traded ones, and I don’t know how often…

[David Spark] Let me pause for a second. What does a vendor lie…? How does it present itself? So our audience understands, how does that present itself?

[Richard Stiennon] It’s just blatant. You say, “Hey, how many products, Mr. MSSP…how many end points do you manage?” And they’ll blatantly just make up a number on the spot. 1,500. Which would have made ISS at the time the biggest MSSP. It was just wrong. Fewer than 500 at the time. And you catch them in their lies. Or Microsoft telling me that they’re going to have a network firewall. I said, “Does it run on Windows?” And they go, “Well, yeah, that’s the operating system.” I say, “It won’t work. It’s not going to work. Nobody will buy that. Blue screen of death in your firewall, not a thing.” Or I’d say, “Okay, I’ll grant you, maybe you can have a stripped down version of Windows. Will it have Internet Explorer on it?” “Well, yeah.” “Well, it’s not going to work as a firewall. You can’t have something that’s so vulnerable running in the core of your product.”

But they had buried Internet Explorer into their operating system. Every six months, they’d brief me on their progress on their firewall. And they’d have a new product manager. Literally always a new one. I would tell them, “Look at, why should I even listen to you? You’re not going to be here in six months, because you’re going to have a different job, because it doesn’t work.” And that’s just one example. It’s easy to pick on Microsoft, but every single large vendor, all the publicly traded ones, engage in this kind of lie where I just can’t believe them. If they say, “Hey, we’re going to introduce artificial intelligence,” as Palo Alto was talking to Goldman the other day. It’s like that’s the big thing is protecting artificial intelligence. And it’s like, no, there’s no market there. You can’t just make stuff up in meetings and expect the industry to follow you. It doesn’t happen.

Closing

25:08.652

[David Spark] Well, that brings us to the tail end of our program here, which at the very end I like to ask my guest and my cohost, what was your favorite quote and why. And I will start with you, Richard. So, please let me know which was your favorite quote and why.

[Richard Stiennon] Of course it has to be Winston Churchill.

[Laughter]

[David Spark] I think I quoted Winston Churchill, did I?

[Geoff Belknap] I don’t think he… Yeah, I don’t think he replied to this LinkedIn thread, although he is active.

[David Spark] Is he one of your friends on LinkedIn, Richard?

[Laughter]

[David Spark] Because, by the way, I should be giving you a lot more credit than I was. One of his best friends is Winston Churchill. But please, Richard, give us your… Of the quotes that we got here, which was your favorite?

[Richard Stiennon] Yeah, so Stephen Rajan from Deloitte, and you’ve already said this, but the last thing you said – “at the end of the day, Zero Trust is a framework, and current cyber workstreams and products will continue to play a role in the desired state of that framework.”

[David Spark] And why do you like it so much?

[Richard Stiennon] Yeah, one, it takes you away from it’s not a solution. It’s nothing else. It’s a framework, so it’s a way of thinking about something. And frameworks help you think about something, right? They give you a structure to it. And you leave it at that, right? Then you build your strategies into the framework, which is fine, and certainly much better than the risk management framework.

[David Spark] Great. Geoff, what’s your favorite quote, and why?

[Geoff Belknap] I’m going to go with Nathaniel Coffing from Servant who said, “Can you start by defining both, what you mean by Zero Trust and what the security vendors defined it as? Perimeter based solutions don’t even register as Zero Trust if we’re using a strict definition.” I think this is the thing that always triggers me, so I’m picking out what do you mean. I believe Zero Trust exists. I can completely come around to the discussion that Zero Trust outside of my network centric view of it exists. I think it just comes back to what we talked about before, and you have to just tell me what your solution does. Don’t use a term that comes from an industry analyst. That term was built for a different purpose. That term was not built to help me, a person who is practitioning, solve a problem. I really just need to know what it is you’re doing, and we don’t have to put labels on it. We can do whatever you want. But just help me figure out what you’re doing, and then let’s figure out if it works for me.

[David Spark] Excellent. Well, that brings us to the tail end of the show. And a huge thanks to our sponsor. That’s SquareX. That’s sqrx.com. Be fearless online. Get their web extension. Just go to sqrx.com. That’s sqrx without the vowels, sqrx.com. I want a huge thanks to you, Richard, for joining us. This was something I was very much looking forward to – to have this discussion, to have you on because I greatly appreciate the analyst work that you’ve been doing for the marketplace. Is there something you want to say about IT-Harvest, communicate it to our audience? What would you like to add?

[Richard Stiennon] Yeah, probably by the time this show airs, we are going to make a massive pivot. Right? So, we’ve been covering the space from the perspective of the vendors. Right? Their health, their growth, their funding, etc. So, our users of our platform, which is a subscription SaaS, were investors. Because we are the only one that had that list of products, we are the only ones who could, I guess, enlist OpenAI to grab all the data from all the vendors’ websites and extract their products, the descriptions of the products, their feature sets, and align them with the MITRE ATT&CK techniques that they address. So, next week or the first week in April, we are announcing that this is now a product selection platform. We are going right up against the Gartner Magic Quadrant and arguing that if you’re going to make a big decision about a product, you should start with all the options rather than just the ones that have passed through the Gartner gauntlet. And that’s what we’re making available to CISOs right now.

[Geoff Belknap] Very cool.

[David Spark] We are very much looking forward to seeing that. That is awesome. Well, thank you again, Richard. For those of you who want to connect with Richard, we’ll have a link to his LinkedIn profile. Maybe through Richard you could get that introduction to Winston Churchill. I’m not guaranteeing anything. Not guaranteeing. And for Benjamin Franklin, you would have to work through Geoff Belknap.

[Geoff Belknap] That’s right. I rep him.

[David Spark] All right. Thank you very much, Richard. Thank you very much, Geoff. And thank you to our audience. We greatly appreciate your contributions. Please, if you see fascinating discussions online, send those links my way. We love turning those into episodes of this very show. Thanks for contributing, and thanks for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic yet in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.