
Do you have a policy for a certain issue that people know about, have been trained on, and actually apply? Or did you write one hoping all of that would happen?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Justin Berman, formerly VP of platform engineering and CISO at Thirty Madison Health.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, SecurityPal

Full Transcript
Intro
0:00.000
[David Spark] Do you have a policy for a certain issue that people know about, have been trained on, and actually apply? Or did you just write one hoping all of that would just happen?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me, if you haven’t noticed lately, he’s become a regular co-host. It’s Eddie Contreras, Senior EVP and CISO over at Frost Bank. Eddie, thank you so much for joining us.
[Edward Contreras] David, always a pleasure to be here.
[David Spark] That is the sound of his voice. Get to know it. Our sponsor for today’s episode is SecurityPal AI, 100x faster security reviews, powered by AI agents and expert humans. More about just that a little bit later in the show. But first, let’s talk about the topic at hand. All right, Eddie, let me set this up. Alan Wilemon of KirkpatrickPrice argued that having a policy on a certain issue is not the same thing as having an implemented policy. So, written versus implemented. For a policy to be in effect, Wilemon noted that you need training, auditing, and monitoring and coaching, and corrective action when needed. Now I know policies get written and then there’s this hope it will be read by someone, they will follow through with it, but geez, does that magical hope really ever happen? Isn’t there a process where you have to put the policy in action? Aren’t there some arguments that end with “but that policy has been written down”? Have you heard that line before, Eddie?
[Edward Contreras] Not only have I heard it, I’ve dreamt about it. I’ve woken up and had nightmares.
[David Spark] [Laughter]
[Edward Contreras] It’s just something that happens all the time. I think if you think about the term “policy,” and I always like to ground everybody in the conversation before we dive into the details, policy, what does it mean? How do you define it? If you are an Active Directory user, policy has a certain stigma to that. If you are an identity user, policy has a different meaning. If you are corporate governance, policy has a different meaning. I think the challenge is a lot of times when policies are being written, a lot of those concepts from all three different levels are merged into a single document, which makes it a very challenging document to interpret. And so, when you think about policies and you think about, do I have a document that is going to help my institution be better, is it going to guide my administrators to be effective, and can I report on whether policies are essentially doing what they’re supposed to be doing? It takes a lot to get there. And so, I think you have to be grounded in how is your policy written? What are you trying to get out of your policy and how are you measuring against it in order to be able to answer all these statements, because it’s a lot of statements built into one little quote there. You can tell just by the quote, they’ve probably been looking at policies that have a merger of all three of those concepts in one.
[David Spark] This is a really, really good concept that it is far greater than the sort of those initial written down words, I guess, if you will. And how those are written down and managed is a different thing. All right, I’ve got someone on, who I have to apologize profusely, we have not had on for a long time and it’s one of our favorite guests, totally friend of the show. Now he’s working on something new, might be able to announce it by the time of this release, don’t know yet, but he’s formerly the VP of Platform Engineering and CISO over at Thirty Madison Health. Please, huge round of applause. Everybody, if you’re at home, in your car, jogging, at the gym, for none other than Justin Berman. Justin.
[Justin Berman] You are too kind as always, David. I’m stoked to be here and excited to talk to Eddie about this.
Why is everyone so confused?
3:44.043
[David Spark] Alban Fernandes said, “Having a policy but no control over its implementation can be compared to having a map, but no means of transportation. Just as a map outlines the route to a destination but requires a vehicle to get there, a policy provides guidelines and objectives but needs effective control mechanisms to ensure those guidelines are followed and objectives are met.” Kind of a very nice little summary right there. Aysun Güneren of Novartis said, “Policy needs to have controls in place. Those controls mitigate the risks addressed by the policy. The implementation of the policy, which includes training, awareness, single source of truth document/location is key for successfully addressing the risk.” So, this is kind of a nice setup to really kind of echoing what you said at the very beginning, Eddie. Yes?
[Edward Contreras] I would agree. And if you hear the statement “control objective,” and if you think about a policy that’s well-written, how deep is the control objective in a policy? And so, we’ll start with grounding and making sure that as this conversation progresses, we’re all talking about the same thing. So, the way I define a policy, it’s either management’s or the board’s intent, and that is something that is typically very high level. It is what they expect of the organization and what they expect of management. But when you talk about standards and you talk about all the controls that are built into the standards, you have what’s called a control objective that links it to the policy. And so, there is a merger of these documents at some point in time. And so, if the policy is well written, you’re writing it with control objectives in mind, but may not be disclosing it all the way in that policy. And so, if you think about that, how do these documents interlock and how do you get them to support each other is really the challenge, versus does the policy in itself have the controls that are sufficient to make your organization safe, minimize risk, and still be effective. So, I think it’s the marrying of these documents that makes it an effective program, versus the policy by itself. But I’m curious to see where Justin lands on this.
[David Spark] All right, Justin. What’s your take? And by the way, any examples you can throw out would be fantastic.
[Justin Berman] Sure. I think I agree overall with what you’re saying, Eddie. Here’s maybe coming from like working at a lot of smaller and like very tech-centered, move fast, break things kind of organizations. To me, the separation between standards docs, policy docs, etc., is mostly about frequency of change. My standards or my control, like the documentation I might have about control implementation, might change frequently because I want my security engineering team to be coming up with new ways to meet the objectives overall that are better all the time. And I might describe my like technical measures or technical metrics within a standards document. But the policy document should remain relatively static for a much longer period of time and changing it requires usually a great deal more review. That said, I think coming from those smaller organizations, it’s really helpful to also characterize kind of how is that document going to be used?
For example, working in B2B SaaS, I can say like often one of the most important things I’m going to do with it is use that document to help either a customer or an auditor, doing like a SOC 2 or an ISO assessment or something similar, understand what the organization is claiming to do so that they can then assess where that meets or doesn’t meet their own objectives for the security of either the attestation or the customer relationship.
Why is this so darn hard?
7:34.901
[David Spark] Nino Renzi said, “Even when you write policy, get the golden stamp from risk management, the CIO, or even the CEO, there’s always that one special character that is exempt from enforcement because it would make their life a bit more difficult. Every organization has at least one of these employees where the password does not expire or can’t have MFA.” And Bilal Iqbal of McKesson said, “Policy needs to be more than a documented statement. In order to truly activate compliance to the policy, organizations need to provide enabling support in the form of awareness, communication, training on mechanisms to comply, metrics to track compliance, and reinforcement steps to ensure compliance.” So, I want to actually start with this first quote from Nino here who said that there’s going to be exceptions, like one person in the company is just going to say, “No, I’m not going to do it that way.” Have you run into this, Justin?
[Justin Berman] Sure, but I think that in some ways, this to me speaks of like a policy-writing group or a policy implement… Like a group that is coming up with policy that is deeply disconnected from something at the organization. So, to me, there’s a top-down way of writing policy, which is define some risk objective, you define some overall like set of approaches that you’re going to follow to meet that risk objective, some kind of behavioral standards that you’re expecting people to follow, etc. The other way is a bottom-up approach, which is you take that risk, you have a set of mitigations, technical policy, or process-oriented, or sorry, let’s say technical or process-oriented mitigations. And then you bottom up into what is a policy need to look like, or what is a combination of standards?
What I notice is I rarely run into the same kind of problems when I use a bottom-up approach first and then figure out where that has gaps versus the top-down. Like is this actually going to meet the objectives or not? Because that way, I actually have the controls or the metrics or the reinforcement or the whatever else in place because I’ve been testing approaches to solving the problem, and I’m solidifying policy once I actually know the right way to solve it at an organization, as opposed to when I define that there’s a risk that has to be mitigated, and I start with policy and then go down into how. Obviously, every company and every organization needs something different, but I guess I’m curious what Eddie thinks. He might be like, “That’s crazy for a bank.” [Laughter]
[David Spark] Well, yeah, I’d be interested. Because you haven’t worked in finance, have you, Justin?
[Justin Berman] I was at Bridgewater Associates for a bit but obviously, being at a hedge fund’s quite a bit different than being at like a large bank or a public institution.
[Edward Contreras] The way I would look at this is, and I think what Nino was talking about is exactly how you opened up this segment, David, is have you ever experienced this? And I think what he’s looking at is probably a poorly written document. And it’s not his fault and it’s not the fault of the person who wrote it, right? There are some times where you might have small teams and you’re tasking a technologist to write a policy and they’re starting to bring in controls that belong in a standard, and all of a sudden, you have a very bloated document that is very hard to conform to. So, I would say this. When you look at that statement, you should never have a single employee have an exception to a policy because policy is management’s intent. That is like saying, “You have vacation allotted to you.” And then someone says, “Except for you. You don’t get vacation.” The policy is, no, you are allotted that. Now your standard is, how do you structure that? Is it within one-week segments, a couple of days at a time? The standard tells you how you abide by the policy.
And so, if you start to embed controls into your policy, then you’re forcing people to make an exception to your policy. So, the way that policies typically work is, your board or your executive team has to approve it. It gets catalogued. It’s an annual event, and it’s exactly what Justin said. It should rarely be changed, if ever. This is your management’s intent, and this is what the intent is across the organization. So, employees shouldn’t have the option to opt out of a manager’s intent or the board’s intent. What they should be able to opt out is the controls that you apply to adhere to that intent. That’s where you typically see your exceptions, and now you’re talking more on the standards side. So, on the standards, if you’ve noticed, yes, you can have an exception to a standard, you can have compensating controls to a standard, and you can still be adhering to a policy. You’re just not conforming to the rules or the structure that was built into the standard. And that’s typically where you see the exceptions.
But if you are seeing exceptions in your policy, one of two things is occurring. Either A, you had the wrong person write it because they are bringing controls that are essentially bypassable into your policy, or B, the way that the policy has been historically written is really just being used as a hammer. If you’re not following this, we can terminate you. Therefore, let’s fit as much as we can into there. And then, of course, you should anticipate exceptions to that. So, a really well-written policy should rarely, if ever, have an exception associated to a policy.
Sponsor – SecurityPal AI
13:00.245
[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, and that is SecurityPal AI. Now, I’m going to start with a little bit of an origin story here. Founder and CEO, Pukar Hamal, was about to close the biggest deal of his then-startup, not SecurityPal AI, when all of a sudden, kaboom, a 200-page security questionnaire landed in his inbox. While depressing at the moment, it inspired SecurityPal AI. Why? Because he was facing something a lot of companies face. Companies waste thousands of hours and millions of dollars on security assurance requests while juggling GDPR, FedRAMP, DORA, NIS2, the AI Act, and a lot more. If you’re a CISO, CIO, or GRC exec, you know these headaches. Three-hundred questionnaire reviews that stall deals, compliance requests that snowball, vendor approvals that grind to a halt. But don’t worry. SecurityPal AI, and their adorable Himalayan mascot, the Security Yeti, huh? They’re on the case.
SecurityPal AI solves that with a blend of fast, accurate AI, and a global team of certified security and GRC experts. You get 24/7 coverage, enterprise-grade precision, and turnaround times in hours, not weeks. Whether you’re handling outbound questionnaires, inbound reviews, or third-party risk management, they eliminate the friction so your teams can focus on growth. Forbes featured them. Fast Company called them one of the most innovative AI companies of 2025. If you’re ready to eliminate friction and win trust faster, you got to go to their website. Go to securitypal.ai. When you go there, let them know you found out about them from the CISO Series.
What needs to be considered?
14:58.027
[David Spark] Tiana Tew of Cadence Bank said, “Yes, attestation is important for awareness. However, without a true understanding of a policy, it will not be adhered to. I’m not sure how different organizations have teammates attest, but how many folks are actually reading before marking it as read? I believe interactive training would be beneficial. We need to move away from the compliance checkbox and truly focus on security.” I think that probably gets into the whole aspect of how you’re doing the training or how you’re bringing the policy on board. Merrill Albert of Merrill Albert Data Consulting said, “Policies without comprehension are just paperwork. The thing that bothers me is when companies create policies because an audit told them to, but they really don’t care about anything other than checking a box. If the auditors come back and see that they now have a policy, they really didn’t dig deep enough into the issue.” So, I want to get into this whole thing of comprehension, Eddie, in that you need to communicate why the policy exists because, correct me if I’m wrong, people just don’t do things because they’re told to do it, do they?
[Edward Contreras] If you think about it, David, and I know you’ve worked in corporate America for some time now, how often when we used to go into the building, you would walk around and you would see a compliance training video in the background while someone’s doing another task?
[David Spark] [Laughter]
[Edward Contreras] And usually that is the video that is teaching them about a policy.
[David Spark] Yeah, yeah, yeah.
[Edward Contreras] So, I agree with what Tiana’s saying is you do have to create the learning environment that keeps the employee engaged without them just turning on the video, letting it run in the background, 30 seconds are up or however long that video is, and then all of a sudden, they’ve completed the task. Interactivity helps. It gets you to the point where you know they’re still there. Maybe even pauses where they just have to click “Continue” to go to the next segment. Something that shows that they’re engaged and something that can capture the acknowledgement afterwards is helpful. But I do agree. If you’re just doing it for compliance, check the box and, yeah, you can get out of audit jail, that’s fine. But if you’re trying to teach people about policy and if you really want them to understand why you’re doing this, your training shouldn’t be how to read the policy. It should really be about what goes wrong if you don’t do it. What can be the ramifications? And keep people engaged.
In the financial sector, we have what’s called the BSA, the Bank Secrecy Act, and failure to comply with this could lead to a fine, it could lead to termination, and it can lead to jail time. And so, failure to comply with that expectation is significant, and I would really hope that most employees, when they hear that, they put down whatever they’re doing and say, “Wait a minute, what did that say?” There are ways to keep the employees engaged. Maybe not with a pencil or a rod or a carrot, but a mixture of all three maybe.
[David Spark] So, I’m going to ask you the same question about comprehension, Justin. And also, let me add to that: there also have to be refreshers too, because comprehension can slide or people let things go after a while. I mean, what do you see in terms of what works for comprehension and what turns into actual activity?
[Justin Berman] Maybe this’ll sound like a hot take or a take from tech that’s disconnected from the way a lot of large organizations need to operate, but my belief is that first and foremost, it’s understandable to me that I want to write policy, I want to define my program, I want to define the like goals, etc., and separate them into standards. None of what Eddie said before about that changes. However, I want to implement technical and process controls that create the guardrails such that I don’t care if people comprehend. The majority of people comprehend the majority of policy. The average person is hired not to follow policy, but to accomplish a bunch of business outcomes, and the policy is at most a, like, extra set of work they have to keep going in the background.
An example of this that is, like, very near and dear to my heart is I think the way we teach about stopping phishing by testing our employees is nonsensical. At best, it slows down the rate of failures of employees. And I’ve watched people that passed the phishing check get caught by smart bad guys over and over again in my career. And it is just disconnected from reality. The reality is people have to use email to do their jobs. Some people have to take an email from outside of the company to do their job well. And you can’t just hammer them and say, “Catch the bad guys,” over and over again. It is much more the engineering, IT, security, whoever at your organization’s job to make it harder for bad guys to land bad email in the inbox.
And then for the subset of policies which really rely on human decision making, like you have an interpretation to make because there isn’t a way I can guardrail you into making the right decision. That’s where I think I would focus my time and attention on policy that goes beyond the checkbox you’re required to do this training every year. Like a good example of this is as much as most people hate it, a lot of HR-oriented policy stuff is about the fact that managers have to make choices in the moment. And if you don’t know, for example, what it can look like to commit microaggressions against a protected class, and that’s where the company could be liable because of word choice that you made, then you’re much more likely to make those. And if you’re a caring manager who’s been taught what it can look like, then you’re much less likely to make those mistakes.
First of all, let’s reduce ourselves to the subset of policy where I really need decision-making thought and guidance for people. And then since you asked the question about reinforcement, I’m an advocate of focus on finding the places where people made mistakes and then design customized learning for those moments. I think Eddie already covered the like more interactive, more consequence, more like explaining the impacts of not following it. So, if you’re going to retrain, retrain where people make the mistakes with an eye towards helping them learn from those mistakes, calling them in from those mistakes, and not just making them rewatch the same video that you made them watch at the beginning of the year. Anyway. Again, from a checkbox perspective, of course you have to make people rewatch things to be able to like meet certain obligations.
[Edward Contreras] And to add to what Justin said, and I like what he said about transparency, right? A lot of these controls should be fairly transparent to the employee. So, if you have a very well-written policy and you train on the controls and how to manage the controls, they may not even have to care about, am I adhering to that policy? So, in just an example, if you say, “We will not have a hostile work environment, that is our policy.” And then your controls are, we’re going to pick up on certain derogatory terms and we’re going to omit those terms from being added into any type of emails or any type of Word documents. And then the guidelines to your technologist are you can use anything within these parameters and provide that back to the employee. Now, all of a sudden, they’re not really focusing on the policy. They’re just, “Okay, let’s do our business. Let’s do what we were hired for.” And they’re staying within those guide rails. And that’s kind of how you daisy chain those documents together.
What’s most important?
22:29.338
[David Spark] Sara Tumpek of Decathlon Austria said, “Much more important than the controls are the measures to ensure that the teams actually understand the guidelines. Yesterday, I held three different training sessions for our teams. It was amazing to see my colleagues experiencing real ‘Wow!’ moments. I truly believe that hands-on training with real-life examples creates the best awareness in day-to-day business. I always use my trainings for creating bridges to and between the teams in order to help and support them in the best possible way.” Say, have either of you ever seen a trainer that’s so unbelievably good in that they create examples and workshops and little things that are like, “Oh, my God. This is so sticky. I can’t ever forget that.” And there’s kind of an awe of someone who is that good a trainer. Justin, have you seen that?
[Justin Berman] I mean, I think we did this really well in a couple of organizations where I’ve had the pleasure of building up security from the ground up. And I was employee 60 at Flatiron Health and part of how we drove HIPAA training home and made it real and meaningful to people is the following. We took the news of real examples of the impact of health data loss on humans in the world, and then we spent a lot more time in that conversation. Which, by the way, was a live training, not like an over Zoom thing. But what we found is that once you start relating the impact to something that the people on the other side care about, and yes, you can use fear like fear of job loss, etc., but like more interesting for a healthcare professional is like, oh, people’s health was worse, or people suffered as a result of this data loss. You’ve suddenly transformed and humanized this thing into a thing that people deeply give a lot of effort to and care about.
And what we found culturally at Flatiron as a result was that people were coming to us perhaps even more paranoid than they need to be, “Oh, is this okay? Is this HIPAA okay? Is this not? Are we doing the wrong thing here?” Which, a security team, super useful to have an engaged workforce, but the engagement came out of showing them an impact that they could really relate to that wasn’t just a company that makes many billions of dollars makes $10 less or suffers a million dollars of fine or something like that, which is very disconnected from the day-to-day of most people’s life.
[David Spark] Eddie, what about you in terms of seeing when training really hits home?
[Edward Contreras] I’m going to acknowledge one of our trainers at my current employment, and she’s phenomenal. When we register for a class, she looks at the attendees that are coming in. She understands the business unit they’re coming from. She knows which level they’re at. And then when you get into the class, she personalizes the content. Her name’s Veronica. She’s a phenomenal person. It was so amazing to watch her take what I’m sure is cookie-cutter content and personalize it specifically to different people in the room. And so, she’s applying a theory to a management or non-management level, to a customer service-oriented position or an operational position, and she was making it relevant. And she made it to the point where she was able to not only bring relevance, but personalization to the experience.
And when you talk about remembering training concepts, there’s no better way when you think, well, that training was actually built for me. And even though 90% of that content probably is cookie-cutter that she gives three times a week or how often she gives it, you really walk away from that interaction as, “That content was actually meant for me.” And I appreciate that. So, I think the way that she does that, and she’s one of many really good trainers out there, if you know how to do that and you can make your information stick to somebody because you’ve personalized it, I think that’s where they come to you more often as opposed to them seeking you out saying, “Hey, come back for more training.” And it’s really interesting. She’s booked up all the time months in advance with managers saying, “We’d love to get back in front of you with there’s more content we want.” So, you can tell a good trainer by how far out their calendar’s filled out.
[David Spark] That’s a really, really good sign. Yeah. I’ll throw this out to both of you, I want your take, is that when I worked in television and we were explaining concepts in technology, there was this obsession. Again, it was television, I should mention, that’s very much a visual medium. But there was this feeling of, “How can we represent this visually?” And not necessarily charts and graphs and just showing a screen, but can we create something physical to represent this? Like is there a desire to represent things in different ways? Like, “Imagine if you were in this situation.” Do you ever kind of run into this? Or have you seen the trainers do this?
[Edward Contreras] Yeah, we’ve seen that. I’ve seen that in a lot of instances. I think back when I used to live in the Bay Area, a lot of times our training groups would get very creative. And of course, they had a fairly large budget. And so, they would try things that were different than the normal trainer would try with actual objects in the room. They would try with posters that are up or even marketing campaigns. They worked really well with internal communications groups. And so, you can tell that not only did they know their craft, but they were proud of it. And they would bring in all these types of resources with them. And it’s kind of to your point, David. They wanted interaction, not just read the book or flip on the screen, but it was more if you’re interacting with the person and they’re interacting with you, then most likely the concept’s going to stay a little bit longer. So, I’ve seen that happen a lot.
[Justin Berman] I think I echo this. The example that always sticks in my mind comes from many years of doing application-oriented security work, both as a consultant and otherwise. And the thing that sticks the best for actually teaching developers to not make the same mistakes was much more the, like, have them actively build a thing that’s vulnerable, break the thing that’s vulnerable in the way that it is vulnerable, and then fix it. And those developers so rarely ever repeat the mistakes. And that to me is, it’s a little bit more of the standards, I guess, version of this or the controls version of this, but it is ultimately like we don’t want this policy of we won’t have certain kinds of vulnerabilities or certain severities, whatever, but it’s grounded in their day-to-day. This is how you do that thing. Making it as practical in its application as possible is part of what I’ve seen great training or trainers do, which maybe is sort of similar to what Eddie was saying previously as well.
The one last thing I’ll say, try to be really quick about, I think the thing that neither one of us has said but is deeply valuable to making training relevant is never waste a good crisis. Every time there’s a meaningful event, whether it’s an external to your company event, certainly if it’s an internal to your company event, once you’ve gotten whatever redaction, sign off, legal approvals, etc., to talk about it, it is incredibly useful to say like, “This policy exists for a reason. Here’s why. Here’s the bad thing that happened and this is what happened to the company as a result,” very directly. I do think it’s important to take advantage of those moments as focusing moments where the organization is more open to hearing about it because something real did happen, it’s not a theoretical in that moment, and so often, risk teams deal in theoretical protection because we’re trying to avoid the bad thing from ever happening ideally.
[David Spark] But I’m sure also the two of you hear this all the time, some huge hack happens, it hits the New York Times, it hits the Wall Street Journal, and somebody from the C-suite comes up to you and says, “Could this happen to us?” And this is what you’re just saying is perfect time to educate about essentially a tragedy of some sort.
Closing
30:32.196
[David Spark] We’ve come to the point where I’m going to ask both of you, and I’ll start with you, Justin, which quote was your favorite and why?
[Justin Berman] I think the – sorry, I’m going to butcher this name – but Aysun Güneren, I think, “Policy needs to have controls in place.” I think I’ve seen too many times people write beautiful policy suites and end up not spending enough time on actually creating the standards level below that and the actual implementation of those standards and the programs which actually have to run in order to make those things real. And so, to me, I don’t care about writing… Part of the reason I’m always a bottom-up policy writer is because I don’t care about writing policies about things that we’re never going to do anything about. It’s just like a waste of time. It actually exposes you to different kinds of risk. If you write a policy saying you’re going to do something and then don’t actually do anything about it, that’s a whole different reason. For me, it’s like I am a builder ultimately at heart. I come from an engineering background. I like want to solve the problem. And so, that quote speaks to me. The like implementation or execution, if you will, is 99% of the problem.
[David Spark] All right, Eddie, I throw this to you. Your favorite quote and why?
[Edward Contreras] Sara Tumpek is my favorite quote, and it’s really the first part, “Much more important than the controls are the measures.” And I think if you can understand, is your message being received? Is your doctrine being understood? And if you can, can you measure that? So, I think maybe even to Justin’s point, all the documents that you write, great. You might have novelists, you might have legal theorists, you might have a lot of people there that create really amazing documents. But if it’s not resonating and you can’t measure how impactful that document is, then really, what’s the point? So, I really like Sara’s quote.
[David Spark] Very good. Well, that brings us to the very end of this episode. Huge thanks to our sponsor, SecurityPal.ai. Remember, go to the website securitypal.ai for help in your GRC efforts, especially these last-minute requests that come in, the, “Geez, I can’t handle this. I don’t know about these laws and all this kind of stuff.” Guess what? They’re the experts and their AI tools can do it all a lot better. Go check them out. And when you do, let them know you found out about them from the CISO Series. I want to thank my co-host, that’s Eddie Contreras, and also my guest, Justin Berman. Thank you both very, very much. This was a phenomenal discussion. I think we sort of unraveled a lot of stuff here. And to our audience, I always have to say, we greatly appreciate your contributions and for listening to Defense in Depth. If you haven’t told at least three of your friends about the show, go do that now. Thank you.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.