Is cybersecurity a communication problem at its core? If communication is so critical in cybersecurity, why do we keep seeing so many failures?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Jim Bowie, CISO, Tampa General Hospital.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, SeeMetrics
Ready to automate your security programs? start connecting your environment at seemetrics.co
Full Transcript
Intro
0:00.000
[David Spark] Is cybersecurity a communication problem at its core? Everyone would agree that communication is critical in cybersecurity. So, why do we keep seeing so many failures?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series and joining me is my co-host. Why, it’s Geoff Belknap. Geoff, say hello to the friendly audience.
[Geoff Belknap] Hello, friendly audience and David.
[David Spark] Hold it. Wait, I’m not part of, well, I’m not the audience.
[Geoff Belknap] You’re not the audience.
[David Spark] You said it like I’m outside of the… I’m not part of the friendly group.
[Geoff Belknap] I’m always trying to other you. It’s my hobby and mission in life.
[David Spark] By the way, if you are not a part of the friendly audience, please message me and let me know and say, “I’m the unfriendly audience,” because I’d like to know who you are. I’m assuming most people are friendly.
[Geoff Belknap] And let us know why you hate me.
[David Spark] Well, we didn’t say that they hate you specifically, Geoff.
[Geoff Belknap] Well, I mean, if they’re not friendly, what else could it be, David?
[David Spark] There are other reasons to be unfriendly and doesn’t require them to hate Geoff Belknap.
[Geoff Belknap] What a great start to the show.
[David Spark] Yes. You know it’s going to be a good episode. On communication too. Our sponsor for today’s episode is SeeMetrics. Measure everything so you can build your own story. Yes, that’s what SeeMetrics helps you do, and we’re going to be talking about exactly that a little bit later in the show.
Let’s get to today’s topic at hand, Geoff. The communication hurdles in cybersecurity are considerable. This ranges from cybersecurity practitioners’ struggle to translate technical risk conversation into something the business can process, vendors not being clear on what they are trying to solve, and the industry’s overall failure to convey cyber risk to the media.
Cyber is a communications problem, pointed out Ross Haleliuk, who is the author of Cyber for Builders, in a recent LinkedIn post. And by the way, if you’re not following Ross, I highly recommend it. This guy’s pretty bright and posts some really, really intelligent stuff. So, Geoff, I mean, it was just a really interesting thing.
He just said it’s all communications. Geoff, do you agree with the statement? And can we boil all our problems down to just poor communications?
[Geoff Belknap] No, but is one of the largest challenges in cybersecurity that people do not put enough energy in communications? Yes, absolutely. Ross hits it out of the park, as always. Cybersecurity came from this place where everybody just assumed it was an engineering problem, and certainly there is a lot to solve with engineering.
But talking to people about the problem, especially people who aren’t engineers, is incredibly difficult, especially for engineers. So I can’t wait to get into this with our guest.
[David Spark] And I’m very excited to have our guest. He is actually the CISO of the Tampa General Hospital, none other than Jim Bowie. Jim, thank you so much for joining us.
[Jim Bowie] Thank you. It’s good to be here.
What kind of experience do you need?
3:02.181
[David Spark] Erik Bloch said, “Startups need help with messaging that resonates with the operators they want to get through to. So, senior leaders need to talk to the language of the business.” We hear that a lot. “Experience is the only solution I’ve come up with. Fail enough times and you eventually figure it out.” So, you communicate through constant failure.
Some pretty good advice there. Garry Kolb said, “Drop the cybersecurity babble and speak in terms that resonate with the business leaders. For example, stop talking about threats. They don’t care about them. How are the threats a risk to the business, and not some pie-in-the-sky risk, but a real definable risk that has business impact?
Then you can help them understand that cybersecurity is really an integral part of the business and can possibly affect the bottom line. Sadly, our industry is slow to move towards that model. So, some really good examples from Erik, all the different things. And Garry just saying we just need to communicate why this is important to the business.
I mean, we’ve talked enough about this, Geoff, haven’t we?
[Geoff Belknap] I feel like this entire podcast is based on this concept. And look, I think Erik makes a great point here that I echo regularly to anyone who will listen, which is success is a terrible teacher, but failure, you will learn something from that every single time. Now, in this case, I would say failure to communicate gives you a lot less chances to learn because often if you fail to communicate effectively, people are less interested in communicating with you.
Especially if you fail spectacularly. They would probably not want to speak to you again.
And I think this is one of those things that I want to be clear here, especially because I know a lot of our best listeners are in the information security solution space. But a lot of the problem here is generated by people marketing cybersecurity solutions to people like Jim and I, who do need to hear about them in technical cyber babble terms, it is useful to us.
However because a lot of money gets spent in driving that communication about cybersecurity products, people tend to think that’s how you should talk to everybody about cybersecurity problems, and that is not the case. When you talk to a board member, for example, Garry is exactly right here, you need to be able to do a translation between what is that really hard technical problem that you’re solving, and why does it matter to anybody who’s not solving that really hard technical problem?
And you have to understand that maybe solving technical problems does not have the business impact that you think it does. You have to really constantly be thinking in that business logic, and it’s a difficult skill to learn, but it’s a skill you can learn, and you can practice, and we can all get better.
[David Spark] So, I’m going to quote before I toss it to you, Jim, I’m going to quote our other co-host on the show. And that’s Steve Zalewski, who says repeatedly, referring to exactly what you just said, Geoff, when he worked for Levi Strauss, his comment to all the vendors was, “How does this help me sell more jeans?” And if you can boil that down to that, then you’ll make a win.
So, I throw this to you, Jim. I mean, I’m assuming you work in a hospital. How does this help the safety and security of my patients? Yes?
[Jim Bowie] It’s a little bit of an easier sell on the healthcare side because downtimes do affect mortality rates. There was a recent study about that. So, I have it a little easier on that front. However…
[David Spark] Yeah, it’s more than that. Ah, it’s life or death. Yes.
[Jim Bowie] But that being said, for some reason, healthcare cybersecurity spending is one of the lowest across all the industries, right? At I think 8% versus the industry average is like 11.6%. And so the reason for that is, again, I think communication. If you’re talking to all my peers that are other healthcare CISOs, I think a good cyber program that is well-funded, well-staffed, has the tools they need, and a poor one, the difference is going to be how well they communicate to the business why they need what they need.
And if you just go in there with no bots, and like we said earlier, you’re sitting in the closet as an engineer pecking away at a keyboard, and you can’t translate that to, “Hi, if you give me this, I can save you from this much downtime.”
[David Spark] What is the situation you’re dealing with then when you’re…not looking at it as a profit center, I guess?
[Jim Bowie] So, you’re looking at it from a, if we’re down, people are going to get hurt, and how do we save the organization from having a downtime? That’s really what it comes down to. And the longer you’re down, the more likely someone is to get hurt. And if you can communicate to the business that X number of minutes of downtime, or X number of minutes of exposure to a threat actor, or a cyber attack, equals X number of lives saved, or X number of…and if you want to talk to the lawyers about it, X number of lawsuits that you don’t have to deal with, you end up getting more funding that way.
[Geoff Belknap] I just want to highlight because I think this is so, so important, especially in Jim’s world, where unlike some of us, it’s not all about money. Sometimes it’s not just about making money or losing money. It’s about something else that’s really important to business, in this case, patient outcomes.
And this is where when we have this conversation, sometimes people miss the point. It’s not about translating hacks into things that will cost you to replace them. It’s about translating the risk that you’re trying to protect against to things that matter to the people that are not technical people, that are not engineers.
And that is not always just money. It’s a great point, Jim.
What must a security leader be able to do?
8:33.236
[David Spark] Yakir Golan of Kovrr said, “So many of us have been isolated in the technical realm in our respective niches for too long. On the bright side, cybersecurity professionals have undoubtedly begun to recognize the limitation and started investing in ways to expand our communication skills, understanding that it’s going to lead to both professional and broader business success.
Labeling communication as a ‘soft’ skill has framed it as less important than its hard counterparts, but that couldn’t be further from the truth.” I love that last line.
And Frederick Carlson, Bureau of Economic Analysis for the U.S. Department of Commerce, said, “There is a communication breakdown on both sides. The cybersecurity folks don’t communicate well, and the people they are trying to communicate to mostly do not want to deal with this issue. You have a poor storyteller with a constantly shifting story, talking to people who absolutely have every interest to keep the wicked problem bottled up and away from them at all costs.
The good news, it will be fixed because it has to be.” Jim, I love that quote too as well. It goes back to that line of nobody wants to talk to security because they always feel that anything we come to talk to them about, they’re not going to want to hear. Do you, by the way, still feel that, or do you feel we’re moving away from that?
[Jim Bowie] No, I still feel it. It’s getting better with, we can get into it with Change Healthcare that brought down the ability for one-third of the hospitals across the nation to earn money when it went down because of a cyber attack, right? That got everybody’s attention real quick and got me in front of the entire leadership for the organization to give a brief.
But I have to go back to the first part or the first quote you sent. I’ve always said to my teams, charisma is not a dump stat if you want to get nerdy on it, right, in cybersecurity. We are engineers, we are technical, and by technical, I don’t just mean cyber ops, I mean GRC, I mean training, education, identity.
It’s a technical role. You need to know a lot of things in a lot of areas. But if you can’t communicate that, if you don’t have the rizz, as kids call it, or my kids would tell me, and they would roll their eyes.
[David Spark] I learned it from my kids too, by the way.
[Jim Bowie] If you don’t have that, you’re not going to get what you need. You’re not going to be able to have a successful program. They’re not going to understand why you need what you need, going back to what we were talking to you originally. You have got to be able to communicate. And you can develop it.
It’s not something you’re born with. You just got to get used to speaking to people. You got to get in front of people, go to engagements, go to the conferences, give a talk, pick something. That’s what I encourage my teams to do, and it’s paid in spades in our engagement with the community here, with my organization.
[David Spark] All right, Geoff. There are two thoughts here. One is, is soft skill being treated with more precedence or more importance? And also, this whole thing that Frederick brought up of nobody wants to talk to us in cyber. These are two critical issues here.
[Geoff Belknap] I think Jim brings up a fantastic point, which is our goal should be for each of us to become the cyber rizzler and to be able to communicate effectively to people. And it is, I think this just gets to, and I’m going to keep hammering this point home, yeah, there’s soft skills and there’s hard skills, if that’s how you choose to identify them.
But the most important thing to keep in mind is that cybersecurity is not just one or the other. This is where we always talk about, especially when we talk about diversity and technology, information security and cybersecurity is the place where you need diversity. You need people that have hard skills.
You need really strong hard skills. You need people that have really, really strong capabilities on the soft skill or the communications and sort of diplomacy and politics side. You need people that need to understand various different parts of these really complicated problems, both politically from a policy perspective, legislatively, regulatory.
And you need to be able to translate those things into technology solutions for the most part that you can build and scale out for your organization.
The only way that’s going to get solved is if you can do both of those things equally as well. And if you suffer at each of those, if you’re really, really great at communicating, but you stink at implementing technology, you are going to be just as bad as if you are the world’s best technical expert in cybersecurity and you cannot communicate about it to save your life.
Both outcomes are going to be about equal.
[David Spark] Can I throw an argument here, Geoff?
[Geoff Belknap] Please.
[David Spark] But at your level, as CISO, how many technical implementations are you doing directly? Can’t you let that slide? I mean, I hear a lot of CISOs that say, “I do definitely do not have the skills my staff have anymore.”
[Geoff Belknap] Oh, that’s a fantastic point, and thank you for not letting me go on that. What I mean is your team, the people working in your security program, you need to have equal amounts of those skills. You cannot just stat dump to one. And frankly, to steal from Jim, you can’t stat dump into just one.
My job, and we have this conversation a lot I find, especially with newer engineers, my job as CISO is not to be the best security person on the team. In fact, I assure you that has never been the case of any security program I’ve worked in. I’ve never been the best. But my job is different. It’s to be that translation layer between the more technical folks and the business folks.
It’s to focus there. That’s where my stats are highest. But I have to have some technical skill to really do that. And so I think it is important to have both, and it’s important to have both in your team in spades.
Sponsor – SeeMetrics
14:10.566
[David Spark] Before I go any further, I do want to tell you about our absolutely awesome sponsor, and that is SeeMetrics. Now, if you haven’t heard them on one of our shows before, let me explain. SeeMetrics automates metrics programs, transforming silo data from across your entire security stack. Now, successful exposure management must capture the full context.
And that’s exactly what SeeMetrics is doing. So, no more siloed or static data, no more huge investment or time and money in data ingestion. Oh, that can be, we know, very expensive. With SeeMetrics though, you instantly get to see the entire panorama as well as the details. So, you prioritize risk, and you reduce exposure proactively, efficiently, and at scale.
You enforce policies, goals, and strategies on an ongoing basis and maximize efficiency with one data source for multiple outputs.
So, if you’d like to free up your subject matter experts’ time from manual data collection, well, they shouldn’t be doing that. So, plug into SeeMetrics and get started on measuring your organization. SeeMetrics provides dozens of templates to measure risks, threats, security programs, and projects, and it’s all based on the same data set.
So, let’s say a new threat is trending. Boom, you can easily create your own new custom board to see into the relevant controls around that specific threat. How are we protecting ourselves from that specific threat? I know that comes up in meetings. Well, you got a story to tell about that. Ready to elevate your metrics program?
Just go to their site. It’s SeeMetrics.co. If you go .com, you’ve gone too far, SeeMetrics.co.
Why is this so darn hard?
16:16.405
[David Spark] Ahmed Abbas of Digital Macro Strategy Corporation said, “There’s now international recognition that it is businesses refusing to accept the cost of cybersecurity issues, where they can profit from the vulnerabilities also, and that it is also recognized that the cybersecurity issues are well communicated and understood.
That’s why we now have directors personally liable if they pretend at a court not to understand cybersecurity.” So, you legally need to know what the heck’s going on. Arian J. Evans of Amazon said, “The majority of a business focuses on growth optimization and a subset on risk mitigation. Those who focus on risk exclusively often lack the language and perspective to map their views up into the larger business growth perspectives.” I reference the, “How does this sell more jeans?” So, “This is assuming the business actually cares about risk mitigation.
Many don’t.” I’d argue with that. “But risk/security is simply a checkbox, a sucking black hole in the budget and an officer to blame later.” Oh, Arian has a lot of negative views here. I see. All right. I’ll let you, Jim, take on this one. What do you think?
[Jim Bowie] I think he’s right, or whoever that was is right for 5 or 10 years ago, but I think in the last 3 or 4 years with the risk that is associated with a successful ransomware attack or a cyber attack or extortion, you’re seeing companies come more in line with understanding that they need a cybersecurity program, and it’s not just a checkbox anymore.
You’re also going to see, I think it was last year that insurance rates, cyber insurance rates were through the roof, right? Because they didn’t have X, Y, Z factors. So, to that point, again, it is about checking boxes, but it’s the right boxes with having a good cybersecurity program, with having all the best practices in line.
And if the businesses realize that by doing that, they can avoid or mitigate more risk and reduce their costs at the same time, you’re going to get more successful implementations.
[David Spark] I think that’s interesting you said 5, 10 years ago. I’ll ask you, Geoff, do you feel there has been a significant upswing in sort of looking at security as managing risk? Like when do you think it was taken as not managing risk, and when do you think the shift began to happen? Because I kind of agree with that.
We did not have risk conversations, I’ll safely say 10 years ago, or I don’t feel we did.
[Geoff Belknap] You know, I don’t disagree. I think this is exactly to the point that we’re talking about. The language has evolved. We were always having risk conversations. Even back, gosh, I think one of my first tech jobs in a year that started with 19. We’re not going to go any further than that.
I installed very early on a firewall for an organization. It was a law firm that was connected to the internet. That’s a risk mitigation technique. They weren’t doing it because they thought it was cool. They weren’t spending the extra money because they thought it was neat. They were doing it because they understood there were risks and this is how you mitigate them.
I think then, like now, we sort of understood that intrinsically. But now we have language and sort of a shared terminology to discuss that.
I also think, sort of to either Ahmed or Mr. Evans’ thoughts here, I don’t know that businesses didn’t accept or didn’t want to engage on risk. I do know that the skill level of people like Jim and I, being able to communicate about risk in terms businesspeople understand, has dramatically improved over the last decade or two.
And I think it was very easy to be an engineer or a system administrator or a technologist 15 years ago trying to communicate to a CEO and going, “This guy just doesn’t care. He just doesn’t care.” The reality is nobody wants their business to be potentially at perilous risk, but if they don’t understand what you’re talking about, if they’ve never heard of this thing or ever seen the movie Hackers, it’s really hard for them to relate.
Well, now a lot of people have seen that very much up close and sort of get it, and you have to do a lot less work to communicate that to them. You still have to work hard at the skill, but it takes a lot less context setting.
[Jim Bowie] So, it sounds like we got better at communication.
[David Spark] Well, this is where, the moment I think it happened. I think the moment it happened is when these cyber attacks, which we’ve had for many, many, many years, they started to break in the New York Times and the Wall Street Journal. They were not breaking in the trades. They’re breaking in the big [Inaudible 00:20:58], and that’s where the business leaders are reading it, and they go, “Hey, what is this about this cyber attack?
What do I need to know about this?” And all of a sudden they started to care. And what I found the trade started to do at this point was instead of breaking the news, they were making context of these cyber attacks. Because, the general mainstream newspapers weren’t going in depth like the trades were at that time.
And that’s why I think it happened.
[Geoff Belknap] Yeah, look, I mean, Operation Aurora, many, many years ago at this point, spawned a lot of modern approaches to this thing, but it also spawned people talking about it in the Wall Street Journal, in the New York Times, and the mainstream press. And now it is covered like a normal beat.
I mean, there are people who would otherwise be covering national security or sort of domestic politics that are covering cybersecurity with the same professionalism.
[David Spark] And I should also point out that the role of CISO has been around we could say 20 years, but there weren’t that many 20 years ago, maybe 10 to 15 really is what we’re looking, in terms of a population of CISOs, if you will. Yeah, so the role of the person communicating to the business hasn’t existed that long.
Jim?
[Jim Bowie] No, I agree. And actually, I think it plays to exactly what we were talking about in the last decade or so. Actually, I’m trying to remember the exact attack it was that I remember hitting, like you said, the Wall Street Journal, New York Times, and then my CIO coming and saying, “Hey, what is this?” And I’m like, “Oh, I should have gotten ahead of you on that.” And so I had to start because I know you all know this…
[David Spark] Because you were reading the trades, and they didn’t get it.
[Jim Bowie] Exactly. All I tell my boss now, like, “Hey, you’re going to see this in the papers in three or four days. We’re okay. It’s not affecting us,” right? And so then it hits and he’s like, “We’re good.” So, I think it’s a very good point. I think the news cycles picking up on it made a big deal.
And I don’t know if that would be WannaCry or if that would have been whatever massive event it was. When it finally started hitting everybody’s personal lives is probably when you started seeing national attention.
[David Spark] And thinking about roles, like the title of BISO, business information security officer, is even newer, and they are really designed for the communications.
How do we determine what’s most important?
23:08.614
Tom Schmitt, Anheuser-Busch InBev, https://www.linkedin.com/in/tschm/ “The problem isn’t the
ability to communicate, it’s the ability to persuade. They are different: the first is about clarity. The
second is about convincing others to take actions that may conflict with their own personal interest.
The best thing you can do to overcome the challenge is to find common interest, and then agree on the
problem. Beyond that, with rational parties who are honest, it’s just a matter of data delivering results
that close the gap on the problem.”
[David Spark] Tom Schmitt of Anheuser-Busch InBev said, “The problem isn’t the ability to communicate. It’s the ability to persuade.” Interesting. “They are different. The first is about clarity. The second is about convincing others to take actions that may conflict with their own personal interest.” I’ll argue that may or may not be good, but we’ll see.
Hold on. “The best thing you can do to overcome the challenge is to find common interests and then agree on the problem. I agree there. Beyond that, with rational parties who are honest, it’s just a matter of data delivering results that close the gap on the problem.” A very sound discussion here. Geoff, your thoughts on Tom’s comment here?
[Geoff Belknap] I couldn’t agree more. A friend of mine, Bob Lord, who’s at CISA now, who’s been a mentor of mine for many years, always made this point, and it resonated very clearly, which is communicating, talking to a board is easy. They’re just people. Influencing their thinking, landing a point with them, that’s challenging for people like us.
Because what they do is just as foreign sometimes to cybersecurity leaders as cybersecurity is to board leaders and board members. So, this is where it is just as important for somebody in one of these roles, in a security leadership role, to understand how the details of the technology organization or how cybersecurity technology works, as it is to understand how a business works, what marketing is, how to read a P&L or a balance sheet.
Because you need to understand the world through the lens of these people that are making business decisions to be able to really make that translation layer work. And I think that can be an easy common interest if you’re trying to talk to a businessperson and land things. But beyond that, there’s always layer eight, which is politics, religion, and sports, and if you can find out what their favorite golfer or sports team is, that’ll work in a pinch, too.
[David Spark] All right. I’m going to let you close this one out. Tom makes a really good point of persuasion is really the thing and about finding sort of common ground. I think it just goes into sort of overall relations of the CISO understanding the business, and the business understanding the value of cybersecurity.
And that doesn’t happen with a snap of the fingers, does it, Jim?
[Jim Bowie] No, it doesn’t. It’s empathy, right? It’s being able to understand why they’re struggling to understand what you’re trying to tell them is important. It’s understanding their needs too. I tell my team when they get offended, “Hey, we made a recommendation. They didn’t go with it.” And I’m like, “Team, you’ve got to understand where they’re coming from.
They have a business to run. We’re a part of that business, but we’re not the end-all, be-all, say-all. We just advise them on the risk, and we say, ‘Hey, if you do X, Y might happen. There’s a calculation there. You can still do X. We’re here to help.'” And if you don’t understand and empathize and make those relationships, you’re not going to be very successful.
The other part of that is to be able to empathize with someone, you need to have personality with them. You need to understand their drives, wants, needs, emotions, what’s driving them that day, if they’ve had a bad day. Maybe someone, if you’re close enough with them, maybe someone they know about is having a bad time or one of their loved ones is sick, that’s not the time to approach them for $5 million.
It’s about having that relationship and being able to empathize with people and feed off how their day’s going and what they’re going to need from you and knowing when to time things.
[David Spark] Excellent point.
Closing
26:49.903
[David Spark] Well, that brings us to the portion of the show where I like to ask both of you which quote was your favorite and why? And this episode was packed with a lot of really good quotes. So, I will start with you, Jim. Which quote was your favorite and why?
[Jim Bowie] Oh, my favorite quote was Tom Schmitt about persuasion being the actual skill we’re looking for, not communication. Because we could write a great technical manual on a great zero day or some hour analysis that’s not going to make the program successful. It’s cool, but it’s not going to convince the board to fund what you need.
So, it is that persuasion.
[David Spark] I love it. All right, Geoff, your favorite quote and why?
[Geoff Belknap] Boy, a high density of phenomenal insight and quotes here. But if I have to pick only one, I’m going to go with Ahmed Abbas. “There’s international recognition that it’s businesses refusing to accept the cost of cybersecurity issues, and it is also recognized that cybersecurity issues are well communicated and understood.” Well, I think while I disagree, I don’t think it’s strictly businesses refusing to accept it, but I understand that I think the point you’re trying to make here, Ahmed, is you are really only succeeding if the business understands the risk, and you are not a successful cybersecurity leader if you are failing at that.
And this is ultimately why people need to accept that there’s going to be liability, and part of that liability is making sure that the business hears from you and understands you on what the risk is.
[David Spark] And then that actually ties in, and I really like your comment about the team, Jim, that, “But they didn’t listen to us. They didn’t do the thing that we told them to do.” And he’s like, “But did they understand you? Did you communicate it? Did they get the risk? Then you succeeded.” I mean, right, that’s what it boils down to.
They still have to run their organization and run the business. Before the days of cyber, businesses ran different kinds of risks all the time.
[Jim Bowie] We’re just the latest add-on.
[David Spark] All right. Well, that brings us to the tail end of the show. I do want to thank our fantastic sponsor, SeeMetrics. Remember, go to their website, SeeMetrics.co. Go to that website and sign up for their free trial. Before we go on any further, I want to thank Geoff as always, and Jim, I’ll let you have the last word.
Are you actually hiring at Tampa General Hospital?
[Jim Bowie] We are not now. We will be hopefully October 1st, new fiscal year.
[David Spark] All right. Well, then if you would like to work, if you’re in the Tampa area… Do you take people outside of the Tampa area or you stay within the Tampa area?
[Jim Bowie] No, for the right person, we can work through that.
[David Spark] We can work through it. Well, if you’d like to work with an awesome person like him, you can start building the relationship now. Lay the groundwork now. Should come October and a great position open up, it could be yours because you’ve made a nice relationship and you communicated it well to Jim, Jim Bowie, who’s the CISO over at Tampa General Hospital.
Thank you, Geoff. Thank you, audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.