How does a CISO approach strategy as they become more comfortable in their role? Is a long-term strategy even possible for a new CISO?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Gaurav Kapil, CISO, Bread Financial.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[David Spark] How does a CISO go about strategy as they get more comfortable in their role? Is long-term strategy even possible for a new CISO?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. I’m David Spark, producer of the CISO Series. And joining me for this very episode is someone who doesn’t frequent this show that much, he’s been on it plenty of times before, but you’ll see why we brought him on for this specific episode. You’ve heard him before if you’re a fan of the CISO series.
It’s none other than Mike Johnson, CISO of Rivian. Mike, say hello to the audience.
[Mike Johnson] Hello, Defense in Depth audience. Glad to be here with you today.
[David Spark] I’m sure many of them are crossover and hear you over on CISO Series Podcasts as well.
[Mike Johnson] I hope so.
[David Spark] If you have not, you should be. Our sponsor for today’s episode is ThreatLocker, zero trust endpoint protection platform. More about ThreatLocker a little bit later in the show. Mike, the reason you’re on this episode is because we’re going to be talking about a LinkedIn post you put up that blew up, and I just want to say the majority of everyone’s comments are, “You were right, Mike.”
[Laughter]
[David Spark] Which I’m sure you like that.
[Mike Johnson] Well, that’s not why I post.
[David Spark] No, I know you don’t, but a lot of people did agree with you. So, let me tell you all what people were agreeing with, with Mike. Mike, you posted on LinkedIn that you didn’t feel comfortable creating a multi-year cybersecurity strategy until you had a few years in the CISO role under your belt.
So, here’s my question to you. So, when did you know you could create an effective long-term strategy and how far out should a new CISO even try to plan as they get comfortable with an organization?
[Mike Johnson] The reason why I put this out there was when I first joined Lyft as my first CISO role, did all this research, trying to get prepared, reading, talking with folks. There are so many CISO first 30-, 90-, 180-day guides, and all of them preach that you should have a strategy documented within 90 days, and so I felt pressured to do that.
And then I read more, and some were even, “You should have a multi-year strategy.” And again, without really understanding or knowing any better at the time, it’s like, “Yeah, okay. Yeah, I’ll go try and figure that out.” And then in hindsight, what I really have come to realize is that there’s many environments, maybe there’s a few that this works, but most environments, they move so fast, and the companies are moving fast, those horizons are very close to you, and it makes it really difficult to actually put together a long-term strategy.
Especially when you’re just joining a company, when you’re trying to figure out like where the bathrooms are.
[David Spark] That does not take 90 days, Mike. [Laughter]
[Mike Johnson] It doesn’t, but it might take you a few days.
[David Spark] Most people figure that out on day one. If you don’t, you’ve got a serious problem.
[Mike Johnson] You’d think. But then like, can you find the same one over and over again, I think is really the question there. So, it was really more of a putting that out there in a way to try and give folks a different opinion, that rushing into a strategy is not the right way to approach it.
[David Spark] Very, very good point. Well, we have a great CISO who I just saw recently at an event, and I’m thrilled to bring him on to this very episode. A fan of the show, first time on one of our shows, thrilled to have him on. He is the CISO over at Bread Financial, none other than Gaurav Kapil.
Gaurav, thank you so much for joining us.
[Gaurav Kapil] Great to be here. Thank you for having me on, David.
What do we have to do now? What can wait?
3:46.989
[David Spark] Michael Collins of Cyber Cognition said, “I’d agree you need three to six months to really understand the business and how it operates if you’re coming in fresh. Also depends on when you land in the budgeting/planning cycle.” That is a very good point. “Sometimes you need to pull together a quick and dirty short-term approach to meet corporate planning cycles.
Personally, within the first year, I’d be aiming for a three-year vision of where you want to be with a rolling annual plan, which may change based on a number of factors. The operating environment is too dynamic to be overly prescriptive beyond that. Finally, bring the leadership team and board along on the journey and make them aware of the dynamic environment and be prepared to pivot as required.”
And lastly, Jay Wilson, who’s the CISO of Insurity, said, “Providing a vision beyond that six-month horizon can be helpful. It’s a living vision like others have said, not static, but providing that to your peers and team members can inspire and also help other teams outside of the security team aspire to meet you many months, quarters down the line to help the company overall reach the tenets of that vision.” I kind of like what Jay said.
It’s like the benefit of having a plan is you can get people on board with something. Like, if you don’t have a plan, what does everyone sort of rally around, Mike?
[Mike Johnson] On the counter of that, vision is also something that you can rally around.
[David Spark] I think he used the word vision, not plan. Yes.
[Mike Johnson] Yes. And a vision and a plan are two different things, and I do agree that creating a vision, it’s something that generally can be pretty stable. It’s something that can be sustained over a long term. Even as the business changes underneath you, what type of program do you want to have?
How should other teams and leaders think about cybersecurity? How should they think about your team, the practice of cybersecurity? And that’s where vision can come into play. That gives you essentially your North Star, even as the underlying realities of the business change, and it’s those underlying realities that change that force you to readjust your plan.
The greater the specificity that you have, the more frequent you’re having to take a look at it and revisit what you should do next. But a vision is something that people can get on board with, they can understand, and they can rally behind.
[David Spark] That’s a good point. Gaurav?
[Gaurav Kapil] I agree with Mike and the comment that you shared to kick off the conversation, David. I think it all starts with a vision. If you don’t know where you’re going, chances of you getting there are impossible.
[David Spark] So, how do you communicate that vision to a team and to the partners and stuff? And you don’t have to be specific about what you’ve done, but how would that go? And use any example you would like.
[Gaurav Kapil] So, I think even though of us as CISOs, we’ve got a number of years of experience, of cyber experience under our belt, we’re kind of walking into a role we know what to do and what not to do. We’ve learned by experience. And over the last maybe decade, I’ve worked for a couple of different organizations.
The more I’ve transitioned from one organization to the other, some things remain the same and some things change, right? So, what those remain the same is the cornerstone of what your vision would look like, based on experience, based on leading practices, based on learnings from your peers. Even the academia, if you will.
The second part is that a cyber program is only effective if it’s aligned with business goals, right? So, you really got to spend a lot of time in understanding what the business is, how it does what it does, so when you’re building the cyber program, you’re actually tailoring that to the business itself, right?
So, to move into how do you really bring the organization along? It’s all about influence, and I think CISOs are not only subject matter experts in cyber, but they have to be great communicators, they have to be good relationship builders, and they have to be able to influence people. And you influence people by aligning with their ideas and their goals and translating that to within the program itself.
So, that’s one of the tactics I would say, is to really learn about the business and then tailor the cyber program along with it.
What are they doing wrong?
8:10.526
[David Spark] Vsevolod Shabad of BT Group said, “I doubt that any current strategy – business, IT, security, etc. – can be relevant in a three-year perspective. Internal, external factors like COVID, wars, quantum cryptography, AI advancements, etc. I believe it is better to follow a lean portfolio management approach and use a dynamic portfolio of risk-driven security initiatives instead of a solid multi-year security strategy, continuously adapting this portfolio to the current landscape.” And Greg Notch, who’s CISO over at Expel, said, “I am of the opinion that plans are basically wrong as soon as they are written, age like milk, and have error bars that increase exponentially on the time axis.
I’m however firmly in the Eisenhower camp of plans are useless, but planning is indispensable.” All right. I love these two quotes in that we’re talking about the need for the plans and they both argue that these are useless, but we still have to make them regardless. What do you think of that, Gaurav?
[Gaurav Kapil] I wouldn’t call them entirely useless, right? I mean, you got to be able to chart your path forward.
[David Spark] I was strong with that verbiage.
[Gaurav Kapil] Right. And I think that’s got three components to it, right? Leading back to my previous comment, there’s the leading practices that we need to build into the program. It’s like I would just talk about human health, right? I mean, how do you take care of yourself? You get up in the morning, you brush your teeth, and you take a shower, and you get ready, and that’s your basic hygiene practices that you follow.
So, similar to that, there’s cyber hygiene practices that you need to be following in terms of how you build a program up, what the framework looks like, what the plumbing looks like, what the interaction model looks like, what the engagement model looks like. All that good stuff needs to be there.
The second being is the world today, October of 2024, is very different from October of 2022 because ChatGPT had not knocked on anybody’s doors until November 2022. And now, two years later, we’re having a totally different cyber conversation. In a similar way [Phonetic 00:10:15], cyber world, the threat landscape continuously changes, and we need to be able to build the right structures, the right plans to be able to solve for the relevant and the current cyber threats landscape.
The third part being is we need to be agile. Businesses don’t do cyber for the sake of doing cyber. They do cyber so they can build the technology and provide the service or the product to be able to create revenue.
[David Spark] And cyber always has to adapt for the business, whatever is the need of the business.
[Gaurav Kapil] Absolutely, right? So, there has to be some big initiatives, big rocks that any business have, whether it is a startup that is a two-man army or a 500-person organization or a 5,000-person organization, there has to be some key strategic objectives, and cyber needs to build a program, build a plan that enable the successful and secure delivery of those initiatives.
So, I think it’s a three-part model where it’s a combination of your basic cyber hygiene, the right robust cyber program, threat landscape, your risk landscape, whether it is internal or external to the organization, and then of course, the big initiatives that any organization has to pursue to deliver on its goals.
[David Spark] All right. I throw this to you, Mike. What do you think of these quotes of the need to plan, even though all these plans are useless? Again, I’m being extreme there.
[Mike Johnson] I think what the point behind the quote of planning is critical is taking a look at all of your work, figuring out how to organize it, coming up with a structure so that you can then go do things in a systematic manner. That’s really what planning gets you. The plans themselves are going to change.
[David Spark] Let me ask you in the last, say, 5, 10 years of business, has any plan stayed consistent for a month?
[Gaurav Kapil] You wish.
[Mike Johnson] So, a month, perhaps. A quarter, things start getting maybe. Six months, a year, you’re getting out there. And it’s like Gaurav mentioned, the need to be agile is what’s important, and if you’re good at planning, you then can get good at adjusting those plans.
[David Spark] Let me double down on that. How does a security leader get good at being agile? What is that skill?
[Mike Johnson] Getting good at being agile, a lot of it comes down to how do you manage being frenetic? Like it’s very easy to just say, “Oh, well, we’re going to do this now. Oh, no, changed my mind. We’re going to do this now.” So, I think a lot of it comes down to managing change in a way that is not disruptive, and I think, frankly, it’s practice.
I don’t think it’s something that we as humans are innately good at. One recommendation would be to go take program management classes or project management classes. Those folks, their careers, their job is planning and managing plans and managing change and being good at agile. That’s an opportunity to learn.
[David Spark] You want to jump in, Gaurav, here?
[Gaurav Kapil] I just wanted to add something to what Mike said. Yes, change management is important, but I think more critically, we need to be good problem solvers and be able to quickly dissect the problem statement and create a tactical plan to solve. And at the same time, be able to be hyper good at being able to prioritize stuff, the right things at the right time.
If somebody asked me, “What does a CISO do?” I’m like, “Well, sometimes I’m a banker. Sometimes I’m a lawyer. Sometimes I’m a shoulder to cry on. Sometimes I’m a risk guy.” So, it really depends upon what the touch point or the meeting or the day is about. I think we really need to hone our skills of problem solving, critical thinking, and priority management.
Sponsor – ThreatLocker
14:01.850
[David Spark] Before I go on any further, I do want to tell you about our absolutely spectacular sponsor, and that would be ThreatLocker. Now, let me ask you a question. Do zero-day exploits and supply chain attacks keep you up at night? I don’t think they’re lulling you to sleep. Well, you don’t have to worry anymore because you can harden your security with ThreatLocker.
Imagine taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based support team.
Stop the exploitation of trusted applications within your organization, to keep you running efficiently and secure, protected from ransomware. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can manage unknown threats and ensure compliance for your organization, you got to go to their website, and that is threatlocker.com, and it’s spelled exactly the way it sounds, threatlocker.com.
How do we convince the C-Suite?
15:18.849
[David Spark] Chase Sutphin of Fortinet said, “I will say it is important to have that conversation early to set expectations with the CEO or CIO, depending on the reporting structure. They may expect to have something multi-year because their last CISO did it that way. So, during the hiring process, breaking this down and setting proper expectations that it will grow and mold the longer you are with the company stops them from feeling like you are just going with no long-term strategy.” And Donnie Hasseltine of Second Front Systems said, “It takes time to set the foundation and establish the culture, and every time you dig into an issue, you discover more that needs to be done, which can be overwhelming.” So, this is actually some interesting angles of, like, know what came before you and understand the culture.
Like, don’t just set your own agenda. You need to know what you’re dealing with. Mike?
[Mike Johnson] I think that expectation-setting is key. Knowing what you’ve gotten yourself into or getting yourself into.
[David Spark] And let me quickly ask you, in the different sort of CISO roles you’ve had, which now you’ve had three, was it a different sort of expectation levels in each one?
[Mike Johnson] For sure. When you join a company as their first CISO, they’re not quite sure what to expect.
[David Spark] So, you need to kind of tell them.
[Mike Johnson] Exactly.
[David Spark] Were you the first CISO over at Lyft?
[Mike Johnson] Yes.
[David Spark] And you were also the first time a CISO.
[Mike Johnson] Correct.
[David Spark] So, both of you didn’t know what you were doing.
[Mike Johnson] Both of us had a lot of expectation-setting to do with each other.
[David Spark] There you go.
[Mike Johnson] For sure. But a lot of it comes down to what is the company culture? If you’re used to being more scrappy, more agile, and you join a company that is used to multi-year plans, even outside of security, it’s really how is the company used to planning? Full stop. Not how is the company used to cybersecurity planning?
If they’re used to multi-year plans, buckle up. You’re going to have to figure out how to do a multi-year plan and figure out how to do it quickly.
[David Spark] Let me throw this to you, Gaurav. Say you’re thrown in an environment like that, not speaking to your current supplier, and it’s like, well, you really want to work for the company. And he goes, “Well, all the other C-level employees, they give us a multi-year plan.” But you know anything you write down, like what was said before, anything you write down, it’s going to be tossed out.
Do you do it just to make them happy because that’s the culture and say, “Hey,” and with a nice bold at the top, “This is subject to change”? [Laughter]
[Gaurav Kapil] No, that’s a great point, David. I mean, just coming on Bread team just over the last few months, most CISOs, if not all CISOs, go through a pretty thorough vetting process before they are given an opportunity to come join the team, right? So, you obviously built a lot of credibility with the executive team, with the board, and it starts there.
You’ve taken months to really build that influence, build that credibility, and you want to leverage that. CEOs are CEOs, CFOs are CFOs, right? They brought you on board because they trust that you can do the job. Some of my initial conversations with the executive team were like, “Hey, what are you expecting cyber to do?
Are you expecting us to solve world hunger? What exactly are your key pain points?” Right? And I remember sitting down with some of our leaders and they actually told me, right, “This is what we are expecting from the C-Suite. This is the level of engagement we want. This is the level of communication we want.
This is how we want to engage with you.” So, it’s aligning that.
[David Spark] It’s better to know what they’re expecting than both of you be up in the air, and then all of a sudden their expectations come down. You’re like, “Wait, we didn’t discuss that early on.” [Laughter]
[Gaurav Kapil] Right. So, it’s up to the CISO to ask the questions. “Hey, what are you looking to do?” Right? I mean, some CISOs are excited about coming and waxing the car, if you will, right? Like, “Hey, a program is already in place. Let me just run it and provide you with the right metrics, the reports, the compliance, all that good stuff.” Some CISOs like myself are excited about getting into the ground and actually building something up and feel proud after a few years that, hey, you actually did something of value that provided value back to the organization.
So, one is ask those questions. What is the board expecting you to do? What is the C-Suite executive team expecting you to do? And then kind of charting out a path and saying, “Look, this is the body of work. This is where we are at today. This is my understanding in the first two weeks, 30 days.” I mean, we all have our sixth sense, spidey sense, if you will, on what the skeletons in the closet are and what state that the program is in, and you can provide that objective assessment.
And most, in fact, I don’t know of an executive team that will not give you the time to really learn and build your observation map, if you will. In fact, if they don’t, then that’s a very tricky situation to be in, right? And you kind of talk about how long it’s going to take to build and meet those expectations.
And while you are in this journey, there’s going to be certain level of agility that’s going to be required, a certain level of reprioritization, a certain level of structuring that would be required to meet those milestones onto your journey to deliver the eventual expectation.
What are the best practices?
20:27.645
[David Spark] Ohad Horenstein of Kovrr said, “It can be challenging to put together a multi-year cybersecurity strategy within a few months of starting a new role. In today’s rapidly changing cyber landscape, it’s especially important to take the time to gather the necessary information and insights before making long-term decisions.
We’ve seen the same approach with some of our clients, especially with new CISOs who are keen to quickly understand the current impact of cyber risk on their financials and align that strategy with those who have the highest impact on their finances.” So, I’ll start with you, Gaurav. This comes down to understanding your crown jewels, where’s the risk, basic things a CISO needs to know.
Any strategy you would create prior to that would be useless, yes?
[Gaurav Kapil] Yeah, you’re absolutely spot on. And the good news, David, is that a lot of this work is actually done by your peer organizations within the organization.
[David Spark] Hopefully, it’d be easy.
[Gaurav Kapil] Yeah. I mean, if it’s not… I mean, hopefully the CISO is not the one who’s identifying crown jewels and key assets in place. It’s the business that is identifying what the crown jewels are. You obviously use various methodologies to determine how to best protect them. You do your business impact analysis and what your loss-to-value projections could be, and what’s your risk impact or realization.
All those methodologies, you can leverage to come up with how to best predict the key assets.
[David Spark] All right. Mike, I throw this to you. I’m going to do a little twist though on this discussion here. One of the common things I hear from CISOs all the time is when they announce publicly, “Oh, I just became CISO of company XYZ.” They get a flood of emails like, “Oh, let’s talk about this product and this product.” I’m like, “I don’t know anything yet.
Like, what the heck?” So, what would be a better approach from a vendor to a CISO who just announced and knows nothing right now? What do you think?
[Mike Johnson] I think something along the lines of, “Congratulations. We’re here to help when you’re ready. Here’s our area of expertise. We commonly see these kinds of problems when a new CISO starts at a company,” and leave it at that. Give a little bit of we’re here to help, you get your name out there, and also a little tidbit.
Please do not send them your first 90 days as a CISO tips. They either already know them, or they’re going to follow them, and things are going to get really rough for them.
[David Spark] I believe Andy Ellis has written some of these up himself.
[Mike Johnson] That’s great. That’s his perspective. A lot of them might be correct, but also some of these things we need to figure out on our own the hard way.
[Gaurav Kapil] That’s spot on. I was smiling all the way as I was hearing Mike. Listen, because from the day I announced that I’m just going to join Bread Financial, I mean, LinkedIn [Inaudible 00:23:27] blown up.
[David Spark] Your email inbox too, right?
[Mike Johnson] Yes.
[Gaurav Kapil] Oh, tell me about it. I mean, how the heck do they get their email? Well, I guess it’s easy to figure it out, right?
[David Spark] My question to a brand-new CISO, I always ask, how many have you received? How many hundreds of, “Let’s set up a meeting now that you’re a new CISO”? It’s truly the worst timing, and that’s when they all come in.
[Gaurav Kapil] Yeah. I just want to add to something that Mike already shared. Yeah, maybe an initial congratulations, congratulations on the new role, introducing yourself, here’s who we are, here’s our expertise, best wishes, stuff like that, right? And then maybe circle back after maybe 90 days and saying, “Hey, how’s been the last 90 days?
Based on our initial reach out, is there something that we can offer of value to you? Does it make sense for us to connect for 15, 20, 30 minutes?” Instead of, “Hey, let me take you out to lunch. Let me take you out to a happy hour. Let me send you…” I mean, I kid you not. I actually received books, first 90-day book from vendors, multiple copies of those.
[David Spark] Of the same book?
[Gaurav Kapil] Of the same book from multiple vendors, right? I don’t know if they’re going to be listening to this podcast, David, but I don’t want to [Inaudible 00:24:35] any names, yeah.
[David Spark] No, you don’t have to mention any names.
[Gaurav Kapil] It’s crazy, right? I mean, they knew my office address before the security guard in the lobby knew that I was actually going to be based out of this office, so.
[David Spark] [Laughter] So, you had books upon your arrival. That’s great.
[Gaurav Kapil] Right.
[David Spark] Mike, I want you to close this out because one of the key things we’ve talked about in the past, and I know that you did this when you joined over at Fastly, is this concept of just listening at the beginning. And I know, Gaurav, you referenced this as well. Explain, like, it’s more than just saying the word listening.
Give me a little bit more depth to that.
[Mike Johnson] It’s the concept of actively engaging other leaders, going around and asking them questions and listening and orienting based off of that. Ask them, Gaurav had mentioned, what are you expecting the cyber team to do? What are your pain points? Just go and ask your peers those questions as well.
Go and find some architects across the company. Ask them those questions. All of these people know what the problems are. They’re happy that you’re there because you’re going to help them with things that they know exist. So, we called it a listening tour. The idea is you actively go and meet other leaders, other senior individual contributors, ask them questions, take notes, orient that, and then take a direction.
Don’t come in with preconceived notions.
[David Spark] Just wanted you to know, the Mike Johnson listening tour, worst headline act ever.
[Laughter]
[Mike Johnson] It can be entertaining and soothing at the same time.
[David Spark] It could be, yes.
[Gaurav Kapil] David, just one comment that I want to add.
[David Spark] Sure.
[Gaurav Kapil] Yes, it’s important to listen to everybody in the organization, but understand every person has their own opinion. You have to be smart enough not to get jaded by the positive or the negative that you hear from across the organization.
[David Spark] That’s a super good point to close on. That is great. Before we truly close this out, I’m going to go to you, Gaurav. I’m going to say which of all these quotes was your favorite and why?
[Gaurav Kapil] On a lighter side, I saw this one quote where it says, “Most CISOs resign after two years, so what’s the use of the three-year strategy?”
[Laughter]
[David Spark] So, it’s not one of our quotes, but that’s fine. I like that.
[Gaurav Kapil] That was on the funny side. But really, I think one of the quotes, and I’m obviously summarizing it, the importance of having a long-term vision, a long-term plan, but having the agility to look at it every six months and re-strategize and prioritize on what you’re focusing on.
[David Spark] All right, Mike, your favorite quote and why?
[Mike Johnson] I really liked Greg Notch’s.
[David Spark] It was from a military leader. Hold it, who…? Eisenhower.
[Mike Johnson] Yeah. So, his reminding us of the quote from Eisenhower that plans are useless, but planning is indispensable. I really think there’s just a lot of wisdom wrapped up in that. As senior leaders, we can take a lot away from that. So, I really appreciate Greg introducing that to this conversation.
[David Spark] Well, you said it earlier, while the plan itself may be useless, the process of creating the plan, the organizing your thoughts, that is what’s indispensable. It’s clear. Yeah, you can’t expect anything’s going to hold the plan.
Closing
27:51.173
[David Spark] Well, that brings us to the very end of the show, and I want to thank our sponsor, and that would be ThreatLocker. Remember – zero trust endpoint protection platform. They are proactive when it comes to zero trust. Go do it yourself, threatlocker.com. Now, I want to ask, are you hiring over there at Bread Financial, Gaurav?
Yes?
[Gaurav Kapil] Yes, we are.
[David Spark] Awesome. So, if someone had heard this episode and they’re interested in working for security at your company, I’m assuming you have a jobs board on the site, yes?
[Gaurav Kapil] Yes, of course.
[David Spark] And they can contact you via LinkedIn, yes?
[Gaurav Kapil] Of course.
[David Spark] Please do. Thank you very much, Gaurav. Thank you very much. And thank you to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.






