The idea of least privilege has become accepted wisdom in cybersecurity. Despite being around for decades, everyone still seems to be struggling with it. So if we can’t realize this principle, is it worth chasing in the first place?
Check out this post by Kevin Paige, CISO at ConductorOne, for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining them is Julie Tsai, CISO-in-Residence, Ballistic Ventures.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Cyera
Exposure Management is a relatively new but increasingly central part of cybersecurity. It forms a strategic layer above traditional vulnerability management, providing a continuous, risk-based approach to identifying, prioritizing, and reducing an organization’s exposure to cyber threats.
Traditional vulnerability management involves scanning for known weaknesses and patching them but often creates large lists of vulnerabilities with little context or prioritization. Exposure Management integrates threat intelligence, attack surface management, vulnerability data, and business context to provide a clear picture of what’s truly at risk and what actions matter most. Not only does it help CISOs identify and mitigate their organization’s most pressing exposures, it also makes it easier to explain to a board of directors what is really going on by focusing on the cyber-related issues that the board truly cares about, such as the risk the organization is carrying, the potential business impact of this risk, and which critical areas to address.
This puts CISOs in contact with board members, making the conversation more strategic and more likely to generate much needed support. CISOs looking to gain insights and to develop their Exposure management influence and leadership skills should explore industry groups such as The Exposure Management Leadership Council.
Resources: The Exposure Management Leadership Council ; Sample Output report
Full Transcript
Intro
0:00.000
[David Spark] The idea of least privilege has become accepted wisdom in cybersecurity. Despite being around for decades, everyone still seems to be struggling with it. So, if we can’t realize this principle, is it even worth chasing in the first place?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this episode, he’s been a new co-host, we love having him on. It’s none other than the VP and CISO over at Frost Bank, Eddie Contreras.
Eddie, thank you so much for joining us.
[Eddie Contreras] David, thank you for having me back yet again.
[David Spark] We love having you. Our sponsor for today’s episode, great sponsor of the CISO Series, that would be Cyera. Secure your data wherever it lives. And what’s cool, they got a really awesome event coming up in Dallas, and if you are there or live near there, you’ll want to listen to what we have to say later in the show.
But first, let’s get to our topic at hand. We talk all the time that cybersecurity needs to be a business enabler, and Kevin Paige, CISO at ConductorOne, makes the case that least privilege is a fantasy that distracts cybersecurity teams from their core mission.
In an age of dynamic and complex infrastructure, least privilege is fundamentally at odds with keeping the business running smoothly. He proposes instead, security teams focus on building systems that scale based around zero standing access, just-in-time provisioning, and full auditing.
So, I throw it to you, Eddie, and I know this is just the setup. Is that any more feasible, what he just described, than least privilege?
[Eddie Contreras] It’s going to be a very good conversation today. The way I think about this is so often technologists try to take ownership of a domain, and least privilege is the newest member of that conversation. It’s been around for a long time, but it’s not just restricted to cybersecurity.
So, if you think of this concept being around and how everybody needs to make it successful, the best way, and David, you know me by now, you go to a hotel, you arrive at that hotel, you get a key to your room, but you don’t get a key to every room.
There is a lot of stuff that you don’t have access to, but that’s the fundamental practice of least privilege. Arrive, go where you need to go, be where you need to be, and make sure that you do not step across those bounds because bad things could happen.
[David Spark] Very good point. All right. Helping us with this conversation, by the way, this was a conversation long waiting to happen, and we’re thrilled to finally have it happen, and I ran into her again at Black Hat, thrilled to have run into you so you can be back again.
She is currently the CISO in residence over at Ballistic Ventures, none other than Julie Tsai. Julie, thank you so much for joining us.
[Julie Tsai] Great to be here, David. I’m glad we ran into each other too. Great to be on here with Eddie.
Why is everyone so confused?
2:54.810
[David Spark] Samuel Roach of Cyberoptiq said, “The principle of least privilege is just that, a principle. It is ineffective without actually implementing the right controls, but it is the principle that should dictate the controls one should implement.
It is the reason you cannot normally enter the security area of an airport without a valid boarding pass.” Good analogy, speaking your language, Eddie. Samuel goes on to say “The principle of least privilege is certainly not dead. We simply need better visibility of what identities have access to and do a better job of applying the principle consistently.” That sounds pretty darn good.
Can we get to it? We’ll see.
But I also want to mention Muhammad Khan’s quote here, “Rather than declaring least privilege dead, perhaps the real issue is the lack of adaptive privilege models. Least privilege isn’t broken. Our execution is. With identity sprawls, CICD pipelines, and multiple cloud APIs, what we need is dynamic access governance.
Policies that adjust with user roles, tasks, context, and risk scores. Just-in-time access and zero standing privileges are brilliant tactics, but they’re part of a modern least privilege strategy, not its replacement. Instead of burying the concept, maybe we should evolve our tooling and mindset to apply it meaningfully at scale.” All right, Eddie, these are two great quotes, and I think they kind of hit it really well.
Both are saying, don’t throw out least privileged. We know we just need to adapt. Yes?
[Eddie Contreras] Everything adapts over time, and I like these two quotes because it starts to ground us in the conversation that it’s not easy.
[David Spark] Yes. By the way, that’s the whole theme for CISO Series. It’s not easy.
[Laughter]
[Eddie Contreras] It’s not. And George Foreman coined it, right? Set it and forget it, right? It’s not one of those areas where you can just forget it. But it is adaptable. And with every technology that’s out there, with every new concept, with every new process, it forces you to reevaluate what controls you have.
And if you really look at least privilege as a control, you design that control, and then you test the effectiveness of that control over time. And if you’re not testing it with every iteration, upgrade, and/or new process or technology, you’re right.
It can be very challenging. And a lot of companies, unfortunately, once they set the control, they do forget it. They think it’s the easy button, and then two years later, when they revisit that control, that’s when you start to unpack, well, what happened?
Well, did we ever really have least privilege? But it is one of those controls that you have to manage thoroughly.
[David Spark] And going back to the original post, Julie, that Kevin Page posted about saying that we need zero standing access, just-in-time provisioning. These are evolving concepts of least privilege. It really isn’t throwing it away completely, and so that also leans into what Mohamed said.
Yes?
[Julie Tsai] Absolutely. I think that in some ways, I appreciate the conversation he’s trying to ignite, but it’s a provocative way of posing what I think is a false choice.
[David Spark] Right. It’s not either/or.
[Julie Tsai] Absolutely not. And in a lot of ways, just-in-time provisioning and dynamic access are forms of least privilege. When you think about the things that you’re going to limit in terms of privilege, you’re going to make it time bound. You’re going to do it per role.
You’re going to do it per task. And this is one dimension of that. So, just-in-time provisioning, zero standing access, those are actually pretty good flavors of least privilege. It’s just, I think that for the sake of people’s understanding or getting twisted in some other form, I don’t think it should be taken as, oh, least privilege is dead.
Just go ahead and give everyone the root keys. It’s not like that. This is one way of approaching this problem.
[David Spark] Well, I don’t think he said give away the root keys. I think what the argument up front is, we’ve tried so hard, we failed, so we got to take a complete other tactic. And I know that’s not what you believe, but I thought it’s interesting, like you said at the beginning, it’s quite provocative to even just go down that road.
[Julie Tsai] Right, exactly. It’s almost like, okay, well, what is it that you’re proposing? I know you’re not proposing to throw out the baby with the bathwater on this. Security, I think, is as much a maturity progression in terms of not letting the perfect be the enemy of the good.
We will never be perfect, but you cannot stop trying because otherwise you’ve just made it way worse.
I didn’t think of these options.
7:14.400
[David Spark] Rory Bray of IBM said, “I also don’t see strategies like just-in-time access as a separate from least privilege,” what we were just referring to. Rory goes on to say, “It’s about only what you need and only as long as you need it with oversight.
There are new tools to make that easier, but it was always possible and always advisable.” And Caleb Sima of WhiteRabbit said, “A hundred percent agree, but your solution is my definition of least privilege. So, in some sense, I feel like you argued against yourself.
One solution to the never-ending least privilege problem is by focusing on crown jewels. What areas or critical systems are the most important and apply that effort there versus chasing the never-ending dream of the entire organization.” It’s interesting.
That really is the top of the least privilege discussion is beginning with the crown jewels, isn’t it, Julie?
[Julie Tsai] Oh, absolutely. Because you’re going to go to the place where it actually matters, where there’s significance. And there’s always something, it may be a small amount, and you may have gotten it pared down, but there will be something that the organization cares about existentially.
It could be IP, it could be trade agreements, it could get back to literally the keys to the kingdom, but there is something somewhere that is important. And you do have to say like, okay, in this extreme case, how are we treating this? I do understand where people have had to start prioritizing more and more.
I think the idea of the crown jewels, or sometimes I think of it being close to our territory, the go bag. You know, the bag that you just cannot live without, right? And in times of emergency, if you can pare that down to just the essentials, that really helps.
So, I understand where orgs need to do that, but absolutely, you have to keep some sense of knowing who’s coming in and for what and not letting go of that accountability.
[David Spark] Eddie, I think your business is probably the perfect example of scaling up least privilege because of crown jewels. I mean, doesn’t all finance pretty much operate that way? The more critical the engagement or the trade being, the more layers there are to getting it done and proving identity.
Yes?
[Eddie Contreras] Absolutely agree. I think Julie’s a perfect person for this conversation because, to your point, David, industries matter. As a CISO, you have to know where you operate. Are you in a startup company? Are you looking for seating? Are you already on a Series B?
Are you publicly traded? Are you a Fortune 100? I think all of those define how mature your least privilege program looks and feels like. And you’ll notice as you cross these industries, there are some companies that get close to utopia. There are some companies that are not only achieving what they’re supposed to achieve, but they’re also achieving it in a way that’s defensible, it’s auditable, and essentially, you get graded on your delivery of this program.
So, it really does depend on that industry – and Julie’s well aware of this, right? In her portfolio, what works for one may not work for another.
[David Spark] Or might not be necessary for another.
[Eddie Contreras] Correct.
[Julie Tsai] Absolutely. A lot of times like for small startups, whether they’re in the security space or not, they’re much more optimized around speed; however, most of them are going to care about their IP. So, on some level, there’s going to be some aspect of that, where they know that I can let go of the rest of it.
I can recover the rest of it should we have an issue. This one piece, I really, really care about. As they progress, customer data and what they’ve acquired and what they need to protect in terms of reputation becomes more and more important. And part of that journey for any startup, as well as the people who are helping them, is figuring out, okay, are you now at a new threshold?
You now have public scrutiny. Your financial records need to be incontrovertible. They need to be intact and able to be backed up. Your customer data, should you lose it, who does it impact? Is it patients? Is it children? Is it people in other countries?
And so, those conversations start to get more expansive as you go on, but at early stage, it is very different.
And I think that getting back to the fundamentals of understanding why we’re securing what we’re securing can lead people to the right answer in terms of what’s the level, where do we need to be on that spectrum of least privilege? Least privilege is not just an ideal, but a foundational muscle on how we operate in terms of knowing like, hey, this is how I’m going to approach this problem every time.
We’re going to land in the right place. It’s not going to be an absolute place, but we’re going to land on the right place because I’m looking at it from the perspective of who needs to know this.
Sponsor – Cyera
11:56.694
[David Spark] Who’s our sponsor this week? Hey, AI is here. We all know that. And it’s moving very fast, but with every new system, tool, and integration, your data and security posture are under more pressure than ever. That’s where the DataSecAI Conference comes in and it’s happening next week.
So, if you’re hearing this when this just came out, you got to move fast. It’s happening November 12th and 13th in Dallas.
DataSecAI25 is the industry’s leading conference at the intersection of cybersecurity, data governance, and AI innovation, and it’s hosted by AI and data security leader, Cyera. So, this isn’t just another tech event. It’s a conference built by the industry for the industry designed to help CISOs, data leaders, and business technologists rethink what’s possible, share real-world strategies, and collaborate on the future of AI security.
You’ll hear from top voices driving transformation across sectors, from enterprise CISOs to AI threat intelligence experts. And you’ll walk away with the insights you need to scale secure innovation. Now, if your job touches security, AI, or data, you need to be at DataSecAI.
Here’s a great thing. There’s no cost to attend. Just bring your perspective and join the conversation. Just go to Cyera.com, that’s their website, cyera.com, but at the very, very top of the page, on the top, top row, there’s a link to the DataSecAI Conference.
Just click on that and go ahead and register.
This isn’t just a security issue.
13:27.835
[David Spark] Ron Yankelevitz of Next Insurance said, “Least privilege isn’t the problem, poor implementation is.” And by the way, a lot of people agree with that. Ron goes on to say, “Just-in-time access, step-up approvals, audibility, those aren’t replacements for least privilege.
They’re how you achieve it in modern environments. The principle hasn’t failed. What’s failed is trying to enforce it manually without context, automation, or lifecycle management. In my honest opinion, the answer isn’t to abandon least privilege, it’s to operationalize it properly.
With the right tooling, it scales just fine.” Now, what the argument at the beginning is, [Laughter] “Yeah, we haven’t been doing that, so let’s try something else.”
But Matthew Halsey also says, “If a business is struggling to have the correct access assigned in a timely manner, then that is not a security problem. That is a poor Role-Based Access Control or RBAC system problem. What likely causes problems like these are people in positions of power, like heads of departments or members of the C-suite, circumventing proper access control policy because ‘what I need is super business critical, and it needs doing now.'” So, Eddie, you’ve seen least privilege fail and you’ve seen probably people push against least privilege because I just need to get things done.
That battle’s not going away, is it?
[Eddie Contreras] It’s not going away, and I may be a little biased here.
[David Spark] Go ahead.
[Eddie Contreras] You can throw the C-levels and the executives under the bus and say, “Well, I just need this access.” I really like what Ron was saying here, right? It may not be the principle, but it could be the delivery, and if you have a friction-filled control, implementing least privilege is going to cause people to say, “Let me bypass you,” which is where you get caught on those statements like Matthew’s talking about.
You know what? Just give me the direct access. I have to do my job. And ultimately, we’re all here to do our job. So, if your control is full of friction, if it hasn’t been tested by the user community, if you haven’t solicited feedback, or if you didn’t solicit feedback at the beginning to be able to design that control properly, you should assume it’s going to get circumvented.
You’re going to assume, hey, people are just going to try to get past this because it is too friction-filled. So, I do think there’s a gift of delivery here. If you truly know how to design a control with the least amount of friction, you can apply the proper principles.
If not, what Matthew says is true, people are going to bypass it. But is that their fault? I don’t think so.
[David Spark] What’s been your experience of the business fighting least privilege, Julie?
[Julie Tsai] I take it for granted that they’re going to do that, just like a dog is going to come and ask for a bone at the dinner table.
[David Spark] [Laughter] It’s like death and taxes. It’s inevitable.
[Julie Tsai] Absolutely. Death and taxes, and they will be asking for more access. It’s human nature. People like to push the edge on these things unless they’ve actually had the scar tissue themselves. And I think that if you’re working with someone mature and who can work with you across the aisle, you can have this conversation with a wink, and say like, “Okay, I know you’re going to ask, and you know what I’m going to say, and you know what our options are in front of us.” But lifting up from that, I’m going to say that automation is the sword that cuts both ways on this.
I think that in terms of eliminating friction, of course, you want to automate both the conferring of access as well as the removal of access, but the win for the security department on this, on every single time, is predictable implementation, logging, and that auditability that we love, right?
Because if I or someone is having to go in manually, that may have multiple methods of doing so. There’s irregularities in our records, and we have to often manually document the reasons why, if we’ve done that at all, right? But if we have instrumented something to do that conferral of access quickly, and then the revoking of access can happen quickly, whether it is manually initiated or not, I still have the process, I have the logs, and it’s just another quick step to tie it into my ticketing system.
So, on some level, as long as I can get the visibility and accountability there, and we have some sort of agreement on like, what’s the level of approval you need for this change? Are they going to sign off on this and put themselves out on the line for these changes?
And maybe they should be thinking hard about it, if they’re asking for those exceptions three times a week. You can start surfacing these issues so that security is understood to be a company-wide effort, not just you and your department.
[David Spark] In an industry like finance, aren’t a lot of these things kind of already dictated for you, so there doesn’t need to be a lot of pushback, yes?
[Eddie Contreras] One of the fortunate things about being in a bank is you have such a large security team, and I don’t mean that in the size of the team that reports directly to me. I mean that in every employee is security conscious, right? They’re understanding what’s expected of them.
When you’re in the financial industry, you realize some people get the keys to the vault, some don’t, right? Some people have authority, some don’t, and people understand that. So, I do agree, David. Being in this industry, the ability to deliver security controls is not as resisted, but I can tell you at some point in time, resistance comes if the control is not manageable.
Usually the feedback is really, “I would like a better control,” even though the words you’re hearing is, “I don’t like it,” right? Or you’re hearing frustration, but it gives us an opportunity to redesign the control. But yeah, we do it.
[David Spark] I’ve noticed IN the finance industry that doing certain money movements take more steps than they have in the past, and it’s a lot of essentially more multi-factor authentication, really. That’s all by design, yes?
[Eddie Contreras] It is not only by design in the technology, it’s by design in this process. So, we even step out of the technology and still apply least privilege because again, we’re a financial institution, and we’re taking care of your money. You’d want us to have those steps there in place.
So, it’s very important for us.
It’s time for this week’s security tip.
19:20.802
[Voiceover] This week’s security tip is brought to you by Tenable, the exposure management company.
[David Spark] Exposure management is a relatively new, but increasingly central part of cybersecurity. It forms a strategic layer above traditional vulnerability management, providing a continuous risk-based approach to identifying, prioritizing, and reducing an organization’s exposure to cyber threats.
Traditional vulnerability management involves scanning for known weaknesses and patching them but often creates a large list of vulnerabilities with little context or prioritization. Exposure management integrates threat intelligence, attack surface management, vulnerability data, and business context to provide a clear picture of what’s truly at risk and what actions matter most.
Not only does it help CISOs identify and mitigate their organization’s most pressing exposures, it also makes it easier to explain to a board of directors what is really going on by focusing on the cyber-related issues that the board truly cares about, such as the risk the organization is carrying, the potential business impact of this risk, and which critical areas to address.
This puts CISOs in context with board members, making the conversation more strategic and more likely to generate much-needed support. CISOs looking to gain insights and to develop their exposure management influence and leadership skills should explore industry groups such as the Exposure Management Leadership Council.
[Voiceover] This has been your weekly security tip. To learn more about exposure management, go to tenable.com.
What problem is this solving?
21:13.166
[David Spark] Doug Mayer, CISO over at WCG, said, “Terms like least privilege and zero trust were never alive to, at one time, say they are dead.” All right, so they were never on the table to begin with. “But rather, they’re only buzzwords to give the security professional a term to get the business thinking about helping us to help them.
So, all the options are great, but all my years in the job, it’s about prioritize and apply where possible because the little wins make a difference, and with enough little improvements, the attack surface is harder for adversaries. Any new term that evolves or replaces it, I will use it.” Doug has a more realistic view of it.
It’s like, ah, well, you can argue about the terms, but if I can just improve the situation, I’m happy. Where are you, Julie, on that thinking?
[Julie Tsai] I see him as a kindred spirit. That’s a very nuanced take, and it’s absolutely true. We recognize that these are words that we wrap around these concepts to get people excited about things, you know, zero trust and defense in depth and security by design.
And a friend of mine had said not too long ago, look, all these things in security that most people, the vast majority, know what they’re supposed to do. You know you’re supposed to use tough passwords. You know you’re supposed to use multi-factor.
You know you’re supposed to design not in a extravagantly open way, but we don’t do them because it’s inconvenient. And I think that once people have been around the block on this and maybe have the responsibility and have some scar tissue, there’s some understanding and a desire to come to the right place on it, at least find that moderation.
And until that point, we keep working to get these concepts embraced and understood in the larger community that maybe still finds it too inconvenient to do.
[David Spark] All right. Your take here, Eddie. Is it just a lot of posturing? Let’s just make access better?
[Eddie Contreras] if someone could solve this, I’m sure there’d be a lot of money spent. And so, I think all of these phrases to some degree have some relevance to them.
[David Spark] And by the way, Gartner keeps creating another category for you to create a line item for to sell another product. [Laughter]
[Eddie Contreras] Exactly. If you think of all the new releases that Gartner or Forrester have, or any of the other big names, the best thing to look at is it’s keeping the discussion alive. And whether you call it least privilege, whether you call it separation of duty, whether you call it just-in-time access, whatever you want to call it, the conversation’s going and it’s active.
And you can’t really harm anybody by saying, “Hey, let’s have a conversation about security,” with people that are not in security. So, I think it’s good. I think we’re going to continue to have this conversation with the adoption of artificial intelligence coming in where agentic AI now have a role-like personality where they’re going to perform tasks of a human.
You’re going to authorize them to do a lot of things. Least privilege in that new area, I would suggest every CISO needs to again reevaluate your controls and understand, will they continue to function and perform as they are today? And if they don’t, it just gives you the opportunity to again, talk through the process.
[Julie Tsai] Eddie outlined it really well, and I think that fuels the cycle. We like to make fun of it, and we like to wring our hands about it, but it’s true. The analysts are going to come up with new categories to describe problems that are deep and nuanced.
We in the industry are working to find more creative ways to solve those things but often pressed against the wall in terms of budget and time, and hence the products start proliferating. And I think this is why you all started this podcast, right, originally as the CISO vendor relationship.
[Laughter]
[David Spark] Yeah, that was the original plan for it. You know what? Talking to somebody about how because they were able to start a greenfield security program, it was way more secure than had they had to walk into because what happens is when you have a lot of baggage, it’s very hard to have a sort of a clean program.
And the question is, maybe for a future episode, when is it worth it to scrap your security program and all your tools and start from scratch? Is it ever? [Laughter]
[Julie Tsai] It’s the burning the village to save it model. It’s a provocative question also.
[David Spark] That’ll be a future episode, I’m sure.
Closing
25:36.284
[David Spark] All right, now I have a question for you, Julie. Let’s look at the quotes. I loved all these quotes, they were all great, but I want you to pick one that was your favorite and just tell me why.
[Julie Tsai] I think the last one that we were just talking about.
[David Spark] That’s from Doug Mayer, the CISO of WCG, just saying like, hey, call it whatever the heck you want. I just like the little wins.
[Julie Tsai] Yeah, this industry, the space is very much that game of inches and just trying to get that extra bit. Because you never know which inch is going to be the one that saved you from the last attack.
[Eddie Contreras] That’s a good point. All right, Eddie, your favorite quote and why.
[Eddie Contreras] First, I want to thank Kevin for the conversation. It did spark a lot of conversations and posts. It was good.
[David Spark] It was good. It was totally good. There was a little bit of ragging on it, but we’re all totally appreciative of it.
[Eddie Contreras] Ragging builds energy, but I’m going to go with Samuel.
[David Spark] That’s the first quote, yeah.
[Eddie Contreras] Correct. Not because we took the conversation with an analogy, but because we simplified the topic, right? And I want to align myself with Samuel here and say I’m maybe in the same realm as him. He’s a phenomenal person here, but if you think about his quote, “He’s not teaching anybody about cybersecurity.
He’s making them be more aware that the concept exists already and so let’s have that conversation.” So, I like his quote.
[David Spark] And just to remind everyone, the analogy used is that you can’t get into the security area of the airport without a boarding pass.
[Eddie Contreras] Correct.
[David Spark] Which, by the way, here’s a perfect example. There was a time you could get into the security area without a boarding pass and things changed.
[Julie Tsai] Right.
[Eddie Contreras] Yes.
[Julie Tsai] They did.
[David Spark] Exactly. All right. Well, that brings us to the very end of the show. I want to thank our sponsor, and that would be Cyera. And you remember, they’ve got this great new conference. If you’re hearing this today, it’s happening in less than a week, [Laughter] so you need to move quickly.
Just go to their website, Cyera.com. It’s the DataSecAI Conference. It’s happening November 12th and 13th. Go check it out. In Dallas, by the way, go check it out. It’s going to be a ton of fun. I actually was there last year and had a great time. That was their first event.
This is their second event. It’s totally worth it to go, even to take the trip to Dallas. It’s a lot of fun. All right, Julie, let me ask you a question. You work for a VC firm. You have a lot of portfolio companies. Are any of them hiring?
[Julie Tsai] I do know startups that are hiring in not just the ballistic portfolio, but also in the startup ecosystem.
[David Spark] Oh. So, contact you directly?
[Julie Tsai] Yes. Contact me directly.
[David Spark] So, we will have Julie’s LinkedIn profile linked to on the blog post for this episode. Just go find it. By the way, T-S-A-I is Julie’s last name. You can just search it on our site if you can’t find it. If you’re listening to this the week it comes out, it’ll be very easy to find right on the site.
Thank you very much, Eddie. Thank you very much, Julie. And to our audience, we greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David at CISOseries.com. Thank you for listening to Defense in Depth.