New SEC Rules for Cyber Security

The Securities and Exchange Commission issued new cyber rules. What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our guest, Jamil Farshchi, CISO, Equifax.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Nudge Security

Nudge Security provides complete visibility of every SaaS and cloud account ever created by anyone in your org, in minutes. No agents, browser plug-ins or network proxies required. With this visibility, you can discover shadow IT, manage your SaaS attack surface, secure SaaS access, and respond effectively to SaaS breaches.

Full Transcript

Intro

0:00.000

[David Spark] The Securities and Exchange Commission here in the United States issued new cyber rules. What do these new rules mean for CISOs and will they ultimately improve our cybersecurity posture?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And you know this guy, you’ve heard him many times on this show before, it’s Steve Zalewski. Steve, say hello to the audience.

[Steve Zalewski] Hello, audience.

[David Spark] That’s his voice. Get to know it now. Our sponsor for today’s episode is Nudge Security and pretty excited about this. They will let you know what SaaS apps are being used in your environment so you can better secure them, and they’ll actually help you with that as well. More about that a little bit later in the show.

Steve, after a very long anticipation and demand actually from our audience for this discussion, the Securities and Exchange Commission or SEC has finally released its new cyber rules. Now, for those listeners not in the US, the SEC is the regulatory body responsible for enforcing securities rules, like our stock market, all designed to protect investors, and these cyber rules are designed to do the same thing.

Now, our guest, Jamil Farshchi, who’s the CISO over at Equifax, posted on LinkedIn that these rules will lead to more CISOs being appointed at companies that don’t have them, provide for more reasonable cyber budgets, and see boards give more time to cyber risk. So, Steve, are these rules something to celebrate, or are they just going to make a CISO’s compliance efforts even more difficult?

[Steve Zalewski] I don’t know if “celebrate” is the right word, but what I would say is these rules, from my perspective, are guidance on the path to risk maturity. And I think from that perspective, they are going to be well received and are very timely.

[David Spark] Would you say this is – because I don’t think a lot of people get excited about new rules and regulations – but this one seems, I mean, not celebrated but this is kind of going to be a boon to the security industry, yes?

[Steve Zalewski] The measurement of cyber risk is an ongoing conversation around the maturity that we have as an industry to do it. And I think why I’m really happy to see this and why I call it “guidance” – Jamil will chime in here – is that it’s an acknowledgement of the ability that we have to measure risk against the maturity that we have to measure risk, and the guidance they’ve offered is continuing to push us down the right path.

[David Spark] Excellent. Let me introduce our guest today who is responsible for starting this very discussion that we’re going to continue on this very episode. It is the CISO of Equifax, and if you’re not currently following him on LinkedIn, you should follow him on LinkedIn, and that is Jamil Farshchi.

Jamil, thank you so much for joining us.

[Jamil Farshchi] Thank you very much for having me today, David.

Is anyone happy with this solution?

3:12.500

[David Spark] Barry Rabkin said, “I think it will lessen the number of CISO candidates,” so completely the opposite of what you said, Jamil. “It also reflects naiveté about how companies operate and their ability to report a material event within four days.” We’ll get into that four-day limit because that seems extreme given that we’re going from months to four days.

Not that months was good, but four days is a doozy. Jon Watkins of Watkins Consulting said, “My only concern is that the compliance isn’t a checkbox just to ‘be secure’; however, for these companies who actually follow the guidance, this will step up their cyber game considerably.” Which is I think what we’re all hoping for.

So, I’m going to start here with you, Steve. Starting with Barry who thinks it’s actually going to lessen the number of CISO candidates, which I don’t really actually see that, I don’t know where he’s coming from, but also this four-day limit, wow. Is this doable?

[Steve Zalewski] There’s a couple of things with what Barry is saying I think we want to talk about here which is, one, is four days in guidance, again, this is spirit and intent. They were very careful, I think, to go from something very proscriptive to something that allows us to figure out how to do this, and that this is for public companies, right?

And everybody’s thinking, “Oh, my goodness. Everybody has to do this.” Again, I think what the SEC has done is said, “We’ll start with the public companies. We’ll let the boards decide how they want to mature cybersecurity, but we’ll put a couple of” – I don’t know if you want to call them measurements or metrics – “in the guidance in order to be able to push the conversation the right way.”

[David Spark] Jamil, what was your first takeaway from this guidance of this is going to help or hurt or what sort of is sort of exciting emboldening [Phonetic 00:05:21] you?

[Jamil Farshchi] It’s about transparency. I’m a firm believer that sunlight is the best disinfectant, and I think these rules get us at least a few steps of the way there. I think some of these comments, let’s take Barry’s, for example, that you mentioned a minute ago, I see no basis for that whatsoever.

I don’t see CISOs running away because there’s going to be more transparency because they’re going to have a seat at the table because they’re going to have greater influence because boards and executives are going to care more about security because the SEC is looking at this more closely. There’s no basis in fact on that comment.

And I think that some of the challenges here are that we’re missing the point of what the SEC is trying to achieve here. Ultimately, what they want to do is to be able to help arm investors. This isn’t for CISOs. I think we get a halo effect and a benefit from it, but this is for investors, and for them to be armed with greater insight about the cyber maturity of the organizations that they may or may not invest in, I think is a boon for everybody.

I don’t really see any meaningful downside for it. And so all of these knock-on effects that I think that we’ve been talking about, that the industry’s been talking about as it relates to this, are really secondary to what the SEC’s intent is with these rules.

[Steve Zalewski] And I want to chime in here with Jamil too, right, which was the reduction in the number of CISO candidates. I agree, I don’t think so, but what the counter is, is it’s going to set a higher expectation on what the responsibility of a CISO is for their company. And now the CISOs have accountability and responsibility, and they better have the business acumen, not just rely on technical acumen.

[Jamil Farshchi] But what part of that argument suggests that CISOs are going to opt out of being in the role because of that? I think it’s something we’ve been clamoring for since I’ve been in this space. Which is, “Hey, I want people to listen to me, I want to be able to communicate to the board and articulate the risks that we’re facing.

Because I’m unable to be able to communicate to them otherwise and as a result, I’m sitting here in the boiler room fighting all these fights without any champion, any support.” So, I think that, sure, are CISOs going to need to step up their game? Do we need to understand the business? Do we need to be able to be meaningfully strong communicators?

Sure. But that’s always been the case. I don’t know an organization that says, “Hey. I don’t want you to know anything about my business. I just want you to deal with the technical risks.” That’s just not the reality that we live in today.

How do we convince the board?

8:08.384

[David Spark] Jaydeep Thakkar of PwC said, “Sharing the responsibility beyond just the CISO is a great step. Transparency will lead to more cyber awareness among investors and help the community as a whole.” Eric Staffin of BlueVoyant said, “This is also a pivotal moment for CISOs and the business stakeholders to improve engagement.

Contextual relevance is bidirectional.” And lastly, Sanket Naik of Palosade said, “As security practitioners, we should celebrate this win that the C-suite now has to allocate mind space for cyber because there is a direct line item on the 10K which could affect the stock price.” Now, I want to double down on that very last line of Sanket’s quote here.

This is what’s huge. If there was ever a big sign that says, “Cyber is directly related to money,” this is it and that it is part of the business. It is because you hear from public companies, we have to, it’s the stock price, the shareholders, the obsession. Now there is a direct line here. Jamil, you’re nodding your head.

[Jamil Farshchi] 100%. I think I mentioned the 10K part, I think we’re all going to be – in my post – I said, “We’re all going to be, as CISOs, we’re all going to be reading these 10Ks far more frequently than we ever have before.” And it’s because of that insight. And obviously, investors are going to benefit from the same thing which is, “Hey, I’m going to be able to read in the 10K what your risk management practices are, what board committees are actually focused on and accountable for this particular area.” And I think it’s going to help enlighten the investor community, but I think it’s also going to help us a lot as well from the CISO perspective.

And that’s because there’s just a dearth of information in this space today and I think that this is going to give us that step-up, that opportunity to be able to say, “Hey, how are other organizations solving this?” and it’s going to be in there every single time.

Now in terms of the stock price though, I would somewhat debate that one. I think the 8Ks are going to affect the stock price far more, i.e., when an organization does have a breach and they have to report it and the material incidence. That’ll probably have a more direct on the stock price, but I think the 10K component will certainly be a factor now where it never has been before.

[David Spark] Steve?

[Steve Zalewski] So, the 10K and what Jamil said I think is very, very true, which was for public companies, they tend to have the best CISOs, the most business savvy, the ones that understand the technical, the cyber risk, and the business enablement. And so this is an excellent opportunity for those CISOs to be able to set the bar for all the other companies that are not public, and all the other CISOs that are in different stages of their maturation, that may ultimately get them to a Fortune 500.

And so this is why when Jamil said a lot of us have been clamoring to get the attention and the opportunity. Well, the key is now the 10K is going to be setting the stage for the framework that all the other companies and CISOs can learn from. So, again, this is why I call it guidance and not rules is it sets us up for the leadership in the cybersecurity industry to be able to have the platform to educate the rest of the CISOs for the coming years, to get to that level of maturity for all companies, not just the public ones.

Sponsor – Nudge Security

11:58.065

[David Spark] Before I go on any further, I do want to tell you about our sponsor, Nudge Security. So here I want to ask you this question. When your CEO asks, “Hey, are we using that SaaS app that was just breached?” And by the way, I’m going to assume your CEO says it that calmly. How quickly and confidently would you be able to answer that very question?

So, the decentralized sprawling nature of SaaS adoption makes it a real challenge to know who is using what and to assess the possible implications when a popular SaaS app is breached, until now. Nudge Security discovers and categorizes every account for every SaaS or cloud app ever created by anyone in your organization.

No agents, browser plug-ins, or network proxies are required. The best part – a full inventory of your existing SaaS and cloud accounts is available within minutes of starting a free trial and configuring a simple integration with your email provider. Not only will you know who’s using what, but you can automate communications to end users, called “nudges,” of course, to notify them of security incidents impacting the apps that they are using.

But wait! There’s more. Nudge Security will notify you of breaches impacting your SaaS providers and breaches impacting the vendors used by your SaaS providers so you can mitigate digital supply chain risk as well. Ah! Now that is music to your ears, I know that. Pretty cool? Okay. So, you can see all of this for yourself by starting a 14-day trial today at, and write this down, nudgesecurity.com/saassecurity.

We’ve seen this one before.

14:02.968

[David Spark] Rachel Apanewicz-Delgado of Ocrolus said, “Serious companies concerned with protecting consumer data should have been doing this all along. If you need a ruling to be told to do the right thing, your firm has serious issues.” Matthew Brian Helsel said, “Meh, I won’t relieve the SEC of any missteps here, they’ve got to be better too.

They owe the public at least to report on their own failings.” So, a couple of things here. One is this is not the first time a company’s had a rule or a regulation, and compliance is actually usually the first thing that is done because there is a direct fine. It isn’t a chance. You’re going to get fined if you don’t do this kind of a thing.

So, often even though compliance does not equal security, it often sometimes drives a security policy, for that matter, and we’ve seen that in the past. So, I’m not as down on that comment from Rachel, Steve.

[Steve Zalewski] I struggle with these statements because I almost feel like they’re not seeing the larger impact to the industry. What they’re doing here is they have a somewhat myopic view that says, “Look, if you’re a security practitioner, then confidentiality, availability, and integrity is the law.

What’s the big deal? And hold us as highly accountable as possible.” But the reality that Jamil and I have is but when you’re looking at a Fortune 500 or Fortune 1000, it’s not that simple. I cannot introduce all of the friction that I want to the business processes to secure my company. And so that’s where we’re having this balance of understanding just how do you measure cybersecurity risk, and where do you balance the risk acceptance versus the risk mitigation, and that’s an ongoing conversation.

We’re only 20 years old and we’ve got 30 or 40 years ahead of us to get to that level of maturity that we have in our financial controls.

[David Spark] I don’t get the sense you’re down on this at all, Jamil, yes? I mean, this is pretty exciting for you.

[Jamil Farshchi] I think I literally said I celebrate this, so no, I’m not down on this at all. We all need to operate in the world as it is, not as we wish it to be. And what Steve said is exactly right. In the world we live today, sure, there’s some unicorns out there that are going to the ends of the Earth to be transparent and to have these measures in place and things like that.

I think in many respects, Equifax is one of those companies, but that’s not the norm. That is the exception and I think these rules help get us closer, a little bit closer to that end state that I think we all ultimately want which is organizations all doing the right thing, all being as transparent as reasonably possible, and us to be able to share information and do the best we can to fight this fight.

I won’t comment on Matthew Brian Helsel’s quote there around I guess there’s some SEC incident that they had that they weren’t transparent about. But I think a lot of the naysayers here or the “nothing to see here” camp, I don’t agree with it because I think this is a meaningful change. It’s not a lot of work, I don’t think, for a lot of these companies, but I think it’s a meaningful change for the industry and the community at large.

[Steve Zalewski] And when you look from the SEC’s perspective at public companies, they tend to be big, they’ve got lots of revenue, they have big security teams. Legal and regulatory compliance generally drives the CISO as to what he has to do because he’s always working with the auditors. But when you get out of that and you look at mid-tier and you look at small and medium business or private, okay, making payroll is the primary responsibility of the CISO and the executive team because they have to be here tomorrow in the hopes of getting big enough that they have the luxury of then worrying about audit and compliance as their primary driver.

And so again, I think these conversations are important, but we have to bear in mind that the Fortune 500 and the public are leading the way, but that most CISOs and most companies are really focusing on making payroll and trying to find the right balance. And so understanding where that balance is is as important as this ability for full transparency.

Jamil, what do you think? I mean, I’m kind of putting that out there for our audience because I think they’re going to learn from us here, this is such a meaty conversation. Where do you lie on that kind of perspective?

[Jamil Farshchi] I agree with what you said. The companies that I’ve worked for, they’re all larger companies, and so I’ve been fortunate to have large security budgets, big security teams, a lot of emphasis around the space and so forth. But it doesn’t take much, when you go down that list, it doesn’t have to be a whole lot smaller than an Equifax or whatever before that level of support, that level of investment drops off a cliff.

I mean, I talk to people, brand names, quite frankly, that have security teams all of 8 or 10 people. I have more people; I have three times that many just doing compliance. It’s just the volume and the resources, it’s just materially different.

And I love what you said about these rules and these larger organizations helping set the standard for everybody else. Because I think we’ve seen that time and again, where even if it’s as mundane as multifactor authentication, you get the big boys adopting this stuff, and it cascades down, it just trickles down over time.

And I think this is another. These requirements, the governance that will be included in it, the transparency that’ll be created from it, will trickle down and it will help improve the lives and I think the security of a lot of these other organizations farther downstream.

What’s the next step?

20:22.883

[David Spark] Eric Stoever of Career Break said, “We need to see how the states with their own cyber incident/breach notification timelines react to the SEC definition of ‘materiality.’ This may lead to a national standard, ending the confusing patchwork of state regulation.” Axbal Lara of Ubiquity said, “I hope that non publicly traded companies see this as a proactive guidance and private equity firms use it to demand more diligent processes in those where they can inject capital.” And Chalan Aras of Deloitte said, “Astute enterprises will recognize that their cyber risk profile is inevitably tied to the hip to their long and wide value chain.

Asking for clear and easy-to-understand cyber risk profiles from second, third parties, and beyond is a likely next step that will spawn from this regulatory update.” Oh, boy. I would love if that happened. Yes, Jamil?

[Jamil Farshchi] [Laughter] Wow. I mean, given that it’s one of the biggest risks that we face. I don’t know a single CISO that’s not frustrated in that space. That would be a boon, I think, for all of us.

[David Spark] Even a small uptick. It doesn’t have to be perfect, but any uptick from this would be great.

[Jamil Farshchi] A fingernail of an uptick would be a boon for all of us, I think. But I also think it’s accurate. I mean, if you look at some of the other focus areas. I mean, CISA’s been pushing in this direction as well with the SBOMs and this focus on the supply chain and so forth. I think it is a natural thing.

I will say this though. Remember these SEC rules, they were first proposed, I don’t know, 18 months ago or something. They were supposed to be released this past spring and actually right before they released them, they actually delayed it again. So these new rules weren’t supposed to be released until, I think, October.

And then they out of the blue published them. So these things take time, I don’t expect the next step to be something that hits us in the next six months or a year. It’s going to take some time for us to digest these, for them to get some runtime and become standardized, and then I think we’ll see more after that.

[David Spark] By the way, similar with GDPR. It came out, there was a lot of confusion. It’s like we’re going to have to see how this whole thing rolls out. Yes, Steve? Just I want to point out to our listeners, we’re recording this at the tail end of August, this episode’s airing in October. So a lot of things may be a little clearer by the time this airs.

Steve?

[Steve Zalewski] Yes. You hear me all during this say it’s guidance, it’s guidance, it’s guidance, okay? Because I think when they pulled back at the last minute, it kind of surprised people because they went from proscriptive to guidance. Because I think they got some heavy feedback that says ultimately the board’s only responsibility for how they run the company and that they all have to have an opportunity to figure out how they want to address cyber risk relative to the business risk.

And who better to figure out that than the boards themselves, so let’s empower to have the security conversation with the CISOs. But let’s give them some time to figure out where that ultimately lands because that is a business decision that they own and that the board and the executives have fiduciary responsibility.

So that’s the way I interpreted that and thought that was a very forward-thinking view.

But there’s a second-order effect here. To me, when we talk about third-party risk, we talk about the fact that as a maturity of how we protect our companies, right? We’re going through a lot of transition, is we built a lot of product and a lot of process, and many of these big companies have 100, 200, 300 products in there because what they’ve been doing is piling on more and more products over time because they have a lot of legacy and a lot of regulation.

But with this opportunity, is there going to be some rethinking of our roadmaps and our architectures? And what good-enough or best-in-class security looks like to take into account kind of some of this greenfield opportunity. And so I think we also have to give the executive teams and the CISOs an opportunity to rethink what these 200 or 300 products look like and how do we simplify to become more effective, not just more efficient.

Jamil, what do you think?

[Jamil Farshchi] I think that is true. I don’t know that it ties to these rules though. I feel like that’s something that as a community and as leaders we should be doing anyway. I think this might help a little bit in terms of making sure that it’s on the radar of senior executives and CEOs and boards, which might give you a little bit more backing and mind share to be able to drive that change, but it should be something irrespective of these rules that we’re doing anyway on a day-to-day basis.

I will say one other thing, and David, your comment about GDPR was insightful. A next step we could see, that I would actually expect to see from this, is the adoption of these rules or similar versions of them throughout the global community, especially in Europe, Australia, New Zealand, potentially even Brazil, things like that, or countries and regions that have adopted the GDPR-ish regulations as well.

I think that this could be a domino effect globally.

[David Spark] Well, GDPR was a domino effect too. I think it’s going to be a giant circle coming back again because GDPR started, I think, the security policies in California, and then probably this SEC, and then it’s going to spin back out again. Let me throw this, I want to throw this additional question because we touched upon it earlier about the number of new CISOs that will be out there.

In the five years that we’ve been doing this show, we have interviewed a lot of first-time CISOs at big companies. Like we’re shocked, like, “Really? You’re the first CISO at this huge company?” And it’s often because many of these regulations don’t say, “Hire a CISO,” but they say, “There needs to be someone responsible for this.” Now, correct me if I’m wrong, but the SEC ruling doesn’t specifically say that, but they say you have to disclose security expertise.

Am I correct on that?

[Jamil Farshchi] Yes. At the management level, it does, yes.

[David Spark] Now, I want to add to this, and we’re going to be talking about this on another show, is that Brian Krebs had a post out noticing that – and I think I’m getting this number correct – 5 out of the top Fortune 100 companies listed as a CISO on their C level executives on their website, only 5 of 100.

I believe that number’s going to go up dramatically because of this ruling. What do you think, Jamil? You’re nodding your head.

[Jamil Farshchi] 100%. It absolutely will do that. And this goes to the halo effect and the benefits that our community and the CISOs will have from this ruling. Because what? What’s happening here? The SEC is incenting publicly traded companies to prioritize security far more than they have in the past.

And so you can rest assured that organizations will do whatever they can to be able to highlight their focus and their maturity around this space which begins, and in many cases ends, with, “Do you have a CISO? Do you have a leader in charge of this space for your organization?”

[David Spark] Steve, I’m going to let you have the last word on this.

[Steve Zalewski] I think we’re going to see a lot of work going on as to what are the qualifications or certifications to obtain the title of CISO because it’s still relatively new, and I hate to say this, but there’s a lot of CISOs that are anointed, not appointed. And so what I’m hoping to see out of this, again, is all right, like a CPA for finance, what are the qualifications and certifications that have been generally acknowledged so that you can stand in front of the board or the board can stand behind you to be able to know that you have their back.

[Jamil Farshchi] Can we please not do that? I am not a huge fan of a lot of the certifications out there, and there is a lot of folks who are certification junkies and they’ve got a zillion trillion letters behind their name but when you put them into a firefight, they just aren’t going to be able to stand up and perform very well.

I would be – while nothing’s wrong with the certifications – I would be remiss if I did not say that I would hope there is no end state here where a given certification is going to be the sort of gatekeeper for the new breed of CISOs coming in.

[David Spark] I think we’ve seen this in waves. But just throwing it out, like people got MBAs to go into business and then you realize, “I don’t need a frigging MBA to go into business.” I think it has the same thing. Steve?

[Steve Zalewski] Well, and that’s what I was getting at, Jamil, and I appreciate you when you jumped in and go, “Please let’s not go there.” Right? There are way too many certifications for the sake of certifications. My perspective here is to really be good as a business practitioner with security expertise.

Okay? That’s kind of where I was going was how can we, given the opportunity to be at the executive level, operate that way. And I think that’s where I was kind of challenging on where’s your business expertise, not just your technical security expertise because that’s where we’re falling down. And I think folks like you are kind of setting that expectation for what does a good CISO get and what’s the well-rounded experience that you’re expected to have to earn that seat at the table.

[Jamil Farshchi] That sentiment I could not agree with more. And I think it’s a function, and you mentioned it, that this is a pretty new field, and the amount of change that we’ve experienced in this space has been monumental. And there are a lot of folks that are moving into this position that just don’t have that background and they haven’t had the opportunity to learn and grow to the degree that they probably should.

And with the expectations raising at the same time, it potentially sets up a lot of folks for a really tough and maybe rude awakening once they get in the seat.

[Steve Zalewski] Yes. Nailed it.

Closing

31:21.376

[David Spark] We’ve come to the end of the show and where I ask both of my guests which quote was their favorite and why, and Jamil, I’ll start with you. Which quote was your favorite and why?

[Jamil Farshchi] My favorite one was the one from Jaydeep Thakkar, hope I’m pronouncing that right, from PwC, “Sharing the responsibility beyond the CISO is a great step.” And that point in particular. The reason I think this is a great quote is because security is everybody’s responsibility. It is not just the role of the CISO.

You can have the best CISO in the world, you can have the best security team in the world. If the rest of the business does not fall in line, is not supported, does not have it in their DNA, I don’t care how great your security team is and your CISO is, you will not succeed. It’s a team effort across the board from your board all the way down.

I think that’s a fantastic quote that encapsulates that.

[David Spark] Very good. Steve, your favorite quote and why?

[Steve Zalewski] I’m going to stay in the same theme, I’m going to go with Eric Staffin at BlueVoyant, and we didn’t really expand on this, but he said, “This is a pivotal moment for CISOs and the business stakeholders to improve engagement. Contextual relevance is bidirectional.” And it really spoke to what Jamil and I were just talking about which was you get a seat at the table, but it’s the business and the CISO having bidirectional context to understand what the role of cybersecurity is as it continues to evolve, and I thought that really was spot on.

[David Spark] Excellent. Thank you. Then that brings us to the very end of the show. Thank you very much, Steve. Thank you very much, Jamil. I’m going to let you have the very last word, Jamil, but first huge thanks to our sponsor, Nudge Security. Remember – you want to see what SaaS apps are being used in your environment?

Well, start your 14-day trial today over at nudgesecurity.com/saassecurity. Remember that, all of it. If you can’t remember that, just go to our website, click on the link, the banner ad, and it’ll take you right there. Steve, any last words on this topic today?

[Steve Zalewski] I just want to thank Jamil. Jamil, this was awesome, okay, from Defense in Depth. I think we didn’t just talk about it, we tried to figure out where we have to go, and so I want to thank the audience for continuing to support us to give us the opportunity to have these kinds of really rich conversations that I think advance the state of security.

[Jamil Farshchi] I’ll double down on that. Thank you, both of you, for the opportunity here. But I think out of all the stuff that we said during this discussion today, I would actually laser focus on what Steve’s message was. We all need to be familiar and acclimate ourselves with the business. We, most of us, we all know the security aspects.

We know the technical ins and outs. That’s where we cut our teeth, that’s why we’re here. But unless we get familiarized with the business and understand what the business is trying to do, and we’re able to make those tradeoff decisions around risk and around business enablement, then we won’t be successful.

So, really lean in on that one and I think you’ll be in a great place.

[David Spark] Thank you very much. One question we always ask our guests – are you hiring? Are you hiring, Jamil?

[Jamil Farshchi] Of course. Please. Send all, any and all, come on down.

[David Spark] Please if you’re looking to work with Jamil over at Equifax, please give him a holler. I know you are visible on the LinkedIn. We’ll have a link to his LinkedIn page as well. Thank you again, Jamil. This was a highly demanded topic of discussion for our audience, so we appreciate you bringing it to them.

And as always, audience, if you see great discussions online, bring it to our attention. We greatly appreciate you contributing and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.