Host (David Spark)
Best advice I ever got in security.
Mike Johnson
Go.
JP Calabio
The best advice I ever got in security was to create a stakeholder map. So before I go into a meeting, I understand what motivates each of my stakeholders.
Host (David Spark)
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series and joining me is my co-host. It's one of your favorites, the original Mike Johnson, CISO over at Rivian. Mike, say hello to the audience.
Mike Johnson
Hello, audience. One of your favorites, huh?
David Spark
Well, well, like my children, I cannot play favorites, Mike.
Mike Johnson
Ah, okay.
David Spark
I cannot play favorites.
Mike Johnson
I guess I'll go, I'll accept with one of.
David Spark
One of you is going to be one of our favorites. You know, we're available at cisoseries.com and our sponsor for today's episode is ThreatLocker. Again, spectacular sponsor of the CISO Series. If you don't know, they are a zero trust solution. Allow what you need, block everything else by default, including ransomware and rogue code. If you're not clued into what they do, guess what, we're going to be talking about that a little bit later in the show. Mike, I have a question for you. Okay, so I run the San Diego Cyber Group and there's a lot of young people who are either in school or just out of school trying to get their first job in cybersecurity. And I would say I think I'm seeing more of that now than I've ever seen before personally. It's just anecdotally they're wide-eyed, very excited, very eager to get in. When someone young of that age is looking for their first job in, they're grasping at straws. They don't know what to do. It's like, what do I do? What's the guide? What's the path? What do you say to those people? What is your sage advice that you give to them?
Mike Johnson
What I usually tell them is look at the skills that they have that are frankly non security related and go and find a job, a role in that and build up that skill and then use that to pivot into security.
David Spark
So hold it. Give me an example. This is a very interesting take here.
Mike Johnson
It could be something as simple as IT help desk.
David Spark
Well, IT help desk. It's interesting. Young people I have met, he goes, well, I'm kind of working the help desk.
Mike Johnson
I was like, great, keep doing that.
David Spark
Yeah, I light up. I'm like, oh, you have no idea. You're in the most attractive position right now.
Mike Johnson
Absolutely. Or development of some sort, like lightweight development, entry level software development, or network engineer or cloud engineer. Something that is security-adjacent. Because right now there's actually not a whole lot of concept of entry level in cybersecurity anymore.
David Spark
Yeah, it's kind of sad. That's a really good point.
Mike Johnson
So go and build your skills elsewhere and use that on your resume as your introduction for like, hey, I did all this cool stuff over here that's very security-adjacent. I have all of this knowledge and training in security as well. I want to apply that to security, and that's really the best path into the career these days.
David Spark
And hold it. Have you hired people at exactly that sort of combination you're describing?
Mike Johnson
Yes, yes. The best example, the one that I love the most is, and this was a while ago, we had an intern who had been a first responder, like a fire department or police department, and we hired them into the SOC after an internship because they had that calm under pressure concept. And so that one's way afield. But I've brought people in from IT, from help desk roles, from network engineering roles. Very common.
David Spark
And just to confirm, right. Someone who on paper has lots of education in cybersecurity, but no kind of real world adjacent experience, is not as attractive as someone who has some cyber training, educational training, but also with an additional adjunct position. That's more attractive.
Mike Johnson
Yes, yes. Like having experience in an enterprise, corporate company culture and having some security knowledge, some security experience is actually going to stand out more than somebody who has a lot of education and no professional experience at all.
David Spark
Good, good advice. By the way. I'm going to echo that, Mike, and I will quote you appropriately.
Mike Johnson
Great.
David Spark
All right, let's bring on our guest, somebody I have been working on to get on our show for quite some time. And we just discovered that if you were to go way back to a live show that we did in Los Angeles, he made a sneak appearance playing a game we had called Security Squares. This was an episode with you and me, Mike, and Gary Hayslip for the ISSA LA event. It was a live show and he played the game of Security Squares. We actually, I think that might have been the last time we played that game, to tell you the truth.
Mike Johnson
I think that's right.
David Spark
I want to bring the game back. It's fun. It's based on Sounil Yu's cyber defense matrix, which is pretty darn cool. All right, excited to have him on, the VP and CISO over at Grainger. None other than JP Calabio. JP, thank you so much for joining us.
JP Calabio
It's a pleasure to be here.
Host (David Spark)
How is AI going to solve this problem?
David Spark
Well, one thing that experience keeps teaching me, Colin, the scariest issues usually aren't bad code. They're broken assumptions between components. That's an interesting take. A recent cybersecurity subreddit post on the future of AppSec in the age of AI found that maybe the new tech won't solve as much as we think. So commenters pointed out that code scanning maps the repository. It doesn't map the running system, the identity providers, the service-to-service auth assumptions, the legacy endpoint that quietly bypasses your permission model, and the config drift that makes your secure defaults moot. So if AI gets better at hardening the map, how do you actually secure the territory? Mike, I'm starting with you. Can AI help us solve the broken assumptions at the heart of this issue? And I think it's interesting. It's not the code, it's the connections that are the problem. What do you think?
Mike Johnson
I have to start with a disclaimer. I'm not an AppSec expert, I don't claim to play one on television.
David Spark
But he's going to provide some advice. Let's hear it.
Mike Johnson
But I'm going to do my best here. And if you think about AppSec, code scanning is one of the key pieces of it and we're seeing a lot of value there. AppSec is already changing in the world of AI, especially when it comes to code scanning. We can cover more, we can find more. We can also weed out false positives better. And that last part, the weeding out false positives, that is something that we used to have humans do, and humans would spend all of their time like, before we hand this over to a dev team, let's make sure that this is legitimate. We're not having to do that as much anymore, or frankly getting close to where we don't have to do that at all. What maybe this person isn't so much thinking about is AI doesn't have to solve all of the problems. AI has to solve some of them so that we can move resources. We can take the people who were spending their time evaluating false positives and they can go and solve the harder problems. They can go and look at the system interfaces, the way that data moves around, the threat models at design stage. That is something that we can now do more of than we could in the past because people were spending their time on things that the machines should be doing for us. And that's current state, we're seeing that today, we're seeing that advantage. But I think one of the things that folks might not really be internalizing is what AI can do today is very different than what it can do six months from now, three months from now.
David Spark
And I may have mentioned this on the show before, I know I mention it in conversation all the time, the best way we know that, Mike, is just look at AI image generation and AI video generation. I was first introduced to AI a little less than three years ago, and I remember how crude it was then. And now I see it today, and I've seen it at every month interval, and I've watched it get better and better. So if we can just visually see it changing, like with AI image generation, we know it's improving across multiple planes. All right, I'm throwing this to you, JP, as well. Where do you think the problem is in AppSec? Do you agree with this opening statement? It's not the code, it's in the connections.
JP Calabio
I do to a degree. The problem that I've run into with my AppSec organization and the developers is really around prioritization. So I agree with Mike. Code scanning is getting a lot better. The problem is prioritization of fixing these vulnerabilities versus the actual code that they have to do for the business. We can't use AI today to go through and identify the dependencies and fix the dependencies, but that's our hope that we can eventually get there. And quite honestly, to use the terminology that was used in the quotes, right, like if artificial intelligence is helping to secure the map, I don't see why there isn't a reason why AI couldn't help us secure the territory. You don't need a single product to do everything. And in this case, you can probably start to use agents or create agents to tackle different pieces of the puzzle. You just have to figure out how to make these agents work together. And I know that's not as easy as it sounds. Can it do it today? Maybe not completely, but I do believe there's a quote out there that kind of encapsulates what we're talking about here. Today's AI will be the worst AI you ever use.
Host (David Spark)
Where can we cut costs?
David Spark
Quote, CFOs don't fund faith, they fund math. That's from Adrian Salasa, CISO over at ShiftKey. He laid out a framework that got him a 40% budget increase. Quantify asset value, exposure factor, annualized loss expectancy, and suddenly the security math is clean. And that appeals to the CFO, but is it necessary? We don't calculate ROI on the receptionist, the office furniture, or the CFO's own salary. Plenty of business expenses get funded because leadership accepts them as the cost of operating. So why does security uniquely have to justify itself in financial models while other functions get a pass? Is it because security still hasn't earned a seat at the table as a business fundamental? Or does forcing the ROI conversation actually sharpen security leaders' thinking? I'm asking you, JP, making them prioritize controls that move the needle over ones that just check a box. And I think that last line is key right there. What do you think? Why is the proof so important for security leaders? Or proof of value, if you will?
JP Calabio
I actually saw this post the other day and I thought it was great for that CISO, and I do appreciate the case for quantifying risk. I consider risk quantification the gold standard. But is it necessary at this point? I don't think so. There's a lot of security leaders out there that have successfully used qualitative risk, or I guess the other gold standard, fear, uncertainty and doubt, to get what they needed from a budget standpoint. Does it make it easier to get funding if you have risk quantification? Maybe. But at the end of the day, the CFO or whoever is still making a funding decision based on all the information that's presented to them, along with all the other requests that are in the queue for budget. Getting to this level, though, will definitely help sharpen a security leader's thinking, especially if we're talking from a financial standpoint. But it's also helpful to understand different perspectives. There's a limited pool of funds; the CEO may be comparing security risks against the repair of a roof or the returns of an acquisition. So always getting that perspective or understanding that perspective is key. There's never any harm in improving your financial and business acumen.
David Spark
All right, Mike, I'm going to throw this to you. You've had multiple CISO roles. I'm interested to know, in each of your CISO roles, have you required different levels of proof of the value of your security program depending on the job you've been at?
Mike Johnson
I think you always have to be able to talk like, what is the value that we're bringing here? Being able to prove it through risk quantification, I've never been challenged with that.
David Spark
So you haven't had to put numbers behind these?
Mike Johnson
No, because I agree with JP that risk quantification feels like the gold standard, but it's also one of those that it's very difficult to actually prove when you start peeling back the layers of it.
David Spark
Let me pause you for a second. Let's say you do go towards a quantification. Not a qualitative model, but a quantified model. Don't you feel that someone could just shoot bullet holes in the darn thing?
Mike Johnson
That's the risk, right? That you show up and you say, okay, well, if we spend a dollar, we will avoid doll of an incident or something like that.
David Spark
And then someone could challenge you and you're like, well, yeah, I guess it breaks down when you look at it that way.
Mike Johnson
That's one of the problems that I have with it. And I will put out there that I am quantification curious, but it's also something that I've really struggled with myself.
David Spark
All right, so if I'm reading you correctly, it is a gold standard. You would love to be at that level, but you feel it's such a tough level to achieve?
Mike Johnson
Yes, I think so. And I think what I would wonder. This doesn't feel like an A/B test, right? If this CISO walked into the same CFO with a list of here's all of our risks in order, and here's red, yellow, green of each of them, they might have walked out with the same amount of money. I don't know that we have an A/B test to say that quantification really was the cause of the funding that they had. I haven't needed to get to that level of precision. Again, though, I agree with JP that you need to understand the business. You need to understand the trade-offs. I've sat in finance reviews where somebody is showing up saying I need to spend $17 million on this one piece of equipment. And when my whole budget is less than that piece of equipment, but that is the thing that lets us make cars, it is a very different perspective. And you really need to have that holistic perspective of how you fit and how the security program fits within the business. And then you can make good arguments from that direction. Storytelling is perhaps more valuable than quantification.
David Spark
Phishing isn't going away, credential theft isn't slowing down, and identity alone is no longer a reliable control. Even with MFA in place, we've seen it recently. Attackers gaining access to cloud environments using stolen credentials and session tokens without ever triggering traditional defenses. Because once they're authenticated, they look like a legitimate user. So security teams are being forced to rethink what actually determines trust. It's no longer just who you are, it's what device you're on, the context of the request, and how access is being established. That's why ThreatLocker is expanding its platform and security coverage. Already known and trusted for Endpoint and Application Control, ThreatLocker is now extending its zero trust approach into network access and cloud access. The goal is to ensure access is only granted when identity, device and policy all align across both internal systems and SaaS applications. So even if credentials are compromised, access isn't. If you're rethinking how access should work in your environment, visit threatlocker.com/CISO to learn more and book your demo today. And do me a favor, go to threatlocker.com and add the /CISO. Easiest way to let ThreatLocker know you heard about them from the CISO Series.
Host (David Spark)
It's time to play what's worse.
David Spark
JP, I know you know this because you saw us do it live on stage. The way it works: two horrible scenarios. You're not going to like either one of them, but you have to pick out which one's worse. Mike, I'm going to make you answer first. And this comes from one of our favorites, Jonathan Waldrop, who's a CISO over at Acoustic. And here's the setup. I'm going to give you the options in a second. This is the setup. You're at an enterprise company, more or less kind of an old fashioned company. Security reports to IT and IT manages the identity platform and MFA policies. Now, security has requested that IT implement phishing-resistant MFA. How they define that, I don't know, but the idea is that someone can't fool you into giving up your second authentication. Yep. Passkeys. It was promised for delivery six months ago, yet security is still waiting. So here are your two options.
Mike Johnson
Okay.
David Spark
Number one, and I never heard of something like this happening. So you tell me, if this actually does happen, you execute a hostile takeover of identity management. Does that happen?
Mike Johnson
Hostile might be a questionable way of putting it.
David Spark
But anyway, that's the way he wrote it. Okay, that's what I was saying. But we're going to go with it, all right?
Mike Johnson
Okay.
David Spark
You execute a hostile takeover of identity management without adding any additional staff to your already stretched security team. But you complete the rollout in three weeks. You now own identity going forward, yet your team is stretched and you expect the other programs are going to suffer. Look, you took on more than you currently can handle.
Mike Johnson
You took over the responsibility without additional resources.
David Spark
Exactly. So now you've got more that you're dealing with. Or you just sit back, you wait for IT to roll it out, but it takes them another year to deliver the capability. And this doesn't tax your team at all. Which one's worse?
Mike Johnson
So realistically, you have to zoom out and look at the big picture. Like what is the long term impact to either of these directions? And in one of these, it took you a little bit longer to get to phishing-resistant MFA. You probably haven't had phishing-resistant MFA your entire time, otherwise you wouldn't be asking for it. And that state has been fine. Is waiting a year and a half to get that implemented that big of a deal in the grand scheme of things, versus taking on a new responsibility that is then negatively impacting the security of the organization because your team is going to start dropping other programs? This feels pretty clear to me that taking this thing, this responsibility, over, great, you've solved this one problem. You've created three new ones, five new ones, 100 new ones that are now negatively going to impact the company versus taking a little bit longer to get phishing-resistant MFA. Again, one control to get that done. It's pretty clear to me that the first one is the worse scenario.
David Spark
Now, it couldn't be a situation that you have a crappy MFA and people are abusing your identity, and for that year you could have a host of problems.
Mike Johnson
The reality, though, is if you're having a bunch of incidents related to that, then you will get the IT organization to solve the problem. Well, that's just reality.
David Spark
I know, but you can't change the model of a what's worse scenario.
Mike Johnson
But you introduced that as well, so you added that in as well. So I got to add in my own.
David Spark
Well, I don't know. It's still gonna take them a year to get it done. All right, JP, I'm throwing this to you. Do you agree or disagree with Mike here?
JP Calabio
Okay, I'll give a counterargument to that. Sitting back and waiting can be just as bad, as we know, but it may be worse because you may run into a situation where you actually get breached.
David Spark
This is what I'm thinking.
JP Calabio
Because you're sitting back and waiting. Maybe they don't have MFA in place. Context obviously matters, but if you have a breach or if you have continuous attacks where maybe your team members, not your team, but your employees, are getting tricked into giving out their passwords, now your team is actually working just as hard or maybe even harder because they're having to deal with each one of these situations and then still having to come back anyway and take it over. So there's my thought.
David Spark
That is a good point right there.
Mike Johnson
Very valid point.
David Spark
Let me also ask you this question, Mike. If you knew there was a security problem and you were watching it and you could fix it, could you literally sit on your hands for a year and not fix it?
Mike Johnson
No, that's a very different scenario. If that was literally happening, no, I would not wait. But at the same time, I would also be going over the CIO's head to say, look, we are on fire. I don't care what else they're doing, they need to drop it and fix this. Because it's not like they're sitting around on their hands. They're taking time because they've got other priorities. And if you are literally getting compromised, that is where you exercise all of the political capital that you've built to say, we need to adjust the priorities and whatever else they're working on needs to drop. But that's something that would need to beat up.
David Spark
Yeah, but that's not the scenario, too.
Mike Johnson
I'm answering the question you asked me, David. I'm not answering the scenario.
David Spark
No, it's just, I would just think, just as both of you as security professionals, if you see something that needs to be fixed and even though there was this political nonsense that was going on, well, no, no, we can't do it. It would drive you crazy, wouldn't it?
Mike Johnson
It would. But again, there's a difference between. This is a new thing that we need to add because we think it is a good control and nothing is going wrong. But we just like we know we want to approve this control. That's different than the house is on fire. We need to do something about it. And if the house is on fire, absolutely not. Am I sitting on my hands? I'm going to do whatever I need to do to solve that problem and then deal with tomorrow's problems tomorrow. But if I'm, all things else being equal, I'm going to look at the long game and say, if we go and do this today, are we really going to harm ourselves in the future?
Host (David Spark)
Is AI going to help us or hurt us?
David Spark
When a CEO announces that AI can replace their workforce, they're not making a bold bet on the future. They're telling you their business has no core. Dave Edwards of Artificiality makes the case that companies racing to replace knowledge workers with AI aren't optimizing. They're confessing that their value creation was never that differentiated to begin with. When every competitor runs the same models, you've got a commodity business with a margin problem. But humans have always been displaced by the next age. I mean, look, classical, medieval, modern, information, and the workforce adapted each time. So is this moment genuinely different? Or is Edwards mistaking disruption for collapse? I'm going to start with you, JP, on the security side. If the analysts, engineers and responders who hold your institutional knowledge walk out the door, what exactly does your AI inherit?
JP Calabio
You don't want your security engineers or responders with institutional knowledge walking out the door.
David Spark
No.
JP Calabio
AI is a great tool and its advantage is speed and scalability, but it doesn't have human intuition or collaboration capabilities, which really is the human aspect of security. Like who's going to call someone that needs help or, you know, do a little bit more of an investigation where you need to talk to someone versus checking logs and following a playbook. So today we use AI to reduce the noise for our security operations center. And this past year we really significantly increased the amount of ingestion into our SIEM simply because we want to have visibility to our entire environment. We also knew that we wouldn't be able to scale up with resources quickly enough to handle all the alerts that would be coming in with all this new data. So we used AI and an MDR that uses AI, and this solved it for us. It's processing all of our alerts, it's triaging based on our playbooks, and it leaves the high alerts to us to handle. It also documents everything for my analysts, which is great, so that's very helpful. But I think the real question here, though, is going back to the beginning of this podcast. What skill sets will the next generation of security professionals really need to have with this introduction of AI?
David Spark
This also becomes a question for the young people because the traditional entry level positions are not going to be the traditional entry level positions anymore. What do you think, Mike?
Mike Johnson
I think that what folks should be really spending their time on today is how they can use AI to augment themselves. Developing skills and using AI to scale yourself to either add on more knowledge or, as JP mentioned, to have AI take care of the noise and allow you to focus on what really matters. Having that skill set and that mentality of augmenting yourself, that's really what people need to be thinking about these days. And I think that's where we're going to see more and more. And yeah, the entry level SOC jobs are going away, but we've seen that as technology has advanced time and time again. How many people have skills in writing assembly language anymore? That's not a thing.
David Spark
By the way, I studied Fortran when I was in college.
Mike Johnson
Yeah, Fortran. I'm sure there are still some people who are great at Fortran. And maybe people need to call you, David.
David Spark
Does anyone need it?
Mike Johnson
I don't know. I don't know. But the reality is we're shifting skills, and that's going to happen again and again and again as we figure out what are the limits of these systems. And I think this is a good thing, this idea of letting humans focus on what really matters, on what humans are really good at and machines may never be good at. That's really the value here. And JP had the great example of we can now ingest more data, we can look at more events because the AI is filtering out the noise, and we wouldn't have been able to do that otherwise. That's really the world that we live in today. And that's part of the enabler that we need to be thinking about.
Host (David Spark)
There's gotta be a better way to handle this.
David Spark
A cooling tower fails to drain before a freeze. A chiller plant shuts down, and 90% of global derivatives trading goes offline. Ed Walters uses this no malware, no adversary incident to diagnose the real OT security problem. Nobody owns the gap between cyber and physical infrastructure. The org chart never caught up to the network. Cyber says they don't touch OT; facilities says it's a security problem. The CISO reports risk, the VP of Operations reports uptime, and the exposure lives exactly where those two conversations never meet. Ah, kind of like our discussion about AppSec earlier. Legacy hardware runs for decades because replacement means downtime that nobody will authorize. The catch-22 is that the systems most critical to protect are the ones least tolerant of the security controls designed to protect them. So, Mike, when it comes to resilience, who owns this issue? Because it seems a lot of people are involved.
Mike Johnson
So I'm really confused at the premise. And there's this idea that cybersecurity doesn't touch OT. And like, okay, we also don't touch the routers. We're not going and touching everything that's out there. That doesn't mean that we eschew our responsibility. We are working very closely with the OT teams on what are the appropriate architectures, what are the ways that we can engineer security controls around those ancient systems. We have systems in our factory that are older than our company, and we've worked very closely with the OT teams on appropriate security architectures for that. And we monitor the heck out of things and we build the appropriate walls around them. We have regular conversations with our OT teams and that's really what we need to do. Whether or not we own OT resiliency, that's not really a question that I have. My question is really what is the security of that environment and how are we building in the appropriate controls to deal with the reality of the environment rather than wishing it were something different?
David Spark
All right, I throw this one to you. JP, you have a little experience in OT. Have you seen this sort of disconnect in communications before?
JP Calabio
Yeah, absolutely. Whenever you have multiple teams involved, there's always a bit of confusion. But the question is, who owns resilience? And it's a good question for talking about accountability. I think it should sit with a senior leader if you're looking at that one person. Maybe it's the COO or the equivalent, or if you're a forward looking organization, maybe there's a Chief Resilience Officer. I think those are new titles that I'm hearing these days. I like to use my tried and true method, which is when things go wrong, who's the CEO calling? That's usually the person who's going to be accountable. But ultimately it's a shared responsibility and it depends on the situation. Right. So if it's a safety issue, you know you're going to have an environmental health and safety group that's managing the aspects of that. But since we're talking about cyber, to me it's a collaboration, just like Mike said, right? Between cyber and OT engineering. My GRC team works with engineers to do business impact analysis. We help with business continuity plans, et cetera. The architecture team ensures that we've got secure standards in place for OT connectivity. And my SOC monitors network traffic. So we rely on OT engineering to maintain their environment and they assist us if we find anything related to cyber.
David Spark
All right, well, someone's going to take ownership of this someday. Let's hope. We have brought ourselves to the very end of the show. I want to thank our sponsor and that would be ThreatLocker. Remember ThreatLocker. Allow what you need. Block everything else by default, including ransomware and rogue code. ThreatLocker, zero trust leader, phenomenal sponsor of the CISO Series. Remember, go to threatlocker.com/CISO. threatlocker.com/CISO, easiest way to let them know that you heard about them through the CISO Series. Do that for us. It makes our lives a lot easier and lets them know that, oh, people are actually listening to them. It's fantastic. Mike, as always, I greatly appreciate your contributions here. Any last words you'd like to say to JP?
Mike Johnson
JP, it was great being able to catch up with you again after all this time.
David Spark
But let me ask you, do you think he did better playing the game Security Squares or on today's episode?
Mike Johnson
Well, he had a lot more airtime this time and so we really got to hear more of his insight versus the on the spot, ad hoc listing of whatever he was listing at the time. And so I really liked the example that you gave, JP, of using AI in the SOC to allow you to ingest more events. I thought that was a really visceral example that people can relate to of the value of AI in this current space. And so thank you for sharing that example and also reminding us from the very beginning that relationships matter. Know your stakeholders.
David Spark
Yes.
Mike Johnson
Something that we always have to keep front and center. So thank you for joining us today.
David Spark
Everyone has different motivations. That is so, so key. You play into that, you'll make a lot more people happy. All right, JP, I'll let you have the last word. And one of the questions I have for you: are you hiring over there at Grainger?
JP Calabio
Yes, we are.
David Spark
All right, so I'm assuming you have got a jobs board there.
JP Calabio
We do have a jobs board. You can go to the career portion of our website at www.grainger.com.
David Spark
And also, if they see something they heard you on the show, they can contact you directly via LinkedIn. We will have a link to his profile on the post for this very episode. Any last words about today's show?
JP Calabio
Pleasure being here. Great questions. Always enjoy the game that we play.
David Spark
"What's Worse?!", I thought you both played well. You both handled it well. There was a desire to change it. I can't. I can't stress enough. The way the game works is you can't change it. That's the way it is.
JP Calabio
Right?
David Spark
Because if you could change it, then it wouldn't be as bad as it is. It is what it is. You got to deal with that. All right, thank you very much, JP. Thank you very much, Mike. And to our audience, as I always say, and I always mean, and I'm not going to get earnest about it at all, just going to say it. I'm going to just put it out there and just be done with it. We greatly appreciate your contributions. And for listening to the CISO Series podcast.
Host (David Spark)
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Episode Title: Can You Please Train the AI on Your Way Out the Door?
Hosts: David Spark, Mike Johnson, Andy Ellis
Guest: JP Calabio (VP & CISO, Grainger)
Date: May 12, 2026
This episode explores how security leaders, practitioners, and organizations are adapting to changes brought by AI, budget scrutiny, workforce shifts, and operational resilience. The hosts and guest debate whether AI will supplant or empower security professionals, how to navigate entry-level cybersecurity careers, and why quantifying risk can help (but not always convince) organizational leadership. Lively discussions also cover the perennial "ownership gap" in OT (Operational Technology) security and the evolving skills needed in a more automated SOC.
"Having experience in a corporate company culture and having some security knowledge, some security experience is actually going to stand out more than somebody who has a lot of education and no professional experience." – Mike Johnson (04:21)
"AI doesn't have to solve all of the problems. AI has to solve some of them so that we can move resources... That is something that we can now do more of than we could in the past." – Mike Johnson (07:35)
"The problem is prioritization of fixing these vulnerabilities versus the actual code that they have to do for the business." – JP Calabio (09:15)
"Today's AI will be the worst AI you ever use." – JP Calabio (10:28)
"I've never been challenged with [requiring strict quantification]. ...Risk quantification feels like the gold standard, but it's...very difficult to actually prove." – Mike Johnson (13:31)
"Sitting back and waiting can be just as bad as we know, but it may be worse because you may run into a situation where you actually get breached." – JP Calabio (21:49)
"AI is a great tool and its advantage is speed and scalability, but it doesn't have human intuition or collaboration capabilities." – JP Calabio (25:30)
"What folks should be really spending their time on today is how they can use AI to augment themselves." – Mike Johnson (27:09)
"We have systems in our factory that are older than our company, and we've worked very closely with the OT teams on appropriate security architectures for that." – Mike Johnson (30:22)
"When things go wrong, who's the CEO calling? That's usually the person who's going to be accountable. But ultimately it's a shared responsibility." – JP Calabio (32:06)
On stakeholder understanding:
"Create a stakeholder map. So before I go into a meeting, I understand what motivates each of my stakeholders." – JP Calabio (00:03)
On the evolution of entry roles:
"Entry-level SOC jobs are going away...Skills will keep shifting as technology advances." – Mike Johnson (27:21)
On AI’s future:
"Today's AI will be the worst AI you ever use." – JP Calabio (10:28)
On justifying security spend:
"Storytelling is perhaps more valuable than quantification." – Mike Johnson (15:56)
The discussion is lively, informal, and pragmatic, with frequent playful banter between hosts and guest. The tone is direct, solution-oriented, and often empathetic toward the pressures and ambiguities facing security professionals.
For more episodes and participation opportunities, visit cisoseries.com.