David Spark (1:52)

I don't know what is. Everybody wants to know why I sent an email that began in 1000%.

Mike Johnson (1:58)

I want to know.

David Spark (2:00)

I canceled a service. I got an email because it was very difficult to cancel. I know that some people have had Trouble.

Mike Johnson (2:09)

Was it SiriusXM?

David Spark (2:10)

No, it was not SiriusXM.

Mike Johnson (2:11)

Okay.

David Spark (2:12)

It's a service we use for the business. We used to use for the business. And I got an email saying that they were going to charge my credit card for another year.

Mike Johnson (2:23)

Oh, my gosh.

David Spark (2:24)

And I go, I canceled this service. Now I. And then they said, oh, we're so sorry you feel this way. You can go to the settings and go check for yourself. There is nothing on the setting that shows you cancel. And then when you go to select cancel, there's nothing to show that you did cancel, nor do you receive an email that says you canceled. And you can cancel 20 times in a row.

John Barrow (2:46)

And.

David Spark (2:47)

And it still Won't say it.

Mike Johnson (2:48)

Oh, my gosh.

David Spark (2:49)

And so I get a bunch of emails telling me that they're sorry with the way I'm feeling, not, I'm sorry that our service by default alerts you that they're gonna charge you again. And so this, of course they know they do this. They have not turned this off. And they said, oh, well. And so I get a mention, oh, well. This is just an automatic thing that goes down. It goes that automatic thing that goes out should not be going out to the people who have canceled their service. Hence, you 1000% suck.

John Barrow (3:27)

Bringing the story to sounds like a bad ex girlfriend.

David Spark (3:33)

That's John Barrow, who is the Cecil of JB Poinsettia, our guest. You said it sounds like a bad ex girlfriend. Here's my question to you, John. Have you, quote, canceled with a girlfriend and they want to renew for another year?

John Barrow (3:50)

Yes. I won't go into the details, but yes, it was very interesting time.

David Spark (3:53)

Well, hopefully they didn't charge your credit card.

John Barrow (3:57)

Yeah, yeah.

David Spark (3:58)

Let me reiterate, that is our guest for today. He is the CISO for JB Poins Extra and company, none other than John Barrow. John, thank you so much for joining us.

John Barrow (4:07)

Thank you. Glad to be here.

Host (4:11)

Should you hire this person.

David Spark (4:16)

Quote, security people struggle because AI doesn't behave like systems. They know you can't firewall a prompt injection. You can't patch a model that leaks training data through its outputs. Now, this is from Chris Matthews of Prezi. The AI talent shortage, he says, requires people who are both a security professional and an engineer. Security folks can't threat model what they don't understand architecturally. AI engineers treat security as something to bolt on after deployment. And the unicorn who's actually red teamed an AI product in production, who knows? Three other companies are trying to hire that person right now. If that person doesn't really exist yet, how do you find and train the person who can learn to do the thing that nobody fully understands right right now? So, Mike, I throw this to you. What does that hiring process even look like? You need someone to do all these sort of AI security things, but no one's coming out of the box having that skill.

Mike Johnson (5:17)

The reality is you don't hire unicorns, you build them. This is the thing that we do time and time again. Whenever there's a technology shift, there's always this period of time where security is working to catch up, and we're in that cycle again. So this is a matter of find your skilled security engineers who are already using AI they're already there and train them.

David Spark (5:41)

I feel in a situation like this, this is a hire within situation because you got to have the people who are not a hire from outside.

Mike Johnson (5:48)

Absolutely. That is a bonus. Right. Where if you train somebody up within your team, they have context, they have business awareness, business acumen, they know what's where and it then gives a message to the rest of your team that you're willing to invest in your team. So there's so many opportunities by doing this, going and hiring somebody that you're probably paying a premium for and is still going to actually take months to come up to speed, by the way, because they're going to need to learn the context. They'll bring potentially the AI security aspect, but you have to train them on the context. So you're really just picking your battle here. Of I would rather train somebody who has the context rather than try and teach somebody who has the knowledge the context.

David Spark (6:39)

That's a really good point.

John Barrow (6:41)

I agree and disagree. Okay, I agree that you do need to build your internal champions for AI with engineers and whatnot, but also it depends on the size of the company and your team as well. Right. Like with us, we have a pretty lean team and there's no way our current engineers would have time to do this as well. And my thought is, unless you have a team that's solely dedicated to AI, you're really going to be challenged to be successful. Because my engineers, I mean, they're already their plates over full, right. Like they don't have any additional cycles. But I think it depends on the organization. I mean, if you have a larger team, that may make sense and I think you do need over time to build, like I said, internal resources that are those experts. But I think it needs to be. You need to have outside help as well for guidance. Right.

David Spark (7:33)

But wouldn't your team, let me throw this back at you, John. Wouldn't your team relish the opportunity to move to that area and have someone else from the outside take over their responsibilities? I mean, I got to assume there would be people like that.

John Barrow (7:48)

No, I think they would love that. But then the work they're doing now doesn't get accomplished, right. Like the run and maintain and a lot of that gets missed.

David Spark (7:57)

Well, I'm just saying that where are you hiring from? It's like one of those situation, we got to fill this position. I either can move a person up that already works here, move them up into that position and then fill that position, that person left or the other way around, hire from Outside, which do you think is easier to do?

John Barrow (8:18)

I mean, I think it depends on the speed, how quick you want to move. I think if you want to move quickly and you want to really start embracing AI as fast as possible, I think you need to hire from outside. I think if you're being more methodical and you have more time, then, yeah, I think you can build out that team internal, but it's going to take time. I mean, I think it depends on the speed, how fast you want to move.

Host (8:42)

Is this a good idea?

David Spark (8:48)

A triad confidentiality, integrity and availability is both too broad and too narrow. It lacks a vocabulary and context to handle today's realities. End quote. This is Loris Guttick of CSO Online poking the bear when he called the CIA triad, quote, cold War relic that's masochistically forcing security teams to retrofit modern concepts into a rigid 1970s structure. He argues the target doesn't speak to authenticity or accountability and has no room for resilience or engineering for failure mindsets. Most people in cybersecurity are fans of CIA. It's foundational, it's taught everywhere. But just because something is a standard doesn't mean it can't crack over time. I will ask you, John, is the CIA triad still getting the conceptual job done?

John Barrow (9:47)

I think everything rolls up to the CIA triad, but I don't think it's not in the forefront of my mind as I'm implementing things or as I'm building out the program. I'm not thinking, okay, where does this fall under CIA?

David Spark (10:01)

You know, and it's not something you hammer home with your team then.

John Barrow (10:05)

No, I mean, honestly, the last time I actually mentioned CIA was probably when I was studying for the cissp. But yeah, I mean, I mean, but everything does roll up to it. I think it's still relevant, but I don't think it's leaders, cyber leaders and teams are like stopping and it's like, wait a minute, where does this fit under the triad? You know, like you're not thinking that way, but I think you have to make sure everything is done the right way. Right. And I mentioned on earlier is I know that it is kind of a pivot, but the human element. I mean the only way you're going to be successful in any program is to make sure that you're building those relationships with internally, with all the business leaders, with your executive leadership team, your C suite, the board, and also that you understand the business and that you understand that in order for you to be successful and best protect the Company, you have to have those relationships, you have to have that trust built. You have to communicate transparently and honestly. That's really how we've been able to move the needle in my program is with any major change or whatever, we over communicate, we explain the why, we allow people to raise concerns and ask questions and we test the heck out of it. I mean we have a huge test group that we test for several weeks and make sure that doesn't break anything because we really want to minimize that operational impact because the business exists to make money. Right? And so as a cyber security leader, yes, you want to best protect the Kona, but there's a lot of times where you got to kind of balance that, where it's like, okay, with my cyber hat on, I know this is what I should be doing and, but the business won't accept that. Right? So you gotta, you gotta kind of balance that. And I know that's kind of a left Turner, a pivot from CIA triad, but I think that aligns with that. I mean, I've been at programs where they come in with an iron fist like you will do this, you will not do this. And it doesn't work. You know, they don't build those relationships, they don't communicate, they don't really explain the why. They just come in and say, we're security and you have to do this. It's usually not successful.

David Spark (12:03)

You know, that's a really good point. And I think you're the one who said this, Mike, on a previous show, we did a post a while ago and I said, is there anything in cybersecurity that is said it and forget it. And you said at one point I believed it was ethics, but I don't even think that said it and forget it. And kind of like what you just said, John, there is no iron hand. As much as you would like CIA to stay rigid, it would be nice. It doesn't apply to the business world again is what John was saying. Agree, disagree.

Mike Johnson (12:40)

What I like about what John was saying is the flexibility of the CIA concept allows you to have those conversations with the business and be consistent with them. If you keep changing how you're talking with the business, that's going to be a problem. Everything in security is about those relationships that you've built. And I do think the value of CIA is that it is extremely high level and basically you can find a home for everything if you really need to. And that's really where the value comes is it is flexible, too broad. I don't Think so. I really genuinely think that its broadness is its advantage. And that allows you to be able to, when you need to break down into a conversation and you're having a meeting with a fellow business leader and like, well, why is this a security thing? Well, think about the confidentiality of this data. Like, it just almost rolls off of your tongue because it is so baked into how we think. And it allows you to have that framework that when you then talk with that business leader again, like, hey, remember we were talking about the confidentiality of this data. And it resonates with them because you're continuing to use the same termin as part of those relationships because of the flexibility of the CIA concept.

David Spark (14:03)

Our sponsor this week is the phenomenal Vanta. And let me ask you a question. What's your 2 in the morning security worry? Is it, do I have the right controls in place or are my vendors secure? Or the really scary one, how do I get out from under these old tools and manual processes? That is where Vanta enters. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. VANTA also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. Not at just a point in time, but just continuously. So check it anytime. With Vanta, you get everything you need to move faster, scale confidently, and get back to sleep. You can get started if you go to their website. Go to vanta.com, that's v a n t a.com CISO. Do me a favor, just add that CISO in. Easiest way to let Vanta know you heard about them from the CISO series. Remember vanta.com CISO.

Host (15:31)

It's time to play what's Worse.

David Spark (15:36)

John, you're familiar with this game? Yes?

John Barrow (15:38)

Yes. Yes, I am.

David Spark (15:39)

All right, good. This comes from Dustin's Sachs of Cyber Risk Collaborative. Your two scenarios. Scenario number one, your zero trust model blocks access to the company website to every third visit because you can't trust anyone, not even yourself. Or your zero trust model requires. Get ready for this. 13 factor authentication, including voice recognition, retina scans, and dance challenge before you log in. So everyone does a 13 factor login or 1 out of 3 fail. Which one's worse, Mike?

Mike Johnson (16:13)

Well, these are both, you know, highly farcical.

David Spark (16:16)

Yes.

Mike Johnson (16:17)

So I'm gonna go. But my preference is the one that requires the dance challenge. Like, I'm here for it.

David Spark (16:24)

So 13 factors. So here's the thing.

Mike Johnson (16:27)

The first one doesn't have a dance challenge. That's the worst one. This is easy.

David Spark (16:31)

But hold on. 13 factors. Given the time it will take you to go through 13 factors, including the.

Mike Johnson (16:37)

Dance challenge, it's secure because people will give up. Like, you know, you've got the most.

David Spark (16:41)

Secure environment, but then you'll get zero axis.

Mike Johnson (16:45)

Great. Security is solved. I don't see why this is a bad thing.

David Spark (16:49)

Oh, I'm taking this to you, John. Which one's worse here?

John Barrow (16:54)

Yeah, I think the dance is worse. I mean.

David Spark (16:58)

Wait, wait, wait. Are you saying the dance is better or worse? Mike, let me go back to you, Mike.

Mike Johnson (17:02)

Oh, no, I like the dance. That's great.

David Spark (17:04)

He thinks the first one's one out of three fails. But you think the dance challenge of 13 factors is worse. Yes. Yeah. Why is that, John?

John Barrow (17:11)

Cause no one's gonna do that. You're gonna break the business.

Mike Johnson (17:15)

Because he doesn't like fun. Like, this is very clear. Because John doesn't like fun.

David Spark (17:21)

This'll get boring real fast. It's like being in kindergarten and you're doing some game, and you have to repeat the same thing 13 times over.

Mike Johnson (17:30)

Oh, can we have Simon says as part of the. As one of the. As One of the 13, people get.

David Spark (17:35)

Really bored really fast.

Mike Johnson (17:36)

Red light, green light, Pete.

John Barrow (17:38)

And repeat. Sitting on a wall, Pete falls off. Who's remaining?

David Spark (17:43)

So you will just crush your employees if you make them do 13 factors to log in? Yes.

John Barrow (17:49)

Oh, yeah.

David Spark (17:50)

Oh, yeah. What number do you think the breaking point would be? We're currently at 2. What would be the breaking point? People say, I've had enough. Would it just be three, or could it be, like, how high do you think you could go?

John Barrow (18:01)

I feel like anytime we add any additional step, even if it's just one additional step, people freak out.

Mike Johnson (18:06)

I mean, and to be fair, what we have today. Two factor authentication. It's one of three factors. Any of these 13. There's probably not 13 unique factors. It's probably like doing something, you know, 12 times or something. You are five times.

John Barrow (18:23)

Like, there's 10 security questions.

Mike Johnson (18:26)

Yeah. The reality is we're not. We don't have that many factors available to us.

David Spark (18:31)

You never thought of the dance challenge until now?

Mike Johnson (18:34)

Well, I'm here for it. I am literally gonna send an email after this and ask my team to investigate adding a dance challenge to our workforce authentication platform.

David Spark (18:44)

Can I tell you something? I was playing no it wasn't exactly, but I was playing one of these Dance Dance Revolution type games with my son. Nothing makes you feel more uncoordinated playing that game.

Mike Johnson (18:59)

Yeah, actually that's better. Like that's part of the. One of the factors is how far can you get in DDR? Like if you can't make it past level 5, then you can't authenticate.

John Barrow (19:08)

That'd be fun to watch.

Host (19:13)

Could this possibly work?

David Spark (19:19)

If you look at the cybersecurity news, it's easy for CISOs to become reactive. There's always new risks and threats to account for. So how do CISOs move into being more strategic? Jimmy Arbel of Methodist Le Bonheur healthcare argued on LinkedIn that this requires bringing GRC to the boardroom, positioning it as an investment to protect revenue and enable growth, not just another compliance overhead cost. So sounds good, but what's the actual first step, John, you can take to make that transition? To bring GRC to the boardroom? And have you?

John Barrow (19:55)

Yeah, I mean, GRC is kind of like CIA like we talked about before. It's concrete, it's easy to understand, you know, and so I think leadership understands the importance of compliance, but there's an extra step to that, obviously, you know, making sure that they understand that being compliant doesn't mean you're secure. Compliance is kind of the baseline, the first step. So, yeah, bring in that. I make sure they understand the top threats to our organization based on our industry, based on what we're seeing in the wild, and make sure that they understand some of the investments they're making are going to help us protect against those and to minimize the risk for the business. And they're, they're hardcore businessmen. I mean, the bottom line is they what the cost. So I have to get really creative. And I know the reason I mentioned that is my next year's budget, for instance, like a lot of companies with economic uncertainty, you know, there's been a lot of reduction in force, been a lot of budget cuts. And so I. My budget amount for next year is way less than what it was for this year. But I've been able to invest in a lot of great technology to continue to enhance my program because I'm really diving in and leveraging AI startups. And with the startups and the founders, the ones that get it, they understand, like having my name and the company's name as an early adopter is more valuable than making a dollar.

David Spark (21:14)

Right.

John Barrow (21:14)

Day one. Right. They need exposure. That's what really, really hit a chord with my cfo. Is. He's like, wait a minute. So you're telling me we can enhance the program and you're saving the company money? He's like, so it tastes great and less filling, John. I'm like, yes, sir. And he's like, you're a wizard. But I think, I think people need to, to do that. I know we've talked about AI a little bit, but I think not just the business embracing AI to innovate and have a competitive advantage, but from a security side, it's the only way you can keep up with the volume and speed of the threats and the alerts. In fact, like, I had to reduce two SOC analysts, which I only had two SOC analysts. I did transition a help desk analyst over as a SOC analyst. But the only way. So we were going to be essentially dead in the water. And so I made sure that my leadership clearly understood. I said, we have to invest in an AI SoC. That's the only way we're going to be able to continue to protect the company. So we've done that and I'm excited about it. I know a lot of CISOs and a lot of cyber leaders are real hesitant and really concerned about having your level one, level two triaging done by agentic AI. But it's been a game changer for me and my program.

David Spark (22:24)

All right. I love John's take on creative negotiations that support the business and your security program. And we've talked about this before with regards to working with startups, and I didn't think that that could all sort of play into a GRC program on top of it all. Have you had kind of the same experience with your board doing sort of creative, sort of growth in security programs, working with vendors that support business efforts? For sure.

Mike Johnson (22:53)

And I really do think John points out that there's a lot of opportunity there where you have a startup who's doing something new, innovative, that can really help you out and what you're putting back into it isn't dollars. You're putting experience. Those startups, they're getting something for the discounts that they're giving. And what they're getting back is that experience of working with a John who has this experience, who has a real environment and real challenges that they can't really get elsewhere. They can probably go and find some other startups to support, but they're not going to get the same value that they will out of working with John. And we see the same thing where we've had some startups. We were actually a very early customer For a company who recently had a very large acquisition and they got a lot of value out of that partnership with us. We see it time and time again. And I totally agree with John. Look, for those opportunities, it is mutually beneficial for everybody involved. Just recognize that you're putting some of your time back into that in order to make it work.

David Spark (24:08)

By the way, I will quote a mentor who told me when I was personally starting out in business, I was frustrated with getting my price negotiated down. And when I was talking with, he was in the process of launching his third business. And when I said that to him, he goes, oh, geez, you're starting out. Don't worry about the money, just get the stories. And I go, what? And he goes, yeah, yeah, you need the stories to be able to sell the business. And I was looking at his and it dawned on me. I didn't even look at what he was doing. He had this portfolio of clients that were either completely pro bono or paying him half what he normally would get. And he was collecting stories. And he could not have been more right. In fact, because I remember we did something early on with Microsoft and that story was so phenomenal. And having such a blue chip early partner that allowed and being able to tell that story, which was one of these things that looked like it was gonna become a failure but turned into a success. Those are, by the way, the best ones to tell. Business started landing left and right after that. And I think, you know, I'm assuming that's what all these startups want.

John Barrow (25:21)

Yeah, they need exposure, they need early.

David Spark (25:24)

Adopters, they need that story.

John Barrow (25:26)

Yeah.

David Spark (25:27)

Hey, coming up on this week's security tip, we've got a warning that moving over to pass keys will actually make you less secure. But it's not what you think. Stay tuned.

Host (25:40)

This week's security tip is brought to you by Tenable, the exposure management company.

David Spark (25:49)

Don't let old passwords become new exposure paths. When organizations move to passkeys, it's a major win for security. Yay. Pass keys eliminate phishing risk, remove password fatigue, and close off entire categories of credential based attacks. But there's a hidden danger that often gets overlooked. The old passwords don't go away. They linger. Active, valid and forgotten. Unless it's explicitly revoked, the password just sits there as a legitimate login method. And forgotten credentials are some of the most dangerous. They're more likely to be reused across personal accounts, more likely to appear in breach dumps, and more likely to be exploited without anyone noticing. In the rush to modernize Authentication it's shockingly easy for old passwords to quote take a ride in a breach and still work inside your environment. This is a critical exposure management issue. Make sure that enabling passkeys automatically disables legacy authentication for every user across every identity store. Audit four accounts, including service accounts. They're still configured to accept passwords and integrate credential hygiene into your EM program, so outdated login paths don't become invisible attack routes. When you create the passkey, then replace the existing password with a random password of exceptional length. Give the customer the ability to reset it via email as a standard recovery procedure, and then start the process over again. New password, new passkey that way, if the database is stolen and or hacked or the username is compromised elsewhere, a simple password or reused one is never a problem.

Host (27:31)

This has been your weekly security tip. To learn more about exposure management, go to tenable.com. As a ciso, what do you think about this.

David Spark (27:51)

Quote when you say people are the weakest link, what you really mean is we built a broken system, trained, no one properly ignored usability, and now we're blaming the humans who had to navigate the mess. End quote. Love that quote. That's Joshua Copeland of Crescento, and that's his unpopular opinion, and he's calling out what he sees as lazy leadership. If your users keep clicking bad links, ignoring MFA or finding workarounds, the that's not malice. They're showing you where the friction lives. Good point. Most policies are written for auditors, not people. He bluntly said humans are the most honest mirror of how bad our design really is, end quote. Can you actually use that mindset? Every failure is a design problem, not a people problem as a means to bolster your security program? This seems like right on the money here, Mike. Or does that thinking let people off the hook when they generally don't follow basic security hygiene? Also a good point. What's your take?

Mike Johnson (28:55)

This is one of my favorite topics and it's the basis of my rant against phish testing employees. If you have set up your system such that if somebody clicks on a link, it's not them who's failed, it's your security program and that's really how we need to think about things. I don't like. Is Joshua Copeland's opinion here unpopular? It shouldn't be. We really should be recognizing that we have humans. They work for our company. We have to recognize that they are going to be humans. We can't ask them to be any different. So we have to design such that they are going to make mistakes and our system remains resilient. We have to design our system so that we're not having them jump through 13 hoops in order to get something done. We really need to recognize that the value of the company, in almost every company, the vast majority of the spend is for employees, is for salaries. The company needs to get the value out of that. And we need to support the employees both in making it easy for them to get their jobs done and recognizing that they are going to make mistakes.

David Spark (30:11)

So you are the proponent that yes, people make mistakes, but this is sort of a two sided issue. I mean you have to have some level of human security hygiene and at the same time you need to build out your security program. And also human behavior does signal where there could be flaws. John, Agree, Disagree.

John Barrow (30:32)

No, I agree, I agree. That's something I've really drilled into my team for the last three years. Like with our program is we have to minimize operational impact. We have to minimize operational impact. Everything we do, if we make the controls too stringent or too uncomfortable and there's too much impact to the business, like 13 factors. Like 13 factors, they're just going to bypass our process anyway.

David Spark (30:57)

Right? Right.

John Barrow (30:58)

They're going to find a workaround. I was like, so it's on us to make sure that we thoroughly test everything. We minimize operational impact, make it as easy as possible and easy for them to adopt to and then they'll follow it. And that's why I've always kind of been anti the whole zero trust thing. I mean, I know it's a buzzword and I have always hated it. Because if you fully implement zero trust, the company can't exist, the company can't operate. I mean, sure, there's areas where you can implement it and there's flavors of it, but I think you have to create an environment where you are minimizing the risk. But it's risk management. It's not risk avoidance, right?

David Spark (31:42)

Yeah. Well, it's. Zero trust is also asking you to bring risk down to zero too, which is not possible.

John Barrow (31:47)

Yeah, it's impossible. And you have to partner with them. You have to talk to them. Like I said, you have to explain the why. You got to communicate. You got to make sure that people are given the chance to ask questions and raise concerns. Because if your employees, your team members understand the why, they feel like they're partnering with you and that you're not just shoving it down their throats. They're more likely to follow your process and your policies.

David Spark (32:13)

But here, let Me close out, though, with one quick question from both of you. Super quick, Mike. Have you seen a human behavior? And you're like, oh, we have to fix the security program because people are doing this regularly. Anything.

Mike Johnson (32:27)

Well, again, I think the Phish testing is one of those where people don't trust the security team because we keep Phish testing them. That's something that we have to fix because people are having a behavioral reaction to something that we're doing.

David Spark (32:45)

A negative reaction.

Mike Johnson (32:46)

Exactly. That's something that we need to fix.

David Spark (32:49)

And I'll ask you the same question, John. Anything that you notice of human behavior. It said, oh, security program needs to change because of this behavior.

John Barrow (32:58)

Yeah. Our AI adoption, like our general counsel sent out a mandate, said no one can use AI until we have guardrails and a policy. So we, my team blocked all AI platforms as far as we knew. I'm sure there were ones that slipped through. But as soon as soon as we blocked them, people started screaming and, hey, why'd you do this? You know, like, well, you saw the mandate. People are going to do it anyway, right? So we had to kind of adjust and stand up, you know, our AI steering comedian kind of rather than saying, no, you can't, like, yes, you can, but let's partner, let's help you do this the right way, you know.

David Spark (33:30)

All right, well, that brings us to the very end of the show. John, thank you so much for joining us. I want to thank our sponsor, and that would be Vanta. Remember, Vanta.comcshoco go there to automate compliance, manage risks, and accelerate trust with AI. No more manual nonsense. Have it done continuously. No single point in time. Go to vanta.com CISO Remember, add that CISO lets them know that you heard about them through the CISO series. A huge thanks to you, Mike, and another huge thanks to you, John, for joining us today. And thanks to our audience. As we always say, we greatly appreciate your contributions. I'm not just blowing smoke here. And by the way, if you cancel with us, I will not send you a note that I'm gonna charge your credit card for another year. But we don't want you to cancel with us. Please stay with us. It's free to listen to us. Thank you for listening to the CISO series podcast.

Host (34:30)

That wraps up another episode. If you haven't subscribed to the podcasts, please do. We have lots more shows on our website, cisoseries.com please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and Cybersecurity Headlines Week in Review this show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David's Spark directly at david at cisoseries. Com. Thank you for listening to the CISO Series podcast.