Click for Full Transcript

(00:01):

Hi, it’s Jodi Daniels and I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional. And I help provide practical privacy advice to overwhelmed companies.

(00:19):

Hi, Justin Daniels, here I am a cybersecurity subject matter expert and business attorney. I am the cyber quarterback, helping clients design and implement cyber plans as well as help them manage and recover from data breaches. Additionally, I provide cyber business consulting services to companies.

(00:38):

This episode is brought to you by Red Clover advisors. Red Clover advisors helps companies comply with data privacy laws and establish customers’ trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SAS, e-commerce media agencies, professional services, and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers to learn more, visit red Clover advisors.com or email info@redcloveradvisors.com.

(01:20):

All right, and today we’re really excited to have a Verdean Senior Vice President of security and compliance. Paul Caiazzo. He focuses on corporate development, technology alliances and strategic initiatives guiding a Verdean clients through challenging security problems. Paul also leads a Verdeans internal security and compliance initiatives and works to reduce risk across the organization and its customers. Paul has 23 years of experience with an extensive background in the federal government and financial sectors. And I’m also going to add that he is a successful entrepreneur as well cause he had his own business for many years before becoming part of a Verdean. Paul Whats up?!

(02:02):

Justin and Jodi. Thanks. I’m delighted to be here today. Excited doc.

(02:06):

Yeah, this’ll be fun. It’ll be like the continuation of the fun that we had earlier. Was it really the spring? It feels like that was yesterday and really long ago. All at the same time. I thought you

(02:18):

Remember that that’s when Jody was in the closet

(02:20):

Doing her part. I think I love graded now have a blank wall. I really was hiding in the closet. That was fun. That’s it. That’s the way to do it, in the closet. I was in the closet. Oh, a different one.

(02:35):

It was in a hotel room. So, you know, it all worked out. I haven’t been in a hotel room in quite some time now for some strange reason, but uh, those sessions were great. I thought, uh, you know, we had a very lovely conversation around incident response, in the work from anywhere sort of paradigm. So yeah.

(02:51):

Yeah. Well, I think to get started, you know, Justin, you kind of started on the, you know, Paul was an entrepreneur him, yourself, and I think that would be really is help us understand how you got to Verdean, but kind of rolling back to the company that you started and, and, um, you know, maybe even how you found your way to security overall. Yeah,

(03:10):

Sure. Boy, that’s a, a long story. I’ll condense it. So, um, as you noted in part of that introduction, Justin, I have about 23ish years of experience in cybersecurity. I started, um, really as a systems administrator, a very technical hands-on person. And I think having exposure to a really broad variety of technologies allowed me to become successful at security because you have to sort of understand how things work together, to really be able to secure them. I worked, and live in DC or the DC area and I worked for some defense contractors on various different, you know, military bases here supporting submissions for the Navy, for the Marine Corps etc. And then, moved to a different program that was supporting a foreign military sales for Northern African country. They had a really significant counter terrorism initiative going on because Al Qaeda, was you know, really prolific in that country at the time.

(04:10):

And so we were working on building out a network that basically supported the national 911 type systems so that people could call in emergencies. And I was able to take the lead for all the security initiatives with respect to that, implementing all the technologies, evaluating, selecting, and et cetera. And that single program really instilled in me, you know, sort of the self belief that was required to go out and do my own thing. That led me to start my company true shield in 2008. We did a lot of federal government contracting a lot of financial institution contracting and consulting and things along those lines and ended up starting a managed security services program about three years in. So in 2011 we became a MSSP. So 24 seven monitoring and threat detection and things like that, which is what sparked the interest of the private equity group, but ultimately ended up purchasing a true shield in 2018 that is Sunstone partners, the company that bought my company, as well as the now three other companies that have been purchased and rolled into what became averdean.

(05:13):

I’m still around here because I’m super excited about what we’re doing in averdean. And I think we make a difference and that’s something which I’ve really held near and dear to my heart for a long time, is that cybersecurity at the end of the day you are making a difference. You can you help companies protect themselves, protect their customers, similarly Jodi, for, from your perspective with privacy, you know, helping to build the trust of our customer’s customers so that they can operate securely and protect everybody. And that’s sort of the key thing for me is we strive to make a difference.

(05:45):

I love it.

(05:47):

Well, Paul, on the Verdean front, would you like to talk a little bit more to educate our audience about the kind of services that have averdean been provided since it is the merger of four companies provide a pretty vast array of different cybersecurity services?

(06:01):

Yeah, sure. So, you know, we are, we consider ourselves to be sort of a Fullscope cybersecurity company. We split the business into really kind of two practice verticals, one professional consulting services, and the other is managed security services. On the professional services side, we really focus on compliance, risk governance, things like that. So a lot of PCI work where a PCI QSA, we do quite a lot of HIPAA work, high trust where high trust certified, assessing organization. So there’s a lot of privacy impacts there as well. Quite a lot of, various different bespoke offerings when a customer’s got some complex security problem they’ve got to try to solve, we can parachute in some really seasoned experts as well as incident response falls under that practice as well. So when the company gets breached or has, you know, a major ransomware hits, which happens frighteningly ofte you know, our experts can help get a company through that on the managed services side of the house. We’re a 24 seven shop. We, do threat detection and response, using a variety of different technologies like a SIM or EDR tools. I mean, you probably are hearing my dog in the background and I apologize,

(07:11):

There’s not property there. So there’s not a threat as we’re talking about threat, we have a very sophisticated security system here called the loud dog.

(07:20):

Yeah. Mine’s a tiny little Westie. So I don’t know that he’s going to really scare anybody off, but he certainly thinks he’s bigger than he is, but anyway, apologies for that. But yeah, within the MSSP space quite a lot of endpoint detection and response or managed detection and response SIM based monitoring and threat detection vulnerability scanning, etc. So again, Fullscope cybersecurity shop. We try to do a lot for our customers with all those different services and things up in here. So our timing is great.

(07:47):

I just did a video yesterday actually about how we’re not going to apologize for our dog. This is a podcast. So everyone listening, just enjoy the dogs. They’re part of the fun. So in all seriousness, thinking about how you started your company and where we are today, and now that you’re a combination of other companies and thinking about the threat landscape that exists, what, how have you seen the market evolves and a little bit of where, where we came from and where we are, and then a little crystal ball, like where you think we’re going to be going, what are you seeing happening with the evolution the next, maybe two to three years?

(08:28):

So, you know, I tend to think that business problems don’t change anywhere near as fast as technology does. I think people struggle with some of the same stuff and will continue to struggle with a lot of the same stuff, mostly around information governance and threat detection, which is really the problems that we try to solve. But I think the strategies that companies take to try to overcome those challenges, they do tend to change as technology evolves and a lot of what we’ve seen, um, interest growing in, uh, and really just thirst or hunger for information about it, revolves around zero trust networking as a strategy to, to really help secure data assets, um, and also to assist with, uh, threat detection and response. Also, we’ve seen sort of the emergence of a category of tools called XDR or extended detection and response. And there’s been a huge amount of interest in that this year.

(09:16):

Traditionally people use things like a SIM. That’s focused on monitoring the network edge for threats that are coming inbound, but really, you know, that doesn’t work anymore because the perimeter sorta no longer exists, you know, we’re working from home, everybody’s working from home, data is no longer in a data center. It’s in, you know, one of many cloud providers and often in multiple cloud providers. So trying to maintain consistent, data governance, information governance, and even identity governance across that diverse environment is a challenge. And I think that’s where organizations are investing their time and effort and also their technology spend on solutions that will work well to provide secure connectivity, to provide, you know, that, that real manifestation of need to know and least privilege. And to me, that all boils down to zero trust, I think in 2021 and beyond, you’re going to see much more adoption of zero trust strategies.

(10:06):

Zero trust is not really a tool necessarily. It’s more of a discipline or a philosophy of how, how do you ensure that first off the people that need to access a data resource or are the right people contextually identify that human and then give them access to only the things that they need in a dynamic manner, which supports a lot of the orchestration and automation that rapid response really requires. So that’s where I think the market’s going and what our customers have been telling us.

(10:38):

Paul, just for the benefit of our audience, you talked about zero trust being a change of philosophy. So, you know, if I’m a person in C-suite and I’m not as familiar with the term, like zero trust for the benefit of our audience, explain the difference with the zero trust philosophy from what you might typically see now.

(10:57):

Yeah, sure. So I think traditionally the sort of paradigm is that if a user is on your network like physically located on your network, they are trusted sort of by default sort of a de facto trust is granted to that individual. People outside the network are not trusted. So there are extra steps of authentication that are required, um, or there may be different levels of access that are granted to them because they’re not on the network. So the idea behind zero trust is we want to treat all of those types of users, the same. We don’t trust any of them, whether they’re on the network or not on the network. So location is not really a factor for whether or not you should trust a user. It’s all, it all boils down to the, the identity context.

(11:39):

So, you know, where is that user logging in from is the device that they’re logging in secure, has that user logged in at that particular time, in the past a wide variety of different things you can use to contextually identify the user and then only grant them to the stuff that they actually need. Now, the problem with that is that most organizations have not gone through the comprehensive sort of workflow analysis and that data classification process that has to happen to support that. And that’s one of the key barriers that has to be overcome for an organization to start drifting towards the zero trust model, but it really boils down to don’t trust anybody until they’ve given you a reason to be trusted.

(12:18):

So what does that look like? The data classification piece and the work that has to get done when, when does that company need to do, to be able to get to that foundation that you just described

(12:30):

First off, what sort of business are you in? You can get some good insight into the types of data that you’re going to have depending upon, you know, what what’s, what industry you’re in. For instance, a financial institution is going to have a different type of data than a healthcare institution, but at the end of the day, it probably needs to treat that data pretty similarly. So you’d really need to map your business processes. You’re consuming data from your customers. You’re consuming data from your third party vendors. You’re consuming data from your employees. And all of that is, you know, sensitive data in some way, shape or form. There’s also going to be intellectual property that an organization has that they’re going to need to, you know, take care of. And for some organizations that might be the most important. They’re know, you’re a heavy development shop that has, you know, some interesting new technology or you’re a startup, you know, that IP is probably the most valuable thing in the network. And so you have to you have to protect that. bBut I think the other thing about it and that’s, this is what I always think is the most challenging component for our customers is not just what data do you have, but where is it? Because, you know, I think very often, people have sensitive files on their laptops, for instance you know, in a Dropbox account or something like that, or in their email. It can be difficult for an organization to map all that stuff out. There are some tools that assist with that, but it really boils down to understanding your business very well. The processes that your users use to interact with data and resources, and then ultimately how you’re interacting with third parties, like your customers or business partners.

(13:52):

Well, thank you. I think that’s really helpful.

(13:56):

I think we want to change gears just slightly and I’m going to take over Jodi’s role for a minute and yes, well, now that Paul just taught me that if I text you in the house in a zero trust environment, you’re not going to trust me whether I texted you in the house, outside the house in another country anywhere. Yes. Well, you do that. Well sometimes anyway, Paul, the question I had is, what role do you think the increased privacy regulations, especially what we’re seeing in California will impact your business from a security standpoint?

(14:32):

Well, there’s a couple of ways. Whenever I see new regulations and this is really the business development side of me speaking here, but whenever a new regulation comes out, we view that as opportunities, right? Because a customer, a company is going to struggle, trying to understand how to comply with the new retina set of regulations. And we generally can help with that sort of thing. So we view it as opportunity, but there’s also a challenge there for us, right? Because if you think about what, I described earlier around our MSSP services, our job is to monitor our customer networks, right? And so we’re in the process of collecting a lot of identifiable information, right? A geo locate, a user we’re going to profile that user’s behaviors. We’re going to track their email addresses and all those sorts of things, which, you know, could constitute PII in one way, shape or form.

(15:19):

So we have to be careful about how we protect that data. In the normal course of operations, we’re not collecting things like social security numbers or Phi or things like that, but it sends we’re capturing log data. And in some cases can do packet captures of networks. There exists a chance that we’re going to collect something which is protected data, or really needs to be protected. So we had to work pretty hard, to, you know, first off, build out the systems in a way that we have that zero trust architecture built into our platform so that the only people that can access that type of data are the ones that need to be able to use it. So users outside of our cyber ops centers of excellence, which are our security operation centers, they can’t access any of that customer data at all.

(16:00):

Only the analysts can, um, and that’s really, you know, I think part and parcel to doing the job correctly, but we’ve also had to approve, you know, that we’re able to do that. So, you know, by going through the various third party audits that we go through, which, you know, fall down to me as our CSO, um, that, uh, I think it gives our customers some confidence that we know what we’re doing, which we do. So that’s a good thing. But it’s been a challenge and it’s simply because just like anybody else, when a regulation changes, you have to react to it. And preferably try to get in front of it by doing it correctly, to begin with. But there’s just so many different jurisdictions for privacy at this point that I think that’s going to be that that’s going to be the big challenge until there’s a single national privacy standard. People are going to struggle to have to figure out which jurisdiction do I have to comply with.

(16:46):

So have you seen companies kind of, I’m not sure anyone loves regulation and signs up for it and says, this is great, but are you seeing companies being more willing to really review their security measures now because there’s a regulation because there’s fines and penalties associated with it, whereas before, it was well, I probably should have, but maybe I won’t. Are you seeing that or not so much? And are you seeing only the companies who have to deal with the California regulations? Or what about we’re in Georgia, maybe I’m a local company here and I really don’t have California companies. I’m pretty regional. Am I paying attention to it because it might come or I’m still ignoring?

(17:33):

So I think that anytime there’s a thou shalt versus you should have, then you have people tend to move more quickly in response to that sort of thing. Uh, so certainly the potential for fines and things like that as I’ve moved the needle for some of the customers that we talked to. I don’t think I’ve seen too many organizations that really have no current potential exposure to CCPA, really worry about it too much. So to your example Jodi, however, you know, if you’re a Georgia based e-commerce company, for instance, a very good chance you’ve got California, citizen customers. And so therefore you do have something to worry about. I certainly think a lot more people are paying attention to security right now, but I would actually say in a lot of cases, it, that is more incident driven.

(18:20):

Um, and what I mean by that is you don’t need to look through too many, Google search pages to find really scary ransomware stories. I think that’s, that’s really driving a lot of people, to take it more seriously than ever before. Again, from a business development standpoint, the business guy in me, when I see one of those reports says, well, there’s opportunity there. But the security guy made it sort of shakes his head cause there was probably some fundamental problem that should have been solved a long time ago that created that particular incident. I always hate to see somebody have that really bad day of being hit by a serious security incident.

(19:00):

Paul, I want to kind of walk you through a scenario and we’ll get to a question. So we talked about increased regulation. Companies who get hit with ransomware or my other favorite is phishing that leads to wire fraud, and then they realize, Hmm we need to have more security, but that’s not the business that we’re in. So we’re going to go to a third party provider like Verdean and have Verdean help us with our security. But now what happens is as a Verdean gets bigger and you have hundreds of clients and I’m the threat actor I’m thinking, I don’t need to go after those. I’m going to go after the common point, which is the MSSP. And so I’d love for you to talk a little bit about your thoughts around what may keep you up at night, which is the security of the MSSP. Who’s helping lets the security of all its customers.

(19:50):

Yeah, yeah, absolutely. And that does keep me up at night. So as I mentioned, I Marcyso in effect, I view that as being the de facto Caesar for all of our customers and you know, the million plus devices that we’re monitoring you’re effectively they roll up to me for accountability. So it certainly does keep me up at night, that potential impact to us could really compromise the security of our customers. Now, the way that we’ve architected our platforms really mitigates that risk down to basically zero because there isn’t the ability for it’s right after the jump from environmental environment. However, I do agree as our profile grows or as any service provider’s profile grows you do become a bigger and bigger target. And I know that there are threat actors out there. APT10 is a great example.

(20:35):

They focus specifically on service providers and an app to great effect that night. I actually worked on an incident where they were the bad guys compromised, managed services provider, not managed security services, but more of a managed it provider. And because their networks were not architected very well, they were able to compromise, a large array of enterprise class companies that were, customers of this MSP. So that happens pretty frequently. And given that, you know, those threat actors, they’re there to find the quickest way to monetizing that illicit access. And so sure if I can compromise one company and by proxy also compromise their dozens of customers or hundreds certainly that’s going to be an attractive proposition to a bad guy and I guarantee you they’re going after it. So we we take it seriously.

(21:23):

We not only have architected our systems to provide the defensive measures, but we use the same detection and response technologies to monitor ourselves as we use to monitor our customers. So the same threat intelligence, the same detection strategies, you know, the same sort of rules that we use to monitor the customer metrics. We’re also using ourselves, give ourselves some advanced warning that also helps us curate additional threat intelligence, which we can provide to customers. And also published out to the markets. If you follow us on LinkedIn, you’ll read some of our threat advisory reports. Yeah it’s a serious issue that it’s happened recently. In fact, I think there was some emesis PAs recently that were attacked by a networker, a ransomware as a service threat actor pop one of our competitors, which I’m not going to name. That certainly opened my eyes.

(22:12):

Yeah, it’s a big risk. So what, we talked a little bit about privacy and security and new regulations and how companies might be struggling with that, where do you think companies are still struggling just in general different threats that are out there? What are some of the top areas where they’re struggling?

(22:31):

Yeah, there’s a handful. And I think the threat detection is challenging. Being able to detect a sophisticated threat actor on a company’s network is not an easy thing to do. And if a company’s trying to do that themselves, chances are pretty good that they’re not doing well at it. The tools that support that sort of motion are tricky to, to make work and to integrate well together. So that’s, I think one of the key things is just being able to detect the bad guys. Then they’re actually responding to it when, when something does happen. The other big thing really, and I think one of the other two big things is information governance. Like I mentioned earlier, just knowing what data you’ve got, where it exists and how to protect it and secure it in a manner that actually works for the business.

(23:13):

That’s, that’s a big challenge. And I think the third and last one I’ll mention is really just the users themselves, users still, unfortunately security awareness is just not as high as it needs to be. People get fished all the time, day in and day out. That I think is not going to change. You can try to implement all sorts of email gateways and things like that, but just, you know, one good phishing email lands in the wrong inbox person clicks it. And either, you know, pays the fraudulent wire to your point, Justin, or download some malware, which because the network is very open and flat creates a really significant propagation event where malware gets dispersed throughout the network very quickly it’s through that simple one phishing attack. So that I think is something to keep focused on and it’s not going to taper off.

(24:00):

I love the comment about data. I mean, I feel like that’s what I do all day. People will come and they’ll ask for a privacy notice or something. And I said, well, but we have to go back to the data. So the single point of truth is always understanding the data that you have in what you’re collecting. And on my side, I’m always about, well, what are you doing with it and who you sharing with it with and how are you using it? And then on the security side, we need to know where it’s being stored and all those different places, just like you described.

(24:29):

Yeah. And I think the other thing, sorry, Justin, this speaks back to the ransomware, situation, and I’ll just, real quick on this. So ransomware threat actors now are moving towards double extortion, which you’ve probably heard of, but for the sake of the audience, this is where the ransomware threat actor, not only encrypts the systems for impact, but then also steals data, before actually encrypting all the systems. So that data theft is what there’s, what is being used for leverage to get the victim, to pay the ransom. What will often happen is the company that’s been ransomed does not know exactly what data’s been stolen. Very often, and I asked this question during most events where I give a talk on ransomware, how many of you would be willing to negotiate with threat actor?

(25:15):

And there’s very few people that ever raised their hands and say, yes, but the problem is because of this double extortion, you have to, you have to know what database take and it’s incumbent upon you to understand what data has been stolen from you, because you may have breach notification guidelines that you must comply with CCPA, HIPAA. They all have breach notification regulations that you must comply with. So if you don’t do the job of understanding what the threat actor is taken from you, you’re sort of negates as it relates to the stewardship of that data. So that’s a key thing. And Justin, I know I cut you off. No, that’s all right. Jodi does it all the time.

(25:52):

So thankfully this won’t air before Thursday because I’m working on a tabletop and one, and that’s exactly what it is. But the other interesting point that I’d love to have you talk about with that is how often if they’ve paid the ransomware, do they find out that the Extraction of the data was not as widespread as they thought it was? And that’s part of what the threat actor is counting on, because if you don’t know and you don’t pay it, it really puts you in a position where they’re incentivizing you to pay.

(26:22):

So I think the first thing you’ve got to do, if you’re in a situation like that if you, you know, you find a ransom note on your laptop, for instance, or on a server is call a guy like Justin, not because you need counsel in a situation like that, you need outside counsel it’s really important.

(26:36):

And something, I always say, it’s not just a fluff you up there, Justin, but it’s, it’s really important that, outside councils very quickly anyway, um, what, what you then do if you start negotiating with the threat actor and you’re, you’re concerned about that data theft is you ask for what’s called a proof of life, which is effectively going to be screenshots of folders or directories, or, you know, in some cases the actual files that have been taken and a threat actor will be able to provide that with you or to you. And if they can’t like, if they’re saying, well, we stole, you know, a terabyte of data, but they’re unwilling to show you what data they had stolen. I wouldn’t trust them. I would think they’re probably just, you know, using that as leverage and probably having to actually purloin the data that they purport to.

(27:17):

So I would be looking for the proof of life. Then if you ultimately do pay the ransom, uh, what I’ve seen happen is the threat actors, especially the more sophisticated ones they do destroy the data, or at least don’t leak it because it’s, it’s in their interest from a business perspective to do so, uh, if they get the reputation of people pay and then they still have the data leaks and then people are gonna be less likely to pay because the incentive is sort of diminished. Then additionally, they’re kind of defeating their own, you know, again, interest of monetization by, by not doing that. Um, what I have seen happen is less on the data that side, but on the decrypter. So when you get a ransomware, it’s not going to encrypt your systems, what the threat actors going to do if you pay it is provides you with what’s called a decryptor.

(28:07):

Those are generally pretty sloppy on because they’re not, you know, sort of enterprise class software that’s built to encrypt and decrypt consistently. And so you often will wind up with corrupted files even after having a paid the ransom. The decryption process itself can be very cumbersome depending upon whether you get what’s called a universal decryptor, which is basically one decryption key, which is gonna work for all the systems that have been encrypted, or if it’s unique to each individual system. So if you can imagine a situation where you’ve got, you know, let’s say 10,000 machines in your network and they all get encrypted and I’ve seen that happen. And then you’ve got to have the individual encryption key for each individual system recovery from that you might as well just start over. And we have guided customers to do that as well.

(28:53):

I’m thinking that we should have the secret of that Russell Crowe, Meg Ryan movie, proof of life. I’m thinking screenplay Paul. Well, Paul, this has been a really fun conversation with proof of life screenplays and zero trust conversation, and just overall good practices that companies should be thinking about. And what we are asking everyone is if you can share. So since you do this all day, every day, you probably have some favorite personal cyber security tips or things that you do. So what would be a favorite personal cybersecurity tip?

(29:36):

Multifactor authentication all day long, that’s the most important thing anybody can do because you know, your credentials are just assume at some point they’re going to be compromised, but if you have that second factor, you’re doing a better job of protecting yourself from a personal standpoint, whenever I’m on the internet, like even right now, I go through a personal VPN. So there are platforms out there which can encrypt every single bit of traffic that you’re ever engaged with on the internet, the platform that I use, I have on my laptops, my mobile devices and it’s consistent across all of them. So the user experience is pretty transparent and I use that for everything. And since, you know, at least in the old times, I traveled pretty much constantly. I, you know, I did not want to use a unsecured wifi in an airport or a hotel without having some added level of protection. And so that personal VPN is important for me. So I think those are really the two things that I would recommend everybody do is multifactor and a personal VPN.

(30:29):

So do you have any particular brands or services that you use we’d love to include them in the show notes so that people can go and grab them.

(30:38):

Yeah, sure. Happy to have. I have no personal relationship with any of these companies. But, um, the VPN that I use is called a private internet access or PIA. Um, so, you know, it’s a subscription, you pay an annual subscription. It’s not terribly expensive. And it works very well for multi-factor authentication. So at a Verde and we use Okta, which actually is a strategic partner of ours. Um, and that’s more for corporate use for personal use, generally your platforms that you interact with, whether it be your bank or Gmail, there’s going to be a multi-factor option built into that, and you can just simply enable it.

(31:12):

Great. Well, thank you.

(31:15):

Yes. And now we’re going to divert completely from security. What do you like to do when you’re not in the office? Not securing everyone’s network for fun? I’m a musician, so I like to play guitar and piano. That’s a nice way to relax a little bit. I like cooking so last week was fun for me being Thanksgiving. I did still, even though the crowd was rather small, I cooked a large meal. Then I think probably the other big hobby that I’ve always had is working on cars. So I’ve got some old cars that I, take apart, put back together and sort of in perpetuity and working on some cars someplace.

(31:57):

Well, my dad used to enjoy that when he was, when he was young. I personally don’t get it. I have like go bring car to the car. People, they do that, but I like the cooking one. I cook, it’s very relaxing and therapeutic. I like it.

(32:12):

Great. So for me, it’s trapping an onion, right?

(32:15):

Chopping an onion is good. I like baking and mixing, and then you put it in the oven and then, magic upstairs

(32:22):

Baking. I’m not good at, uh, and this is, I think the difference between baking and cooking, one’s an art, one’s a science, right? Because baking, you got to get the recipe. Right. And I’m not a recipe guy, so,

(32:31):

Yeah. And see, I’m very methodical. I want my recipe, then I can follow it. And this magic happens. The whole art thing. I got to know how to magically put it all together.

(32:46):

Well, Paul, thank you so much. How can people stay in touch with you? Well, I’m pretty active on LinkedIn. Um, so you want to maybe drop my LinkedIn profile link. They can call me there. There’s always some content that we’re producing around cybersecurity threats the nature of the risks that we’re all basing. And that’s pretty much it. Other than that, if you, if you follow aVerdeans websites I write a lot of the white papers and content there with the rest of my team. So there’s always good resources there too.

(33:18):

Awesome. Well, thank you very much. And I think Paul and I are going to get to work on that screenplay on big visions. Now cyber security can be cool. There you go. Ransomware screen. No proof of life. There you go. Yes. Ransom. I think Russell Crowe going to play you or me? I’m going me. I’ll have to grow the beard out though. Yeah. Well, thank you again,

(33:46):

Jodi. Justin, this has been great. Thanks very much. It’s happy to do it. And then look forward to doing it sometime again soon.

Privacy doesn’t have to be complicated.