Proactive Approaches to Cyber Risk Management

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies. Hi.

Justin Daniels 0:36

I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 1:00

And this episode is brought to you by — there was no ding, just hitting me does not work, people — Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com and for those of you who might be listening for the first time we do our intros live, and Justin is supposed to be the dinger to introduce the sponsorship company name. And sometimes he fails.

Justin Daniels 1:52

Because I’m trying to have fun. But it’s silent.

Jodi Daniels 1:55

Well, no one can hear silence. Did you accuse me of violence? This is not the meditation, quiet, calming podcast. This is the Privacy and Security Podcast.

Justin Daniels 2:09

Let’s move on to our guest. Today we have Dave Sampson, who is the VP of Cyber Risk & Strategy for Thrive. So in this role, he heads Thrive consulting practice where he and his team of experts join forces with clients to deliver strategic guidance on a range of topics. Dave, welcome to the mayhem.

Dave Sampson 2:33

Good day. Thank you for having me. There’s nobody here to hit me, so I feel safe about any dinging challenges.

Jodi Daniels 2:41

Indeed, I am glad you feel safe, absolutely and for everyone listening, Dave has an incredibly extensive background, and we highly encourage you to check out his full bio on the show notes page. I don’t know if our mics are gonna let you hear our wonderful other co host named basil. He’s the chief canine officer over here at Red Clover Advisory, so he might be joining our party here too. So Dave, can you share a little bit about your career journey to where you are today?

Dave Sampson 3:09

Sure. So once again, thanks for having me. I really appreciate the opportunity. I have been in the really high availability and compliant technology space for the majority of my career, over the last 25-plus years, did some work in the.com space way, way back in the day, there around the year 2000 I know we all remember that, or a good number of us, too. And then pivoted primarily into the data center space. So getting into the data center space, outsource data centers, managed solutions, and moved from there to cloud, and then just about eight years ago, I joined forces with thrive, delivering next generation managed services, private cloud services and cybersecurity. So thrive is a MSP and an MSSP as well as a private cloud provider, and we have grown quite significantly in my tenure at Thrive over the last eight years, just about 23 acquisitions. We’re a Boston based company, about 80 or so folks when I joined and now we’re about 1600 folks globally. Very big presence in the US, down the east coast, as well as in the UK, Hong Kong, Singapore. We have folks all over the world, all Thrive employees.

Jodi Daniels 4:27

That is exciting. What an exciting evolution. I know we’re gonna dive a little bit deeper into some of the different areas that you focus on, but it does. I have to just do this. My brother is all about puns. It seems like you’re thriving. I had to do it, even that was cheesy.

Dave Sampson 4:42

Know where you’re at, I feel you. You’d be so proud.

Justin Daniels 4:45

That was some serious cheddar.

Jodi Daniels 4:47

Because I’m so I don’t have the humor gene, as you always point out. But when it comes to puns, I can sometimes do them, and I have to take the opportunity when it’s available.

Dave Sampson 4:56

That was a little hanging fruit, so I. It. Don’t hold it empty. I get it, but yeah,

Justin Daniels 5:03

there we go. It’s a pitch right down the middle.

Jodi Daniels 5:06

We’re coming back to Thrive thing. Nice job, baseball player. All right, off you go.

Justin Daniels 5:12

So Dave, can you talk to us a little bit about how the Thrive cyber platform works, and what problem or problems are you trying to solve for companies when it comes to cyber security.

Dave Sampson 5:23

So from the perspective of my consulting group, we really help folks understand where they sit today and how they align with best practices based on common security frameworks like the CIS or NIST. But part of the magic of what we deliver at Thrive really is our security platform. So we have an entire platform of services that exist around cybersecurity. When we think about strategic initiatives, about the proactive approach to cyber, and framework alignment, cyber risk mitigation through technology, there’s a lot of different pieces to that puzzle as it exists today. There’s no single solution that you can go out and plug in and install and that’s going to solve all your cyber risk problems. Generally speaking, you need a number of different solutions. They’re coming from a number of different vendors, and they don’t talk to each other out of the box, generally speaking, right? The other thing is that, from the perspective of an organization that’s trying to deploy these tools, it takes a wide variety of skill sets to deploy them, maintain them, manage them, monitor them, any tactics you’re taking, any process you’re deploying, any deploy tool that you’re using to mitigate cyber risk or to put those controls in place, can only be substantiated if evidence exists to demonstrate that it’s doing what We think it’s doing, right? So if there’s no evidence, we can’t really say that we’re doing anything. And at the end of the day, this is not just a one, two or three person job. We have all these tools. They all work differently. Requires a lot of different skill sets. So we collaborate with the best software and technology vendors in the space. We deliver those services as managed solutions, and then we tie all those solutions back through our sim platform, and we are able to analyze those logs in real time. We have a number of automation and AI solutions on the back end that correlate data between the platforms and present that data to our SOC engineers, who are then able to determine what actions might need to be taken on how it’s delivered, what that threat looks like, right? So, as opposed to deploying it yourself or putting it out there, having to monitor it, having to respond to alerts, people go to sleep, people go on vacation. Like any managed service, we deliver that 24/7, availability. We bring the expertise to the table, but then we glue it all together through our integrated security platform, and that’s a very big differentiator for us.

Jodi Daniels 7:50

There any follow ups? Mr. Purple. Mr. Purple.

Justin Daniels 7:54

So Dave, I was wondering if you can talk a little bit by way of example, because it sounds like if I’m somebody who needs help with threat management, threat intel, endpoint detection, you can help me figure out, hey, you might need Sentinel, one, you might need Fortinet for this, and then help manage that. So is that can give us —

Dave Sampson 8:16

That is very accurate, right? So from the perspective of my consulting team. We will go in, and we will do basically a read only analysis, and say, Okay, let’s go take inventory here. We’re not going to change anything. We’re coming in. We’re going to look around. We’re going to identify, again, as I mentioned, evidence based on what’s deployed, how it’s deployed, and how it’s operating, who’s operating it? Is there a process that exists, and is somebody really keeping track of this thing, so we’re able to make strategic recommendations by performing those assessments. And a lot of our customers, especially new customers, will have those assessments performed. Other folks, maybe, like what you just mentioned. You know, we’re looking for an endpoint protection solution. We need a third party email filtering solution. We need to have somebody manage our Microsoft 365 tenant. We can go right in and do those things as well. But I think one of the pieces is when it comes to cybersecurity, when it comes to the proactive approach, and when it comes to really making sure that you are protecting your organization, being honest with yourself, and understanding where things exist, what’s working, what’s not working, and what the Strategic Initiatives might look like is really critical to being successful, right? Nobody wants the dreaded all of you know disaster is unfolding, and nobody really knows where that could lead, right? If we’re not prepared properly, that’s really what my team pushes folks to do now the wider portfolio of Thrive, because we’ve been around for 25 years, and we’ve really been deep in the cyberspace for about the last seven or eight years. Thrive started out as a regular IT services provider, a managed IT services provider. So from the operational perspective of our organization, we have our MST. MSP teams that deliver help desk services, Windows updates, operating system updates, all those traditional IT services. Then we have our security services team as well as our private Cloud team, so we’re able to cover a very broad spectrum of services that is not typical of a lot of providers.

Jodi Daniels 10:18

So speaking of all different types of tools that companies use. You recently had an interesting post on LinkedIn talking regarding the Harvard Business School article, kind of summarizing lessons learned from CrowdStrike. I don’t want to give it away, so I’d love if you could share for those who didn’t read it, and after you listen to the show, you should go back to the January LinkedIn and go read that post. But Dave, can you share a bit more of what your take on the article and thoughts are?

Dave Sampson 10:50

Yeah, so the entire crowd strike incident was really just something that was unexpected, right? Nobody knew it was going on. There were some Microsoft pieces that were going on that day with Microsoft, 365, stability. People thought that it was a problem that was driven from Microsoft. People thought it was hackers. People thought it was an issue with CrowdStrike. There was all these different things going on, and I just because I travel a lot, either at events or doing work with customers, depending on what’s happening. I just happened to be at the airport that day trying to get home, and that was a Friday in July, and I live on Cape Cod, so that’s a good day to want to get home because the weekend’s coming nice weather. But you know, really, what happened that day was that this automated update from CrowdStrike went out and disabled systems globally, all over the place, right? And really what it came down to was some challenges that existed around how the change management functions work and work within that crowd strike platform, and the type of disaster event that folks really are not planning for, right? What is the disaster event that disables our systems, renders them useless? What is the level of transparency that’s taking place around those systems. How do we get more insight to that transparency, and how do we be prepared to correlate all the data that comes across from our different sources of information, our different tools, and understand how to react and respond that entire incident really introduced an entirely new scenario for folks to consider when they think about planning for disaster and planning for recovery. One of the things that I will say, you know, from a cyber risk mitigation perspective, one of the key tenants around cyber security is making sure that your data is available and that is available in the way that it is supposed to be right with integrity. So data recovery backups, disaster recovery plans, all of that fits. And people think of it more as traditional IT services, but it fits within that bucket of cybersecurity and cyber risk mitigation planning. And we need to make sure that, as we move forward, that any obstacles to do, any of those pieces are just really just removed, right? They need to be out of the way. One of the things that I like to do with business leaders is ask them key questions, if an event occurred today, how long will it take you to get back online? Who are you going to call what does your disaster recovery plan look like? Is your data backed up? How do you know? And a lot of folks really may or may or may not know the answers to those questions, right? I would say it’s 5050, but I think that’s probably an exaggeration on the positive side, but those are the answers that you kind of need to have in your back pocket. When we look at that particular crowd strike event, one of the things that continues to astonish me is the level, the amount of time it took for large enterprises to recover their systems, right? And I don’t know what was happening within their environments and their data centers, but my takeaway is that the preparation was not there for a predictable return to operations. So what were the barriers there that existed? And from a business perspective, how do we overcome those barriers? Those are the things that we really need to be looking hard at as we do, planning going forward.

Justin Daniels 14:07

That’s an interesting perspective, Dave, because I was at the airport that day, and in Atlanta, you fly Delta, and it was Atlanta two days ago.

Dave Sampson 14:19

I was trying to figure out if it was yesterday or not. I’m not sure where I’d been,

Justin Daniels 14:25

but what I wanted to add to your analysis is one of the things I learned from being at the airport is Delta in particular, this crowd strike issue impacted their software that deploys their crews and whatnot to the planes and the different airports. And it seemed to be that that was a older piece of software. And so I thought what was interesting, adding on to what you’re saying is, how do you get back up to speed? But then it’s also saying, Hey, do I have older software that could be more susceptible to certain types of events? And in this case, this software really. Was the root cause of causing Delta to take so long to get back up. And I mean, people were sleeping at airports.

Dave Sampson 15:08

It was if I if I wasn’t determined to get home, and my flight was actually leaving on time, so I was going to get on that airplane, because it was a zoo, and I was actually at Dulles, but the number of news crews that existed interviewing passengers and folks waiting in insanely long lines, I would have stopped to start to talk to some of those folks, but I just didn’t want to risk missing my flight. But every sign board in the airport was offline, and there were guys going around the airport with keyboards to plug into those computers to get them back up and running right? These are the types of events that nobody had really thought of before. But I would say even if you have a legacy software platform, you should still have a plan that’s tested and effective to restore that platform, regardless of what it is. And one of the pieces that’s really happening, and I know part of this was referred to in the article that you referenced, but transparency around operations, transparency around cyber risk, for years now, and I would say at least 15 years, there’s been a lot of diligence questionnaires circulated around how data is being handled, how cybersecurity is being addressed, how IT systems are being addressed. And I’m sure this is something that you see and deal with with a regular basis, right? The privacy equation is so complicated, especially when you think about the various legislation that exists on a state by state basis, but the amount of diligence around who we’re interfacing with from a business perspective, what are our business partners doing about cyber how are they protecting data that we’re entrusting them with. Do they have the ability to recover their systems in a predictable way? That level of data and the digging on that is really going deeper on an ongoing basis? Right? If we’re going to entrust software vendors to schedule all of our flight crews and our aircraft and track all of our fuel usage and our weights, for our baggage. What happens if they go online? What offline? What plan do they have to not go offline? How have they tested it? How often have they tested it? If you have a disaster recovery plan and you’ve never tested it, you don’t have a plan, in my opinion.

Jodi Daniels 17:16

Yeah, excellent points. And Dave, you touched on the privacy pieces. And so I wanted to segue there and hear a little bit more about how you’re seeing companies be impacted and respond to the growing trend of privacy laws and also some of the requirements for risk assessments and those questionnaires that you were saying, I know we certainly see an uptick in those questionnaires, and companies really focused and starting to think about, how do I put privacy and security together in those third party risk management programs? I’m really interested to see what, what are you hearing and seeing, and how are you helping?

Dave Sampson 17:55

Well, there’s, there’s deep complexity happening on all of these fronts, right? Cyber security, privacy compliance and regulation, right? We think about things like CMMC getting rolled out, and the rubber starting to meet the road there, from the perspective of folks that are doing business with the government and the DOD and the CMMC security requirements that have existed for years but have been kind of not put into force, and that’s finally happening, that’s kind of freaking people out, right? What do we do? How do we comply with this? And I’m sure on your side, and I track some of this stuff, but the privacy laws on a per state basis are all varied, right? For notification times, what constitutes a breach, what the notification needs to look like, etc, one of the pieces that I push forward to everybody from a cyber perspective, but it applies in many different aspects. Is you need to understand within your organization what your skill sets are and where your strengths are, and where those start and stop. So maybe from a cybersecurity perspective, we know within our organization that we’re very capable of deploying Windows patches or we’re capable of managing our firewall, or whatever it is, but I think one of the important pieces is the recognition of where those strengths and skills are, what we can handle internally and handle effectively, and then where we need to look for outside expertise. Because those outside experts won’t only have more skills and deeper knowledge, they are going to be most familiar with the trends of what’s happening and where those moving targets are and how they’re moving and how to help your organization achieve the best results while still aligning with whatever the requirements look like. I think we’ve moved into a space where outsourcing is just ultimately required, right? Outsourcing was kind of a convenience before you know, we’re gonna take care of your servers for you. We’re gonna take care of these documents for you. But now the level of expertise and ongoing training, knowledge and tracking that is required, outsourcing is part of that equation. It’s really something every organization needs in some regard, or they are going to fall short there, and it’s. I don’t mean this in any type of threatening way, but some bad result will occur if you don’t have the right folks at the table to help guide you get to where you need to be to protect your organization and align with all these different laws. Right from a privacy perspective, you think about if you have, you know, personal data from customers or clients, or maybe even your customers, customers that spans multiple states and you have a data breach, what does the notification path look like for that? Right? There’s folks out there now that are just doing privacy notifications for breaches, and basically you give them the data, and I’m sure you’re more familiar with this than I am, but they will go out and do those notices as appropriate based on the laws that exist within the state and the jurisdiction of those particular individuals.

Jodi Daniels 20:49

Yeah, we’re certainly moving with privacy and security into those niche areas, much like many other laws and companies hire experts in each of the different disciplines and areas all across their business, privacy and security are, in my mind, are also catching up with the need for that specialization and those particular skills.

Dave Sampson 21:09

Yeah, I think the other piece there too is, and I try not to go too deep on this one, but you know, the reality is that I, as much as I’m hopeful, that we can establish more widespread standards through federal legislation that’s going to take a very long time. You can’t entrust the government to guide you from a policy perspective about what you should be doing, because it’s going to take too long, and the protection just really isn’t there. So the best thing you can do as an organization is to identify what the best practices look like, find the right resources and experts and go out of your way to follow those best practices. Use those resources, protect your organization, protect the data of your customers, protect your intellectual property, and ensure that you’re able to maintain overall operations without being impacted by a threat actor or a data leak, or a systems outage, or any of these things that could occur that really falls within that risk equation.

Jodi Daniels 22:08

Makes a lot of sense. I guess

Dave Sampson 22:10

I would add sounds so simple, doesn’t it?

Jodi Daniels 22:12

It does sound so simple, but it is not simple.

Justin Daniels 22:16

No, it is not because, I guess, Dave, as you were saying before, about, you know all this, you know the data backups and all that. I mean I would add to that, really, what you’re talking about is, if you have a data incident, how do you spend your time most effectively? And you’re trying to prepare people for that. Because what I would add to your list is, what are your contractual notification requirements? Jody knows that you have breach notification, but I deal with the ones that are in the contract all the time, and those are only getting stricter, 24, 48, 72 hours, and knowing what those are. And then you know, on top of that, my take on the crowd strike situation is is, I’m fascinated that one word in the crowd strike, Delta contract completely changed how Delta could approach that situation, because if the word gross isn’t in there, when it comes to liability of gross negligence versus negligence as a legal construct, those are two very different things, which goes to as people negotiate their contracts with their vendors and their other customers, those limitation of liabilities are your first line of defense on how the financial responsibility gets allocated if the worst happens.

Dave Sampson 23:23

Yeah, and I know that’s really a talking point in many contract negotiations when folks are outsourcing to technology and other providers, but one of the recommendations I do have, and I expect that you likely deal with this as well, is when you are engaging in those contracts, look for the opportunity to insert language regarding transparency. So getting your vendors to agree to provide you with the right level of data to allow you to perform what you find to be thorough and reasonable diligence. Right? You want them committed within that contract document to providing you with whatever evidence is reasonable to attest and validate that they are doing what they represent they’re doing, and that is becoming much more common. We’re seeing that quite a bit, and it’s one of the recommendations that we’re making to our customers regularly.

Justin Daniels 24:09

Well, earlier in our conversation, you had mentioned that you have some back end AI tools that help platforms talk to each other, and we wanted to ask you just more generally, how are you seeing AI show up in terms of cyber tools that you might deploy, or maybe it’s impacting how sophisticated you’re seeing phishing campaigns or other stuff. Or maybe the AI used in cyber from your perspective is a little overblown at this moment.

Dave Sampson 24:35

Well, AI is the night report of the day, right? So everything that is happening is happening through AI one way or another, at least from a marketing perspective, no disrespect to anybody, but you know, from the AI perspective within the cyber, cyber space, within systems, right? So from an attack perspective, wherever threat actors have the same access to tools that we do, so they’re able to develop code faster. They’re able to crash. Left those those phishing emails, much better. They’re able to put chatbots together to try to garner people’s information through automated systems. So all of those things are happening without question. They’re also able to analyze environments mass traffic more easily. There’s a lot of new capabilities they have. At the same time, we are able to correlate and analyze data faster. So we’ve actually done some benchmark testing, and we can present a case to a SOC engineer and say, Okay, this is what the situation looks like. And we can time that engineer and say, okay, it took them 27 minutes to analyze this. And then they’re at a point where they can make a decision. The back end platforms that we use to correlate data, kind of do all the lookups and evidence collection and discovery that’s required, from an automated perspective, can be done within seconds. And what ultimately ends up happening is the final decision is presented to a human and says, you know, this is what this all looks like, which they would have spent that 27 minutes going out and researching, right? And these are your choices, and here are the recommendations. So from that perspective, we’re able to move much, much faster. One of the things that is likely to occur, but not guaranteed, is that over time, there’ll be more interoperability between some of these cyber risk mitigation platforms. But at the moment, it’s not really done on a plug and play basis, or a consistent basis, or a standard basis, which is one of the things that makes it more complicated, right? When you are looking for solutions and you fall in love with multiple solutions that come from disparate vendors, how do we get those to talk to each other? The majority of organizations are not in a position to put together the technology and systems to actually perform that. And then on top of that, even if they do, there is this full piece where it needs to be monitored on a 24/7 365 basis, right? So, all of the automation technology and the AI components are helping us do all of those things. We have multiple 24/7 staff security operations centers. But as a result of all of our investment in our security platform, we’re able to do that much more efficiently than a lot of other folks.

Jodi Daniels 27:11

So Dave, given all of your cybersecurity knowledge, I imagine at a party, people might come to you and say, so what should I do? And we always like to ask all of our guests to share their best personal cyber tip.

Dave Sampson 27:28

Well, I generally encourage everybody to think about a couple things. One is, Be suspicious of inbound requests, right? Whether it’s at your business or in your personal life, if somebody’s inbounding you and you’re not expecting them to inbound you, whether it’s through a text, a phone call or an email, treat it as suspect, go out and find an alternative way to contact whoever it says that it is, and contact them via that means on your own and find out if they’re really inbounding you. The second is just make sure that you are leveraging what’s now really standards, best practice, standards, right, multi factor authentication, endpoint protection, keeping your systems and your personal devices updated your iPhones, right, having that three year old version of software on your iPhone is probably not serving you well in a number of different ways, but making sure those updates happen are and are in place because those are the paths that threat actors use to exploit devices, exploit systems. That’s how they start to get access to data. So just from the perspective of a couple low hanging fruit items, I could go on and on about this topic, but understanding what those low level best practices look like, and executing them from both a personal and a business perspective, using different passwords across platforms, using complex passwords. Don’t use your dog’s name, right? I was interacting with somebody a couple days ago, and they asked me to turn around, or they typed in their password, and I know that they’re a dog lover, and I said, I’m sure that your dog’s name is your password, or it’s your dog’s name plus two numbers. And they did not respond to me. They were completely silent. And I’m a very big dog person, by the way, I haven’t seen your dog here, but if the dog happens to jump through the screen, that’s great. But you know, people, this is real deal stuff.

Jodi Daniels 29:12

It is, for sure, actually. And anyone who’s in this space who has a lot of animal names needs to also be a company with strong security measures, because there are so many company or so many people who use their dog names as passwords. Do you use your dog? About the dogs? Don’t use my dog’s name as a password. Basil is Basil. Everyone. Basil’s not sleeping. Basil is not part of my password system. He’s just part of our podcast.

Justin Daniels 29:42

Well, Dave, when you’re not out securing enterprise universe, what do you like to do for phone?

Dave Sampson 29:48

Well, I enjoy boating. I do travel quite a bit for work and for pleasure. I have a very interesting I guess it would be classified as vintage, but it’s about a 25 year old, 27 year old, maybe now bluebird Class A motor coach that I travel around in sometimes, when time allows, traveling by land is not it’s a time consuming process, so I don’t always get to do that as much as I’d like to. But living on Cape Cod, it’s boating in the summer, and the winter, it’s trying to get south and enjoy some some warmth and, uh, enjoying the motor coach. And I occasionally do some other things, like maybe some nightclub DJing here and there, but that’s a very rare appearance these days.

Jodi Daniels 30:35

Well, can be fun. Have to hear a little bit more about that.

Dave Sampson 30:38

I might be, you know, giving too many answers here, but I’ll be truthful about the answers, though, you can usually find me in one of those categories.

Jodi Daniels 30:47

Okay, all right. Well, if anyone’s looking for days, so that was gonna be my next question. Is, if they would like to connect with you and learn more, maybe don’t know where your motor coach is going or which nightclub there’s the DJ at. Where should they go now.

Dave Sampson 31:00

So those two pieces of information, you’re not going to find out. Usually, I don’t usually advertise where I am, unless it’s at a conference. One place where I do advertise where I am, which I am very passionate about, is public service, and I do a lot of volunteering in my community. So if you want to see me at a public meeting, that’s a place you could you could definitely find me. But if you go on LinkedIn, I’m David J. Sampson on LinkedIn. So LinkedIn slash David J Sampson, you can very easily find me. I’m pretty easy to track down by email or phone or whoever you’d like to so if you want to send me a message via email, dsampson@thrivenextgen.com, is the way to do that. But you know, hit me up on LinkedIn. And I do post a lot of ongoing current events, stories, cyber risk stories, the piece you mentioned from Harvard business, you know, those types of things. And I’d be very happy to share my expertise with you, or interact with you, or collaborate with you, whatever, whatever trouble we can get into, just like we’re doing here today.

Jodi Daniels 31:59

There you go, everyone. It’s an invitation to get in trouble. So you have to, you have to,

Dave Sampson 32:04

yeah, we need to have a little bit of fun, right? We can’t just be totally serious. People think I’m much more serious than I might be, but, you know, yet to be seen, amazing.

Jodi Daniels 32:13

Well, Dave, thank you so very much for joining us today. Just on any last closing thoughts, nope, we engaged in some man, we did all right. Well, thank you again.

Dave Sampson 32:22

Thanks for the opportunity. I appreciate it.

Outro 32:29

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.