CMMC Requirements and What You Need to Know

Unsecurity Podcast

UNSECURITY Episode 66: Board of Directors Presentations, CMMC, InfoSec News

Episode 66 features a conversation about how to speak with your board of directors or executive leadership about information security. They also touch on the new and upcoming CMMC requirements and, as always, some relevant news stories. Give it a listen and let us know what you think at

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: All right, welcome back. This is episode 66 of the un security podcast. And I’m your host this week Brad Nigh today is february 10th and joining me is my co host co host. Why was a tough one? Evan Francen. Would you just call me? I don’t know kind of coy’s I need more caffeine. Good morning Evan. Good.

[00:00:45] Evan Francen: How you doing Brad? Uh yeah. This weekend. Huh?

[00:00:48] Brad Nigh: Yeah. Sick kid. So you know not a whole lot of sleep and is what it is joys of

[00:00:55] Evan Francen: parenthood. But we got slammed by snow on what day was that

[00:01:00] Brad Nigh: saturday night and yesterday about a raccoon.

[00:01:04] Evan Francen: I was grateful that my flight got in on saturday. I was down in Huntsville Alabama. Besides shout out besides

[00:01:12] Brad Nigh: that’s cool. Would you talk about

[00:01:14] Evan Francen: security? What? Yeah, that’s all I know raising Children you know uh I was besides Huntsville uh spoke on saturday about how to secure America. Mhm. Piece of cake. Very cool. Yeah. I was warned ahead of time that I wasn’t allowed to talk about sex, religion or politics and I was like, well I might as well just go home, What am

[00:01:44] Brad Nigh: I doing that? That was my whole presentation

[00:01:46] Evan Francen: And I was wondering kind of how they it’s interesting. How did they, how did they know? Did my reputation precedes me or something. That’s weird. But I gave two talks last week. One is a bunch of counties, bunch of the Minnesota counties, the Minnesota computer county consortium like that. Talk about ransomware, Give them the ransom. I read this tool.

[00:02:10] Brad Nigh: Lots of, lots of that out there.

[00:02:12] Evan Francen: Yeah. If you’re, yeah, the ransom, our readiness to

[00:02:16] Brad Nigh: I’d like to give away free stuff,

[00:02:17] Evan Francen: you know that? So I give away free stuff. It’s cool giveaway six books at the talk. I just brought him, you know, give him away. That’s very cool. Oh, there was a kid there with his dad. They sat in the front row and what was his name? Son of a gun. Uh, anyway, he just wants to get into, you know, cyber security call it. Yeah. And so I went down and signed a book to him. How old? Well, he must have been 15, maybe 16 high school, but he was, he felt so special to be picked out, you know, from the crowd. And then, you know, given a book that I signed right there for him. He thought it was the coolest. That’s

[00:03:01] Brad Nigh: awesome. Yeah. So last week I actually went to, uh, well, let’s see if I get this right Spring Hill Lake High school and talk to their class with Brandon. Our marketing guy did a combo. Like he talked about the marketing side of it and then I talked security and we did uh capture the flag, that type of stuff with them. And it was really cool. There’s some really good questions and put me on the spot. And of course any time you do a live demo, what happens? It didn’t work, it didn’t work, had all kinds of issues. My computer wasn’t connected to the internet, but they’ve got on it and a couple of them were clicking through and solved a couple of the capture the flags before. Like we were able to show one how to solve one of them got one of the easier ones.

[00:03:48] Evan Francen: Now do they still have access to the so they can still continue the competition?

[00:03:53] Brad Nigh: Yeah. And it was cool. One of the teachers just saying that he was going to use that as part of their lesson plan is going through and doing some of it because it would think it was things that they had talked about in class. So yeah, that was really cool. I was, we’ll talk 20, in that range kids in there, 10 through 12th grade. So all a bunch

[00:04:15] Evan Francen: of little actors,

[00:04:16] Brad Nigh: it was really cool that they were to see them like my linkedin blew up, you know, like the day or two before. It’s cool and it’s all of them and they had questions that were, it’s really yeah,

[00:04:29] Evan Francen: Well K through 12 is a big, big focus for security studio. We built the s to school which is an information security risk assessment specifically for schools and then as you know, we’re breaking that down into level 12 and three because all the schools are different, right? Big mega schools trying to take their assessment and slam it down the throat of a rural school

[00:04:54] Brad Nigh: won’t work well. And I think kind of what we’ve already, we’ve already started only the full risk assessment and a small business version and realizing that even that small businesses too much for some companies to handle if they’ve got nothing. Right.

[00:05:10] Evan Francen: So that sound like I have a cold. I feel like I do.

[00:05:14] Brad Nigh: It is that time of year. Yeah.

[00:05:18] Evan Francen: Yeah. My nose is stuffed up. Right? Yeah. Which makes you want to talk less. It’s weird like my nose is stuffed up because I can hear the echo and my,

[00:05:28] Brad Nigh: that’s funny

[00:05:29] Evan Francen: this week we’re heading up to me and jim nash, our state representative from Minnesota reading up to North Dakota to talk to bismarck is, I don’t know. It’s not really an exciting place to go. I don’t think february.

[00:05:45] Brad Nigh: Yeah. Not in february. It’s nice in the summer. Very pretty.

[00:05:49] Evan Francen: So well. Making the 6.5 hour ride up there to speak with Sean Riley, the Ceo and kevin ford the sea. So I’m excited about that because they’re doing some really cool things up there and I’ll be good. I think there’s some things we can do to help.

[00:06:06] Brad Nigh: Hopefully this freezing fog we had to come into through this, this morning is gone.

[00:06:11] Evan Francen: The trees look pretty,

[00:06:13] Brad Nigh: it was really weird the driving in and then just like clusters just appear because the fog just hits it anyway.

[00:06:22] Evan Francen: So then in just real quick. So we mentioned SMB S K through 12 and government, that’s really the focus right now for security, studio, state, local government, K through 12 and SMB S. Those are so underserved. We’ll have to talk about that sometime in the podcast. Just how underserved those markets are and what we can do collectively to help.

[00:06:42] Brad Nigh: Yeah, I actually had a really good conversation with someone uh potential client last week who was a little bit bigger. Um, but still not, you know what, we probably classified as enterprise and they’re asking what our approach was. You know, let’s focus on the fundamentals for the small to mid size and then we can scale up that’s easy. But If we could try and take what works for a Fortune 500 And throw it down a 50% or 75% company, throw it, it just is going to be a failure. Everyone gets frustrated, but we can take what we do for That 75 person company and scale it up and then it’s just really what solutions you pick to do it that are going to be different. But the fundamentals are always going to be the same,

[00:07:29] Evan Francen: right? And the big companies, a lot of the big, larger mid market and smaller, large market and even large market companies all suck at the fundamentals to

[00:07:41] Brad Nigh: so funny work to do, that happens all the time,

[00:07:45] Evan Francen: Like asset management. What do you have?

[00:07:47] Brad Nigh: I don’t know stuff. Right. All right. So uh, last week we were going to touch on this board of board presentation, talking to board of directors, uh but we got, you know, a little worked up and did we spend a little more time on? Uh we’re talking about the money grab, so we’re gonna skip over money grab. We

[00:08:08] Evan Francen: should do a live show from our esa, I’ll be live and then just yeah, me

[00:08:14] Brad Nigh: fired up, I’m not gonna get a word in edgewise, it just be like commentary over you ranting. Oh gosh. Um so we’re gonna talk about the board, talking to board uh board of directors. So um you know, as it said, I literally in the notes copied what you put last week. So I’m going to be you uh we’ve both had a privilege on many occasions to talk to boards and executives and so we want to talk through kind of what tips are, what you know, where do people get, where they successful, where do they, you know, kind of struggle. Um I did put a couple of articles, there’s four articles that I had pulled up that I thought were, we’re pretty useful or at least had some good talking points in them, but you know, I think the biggest thing for me talking to the board the first time I was so nervous because well the first time I ever talked to him, is there the, you know, you, they kind of get this, especially when you haven’t done it before, it’s almost uh Mhm, I don’t know, I don’t know what the right word is, but it’s like mythic aura, right? It’s the board, I don’t know, that’s not the right word I’m trying to go with, but you know what I’m saying, get this like this, you get this vibe, it’s like, oh, I’m talking to the board, these are really powerful people, right? And, you know, and then once you actually talk to them, they’re just normal people, that’s the, and I was like, oh, oh, okay, so I think that’s my biggest thing, right off the bat, is they’re just regular people that are good at what they do, and security typically isn’t what they do, right? So, you know, there’s a lot of times they’re going, oh great, it’s the security guy, I’m going to be like, you know, whatever over my head talked down to, so it’s kind of an interesting, you know, dynamic there, that that was kind of eye opening the first time I realized it,

[00:10:16] Evan Francen: yeah, and there’s tons of, there’s tons of um not experience, uh guidance on how to speak with boards of directors, and I think, you know, so if you were going to do your first ever board presentation um and you were, you know, to just google, you know, tips for speaking to the board, you might get a little confused because there is so many different tips. Uh but talk to somebody who’s talked to this board before, if you’ve never talked to this board, because every board of directors is different. So if you were going to think that just that every board of directors is the same and they want the same things, you know, that’s mistake number one.

[00:11:00] Brad Nigh: Although I think the one, like you said, the one thing every board you can do for any board presentation, is that exactly understand? Right? Right. Do do your homework on the board, regardless understand what they want. That’s always going to be Kind of # one. Right?

[00:11:16] Evan Francen: And this is this and this is, is this the first time they’ve they’ve talked about security at the border. Is this, you know, have they been getting a message regularly up until this point? And you’re getting into it because that will also dictate the message, you know, that you send to the board because if they’ve never heard anything about information security before, well then you get to set the stage

[00:11:41] Brad Nigh: divine where you start

[00:11:43] Evan Francen: right? Whereas if they’ve regularly been briefed on information security and this is a new brief from you, well then what’s the message been before, so I can stay somewhat consistent with it? I don’t want to switch gears completely.

[00:11:56] Brad Nigh: Can I see what’s been presented? So I know,

[00:11:59] Evan Francen: yeah. So do doing your prep work ahead of time, you know, getting to know the board, getting you know, talking to other people who have talked to the board. You know, they’re every boards got personalities, you know, what are the personalities on the board?

[00:12:11] Brad Nigh: Who are the people that you need to like focus on in terms of how you presented

[00:12:17] Evan Francen: or what’s the culture you know, of the board? Um You know that prep work pays off a lot. You know sometimes the board will give you, you know, say they they’ve got you slotted for 15 minutes. You know, count on five.

[00:12:34] Brad Nigh: Yeah. As I say five to maybe 10 depending, but that’s where you need to know how many, what’s the Q. And A. Like do they ask a lot of questions? Do they just listen if you finish in five minutes and are they going to stare at you for 10 going really? That was it? Or are they going to Ask 10 minutes of questions and you have a 15 minute presentation you’re not going to get through? Right?

[00:12:56] Evan Francen: And in some cases, you know, some board, you know, boards um you and other executives may practice a couple of times before you actually do the board meeting. That’s not crazy uncommon depending on the company in some cases you brought in as an independent expert. So you’re being brought in as your c so, you know, the C so is bringing you in,

[00:13:19] Brad Nigh: these are always uh fun, but I think those are almost a little more nerve wracking because you are being brought in as the outside expert. And yeah, you have a champion on your side in the sea. So or C. I O whoever is bringing you in, right?

[00:13:36] Evan Francen: But but you also have to maintain some sort of independence, right? Because if the seashells bringing you in, he’s bringing you in for your credibility or whatever, so he’s not bring you in because he’s your his or her buddy, even though you might be buddies, right? So to the board, you have to show this, I’m an independent expert. If security here was different than what you’re being told, I would tell you. You know, I mean, setting that sort of, I’m here to tell you the truth, not what you want to hear, including what the sea. So,

[00:14:09] Brad Nigh: Well, I’ve done it with, you know, uh Organisations, big big organizations that scored very well above 700 on the assessment, Right? And they’re like, oh, yeah, but that doesn’t mean you’re done. There’s still areas to work on, you still have areas of risk. And if you just sit back and say, well, we’re here where we wanted to be, you’re gonna go backwards and you could, you know, obviously the cso knows that. But to hear it from that outside, you could see a couple of the people kind of go, all right, fine. Like really? I thought we were we’re here. No. Yeah, you are now if you stop, you won’t be.

[00:14:55] Evan Francen: Yeah. I think, you know, funding as much information as you can about the board who’s on the board, you know, what other boards do they sit on? You know, if you’ve got a board member who has some security chops, well, you’re probably going to change your message just a little bit for that person, potentially versus the others because the board probably they all know each other. So if you have a security person or somebody who has some security chops on the board, they probably know a little bit more about security. So you don’t have to start them off with.

[00:15:29] Brad Nigh: Maybe you get the basic, you can throw some heavier, a little bit heavier on. There may be more mature terminology.

[00:15:37] Evan Francen: If you have the opportunity to find out specifically what the board actually wants, that helps because then you can kiss your message towards that. Um, using, I like to use, I don’t, some people will tell you to only use facts. I don’t, I don’t agree with that. I think where you state fact, state facts, your state opinion, make sure that everybody knows that this is your opinion.

[00:16:03] Brad Nigh: Yeah, that’s good.

[00:16:04] Evan Francen: You know, so they don’t mix the two because I don’t want them taking my opinion as fact, potentially. Yeah.

[00:16:12] Brad Nigh: From what I can see, you know, you have a good program, you are putting investing in the uh in your security program. But the fact is you can’t sit back,

[00:16:24] Evan Francen: Right? So one having um you know, I don’t know, sometimes in a board meeting you have a presentation. Sometimes you don’t, that’s also important. I like to keep presentations, you know, When I prepare for a board meeting, I might create a 30 slide presentation very much longer than what I’m actually going to end up giving. And then when you do that prep work ahead of time, you know, you’re talking with other executives and things like that, you’ll cut back the last board presentation I gave, I think my initial slide deck was 32 ended up being five, which was totally fine. But that also is a, you know, sometimes when you create something you like, you don’t want it changed, you know, you don’t want to take input, but you got to be really open to that because

[00:17:12] Brad Nigh: Yeah, yeah, it’s, it’s always interesting to um no or try and figure out what’s the right level and yeah, it I don’t know that’s part kind of the challenge to is and part of the fun of it too, I guess. Sure.

[00:17:31] Evan Francen: Yeah, yeah. I mean, I’ve never seen two boards the same. For sure. So doing that prep work at a time, if it’s a larger company, they probably expect more prep work. Um Yeah, the last the last board presentation and I did give them the truth, right? I gave them this is where you were. This is where I see you today. You’ve spent a lot of money on information security. This is what I think it’s gotten you. What it hasn’t gotten you is risk elimination, Right? And I so I gave them three warnings at the end. One was um to really fight back against complexity. Yeah. If if there are things happening in the information security program that don’t make sense or or seem confusing to ask right to try to get clarity on those things that seem mysterious to you. It’s okay to hold your c so hold people accountable and have them explain what they’re doing with information security in language that everybody understands. So that was one of my, you know, give them takeaways, right. Fight complexity. Because you’ve spent they’ve spent billions of dollars on information security over the last four or five years.

[00:18:56] Brad Nigh: You know, do you actually understand what you got? Right? What it’s doing?

[00:18:59] Evan Francen: The mystery is, you know, we just chalk it up as well. It’s mysterious. Well, is it mysterious, are you just being ignorant what that money was spent for? Right? I mean, it’s it’s a fine line. It’s not that I’m asking the board of directors to metal and get involved in available detail about information security, but at the end of the day, these are the people that are held responsible for it. Yeah, Charles fight complexity. I know the more money usually throw at a problem to the more technologies you buy, the more blinky lights you get.

[00:19:32] Brad Nigh: Yeah, but do you actually understand what, what you’re getting for that? What is it doing? What how is that helping?

[00:19:40] Evan Francen: The second bit of advice that I gave them was, and this one was just a couple weeks ago. So it’s fresh. It’s top of mind. Excuse me. The second bit advice was don’t take your eye off the ball. You made all this progress, you’ve spent, you spent all this time, all this money on information security, you’ve reached new levels based on, you know, the s to score, right? Uh huh. Now is not the time to feel like you’ve arrived. No. You know, it’s it’s not like, oh, we made it. It’s almost we can pick her off the ball. It’s almost harder

[00:20:18] Brad Nigh: to maintain that higher score than it is to get their

[00:20:21] Evan Francen: sometimes, right? It should be less expensive, but it should be

[00:20:25] Brad Nigh: hard because well, I think part of it is that maybe some of that energy or push goes away. Hey, we’re here, like you said, we’re here so we don’t need to keep spending or we don’t need to keep doing these things because we’re there, we’ll know

[00:20:42] Evan Francen: well, why do most companies spend or increase their spending on information security reality is you’ve been told you have to compliance? Right. Something bad happened. Right. So the pendulums usually swings the other way when before something bad happened, you weren’t spending enough time enough money, enough whatever on information security. And then all of a sudden the bad thing happened, right? And then the pendulum swings the other way. Now you’re spending too much on the information given budget is wide open spend as much as you want, do whatever you want. Yeah. You know which which I think is just as dangerous as the other side. Right. It’s where do I find that middle? Uh the middle area.

[00:21:26] Brad Nigh: Yeah. Yeah. Having that even keel and having somebody who’s got experience there has been through it is just invaluable at that

[00:21:34] Evan Francen: point. And then I think the third reason people spend money on security is because they actually get it. Mhm. That number has been increasing but it’s not fast enough. I think part of the smallest

[00:21:46] Brad Nigh: the people that get it have are usually part of that second group. They’ve been through this somewhere else. And like they get somewhere new and they’re like, no, we are going to be proactive and get there before this happens.

[00:21:57] Evan Francen: Right. Right. And so if you were to guess, let me ask you this. If you were to guess how, you know, I said three buckets, compliance, something bad happened or you actually get it If you were to break 100% of all information security spending and just put them into those three buckets, what would your guesstimate be?

[00:22:15] Brad Nigh: I’d say Man 75, 80% compliance regulatory, 15-20%. Something bad has happened and whatever is left, they get it single digits.

[00:22:31] Evan Francen: Yeah, I think you’re right. I think I would be brought that same. I think I’d say more like 80, 10, 10, maybe 85. Well I would have

[00:22:41] Brad Nigh: Maybe two or three years ago. But I think there’s been enough, sadly enough bad happening that that percentage is growing as people are having gone through it. So now as they move around and stuff that would be more proactive.

[00:22:56] Evan Francen: I don’t know why people still, I mean it’s just ingrained in us then we just feel like stuff isn’t going to happen to us. Yeah, it happened to the business right down the road. But you know, it’s never going to happen. We’re

[00:23:09] Brad Nigh: not in an industry that wouldn’t, that he would do anything

[00:23:12] Evan Francen: with wonder the bad things that happen to people. We should ask them that in an incident response you all those people who didn’t think this was ever going to happen to you.

[00:23:20] Brad Nigh: They usually volunteer that especially the executives again. They usually say I had, how did this happen, right? We spent all this money, how, how could this happen,

[00:23:30] Evan Francen: bingo And, and hey, that’s the third thing that that I warned this particular board and it was a big company was um to understand the difference between risk management and risk elimination. The goal is risk management because it’s going to happen, you’re going to have a breach and I’m not gonna, and I don’t want what I don’t want what’s not healthy is to have the breach or bad thing happen and then you come back to the sea. So and say we spent x millions of dollars on this. You must, you know, I don’t want you thinking that this c so isn’t good at their job because the bad thing happened because it’s not a function of how much money you spent, it’s going to happen, right? Yeah, there’s a certain loss of return on investment where, you know, you don’t just spend wildly, but no matter how much I spend, I’m not going to stop it all.

[00:24:29] Brad Nigh: No, you can’t, you’re just trying to push it out and you know, minimize the up the risk of it happening sooner. Just keep doing the right things and keep pushing that threat out. Right?

[00:24:47] Evan Francen: So those are three things that the three main themes in my presentation to the last board was For those three things.

[00:24:55] Brad Nigh: So I got, I was thinking about is we’re just talking what was your toughest or hardest board presentation?

[00:25:02] Evan Francen: Oh, uh probably ST jude Children’s research hospital um

[00:25:09] Brad Nigh: super on top of it. What was,

[00:25:11] Evan Francen: well I did a couple of board presentations are one, it’s, their board is huge. Like 100 or something.

[00:25:19] Brad Nigh: I mean, it’s like a huge board, the biggest one that’s like, I think it’s like 25 and that’s a big board holy cow. We had people calling in from all over the whole man

[00:25:29] Evan Francen: and these are really, really powerful people ST jude Children’s Research Hospital is a big deal. And so there were executives from all sorts of companies, big companies. And um the first time I did an assessment of all sac, which is the financials are not the financial, the fundraising side of ST jude. Um, we spent maybe 34 days on site, you know, um, gathered all this information and I was the lead. Um, so I came back to the office and normally I wait a week or two before I actually start writing the report. This is back when we had to write the report manually. Right? And so, and the reason why I do that is because, you know, you take a step back, you get some fresh perspective and then I go to my notes and start writing, well, uh I lost my notes.

[00:26:26] Brad Nigh: Yeah, that would be a bit of a panic.

[00:26:28] Evan Francen: So I went from recollection and I went from the other people that were with me kind of used whatever notes they had and so I wasn’t 100% confident, I don’t think in all the assertions I was making in the assessment. And so, you know, you give this board presentation and I’m already not 100% confident in myself and my own conclusions. Plus people. Yeah. And then you got 100 plus people there. And yeah, the end of the day went really well. This is back when we used to do the assessments, A B C D E F. And so, uh, they understood it. I think it went well. They hired us again for future work. So, um, and they liked, they liked the metrics. They liked numbers.

[00:27:19] Brad Nigh: It’s easy to understand and digest. They’re not, they’re not security people. So give them something that they can understand.

[00:27:26] Evan Francen: Exactly. So, you know, they like the fact that we put a number to it or a grade and then they wanted, you know, they gave us things to do. There was action items that came out of that board meeting, which was awesome because then the management had to respond. So we moved the ball forward and then the board wanted an update using the same methodology using the same metric, using the same numbers so they could see the delta between where you started and where you’re at. Now We took care of these 10 most significant risks. What’s next. So that was really neat to get them systemized. And they picked up on that really quick. So that part was good. But it was, it was a little nerve racking. It was nervous for

[00:28:15] Brad Nigh: sure. So I think the worst or the hardest one for me was had a presentation and got through like two slides because they just wanted to talk and that’s fine. But man, does I put you on the spot when they’re, they’re just asking security questions, not even related directly to the company. Yeah, but just like, well what about that? And it was, it was fine, don’t get me wrong, but like that when they just throws you because you’re like, okay, we’re going to go through and talk these five things that we’re going to do these things and, and then like, just off the rails immediately.

[00:28:52] Evan Francen: Yeah, well, I mean, okay,

[00:28:55] Brad Nigh: it’s part of the, I guess that’s part of the fun.

[00:28:57] Evan Francen: Well, it shows that they’re paying attention. Oh, it was that’s good.

[00:29:00] Brad Nigh: It was fun. Like after the fact I’m kind of like exhausted. But then Yeah, exactly, thinking as I told,

[00:29:07] Evan Francen: well then sometimes like the last, the last presentation because it was, you know, the two, you know, two weeks ago. Yeah, and they didn’t ask any questions, so the exact opposite was that good at presenting what I do is just completely Yeah, so I have an email, I have to send an email, I meant to do it last week, but I got away from me too quick. Um but just send an email to the sea. So hey, what did you hear afterwards? So I think that’s also important for the board is they may not bring up things in the meeting themselves. They may, they may not feel comfortable asking a question in the board meeting. This is just like I said, different boards are different, you know, they’re all different. Um, so it’s always good to, to follow up, you know, follow up and find out. Yeah. Did you hear anything afterwards? What could have been better, you know, whatever.

[00:30:03] Brad Nigh: Yeah. Yeah. I think it’s uh, so is it’s always, yeah, there are no to that are the same. No. And understanding and growing from it. And

[00:30:15] Evan Francen: I’ve had some where they, he made me feel like I was part of the board. Like you’re, you’re there, you know, because usually get excused, right? Your little Tony dance and then, yeah, you get excused. But I’ve had some boards where they kept me there for like an hour. Uh huh. Okay. We just keep talking about security stuff like kind of like yours. And then I’ve had other ones where you feel like you’re wasting their time, you know? Yeah. I’m looking at their watch and I’ve, you know, I’ve been talking for 30 seconds now.

[00:30:50] Brad Nigh: Yeah. And I think board executive leadership, so not even just the board where they’ve come in quarterly or whatever, but speaking to all the day to day C level executives very similar, Right? Those are, I like the ones where you get brought in specifically or there’s a meeting specific for discussing it and you can tell pretty, I think I feel like you can tell pretty quickly if the executives apart are bought in or not. You know, like the ones that are super argumentative and you know, it’s like, yeah, okay. I get it. Right.

[00:31:31] Evan Francen: Yeah. And and if I had a in an opportunity places where you have a new board or um, you know, board that’s never talked about security before and you kind of have an open slate. I try to cover you know, five things with them. I mean I’ve sort of standardized on those things like one. What is information security to where we at? Where are we going when we’re going to get there? How much is it going to cost? So those require numbers and metrics. Right. So we use the s to score. So what’s your current as to score? We’ve done the road map so that we’re going to make recommendations to the board and where we need to go next. That gives us our future as to score. That also gives us when we’re going to get there and it gives us how much money and I’d like to afford to pay attention to that number. So we don’t have to spend a ton of time going through this over and over and over again. Right. So we can just operationalize, Your current score is a 602, your score next quarter when we come and talk to you again should be a 6 12, Right? You know what I mean? It just gives them something to track along and put things into context. And then the fifth thing that I, you know, talk to maybe some current events.

[00:32:47] Brad Nigh: Yeah. Yeah. It was internal or external. It was like to hear. And yeah. How did how could that relate to to them? Right.

[00:32:56] Evan Francen: Right. So if you’re struggling, you know, of any other listeners are struggling with, you know, I’ve never talked to the board before, but I think I have an opportunity to present to the board or something like that. I think that’s a good place for you to start. Is all right. Make sure the board is all on the same page with what this is. What is information security? What should I be responsible for? What? You know, isn’t an IT issue or is it a business issue? You know, I mean that has to be a discussion because it’s a business issue and that’s why I’m here with the board otherwise. Right. Otherwise I’d just be reporting, you know, I just be given that stuff to the C. I. A. Which unfortunately happens in too many companies. Mhm. But that’s those are the things, it’s uh what is security? Where am I at? Where am I going? When am I getting there? How much is going to cost? And then just some current events?

[00:33:47] Brad Nigh: Keep it simple.

[00:33:48] Evan Francen: Yeah. Then you can get through that once you’ve gotten in a rhythm, you know, that’s a easily 10 minutes? Oh,

[00:33:57] Brad Nigh: oh, talk. Yeah, it’s perfect timing. Yeah, they’re interested enough.

[00:34:03] Evan Francen: Right, right. When you have to put that framework of understanding, I know a lot of people are using the N I S T C S F. And I think that framework, it’s a beautiful framework, but even that framework can get a little too confusing for, you know, if you just take the categories,

[00:34:17] Brad Nigh: put that up on a slide, it’s too much, God

[00:34:20] Evan Francen: you’re going to sit there for could potentially sit there for a long, long time if you put the functions even that, you know, those those five functions.

[00:34:28] Brad Nigh: Yeah, because then they’re going to go, well, what, wait, what is it

[00:34:32] Evan Francen: what’s identifying to write more about

[00:34:34] Brad Nigh: that? Yeah, So I’m with you, I think using the CSF great presenting on the CSF? Dangerous.

[00:34:44] Evan Francen: Well, I mean, you expect board of directors to they’ll hurt, they will have heard of probably the N I S T C S F. Uh but expecting them to understand how it works and how it functions and all that other stuff. Most of the people in the information security industry don’t even know it. Yeah, the framework is nice applying the framework is it’s not easy for some people,

[00:35:08] Brad Nigh: so it’s a lot of work. Right, Weird.

[00:35:12] Evan Francen: So yeah, 40 board

[00:35:14] Brad Nigh: stuff there you go. So um yeah, we’ll post some talking points as well. Just like I said, I think there’s some good articles or some not good articles, but I think that what was interesting to me on those um is that the overall theme is the same, right? It’s pretty, that’s the biggest thing. So what you’re talking about have a plan.

[00:35:35] Evan Francen: Yeah, the biggest repaired the one that I loved the most was it actually came from the council, which I’m not a big fan of the council,

[00:35:42] Brad Nigh: but no, it was a

[00:35:44] Evan Francen: speak the language that is understood that’s critical. If you, if you’re not speaking their language, you disconnect, you might as well be speaking

[00:35:54] Brad Nigh: well. It would be like if you go into a german company and speak english and they only speak german, it’s the same exact thing, you know, avoid the acronyms avoid. God. Yes, like just keep it as simple as you can. So, so the other thing we wanted to talk about that’s kind of, I think getting some, just a little bit of play is C. M. M. C. C. What? I

[00:36:18] Evan Francen: know. Weird,

[00:36:19] Brad Nigh: that’s a thing apparently. Um So yeah, that just dropped last week, was that month, I don’t even remember the

[00:36:28] Evan Francen: last week or so. Two weeks ago. It was last week anyway, you’ve got some time because they don’t even have, you can’t get certified yet anyway. No, there’s no accrediting body.

[00:36:41] Brad Nigh: The that was the heart. That was people we get, I keep getting asked by our sales team, what are we gonna do, What are we going to ask? Uh What do you mean? You don’t know, I don’t know what does it mean to become a certified assessor? Nobody knows right. It doesn’t exist. Oh well don’t they have to do it by june?

[00:37:09] Evan Francen: Who do what do by june

[00:37:10] Brad Nigh: become see MMC certified by june Who? Yes. Uh And I think that’s kind of the fun part. So uh see MMC is supposed to apply to uh D. O. D. Contracts. So if you’re right, I understand that if you’re a contractor or subcontractor anywhere down the line in the supply chain, in the supply chain, uh you will need to get see MMC certified and there’s multiple levels and you don’t get to choose your level, you are told what your level is. So that will be, I think that I actually like that because there’s too much confusion out there and people are like, well I’m Phipps low medium, well you’re making a judgment call on that and what if they disagree now you’re out of luck. So um

[00:38:05] Evan Francen: Yeah so version one of the c. m. m. c. Was published right? For people who don’t know what See MMC is its cybersecurity maturity model certification. The framework is published um but there’s no way to become certified yet. Uh They’re going to be doing some training on the defense acquisition university’s website but that doesn’t even come until summer. So you can’t even be trained on it until summer. Right. And at about that time allegedly the D. O. D. Is going to pick the 1st 10 contracts to be subject to see MMC. So I don’t know how many Dodik you know contractors there are out there but 10. Yeah. So

[00:38:55] Brad Nigh: I mean there’s gonna be thousands and thousands. Right?

[00:38:58] Evan Francen: So you won’t even see them popping into RFP s request for proposals until the fall? So yes you should be aware of them. Yes you should start if you are a D. O. D. Contractor you should start implementing these things and getting guidance and whatever else. But in terms of achieving that certification I would you know, depending on who I was if I’m not one of the big, you know a big big big defense contractor, you know, working with some pretty sensitive information, I might push my goal to be see MMC certified into middle of next year, maybe even the end of next year because they’re not expecting to have all of these. They’re not expecting to have the C. M. M. C. In all of the FPs until 2026. So no panic take your time do it. Right.

[00:39:53] Brad Nigh: Yeah we keep getting asked. Well what should we be doing? Well, okay. Start with a risk assessment that’s mapped to known standards that where are we? Right. Hey we’re gonna get see MMC started but have you ever done a risk assessment? No. Well. Well okay then why don’t why are you jumping in the deep end if you’ve never even been in the water? Right. Exactly.

[00:40:16] Evan Francen: What? And if you do it like a search on google for C. M. M. C. My God, everybody and their mother does see MMC Prep and certification. So everybody will want your dollars for sure on this. Um some of them are fly by night, you know, consulting companies and some of them are really good. But that I guess if I had one piece of advice, take your time. Yeah. Slow down your do your homework right? You don’t have to choose somebody to do your CMM C. Certification now because you can’t, there is nobody who can do a certification yet but just take your time. And like you said, do the fundamentals, security fundamentals. Our security fundamentals. It doesn’t matter if it’s for this that or the other thing. If you haven’t done the foundational fundamentals of Information security, I could give two craps about whatever certification you’re going after because you’re not going to get it. If you did by chance somehow finagle your way into getting it. It’s not going to be sustained.

[00:41:22] Brad Nigh: No. Yeah. At some point it’s going

[00:41:24] Evan Francen: to So yeah, you’re right, do a do a fundamental fundamental information security risk assessment. That is something that I would do all the time. Right. I would have done that already. But if I hadn’t and I was going for C. M. M. C. That would definitely be the place I would start right

[00:41:41] Brad Nigh: now. I think that that’s a good good point is, yeah, start start with the basics like that’s something doing a good risk assessment

[00:41:53] Evan Francen: was was hank Aaron born hitting home runs. Well maybe. I don’t think so. He had to learn.

[00:41:59] Brad Nigh: Yeah. No, but you know, reality is no matter what, See MMC Hip Ff is whatever it is. Even if it’s just vendor, you know, you’re getting asked doing a risk, his husband is always defensible, yep, there is no downside to just doing, where am I? What does my program look like? Where are my strengths? What are my weakness is where should I be focusing time and effort? So, you know, if you haven’t ever done it start there, it doesn’t matter what industry you’re in, What regulatory, what contractual requirements you’re going to be in a good position for having done it or a better position. I should

[00:42:39] Evan Francen: have such a good educational tool to. I don’t know how many people out there are confused about information security and confused about, you know, all the things that we have to, you know, in this industry, whether it be see MMC HIPAA compliance FF. You know, you mentioned F F. I C N I S T E N I S. T. C. S

[00:42:58] Brad Nigh: like let’s talk

[00:43:00] Evan Francen: acronyms. I mean on and on and on. If you’re confused about that stuff and you’re looking for a place to put your feet down? It’s got to be an information security risk assessment because it makes sense of what all this crap means. And it also, uh, is a great educational tool so that, you know, the next thing to do. Yeah. I’m not confused by all this peripheral

[00:43:22] Brad Nigh: Crap and make sure that the one you choose is based on a well known standard, the CSF for the ISO 27,000 series, probably the two. My business friendly. Sure. Yeah. And cover everything. Yeah.

[00:43:38] Evan Francen: Because, you know, I like the fact that the D O D. Is coming out with the C M M C. I like the fact that, you know, there’s a reason why they’re putting such an emphasis on, um, you know, their supply chain because that is where the most significant risk is probably going to come from. Right? So I like all of that. And in the private industry we can learn from this. Where is your most significant risk going to come from? Probably your own supply chain. Right. So what is your generous management program look like? Do you have one? Do you know how many vendors you have? Do you know what they do? You know, there’s so many times where you get you ask this question and people like, well, we don’t have many vendors, what does many mean? It only takes one You know, or we don’t we don’t have any vendors, it’s like really, you made your own operating system if

[00:44:24] Brad Nigh: your own internet that you develop. But how do you what do you let your routers and switches? How do you

[00:44:30] Evan Francen: connect exactly? You know? So it’s just this uh I like the fact that D O D. Is going here, I like the fact that there somewhat going methodically on this, you know, I like the fact that you published the framework first so people aren’t getting, you know, because it would really suck to publish the to finalize the framework tomorrow and then the next day expect people to be certified, you know I mean? Yeah, I like the way they’re going about it. I hate the fact that our industry capitalizes on crap like this and just causes so much confusion. Yeah.

[00:45:05] Brad Nigh: Although yeah, I’m with you on that. I do like and I like the from what I’ve seen, I haven’t I’ll be I’ll be the first to admit I haven’t read through all 380 some odd pages of

[00:45:16] Evan Francen: the it would have been nice they would release the damn thing in a spreadsheet. So I had to the functional level breaking the law or anything but I had to un password protect the pdf which is you know save the pdf is your own pdf without the password whatever because they did password protected Pdf was like I don’t understand why you did. That

[00:45:39] Brad Nigh: makes you elite hacker leet

[00:45:42] Evan Francen: and then uh you know, I did put it all into a spreadsheet. So if you want it in a spreadsheet form

[00:45:48] Brad Nigh: you have to do it yourself

[00:45:49] Evan Francen: because you have to have a bunch of things. Because what I don’t want people to do with a waste of money is for you to do see MMC. And do you know uh you know an iso certification and do a sock to and do this and do that and do that. Is there a commonality where I can do one assessment and satisfy multiple requirements? Right? So I’m not redoing efforts and pissing away money everywhere. So in order to do that sort of mapping and things you have to break it down into a spreadsheet, right? Or some form like that.

[00:46:24] Brad Nigh: And what I don’t get is, yeah. I don’t know why they would do that.

[00:46:30] Evan Francen: No. Well and that was that was the I don’t I haven’t looked at the latest one, the one that was just published because I didn’t expect there to be much changed between the one that was actually published in the previous draft version,

[00:46:42] Brad Nigh: I d I didn’t look at the like I said I haven’t read through all of it. Um But I do like from what I’ve seen I like it better than the d fars it’s more it’s more functional right? From a business perspective right? It’s not just

[00:47:01] Evan Francen: and I’m so tired of the government with their acronyms everywhere. Oh my God.

[00:47:08] Brad Nigh: Yeah.

[00:47:09] Evan Francen: So yeah I think overall I like the C. M. M. C. It’s maybe a little too prescriptive. It’ll be nice to see you know when these 10 11th one sort of come back and we start getting some inputs.

[00:47:21] Brad Nigh: Yeah I think understanding. Yeah what exactly is going to happen and what is there like? Well level is it getting seen? Certified. Give me the same as federal. Right. We don’t know I mean if that’s the case that’s a whole other issue because that’s a major undertaking.

[00:47:41] Evan Francen: Yeah. Yeah so uh it’ll be interesting to see how things flaw. I like the fact that the government is taking this seriously and sort of clean up the deforest thing and with the C. M. M. C. And we’ll see. Yeah

[00:47:55] Brad Nigh: don’t panic take

[00:47:57] Evan Francen: your time. I understand I understand what you’re doing every dollar you spend that information. Security should be accountable to something so just relax educate.

[00:48:07] Brad Nigh: Yeah there you go get that. We’re talking security and stuff

[00:48:12] Evan Francen: like security most of the time. Yeah sometimes I

[00:48:17] Brad Nigh: don’t. All right well let’s talk to some news real quick here. News

[00:48:21] Evan Francen: news news real like like

[00:48:24] Brad Nigh: the old movies like before the movie or whatever

[00:48:27] Evan Francen: like Israel like the old Israel and then this is the news

[00:48:29] Brad Nigh: real. I don’t know interesting. All right. Lots to talk about. So when you brought up that I hadn’t seen yet that victoria. Who does our kind of our weekly news recap. I hadn’t read it

[00:48:43] Evan Francen: shout out to victoria. She’s awesome.

[00:48:46] Brad Nigh: So this is actually off of quick country dot com.

[00:48:50] Evan Francen: Quick country.

[00:48:51] Brad Nigh: Yeah, it’s Rochester’s number one for New Country. Uh, it says on the website. 20

[00:49:00] Evan Francen: now we’re

[00:49:01] Brad Nigh: Getting a little bit punchy here. I’m tired. 27 56. It’ll be a long day. Twin cities man charged with turning off hospitals oxygen tank. That’s kind of a big deal. Yeah. So felony damage to property against a 39 year old larry read dune raccoons. Um, he was seen walking towards the fenced off area where the hospital tanks are located, seen standing behind one of the main tanks and then moves out of the camera’s view and then they were informed oxygen pressure was decreasing. He checked and found they had been forced open and zip ties and stainless steel watches had been tampered with and broken. So you know, people go, what does that have to do with security? Oh, I would say that you’ve got some physical security issues if there’s not camera coverage of something that critical. And how is he able to walk in there that easily?

[00:49:53] Evan Francen: Well, thank God they had some, you know, some detective controls as

[00:49:57] Brad Nigh: I say, that’s really impressive that they were monitoring or got the alerts that quickly. Right? And then respond. And not only got the alerts actually responded and paid attention. Yeah. Right.

[00:50:10] Evan Francen: When the engineer who responded said it was fortunate the problem was taken care of right away because the sudden loss of oxygen could have caused injury or death to multiple patients. So that’s a weak area then for hospitals. Right? What happens if he would have destroyed it? Right. Yeah. So that it couldn’t have been brought back online so

[00:50:33] Brad Nigh: quickly revisit those physical controls in place to right strengthen them if it’s that critical to the life or death, literally.

[00:50:43] Evan Francen: Right. So your preventative controls. So preventative controls failed in this instance because he was able to get to disable. Right? So cause the damage thankfully there. Detective and responsive controls were on part right. They detected it right away responded to it right away. Um But yeah, it’s kind of scary when you think about it. You know, you take out hospitals oxygen supply in a large health care facility.

[00:51:20] Brad Nigh: Yeah. Well people die. I don’t know. Yeah. See then that’s part of it. That is a good question. Do they have secondary tanks or secondary uh you know, supply for the critical or is it separate for like the O. R. Right. Like things like that could be or I see you. So they’ll be interesting to hear, understand a little bit more on some of

[00:51:45] Evan Francen: that. But I wonder what is. I wonder what his motive was.

[00:51:49] Brad Nigh: Yeah, he said he was upset. So there you go. Um So next one off of info. Security magazine motet spreads via newly discovered wifi module. So that’s awesome. Um A motet is designed to spread to any nearby wifi networks protected only by weak passwords uh worm dot txt. First action it takes is to copy the service e x E string to a variable that we used during file spreading main loop and begins profiling wireless networks using DLL calls to spread to any networks that can access. I can’t imagine this not being it, there’s no way it’s gonna be a problem like downtown areas where there’s hundreds of uh

[00:52:39] Evan Francen: you got the creativity of the the malware writer, you know,

[00:52:44] Brad Nigh: I mean it’s actually really impressive.

[00:52:46] Evan Francen: Calls it worm Daddy XC. Yeah, we’re

[00:52:50] Brad Nigh: not trying to hide I mean, but nobody’s catching it. So, you know, but you know, it is pretty impressive the way they they put it together again. I I just wonder how, how much further we could get if these guys put some of this brainpower like to a positive because I mean it’s really impressive to see some of the stuff they do.

[00:53:15] Evan Francen: Right? So pond start off a warm day, they exceed the first action is to it takes us to copy the service that dxy string to a variable that will be used during file spreading next it steps into the main loop and immediately begins profiling the wireless network using WN api dot DLL calls in order to spread to any networks that can access.

[00:53:41] Brad Nigh: Yeah. So what’s interesting and there is the Where Maxie Timestamp is April 16, 2018. Mhm. So um

[00:53:54] Evan Francen: it’s been it’s been running for a while.

[00:53:56] Brad Nigh: Yeah. Or you know, who knows that? It’s not not ideal. Um I like the detection strategies, active monitoring for in points for new services installed, uh not happening most places and um you know, stronger wifi passwords. Well, you know, people can get MFA installed because it’s too disruptive. Can you imagine changing wifi passwords? Oh well I don’t that’s just you can’t do that. Yeah wow. Yeah

[00:54:30] Evan Francen: strong wifi passwords. We’ll see.

[00:54:33] Brad Nigh: Um So it’s interesting. Mhm. Uh Next one is from G b hackers dot com. Robin hood, ransomware borough vulnerable driver to kill antivirus and encrypt systems file Windows system files. So it

[00:54:48] Evan Francen: was something about this last week to

[00:54:50] Brad Nigh: Yeah, there was uh well no this is I think different this is the this is different from because that was for the uh nets killer where they were getting in and they were getting into them closing after they’ve already established persistence. So this is a different one. So this one with better names I know we’re going to fight over who came up with it first. Uh This is using a digitally signed, vulnerable driver to bypass the protection by killing files belonging to endpoint security products By passing 10 bypassing Tamper Protection and anti virus software to encrypt the system files. So they’re using a living off the land technique and using a gigabyte driver vulnerability Trekked as CV 2018, 193 20. So you should hopefully have I don’t know, I didn’t even look, they should hopefully have gotten that patch by now. Um, so so folks came out and said this is the first time we’ve observed ransomware shipped shipping a trusted signed third party driver to patch windows kernel in memory, load their own unsigned malicious driver and take out security applications from Colonel Space. Yeah, that’s scary. Right. And so

[00:56:12] Evan Francen: and this is disclosed

[00:56:15] Brad Nigh: everywhere. Yeah, that’s not a good good one

[00:56:20] Evan Francen: wow. So what can I do with this, remember,

[00:56:25] Brad Nigh: make sure you’re patching everything, not just Windows get your driver’s patched,

[00:56:31] Evan Francen: this only affects, it only affects gigabyte now. Extreme gaming engine, oc, guru, app center in the hours, graphics engine,

[00:56:43] Brad Nigh: so, but it’s a pretty big name and true out there. So

[00:56:49] Evan Francen: uh, supposedly Yeah, there is an upgrade. Well, is it? I don’t know Because CP 2.3 Yeah, there’s not great. You should be, you should feel the patch patch patch please people patch their hardware.

[00:57:05] Brad Nigh: I’m gonna guess not very many.

[00:57:09] Evan Francen: Most of them are focused on operating systems. And then if we get our hands on operating systems then sometimes we’ll go after applications and if you get your hand around applications then

[00:57:20] Brad Nigh: and about Trevor’s Yeah. And and how many manufacturers make driver upgrades and patches easy to get?

[00:57:30] Evan Francen: Well, if you happen to be one of these people that gets hit by this, I mean, you’ve got endpoint protection in place. So you might be thinking we’re good, but if you mean you may not be right, you might be running hardware. Yeah. Yeah. All right. So be careful about that one.

[00:57:53] Brad Nigh: So yeah, last one. Um and I was going to talk about is from Krebs on security. The domain corp dot com is going up for sale kind of Yeah, not always agree with some of the stuff and how crops does it, but he just really does a good job writing up kind of the history and backstory and sending what’s going on. So it’s got a really good background of um where this is coming from and you know, the investor that originally bought it and why he’s selling it and you know, there’s there’s a hope that Microsoft will buy it. Um we’ll see what happens. But if cybercriminals were to get it, you could definitely has some issues because how many people use ah corp is their internal right? You know? And so that’ll be interesting to see what happens. But it’s a really, it’s a long article article. It’s really good though.

[00:58:57] Evan Francen: So the risk is that you’re using corp dot com or something dot corp dot com as an internal domain, Right? Because which then also could potentially become resolvable on the internet, which would then point you to iP addresses outside of your network when you intended to be

[00:59:15] Brad Nigh: internal and part of that is Microsoft used to or long ago said name it corp Right. So it was kind of their guidance. Mhm. So

[00:59:25] Evan Francen: So that the asking price is $1.7 million. Which

[00:59:31] Brad Nigh: honestly for Microsoft they should just snap it up. Right. Yeah. It’ll be interesting to follow and see what happens with Taiwan

[00:59:41] Evan Francen: when you can’t really fault him either. Michael Connor, because Michael Connor Bought it in 1994. Uh He bought a bunch of them man. This guy’s got some cash, doesn’t he? Bar dot com cafes dot com grill dot com. Police dot com. Pub dot com. Television dot com. Corp dot com. Uh huh. Yeah. For the past 26 years he refused to auction corp com because of, you know, I think partially because of this. So good for him.

[01:00:17] Brad Nigh: Yeah. Yeah, there’s some interesting back and forth in terms of was he, you know, an investor or was he a cyber squatter? Because he never had any

[01:00:26] Evan Francen: back then. The cybersquatting was okay, sort of, you know what I mean? There was so wild back then the people buying domain names of everywhere making money. I mean it was just another way to make money I suppose.

[01:00:41] Brad Nigh: Anyway, that’s a good read some.

[01:00:42] Evan Francen: All right. How about the city rants, racine Wisconsin? They got hit by ransomware.

[01:00:47] Brad Nigh: I didn’t see that one. Where did that come

[01:00:49] Evan Francen: out? I don’t know last week sometime

[01:00:53] Brad Nigh: there’s too many to keep up with, you know,

[01:00:55] Evan Francen: but it’s back to that. Maybe we pick that back up again. Mhm. Just the things we can do, the things we can do to help local government with rain somewhere. Right. Yeah, so I think they were down, it might still be down, but they were down for a while like days. So, you know, racine Wisconsin, you know, I’m from Minnesota, so we protect everything west of us from Wisconsin from the Wisconsin invasion. Oh, but it’s sad that, you know, when cities get hit by by this stuff

[01:01:31] Brad Nigh: and you know, I mean there’s so many like, well then there was the Cisco, all the city fun pone, whatever affecting later to it’s just yeah, it’s almost too much to sometimes try to keep up with.

[01:01:48] Evan Francen: So what do you do? Just go back to the fundamental fundamentals fundamentals

[01:01:53] Brad Nigh: patch. I know what you have, right,

[01:01:56] Evan Francen: So we should do a show maybe just on the fundamentals, what are the fundamentals? Maybe we’ll do a show on that. I think next week I’ll have maybe um very hot jim, nash joined us as a guest again because we’re leaving for North Dakota today. Maybe governments

[01:02:15] Brad Nigh: are doing for

[01:02:16] Evan Francen: we have to get to get his take because there are some things that I’m sort of surprised about with state government. I would have expected better. Like, does your state government do vendor risk management?

[01:02:29] Brad Nigh: No, I don’t have any idea, but I’m gonna go out on a limb and say new. But you know, that’s

[01:02:36] Evan Francen: kind of a bad deal. Right? You kind of maybe should do something

[01:02:40] Brad Nigh: that they do our FPs. True, So true. Right? Isn’t that the same thing?

[01:02:45] Evan Francen: True. Yeah, maybe. But you know, those are questions that, you know, I don’t think we many of us think about enough, you know, we just assume that our state county and city governments are doing, but they should be doing. It’s not because of incompetence. I’ll tell you that for sure. I was talking to one before we wrap up. I was talking to one. You know, I talked to a bunch of counties last week in one county counties don’t run themselves like businesses. If counties ran themselves more like businesses, I think they would find themselves more budget, you know, because one of the ladies is who was in the audience was just like, I can’t get budget. Why can’t you? Anyway, we’ll talk about that. It’ll be an interesting talk. Maybe we’ll do that next week. Just about how maybe, um, we can help people get budget. Yeah, something like that. Right.

[01:03:49] Brad Nigh: Well, that sounds good. Um, so that’s it. We’re done 66 done. Thank you to the listeners in the bag keep the questions and feedback coming. Um, we’re still waiting. Haven’t seen any, uh, people volunteering to be interviewed. But if

[01:04:07] Evan Francen: Oh yeah, I interviewed. If you’re looking for, you’re looking

[01:04:09] Brad Nigh: struggling. Please send us some were more than happy to talk to you so you can send things to us by Eddie by email at If you’re the social type socialize with with us on twitter, I’m @BradNigh have been is @EvanFrancen and you can follow security studio @StudioSecurity and FR Secure @FRSecure. That is it talked to everyone next week.

[01:04:35] Evan Francen: Awesome.