What is the Cybersecurity Maturity Model Certification?

Unsecurity Podcast

The duo adds a discussion about IT Security, Information Security, Cyber Security, and Physical Security. They field a listener request about the Cybersecurity Maturity Model Certification for the third segment and wrap up with a Twitter exchange about what it takes to do InfoSec as a job.


Podcast Transcription:


[00:00:22] Brad Nigh: Hi Unsecurity podcast listeners. It’s me, Brad Nigh. This is episode 49, it is October 14th. Evan’s here to say hi. Evan.

[00:00:31] Evan Francen: Hi Brian. How are you?

[00:00:33] Brad Nigh: Good. Been a couple of weeks. We talked the other day and I was like, it’s like the M&M Santa commercial. He does

[00:00:40] Evan Francen: exist. Yeah. We haven’t seen

[00:00:44] Brad Nigh: each other for about well, since it’s probably the last podcast we did together. Right? Two full weeks.

[00:00:50] Evan Francen: Yeah. And my beard is growing so long. It’s actually hitting a microphone right

[00:00:54] Brad Nigh: now. I noticed I was having that you could feel it just really gotten along.

[00:00:59] Evan Francen: All right. It’s like that guy that goes off and you know, uh, just ages over time. You know, I look like, uh, what was that movie? Castaway? Yeah, I’m starting to look like him now.

[00:01:13] Brad Nigh: This has gone off the rails. Really?

[00:01:15] Evan Francen: Yeah. Did we have show notes? Well, sort of when was the last podcast we did together? It was 47. No, really to podcast away.

[00:01:23] Brad Nigh: It wasn’t 40s were you in where we know that was when you, were you in Bulgaria? Was

[00:01:28] Evan Francen: That 46 was 40? I don’t know. I don’t know, but it’s only been two. Yeah. Last week it was me and

[00:01:34] Brad Nigh: John, right? Yes. I was in the San Diego airport getting ready to board. So that was not going to record well new. They don’t like you recording podcasts on the airplane.

[00:01:48] Evan Francen: They don’t weird.

[00:01:50] Brad Nigh: Uh huh. So yeah, it’s been a couple of weeks. You’ve been having an insane schedule. Mine has been pretty busy. I feel like you know, I’ve done a lot more traveling than normal, but I definitely can’t complain compared to what you guys have been doing.

[00:02:05] Evan Francen: But we’ve had a lot of fun though. I mean we’ve met honestly some amazing people. Last week I was on the, on the road by myself, uh, in Orange County, California. John was in Madison.

[00:02:18] Brad Nigh: Yeah. You went out there the day after I was there. Yeah, I think you were avoiding me.

[00:02:25] Evan Francen: No, no, no, no, no. You have to make sure the place was safe. You were like the, you like the

[00:02:31] Brad Nigh: king’s food tester, make sure there’s no poison there.

[00:02:34] Evan Francen: Right. Yeah, it was good though. Man who meant some really good people a uh on my blog, I write on sunday, I write the past weeks sort of um road show a lot of call outs this week and just, you know, all the cool people that I met, you know,

[00:02:53] Brad Nigh: so it is, it is good and everything that I’ve had, you know, talking with people that we don’t normally interact with. Uh it sounds like our, our message is resonating. Which is always encouraging. It’s like okay, we are doing something right? People are like, ok, it makes sense.

[00:03:15] Evan Francen: Well, yeah, because you know, some of the companies that I was meeting with last week and people I talked to, you know, I’ve never heard of their companies even, you know, you get so sheltered up here in Minnesota. You go out to California like, oh, okay. There’s this company here, tell me how you do security. And they’re like, they tell you and you start talking about security like damn, nice. We’re doing it right. I mean both of us you are and I am and it’s just cool. You know, so we’re looking for partners looking to help them build better information security practices for, you know, themselves and yeah, their clients, it’s really cool.

[00:03:53] Brad Nigh: Yeah. We had, last week we hosted a Spiceworks user community meetup on Wednesday.

[00:04:00] Evan Francen: How many people came for that? That’s 16. Nice. And they all came here. I came

[00:04:06] Brad Nigh: here and uh yeah, it was good. We talked, started with some incident response and then kind of just went off into just Q and A. And questions and I told him what we were doing with the s to Oregon. A lot of like wait, what you’re doing, Huh? That’s cool. So that’s good. But it was good to hear. They had some really good questions and it’s like I can bring up an IR slide deck if you guys really want to do that. But let’s just

[00:04:36] Evan Francen: talk. Yeah, I think it was two weeks ago was BSides. Last week it was ISACA, the Orange County chapter, you know, for me, and man, they’re just cool people. I mean there isn’t, I haven’t met a single, well maybe, but they probably just don’t come up to me after the talk, you know? But I don’t think I met a single jerk. I mean they’ve all been super nice.

[00:05:01] Brad Nigh: Yeah. I met with so many in the insurance industry out in San Diego were there and talked for, oh, good in the hour. Just didn’t realize they were gonna be there were both there for the same thing and I started talking and it was, it was really cool to hear their side of it and how it resonates and how they’re, they’re struggling for their customers. They were really happy to hear what we were doing and cool. So yeah, it makes you feel good.

[00:05:33] Evan Francen: It does make you feel good. It makes you feel good when you’re doing good. You know what I mean? It makes, uh, it makes it all seem worth it. Yeah. When you’re tired and you’re like, I don’t feel like getting out right? Yeah, that’s good.

[00:05:45] Brad Nigh: That’s good. Yeah. So, um, yeah, roadshow we’ve talked about that a little bit, um, I will say today this week is our all hands. Meeting everyone’s coming in. So that’s

[00:05:57] Evan Francen: exciting. I’m looking for coming from all over the country, right?

[00:06:00] Brad Nigh: Yeah. Growing, Yeah, 22nd in the fast 50, which was, that was unexpected. I didn’t expect. I thought we would be, we kind of take friendly wagers right now nothing changing hands. But I thought right around 3033 last year and kept going up, wow, that’s cool. Crazy. Think how far

[00:06:24] Evan Francen: We’ve come. Well that’s really good growth. Right? I mean 75% right for

[00:06:29] Brad Nigh: a consulting services company. Not a lot of them are software companies and things like that where you can ramp up creating quickly. Right? So

[00:06:39] Evan Francen: Well, and I think it’ll even get better because, you know, as SecurityStudio continues to grow and, you know, and as we continue to, you know, fun moving into other markets and things like that with FRSecure.

[00:06:52] Brad Nigh: Well did can you get fun back of the napkin math for next year And we’re going to be probably higher. Wow,

[00:07:00] Evan Francen: that’s cool. So I got a great team man. Honestly you guys, you guys are amazing. I uh from top to bottom both sides. I mean everything is just cool. We don’t have a single dickhead.

[00:07:13] Brad Nigh: Well, so I said I was reading that book and it’s the title of the book is the no asshole rule. So I don’t think I can get in trouble for actually reading the saying the title of the book. But uh I was talking to somebody, I don’t think we talked about this on the podcast but over the holiday back in september and just tell them how we don’t have any the kids, right? It’s like, have you read this book? I was like, no. So I read it and it’s a really, it’s an easy read, but it really was like, yeah, that makes sense basically as a company, do you make a decision that it doesn’t matter how much revenue somebody produces if there negative overall impact to the organization and they’re bringing other people down and constantly requiring maintenance, it’s just not worth

[00:08:02] Evan Francen: it to cancer man.

[00:08:03] Brad Nigh: So it’s really cool. We don’t have that here. But I’m looking forward to seeing everyone, our IR team’s coming in. So that’ll be nice to give them a little

[00:08:13] Evan Francen: time getting here is they’re going to get here while we’re recording. Probably so we’ll see what start

[00:08:18] Brad Nigh: start uh trickling in here.

[00:08:21] Evan Francen: Yeah. And for people who don’t, haven’t seen pictures of our studio, we were recording what’s called the fish bowl, right? So it’s all glass and we can see people who walk by and I’ll give us weird looks and try to make us laugh. But I have no sense of humor. So I won’t laugh right

[00:08:38] Brad Nigh: now. It’s called it in this. The guys that were here on guys and girls that were here on Wednesday were like, what do you guys is that? That’s cool. Yeah, it looks kind of got the data center racks and ladders and stuff. So

[00:08:54] Evan Francen: yeah, this would be a crappy data center though, wouldn’t it?

[00:08:57] Brad Nigh: It was supposed to be the blinky light

[00:08:59] Evan Francen: one. Yeah the one where you show customers. Yeah I suppose for that it’s not too bad. It’s got its

[00:09:04] Brad Nigh: own no production data thermostat here. So there you go. We can turn that on and drawn out everything. All right so uh good things. Uh What the other thing I think really that we can see coming is we’re we’re both nerds so we watch the numbers for the show and kind of watch that grow. But the other way we can really tell that it’s starting to get some traction is we’re getting a lot more emails which is awesome. So uh one last week that came in was how defining information security and policies but struggling with the term of IT security. Uh And that CompTIA article that’s linked in the show notes. Was it was an article I. Yeah

[00:09:58] Evan Francen: Yeah, yeah, so the article is titled, you know, “What is the difference between IT security and cyber security?” Uh

[00:10:04] Brad Nigh: huh. I don’t. Yeah and no you wrote the note so you kind of wrote what I and I was like yeah no I don’t know if that article help with anything. Right? I read it this morning like maybe I’m not awake yet but

[00:10:19] Evan Francen: right I mean and then if you if you read some of the comments on that article it was like they’re like yeah you nailed it. Exactly and I’m like what the hell? I don’t understand what he said. I know I but anyway, you can simplify this. And uh and it it is important. I mean, another part in the article was how important, you know, is it really even important that we get these words correct? Yes, absolutely. It is right. Because the people are making the decisions of the people who are supposed to be making the decisions are confused as hell. And we just keep confusing them because you keep coming up with new words,

[00:10:57] Brad Nigh: right? Or the phrases or words that don’t have a consistent definition, right? How how are executives or anyone supposed to be making decisions? If I say information security and you say it and it has two completely different meanings, right? That that’s not a good, good way to be successful. It goes back to our mission, You know, nobody speaks the same language. And I think this article really drives it home. Yeah. It says even he’s writing this and he’s still killing. It doesn’t really matter. No. Yeah, it does.

[00:11:35] Evan Francen: It certainly does. Yeah, yeah. And and uh and it’s funny every most meetings, you know that I go and sit and talk with other security people. They’ll use the word, you know, cyber security or you know, and I’ll ask him, are you do you mean cybersecurity? Are you talking information security? They’re different, right? And they’re different on purpose, right? I mean if you use different words for things, they’re going to mean different things. So it just blowing over and saying, oh, it doesn’t matter. It’s like but it does. Right?

[00:12:11] Brad Nigh: Yeah. No. And what’s interesting is any time I’ve talked with anyone and they’ve kind of gone through, okay, what’s information versus cyber? And while cyber is about computers, right versus information, which is administrative, physical and technical and go through it and they’re like, yeah, yeah, yeah. Like it makes sense.

[00:12:33] Evan Francen: It’s funny how many people I mean, and we’ve been, I mean I preached it so many times. I even get tired of hearing myself say it. But you know, and that’s what so much of this road show is about to, right? It’s just the fundamentals. It’s the basics. Let’s talk about the basics. And the reason why I want to talk about the basics is because it’s not sexy. It is hard work, but it has to be done right? If you don’t cover the basics, if you don’t cover the fundamentals, everything else is just lipstick, right? It doesn’t matter

[00:13:07] Brad Nigh: well. And you know, going back to the, um, Spiceworks thing on Wednesday, they said, you know, well, where do we start, what do we do? How do we help? What makes a good program? You can have a great IR plan. You have a phenomenal document, if you don’t have asset management in place, if you don’t have, you know, some sort of data classification so you can classify things correctly, if you don’t have these fundamentals, who cares? Right? Like we’re seeing it in IRs where it’s like, where is this traffic coming from? I don’t know. Well, I can’t help you. I can see malicious traffic on your network and you can’t tell me what device is on what port, what’s a BYOD. Okay. Um, uh, you’re like, why? What is going on? So yeah, I think, like, you’re right, the fundamentals are what we really are struggling with. And I think it comes back to all this confusion around definitions and what should we be doing? Just simplify.

[00:14:13] Evan Francen: Yeah, absolutely. Simplify, fundamentals. Ah, you know, obviously you still need to be compliant, and that’s really what the purpose of the roadshow is: getting everybody speaking the same language, getting everybody working the same definitions, getting everybody to focus on the fundamentals. The theory is 90-95% of all your risk is in the fundamentals. Right? So, um, and that’s our definition. Right? So for the listeners, you know, the definition of information security is managing risk, right? Not eliminating, managing risk to information confidentiality, integrity and availability (we’ve all heard of CIA before) using administrative, physical and technical controls. And so, and how that differs from cybersecurity: cyber, the word itself, cyber, if you Google the word cyber, it’s of or pertaining to computers. Right? So that would be a subset that would fit within technical controls of our definition of information security. And then where IT security comes in, it’s information technology. Right? So that would again refer to technological controls

[00:15:25] Brad Nigh: and maybe some of the administrative for the documentation process perhaps, but primarily the technical piece.

[00:15:32] Evan Francen: So in my definition or in my thought process, both IT security, if you used IT security and cyber security synonymously, I would almost, I would just give you a pass on that because the technology

[00:15:44] Brad Nigh: but

[00:15:45] Evan Francen: information security is the overarching thing, right? That’s what we’re trying

[00:15:51] Brad Nigh: to.

[00:15:52] Evan Francen: Yeah. And people are the most, the most significant risk. You can’t treat information security like it’s IT security or like it’s cybersecurity because you’re missing the most significant risks. Right.

[00:16:06] Brad Nigh: Right. Yeah. It doesn’t mean we’ve talked about it. It’s I’m not going to hack a firewall if I can go and sweet talk the receptionist into giving me access, right? Like it’s a lot easier to get through a person than it is through technology, assuming it’s configured properly

[00:16:23] Evan Francen: and attackers are running their businesses like it’s a business. Right. So what’s the greatest return on investment? It’s sending email, people phishing, it’s picking up the phone and making a few phone calls. I mean it’s not going to be a guy behind the keyboard, you know, looking for some zero day exploit in your firewall. Yeah. That’s cool. It’s sexy. It’ll sell tickets to the next convention or the next, you know, keynote. But the end of the day, it’s the basic crap that you really kind of focus on, you know,

[00:16:51] Brad Nigh: You know, and from a technical perspective, those basics include knowing what is open on your firewall, right? Don’t give them an open door in. But at the end of the day, those are easy things to, to do. Focus on, right. The, the people

[00:17:09] Evan Francen: when it’s sad to see the CompTIA article sort of not answer the question, you know, really skirted the question. Uh, and whether it did sort of touch on the, the answer to the question, it was wrong.

[00:17:23] Brad Nigh: Yeah, it was, it felt like it, the two like it says the two diagrams are kind of uh

[00:17:30] Evan Francen: yeah, they didn’t fit.

[00:17:32] Brad Nigh: Yeah, they’re in conflict.

[00:17:35] Evan Francen: So my, and then we get wrapped around, you know, because I did have some discussions uh, do you know the cool thing about the roadshow is you get so many different discussions with so many different types of security people and sometimes we get wrapped around the axle on risk, right? You know, one of the people that I was talking to, they said, well, we stopped even referring to security as risk and I’m like, okay, well then what do you refer to it as? And he’s like, well we just, we refer to it as measurements like an index and I’m like, okay, but what does that index represent? Right? You know? And it’s, well, it’s, I guess it’s sort of risk, okay.

[00:18:13] Brad Nigh: There’s it’s that sort of, it is,

[00:18:15] Evan Francen: yeah, I mean it has to. Right. And so that’s interesting. Yeah, it was an interesting discussion. Um, and then there was another discussion with another CEO of a security consulting company who doesn’t care at all about risk. Their whole business is on compliance. Their whole business is just checking the boxes. And uh, it’s like God, and they’re making a ton of money doing it. It’s like, man. So, wow. Yeah. So I mean if you really want to, so, you know, getting everybody to speak the same language to manage security similarly, right? At least using the same definition, we have a measurement that we use and you know, and it works well. Our customers understand it, our customers buy into it.

[00:19:05] Brad Nigh: I think that and that’s the biggest challenge a lot of times is what’s the risk? How do you explain that to a non security person or a non technical person? And that’s where I think we’ve done a good job in creating that method of, I’m saying, okay, here, here’s your risk score. Right, Right. And people go, oh, okay, I

[00:19:27] Evan Francen: get that. Right. And I had another, you know, really good discussion. All these are good discussions and I respect all the people that, you know, I have them with. But uh, I was talking about, you know, quantitative risk analysis. And I was like, okay, not basic, not fundamental. It would be great if you could actually do it, but just, you know, choose a a standard unit of measurement. You know? And I and I use my fingers a lot. So I’m holding up at some, some point somewhere in history. Somebody chose that. This was going to be an inch. Right? Just and then we just applied that same inch everywhere all the time. And so then it became consistent and so if you do a qualitative, you know, may start off qualitative, but if you keep using that inch everywhere, it sort of starts to become quantitative. And so yeah. Anyway,

[00:20:23] Brad Nigh: well, you know, going back to that company that just does compliance that we get. We we do run into that a lot. Like, well why are you more expensive than this other company? Well, do you want checkbox compliance or you want to do security properly? We’re going to focus on security and in the process get you to compliance or you can do the bare minimum and check the box and hope nothing happens and defend yourself in.

[00:20:52] Evan Francen: Well on the way in the way security works, right? Is eventually you’re going to have to do it right. Eventually you’ll get forced to one way or another would be a breach, it’ll be something. And you so you eventually you’ll have to focus on the fundamentals and the way you build a security program, the cost, the most significant cost is in the building of the program. Right? So your first one or two years of building your security program will be the most costly for you. And then it’ll taper, your costs will taper off because you’re in maintenance

[00:21:23] Brad Nigh: right now. It doesn’t stop. And I think there’s a problem a lot of people see as well or don’t see. Right, right. Oh, we’re 750. We can kind of sit back and just coast. No, right. You still have to go and keep doing things. But

[00:21:39] Evan Francen: When you have to maintain for sure, all those things that you bought to get two or

[00:21:44] Brad Nigh: well and the, all the policies you have to continuously review all the procedure. I mean it’s not like you can just sit back and be done and we’ve seen those companies too where their score drops year over year because they hit, hey, we got a 700, we’re happy, then the next year it’s like a 680. Cool. Why do we backslide? Well, you quit doing things? It wasn’t a priority anymore. So yeah, it’s not, it’s not, it’s never ending.

[00:22:11] Evan Francen: But in terms of cost, you know, in the long term doing security right costs you less than

[00:22:16] Brad Nigh: coins. Yeah.

[00:22:18] Evan Francen: So if you’re, if you’re myopic and short a short term thinker, you may think that checking boxes is cheaper because you compare to, you know, solutions right out of the gate. The secure solution is going to be more expensive than the compliance solution but over time it’s going to flip flop quite a bit and you’re going to be kind of screwed so yeah do it right. The first time that’s the way my father helped me to do stuff.

[00:22:44] Brad Nigh: Yeah it might be a little bit more of the first time to do it that way, but it saves you so much. I mean even not just in security, just in general. Right? Oh yeah yeah I like that. We should make a diagram at some point.

[00:23:00] Evan Francen: Yeah. And it’s a simple diagram. Right? I mean just put information security is a big circle and then put the other ones inside of it. There

[00:23:06] Brad Nigh: you go. Done. Yeah. Just get on that

[00:23:10] Evan Francen: were like really stranded. If we’re smart

[00:23:12] Brad Nigh: we’ll see if they actually listen. Well now they’re going to send us a diagram about because that’s what you’re talking about. All

[00:23:21] Evan Francen: right. And to the, to the listener, you know, who sent that sort of question and thing into, uh, you know, the podcast: hopefully we answered your question, right? In our definition which we want to be. I mean at least if you have a better definition, then bring it. But that’s the definition of security that we use: information security encompasses all these other parts of security. Cybersecurity, IT security, physical security fit within that.

[00:23:48] Brad Nigh: Yeah. And I think what I like ours. It’s simple. Keep it high level. Keep it simple.

[00:23:54] Evan Francen: It’s easy to understand. Right?

[00:23:55] Brad Nigh: So All right. So on the note of listener emails, we also got one and you mentioned it in the the notes last week

[00:24:07] Evan Francen: that we were going to cover this

[00:24:08] Brad Nigh: week, the Cybersecurity Maturity Model Certification. Uh, should we talk about this, Evan? Yeah, you have the notes in there, um, in the show notes about kind of the highlights of it. Um, I did read through it, uh, the .4 version, and I was surprisingly impressed. I was like, I was very skeptical of going, great, here we. No, this is actually pretty good.

[00:24:43] Evan Francen: Right. Yeah. Yeah. Well, it requires that validation that requires, I mean it’s the same concepts that we had with, um, you know, FIPS 199 and, I think, NIST SP 800-53, but it, it’s better, and I think, and it talks about application.

[00:24:59] Brad Nigh: Yeah, it’s a little, I think it’s easier to understand the, uh, maturity levels that they have, and the examples of kind of what you’re looking for I think are well thought out, and again, they’re clear. So, and I think a big difference is it doesn’t seem to be, yeah, it’s more like the CSF in its thinking versus the 800-53 where it’s super black and white and green, there’s a little bit more business functionality seems to be built into it.

[00:25:36] Evan Francen: Well, yeah, because I think even the government, you know, so the implementation, at least the initial implementation of the CMMC, is just gonna be DoD contractors and suppliers. Right. And I think the government is starting to sort of figure out that if we want the best solutions that the private sector can afford or the private sector can create for us, we’re going to have to make it so they can give it to us. Right. Right. So we have to be more business friendly in our approach; just treating everybody like government entities doesn’t work. If I’m a 20 employee company, I can’t afford to do your

[00:26:15] Brad Nigh: Well, we’ve seen it with multiple manufacturing companies that have, that are subcontractors that have to do 800-171. And I mean, it’s almost on overbearing and overly burdensome stone, whatever. Yeah. Whatever you want, how you want to put that.

[00:26:35] Evan Francen: And for the listeners, that’s the same as DFARS. Right?

[00:26:37] Brad Nigh: Yeah, Yeah. So, yeah, they come in and they’re like all these controls and it’s a manufacturing of A specific part for a specific piece of military. Yes, they’ve got secret stuff. It’s really, there is important to their, but to expect them, you know, a 50 person Shop that has 40 of the people on the floor making carts to do the same as a government entity. It’s just not realistic.

[00:27:11] Evan Francen: Well, that’s one of the reasons why, you know, because we’ve been asked for, we don’t do a lot of federal government work. And I’ve never really been interested in it. And people have asked me, well, why not? Because it’s a pain in the ass. It’s so much easier to service. And they can make such a bigger impact on, you know, SMBs or, you know, private, um, you know, private companies why deal with it for the short for the small margins, You know, it’s just not Well, and it’s very good that Booz Allen, you know, have that business,

[00:27:43] Brad Nigh: Right. one. That’s a lot of, you’ll see a lot of that compliance focus driven stuff. They’re going to do just the minimum to check the boxes because

[00:27:52] Evan Francen: right. So it almost seems like to me, you know, as I was writing to it, because I agreed with you, at least the version .4 looked pretty impressive, and then .6 is coming out next month and then the final will be January. Uh, and that will be this kind of the same time that I think they’ll be starting to enforce it. But it seems like the government actually listened in the development of this, you know what I mean? Listened to, like, what is, what’s not working with DFARS and what makes it so difficult for you to do business with the government, and they’re like, oh, well, we can do security better by creating these maturity levels and by, you know what I mean? It just seems more business friendly like you’re saying, and the government must have heard that from somebody.

[00:28:38] Brad Nigh: Yeah. I’m wondering if, you know, they probably got a lot of non compliant of those DFARS reports back and went, okay, something’s wrong here. If the majority, I’m going to guess the majority of our sub cons or sub self cons, right? Multiple levels down. Can’t comply with this. We’re not something

[00:29:01] Evan Francen: wrong. Right? Yeah. You know, and they also put together a really nice FAQ, you know, which is linked to in our show notes. Um It doesn’t so before it was controlled but unclassified information was really what it DFARS and it’s applied to here. It’s that’s not dependent, right? It doesn’t matter necessarily if it’s controlled unclassified information. It’s if you do business with the Department of Defense, you have to do this, right? Which is sort of good. You kind of want defense contractors to have some assurance of some security controls regardless. Because the way that everything is connected nowadays, you know, just because you don’t have CUI information doesn’t mean that you threw you somehow. They couldn’t get to write that information. Well

[00:29:55] Brad Nigh: and honestly, I was reading through it and I’m going, you know, I could see us utilizing this. Oh yeah. Right. This is DFARS and uh pain is there? We do with that. But It’s yeah, it’s a pain this was actually something I was like, okay, I could see us doing like the kind of what we do like to talk to. We’re going to do that assessment, that gap assessment for you and help you get to do it that with 800. Those are just it’s like it’s so prescriptive, right?

[00:30:26] Evan Francen: And they simplified, you know, they took the various, or the, you know, the control standards like, you know, 800-171, 800-53, ISO, and put them all kind of in one sort of easily referenceable, yeah, standard.

[00:30:44] Brad Nigh: Yeah I was I was pleasantly surprised. They’ll be they’ll be something to definitely keep an eye on.

[00:30:50] Evan Francen: Yeah. Yeah. So generally positive we’ll see you know how the final version ends out, you know, which again keep an eye on it, January 2020 is when uh the version one the one that they intend to enforce right is completed.

[00:31:05] Brad Nigh: Yeah it’ll be interesting to see because for the mentioned that you have to be a £3 to credit and to become that for 871 or some of those other. It’s a it’s a burdensome process. So I think you see you’ll still see that there’s very few big companies. Yeah you’re three powers but

[00:31:29] Evan Francen: well and I wonder because you know they’re setting up an entirely because they just issued the RFI what the third I think of of October for the accreditation body which is who will determine how that all gets handled. I’m guessing it probably will be because if they listened enough on this piece, maybe they’ll listen enough on that piece too. I see. But they should open it up to more participants as well. Right? Not make it so rigorous for the assessors. Make the

[00:32:00] Brad Nigh: yeah there’s not a whole lot of them out there right

[00:32:03] Evan Francen: now. No I mean you and you can vet an assessor and you know and spot check, you know quality standards and things like that without making it so darn cumbersome for them

[00:32:13] Brad Nigh: too. Yeah. We’ve been asked if we would do it like uh for the old, I’m like the amount of work it’s just not for like FedRAMP and all that. It’s not worth it for us

[00:32:25] Evan Francen: know and we make plenty of impact and help tons of companies not being that

[00:32:31] Brad Nigh: anyway. So. All right. So the next thing we had uh and again driven by a listener feedback was on Twitter and this was interesting. So it’s again the show notes it’s Twitter’s fun. Yeah. Yeah it can be. Uh So lots of people. So this is at C. Zero B C. H. I. K. Uh Lots of people whining about empathy and infosec this morning.

[00:33:01] Evan Francen: This is what he or she said yes and I don’t know if it’s a he or she. That’s the thing about Twitter necessarily know.

[00:33:07] Brad Nigh: What are you all on the same sensitive mailing list or something enabling bad behavior in the name of empathy doesn’t make you a good person makes you a coward. So it goes on around that and uh, you responded about some truth. Um, and yeah, so I’ll let you start with this because I have some thoughts do. But since you, you actually interacted, I’ll let you go with this. But

[00:33:33] Evan Francen: well I think it for one, I think it was, I like when people express their points of view without, um, just say what you mean. Yeah, I mean don’t sugar coat things, don’t worry about being politically correct. Just put it out there. You know what I mean? And so it, uh, I think it took some guts for him or her. I’m guessing it’s probably him, but I don’t know to put that, you know, to put this out there. And I grew up an only child. My dad was a 20-year marine vet. My mom was a marine vet. Uh, you know, so we had discipline in in my house and uh, and I didn’t get a lot of emotional sort of support. Like poor Evan. You know, it was like pick yourself up and get going right. And I appreciated that toughness that, you know, I grew up with and it’s uh, it’s come in handy for me. You know, when you’re, uh, if there’s something that you believe in, you stand up for it, right. Right. I don’t roll over. Um, and it really helps in this job.

[00:34:44] Brad Nigh: Yeah, I think you said it. Well, that uh be honest. But empathy helps you have to be you have to have it and understand how it works. Like the if you’re not you’re kind of sociopathic and that’s not good either. Uh, but yeah, I’ve so many places and so many times you see the people that are afraid to say something because yeah, uh, they they’re afraid of hurting someone’s feelings. Or I don’t know what it is. But, you know, sometimes those things have to be said and you know, we we see it. And unfortunately, sometimes it cost people jobs,

[00:35:22] Evan Francen: all right. And I

[00:35:23] Brad Nigh: think, and I think that’s why people are afraid, right? Nobody wants to, Well, most people don’t want to intentionally hurt someone else. But occasionally it’s like, hey, here’s the reality.

[00:35:33] Evan Francen: Well, that’s it too. I mean, as long as you’re you should keep with the truth, it doesn’t matter to me. Uh, there are ways to express the truth, you know, without purposely, you know, offending somebody. But at the end of the day, if you’re offended by the truth, that’s your problem. It’s not mine. And I think in in order for you to be bold enough to say stuff like that, you have to really know what the truth is, then, don’t you? Yeah. And so like with information security, you know, you have to master what your craft enough to where you know, I will tell you the truth. I mean, and I’ve had this to, you know, on the roadshow to I mean, But like the guy that was all about compliance, right? You know, I mean, I that was bold enough and this is the CEO of a company, right? You know, with 100 or so employees and have being bold enough to tell them. I think you’re wrong. Well, actually, I know you’re wrong. Your approach to information security is not helping. It’s not helping the cause it’s not helping my cause. It’s not, you know, but in order to two to do that, you have to be confident,

[00:36:44] Brad Nigh: right? Well, you have to think there’s a right. There’s we talk about it. There’s an art to saying telling someone their baby’s ugly, right? I mean, it’s kind of the analogy is a lot of times we have to use, here’s the facts. But you have to do it in a way that’s, you know, not accusatory because people go immediately on defense. Well then you’ve lost him as well. Right? So there’s I think you’re right. I think you got to tell the truth, but you have to be able to use empathy appropriately and know when to some

[00:37:17] Evan Francen: tact. But but also um when somebody says something and I think one of the points for the Twitter author to was um or the tweet author is uh to have a little thicker skin. You know, if somebody says something that, you know, because I can I can control how I’m going to behave right? I can control you know being empathetic. But what if somebody else is not what is whining going to do about it? Well and what’s complaining going to do about it? Just either ignore it or confront it or what run away.

[00:37:56] Brad Nigh: So like a good example I think was you know, we’re working incidents and we deploy some tools to help contain and they started seeing what they considered slowness or performance impacts on some of their devices six weeks after deployment. So we hadn’t changed anything and all of a sudden had some performance issues but rather than let us know they just started uninstalling the agent. So total unwise. Right? Without telling us right? You asked the next day what’s going on? Well while I was slowing things down we couldn’t do business now I’m I’m empathetic to their need to do business. However, the response was well you understand we just lost by you doing that. We’ve lost visibility into what’s happening. We now have something completely anomalous happening. And we have in the middle of an incident and we have no way of contain or control at this point. Why did you do this? I’m empathetic. I understand why they did it like or well the reasoning right, Well we got to do business. We can’t be down. Uh huh. What is wrong with you for lack of a better phrase call them out on it.

[00:39:12] Evan Francen: Yeah. And you’re gonna you’re gonna be more down. Well that’s exactly so you know that even fixed. Did that even fix their problem?

[00:39:19] Brad Nigh: So

[00:39:21] Evan Francen: uh performance issues

[00:39:23] Brad Nigh: they they have multiple problems. Um It was not related because we were able to push this back out and hasn’t had any issues on it since. So yeah. But yeah it got their attention and they were became a priority to put it back on. I said, okay you you had some slowness yesterday we’ve seen evidence of ransomware in your network. What’s the performance impact on your business impact going to be if if these get ransom now look right legit question got some

[00:39:57] Evan Francen: attention when we run into that. I mean you run into that all the time. Right? I mean the status quo is easy, right? Going with the status quo? If if i if my job as a security person is to I mean really have two jobs. One is to assess risk and consult the company, consult executives on what risk is and you get pushed back all along the way, right? Because you essentially sometimes what you’re doing is you’re telling the executives that your baby is ugly, right? And they’ll say well they’ll challenge and that’s fine. It’s a big job, right? So being able to stand your ground like no this is factual information. I’m sorry if you don’t like it. It also helps though, you know being a consultant because you know if you I want to fire me you can yeah. You know I will sleep well knowing that I told you the truth,

[00:40:49] Brad Nigh: right? I did everything I could to help you, right? It’s I can’t I can’t make you do the right thing.

[00:40:55] Evan Francen: Yeah. And it seems like most of the people, most people who whine are discontent for one reason or another um then they’re not comfortable in their own skin and you know, so

[00:41:09] Brad Nigh: yeah, there’s a bill of uh insecurity,

[00:41:11] Evan Francen: right? So I think, you know, and it takes I think if you really want to be good at any job, you know in this job for sure you have to have thick thicker skin, you have to be able to kind of roll with the punches you have to take.

[00:41:26] Brad Nigh: Yeah. Well

[00:41:27] Evan Francen: it’s a career limiter. If you if you can’t do that, you know you

[00:41:32] Brad Nigh: burn out,

[00:41:33] Evan Francen: you’ll burn out or you’ll just

[00:41:34] Brad Nigh: give up. Yeah. Yeah. I think I’ve always said you know, kind of going along those lines even back in I. T. If if you asked me a question or challenge me from as a from to my bosses or whoever either I need I’ll have the answer or I know where to get the answer. If I don’t then then I haven’t done my job, but I want them, I want that challenge to make sure I’m not missing something. They’re looking at it from a different perspective that’s fine. But at the same time, if I give you those answers, you have to accept that this is this is the truth, right? Right? So, there is a kind of a give and take between the

[00:42:11] Evan Francen: two and the thing is, is you said they have to accept that this is the truth. What if they don’t? Because how often does that happen? They just refuse to accept the truth.

[00:42:20] Brad Nigh: Yeah, Well, and that’s when,

[00:42:22] Evan Francen: I mean, I’m not going to beat my head against the wall if you refuse

[00:42:25] Brad Nigh: to accept. I think that’s where you start seeing kind of going back to the mental health back in. That’s when you start seeing the head against the wall and the burnout occurring, where this is what the stats say. This is what the numbers say. And I can’t change

[00:42:41] Evan Francen: What’s happening one. If you’re good at your job. If you’re good at information security and you work in a place where they refused to accept the truth. My advice has always been just to go out and get your job.

[00:42:52] Brad Nigh: Oh, there’s plenty of jobs out there, right? You don’t have to be in that

[00:42:55] Evan Francen: position. There’s plenty of jobs out there for some people. Yeah, true. All right. Anyway, So, yeah. Get my advice for anybody who wants to, you know, become an influencer in this industry for anybody who wants to actually help companies. You’re going to have to have some thick skin and you need to be polite, you need to be gracious, but tell the truth, always tell the truth. Yeah, I think ever not tell the truth

[00:43:22] Brad Nigh: taking, you know, honestly. I think what helped me is, I mean, I did theater in high school. Right? So you can learn how to communicate. You learn,

[00:43:30] Evan Francen: is that how you see a theater? I thought it was theatrics. No,

[00:43:33] Brad Nigh: I don’t know. Whatever. It’s got the

[00:43:35] Evan Francen: little tray.

[00:43:36] Brad Nigh: I’m not that snobbish

[00:43:38] Evan Francen: about it because it seems more the that’s that’s being Yeah. So you were a thespian? I was actually that’s awesome.

[00:43:47] Brad Nigh: One of words about it, which is crazy.

[00:43:48] Evan Francen: That’s really cool man pictures.

[00:43:51] Brad Nigh: All right. Yes, awesome. I need to see that there’s some bad ones anyway. That’s really cool. But you know, looking at it that really help because you have to learn how to communicate and read people and do that. If you’re if you don’t have that experience and you’re struggling, go take a community, like learn how to communicate better. Yeah. Right, Take a class, improve yourself. It will absolutely help your career.

[00:44:16] Evan Francen: Yeah, absolutely. And I think, yeah, learning introspection, Learning to look in the mirror first before pointing fingers or attacking other people, you know, certainly helps a lot to

[00:44:26] Brad Nigh: kind of, one of the things we’re doing here is, you know, we really focused on this as a leadership team is giving the benefit of the doubt. Don’t just immediately assume. Well, Evan said this because whatever. Well, there’s, there’s probably a reason behind it. Understand what that is before you.

[00:44:45] Evan Francen: Well, yeah. And go ask, go ask for clarification rather than assuming. Yeah, that’s a that’s a communication thing too. So, so what’s another word for thespian isn’t another word is hypocrite. I think if you google him hypocrite, I’m going to google that where you go into the next topic. Oh boy. Something called

[00:45:05] Brad Nigh: today opened up anyway. All right. So we’ll move on to the news stories. Uh, First one is off security affairs dot ceo. Alabama Hospital chain paid ransom to resume ops after ransomware attack.

[00:45:21] Evan Francen: I might have gotten that word wrong.

[00:45:23] Brad Nigh: Well, you’re not there. You can make things up.

[00:45:25] Evan Francen: Damn it. That’s wrong. I thought hypocrite was like an actor

[00:45:29] Brad Nigh: maybe, I don’t know. Hippocratic oath for doctors.

[00:45:33] Evan Francen: I don’t know. It’s not trapped, wow. All right. Maybe we’re just trying to be smarter than we are.

[00:45:39] Brad Nigh: It’s also really early on a Monday. So we’ll blame that uh, Alabama hospital chain is restored operations after paying ransom requested after crooks infested infested infected systems with ransomware. So they got hit with rock. Uh, looks like they did recover most, but they were still recovering some non critical systems they had to revert to paper files, you know, we talk about it and ransomware is the easiest thing to recover from. We actually have one of our incidents is they’ve got riot and it took a little longer but they recovered from backup you know they the backup server got right to build a new one. They had ingest all their tapes and inventory of those and then recover. But it worked and they didn’t pay a penny. Well yeah. Right. I mean now they’ve still got a lot of work to do and they’ve got other issues on how it happened but it just it continues to blow my mind that realistically ransomware is the easiest one of the easiest things to recover from. If you do some simple prep.

[00:46:55] Evan Francen: Well how long have you been in technology?

[00:46:58] Brad Nigh: I started in 21 years

[00:47:02] Evan Francen: Amp. Alright. So 21 years ago. Did we did we ever talk to you about backups?

[00:47:08] Brad Nigh: Uh. Oh yeah. Right. I know

[00:47:10] Evan Francen: That’s what it’s like here we are in 2019 and we still can’t get companies to back up their data appropriately. I don’t

[00:47:19] Brad Nigh: I don’t get it.

[00:47:20] Evan Francen: It goes back to the fundamentals right? I mean this is where we started the show like fundamentals. Back up your data, protect your backups before we had to physically protect our backups. Right? That’s what we primarily thought of because ransomware wasn’t really a thing then. But now the threat is ransomware. So now it’s physically and logically protect your backups

[00:47:40] Brad Nigh: which I mean unfortunately it goes back to air gapping or or something.

[00:47:45] Evan Francen: It’s just protection of backup data. Right. The same crap. I mean here we are Because, yeah. When I first got started in I. T. Technology. Yeah. We were preaching backups. Right. Right. We did back up a little differently then. But man, they were really, really, really important.

[00:48:02] Brad Nigh: Yeah. Yeah. I’ve

[00:48:03] Evan Francen: had while we were primarily trying to protect ourselves against back then was, you know, hardware failures.

[00:48:08] Brad Nigh: Yeah, exactly. Yeah. I’ve gone through that. You learn from it, But yeah. How do you? It’s, I

[00:48:15] Evan Francen: don’t, I’ve really lost, you know, anybody who is, it’s like, I don’t know, I’ve lost patience and empathy for organizations that get hit by ransomware and are unable to restore from backup and or pay ransoms because it’s easier.

[00:48:30] Brad Nigh: Right? And I think we’re starting to see and I’ve talked with several people in the insurance industry where they’re starting to wake up. Yeah, push back a little bit Well because a, they’re tired of being labeled as the bad guy, right? Which we saw at the hacks and hops. Um, where there was a big and uh, there’s some healthy tension between you guys, the insurance and security side of things. But other people that I’ve talked to have said the same thing like why are we paying out? Because you didn’t do fundamental like you don’t have a backup. You don’t have anything. And we’re having to pay Well 10s or hundreds of thousands of dollars.

[00:49:10] Evan Francen: Right. I mean your insurance going to pay for my car. If I don’t put, if I never change the oil. Right?

[00:49:15] Brad Nigh: Right. So I think you’re starting to see, I think you’ll, you’ll see some change because insurance companies don’t like paying out either. Right.

[00:49:22] Evan Francen: Well, the thing that, you know, there’s, there’s illogical arguments because I heard from one insurance because you know, we have, we, we, um, have relationships with insurance people and um, one of them said to me, um, well, why is this any different than, like if your house gets, you know, blown away by a tornado, we pay. And I’m like, but you’re not paying a criminal, I don’t pay a criminal to build my house.

[00:49:52] Brad Nigh: If I, if I leave my doors and windows open and then,

[00:49:57] Evan Francen: well that’s, and then, and then somebody comes and steals your stuff right there, they may reimburse you for your stuff, but they’re not going to pay the criminal,

[00:50:04] Brad Nigh: right? In addition, it would be like, it would be like, hey, they stole my stuff and they want money or they locked themselves inside the house. Right? That would be a better one. Well, you have to pay them to come out so I can get my stuff back and

[00:50:18] Evan Francen: that’s what you would never do that. And when you hear, when you talk to people about, you know, fundamentals, you talk about DR or because having insurance is a fundamental, but when you talk to people about other fundamentals, What they’ll often say is all we got insurance for that. No, You don’t use insurance to cover other fundamentals. That’s just more lipstick on the pig, right? It’s not an either or it’s both. I need to have an asset management program. I need to do backups regularly and I’ve got insurance. It’s not bad.

[00:50:47] Brad Nigh: Yeah, it’s part of it. Yeah. So for anyone listening, we do have on our secure dot com under I think it’s resources there is a ransomware readiness tool that you put together Evan um that you is free. Just go download it and do it and see where you’re at. Yeah.

[00:51:07] Evan Francen: Yeah, there’s no no. Uh Well, do you have to register for it? Yeah, but

[00:51:12] Brad Nigh: yeah, so, you know,

[00:51:14] Evan Francen: I’ll spam the crap out of, you know, we

[00:51:17] Brad Nigh: won’t know. I could

[00:51:19] Evan Francen: we better not better not know. That’d be against our would be against our mission.

[00:51:24] Brad Nigh: Yeah. Then do I get to run you over? It’s gonna say you get to run someone over

[00:51:29] Evan Francen: your truck. Yeah. See I’m waiting for that opportunity.

[00:51:34] Brad Nigh: All right. Uh Next one. This was a good one. This is on GBHackers, 18 international hackers who steal tens of millions of dollars arrested for ATM Skimming attack. It was a really good read. I was interested that was interesting to see uh you know, so it’s got kind of what they did, you know, ATM skimming, they’d put the device on, collect it later. Get all the information that’s, you know, pretty standard at this point. But the list of the defendants their ages where they reside in their nationality. It was, I thought that was an interesting mix of uh background,

[00:52:09] Evan Francen: lot of Romanians. It’s Romania and US are the two primary citizenships or nationalities.

[00:52:17] Brad Nigh: Yeah, it was interesting. And then you know, most of them were living this couple in in Mexico and Italy, but most of them were in Florida and New York, some Nashville Tennessee and Russellville Arkansas which seemed to kind of random. But You got two people out of Russellville anyway. Uh Yeah, so I was interesting to see, I I didn’t have a chance to read the actual complaints and stuff, but I’m sure that that that would be a really interesting read.

[00:52:51] Evan Francen: Yeah, I like reading, you know, some of these complaints, this one will be interesting because You know, they basically broke a whole ring. This was a criminal ring of of ATM skimmers uh

[00:53:05] Brad Nigh: yeah the ages are all over the

[00:53:07] Evan Francen: Place. So that also explains why they’re geographically dispersed because their attack was geographically dispersed. But the national nationalities between, you know, the people, it’s Romania and the United States one. What is it? one person from Greece probably got lost.

[00:53:26] Brad Nigh: Yeah. Well and you look at the names and the kind of the the uh I don’t know what the right word is for like when you look at the structure of the like the last names and stuff and and kind of a genealogy. You can definitely see some some uh

[00:53:42] Evan Francen: yeah, Eastern European, South Eastern European kind of things. Yeah.

[00:53:46] Brad Nigh: Even the ones that were here in the US. Yeah. Anyway, that was that was pretty cool.

[00:53:53] Evan Francen: Yeah, bust the hackers, bust the hackers. Right.

[00:53:56] Brad Nigh: All right. Last one help net security dot com consumers concerned about connected home privacy. Still few implement safety practices. Yes, I read that one. Thank you. Uh, but it was well done. Um, I liked it. It kind of reinforces what I’ve seen on a much lower scale talking with parents at, at the schools and doing those types of things where they’re like, You know, one of it said most uh 57% of Americans, of Canadians. So they have not changed their router password or did not know if it had ever been changed since install. Well, I can tell you from personal experience when I talk about this, like how do I don’t even know how to do that? It’s not that they don’t want to do the right thing. They don’t know. And then, yeah, there’s not good resources out there to teach them either

[00:54:52] Evan Francen: one. And at some point you have to put yes, you know, we we’re trying to do better. We’re trying to tell them better. We’re trying to teach them better, but they also seem disinterested, you know too far too often.

[00:55:06] Brad Nigh: Right? Well, it’s unknown. It’s scary and we’ll find it works right. Like that’s not definitive but it’s kind of the

[00:55:13] Evan Francen: mindset. Well I think they just haven’t and they also haven’t suffered really any consequences. Right? I mean what are the consequences of a privacy breach for you? Well, you don’t really know what

[00:55:25] Brad Nigh: you’re starting to see. I think what you’ll see is more of these stories where we see the the hackers took over the camera system and we’re talking and right, we’ve talked about that one a couple months ago, I think as you see more of that

[00:55:38] Evan Francen: that’s what it’s going to take I think you know and I think what it’s going to take as a safety more safety issues I think it’s going to take you know kids what kids are doing and you know kids are being uh huh And we just started sort of cracking down with our own 14 year old daughter in you know, really restricting what she can do because and that was based on some conversations I’ve had with other people, right? What’s what’s been happening to their children? Yeah,

[00:56:03] Brad Nigh: It’s I don’t know. Yeah, my daughter is 13. So so

[00:56:07] Evan Francen: I mean I’m with you, you have to start bridging that gap like our parents rather than just being ignorant completely ignorant. So it works. Yes it works. But is it safe? No, it’s not safe if you can’t answer that question with any sense of like certainty. It’s not safe. It’s just not

[00:56:28] Brad Nigh: And here’s what’s crazy, so kind of a personal story, but I think it kind of fits in. My daughter was looking older, 13 year old was looking for cartoon characters for something, for some project or something. So she searched famous cartoon characters and she was, a lot of them are like the humanization of like Homer Simpson and stuff like if he was a human and some of that and it was it’s pretty creepy and she was like, what, why is it showing up? Why isn’t safe search stopping this stuff? And I’m like, no, it’s on and this is what’s getting, she’s like what’s out there? And I’m like that’s why. And she’s like okay, like it kind of clicked for her that there’s some really messed up stuff and that’s what she saw was. I mean honestly it was pretty benign. I mean it’s just what home would look like if it was a person based on proportions. But I think that really clicked with her like, okay, here’s this, okay, that’s why dad does all these things and my other daughter was there and was like okay and that I’m so glad that it was, you know, innocent as it were versus yeah, well there’s a reason we say to do these things and she kind of like I get it right

[00:57:49] Evan Francen: well and children, whatever you think children are doing. If they’re unsupervised on their phones or mobile devices, whatever you think they’re doing, it’s worse than that. Oh yeah. Yeah. Just just know that as a parent, you know, for anybody who’s listening, as a parent, you haven’t had a discussion with your child about what they’re doing. And even if you have controls in place and you think that those are effective, their kids, they get around them. Oh yeah, no, you’re not going to control. Had a I have a friend of mine who uh his daughter um started sort of her, you’ve heard of the love languages before, right? Her love language is words of affirmation, right? And so if you told her you look pretty today, she would that would make her feel really good. And uh so she had her um Instagram and Snapchat associated with each other and uh one thing led to another and found people, you know, people found her, right? That made her feel good, right? Which is normal, right? But then they took advantage of it and then she started sending bad pictures, right? And this is this is a this is a child who can’t even drive yet, That’s right, and this continues on and on. And then you know you they find out about it. And so they take the phone away. Well the people that she was hanging out with at school went and got her a new phone, wow. Right? So mom and dad have the phone from you know Verizon 18, whoever the hell that phone is and then she goes and gets another phone kind of uh I don’t know if it’s a burner phone or she set up a whole new account or what, but this happened three times. Oh my

[00:59:42] Brad Nigh: gosh. So one of the big things we talk about her that I talked about with parents is it’s not about punishment. It’s communication and education, right? It’s the same thing. You may not understand it. But if you communicate with your kids and explain and talk to them and have a level of trust and it’s, it’s not, it’s easier said than done, I totally understand that. But you gotta start, right. If you just immediately go to punishment and don’t explain why or whatever that’s what’s gonna happen. Kids just find ways,

[01:00:13] Evan Francen: well what? And it’s not punishment, right? I explain to my daughter my job is to love you and protect you and you know what I mean?

[01:00:22] Brad Nigh: But from from the kid’s perspective, it’s punishment.

[01:00:26] Evan Francen: I didn’t seem like punishment when I talk to her,

[01:00:29] Brad Nigh: you know, for the other one, right? For her friend or whoever

[01:00:34] Evan Francen: that went so far because there was, there was ignorance from the end of the beginning, right? That’s what I’m saying when you have your child, when you have your child out there already trying to get other phones, there’s an addiction problem

[01:00:45] Brad Nigh: now. Absolutely, but that’s where that communication and education and understanding come in versus right? If you do that, it’s the tighter you grab your hold the sand. The more that slips through you have to do

[01:00:58] Evan Francen: that had gotten so far where you had to have an intervention and actually remove her why it got bad. So, I mean if you but to prevent that stuff, right. Like you’re saying have a dialogue with your child before it gets

[01:01:11] Brad Nigh: that right. Exactly. Yeah. Don’t wait.

[01:01:14] Evan Francen: Right. And that’s what we’re trying to get across with a lot of parents is because all these things are related. Right? If you think that safety and privacy and security are not related topics, they are right there all about control, you know, controls and vulnerabilities and threats and

[01:01:33] Brad Nigh: risk. And even if you talk to your kids, like I know I’ve had the conversation with my daughters many times. I still continue. It is not once and done. They’re going to do things that they don’t realize because there their kids. Right. Anyway. All right. So we’re now seeing all the people start trickling in so we should probably, that is indicator. It’s time to wrap it up. Is it? I think so. Alright. Alright. So at this whole 49 is a

[01:02:00] Evan Francen: wrap. It is. I go to Chicago today in Dallas by the end of the week.

[01:02:05] Brad Nigh: I’m here all week. I’m so excited

[01:02:07] Evan Francen: 80° in Dallas. That’s gonna be nice.

[01:02:08] Brad Nigh: Yeah, it was snowing and gross all weekend. All right. Like many of you listening, we do have another busy week ahead. So thank you to all our loyal listeners. Thank you for the tips and the feedback. Please keep sending it. Um, email at UN security at proton mail dot com. Or you can socialize with us on Twitter. I’m at brad and I and Evan is at Evan francine and is far more active. But I do actually read it. I just never remember to post.

[01:02:34] Evan Francen: So antisocial I

[01:02:35] Brad Nigh: am. Uh and also you can follow @StudioSecurity, for the road of the I’m sorry. And the hashtag art man. Let me try that again. #S2Roadshow. Uh, see what’s going on with Evan and John and barbecue reviews.

[01:02:51] Evan Francen: Have you seen the barbecue? Yes, We’ve got like six of them.

[01:02:56] Brad Nigh: I did not post my 24 ounce porterhouse that I had. I don’t wanna make you too jealous.

[01:03:02] Evan Francen: No, no. I’ll just, I’ll just show up at your house. I know where you live. I didn’t eat for like two days.

[01:03:08] Brad Nigh: So All right, well thank you everyone and we’ll talk next week. All right.
