“Security Compliance” vs Being Secure

Unsecurity Podcast

We took a deep dive into the differences between “security compliance” vs what it means to be “secure”. Give it a listen and let us know what you think at unsecurity@protonmail.com


Podcast Transcription:

[00:00:22] Brad Nigh: Good morning. Today is April 22. This is episode 24 of the Unsecurity podcast. I’m Brad and I and I’m the host for today’s show. Joining me today is Evan. Say hello, Evan. Hello, Evan. Okay, we have a special guest with us. We have one of the mentees from the mentor program I’m working with, Drake. Hello? Yeah

[00:00:44] Evan Francen: Drake not Dylan.

[00:00:45] Brad Nigh: No correct and he does not have a microphone because we’re not that professional yet.

[00:00:49] Evan Francen: Well we could we have another mixer over there except we can’t figure it out. There’s that. Why do you why you so damn transparent?

[00:00:57] Brad Nigh: It’s because we do security not audio.

[00:01:00] Evan Francen: They said they were damn going to put us on the explicit list. Probably not. Yeah I think you can say that 24 episodes for you watch TV now haven’t you? Yeah they say a lot

[00:01:14] Brad Nigh: worse on TV. So yeah, as you know we participate in this mentorship opportunities, so it’s up to you, Drake, how much you want to chime in. But this is our is it shared experience shared experiences. He’s going to sit and listen to his talk.

[00:01:33] Evan Francen: That’s cool. This is what security is. This is what we do Except I did yeah I did something. Yeah a different one. That’s all good.

[00:01:44] Brad Nigh: Oh man. All right so anything exciting last week

[00:01:50] Evan Francen: uh Actually on a serious note? Yeah, last week was awesome. It was so called flying everybody in here from, you know, we had people in from Kentucky, people in here from Nevada, Florida because we had our quarterly meeting, you know, and it’s always cool to to see everybody. I get jacked.

[00:02:07] Brad Nigh: I really like, I was glad we, I like seeing everyone come in.

[00:02:11] Evan Francen: Isn’t cool because it’s like a party around here for a week. It really is. Maybe and I don’t drink, but maybe this is like a hangover the Monday after.

[00:02:19] Brad Nigh: Yeah, it’s back to business and yeah, yeah, it really is a party

[00:02:26] Evan Francen: atmosphere. Yeah, every night there’s the tech services team is doing hack night or something. We have game night, there was a lot of fun.

[00:02:34] Brad Nigh: They went out and did a lot of team activities, trivia night. I was, it was good,

[00:02:39] Evan Francen: but I think they rigged the game because I didn’t win.

[00:02:41] Brad Nigh: Well I told him I wanted somebody else to have a chance. I wasn’t able to do it. I was being nice. I get it. How’s your survey got last? I heard it was suspended.

[00:02:52] Evan Francen: So do the listener, did we mention the survey last week? I thought you did. Okay. Yeah. So trying to figure out what normal people think so created that survey sent it out. There is 42% abandon rate. So they paused my survey and uh I’d have to rework it still. Okay, so I haven’t re sent it. Have

[00:03:14] Brad Nigh: You looked through the results? You get? How many did you get? 84? Not bad,

[00:03:19] Evan Francen: But I paid for 250. Well

[00:03:22] Brad Nigh: did you figure out which one was my

[00:03:24] Evan Francen: wife’s? No, I know I haven’t, I haven’t yet but I think people don’t, I think just in general people don’t like to think too hard. You know, they want to click the buttons, they don’t want to have to like, oh I have to type something in here. Yeah,

[00:03:38] Brad Nigh: that’s probably a big part of it. She didn’t have any negative feedback. But again, she’s also married to me and is not

[00:03:47] Evan Francen: oh yeah she’s used to that. I get a different perspective.

[00:03:50] Brad Nigh: Yeah, I mean she sat in on for the whole podcast in your life. So

[00:03:55] Evan Francen: That was fun. That was one of my favorite podcasts, #16 I believe. Yeah.

[00:04:01] Brad Nigh: Yeah I was definitely got a lot of positive feedback.

[00:04:05] Evan Francen: Yeah that one Easter that was yesterday was to have a good Easter. Would you

[00:04:12] Brad Nigh: do smoke to ham? Who?

[00:04:14] Evan Francen: So you send me a picture

[00:04:17] Brad Nigh: brought some in. You can you can try some if you want after the

[00:04:20] Evan Francen: do you like ham? Drake likes ham smoked

[00:04:23] Brad Nigh: homemade spiced apricot glaze on it. Never you’ll never be able to do ham any other way ever again. I liked it. Amazing

[00:04:32] Evan Francen: at a brunch. Um eat brunch

[00:04:35] Brad Nigh: just all you. It was neat. I mean that’s not bad either. That was good man. No, it was good. Just played with the kids and kind of unwound a bit to work last night, but not too much.

[00:04:50] Evan Francen: We went to church on Friday, Good Friday service. That was cool. And then did you have just hung out, had a nice relaxing weekend. Except you know, the weather was so nice. I did some physical labor. It hurts. Not, that’s not my, that’s not my jam. Dude, that was not cool. So I woke up this morning and I was like, nope, my alarm set for 4:30 and then set it for 5:30 and I was still, nope. So 6:00. That’s why I got in here like 30 seconds before we started this,

[00:05:22] Brad Nigh: Mine went off 5:15. That’s just like, what have I done? Yeah, burned.

[00:05:28] Evan Francen: I got new muscles. I didn’t know there’s like, there’s like one right here on the outside of my leg here. I didn’t know that that one was there. That hurts. I don’t know how to stretch it either. What the hell? Yeah. Now I just live with it.

[00:05:42] Brad Nigh: You’ll be fine. Tylenol take a couple of days. It’s the worst part about getting old. Takes longer to,

[00:05:47] Evan Francen: I’m sorry, I’m sorry. Did you call me

[00:05:50] Brad Nigh: old? Getting old?

[00:05:51] Evan Francen: Yeah. Okay. Thanks. Yeah, older than yesterday.

[00:05:56] Brad Nigh: Older than high school. Yeah. In high school and if I did it now I wouldn’t be able to move for a week.

[00:06:03] Evan Francen: I was just thinking so Drake goes, can I say the school, are we allowed to say the school, are we allowed to say your high school without getting in trouble? Okay. So Drake goes to Wayzata High School and I grew up in Minnetonka. So I went to Minnetonka High School, big rival schools. But then I was thinking 31 years ago. That’s when I got out of my school. This this cat still in school. That’s crazy. Right?

[00:06:26] Brad Nigh: At 24 and 24 is here. I don’t know man. All right, well this is

[00:06:32] Evan Francen: now now that we’re now that we’re depressed. Yeah. All right. We’re gonna talk about security.

[00:06:38] Brad Nigh: We can talk about my depression. I know. Let’s let’s talk about something fun. So good topic when I we don’t will be more transparent again. We don’t always have a good plan leading up. It’s only like, hey you’re going to lead and speak for yourself. It’s Wednesday and you’re like, oh no, I’m all about playing right?

[00:06:58] Evan Francen: I have six shows playing the head right now.

[00:07:01] Brad Nigh: We actually do have a series plane coming

[00:07:03] Evan Francen: up. What you do I do, we do about it. Oh okay

[00:07:08] Brad Nigh: yes. Leading into July for the next Hacks and Hops. Oh yeah,

[00:07:12] Evan Francen: we have a guest next week.

[00:07:15] Brad Nigh: That’s exciting. So I guess the professionals.

[00:07:19] Evan Francen: But we have a guest we had a guest we have a guest this week too, Drake. Yes.

[00:07:24] Brad Nigh: So anyway I have called this week and it just this guy made a comment that just it’s just I don’t know

[00:07:36] Evan Francen: are we getting into the discussion part? Okay. So you want to see my blood pressure go up. We’ve got one of those blood pressure thing.

[00:07:44] Brad Nigh: This is fun. So we’re gonna talk about being compliant versus being secure. So what the comment was that triggered this was we went through and we’re talking about how do you identify your risks and how do you prioritize what you should be doing? And he responded with what is the absolute minimum I have to do to be compliant with, you know, whatever regulatory requirement, HIPAA or whatever. And I think, what do you mean? He’s like I just want to do just what I have to so that when they come in I’m fine. I don’t want to go do anything else. I don’t want to I just want to know what’s the absolute minimum. Yeah that’s about that.


[00:08:28] Brad Nigh: We’re probably not the right company to work with you in that case because that’s not how we do things. You can be compliant and not secure. You can check the box and we’ve seen PCI breaches where they’re PCI compliant. We’ve seen breaches around health care where the organizations were HITRUST certified in areas and was it everything or not? That’s not how we do it. We have to do with we’ll get you secure and in the process you become compliant. That’s a huge difference between the do and that’s

[00:09:03] Evan Francen: not. So was this was this a company that had a security program? And did they have a good security program? And then this was just sort of an add on.

[00:09:11] Brad Nigh: This was a no, it’s like a conversation with the potential new client. So this was their approach to

[00:09:19] Evan Francen: this approach to security in general or just an approach to the compliance requirement.

[00:09:23] Brad Nigh: Just it felt like it was to security, but I didn’t he?

[00:09:31] Evan Francen: Yeah. Because they were going

[00:09:31] Brad Nigh: with because I’m going to do anything with

[00:09:34] Evan Francen: us. Right. So compliant is different than security. And so it gets frustrating when people use them interchangeably. Right. Yeah.

[00:09:45] Brad Nigh: Yeah. I mean compliance is are you doing this? Yes. You’re doing it correctly. It doesn’t matter. I have a I have a firewall. Right. Okay. I’m compliant. Well, I got any any open to the internet. You’re not.

[00:10:02] Evan Francen: Yeah, definitely. So check box security does tick me off, you know, as it does. I think most security people. But the difference, but I wonder if how many more people build their security programs just on compliance or did they build a good security program based on risk the way we teach. And then compliance is like one of those things they have to add on. So then at that point I can almost understand the checkbox. Right. I’ve got a good security program. This is just a pain in the ass, check the boxes, move on. You know, there’s not going to be an ROI probably. But then there’s the other way where it’s like if I’m building my security program based on compliance, based on the check boxes and ignoring risk. Well, then that’s another thing, right? Yeah.

[00:10:49] Brad Nigh: And I think that’s what we’re seeing. Well, it’s a mix, right? We do see some people that they get it and are like, All right. I’ve got to do my SOC 2, because my customers requested it, but it’s easy for them. They have a good program. So this was more just,

[00:11:08] Evan Francen: yeah, you need to. So I think many of our listeners probably know the difference between compliance and security, but for those who don’t, should we tell them?

[00:11:17] Brad Nigh: Yeah, go ahead.

[00:11:18] Evan Francen: You can put me on.

[00:11:20] Brad Nigh: Especially we should make Drake do it.

[00:11:22] Evan Francen: No. Okay. I don’t know if he wants to

[00:11:24] Brad Nigh: so compliant.

[00:11:27] Evan Francen: I don’t know. I’m very blunt. So I’ll do it because compliance is doing what you’ve been told to do. That’s it, Right? It’s like my mom would tell me to clean my room. I’d clean my room and I do the minimum possible, shove stuff under the under the bed until they got onto that. You know, then throw it in the closet until they got onto that. And then I’d even was so creative, I didn’t throw things in the heater vent, right? Whatever it took. Even though it was a lot easier probably to just throw the garbage in the garbage. Right. Right. But that’s kind of the behavior that compliance creates. Is this minimum necessary to get by? Because I’ve been told to do something from somebody from authority. Right. And that’s and security is managing risk. Right? To administrative, using administrative, physical, technical controls, trying to protect the confidentiality, integrity, availability of information. That’s totally different. It starts with managing risk. Not with checking boxes. Right.

[00:12:22] Brad Nigh: And I think exactly, checking the boxes, that’s that’s the big thing is, it’ll say you must have a firewall, you must have segmentation. You must have this. This is well, it’s yeah, you can do that. But if it’s not done correctly, if you’re not, you don’t have an asset inventory to protect things against. How do you know? Right. You have a Yeah, yeah, horrible policies that nobody understands that nobody

[00:12:50] Evan Francen: reads well, because the fact of the matter is I don’t think there’s any ROI in compliance, but you can find an ROI in managing risk, right? People manage risk all the time. Especially within business, you have financial risk, you have reputational risk, you have compliance risk. There are many risks that you that you handle and manage in a business. Information security risk is just another one of those yet. People don’t a lot of people don’t treat it that way.

[00:13:20] Brad Nigh: How many places have, you know, CFOs or do financial risk analysis on every move, but don’t have a CISO, or CSO or whatever title to manage. Right? It’s an IT function.

[00:13:37] Evan Francen: Right? Well, that’s another issue. And that takes me that takes me off even more. Yeah.

[00:13:42] Brad Nigh: But you’re as big of risk or potentially larger from a security breach than making a bad financial decision around opening a new location or a merger acquisition. But you know, how many places have we seen? What’s the damage of having a breach and

[00:14:02] Evan Francen: Yeah, yeah. We have a long ways to go in this. By the way. The what if you were to guess and I probably asked you this before if you were to guess what percent. Actually give me the top three reasons why people spend money on information security.

[00:14:18] Brad Nigh: Yeah. We’ve talked a little bit about it with the percentage, but it’s definitely have a compliance requirement. Banking, healthcare, whatever. Um, I’ve been breached so I have to, or somebody in charge has worked somewhere where there’s been a breach and is trying to now become proactive or is, but I would say it’s probably, yeah, you’re, you’re being told you have to, you had a breach and now it’s like, oh, we should be doing this.

[00:14:47] Evan Francen: So compliance is by far and away the largest driver for investment in security. Right? So that’s frustrating, isn’t it? I mean because they’re different things. Take HIPAA, 1996 is when that was came out, the security rule. One of the things in there which was pretty cool was you have to do risk analysis, administrative, physical, technical safeguards. That kind of fits with our definition. So that seems cool. But people didn’t do it right or the way they did it was yeah, it was half-assed right, enough to check the box, not enough to actually drive business

[00:15:30] Brad Nigh: or they would scope down to, you know, we’ve seen that where they were we were doing a risk assessment on your EMR system. No. Right everywhere else is directly connected into it because you have no segmentation between systems or anything. No, I get that corrective action plan that says, oh, enterprise wide risk assessment.

[00:15:51] Evan Francen: Right, so let’s get deep a little bit, you know, even though this is your leading this one, how do how would how would we fix us? We know that compliance is the biggest driver of information security, spending interest, information security in general. And we tried it seems like because we’ve we’ve been saying the same things security people for a long time and nothing’s changing.

[00:16:16] Brad Nigh: I think we use that though. Right. So okay, you have this compliance, you need. What we’re gonna do is we’re gonna get you secure and in the process you will become compliant with with HIPAA Yeah, if we can do security correctly, it makes compliance really easy. Yeah.

[00:16:36] Evan Francen: And we said that but it just doesn’t seem to be resonating with people.

[00:16:39] Brad Nigh: No, I think it’s definitely we’ve had people respond very positively to that and say, okay, I like hearing that. That is a differentiator between

[00:16:52] Evan Francen: maybe that’s just where I was, because it was a mantra for me, ever since we started, essentially. But maybe it’s just the breath, the people, the number of organizations we’ve been able to work with so far, it’s just kind of been limited by that.

[00:17:07] Brad Nigh: Maybe also, you know, the the environment is changing a little bit. So, you know, you’re now seeing a newer wave of people coming in who are, who have now been affected by breaches. So maybe, you know, a little more cognizant of that, trying to avoid it from happening.

[00:17:30] Evan Francen: It’s hard to be patient. You know, I’ve been in, you’ve been in this industry for 20 years. I’ve been in for 20, 25 and sort of tired of the same message, aren’t you?

[00:17:44] Brad Nigh: Yeah, but it’s don’t, you know, just gotta keep hammering

[00:17:47] Evan Francen: it. Yeah. But I’m wondering if there’s a better more creative way for us to hammer that some kind of thinking what we’re doing right now. I’m sorry. I coughed.

[00:17:57] Brad Nigh: I don’t know where the cough button is.

[00:17:59] Evan Francen: Yeah, We don’t know how to use this stuff. No. So that’s what this stuff like this podcast, talking about it here

[00:18:08] Brad Nigh: getting out and speaking more, I think that the more people we can reach.

[00:18:13] Evan Francen: So you think it’s more of a get more creative in the way we reach people versus get more creative in our message.

[00:18:19] Brad Nigh: Yeah, I think the message residents. It does. Uh, you know, it’s not going to be forever. You know, and that’s going to trigger this. But yeah, the people that hear it and are looking for the right thing. Okay. They’re in. Yeah.

[00:18:39] Evan Francen: Yeah. It’s sad though, you know, for those people who don’t get it because building a security program can actually bring value to your business. I mean, I think you can find ways to make more money, right? We have lots of sayings, complexity is the enemy of security. If I can find processes that are overly complex and simplify those processes that I can find a return on investment, right? And manage risk better. At the same time you can integrate and weave this into your business so well that you actually have a well functioning business,

[00:19:10] Brad Nigh: Right? one. Like you said it,

[00:19:12] Evan Francen: you won’t be able to do that with compliance. True. I don’t know how you could.

[00:19:18] Brad Nigh: No. Yes, compliance is. We’ve got our certification. So we’re set. We’re checking that box,

[00:19:25] Evan Francen: right? You might be able to get more business, but eventually the house of cards

[00:19:28] Brad Nigh: will fall. So, you know, in the notes, I have two articles from news now. No, no, no from Krebs, which by the way I lean pretty heavily on him this week. Uh, he had some really good

[00:19:44] Evan Francen: ones. See that’s Drake, Drake forgot to turn off his uh, what do you call that, ringer. Yeah. I never had my ringer on. I’m not as popular though. Probably as drinking all

[00:19:56] Brad Nigh: minor is work emails pinging through. I don’t want to hear that. Uh No

[00:20:02] Evan Francen: Krebs has.

[00:20:05] Brad Nigh: Yeah. Right. Yeah. He’s so that guy. Well, we can talk about that in the two insect. But you know, he wrote an article in 2016 around this value of a hacked company. Uh “Sad truth is far too many organizations spend only what they have to on security, which is often to meet some kind of compliance regulation or obligations such as HIPAA or PCI, whatever. Real effective security is about going beyond compliance, focusing on rapidly detecting, responding to intrusions and constantly doing the gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them.” And I saw that it was just like that. Yeah, he he clearly gets right. That’s exactly it. Um You know, 2014 Forbes um which was an article by SunGard. Being compliant won’t save you from being hacked. “Requirements are not the same as best practices. Prescriptive requirements are often the bare necessities of information security to defend against all purpose attacks. Full information security programs and best practices must be implemented.” So I mean this is nothing new. Like you said, this is the same message. We’ve been

[00:21:19] Evan Francen: been preaching there since 1992

[00:21:23] Brad Nigh: and and I just found those two and quit looking because that really just sums up exactly, yeah, my thoughts on this and

[00:21:33] Evan Francen: yeah, yeah, it’s part of it’s frustrating, but you know, you’re you’ve always had a more positive sort of outlook than I do, I think and some of these things. But so if you tell me that, that we’re making a difference, that because I know we’re making a difference, if you tell me we’re making progress,

[00:21:51] Brad Nigh: it’s so slow. It is we I think we are right. I think the message is getting across, you know, But

[00:21:58] Evan Francen: because I see areas where we are getting the message across, but then I see areas where it seems like we’re back stepping a little bit, you know, take for instance information security, right? We have our definition. But then cybersecurity becomes this, this buzzword now. Well, because it’s sexier. Right. Right. I mean it’s one less syllable that’s definitely going to get me more sales. Yes, but cyber is of or pertaining to a computer. It doesn’t. So when I’m driving so hard trying to make information security of business issue and then we start using the word cybersecurity, it’s a small little difference, but it’s a difference. Words matter. It’s,

[00:22:36] Brad Nigh: you know how much that it’s marketing and messaging and with the media drives on and

[00:22:41] Evan Francen: I’ve had people that are like, yeah, man, I believe that, yeah, I get it, you know. But then you see their Twitter posts or something. It’s back to cyber cyber cyber cyber and information security, two different things that

[00:22:54] Brad Nigh: does drive me crazy too, you know?

[00:22:58] Evan Francen: So how do we, how do we squash that? Like if you, I mean cybersecurity, if you want to use the word, fine use it, but it’s used for what? It’s right. It’s defined as

[00:23:06] Brad Nigh: right? Yeah. Well even insurance, cyber insurance and

[00:23:12] Evan Francen: defensive

[00:23:13] Brad Nigh: to information security insurance, right?

[00:23:17] Evan Francen: Because people are the biggest risk, right? I mean everybody agrees with that and when you have a

[00:23:21] Brad Nigh: breach, it’s because most often somebody clicked on the link they shouldn’t have.

[00:23:26] Evan Francen: And when you give a talk, you get this. This is one of my frustrating things. You know, I’m going to rent more when you give a talk and you say, you say these things and you see in the audience this everybody’s nodding their head right? I wonder how many they’re just sorry, but they’re just headwaters. It’s like do something about it, treat it something treated as something different. Like actually do it like asset management. Everybody agrees. Oh yeah, yeah. That’s important. I can’t protect what I don’t know. I have. Yeah, yeah, that’s really important. And then do it right. Yeah. Do it. You know, information security is all about managing risk. Yeah. So what’s risk, tell me what risk is? Well,

[00:24:05] Brad Nigh: a game. Yeah,

[00:24:08] Evan Francen: it’s like, okay, so, and I get it. If you don’t know what risk is, it’s the likely something bad happening in the impact. If it did two things go into that threats and vulnerabilities. Exactly. And it’s okay to not know stuff. I mean I’m around all kinds of crap. I don’t know, but ego, I think drives a big part of this business to

[00:24:28] Brad Nigh: write well. And I think, yeah, I think you’re right on that nobody, A lot of people don’t want to admit right. They aren’t because do you think everything

[00:24:35] Evan Francen: here’s, here’s a dream of mine? So we do risk assessments all the time in your day, right? Not just, I’m not work, not this formal stuff that we do, but like every day you get up in the morning, you start doing these little risk calculations in your mind and you don’t even think twice about it. The one I like to use is when you’re coming up to a yellow light in a car, you do a risk assessment and snap. You don’t think about it. You just do it. You start looking are there cars, you know, cars, traffic, is there a cop, how fast am I going? All these things, you know, the road conditions and then you make a decision and then you just get on with your day. You don’t, you don’t, you know what I mean? Is almost like subconscious right? And my theory is you do that because you grew up with that, you grew up with, you know, sitting in the backseat with mom and dad, you saw how they did it? You, you know, you’ve been in a car a million times by the time you actually get behind the wheel and do this yourself. Yeah. And with information security, I think it’s still so foreign that people can’t just grasp.

[00:25:40] Brad Nigh: That’s what I’m excited to be easily with like drake and the high school programs. And even, you know, my daughters are in middle school and elementary school and starting even at that age, hopefully, you know, that becomes a little bit more problem prevalent. But I mean, the programs aren’t, there aren’t that many of them, Right? This is a problem. It’s

[00:26:05] Evan Francen: if you could get business leaders to start thinking that way to start understanding what information security is. Start being able to almost 2nd, you know, just second nature calculating risk and make those decisions. Like would I ever acquire another business without ever doing a risk assessment? Alright. Whenever merged with

[00:26:29] Brad Nigh: another club an ongoing. Yeah. Are around one.

[00:26:33] Evan Francen: Yeah. I mean, but that’s a big deal, right? As a business person, I’m making a big, big, huge decision. And I didn’t even think of information security was crossed my mind.

[00:26:44] Brad Nigh: Mm Well, Marriott, Marriott, that’s another huge one. Right? Yeah, Yeah. Looks good financially. We’re safe. We’re all set. Oh crap.

[00:26:54] Evan Francen: Yeah. And I’m guessing both Marriott and this other entity, Starwood, was it? Was it Starwood? Whoever they bought. I’m guessing both of those places were compliant?

[00:27:05] Brad Nigh: Well, PCI

[00:27:06] Evan Francen: well, I mean what if whatever the hell the compliance, what

[00:27:10] Brad Nigh: what else would there be for background. That’s the problem. Yeah. Well we’re driving our program by compliance. So we protect the cd for

[00:27:20] Evan Francen: where do where do people think these laws come from by the way? You mean? How many people like you were in that that shirt, which I love by the way? Schoolhouse Rock. But like how do bills, how does a bill become a law? Just just simple civics. Yeah. Because what happens like right now you’ve got Google, Facebook, Apple, Microsoft. All these companies are pushing really hard on a federal privacy law. I mean right there does that like what? Really? These guys. Yeah, but why do they want that? Because they don’t want to comply with 50 different state laws,

[00:28:03] Brad Nigh: easier to have one that they basically wrote then state laws that they didn’t have but in put in. But

[00:28:11] Evan Francen: do you know what some people actually believe and maybe even the majority is that Facebook really cares about my privacy because they’re pushing so hard and advocating so hard for a federal privacy law to protect me as a consumer as

[00:28:26] Brad Nigh: a post passwords in clear text

[00:28:29] Evan Francen: which couldn’t be more. Well you saw some of the things that came out last week about Facebook. I mean they were actually willing at not willingly willingly wanton word selling data. Right? To they should never have sold and it went all the way to the top. I mean, Zuckerberg himself is you bring these messages

[00:28:51] Brad Nigh: and then Yeah, but they care so much about our privacy that will happen. Yeah.

[00:28:56] Evan Francen: So it brings it all back, understand risk, manage risk, security, all about risk. If you don’t know what risk is hell you ask for help. There’s lots of people that would love to teach what risk actually is. There’s a ton of different methodologies. You mentioned last week the fair methodology. That’s a that’s a that’s a good methodology. We use vices score. Uh, there’s probably a half dozen or so. Just that are good risk assessment tool.

[00:29:23] Brad Nigh: Use it. And then like actually adopt it and buy in,

[00:29:28] Evan Francen: right? And then operationalize it. That’s another thing I see a lot of people struggling with is you do these risk assessments and then who’s supposed to make the risk decisions right? Not me. I’m a security guy. You don’t want me making risk decisions.

[00:29:41] Brad Nigh: Well, I’ll be secure

[00:29:44] Evan Francen: and you’ll be out of business because I don’t know business businesses and business to make money. So the business person has to make

[00:29:53] Brad Nigh: risk decisions. Securities should be. Here are, here’s what the risk is. Here are some options, right? Here’s what each of these options, you know, the outcomes or whatever, right? You tell me what’s acceptable, then yeah, we can implement whatever you want to do.

[00:30:11] Evan Francen: And truly, I think if you’ve never done this before. I’m talking to business leaders, I’m talking to CEOs, anybody’s listening in at that level, if you’ve never done this before, it does feel awkward at the beginning because it’s a learning experience. These are things that you’ve never had to make decisions on before, but you need to get over that hump, you need to operationalize this because it does give you a competitive advantage. Yeah. In time,

[00:30:35] Brad Nigh: guaranteed. And I mean, I think a lot of it is you got to trust your staff, right? If you’ve got good staff if you’ve hired well, but even if I would hope so, I believe, you know, the benefit of the doubt.


[00:30:48] Brad Nigh: A whole nother rabbit hole. But if you have a security person coming to you and saying, hey, we’ve got this risk, we can either do this and here’s the impact or we just leave it and here’s what, what could happen. You got to understand that, you know, they’re taking this seriously and you need to make a decision and it’s okay to accept that risk. That’s the other thing, but, and well, you know, no, it makes you think that’s the speaking the whole language thing and how can security better frame that to a business because that’s probably a big part of it as well, for sure. Like you just said, you’re not a business person, how do you turn and take, hey, if we don’t, I’ll use the example from the, from a book, from a mentor program, you know, if the DDoS attack takes us down and here’s what our impact is and we expect this to happen four times a year at this cost and then here’s our options of mitigating the solution. How do you frame that so that a business person understands a cost both ways and how to make the right or how to make a decision,

[00:32:02] Evan Francen: as an information security person, I’m a consultant to the business, I might be hired as an employee, but I’m still a consultant to the business, right? I consult the business on, hey, these are the risks. This is what risk means, this is what it means to us. You know, you build those relationships and then let them make those decisions and just like a consultant, just like here, I’ve always preached, there are three things that we need to get a new client, right: trust, credibility, you have to like us. So if I’m a consultant, if I’m a security person inside of a business and I’m having troubles getting the business to listen to me or whatever, there’s probably a deficiency and they don’t trust you, they don’t think you’re credible or they don’t like you.

[00:32:51] Brad Nigh: Uh, I’ve absolutely worked

[00:32:53] Evan Francen: with. I mean, look in the mirror sometimes and then sometimes you have places where you just can’t get over those humps, then go leave or get another job.

[00:33:00] Brad Nigh: Well I think part of it is there’s a small, hopefully, portion of security people that are very much my way or the highway, right? Which doesn’t help. So they’re not gonna like you, right? And then you make decisions for the business, which is not the right thing to do and then they don’t trust you because hey, you did this and it took a negative, had a negative impact. We lost business or we couldn’t

[00:33:27] Evan Francen: or I didn’t even take the time to build the trust in the first place. Just

[00:33:31] Brad Nigh: come in right away

[00:33:32] Evan Francen: and just assume that they know what the hell you’re talking about, throw around a bunch of acronyms thinking that that’s the way you build trust. No, it makes you click it. Yeah, Turkey. Yeah. You know, acronyms are one thing, but taking the time to actually sit down with the business, explain to them what this means. This is what risk is. And I know that executives don’t have all the time in the world, so use that time really wisely. You’ve got five minutes, what’s the most impactful thing I can say in five minutes? Prepare for it. Right? You know, that’s why I mean, I think those are the, if I had advice for any CISO out there, and I think a lot of them do a good job, especially in larger companies, but the ones that are struggling, it’s got to be a deficiency somewhere in trust, credibility or they don’t like you

[00:34:17] Brad Nigh: I’ve said, I think part of it is you have a lot that just come in right away and just sweeping changes. Right, Okay. I’ve got a

[00:34:25] Evan Francen: make my mark. You can do that after a breach.

[00:34:28] Brad Nigh: Yeah. But if there isn’t one right? Listen to the organization, understand why have they done things the way they’ve done them? It’s not always maybe the right reason, but there is a reason, but that’s going to at least my experience, it builds that trust, right? I’m listening to you. Okay, So you’re doing it this way? Well, here’s some whatever changes that won’t well, still fit in and reduce that risk, right? Not just absolutely. Well, you can’t do that. We’re not doing that anymore. I’ve seen those people as well.

[00:35:04] Evan Francen: Yeah, yeah, yeah. You don’t tell the business, they can’t do

[00:35:07] Brad Nigh: something, you’re out. You’re never going to succeed.

[00:35:10] Evan Francen: Well, yeah. And I’ve seen a lot of, a lot of security people and I’ve done it myself, I’m sure, where instead of being the yes people we’re the no people, you know, there should be the yes people. But let me hear some risks that we should account for. So try to look for controls around whatever it is that the business wants to do. And eventually, if you’re yes enough, uh you’ll start to be able to be proactive because they’ll start inviting you to meetings, planning meetings that you were never in before, and you’ll be able to account for those and see a better perspective of how security fits everywhere, right? Because a lot of times it seems really reactive. But I think you have to be reactive before you can be proactive, right? So, the reactive is like, yes, you can do it and hurry up and scramble and figure out how you’re going to put some controls in place. But you’re building that trust.

[00:36:02] Brad Nigh: Yeah. Like, Yes. But yes, we can do that. But I need you to understand this is the risk. Here’s some alternatives I’d like to eat. At least consider. Yeah, we can do that. That’s fine. It’s your call. Do you understand the risk around it?

[00:36:19] Evan Francen: Yeah. If you can do that, then then the CEO and executive management begins to champion your cause because that’s when you won the game,

[00:36:27] Brad Nigh: because at that point you’re so much as it is framing right? Yeah. Okay. That’s a great idea. But did you consider these things? Because that’s what you’re paid for, right? To look at the risk that they’re not considering and how can we improve this? How can you do what you want to do but do it correctly or do it securely or? Yeah.

[00:36:48] Evan Francen: It’s amazing how many security people don’t even know what their jobs are in the business. So, you mentioned, you know, this is what you get paid for. I wonder, it goes back to our why? Like why am I here, right? What’s the purpose of my, I don’t know,

[00:37:06] Brad Nigh: because the regulatory requirement is you have a named right security officer.

[00:37:12] Evan Francen: So I think if you’re, if you are a security, so there’s all kinds of advice. I think in this, if you’re a security person who agrees that security and compliance are two different things. If you don’t agree, then you probably should, you have another job because it’s like so obvious, right? I don’t even want to debate it with anybody anymore. So if uh, if you’ve been struggling with getting the business to operate that way, so the person that you would talk to on the phone, if that was a CEO who was saying I just want to do the minimum amount possible. And I’m a security person who works in that organization. I think there’s a lot of those types of people out there that are struggling with getting business to truly understand that compliance and security are two different things, that we really need to build a security program here based on risk. I really need your involvement here. I need not just involvement, but I need you to champion this with me because this is part of our business and it’s different than anything we’ve done before. Okay. So if you’re stuck, struggling in that position, I think the best advice that I could give them is work on that trust, credibility. And do they like you, think, because yeah, because then you can start making security even fun. Imagine that, when it’s actually an enjoyable experience that people want to do and then when you miss a meeting they’re like, hey where’s our security

[00:38:33] Brad Nigh: meeting? Yeah. Hell

[00:38:35] Evan Francen: yeah, this is, you know, we didn’t get there then that’s a great spot

[00:38:39] Brad Nigh: we have a really important decision to make. But what’s going on? Right. Yeah.

[00:38:44] Evan Francen: So that’s I mean if you’re looking at it from that perspective, if you’re a CEO or a business leader and you’re looking at it from the other perspective, you’re missing out on huge opportunities and huge opportunities to take every information security dollar that you spend. You’re missing opportunities in translating that into some type of a return.

[00:39:05] Brad Nigh: You know and I’m gonna go back because it made me think of this, you know, one of the surprising programs that really got it that went from, I wanted to argue every single point policy to why do we have to do these, you know, and going through where they made some edits where it’s like wait time out, what are you, what what are you doing here? Ah They went to between the meetings that came with a meeting of you know, well what about the new watches that have cameras on them and how does that affect areas with medical records and here’s our thoughts on this and they’ve done, you know, it blew my mind but it’s

[00:39:50] Evan Francen: become part of how they because

[00:39:52] Brad Nigh: of how they actually took it seriously and learned from it. And we’re like, okay. So yeah, you know, we could have reached out, but we’re going to see how we did on our own. Here’s the risk. What do we do? Because we don’t allow phones with cameras into these areas. What do we do with watches? We make people take them off, you know? And that’s a that’s a that’s a tough one. How do you enforce that? Even? How can you tell which watch has that on it?

[00:40:21] Evan Francen: Well, you go back, you mentioned one thing. So in what you just said, you said taking it seriously. And I think a lot of people, I mean everybody would say that they take security seriously. But I mean if you ask them right. Right. But if I think security means compliance, I could be taking that as seriously as as all get out. But I’m still doing it

[00:40:46] Brad Nigh: wrong. Right? Yeah. They got it and are right

[00:40:50] Evan Francen: doing it because I’ve seen a lot of companies, man, they take it seriously. They spend hundreds and hundreds of thousands of dollars on HITRUST certification and ISO and all these other things, yet their risk assessments or their risk, their handling of risk is just crap. So but you brought up a great example of they took it seriously and they’re doing it right.

[00:41:12] Brad Nigh: Yeah. That’s beautiful. It’s a second. Yeah, I was I was blown away when and they had some really good thoughts, you know around how do they do it and how do they change, you know, what do they have to say in their policy because it said specifically around phones. Do they need to change? They thought the entire concept of they thought policy and actual reality of it. And yeah.

[00:41:41] Evan Francen: So I thought, you know, thinking it’s crazy. Yeah. It’s amazing what happens when you think.

[00:41:49] Brad Nigh: But those are those things that you know, make you keep going right? You’re seeing these successes.

[00:41:58] Evan Francen: It was failure all the time. And this would be such a drag. At least we know how things work. So it’s like even when you get confronted with opposition, you’re able to overcome that. I mean, we’ve been through this enough times and we’ve seen it work enough times that there’s only one way to do this. Right. Yeah. You have to manage risk. I mean, there’s no other way

[00:42:21] Brad Nigh: to do it. Right. Right. All right. I love those.

[00:42:27] Evan Francen: It was I love didn’t have conversations. It was fun to listen to. Uh huh. We’re still here. And I was getting

[00:42:34] Brad Nigh: I know we do it kind of just go off on that.

[00:42:37] Evan Francen: All right, Jake likes Disturbed. We should play some Disturbed next time. I want to figure out some new bumper music.

[00:42:43] Brad Nigh: Yeah. With the fear that’s the licensing stuff are on that too. I don’t know. Okay.

[00:42:52] Evan Francen: What? Let the lawyers figure that out. I met a lawyer.

[00:42:54] Brad Nigh: Yeah. I’d rather not have

[00:42:55] Evan Francen: them What you do, what I can tell you what happened. So what happens? You get a cease and desist and then just stop using it. Then you go to somebody else’s music.

[00:43:02] Brad Nigh: I’d rather not do. That. Sounds like a hassle.

[00:43:05] Evan Francen: No, it’s easy and through it many times.

[00:43:10] Brad Nigh: All right, so we’ll talk some news. Uh, eGobbler attack affects half a billion Apple iOS users via Chrome bug. This is on Threatpost. eGobbler attack, Apple iOS, so about half a billion Apple iOS users and counting have been hit with session hijacking, um, malware attacks. So this is the work of the eGobbler gang, which is

[00:43:37] Evan Francen: not a stupid

[00:43:38] Brad Nigh: name now, they’re going to attack me. I know. Um but yeah, mainly attacking US users, there’s been some European activity. eGobbler. I

[00:43:51] Evan Francen: know you couldn’t come with anything better than that.

[00:43:53] Brad Nigh: I don’t I don’t know anything about

[00:43:55] Evan Francen: them. I’m actually I was gonna tell you about this later though, but I’ve got some people targeting

[00:44:03] Brad Nigh: me. Well, that’s what happens

[00:44:05] Evan Francen: when you and now we got the eGobbler, maybe they’ll be targeting me too. Yeah,

[00:44:10] Brad Nigh: so uh yeah, basically Chrome on iOS, where the built-in pop-up blocker’s failing, is popping up and giving you the, yeah, whatever page. Congratulations. You’ve been selected to spin. Can’t get a block out of it. Uh yeah, so it’s basically getting out of the sandboxing, uh, that’s supposed to be set up as far as I know. I didn’t see an update that it’s been fixed yet.

[00:44:42] Evan Francen: So it’s happening through mass advertising

[00:44:45] Brad Nigh: malicious, basically allowing JavaScript to execute even when blockers are in place. So Safari.

[00:44:53] Evan Francen: And so when you encounter that that pop up with the okay button, you’d never click the OK button, just

[00:45:00] Brad Nigh: kill your,

[00:45:01] Evan Francen: just kill the session because then, I mean if your session’s hijacked, you kill the session, well then, right, no loss. Right. Right. So, but a lot of times people don’t do that I suppose. Do you use iOS? No, you’re

[00:45:15] Brad Nigh: I do have okay. Do

[00:45:18] Evan Francen: you use, uh, do you use Chrome?

[00:45:21] Brad Nigh: I’ll use, I do have it, but no, I use primarily either, well, Brave, which is based on Chromium, or Firefox.

[00:45:30] Evan Francen: And I still use just Safari. I mean I don’t like Safari and like lots of things

[00:45:35] Brad Nigh: like Firefox because there, they actually are, right, uh, nonprofit. Then they do have some real legit security, yeah, behind it.

[00:45:45] Evan Francen: So, so if you had advice for the listeners on one particular browser to use on iOS, you

[00:45:52] Brad Nigh: probably have Firefox. Firefox. Yeah, it’s not perfect. But at least it’s as far as I know not allowing a hijacking of your JavaScript or pop-ups. So yeah, not as far, there’s no update on that article of if it’s been remediated, so be careful with that. Um next one. This is a big one. Wipro was breached and in there on the news article there, Krebs wrote three different articles about it. There’s one from Forbes, one from CSO.

[00:46:30] Evan Francen: Yeah they must have pissed Krebs off

[00:46:33] Brad Nigh: I think. Well you could tell the story of what he did but basically they got breached and and I didn’t really want to. Yeah, I admit to it. So I think if Wipro, right. Yeah, the India’s third largest IT outsourcing company, public

[00:46:55] Evan Francen: publicly traded

[00:46:56] Brad Nigh: multi month intrusion from an assumed state sponsored attack.

[00:47:01] Evan Francen: Um state sponsored script kiddies could do some of these things. Right?

[00:47:08] Brad Nigh: So yeah it’s just a little bit on their, April 9 he reached out, Krebs reached out to Wipro for a comment, April 10 head of communication saying he was traveling a couple of days because that’s that’s how you respond to Brian Krebs calls, that step

[00:47:27] Evan Francen: out of the meeting that is like

[00:47:29] Brad Nigh: red alert, stop everything and figure out what happened because you’re in trouble. So two days later he sent a statement that didn’t acknowledge any of the questions was just yeah it’s marketing gibberish. Um

[00:47:49] Evan Francen: Yeah see the thing is, not only is Krebs so well known but he’s well known because he researches every one of his stories. His sources are better than any sources you’ll find. So when he calls, so good. So when he calls you take the call

[00:48:07] Brad Nigh: I hope it’s like a bulldog around something like this.

[00:48:12] Evan Francen: Well and if he does. I think you work with him, right? It’s uh yeah you know you take it seriously, you work with him and then hope that he writes something, when he will, he’s always written truthful articles as far as I know. So if you’re working with him and being transparent and and all those things you could use this actually to your advantage if you did it right. I mean you can take bad events and if you can control the message you can make it, make yourself look really good. Right? Because I mean the fact of the matter is no matter what I do I can’t prevent breaches from happening. Right. Right. And so these are all the things that we did to try to prevent this breach from happening. This is, this is a place where we didn’t, you know, we didn’t see it. We’re humans, we apologize, we’re gonna, you know what I mean? You just be truthful in your message and what Wipro did was just stupid.

[00:49:06] Brad Nigh: Yeah. So they were saying in the article that one of the customers said at least 11 other companies were attacked, evidence from file folders found on the intruders’ back-end infrastructure named after the various clients. They wouldn’t admit it or tell who it was, I guess disclose it, but he’s got, you know, follow up articles that were Experts: Breach at IT Outsourcing Giant Wipro, then Wipro Intruders Targeted Other Major IT Firms with more details, and then the best one, at least that I really enjoyed, was How Not to Acknowledge a Data Breach and I would recommend going and listening to the embedded audio and

[00:49:49] Evan Francen: God it was classic. I’ve never heard anything so cool.

[00:49:52] Brad Nigh: You tell it

[00:49:53] Evan Francen: Oh yeah. Well so they have their earnings call, quarterly earnings calls, a publicly traded company, and Wipro was denying some of the things, or claiming some of the things that Krebs was claiming were inaccurate. And so Krebs called in to the earnings call and directly, you know, can you tell me specifically what in my article was incorrect or misstated, and they just backpedaled. They they were not expecting him to call at all during that quarterly meeting and the reaction’s hilarious. So there, well can we take this call, you know, can we have a second call or whatever? And Krebs like, you know, I just want to know what, what was false, what’s up.

[00:50:39] Brad Nigh: Yeah, so a little bit more on that one. You know, they’re saying it was a zero day attack and he’s basically calling very correctly, like politically correct, calling BS on them. Well

[00:50:54] Evan Francen: here’s what I call BS. You see this crap in every breach and this reminds me back when I used to write the breach blog and, like, every breach, it’s always the same crap: state sponsored, sophisticated, zero day, uh, you know, this was just us they were going after. I mean all those things to try to minimize, and every time you use those words I think you’re being less and less transparent because the fact of the matter is I don’t care if it was state sponsored or not because so what, yeah, I mean an attacker’s an attacker, you had a breach. You had a weakness that you either didn’t account for, didn’t know you had, something, you know what I mean? Yeah, just that stuff just ticks me off when you try to minimize, because what you’re doing is you’re treating people who are reading that like they’re stupid.

[00:51:40] Brad Nigh: Yeah and yeah

[00:51:43] Evan Francen: you know I’m not stupid. You know you just had a breach. Just explain what happened in the breach. What was exposed what you intend to do to fix it to make sure it doesn’t happen again or at least you minimize the chances of it happening again. Just be open and transparent with it rather than trying to flub around with this crap that’s really irrelevant.

[00:52:06] Brad Nigh: Uh and this will go to the IR stuff that we’re planning to talk more about around messaging

[00:52:12] Evan Francen: and hundreds of PR

[00:52:14] Brad Nigh: But so his recap of their public response: ignore the reporter’s questions for days and nitpick the story during a public investor conference call, question the stated timing of the breach but refuse to provide an alternative timeline, downplay the severity, uh, of the incident and then say the intruders deployed a zero day attack, then refuse to discuss details of said zero day, claim the indicators of compromise you’re sharing with affected clients were discovered by you when they were sent by one of your infected clients to you. And so they’re just literally just digging themselves deeper.

[00:52:52] Evan Francen: Yeah, yeah, there and there, you know, we saw the same, not like this, but with the Equifax breach also, on how not to respond to a breach. That was the worst PR disaster response I’ve ever seen. So take the things that you learn from Wipro, which is really their misleading statements, their statements to try to mislead you from the facts. So you never do that in public, you know, in a, you’d never do that. The problem with the Equifax is they just didn’t think things through. They just didn’t, oh yeah, how would this be perceived? So their PR was just like, yeah, but yeah, and when we talk about incident response, that’s one of the things you really have to get your hands around right off the bat is controlling communications, controlling communications internally in the organization and then controlling communications outside of the organization, right? Only one person should be able to speak, or a group of people.

[00:53:48] Brad Nigh: That’s it. Right? But one

[00:53:51] Evan Francen: then if everybody else talks about you take them,

[00:53:55] Brad Nigh: I think that, so the Krebs piece was really good from a technical detail, all three of those, uh, then Forbes and CSO Online, it really comes down to third party risk, supply chain security. These, I’m going to guess that there are some really big companies that were and are using Wipro for this. What was their third party risk? Did they do any risk assessment on them to say

[00:54:25] Evan Francen: Wipro’s just so big, like they like

[00:54:27] Brad Nigh: a Microsoft just going to accept it like yeah that’s you know that’s a whole different different ball game.

[00:54:36] Evan Francen: But because these clients that are using Wipro also have some liability, oops sorry, I also have some liability here. Right. Right. Yeah. If you didn’t, you know, we come

[00:54:46] Brad Nigh: For at least 11 of them that were breached and now you have to defend your decision to use

[00:54:53] Evan Francen: this. The sucky thing is there’s so many of these lawsuits don’t ever settle. Yeah they settled but they don’t there’s there’s no real liability, right?

[00:55:02] Brad Nigh: Yeah

[00:55:04] Evan Francen: because I’m gonna open up a whole another can of worms, like center for certain words worms. Uh, Senator Warren, about her wanting to hold CEOs criminally liable for breaches, and executives. We don’t even hold them civilly liable. So I don’t understand that criminal would work. Uh

[00:55:24] Brad Nigh: Yeah it’s tough. Something’s got to change.

[00:55:28] Evan Francen: Well if they’re negligent, I mean define truly what negligence is. I mean I think the courts have so much to learn to about what security is because if they’re negligent then

[00:55:37] Brad Nigh: liable. The problem is you’ll get that happen and then, you know, six months, a year later, two years later after they’ve gotten their golden parachute they just got another gig.

[00:55:47] Evan Francen: Well and that and that’s okay. But somebody has to

[00:55:50] Brad Nigh: pay but they’re

[00:55:52] Evan Francen: not. That’s exactly the problem fun you know. Yeah.

[00:56:00] Brad Nigh: All right. Uh, last story today, Facebook. Oops. We logged 100 times more Instagram plaintext passwords than we originally thought. Yeah,

[00:56:11] Evan Francen: of course he did. Whoops.

[00:56:13] Brad Nigh: Um yeah, it was it’s been a weekend since I put this together and don’t remember. Oh just

[00:56:23] Evan Francen: remember Facebook bad.

[00:56:25] Brad Nigh: Yeah, basically just

[00:56:27] Evan Francen: for privacy. That’s how they say it over in the UK privacy.

[00:56:31] Brad Nigh: If you’re using Instagram or Facebook just change your password and use multi-factor.

[00:56:37] Evan Francen: We never heard that before. Yeah. And coffin it’s all that physical labor. I know right. And there was like dust

[00:56:48] Brad Nigh: working all the bad stuff. I did. Oh um yeah. March, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users and tens of thousands of Instagram users.

[00:57:00] Evan Francen: There’s a Facebook Lite?

[00:57:02] Brad Nigh: I don’t, yeah, additional logs of Instagram passwords stored in readable format, issue impacted millions of Instagram users

[00:57:11] Evan Francen: Instagram, that’s real popular. Yeah. So I’m guessing my 14 year old daughter’s password is probably in there somewhere.

[00:57:19] Brad Nigh: Yeah. Yeah. Which

[00:57:22] Evan Francen: kind of sucks. But then you got like, because I’ve seen this happen before, like when somebody, one teen gets another teen’s password, that can get bad, right. Then you get cyberbullying kind of crap and posting things on their accounts that, so even if you’re a parent and you have kids, uh, maybe just teach them how to change their password, maybe change their password anyway, just as good hygiene. Because if I were like, if I was, for my daughter, 14 year old daughter, if I was my 14 year old daughter there’s some people I would not want to have my password, right?

[00:57:58] Brad Nigh: So yeah, well my my daughter just turned 13 this year and got Instagram, we set up multi-factor and all that but still

[00:58:10] Evan Francen: yeah I have a wisdom thing. Okay do you really done? Yeah for the show. Sure. Do you have a wisdom thing? I thought about this, Go ahead you go. No I don’t hear yours. Oh no I thought about this on saturday night in the middle of the night I woke up this thought, tell me if I’m crazy, well you know I’m

[00:58:34] Brad Nigh: saying yes but what’s your thought?

[00:58:36] Evan Francen: Okay so while the prudent man drives the herd, the wolves devour the sheep. Uh huh. You know what the prudent man is, talks about negligence. So really what it is, it’s it’s about this herd mentality where we’ve got the prudent man is where the herd is, right, but that’s not where it’s supposed to be because it’s not good enough, and so the wolves are devouring the sheep because the prudent man is driving the herd, not, you see what I’m saying. I should be driving my herd, I should be managing my risks. My risks are related to me. You have a different set of risks, right? Yeah. So if the average of us is the prudent man and then others who have different risks join that herd, which is what, that’s what executive management does. What’s the number one question you get? When you, when you deliver results, we compare with everybody else. Who cares how you compare with everybody else? Worry about your own risk. So that’s the point with the while the prudent man drives the herd, the wolves devour the sheep. Deep. Right, wow, I woke up. It’s, I don’t know what time it was. It was a Saturday morning. I don’t have a life, this is it. Well, that is deep. Thank you. That’s actually gonna be truth number 15. That goes out this morning.

[00:59:58] Brad Nigh: You go so with that, I don’t know how I can top indian on that note. So thank you for I should be sitting on the top of

[01:00:05] Brad Nigh: a somewhere robes. Alright, that is it for episode 24 with Evan’s thoughts. Um, don’t forget you can follow me or Evan on Twitter, Evan at EvanFrancen or at BradNigh, and you can email the show at unsecurity at protonmail dot com. Everyone have a great week and we will talk to you next week.