Balancing Security with Usability in Cybersecurity
Brian Wrozek: Don't take your job so personal or serious. We are inundated with threat reports and breach notifications that this job can get really stressful. But at the end of the day, it's going to be okay. Business is going to continue. And so, I think we've got to, you know, cut ourselves a little bit of slack. Don't be so uptight and you know, things are going to work out just fine. [ Music ]
David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership at Unit 42. [ Music ] Today, I'm thrilled to be speaking with Brian Wrozek, Principal Analyst at Forrester, with a career spanning roles as a CISO, a security officer, professor, and trusted advisor. Brian's deep expertise include cybersecurity management, operational technology risk mitigation, and threat intelligence for critical infrastructure. He's led global teams across multiple industries, developed groundbreaking strategies and is also a cybersecurity professor at the University of Dallas, helping shape the next generation of security leaders. Today, we'll be diving into an essential topic for every cyber security leader: collaboration and alignment on security strategy, especially when it comes to people. We'll also get Brian's perspective on how CISOs make critical decisions about budgets, a challenge that often defines the success or failure of a security program. In a world of rapidly evolving threats, fostering collaboration and alliance security with business needs is vital to ensuring resilience.
Brian Wrozek: You know, it's funny, I've been watching, "Only Murders in the Building." So, I'm watching series about podcasting and look at this. I'm on a podcast now.
David Moulton: You're on a podcast. Yes. Well, I see in your profile that you're a strong advocate for balancing security and usability with business alignment. And you've done that throughout your entire career. You worked with global teams and taught the next generation of cyber security professionals. How has your practical experience shaped your approach to fostering collaboration within security teams and with business leaders?
Brian Wrozek: So, being kind, I always like to say I'm your friendly neighborhood security professional. And curious about again, what they're doing. So again, it's not just about cyber security, but it's about you know, "What's happening in your business? What's happening in your team?" Because what I have found is most people, they want to do the right thing. So, how can I help them do that right thing and succeed but do it in a secure way because I'm not concerned about just protecting our corporate assets and our corporate data, but I'm also concerned about protecting their personal information and their reputation. I don't want a threat actor to do something bad under their name and then they have to try to go and clean that up. I've always thought a healthy sign of a security culture is when people feel comfortable reporting either suspicious activity or reporting that they made a mistake. Right? "I accidentally clicked the link. I wanted to report that I clicked it because it looked suspicious afterwards." You know, that's the mark of a really good security culture.
David Moulton: I think so. Yes, I don't know that that's easy to do. It sounds like it's a lot of work and to your point, being that security -- friendly security leader is important, you know, where you feel like you're not going to get reprimanded or trouble or fired for making an error. Some of these things are very tricky to not screw up. We were on -- we were talking to some other researchers about some of the deep fakes, and I've only seen that get better and better. And I can imagine you know, if the little -- the little voice in your head goes, "I'm not sure that Brian or Dave was real on that call, and I'm not quite sure what to do about it," it sure does make a difference if you go, "You know what? I do know what to do. I'm going to call it in. I'm going to say that this is a little weird."
Brian Wrozek: Yes, I've got a -- I've got an interesting story about that. So, I remember when I first got into security, I was assigned a job to check identification for people coming into a shareholders meeting, and I accidentally stopped one of the board of directors, because I didn't know. I was new to the security team and the company, but I stopped the board of directors and said, "I need to see your ID before I let you in." And to his credit, he goes, "You're right. I should have my ID. I'm going to go back to my car and get it." And so, again, I felt empowered to follow the rules and to ask the question, and I wasn't punished for it. What a great culture to be able to work in.
David Moulton: Yes, definitely applaud that. That board member not going, "Don't you know who I am?"
Brian Wrozek: Exactly.
David Moulton: No, and get your ID boss. So, today we're going to get into the importance of collaboration and alignment on security strategy, especially focused on people. And some of your thoughts on how CISOs can approach decision-making, particularly around budget allocation. And we've got a lot to discuss. So, we're going to jump right into it. Brian, you've worked with global teams across industries and your experience. What are the key challenges in aligning security strategies across diverse teams and regions, and then how do you foster collaboration to overcome some of those challenges?
Brian Wrozek: So, it's recognizing that there is more than one way to accomplish your goal. And so, your way may not always be the best way. Even if it is a good way or a right way. One of the ways that I've been able to kind of build that collaboration is to leverage a local or a regional champion. Somebody who can be an advocate for you. And they really serve two key purposes. So, one is they can provide insight into what's happening locally, as well as to you know, cultural differences or regional differences. And they can also amplify your message. So, you know, when you're dealing with time zones and language barriers, you know, having that advocate is really key. And then the other thing that really helped me in the past was meeting other teams you know, on their terms. So, that could mean in their time zones, as well as in person. There's just no substitute for working with people in person, going out to eat to their local restaurants and really getting to immerse yourself into their culture. And then the last little bit of it -- advice I wanted to give David is, is this doesn't happen just automatically. You need to really learn about these cultures. So, whether that's taking a class, you know, reading some magazines or some books. But you need to invest some time into learning these other cultures and areas.
David Moulton: I studied Japanese as an undergrad and some of the things that--
Brian Wrozek: Nice.
David Moulton: -we'll consider, you know, norms here in the states are certainly not acceptable practices elsewhere. And some of the interactions just making the effort to try to understand where you might come across as offensive or at least not sensitive to things is appreciated. I'm wondering if you've got any, you know, stories like that, anything that comes right to mind of you know, how do you make sure that your cultural differences don't impact those security alignment priorities that you have?
Brian Wrozek: Yes, I actually remember an example when we started rolling out laptop locks to all the laptops across the organization. And our employees in Japan were offensive at that. They'll like, "Why do we need to lock our laptops, you know, in our own office buildings?" You know, they thought that was the craziest idea in the world. But on a trip that I took over there, you start to realize, yes, the culture's different. You can leave your wallet, you can leave personal effects just laying out on your desktop overnight, and they're not going to disappear. And so, once you recognize that, realizing you know, this one approach doesn't necessarily work across the board, but by experiencing that I was able to adjust the policies for those regional differences. And giving them the backstory of why we are implementing that in the first place, so it wasn't that my intention was I'm not trusting everybody, but here were some incidents in the past of stolen devices. And so, I was trying to look out for the company best interest.
David Moulton: Brian, when we think about the importance of people in cyber security, how can organizations create a security culture that aligns with their business objectives, while also focusing on the human element?
Brian Wrozek: Yes, so for me and for others in security leadership roles, it shouldn't always be about cyber security. So, if every time, you know, Wrozek shows up, it's about a security incident or some other threat that I'm talking about, you know, pretty soon people are not going to be looking forward to you, you know, coming to their office or department meeting. So, championing other initiatives. You know, understanding, you know, what is happening in your business. What are new products that are being, you know, released? And how can you get involved and help champion those? You know, employees both on your team and across your organization, you know, they need to see you in action, you know, supporting HR initiatives and other activities that are important to the company so that they don't just see you as, you know, "All you talk about is cyber security. That's all you care about," when there's a bigger, broader picture and strategy in place that we need to achieve.
David Moulton: That's interesting. And so, having security come in and look at other initiatives and understand, "This is a great business impact," or "How can you -- you know, the security team improve the UX, the overall experience?" that's a way of winning hearts and minds that hadn't necessarily occurred to me.
Brian Wrozek: Yes, one of the things I did, you know, we used to publish a quarterly security awareness bulletin, and you know, there would be a section on policy. There'd be a section on other security metrics. But I always saved one section of that security awareness bulletin for other groups. So, you know, this quarter may be physical security will publish something. Next quarter, it will be HR, or it could be the legal department. But the idea was to demonstrate that you know, we all play a role in cyber security, and I want to give you avenues to get your important message out, so that when I come to them saying, "I need your help on this cyber security initiative," they realize, "Oh, yes. Brian gave us time to publish in his awareness brochure. Let's help him out on this campaign or this activity." So, it's kind of a give and take across the board. [ Music ]
David Moulton: Brian, CISOs are often caught with these limited budgets, and you know, if you read the news, growing threats. What factors should CISOs prioritize when they're considering their budget decisions to ensure that they have that maximum impact for their security posture or security outcomes?
Brian Wrozek: So, first and foremost, get the most out of your existing controls. You know, how many times have we deployed a product and you're using 10, 20% of the functionality? So, really making sure that I'm getting as much use out of my control and my technology as I can. And then the other way is to really have a method to your madness. So, you know, what -- what are you doing and why? What's the purpose? How does this align to a, you know, a industry framework or a standard? And can you back up your decisions with things like external threat intelligence, maybe some benchmarking, or other you know, frameworks and industry standards? That way, you know, you've got a lot of ammunition to back up your budget decisions.
David Moulton: When you talk about those frameworks or those industry standards, some of those are pretty technical, not necessarily the first thing that people understand, you know, when you're communicating your value, what are some of your recommendations to make sure that those nontechnical stakeholders, especially those that can impact your budget, understand the value that you as a CISO are driving for the business?
Brian Wrozek: Just the fact that I'm following a standard, right? So, I'm not winging this as I go. And how other members of our industry, are following similar standards. And then rolling that up to more high-level summaries. That's what's beautiful about the NIST cyber security framework, right? There's five high-level categories. You can roll up a lot of that technical detail just into those five layers. I'll give you an example of using an industry sort of framework to -- around budgeting. So, I can remember a time where I mapped the security controls to the cyber kill chain, which is a, you know, process that was created by Lockheed Martin. And what was really fascinating after we mapped all of our different security controls, the costs of seven-steps of the kill chain, is noticing that we had a lot of overlap of security controls at the beginning of the kill chain and in the middle, but we had very few, in fact none, at the end of the kill chain. And so, by that -- just that visual representation alone, forgetting the details of what the controls were and what step it was of the kill chain, you know, I was able to reduce my budget in areas where I was over-invested and shift that money to technologies that covered you know, the back end of the kill chain. So, I'm not asking for extra money. I'm just asking for additional money and showing a willingness to reduce expenses, where you know, it wasn't needed. But I would never have seen that if it wasn't for that framework and going through that mapping exercise.
David Moulton: That makes a ton of sense of going through and running that analysis and finding where you've got over-investment and you've got a -- what sounds like a pretty major gap, and were able to redistribute your funds and improve your security all in, you know, one shot, maybe with a little extra -- a little extra funding, perhaps? Brian, a common theme in your career has been balancing security with usability. And as a 20-year designer in mobile software and interbright [phonetic] software, you know this is an area that's really of high interest for me. I'm curious how CISOs can make decisions that protect an organization without hindering the business operation or the user experience of those employees?
Brian Wrozek: Yes, this is something I've been very passionate about is -- because if security is difficult, people are going to, you know, work around it, or avoid it. And that's worse than having no security control at all. So, the first thing is, you have to be realistic about the risk. You know, I had a boss that always used to ask me, you know, "Is this something that, you know, I could do, or you know, do you need to be a physicist and stand on one leg and Venus and Mars have to be in alignment?" So, really being realistic about the risks that you're dealing with. And then a technique that used to work really well for me was to get advice from non-security experts. So, if everybody you're talking to are fellow security professionals, we're all paranoid. We're all going to look at the worst-case scenario and we all read threat reports about just how dangerous the internet is. Getting advice from you know, somebody in the sales department, the marketing department, the engineering department, gives you that perspective and kind of grounds you a little bit better. And then the third aspect is looking at compensating controls. So, you know, there's multiple aspects to security. You can protect it, you can detect when something bad happens, you can react better if you detected that something bad happens, and there's insurance, right? You may have to take legal action. That could be your only recourse. So, looking at it from those different perspectives also really help you keep that balance between being super-paranoid and providing just the right level of security.
David Moulton: Do you have any example or any insights from your own experience on navigating those tough decisions between security and -- and business needs? And for the listening audience, Brian's nodding along. I suspect that it's not just one, but maybe it's your favorite one?
Brian Wrozek: Oh, yes. I remember one time when we had a malware outbreak in our manufacturing environment. And I was freaking out. And in classic CISO fashion, you know, I wanted to isolate the asset and you know, shut off the password and disconnect -- all that typical incident response activities that you see. And then luckily, one of the factory managers got ahold of me and said, "Is production still running?" The answer is, "Well, sure." "Is any data getting out of the environment?" "No, everything's fine there." Just, "So, what are you worried about?" And I was like, "Wow. You know, you're right." You know, I was so focused just on the malware aspect that I wasn't looking at what the business impact was, and there was no business impact. So, getting used to live, you know, with a piece of malware that maybe isn't causing any damage with something that was foreign to me, but you know, I figured it out, and was able to you know, clean that up during one of the maintenance windows, you know, later in the year. But I think that whole experience really helped me you know, look at incidents in a different frame of light.
David Moulton: That's really interesting. So, from a pure security metrics, you've got malware in there and you want to get rid of it as quickly as possible from the business standpoint, they're going like, "Please don't shutdown the production. Leave us alone. We're good." Yes, I can see how that would be unsettling. And you know, but it's a good perspective if -- especially if your main customer's going, "Get it later, Brian. Get it later. It's fine." When it comes to turning threat information into actual intelligence, what strategies can organizations use to ensure that they're acting on the right data and not getting overwhelmed by information overload?
Brian Wrozek: So, in this case, let the providers and the threat intelligence platform do the hard work for you. So, don't complicate the situation and just let the platform, the AI analysis algorithms help you with that prioritization and analysis of the data. And while it's doing that, certainly you want to measure and kind of review the performance of your threat intel and make any necessary adjustments going forward. But I always wanted to default to taking action rather than overanalyzing. I had a boss who had a really great slogan that I continue to follow to this day, and that is, "Take action, and I reserve the right to get smarter in the future and take a different action if necessary." And I thought that was really insightful, because sometimes we take an action and then we feel like, "Well, we can't change our minds, because it'll look like I'm flip-flopping or did I make a mistake in the past." But, hey, as you get more information, you may need to make a different decision in the future. But don't wait. Take some action now. [ Music ]
David Moulton: Brian, how should CISOs approach budgeting for emerging cyber security technologies like AI, especially given this rapid evolution in threats and of course like we talked about earlier, there are limits to how much your team's going to receive in financial resources?
Brian Wrozek: So, set aside a small part of your budget and time for experimentation. And you can draw a really nice analogy to you know, your existing company's you know, R and D efforts. They set aside a pretty substantial portion of revenue for R and D. That philosophy applies to cyber security as well. And as you do that, you also have to ask yourself, "What am I going to sunset or potentially stop doing in the future are well?" So, you can't just keep adding more and more technology and more and more process, you know, to your program. At some point, you've got to stop something, or you have all this overlap. And so, that's another key part of you know, being able to invest in you know, cutting edge or new technology is demonstrating that you're willing to get rid of the old. And then also, you know, pay close attention to what your competitors and partners are doing. You know, if you have smart partners who are investing in, you know, AI technologies and you're not, does that make you feel good? Does that make you feel confident? You know, maybe you need to you know, pay attention to what they're doing as well?
David Moulton: That's interesting. I've often said, "I'd be willing to take on any project for six weeks, and I normally can talk executives into the same thing." It's limited risk, right? The time is the factor there. And when you're talking about investing, it feels like you could make the same argument for your portfolio, your financial portfolio. You know, maybe you've got a couple of wild bets in there, but it's not the massive portion of the portfolio. The trick then is understanding, "Did the best work?" You know, is the experiment worth continuing past that six weeks or beyond the small portion of investment that you started out. Curious how you go about assessing the ROI of adopting some sort of cutting-edge technology, versus continuing to invest in your tried-and-true security measures?
Brian Wrozek: I look at the activity from the point of view, "Am I filling a gap?" You know, "So, is my security portfolio, you know, is it missing something?" Or "Am I making improvements to an existing control or an existing process?" And "How monumental of a leap forward is that improvement going to be?" Now, sometimes this is subjective, and that's where it's also helpful to bring in third party experts who can provide, you know, that unbiased opinion in analysis of what you're doing and what improvements that's going to be. And then in other cases, you know, it's hard to tell, and you may need to, you know, have a little bit more time with that. But I always like bringing in some experts to provide some additional insight into that activity.
David Moulton: Yes, I like that. And sometimes you know, it's difficult to quantify every single thing, but you've got to make some decisions. You've got to make some bets and be a leader. And if you believe strongly in the signals that you can't quantify but that you can feel, sometimes I think it's okay to continue to move in a particular direction a little bit longer. Give something time to -- time to marinate.
Brian Wrozek: And I think this is where being a good storyteller really comes into play, David, because if I can't put a dollar figure or a quantitative value to that ROI, can I tell a compelling story of how this is going to reduce our risk or improve our security posture? And again, reference that back to threat reports and industry case studies and really paint that picture for my executive team. They're executives for a reason. They're smart women and men. They can understand and they can help put two and two together, if you can present that compelling anecdote.
David Moulton: Absolutely. And I'm so curious if you've had a moment in your career that sparks, you know, for you when I say, "What's the story that you told to that executive, to that stakeholder, that helped you move in a direction that you didn't necessarily have the analytics or a quantitative/qualitative kind of an argument to go forward with something?"
Brian Wrozek: So, one example, again going back to you -- kind of an operational technology standpoint, you know, it was very difficult to understand the cyber security impact and threats to industrial control devices. But by zoning in on the outcome and helping connect the dots to -- you know, it doesn't matter if it's a, you know, tornado or the janitor hits the emergency shut-off button with the broom handle, or it's a ransomware attack. The end result's the same. Production gets shuts down and we potentially put people's lives in danger. And that really got people's attention realizing, you're right. Whether it's you know, a stream of bits or whether it's a physical weather event, if the end result's the same, we need to take protective and preventative measures to make sure that that doesn't happen.
David Moulton: I like that story. I like how you've connected things that people can see as tangible. I actually pictured that broom handle swinging out and absolutely, you know, poking a button that it wasn't supposed to, and you know, there's the end of the production. And that's no different than an attacker reaching in through you know, a network or a thing that shouldn't be on the network. And you know, pushing a different kind of a button. Actually, you know, Brian, your work involves protecting a lot of critical infrastructure through OT security. And I'm curious, what are some of the unique challenges of aligning security strategies in an OT environment compared to the IT environment?
Brian Wrozek: A lot of the cyber security foundational principles and fundamental principles apply, but they have to be implemented different. You know, in a corporate setting, you're worried about, you know, confidentiality of the information. You know, in industrial control settings, it's all about the availability and the safety. And so, getting comfortable with changing your frame of reference. So, you know, where I may scan you know, your laptop daily looking for vulnerabilities, in industrial control settings, I'm doing that passively. You know, monitoring traffic, doing asset inventory to understand what those vulnerabilities might be, so that I don't disrupt you know, the process. And the other aspect is the manual and physical controls. You know, as you've probably read about some of the cyber attacks against water treatment plants. You know, you'll often see in the article where they say, you know, "While we shut down or disconnected from the IT systems, we were able to continue to deliver water through manual processes." And that's something that CISOs need to remember. In these environments, you have manual and physical controls, automatic shutoff valves, and things that you can leverage during incident response that I just don't have in the traditional corporate cyber environment.
David Moulton: What advice do you give to CISOs who are trying to integrate that OT security into their broader cyber security strategies?
Brian Wrozek: You have to weave cyber security into the, you know, operational rhythm and existing initiatives that they have. And I'll give you one example. You know, every, well, every quarter, you know, members of the industrial control team would have to go through a safety training course. In fact, even if you wanted to get access into certain areas, you had to have a quick five-minute safety briefing. Well, I was able to weave some cyber security awareness into those safety briefings and into those safety programs so that operators wouldn't have to spend you know, an extra 30 minutes at another you know, cyber security training course. So, and, the other neat aspect was you know, doing things like putting information you know, in the cafeteria, you know, like I'm a little cafeteria table-tent you know, about cyber security. And just finding ways to sneak it into their daily routine, so that it doesn't become an extra burden for the employees to become more educated on cyber security in those environments.
David Moulton: I'm picturing you buying an ad on the back of the cereal boxes and then distributing that. So, you know, you're sitting there having your flakes in the morning and you're getting your security updates. I love it. Brian, let's shift gears a little bit. There's this increasing complexity in the global threat landscape. How can organizations ensure that their security strategies remain aligned with international regulations and standards?
Brian Wrozek: So, this is where you get to make friends with your legal department. They follow and track all these different laws and regulations, and you need to help them translate those legal statements into what that means to your IT environment, and what that technical application is going to be. So, you need to work together and collaborate. And I wouldn't panic because many of the laws and regulations that we see, they tend to be very similar. They may say things in different terminology, but at the end of the day, a lot of your foundational controls and activities are going to apply. And then the other thing I've learned in talking to lawyers, there's a lot that's open to interpretation. And so, you're going to be involved in many collaboration environments where you need to understand, you know, "Is this a specific requirement of the law, or is this your legal counsel's interpretation of how that law needs to be applied?" And so, you can work together towards that right interpretation that works for you.
David Moulton: Brian, you've led successful global security teams. What are the key elements to building and maintaining security teams, especially when managing them remotely across time zones?
Brian Wrozek: Yes, a lot of late-night teleconferences. That's for sure. Yes, I've got a funny story around those teleconferences that I'll share in a moment, but first, you know, the thing that is really key when dealing with global teams is you need to give them some level of autonomy when it comes to leading initiatives. You don't fall into the trap of having all projects you know, led by an employee out of the United States. And include them in team building activities. So, if you celebrate birthdays in the U.S., you should celebrate birthdays in India and in the Philippines. And also, emphasizing cross-training and job shadowing, and again, include them in those types of efforts. So, it does take a little more work. Like I said, you may be on a few late-night calls, but the more that you can engage and have similar motions across the different time zones, the more they're going to feel like they're part of the team and the more excited they're going to participate in these activities. So, I'll tell you a funny story. So, we used to do these late-night calls. And in one case, I had a member of my team from France. And as my daughters, I have three daughters, as they got older, sometimes they wanted to, you know, listen in on some of these team calls and meet you know, the team members from these different regions. And they always got excited when it was Jean Luc Marc [phonetic] from France because they loved his accent. So, they just got a big kick out of talking to him and listening to his accent.
David Moulton: Those French accents are absolutely, what's the word, dreamy? Right? You can just get lost in them for sure.
Brian Wrozek: Exactly, but it was fun. And again, it just brought the teams closer together, you know, as -- again, as we took a little bit of time at the beginning of the call, you know, to talk to the girls and to you know, just share some personal stories. And it again, it just brings the team closer together. So, it was fun. [ Music ]
David Moulton: So, you mentioned continuous improvement as a key focus in your leadership. How can organizations embed continuous improvement in their security strategy without becoming reactive to threats?
Brian Wrozek: So, first off, this continuous improvement, it needs to be an item on your priority list. So, have you know, budgets set aside. I used to create a little budget item that was third-party assessments. And I left it generic for a reason, so that each year I could maybe change the focus of the assessment, but it still, you know, came out of that assessment bucket. And have metrics. So again, back to the industry standards or frameworks. You know, tracking your maturity level. You know, doing some benchmarking, whether that's informally with just, you know, colleagues that you know, or more formally with these types of maturity assessments. And then -- and it's not just continuous improvement, you know, from my security strategy but I also looked at it from the standpoint of continuous improvement of my staff. So again, building individual development plans, building continuous improvement into their performance reviews to make sure that this is important. We're going to set aside time and money for it. And I'm going to evaluate you on your ability to continue to improve.
David Moulton: Are there any metrics or indicators that stand out as a favorite of yours or that were really effective that you'd want to share today?
Brian Wrozek: I liked the perceptions of other people, of our security program and our security team. So, in some cases, it'd be like a formal survey. In other cases, it may be an informal survey. And I also looked at how often were my team being invited to participate in cross-functional teams or come speak at department meetings. When other groups are reaching out to you, I think that's a very positive sign. And if you can track that and see that growing over time, you should feel really good about that.
David Moulton: Yes, I agree. One of the questions I love to ask in these conversations is what is the most important thing for a listener to take away from what we've talked about today?
Brian Wrozek: So, besides, "That Wrozek guy is one heck of a cyber security expert," it's, "Don't take your job so personal or serious." You know, again, we are inundated with threat reports and breach notifications that this job can get really stressful. But at the end of the day, it's going to be okay. You know, business is going to continue. And so, I think we've got to, you know, cut ourselves a little bit of slack. So again, back to our discussion around balancing usability and security. Don't be so uptight and you know, things are going to work out just fine.
David Moulton: That's a very midwestern point-of-view, man. I love it. [ Music ] Brian, thanks for a great conversation today. I really appreciate it. Your insights on collaboration, security strategy and how CISOs can make critical budget decisions has been informative for me. I've also enjoyed getting to know a fellow Midwesterner that's hanging out here in Texas.
Brian Wrozek: Well, thank you for the opportunity to participate, and also thank you for putting on these very informative podcasts. This is a great way for people to grow their skillsets and to get the information out there, and I know it takes a lot of work. So, thanks for all you do.
David Moulton: Well, I'm glad that it's landing for you. We do aspire to educate, to engage, and occasionally entertain. And if you like what you heard today, please subscribe wherever you're listening, and leave us a review on Apple Podcast or Spotify. Those reviews and your feedback really do help us understand what you want to hear about. And you can reach out to me directly. My email here at "Threat Vector" is, threatvector@ paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]
