Unmasking the Truth: Data Protection and Cybersecurity Risks in the Tech Industry

This is a podcast episode titled, Unmasking the Truth: Data Protection and Cybersecurity Risks in the Tech Industry. The summary for this episode is:
Marketing technology (MarTech) includes various tools such as email campaigns, custom landing pages, account-based software, and advertising.
01:10 MIN
Privacy concerns are rising both for users and businesses.
03:05 MIN
Regulations and privacy consciousness impact marketers today.
01:54 MIN
Data ownership and sharing responsibilities explained.
02:08 MIN
Engineers prioritize privacy, security, and ethics.
01:39 MIN
Ask for certification.
01:48 MIN
AI rise creates challenges for identifying truth, and privacy.
02:25 MIN
Companies impersonate users for secure access.
00:56 MIN
Be mindful of what you store online.
00:34 MIN
Jara’s Receipts
02:07 MIN

Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. MarTech, or a marketing technology, for those unfamiliar with the term, is the perfect example of where technology, marketing, and cybersecurity intersect. And as we all know, data and information is so readily available, especially as we all move through our daily lives. So finding the balance between leveraging MarTech and protecting our privacy is super critical. But how do we navigate this? And as we know, I am not the expert, but I always have one with me. And during this episode of The Tea on Cybersecurity, I have Chris Vannoy, Vice President of Product and Engineering at The Juice. Hi, Chris.

Chris Vannoy: Howdy. Thanks for having me. I'm excited to talk about this. I've been working in MarTech for a while now, and I've had a lot of fun conversations around this particular topic, and I'm excited to talk to you about it today as well.

Jara Rowe: I am so excited to get into it. Especially as a marketer myself, I just have so much interest in this. So, will you go ahead and introduce yourself a little more for our listeners?

Chris Vannoy: Sure. As you mentioned, I'm currently the Vice President of Product and Engineering at The Juice. The Juice is a B2B content platform for marketing and sales professionals and the brands that hope to reach those folks. In a previous life, I was a senior product manager at an account-based marketing company called Terminus, where I did their de-anonymization, so turning anonymous web visitors into known accounts. I also did their advertising targeting and their intent solution. I used to joke that I was in charge of all the creepy stuff. Before that I was a director of engineering at a company called Sigstr, that did email signature marketing on clean banners inside of that, and also handled a lot... I was there when GDPR first became a thing, so had to navigate that landscape right at its inception, and that's really informed a lot of what I've done since then.

Jara Rowe: I love it. So you just have so much experience in this topic, so you're the perfect person to talk to.

Chris Vannoy: Aw, thanks.

Jara Rowe: And we will get into GDPR a little later. I have a question for you around that in particular. So before we really dive into the nitty-gritty, for those that may even be unfamiliar with MarTech, can you go ahead and just explain what that is, and then maybe give an example or two?

Chris Vannoy: Sure thing. So you kind of mentioned it, like a short for marketing technology. But fundamentally, it is software and services that help marketers do their jobs better. And a marketer's job, since you are one, you know this, are pretty wide-ranging. Y'all have to touch a lot of stuff in the course of a day. So it can be things like email deliverability, email campaigns. There's a large startup, well startup way back in the day, here in Indianapolis called ExactTarget, they did email marketing, and eventually got bought by Salesforce, for instance, which is why... I'm talking from Indianapolis, and we have a big concentration of that sort of MarTech stuff that spun off of that. So it can be things like that. It can be things like custom landing pages. It can be account-based software to do advertising and that sort of thing. Like I mentioned, it was Terminus earlier. Or it can be things like The Juice or media companies even that are more advertising, and how do you reach an audience? How do you identify that audience? How do you work with sales teams in some cases? Because a lot of marketing ends up being generating leads or helping opportunities for sales a little bit later. So it's this broad umbrella, much like marketing's responsibilities are pretty broad, of software to help marketers do their jobs.

Jara Rowe: Yeah. And I will say, as a marketer, this MarTech technology, all of these fun apps and everything, are a game-changer and a lifesaver, especially for small teams. When you have two people doing all the marketing, you need a little extra help. So MarTech is perfect for that.

Chris Vannoy: Yeah. And some of the fun sort of cycle we're in now for MarTech is also consolidation. So you've got these bigger tools that are tying together all these individual point solutions into one thing, which also brings up some, we'll probably get to it later, some fun sort of privacy hops in between like this thing knows this and this thing knows this. And in the old days, those would be two separate systems that didn't talk to each other. But as we consolidate, you end up with, oh, the left hand and the right hand actually do know what each other is doing, which can introduce some fun, I have a weird sense of fun, fun privacy considerations for the end user, and also how marketers deal with the landscape as far as how the public has thoughts on privacy shifted over the course of probably the last five years.

Jara Rowe: You are leading me straight into my next question. So with the rise of MarTech, what are some privacy concerns that people need to be aware of?

Chris Vannoy: I'll actually start there before I get into the creepy scary stuff. On the plus side of things, like I mentioned, the public perception and value of privacy has changed a lot over the last five years, through things like GDPR, and just generally folks' awareness of what's going on. You're starting to see browsers for instance, eliminate third party cookies, which is a way that folks could track people around the internet for a long time. You're also seeing the rise of things like IP anonymization through Apple for instance, and also the rise of people using VPNs to do their work, because IP addresses are also a way that you could sort of tie people around the internet, if you could get an IP address and tie it to a person. And those were the core of that sort of privacy concern for end users. I'll get the business privacy concerns here in a minute. But for end users, that's sort of like... It's the same sort of thing I mentioned earlier, the left hand knowing what the right hand is doing, right? So if one site can identify you through your Marketo cookie, then being able to have that cookie follow you around the internet, be able to track your activity is where you get anecdotal stories. There was a story from Target a couple of years ago about a woman who was at Target buying things, and then Target told her she was pregnant before she knew she was just based on her buying habits and things like that, right? And it's that same sort of tracking has gotten so sophisticated. And there are so many third party groups of these that you can... If you're not... Well hold on, let me back up. So if you care about it and you're not careful, you could end up tracked around and they can know a lot about you, which you're either comfortable with or you're not. On the business side of privacy, depending on the type of business, you can end up storing a lot of PII, or personally identifiable information, right? 
And there's different classifications of that, all that fun stuff. But you as a business have to hold onto that and not let it get out, which is where the cybersecurity angle of this also comes in. But not only do you have to keep it private from other users and it becomes a major security breach if suddenly any of that... Say you accidentally rigged something up that a user can see all the other users inside of your system, or all the information you have tied to them. That ends up being a major privacy violation on their end, and a major cybersecurity problem on your end to where you got to go fix all that. There's also different handling of that personal identification depending on... Like I mentioned, there's levels. So some stuff you can keep in clear text. Some stuff you're not going to be able to do that. There's some stuff your engineers can look at and there's other stuff they don't. And we'll talk more about, as a business, how you can mitigate that sort of stuff a little later, I suspect, but those are the major concerns, both end user and company. It's like end user around the internet is just like, man, there's a lot of stuff people could do to track me around the internet. On the business side, it's like we're collecting all this data and we have to make sure that we're storing it in a secure way that doesn't cause privacy headaches or security headaches for us a little bit later.

Jara Rowe: Right. Oh my gosh. So terrifying. Target inaudible. Oh my gosh.

Chris Vannoy: Again, that's an illustrative story. Not everybody's doing it to that level. And I don't even know that Target's still doing it to that level. Because that story got out and people were like, "Whoa, wait a minute." But sophisticated targeting is still going on in a lot of places.

Jara Rowe: You Google something one time, and then suddenly you're being delivered ads on it on Instagram or something. It's like how do you know? I appreciate you paying attention. But at the same time, it's kind of creepy that all of it talks together and you're able to now give me this ad, so I understand. So you started talking about it a little bit, but how has the relationship between MarTech privacy and cybersecurity evolved over the years?

Chris Vannoy: A lot of it has been driven by regulations as well. Regulations and the rise in privacy consciousness of end users. So for marketers generally... We're going to back out of MarTech for a minute and just talk about marketers like yourself. In the old days, and still a little bit today, I get on calls occasionally with marketers and they ask for this sort of information. You could work in lists of people in lots of cases, like I mentioned, email address targeting, that sort of stuff. That's become a lot harder in the age of GDPR and a similar one in California where there's a lot of additional responsibilities for companies that store and collect that sort of data. When you're a MarTech company, like The Juice for instance, we are the controller of a lot of that data. And so in the old days, we might share it. It might just be a thing that just passes between us. Because in those days, end users weren't as conscious of it, and businesses didn't have any regulations around it, or even hadn't thought through the ethical considerations of all that. This is all early internety sort of days, right? Whereas these days, we don't let any of that out. That's all our data. We don't share it with customers at the individual level. It also has upped the penalties for breaches of that privacy. Like I mentioned earlier, that data leaks sort of thing of there's been credit bureaus for instance have lost all of their member information, all the customer information. It ends up being billions and millions of dollars for them to be able to mitigate that later. So as a business, as you keep, especially in MarTech really, as you keep building up these data streams over time, yes, it becomes an asset for your business, but it increases the liability of when you goof up, right?

Jara Rowe: Right.

Chris Vannoy: The more data you have, the more painful it's going to be if you mess up your cybersecurity and all that leaks out.

Jara Rowe: That's a lot.

Chris Vannoy: Yeah.

Jara Rowe: So you've mentioned it a few times, and so I would love to just go ahead and segue into this. But as a business or a company, how do you mitigate any potential risks or anything like that when it comes to privacy with this sort of technology?

Chris Vannoy: Some of that is... And you've had other podcasts folks who have talked about this, but there are certifications for doing this. And SOC2 has a pretty good list of stuff you should do, and even if you're a company the size of The Juice. We're pretty small and pretty early. And also, our particular business isn't as sensitive to customers needing SOC2. We're still doing a lot of the SOC2 stuff even though we haven't gone through the certification, right? So you limit data access to just the people who need it, so engineers, that sort of thing, and you have controls around that so that people can see it. And also, the other challenge, I mentioned, is less technical regulations, but it's also ethics and ethos a little bit. Like I mentioned, oftentimes working with marketers, especially they've been doing it for a long time, they're used to that world where you could go and buy an email list, and then start sending them emails. Or they want to know, yes at this account, but who at this account? Who at this company was looking at? And it's like we're at a day and age now where I can't give you that information. Not only from an ethics standpoint, but increasingly, like I mentioned up at the top, as third party cookies go away, as IPs get harder to anonymize, just literally physically cannot give you that information. I don't know. The best I can do is that they might work for this company, right? And that also fits well into the regulatory landscape. But you still have custom... When you work in MarTech, you still have customer pressure for, no really, who's the person? Right? Because they're used to... Then I can send them emails, and I can invite them to things, then I can do all this other sort of stuff. So maintaining that balance between what is regulatory and ethically versus what do customers actually want to go do can sometimes get into a fun sort of conflict. 
And as a business working in MarTech, you have to decide where in that fuzzy gray area between those you sit, right? How much information are we going to give because customers want it versus how much are we going to save or not store at all? In some cases, that's always best, not store at all because we know we don't want to mess with it. And it's figuring out when you're working in MarTech, where are you comfortable with in that line, whether that's just personally or in consultation with legal in lots of cases. I've had lots of talks with lawyers about where that line is for a particular company.

Jara Rowe: So with The Juice, how do you all determine what data you're going to keep for whatever reason versus what you're just going to pass through and let it go?

Chris Vannoy: Yeah. In our case, we're a little bit odd in that in past MarTech companies I've worked at, we were essentially a pass through. We were a holder of our customers data. And in that case, you have a lot of different responsibilities. If it's customer data, it's your data, it's your responsibility to safeguard this sort of stuff. We will pass pretty much everything onto you because this belongs to you. We just happen to hold it for you. The Juice, because we have this sort of social networking component... Right?

Jara Rowe: Right.

Chris Vannoy: This is actually... There's a subset of this, our member data. That's our data, right? So we don't share email addresses, we don't share names with customers, unless... Without the user's permission, today we don't give the user the ability to give that permission. That might change in the future. But for today, they can't say, "Yes, it's okay for you to share my information with this company." So we don't. We will share company name and we will share job title information, and that's as far as we're going to go. We don't do geolocation for instance of the individual. We don't do any of that sort of stuff, nothing but job title and that's only if the user gives it to us. We're not inferring and we tell them upfront that's what this is for and company name and we feel comfortable with that from regulatory perspectives and also just ethically feeling good inside. You're not going to start getting a lot of emails from people that know you from The Juice, right? We wouldn't feel good about that. We wouldn't feel sleep all that well at night or want to wake up in the morning, go to work, right? And that's, again, because of that data ownership sort of level. In this case, those members are ours, right?

Jara Rowe: Right.

Chris Vannoy: They're members of The Juice, and we have to be careful with what we share. Like I mentioned, other MarTech I worked at and lots of other MarTech is more this is your data, whether it's like your Salesforce data, your HubSpot data, your advertising data, things like that that it's like this is the customer's data. And so we will share all that information directly with you because we're just the holder of it. That situation, just as an aside, opens up a whole other mess of worms, because then one customer's data you don't want to share with another customer, and the crossover of that data is where you end up having to talk to a lot of lawyers. Oh yeah.

Jara Rowe: I'll say as a user of The Juice, I definitely appreciate that. I don't have a bunch of people contacting me like, "Oh, I saw you on The Juice." That has never happened.

Chris Vannoy: And if it does, let me know because we're going to have something we need to go fix.

Jara Rowe: I will for sure. All right, Chris, so I know that you're an engineer by trade. So how do you approach building MarTech systems that are secure and protect everyone's data?

Chris Vannoy: Step one, I kind of alluded to this earlier, is only store what you absolutely have to, especially when we're talking about personally identifiable information. Unless a product person has told you specifically what it is and why they need it, don't store it. Don't store stuff just in case. Don't store additional data. So that's step one. The stuff that's hardest to eventually leak out is the stuff you don't even have. Yeah, because it can't happen. So second of all, like I mentioned, the principle of least access. Keep the access to these systems to just the people who absolutely have to use it, and keep an audit trail of when they access it and what they do. That's fundamentally it. Now, like I mentioned, there are different levels of this sort of data. In this case, we're talking about low level PII, it's names, it's email addresses, that sort of stuff. If you start getting into healthcare or into e-commerce sort of stuff and you start getting into credit cards and social security numbers and medical records and fun stuff like that, then you're talking about encryption so that even your own people can't read this stuff. Luckily, MarTech doesn't have a lot of that, where usually the level below that PII that's like we can store it in plain text. We can let engineers be able to poke around at it and do stuff. We just have to be careful about where stuff hides with one another and make sure it doesn't leave our system.

Jara Rowe: Yeah, awesome. All right, so again, from an engineering lens, what role do engineers play when it comes to, again, building these systems that comply with regulations like GDPR?

Chris Vannoy: Yeah, the fun thing is working with engineers most of my career is that a lot of the privacy ethos and ethics are particularly strong in engineers. So oftentimes, engineers end up being the bulwark sometimes of product or marketing or even executive level of, "Hey, that thing you're wanting to do, that's probably not a good idea." So there's that aspect of it. And also I mentioned designing systems to be secure from the start. Like I mentioned, at The Juice, we're small enough that we haven't gone through a SOC2 thing, but we're still working as though we were, right? So encrypting the data, that's important, making sure that we have good audit trails and tracking and ticketing along the way so that we can control and be able to report back when we're audited somewhere down the line of this ticket went live at this time by this person, this was accessed at this time, this is limited to just these folks. So building the system from the start, even though you're not going through SOC2, ISO whatever today, knowing you will eventually need to get there, right? And most of the principles that are buried inside of those things are actually super helpful to building secure systems generally. So as an engineering organization, part of your responsibility to the business is go ahead and start doing that now. That way later on, when you work with somebody like Trava, you can say, "Hey, we already did all the stuff. We just need your help to actually get audited and make sure everything works right."

Jara Rowe: Yeah, so a couple episodes before this one, we talked about the different compliance frameworks, and the team of guests that were with me talked about, definitely start from the beginning, make sure everything's in order. Because once everything's in order, everything's a breeze from there. So definitely just get all your cybersecurity plans and risk management strategies and everything together at the inception of said company.

Chris Vannoy: And like I mentioned, it's not even because you're preparing for audit later. The Juice may never go to SOC2. The nature of our business, yeah, they're mostly good ideas and good principles. It's like if you want to build a secure system, just look at the SOC2 things and just do them. And it's a lot easier to do it from the start, like you kind of mentioned. If you try and bolt it on later, lots of times, you have to break a lot of bad habits, where folks maybe haven't been doing that or kind of used to... And sometimes this is fun, but used to doing cowboy sort of stuff, right? Way back in the day, I haven't done this in a long time, but logging into a server and changing code and saving it without anyone logging that you logged in or anything. Can't do that anymore. The days of live editing PHP files on a server some way, not a good idea. So that change management, change control, all that fun source stuff, it's just inherently part of SOC2 or just good ideas for engineering practices generally.

Jara Rowe: All right, so again, we talk about moving data across all of these different platforms and tools and things like that, but we also exchange data and things with other vendors. So how can a business ensure that a third party vendor or company that they're trying to partner with also adhere to good cybersecurity practices?

Chris Vannoy: The easiest way to do that is to ask them if they already have a certification. We're talking about this a lot. But if they've already gone through SOC2, if they've already gone through ISO, you can just ask them for that. And if they tell you they have, then you're probably good, because somebody somewhere else has already verified that they do all those things. And like we said a couple of minutes ago, those are all good things that they should probably be doing. If you're interacting with a vendor that's smaller, a little bit like The Juice, you can ask them that question. And then I tell you, "No, not yet," but we are comporting ourselves as if we were, right? And then you can ask more specific questions. In fact, you can just copy and paste from the SOC2 thing. You just ask them, "Do you do these things?" is one way to do it, or to get an engineering leader like myself from the vendor on a call and ask them. You'll either get very confident answers to that, or you'll get a lot of, let me get back to you or not quite, and just having that conversation around those sorts of things. Generally speaking, if your vendor has confident answers to that, they're probably in pretty good shape. If they are all a complete surprise to them, maybe not.

Jara Rowe: I would be like, "Do you guys do this?" I'm like, "Oh, I don't know. Let's check." I'm like, oh man, I want to no.

Chris Vannoy: At least have an answer. Lots of times there are things I know what the questions are because I care about it and I've been researching it for a while and I've lived through SOC2 certifications in the past, so I also know what questions get asked in that audit. Things that we're not doing today, I'm prepared for why that is, right?

Jara Rowe: Right.

Chris Vannoy: We're not doing this or that because it doesn't make sense for our particular setup, or we're not handling that sort of data right now. It's weirdly a little bit like sales and marketing where you have to understand what the objection's going to be ahead of time and have answers for it. And if they don't, maybe ask some more questions.

Jara Rowe: Yeah, definitely ask more questions. That is cool you have to think farther in advance of they're probably going to ask me this, so this is the answer that I have prepared.

Chris Vannoy: And maybe it's not the full answer, but it is like, this is how I'm thinking about it, right? This is like I know they're going to ask it. This is how we're going to approach it. You're not... There's some engineers who work well at this where they'll write out the entire answer ahead of time. Don't necessarily do that, but be prepared with how we're thinking about it. If this gets asked, how are we going to approach it? Have a good answer for it. And if they don't, from the other side of the thing, be a little worried.

Jara Rowe: Yeah. So much good information for engineers. This is great. This is a great episode. All right, Chris, so with all these emerging technologies, and we know that AI is just a huge topic right now, how do you think that these things will affect cybersecurity and privacy?

Chris Vannoy: AI is interesting in that the rise of deep fakes and the writing in the style of someone else or the recording and copying of voices of someone else make it so that it's more difficult to tell what's real and what's not, or could be in the near future, as these tools become more available to more and more people, which... When it interacts with privacy, it gets interesting, because you as a business could do everything exactly. But if someone does a convincing enough AI driven deep fakey sort of thing, how are you going to be able to prove that you did everything and this is clearly not from you. I could imagine you end up in a world where you have these AI generated fake privacy leaks. It may even be lawsuit bait, that sort of thing even. There's a whole universe of that sort of stuff that's even outside of your direct control that a lot of these tools can introduce. There's also, as we look into more pen testing sort of stuff, and right now that's all humans, you could also enter a world where AI can generate testing plans and pen testing plans and things like that and actually execute them, right? And they may do it on your behalf. You contract and do it all out and actually run it, or it could be someone looking for holes. The ways folks would look for exploits in the past, they're very sort of brute force. And we know this is a PHP endpoint and we'll just hammer it crazy, right? As AI makes coding and the ability for things more democratized and more people can do it, you may end up in a more sophisticated world of those sorts of threats, of AI generated can poke around in more sophisticated ways like a human was actually poking at your site, which as... I don't know, I've been in engineering long enough to know there's a big difference between automated testing and human testing. And so automated, it's not going to find everything. But if you put a particularly clever human and point them at a website, they'll probably find something. 
And so if you think of AI as eventually, maybe not today, becoming a kind of clever human, or at least a persistent one, even if they're not clever, they're not going to get tired, point them in a website, they'll probably find something. And so using those tools on the business side to find something before someone else trains an AI to go find it might not be a bad idea as these tools get a little bit better over time.

Jara Rowe: For sure. We actually have an episode on pen testing coming up, so I can't wait to dive more into how AI can help or hurt that topic in general.

Chris Vannoy: I'd be curious to listen to that too. This was all off the top of my head just thinking through stuff, so I'd be really excited to hear an expert talk about that, and maybe they say like, "Nah, he's full of crap."

Jara Rowe: All right, Chris, well, we're having so much fun. So I want to bring more fun in. We're going to take a step aside from these MarTech questions and I'm going to ask you some funner cybersecurity related questions. Are you ready?

Chris Vannoy: Yeah, I guess.

Jara Rowe: What's the most bizarre cybersecurity myth you've ever heard?

Chris Vannoy: One of them is... This is very, very long ago, and I will withhold the name of the company for their sake.

Jara Rowe: inaudible

Chris Vannoy: Way, way back in the day. Lots of times companies have this need to impersonate users, to go check an account or something like that. And there are secure ways to do that. A company I worked with a long, long time ago, and don't go trolling my LinkedIn to try and guess which one, they thought the way to do that was you'd have an engineer go into the database and copy and paste password and stick it in and log in inaudible now. And so this thought of engineers having access to things like that and it would be okay is not cool. It wasn't cool then and it's not cool, certainly now. I'd like to think we have better ideas of how to do that sort of thing now, but back in the day, that used to happen fairly frequently.

Jara Rowe: Oh wow. All right. Well, so you may have seen some passwords. So that leads me to my next question. What's the best password you've ever seen?

Chris Vannoy: One that is auto-generated, not by me. So I use password manager and the best ones are the ones I just let it pick. I don't even know my own passwords for some stuff. It's just in there. And I throw it into whatever prompt is there, and then looks at it. Lots of numbers, symbols, letters, all sorts of fun stuff. Now, if you want to talk memorization, ones I actually have to memorize, I've usually found it best to do word combinations and number combinations, stuff I'm going to remember maybe, or at least it's not personally useful to me, but it's a string of words that I can look at and go like, oh, I can remember that. I'm not going to tell you what any of them are right now, but if I got to remember it, that's usually the technique I use.

Jara Rowe: That's awesome. Yeah, those password managers, those are super, super helpful. Definitely. All right, so last one. If you could create a cybersecurity superhero, what would their powers be?

Chris Vannoy: Super speed. Some of this is fundamentally, we are all human and we're going to make mistakes. And I think a lot of superpowers I've found in engineers and cybersecurity folks a lot are the ability to quickly diagnose and fix problems because problems will happen, right? So having the ability to quickly recover from when stuff does mess up, can probably help a lot. As much as I'd like to think superpower of prevent errors from ever happening, I don't think that one's plausible. So instead, I'll go for the totally plausible super speed one.

Jara Rowe: Awesome. All right. So Chris, I've definitely enjoyed talking to you about this topic. Again, it hits home for me. But before I let you go, are there any other things you would really want to drive home?

Chris Vannoy: The biggest one is kind of as I mentioned earlier, if you're building any software at all, keep in mind that anything you store becomes your responsibility to not let out, right? So don't store things just because, or just because you think it's a good idea. Make sure if an auditor or a CO or a person investigating a leak comes to you later and asks, "Why were you storing this?" you have a good answer. Right? And a good answer is not, "Because it felt like it might be useful someday." So only store what you need, and make sure you know why you need it.

Jara Rowe: Fantastic. So much helpful information during this episode of The Tea On Cybersecurity. Tune in to a future episode coming up on pen testing. Now that we've spilled the tea on MarTech and privacy, it's time to go over the receipts. I will say this topic really hit home for me as a marketer. I use MarTech tools all the time. I never really thought about the different privacy concerns or cybersecurity concerns until I started working at Trava and started hosting this podcast. So I've learned a lot during this conversation with Chris, and I hope that all of you have as well. So let's dive into the receipts. The very first thing I took away is when it comes to how the relationship between MarTech, privacy and cybersecurity has evolved and changed over the years, it really comes down to two things. One, regulations and frameworks and things like that have changed, and two, people have their own concerns about their privacy and how it's being used. The next receipt that I have is when it comes to a company mitigating potential privacy concerns and risks, again, it really comes down to following a framework or regulation like SOC2, ISO, or GDPR. And we've learned a lot about these frameworks this season on The Tea On Cybersecurity. The next receipt that I have is when it comes to building a product and engineers in particular, it's important to only store the information that is needed. If you don't think you'll ever really need the information, then don't store it. And it's also important to only give access to who needs it. Only give access to the ones that it's necessary for them to have. And with that, it's important to keep an audit trail to see who has been accessing what and when. And the final thing that I took away from this episode, which is something that I've taken away in all of the episodes from season one, and season two so far, is that it is essential to be secure from the start of the company.
And that wraps another episode of The Tea on Cybersecurity,

Speaker 3: And that's The Tea On Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcast.

DESCRIPTION

"The more data you have, the more painful it's going to be if you mess up your cybersecurity and all that leaks out."


On the most recent episode of The Tea on Cybersecurity, host Jara Rowe is joined by Chris Vannoy from The Juice, a renowned MarTech firm, to dive into a discussion about data protection.

Chris underscores the significance of SOC2 processes in ensuring data precision and controlling access, while also tackling the tough task of juggling ethical and legal restrictions with the growing need for customer data in the face of evolving privacy conditions. 

He offers a word of caution to companies about the importance of thoughtful data gathering and sharing protocols, emphasizing security from the get-go. The conversation also touches on the need for faith in vendors, the value of certifications like SOC2 or ISO, the privacy expectations among tech engineers, and the changing public attitude towards privacy, influenced by GDPR and the advent of new tech. 

This episode underscores the crucial necessity for enterprises to protect their data in order to adhere to privacy regulations.


What you’ll learn in this episode:

  1. What MarTech software is and how it can assist marketers in their work.
  2. The different security measures for different data levels.
  3. Precautions to prevent data from leaving the system.
  4. How to balance ethics, regulations, and customer expectations in MarTech.
  5. Practical tips for breaking bad habits and implementing security measures.


Things to listen for:

[02:36 - 03:47] Marketing technology (MarTech) includes various tools such as email campaigns, custom landing pages, account-based software, and advertising. 

[05:04 - 08:09] Privacy concerns are rising both for users and businesses.

[09:01 - 10:56] Regulations and privacy consciousness impact marketers today.

[13:50 - 15:59] Data ownership and sharing responsibilities explained.

[17:46 - 19:26] Engineers prioritize privacy, security, and ethics.

[21:09 - 22:58] Ask for certification.

[23:53 - 26:18] AI rise creates challenges for identifying truth, and privacy.

[26:58 - 27:54] Companies impersonate users for secure access.

[29:52 - 30:27] Be mindful of what you store online.

[30:41 - 32:48] Jara’s Receipts

