Powderkeg Unvalley Panel: Cybersecurity in 2022, Not A One Size Fits All

Brittany Penny: ...about cyber security in 2022. We are going to be talking about how cyber security is not a one- size- fits- all approach. My name is Brittany penny. I am an Integrated Technology Solution Cybersecurity Specialist at CDW, and I'm going to be leading our discussion today. During this discussion, we're going to be asking a lot of different questions and learning from our great panelists who come from years and years of experience. We will also be fielding questions from our attendees and viewers. So feel free to drop any comments and questions within our Q and A. We will be running through some great tricks and tips. I'm going to start by introducing our amazing panelist, and then we'll jump into our Q and A session. Our first speaker is Jim Goldman. Jim is the CEO and Co- Founder at Trava Security. Welcome, Jim.

Jim Goldman: Thank you.

Brittany Penny: Our next speaker is Tim Horoho. Tim is the CTO at Zylo. Welcome, Tim. And our next speaker is Rupal Thanawala, CEO at Trident systems. Welcome, Rupal. All right, so let's dive into today's topic. This first question is going to be for Jim and Tim. Cybersecurity threats, they are continuing to evolve and continuing to change. Something common that we have heard is that, at a startup stage, that startups are a lower risk for cybersecurity threats. Have you both found this to be true, or have you found this sentiment to begin to change?

Jim Goldman: I guess, I'll jump in first. I've found that changing and I'll give you a couple of examples. I just saw a study that 81% of successful phishing exploitations happen against small and medium sized businesses. Now, granted, those are not necessarily startups. But I can tell you from personal experience on the startup side, when we registered our domain name as Trava Security, literally within a matter of hours, there were similar domain names being registered, not by us. And that's sort of one of the basic ingredients towards a potential phishing attack or ACH fraud at some point in the future.

Tim Horoho: Yeah. Just to reinforce what Jim said, you think about cybersecurity, you think about the goal of the bad actors, if you will. Their goal is to get their hands on as much data as possible. The source of where that data comes from is really less important to most of the exercises that are out there running. They're constantly scanning. They're looking for new opportunities, vulnerabilities, open ports, anything that is out there. Startups, oftentimes, are getting in early with great brands, great companies bringing data into their platforms. And oftentimes, startups have less security measures and protocols around patching and verifying that you have ports closed, and all the kind of fun things on the back end that cyber security criminals are looking for. And so, what we found here at Zylo and what I found in my years of experience, if you have data, there's bad actors out there looking to get in. So I wouldn't take that as true in any way.

Jim Goldman: Just to reinforce what Tim just said, in my time at the FBI, one thing that I found is cyber criminals are basically like every other criminal in that they're lazy. And they're going to target the easiest target, if you will. So as Tim pointed out, it's those startups that don't have the mature programs, don't have the mature defenses. That's exactly who the cyber criminals are going to focus on.

Brittany Penny: Now, Tim, Jim, great points there. And just to circle back and another question to piggyback off of that, so many startups and companies are trying to balance this rocky foundation of," Okay, I need security foundations. I need to grow. I need to hire the right talent. I need to implement the right technologies." What recommendations do you have for companies as they start to balance this growth and secure mindset?

Tim Horoho: Yeah. Jim, I'll jump in first here.

Jim Goldman: Go ahead, please.

Tim Horoho: I think, when you're in a startup, your early phase, funding budgets are always tight. You're balancing across the entire business on where to put your dollar. You can solve security through many ways. You can, first, rely on engineers that have a security- first mindset. You could do some security focused training for your engineers to handle some of the kind of early phase needs from a security perspective. The balance of when do you bring on your first titled security engineer, that's always a good question. I can tell you at Zylo, for us, it was last year. Up until that date, five years into the business, we were handling it all internally with software engineers and others, ops folks, to handle that. But our security program has just dramatically improved as we take that next step with a fully titled professional that has years and years of experience in security. The software engineers greatly enjoy having somebody that kind of cover their back and make sure we're doing the right things. And so it's a tough question. You can ask this same question about product, about design, about sales, about CS, really across the business. My recommendation is, it all depends on the business. It depends on what you're doing.

Jim Goldman: Yeah, that's exactly right. It's all about prioritization. When we talk to startups, we often start trying to reassure them by saying," If you try to eliminate 100% of your cyber risk, you'll do nothing but bankrupt your company and you'll be out of business. It's just not realistic." The other analogy I sometimes use is, if you had a problem with your automobile and it was breaking down or whatever, you wouldn't go to an auto parts store and grab a shopping cart and just start pulling random parts off the shelf, right? You'd have some kind of diagnosis done first. And so what we say is, it's important for every company, regardless of their age or size, to have a risk assessment done. That risk assessment then gives you a prioritized list of the things that you ought to address. And then again, as Tim said, based on budget, you start basically working your way down that shopping list and say," This year, this is really all we can do. And we're going to have to worry about something called mitigating controls for the rest of it."

Brittany Penny: Man, that's a great analogy, Jim. I really like that. So no, thank you. And I think that makes a ton of sense, so thank you both for your feedback there. This next question is going to be for Rupal and Tim. Many companies, they're required to go through maybe a yearly penetration test for compliance regulations. Other companies may go through a penetration test just to understand where does risk exist within our environment. When do you think is a good time for a company to go through a penetration test? And what does that look like?

Rupal Thanawala: I would say that it has to be part of your process to have your system secured. That has to be number one priority. And security has to be part of every everything that you do. I work mostly with large organizations, and one of the things we talk about it... I'll give a similar analogy that you do not want to just put a big padlock on a front door, but you also want to make sure that each and every window is also secured. I think having the mindset, and the culture, and the importance of having everything special... If you are a software company, then making sure that security is part of your entire end- to- end development program. It is a part of your testing. It is part of your UAT and everything that you do. So it has to be embedded in every stage. However, a few things that you want to consider is, it also depends on which industry you support and what kind of products do you have.

Jim Goldman: Right.

Rupal Thanawala: And that can also depend... There's some kind of an industry nuances now I want to bring it in. For example, if you are working very closely with patient data, then you have an added complexity of HIPAA compliance. If you're working in finance or insurance, and some of those financial institutions, banking and all, then there's a mandate that you have to go through certain security compliance also. So what you are asking a question is, what could be a yearly process? I would say, please make sure what kind of data you have it and what kind of industry compliance also you have to do, because that is very critical because that could result into some of the security breaches. First of all, you may not be able to do the business with your clients, because if you're a product owner there or service provider, then, yes, your customers you are serving in that industry, they may have one of the mandates that you have to follow.

Tim Horoho: Yeah. Rupal, good point. I'll double down on that point. I think, as a startup, oftentimes things like penetration tests are derived from the customers that you're doing business with. And as you get into working with large medium size to enterprise businesses, they're going to absolutely require a penetration test. And so, that could be year one, year two into your business. That could be year four or year five. The other point I'll bring up from a really innovation technology perspective, a penetration test is there to find those gaps that you didn't really know you had. And you're outsourcing kind of ethical hackers to go dig out those holes and really find those problems before the real bad guys do. And there's much rather have somebody do that on your behalf versus have somebody get in and expose your customer data and immediately create a bad brand for your startup, because you didn't do something that you could have easily taken care of. And then the last point I'll make here is, the earlier you are in a startup, the complexity of your code base is often quite a bit less. If you've been working on a product for two or three years, you're just getting off the ground. You're continuing to build your products. And the complexity, the data models, it's a lot easier to patch these things in the early days and to build off of a secure base versus to be doing things not as thorough as you could be. And then you find five years later that you have to go re- architect a major part of your application because you didn't know about this problem three or four years ago. So to me, the earlier, the better. And if you don't have customers asking for it today, you might in six months, if you are out there landing a large enterprise deal. And it'll make you that much better from a service provider.

Jim Goldman: To Tim's point, there are very cost effective alternatives to a full blown penetration test that younger, newer, smaller companies should take advantage of. For example, if you're in the software development realm, include a web application scan. It's sometimes called a dynamic application security tool that looks for typical software vulnerabilities like cross- site scripting, SQL injection in your code. Also, we know several companies that, before they invest in full time application security engineers or a full blown penetration test, just invest in a bug bounty program. And that's another way, very cost effectively, to have a third party be basically testing your software for you.

Brittany Penny: Great point and great perspective. Thank you all for that. Jim, Tim, circling back with you on one question here, we've talked about the penetration testing piece. Now, let's say that a company goes through some sort of cyber attack. We've often heard that cyber attacks are not a matter of if, but more of a matter of when. How important do you think it is to have an incident response strategy and playbook in place? And when would you recommend that companies start to build that out?

Jim Goldman: You want to go first, Tim?

Tim Horoho: Yeah, sure. The incident response strategy sounds like a super complex thing, but it can really be as simple as having the right contacts documented, having the right source systems identified and documented. And just having kind of a skeleton perspective of what we need to do if, for some reason, we were to find evidence that there's somebody in the system that shouldn't be. That's something that could be done in year one and year two. That is something that is... You're kind of documenting your system along the way as you go. You're documenting who are the right people that need to know. Oftentimes, something at that level, you want to escalate that up to the CEO level, to the executive team so there's full visibility while you continue to understand the impact of what might have happened, the exposure that might have happened, how you want to communicate it to your customers, and so on. I certainly recommend you have a skeleton of a plan early and understand what you're going to do because when it happens, things quickly escalate, things quickly get out of control. And having that plan in place just helps kind of create a little bit of... I don't know... Help with the chaos, I'll say.

Jim Goldman: I couldn't agree more. Literally, you can't do this too soon. But to Tim's point, when the company is relatively small, the plan itself should be small as well. In other words, I think some of the reason why people put this off is they have this notion that it's this onerous huge plan that needs to be professionally written. Nothing could be farther from the truth. It might be a couple of pages. Here's the phone numbers. If this happens, call so and so. If this happens, call so and so. Here's where the logs are. Literally, it's just that simple to start with. But even just that much makes such a difference when the situation actually happens. The only other thing I would say, again back from my experience with the FBI, the time to get to know your local FBI agents is not in the midst of an incident, but it's sometimes beforehand.

Tim Horoho: No, nothing better than a nice coffee chat with your local FBI agent. I can't imagine a better time.

Brittany Penny: Oh, man. Oh, man. I love it.

Rupal Thanawala: I could add one more thing, besides knowing your FBI agent, getting the mindset of your customer. Because as much as you're thinking about how do you have your business continuity plan, which is what we are talking about, plan for a D- day, but think about what if something happens at the client site and how you can react also? Because many customers nowadays ask when they buy a product from you that," Okay, what if this system fails? How do we incorporate procedures that we have from your side into our procedures?" So the moment you start having your first customer, you should have your plan ready because many a times that's just part of one of your RFP process. They're buying the product from you, they're going to ask for you.

Jim Goldman: You are so right.

Rupal Thanawala: So, it's a first thing that you should have it. And there has been situations like you may think that your product has been used for a smaller or midsize company. Who knows that product would be used by a very large corporation, and they may have very stringent processes, very rigorous behind cyber attacks? And it will trickle down to you, so please have that handy.

Jim Goldman: And in that regard, decide beforehand who in your company is authorized to make what kind of statements to the customers. Because in most cases, the customer's going to call whomever their most common contact is. That may be a salesperson. It may be a customer support person. Those people are not necessarily trained to say the right thing at the right time.

Brittany Penny: Yeah. Oh my gosh, you guys absolutely nailed it and so spot on there. Tim and Rupal, next question is coming at both of you here. The state of remote work, that has been evolving for a lot of companies worldwide. And so for many even startups, they have started as a remote company. Maybe they started out of their house and then slowly expanded and they thought about," Okay, how do we hire the right talent regardless of the location?" What are pitfalls that you see that companies make, or that they may overlook when they're adopting a work from anywhere strategy?

Tim Horoho: Rupal, you want to go first?

Rupal Thanawala: You can take it up.

Tim Horoho: Okay. For me, I think coming from the perspective of security, I think when you're sitting in the same office, you're sitting in the same room, it's easy to pick up hints and try to kind of reach across the aisle and understand how somebody solves a problem, both technically and securely, and so on. When you have a workforce located in different geos, different time zones, maybe not even working on the problems within the same hours of the day, because of the time zone issue, you just don't have those conveniences. And so having a clear statement of what your requirements are that you're doing, having thorough testing procedures in place, so you can test edges of what you're building and think about the security pitfalls that you need to test for, those are the things you have to have in place with a remote workforce. And that's kind of thinking from a software startup architecture perspective. From an IT perspective... I don't know if you want to go there... but I'll see if, Rupal, you have any thoughts.

Rupal Thanawala: No, that's a great point. So, what we do... Because my entire team is from all parts of the world. And some of the things that we have been working very diligently is, what kind of devices that they're using? Number one. So we get to that level. What kind of security does it have? I have some clients, even the screen sharing is controlled. There's absolutely no way to download the data. All the data has to be stored in the company cloud only. Nobody can save anything on their personal devices. So there has been lot of techniques that are there nowadays that companies implement, because we definitely want to make sure that the code has been not stolen. So I think that kind of challenges we have. And besides, I work mostly in life science and regulated industry, so we have to be even more careful that our client data has been also secured. That means people cannot use their personal devices. The internet connection that they're using has to be secured. Most of the times, they can only access the data with Citrix server, and so forth, and so on. So I think there are lots of ways we have to make sure that, yes, we want to be very accommodated beyond, of course, pandemic. Work from home and remote working is absolutely the new way of working in our industry, but then making sure that the data is secured is critical.

Tim Horoho: Yeah. I'm going to jump in here and come back to... We did a poll to see what was the most concerning cybersecurity threat out there, and phishing attacks was kind of the top answer there. I think that's fantastic. And it's good to know that people are recognizing that as a major concern. It absolutely is a major concern that we should all be thinking about. How do you protect against it? You test. You test against it. Don't be afraid to test your own team. Don't be afraid to go out and outsource a third party to test against those phishing attacks. And when people do well, you recognize the people that are doing well within the company and people that repeatedly fail. I know, in my past life, they used to get an email from me or a Slack message directly from me, and maybe... And when Jim and I used to work together... People probably don't know that, but we worked together in years past... Jim would go knocking on their door and talk about the importance of understanding phishing attacks, and how to be diligent, and training your team and your employees on how to recognize those phishing attacks. So, just wanted to bring that up. I think, as you think about remote work, that's no better way to do that than real life testing and training for your team.

Brittany Penny: I love that. I love that. I mean, you can't create better advocates by not testing them, right? Like you've got to test them on security best practices, see what they click on, see what they fall for and train them in the best ways. So, absolutely love that. And thanks for that perspective. When we start to think about users working from anywhere, now we can start to think about our applications and our data and how that is shifting into SaaS applications and public cloud platforms. Jim, Tim, this question is going to be for you. How closely do you think that public cloud and security are often thought about in the same manner or in the same conversation? Or do you think that oftentimes security is an afterthought?

Jim Goldman: Boy, that's a big question. Let me start with the cloud part because I think Tim can speak certainly to the SaaS part and what we sometimes refer to as shadow IT. With the cloud part, there's all this wonderful cloud infrastructure now, be it from AWS, or Google, GCP, or Azure. And the problem with those platforms is that people think," I don't have to worry about security because these cloud platforms are super secure." Which is true, or at least partly true. What people need to understand is that those platforms are designed to allow customers to quickly and easily get their data on there, get their application on there, have their services run. In order to have those services run quickly, there tends to be not a lot of restriction, elevated privilege if you will. And so the point is that the onus is on the users of those cloud infrastructures to lock them down and to restrict the access. And so it's very important that customers using any of those... And they're all good... using any of those to do what's called a cloud scan on those environments and understand what might be unlocked that they never intended to be unlocked. Or, is there elevated privilege where there shouldn't be? That type of thing. So, yes, they're great services, but there can be just as many... To be clear, they're not really security vulnerabilities. They're configuration vulnerabilities in those cloud services.

Tim Horoho: Yeah. And I'll speak to the broader SaaS concern. I think Zylo, the company that I work at today, we are built to help companies manage their SaaS. The biggest value add that we bring to many of our customers is the visibility, what SaaS applications companies have in their business. Oftentimes, companies think they have a 100 or so... Small to medium size businesses we know have 500 plus SaaS applications that are... They just don't even know it. Large enterprise, you're up near a 1, 000 SaaS applications. Why is that important? Because every person that is using that SaaS software, they're uploading customer data. They're uploading your data into those applications. You have to have that visibility. And so, from a cybersecurity perspective, you have to understand what SaaS is in your business. You have to understand what your employees are using and what you're allowing them to use? How you find what SaaS is being used? And also, what those applications are? How secure are those applications? Are they, the applications, secure themselves? And then, also doubling down on Jim's point about the public cloud, the public cloud is a great place to innovate quickly. But there's so many controls that are the responsibility of the technology team to implement those controls, to make sure you have good designs in place, separation of duty between your production environments and your development environments. All of that is so important for building a secure solution in the public cloud.

Brittany Penny: Great points. Thank you both for your perspective there, and totally makes sense. All right, this next question is going to be for Rupal and Tim. Cybersecurity insurance, that's something that we've seen often as a topic of discussion. When would you recommend that companies begin to embark on that journey? And any tips and tricks around cybersecurity insurance policies?

Tim Horoho: I'm going to actually give this one to Jim. I think he's a better person to answer that one here.

Brittany Penny: Okay.

Jim Goldman: Yeah. Trava is also in the cyber insurance business because we feel that cyber insurance is an integral part of a cyber risk management process, risk assessment, risk mitigation, risk transfer to cyber insurance. The thing that I would say about it besides the obvious fact that the whole cybersecurity industry right now is basically a giant dumpster fire, is that what most people don't realize is all cyber insurance policies are not created equal. So, you really have to dig in. There's only about five standard provisions in most cyber insurance policies, and then there are what are called 13 or 14 different endorsements, those almost like options. Those endorsements may be included. They may not be included. The endorsements may have what are called sub limits, that type of thing. And so what I would say is, cyber insurance is absolutely critical because it's part of an overall risk management strategy. It's not this other thing removed over there. But all cyber insurance policies are not created equal and you don't want to be paying for something that you don't need. But at the same time, you want to make sure that you're covered for the most likely residual risks that you actually have in your business.

Rupal Thanawala: I would just add a few things, not from actual insurance perspective, but what is the cost of cybersecurity attacks? So we believe that currently, on an average, it costs our industry almost$ 10. 5 trillion due to the cybersecurity attacks. But what we are talking here is now literal numbers, but there is a difference between what is a cost versus value? So I just want to briefly talk about why it becomes more of a value question than the cost question. So, in 2013, when Target had biggest breach, which actually there was 41 million records, the credit card records of customers were stolen. At that point, after four years Target had to pay$ 18.5 million to settle that lawsuit. But think about that, that every company... And even if you are not a publicly traded company, it still impacts you, even if you're a smaller company. So we believe that 11% of the stock prices fall down right away after the cybersecurity attack or a major breach. And then the brand damage that happens. And the last, the customer losing the faith and trust in your company. So I look at insurance questions slightly differently because that's the kind of questions I get asked more than in the literal sense," How much insurance we should pay?" But rather on the flip side," What would it cost us literally even if we have an insurance?"

Jim Goldman: inaudible.

Rupal Thanawala: Because insurance is going to take care of some of the procedural or new people we have to hire or put new IT or security around what systems we have. But then I look at it slightly differently because this is a huge conversation in the boardroom. And I don't want to use word boardroom in a big way here. Even if you are a small startup, you have your investor, you have your stakeholders, and they are going to look at it. They want to make sure that you are secured and there are no challenges due to cybersecurity attack or anything that would damage your business. So I think I just look at that way.

Brittany Penny: No, that's a really, really great perspective. And thank you both for sharing. This next question is going to be for Rupal and Jim. When companies get to a large enterprise stage, what should their board of directors and governance committees be paying extra attention to?

Rupal Thanawala: Yes, I'll just continue the thought process that I was just sharing. So, the board of directors are just, of course, number one, looking like they are making sure that... Actually, SEC just announced a recent requirement that every publicly traded board must have one person who is either trained or having knowledge of cybersecurity, so that is where it starts. And some of the things, of course, stem from the Target breach that I was talking about. But then they are also making sure that there are internal and external controls into the system. That means not only that our systems are secured, but the products that we are buying... And that, for example, if you're a small size company, and you are part of their ecosystem... that has been also secured. So because they are looking for their companies' end- to- end security. And it is their responsibility to make sure that not only our data and finances are secured because that used to be back in the days. But now looking at how does it impact our brand? How does it impact our market share? How it's going to impact our stock price? So everything has been looked at. So it is a 360 degree view. And having CSO present the regular reporting into the board meeting is becoming now norm. Every CSO has to provide the security report to the board regularly. And we just talked about few minutes back, Jim was talking about the moment there is a huge cybersecurity threat, it goes all the way up to the board. That's a board conversation, number one. So the visibility is very, very high.

Jim Goldman: That's exactly-

Rupal Thanawala: And Jim-

Jim Goldman: Oh, I'm sorry.

Rupal Thanawala: ...You can add more to that. I'm sorry, Jim, Tim, whoever.

Jim Goldman: No. That's exactly right. And there is actually a framework. This has been evolving over time. If you stop and think, what is the primary job of any board of directors? In a nutshell, it's to manage risk. All right? Not just cyber risk, but manage risk in the broadest sense, as Rupal pointed out. The risk to brand, the risk to reputation, financial risk, human resources type risk, that type of thing, natural disaster risk, geopolitical risk. That's the job of the board of directors. And there's a framework for this called enterprise risk management that's been introduced to boards over the last few years. So there is a structure to it. But at its heart, it's just basic risk management. What has happened is, cyber risk management has become more of the conversation, if you will. And the awareness at the board of cyber type issues has escalated in the last couple of years with the escalation of ransomware attacks. All of a sudden boards of directors are talking about ransomware and how protected are we? And what's our ransomware protection strategy? That kind of thing. That's just the level of conversation now is in the boardroom literally.

Brittany Penny: Yeah, you both are spot on. Absolutely. So companies who are joining us today, they could be joining us at any stage of their journey. They could be a startup, they could be large enterprise businesses. As a cybersecurity product company and service provider that's serving companies of all sizes, including large corporations, what have you all found as the most important to larger companies? And Rupal and Jim, this question is going to be targeted towards both of you.

Rupal Thanawala: I think as a larger corporation now, or whether you're... I'll just give you an example. If you're a product company and you are selling your product and plugging in with another software company, or your product has been used by any large corporations. I think they're really not only just looking at your product, but then also looking at the overall posture of your company. They really want to make sure that your end- to- end product has been secured. And I'll just give you an example. I've been helping one of the large corporations and they're building their strategy and thinking about it that you're providing the products. But in a case of cyber attacks and somebody just shuts down our manufacturing plant, do you have ability to serve from different location? Do you have an alternate location? Or, if there is a physical attack to your company, how are you going to operate? So I think the companies are looking at not only to cyber attacks, but any kind of risk that can actually disrupt their operations. So, you can operate in any situations. I think that is very critical nowadays when you're working with a large corporation. And then, as we just earlier talked about all of the controls in place, whether you are going for funding from VCs, or you are applying for large RFPs, they have a very, very rigorous process nowadays too. They have questionnaires probably 10 pages long. And out of that, half of them are not what you can do, but what can you do if something falls off?

Jim Goldman: Yeah. I would just dovetail with those comments and say, years ago, risk management was seen as a once a year activity. You did your annual risk assessment. You updated your risk register, you updated your roadmap. Maybe you met quarterly to review it or something like that. What has happened... And this is in the largest enterprises because I was in charge of security governance, risk management and compliance for all of Salesforce... is risk management is a perpetual process now. It has to be a perpetual process that the whole organization has to buy into. So there's two things. One is, it's nonstop. And two is, it is everybody's job. You may have a group that's more or less in charge of it, but everybody has to buy in to the risk management process. And it's almost like a frame of reference, you need to live it and breathe it every day.

Brittany Penny: Great point, great point. We had a couple anonymous questions come in through the chat, so I'm going to throw these out to the group. First question is, from a security standpoint, as a startup building towards a pen test, what are the top things to implement prior to trying to cover as many gaps as possible before the ethical hackers uncover the obvious?

Jim Goldman: What I would say is do your own scanning. In other words, there's a variety of different types of scans, external scans, certificate scans, web application scans, cloud scans that I mentioned earlier, agent scans on your laptops, et cetera. Those are more or less easy to implement, relatively low cost, et cetera. And so it's like kind of do your own home inspection before you invite the professional home inspector in.

Tim Horoho: Yeah. I agree, Jim. I was going to say something very similar. But I would also just kind of say, I wouldn't worry about it. You're trying to understand what those gaps are. Every developer, DevOps engineer technologists that I have worked with in the past, they want to do things right. They want to do things well. And they're going to do their best to follow what they know is the right security protocols to get things done the right way. And so there's going to be decisions made, some right, some wrong. That pen tester's there to help you find out. And don't hold back bringing that in because you don't want to look bad. It's okay, you can look bad, go fix those issues quickly. And then do it again. And so, that iteration is, it's software development. And that pen test process can just be something that helps makes your system better, helps everybody learn.

Brittany Penny: Awesome, I love that. Rupal, any thoughts on that question as well?

Rupal Thanawala: I think we are covered. Thank you.

Brittany Penny: Okay, awesome. Awesome. And I think we have time for one more question. We have one more anonymous question that came in. If a company has gone or is going through a compliance process like SOC 2 or HIPAA, what is the next step to stay secure right now and in the future?

Jim Goldman: I actually love this question. I wrote an article about this and that's the difference between compliance and security. They're not the same thing. As Rupal pointed out earlier... And make sure you hear this... Target was compliant, but they obviously weren't secure. So, don't ever mistake those two things for each other. And so, the real question is, how do we assure security? I think that's through this perpetual risk management and approach, right? Always working your way down through those lists, doing pen tests, et cetera. And then as a byproduct, have someone else come in according to a framework like SOC 2, like ISO, like HIPAA and have that third party assure that your security program really is compliant with this framework.

Tim Horoho: Yeah, thanks. Spot on.

Brittany Penny: Awesome. Well, Rupal, Tim, Jim, thank you so much for your time today. This is a great conversation. I know I learned a lot that I'm going to take back with me. For everyone who joined us, thank you so much for joining our session today. Check out the other sessions that are going on. Signing off for now, but thanks everyone. Have a great day.

Jim Goldman: It was a lot of fun. Thank you.

Tim Horoho: Yeah, Steve...