Simply Solving Cyber

Podcast Trifecta - SSC, BKBT, CyberRanch

Aaron Pritz

Welcome back to Simply Solving Cyber. This is Aaron Pritz, and today we are joined with a few different guests and I will let George introduce us.

George:

Welcome to a very special podcast event. We've called it the podcast trifecta. We have in the house and behind the mics, the hosts from bare knuckles and brass tacks. I'm George K with bare knuckles. We have Alan Alford with the cyber ranch podcast, and we have Aaron Pritz and Cody rivers of simply solving cyber.

Why are we here? We are here because we got a bone to pick. with October, also known as Cybersecurity Awareness Month. So we're going to start with a history lesson. We're going to air some grievances. And then we are issuing a challenge to the community. So stay tuned as we embark on this adventure. Alan, I'm going to turn it over to you, resident historian. Catch us up on the origins of Cybersecurity Awareness Month. Well, if you go to csa. gov slash cybersecurity dash awareness dash month. You will find out that since 2004, the president of the United States and Congress have declared the month of October to be cybersecurity awareness month, the whole premise behind this, what got it all started was we had a populace in general who weren't. caught up with cybersecurity needs, right? And so the idea was the government was going to try to kind of poke people a little bit and get them, get them heading down the cybersecurity rabbit hole, if you will, and give them some basic prompts. And if you go to that website today, there are in fact, four basic prompts still there. And I love them. Use strong passwords in a password manager, turn on multi factor authentication, recognize and report phishing, and update your software. Pretty good tips for the novice, pretty good tips to sort of baseline a cybersecurity posture, if you will. And so I think the origins of the whole thing are not bad. I don't think they're bad, they're bad necessarily in their own right, but I think that what we've seen is an evolution. And I think we've got, um... Some challenges now with how we approach Cybersecurity Awareness Month, both as practitioners and as vendors. Uh, everyone knows I, I've been on both sides of that fence and, and I don't know if any of us are doing it right. George, what is your take on this as a practitioner? Yeah, thanks Alan. Um, I can, I can tell you this, since I got into this industry in like 2016, uh, I find it completely insufferable. And the reason why is because, like, just, you know, real talk about it, guys, like, there's no awareness month for secure operations, right? You're either building a security culture or you're not. Um, and, you know, it's not just, it's not like Christmas, it's not Advent, we don't get a calendar, we open a piece of chocolate every day for like, oh, cool, my password doesn't suck. Like, that's not how this thing works. Um. I think what it's turned into and actually what it was, even when I started an industry work in sec ops, um, it's just an occasion for marketers to have a reason to have a theme to be extra annoying when they're trying to push pitch. That's, that's literally what it's an industry to industry thing, because if you talk to anyone else in like the normal world of. People who have normal jobs that do things and gives them calluses in their hands, they don't give a shit about cyber awareness month. The fuck does that even mean? Right? It's just something that's like weird to us. Um, and again, you know, like I, I treat it more like it's, it's the, a Hallmark holiday for cyber sellers, right? It's like Mother's Day and Father's Day kind of thing, right? Which, you know, respect to our moms and pops, it's, yeah, like, and again, so it's, it's one of those things that I think it could be done better. Um, you know, and I was saying, like, the reality is you should be working to build and reinforce a security first culture at your organization all year round. Um, You don't want people to care about their cyber hygiene for one month of the year and then go back to using 1, as their passwords for the rest of the year, or just having the same password across their entire enterprise. Um, I, I really, I'd be interested to see though what Aaron and Cody have to say as a former client side practitioners. And you guys are now working in the consulting game, whereas I started in the consulting game and I'm now a client side CISO. We like to do things backwards. So, yes. Awesome. So a couple of things, I do think that there's some big opportunities and some big challenges here. I think, first of all, I agree with you on, and George, I think this is your, your passion, bailiwick, and I won't steal all of your thunder on the marketing and sales size. Absolutely. It's a usurped holiday for extra spam marketing. And I don't know that that's the spirit of awareness, which is not helping cybersecurity people understand the basic commodity awareness things. It's to help non educated end users that are not it people and not cybersecurity. If they don't already know the basics to maybe get more interested in it, but I think we're missing the, get more interested in it because we're spraying them with. Extra phishing messages and extra, you know, before proof point SAS awareness tool modules, it's really just not making that much of a difference. Now, I will say, let me take a step back when I was on the practitioner side and, um, I guess was unlucky or lucky enough to be at a very large fortune 500 organization that. Had a very public insider threat arrest with the FBI. And, you know, it come to Jesus moment with, uh, the workforce needing to do something very different than relying on it buried in the literal and proverbial basement to quote unquote, protect them. Um, so I think for me with a front row seat to that and trying to drive, okay, how do we make cybersecurity and more specifically insider threat? Something that scientists and marketers and all of them can play their role. Cause like my front row seat learning was, Hey, there were good it controls in place, systems were locked down insider threat wise. You got credentialed people that have legitimate access that are doing things either and compromising the company. And the only way to get underneath that is to help people understand what your crown jewels are. And. How to know if something feels off in an interaction and so on and so forth. So bottom line, I guess I was, I'm going to go with lucky enough to experience that and have a lot of senior leadership support for doing some really provocative and significant and avant garde things. In the awareness space that aren't commodity. So I, I like, I like to joke with clients now on the other side of the table that I'll never see that level of budget again. And I may, and I hope that the companies that we work with don't get to that same level of budget from the perspectives that we did, which was we got to throw a lot of money at a problem. But we try to, you know, now I try to recreate like, how can you do it more economically with some innovative methods that aren't spraying out more white noise? So I'll leave it at that. Turn it over to Cody. Who's kind of come from the tech side and, you know, had the pleasure, I think, of, of joining some kind of big, large corporation awareness things, and maybe share some of those tactics or. Innovative approaches that aren't the things that I think Alan, you alluded to that just don't work or, uh, George, a, you know, things that, you know, are annoying and, and let's separate the marketing side and George, we'll get back to you on the marketing side because that's a whole different bone to pick. Yeah. Good. Yeah, no, absolutely. And like, we always say like awareness, like done right. Is it's a comprehensive, like year round program. You know, like you leverage it with other business initiatives within the business, you know, if you want, if your goal is going to be cultural change, you've got to involve the culture and the movement versus to your point, just like spraying them with, you know, a simple, a simple video or some phishing or password, you know, but we've seen things like, you know, building champions programs, getting other, you know, functional areas involved in the business, getting them educated. Um, you know, you see like the character and the branding, you know, building campaigns that go year round that are going to tie more into like, you know, info sec initiatives. But again, getting out of the, the, the fund, the fundamentals and kind of Aaron's point that the commodity things, departmental challenges, gamification. Um, but a lot of those things, you create the intrinsic driver within the culture, you know, why does this matter to me outside of at work or at home with grandma with, with cousins? Um, and that's what we've kind of seen work a lot, a lot better. That's, you know, to get that cultural change versus you sign a check for a piece of software, you know, it's usually a high number. You don't see the change you want, the tool goes away, you spent money, no results, no one's happy, you know, and then you're kind of left, you know, hold the bag. Yeah, Alan, I love that there's the federal government involvement and stay safe online. But my, you know, the last few years, and I think you pointed it out, like, it's the same four topics re skinned with a different variant, but it's phishing, it's basics, it's all the stuff that is the lowest level. And I think people. One either don't care that's the stuff that they've got every month already You got to hit them with something different. You got to hit them with something that Resonates with their family or within the job function that they're in. And they're like, Oh, wow, I get it now. And, and I think too, we were talking the other day, actually yesterday about that, but it's like, we'll give you the same old thing with fishing or ransomware or something, but nothing on reporting concerns. So here's all the things that could go wrong, but let's not tell you what to do. If something happens, who to report it to the company that's tailored to the organization. Yeah, the sas tool doesn't tell you that out of the box. That takes a little extra work to like is it an email box? Is it a phone number? Is it a slack account? Yeah, it's a comment box in the basement and just fill out a three by five card. It's like we're talking now like actions on incident response processes, like part of security awareness. If we're going to have a substantive conversation talks about. What happens when this scenario occurs? There's an entire industry of TTX now, which part of it, which is, I think I consider a subset of security awareness training. And I think the biggest problem I was talking to another CISO a few days ago, and I was just like, man, are you not finding that you're spending most of your time really just. Reworking and building process problems across the company. Like we're not even doing like security anymore. It's now about like, how do we guide different functional groups to not making a mistake or how do we give them the right protocol? So if something happens, they know what to do and they don't just freak out and not say anything. Yeah. Yeah, I love that George. Go ahead, Alan. All you. I was just going to say, I'm deconstructing the phrase Cybersecurity Awareness Month. All of us picked on month. Everybody thought a month ain't enough, right? All of us agree on cybersecurity, and all of us are challenging the ideas of awareness and what those might be, right? Is awareness simply putting some posters on a wall? Is awareness marketing spam? Is awareness that deep seated need to really figure out the cyber implications of what you're doing, right? And so, Now we're even challenging cybersecurity itself. To George's point, I'm a practitioner, right? I've been a CISO five times. I find myself very often doing not cybersecurity work as part of my quote unquote awareness, right? So, so it's almost like all three of the words in Cybersecurity Awareness Month aren't hitting the mark anymore. Right. Words. Yeah. And, and Georgia, I was going to say like the whole, like finding business challenges, like I've done tons of cybersecurity technical assessments. I find very few organizations that are doing business process assessments, but when we do them, we found that the find that there's more ahas and more, Oh shit. It doesn't control this risk for me. I'm handling stuff in PowerPoint and word and unstructured data. And it's going over email and it's going over other channels, mobile devices, chats. And until you trace the data through a business process and pick your critical ones, like start at the top of the pyramid, you are just handling the commodity level stuff. You're not getting in at the side note, when you review the business processes, Alan, to your point, you actually add business value. I've had assessments where it's like, Hey, did you know that out of 20 different touch points on this, only five are needed. And it's never been challenged over years. Oh crap. We just saved a million dollars because there's waste. So like, that's it. That's like the cybersecurity practitioners dream. If you can add dollars and cents values and, you know, fix some security things, that's a win win, but I think a lot of groups are born out of it. And they're doing it systems and let's stay in our lane. Let's stay in our lane. Go where the risk is. Go where the data is. Find your crown jewels. I'm still surprised that I walk into companies and ask them, what are they protecting? And they're like, I can't even articulate the business that they're in. Right. It's crazy to me. We're, we're, we're talking about ultimately needing more than cybersecurity, more than awareness, and more than a month. Let me ask you guys this then. How do you define the ROI? On a security awareness training program. We're back to the ROI on awareness period, right? And I've got, I've got a rant I've given about this before. There's a famous blog out there that picks on a certain demographic of people. And one of the, one of the subjects of the blog is this idea of raising awareness that we've all embraced as this big, critical, meaningful thing. I can raise awareness about cancer, but that doesn't mean I'm doing the research to fight it and destroy it. I'm just selling t shirts and bracelets, right? And, and there's a certain amount of that for cybersecurity awareness with me too, that, that we're. We're talking about it. We're not doing something about it. We're talking about it. And so the ROI on awareness in general, to me, the only cybersecurity awareness that has a measurable metric that you can actually demonstrate has an impact to the bottom line is if you're doing anti phishing training and you're reporting not on the negative stuff, but on the positive reporting rates. If I have a thousand fake phish emails come through my shop. And when I started my awareness campaign, two people clicked a report and said, Hey, this looks like a phish. And by the end of that reporting cycle and the end of the awareness campaign, a hundred people have clicked and said, it's a phish. There's some demonstrable progress. I don't know if there's any other ROI on awareness that I can point to. Yeah. I, we do a lot of metrics and reporting projects in general, to your point. I think if you're not measuring everything you're doing and figuring out if it's working or not, you should stop doing it. I see a lot of these metrics that we're measuring a lot of things, but there's no decisions being made on that. So I think specifically to awareness, every, every workforce intervention that you're doing, whether it's champions or, you know, marketing type campaigns that go out to employees or creative videos that are trying to catch people's attention, whether it's measuring impressions. Or engagement, like are people responding to it if you're gamifying it with it in department and saying, Hey, let's pit departments against each other. Look for the actions we're trying to drive behaviors on and measure the volume of like, how many times are we doing it? I think it's not always dollars and cents or ROI from like a CF what the CFO would be concerned about. But it's, are you getting the behaviors that you want to see? And are you, are you sustaining those? Not like, uh, I just did it once and then I'm going back to my same old, same old. Right. I did my awareness campaign. I'm going to bed now. That's right. Check that box. Cecil is sleeping. And I, and I would say too, the behavior change from a standpoint of getting other functions involved. So with like, with like the champions program, you've got someone in. Finance or operations who before it was like, great. I have been postsec don't care. I'm not worried about, you know, our risks. Once you, you show them from a standpoint, what the crown jewels are, what risks do they own, there's a lot more aptitude and a lot more, uh, you know, uh, movement from their side to be involved and say, okay, if I own this risk, okay, now I'm as going as an ally to this CISO asking for additional dollars in budget to help fix the risks that I own InfoSec can resolve. But I think you get more motivation from the business, you know, leaders, if they are, if they are educated and aware of what their crown jewels are, the risks they own and the threats to those things, you're going to get them, you know, a little more open to, to talks with the CISO with InfoSec to address those and, and, and have some movement. Um, I guess I am the odd one out on this recording. I am on the vendor side and I feel very seen at the level of vitriol directed at vendors. But I wanted to chime in to say, when I got into InfoSec and people were saying, Oh, we should do something around cyber security awareness. I will tell you as the relative outsider, my initial take was, why would we do that? Aren't they InfoSec professionals? Like, why would I try to teach CISOs, the idealized target buyer who we can debate whether that's true or not, like what ransomware is like, don't they deal with this shit every day? Like, I think they're kind of tired of it. And yet the whole. Uh, competitor Twitter feed at the time it was Twitter was all of that. It was like all this one on one stuff. So to your point, Alan and George, it sort of like mutated from what would these cyber security companies be doing to basically educate their own families, the general public, and, and somehow got distorted into like, let's direct that fire hose at the buyer, even though it literally makes no sense other than the fact that it has the word cyber in it. Yeah, George, I would say now on the, you know, we're consulting, um, and we, we have a pretty big social focus. Like our thing is like content marketing and give back and like put some stuff out there that helps others. But I would say like our, our social media person that coordinates everything for us, like gave us safe, you know, stay safe online info. And it's like, Hey, here's the same stuff. Let's come up with some stuff. And I actually, to be honest, after prepping for this conversation, I'm like, we are not going to give any basic information. Now I will say some of our, our followers are small business leaders and we do some specific programs tailored to that. So I do think like, depending on the company. If your target market is a broader audience, that's not a cyber security professional that's buying your tool, you know, there may be still some value, but you look at some of these very large, hard technical tooling companies, and they're only selling B2B to cyber professionals. So like, yes, they're not going to influence, you know, Joe. You know, uh, small business that just happens to be coming across their feed and like, Oh, I should pay attention. Right. So, uh, out of a perverse curiosity. My question to you all is, can you name, like, the most annoying or cloying cybersecurity awareness month marketing that you've gotten? Has anything stand out in recent memory of, like, why are you sending this to me? Can't think of one in particular, but mine is always like, you know, what's the cost if you don't do it? Like the age old, you know, fear mongering, do this, or... You know, or, or, or, or lose your job. Oh, I got one that, and it's not even just a, for the awareness month thing. It happens all year round. Every once in a while, some marketing person or some BDR will take a recent breach or compromise that occurred and basically send you the equivalent of, you don't want that to happen to you. Right. And it's like, I got friends that work there, like, yeah, you know, that place that's on fire by us and you won't be on fire. Just like, yeah. By the way, those are my friends burning. Right. I love that one. My, my favorite one of all the cybersecurity awareness month, specific ones, the bullshit that they send you. And I get to say bullshit on this show. I like that. Um, they send you what looks like a decent free package to distribute to your users. In other words, they're not insulting me to see so they know it's my users we're talking to and they know it's cyberscreen awareness month. Here's this great plethora of tips and tricks and then you actually watch the material, look at the slides or watch the little video or whatever it is and there's two things wrong. Number one, they're giving bad advice and number two, it turns into a hardcore sales pitch at the end. Oh, the bait and switch. The bait and switch, right? But on top of that, it's bad advice. Like vendors that are coming to me saying, share these materials with your users and they'll participate in Cybersecurity Awareness Month thanks to our free stuff that we're not charging you for. And then it's like, you know, make sure you write your password on a sticky note. Do you guys think it's GTP? Like, as marketers find the cheat code to, you know, come up with materials. Do we think it's going to be more mindless dribble? Yes. Yeah. Marketing, unfortunately defaults to early adoption of automation technologies to do bad things faster in general, in the, in the main, a lot of MarTech, like all the. outreach, email automation is just do the bad thing, but do it at like massive volume, massive scale. Um, and that's also in this economic environment where you've seen a lot of contraction, a lot of merger acquisition, a lot of business, there's going to be a desperate play there. And I, Think that's why we want to help change that. So we'll take a break here. We have aired our grievances, but we're not here to admire the problem. We have a gauntlet to throw down to the industry, and we will reveal that when we come back. Okay, and we are back. All right, gents, uh, we talked offline about what could we do to change this behavior that we've talked about and we've come up with two challenges because I think it's two fold. So for the marketers, I'll take that. So for the vendors, I want to come to you and say the challenge for October is to not do what everyone does, right? Stand out, don't send 101 marketing shit to people who do cyber year long, day in, day out, right? So to that end, I would like to see you take on this challenge of what we are calling Cyber Community Month, right? And I want to see vendors. Using this time to contribute to the cyber community at large. And the challenge is to come up with a program that does that, and to share it with the hashtag Cyber Community Month, and we'll be watching. And, uh, we have some prizes that we're putting together. We're pooling our resources among our networks and friends. But, as an example, Maybe you sponsor something for your customers to bring their parents on and you could teach them about vishing. You could teach them about voice cloning, which is really on the rise against senior citizens. Extend it outside of your immediate customers. And what could you bring to their families, to their friends, to the community, how can you give back? Um, so that is the challenge to vendors. Uh, Alan, I want to turn it over to you. What is a challenge that we can issue to the client side, to the, to the people who are also tired of doing something heavy in October and not year round? All right. So practitioners, I think we've talked about cybersecurity awareness and month. And I think we've, we've kind of gotten in lockstep a little bit about where we want to head with that. I think ultimately what we need to do is the same thing we're asking the vendors to do. I want to involve community. I want to see you guys going back to your vendors and pushing for, and I know some vendors will do this. Hey, that EDR I'm paying for, how about you give me my clients to my home users for free? Let my employees use their ADR client on their systems at home for free. Let's work that into the next deal we ink, right? Um, let's, let's do the same thing the vendors are doing. Let's, let's reach out to mom and dad and buddy and sis, right? Let's not just go to our employees and hang the posters on the wall and do the usual BS in the break room. Let's actually cybersecurity matter. To the human beings who work for us, remembering first and foremost that they are in fact human beings, and they have relatives, and they have elderly parents, perhaps, or they have little kids, perhaps, or they have middle kids, perhaps. Any and all of us can be doing something to outreach to those folks. We do this all day long. We breathe it. We live it. We don't even think twice about it. The whole point of Cybersecurity Awareness Month when it started was there's a massive populace who doesn't breathe it like we do. So let's give them that fresh breath this month. Yeah, I want to turn it over to you, George A, because I also think it's been my experience that a lot of InfoSec professionals want to do that, as we all know. Time is at a premium. Teams are getting downsized, do more with less, and I think that they just don't feel like they have the freedom to get out of the chair to take, you know, the hour lunch break to go read at their kids school or whatever. So, George, you know, I know you have some thoughts here about how that helps professional development. Want to give you a moment there in some space to talk about that. Yeah, thanks, George. So I think again, when we talk about, um, Like getting involved with the community and, and how you frame this, how you sell everything, unfortunately, unless you're working at a pure public sector shop, uh, it always boils down to the ROI for the business or how's it going to benefit the business and in the framing that I would. Look at is our community reputation as an organization improves when we go out and we actually talk about what we do, and we actually give it context and we educate people. Right? I think going to schools. Going to, even if you go to community centers, if you go to places where, you know, there's kids who, um, you know, there are places where there's kids with learning disabilities or kids who really aren't doing too well on the normal educational track, and they're often technical or vocational schools, right? A job like cybersecurity is perfect for them because they're probably neurotypical. They're misunderstood. Right. They get shown this new thing. It's cool. It's, it's, it's teachable. It's learnable. A real person is actually showing it to them. And it's not some crazy thing they see in a movie. It's not some NCIS nonsense. It's actually something that you can fucking do and you can have a good life with it. Right. If we talk about this as a, as a bridge to build our communities is this is something that we can actually educate people. We can improve the cyber hygiene. of the people around us and also improve our corporate reputations by being out there and being like, Hey, we care about the community. We can do this. Right. Um, I think you get a lot more support. And again, George, you kind of hit the nail on the head. We're so busy because if we're not actually monitoring and managing the operation ourselves, there are umpteen different projects from a developmental roadmap standpoint, cleaning up tech debt. If you're part of a CICD pipeline, you're basically providing security advice for every single new product that's coming out, uh, within that sprint cycle or within that PI. So, you know, you have to kind of decide, like, are you going to choose to make the time to do the thing? Right. And, and I think of it, you know, Outside of, um, let's say in a completely different context, non cyber related, um, I like to, you know, like once a month or whatever, I like to go and, uh, serve the homeless, right? First Sunday of the month. Um, they're, they're the only reason why realistically that I do it. Um, I do it as like a bit of a humbling exercise, uh, my part of my ethnic community, we, we do it as a group, but I think it's important that no matter how good you're doing in life, you have to connect with people. And you have to kind of see people at their most raw. And it's the same thing when you're dealing with a group of kids, you know, George, I know you did the thing at your kid's school. Your kids are absolute superstars. We're all going to work for them someday. Believe me, George is geniuses. That's a really good example of like a super positive, like fun experience. The real work is actually going into a school, dealing with kids who might be a little bit troubled. And giving them an opportunity to see a new chance at having a life for themselves. And I see that as like what cyber and cyber awareness can do, even if they don't want to do it for work. At least understanding how to operate safely on their phone and on the internet to not be preyed after. Right. To have their data be secure. These are the simple things. It's empowering people to defend themselves and be more capable online because at the end of the day, on a personal security level, on a safety level from, you know, sexual predators or people who want to elicit violence or drug dealers on the level of just knowing how to operate in a growingly more. Digital or digitized economy. I should say people need to know how to get the most out of their tools out of their devices And not just spend money getting the newest thing or whatever bothering their parents about it or whatever they have to do That's where I see, you know, and sorry if it sounds like a bit of ramble guys But it's how you actually frame the business case for support for going out into the community And just bring the cyber hygiene and cyber narrative to people who have nothing to do with your business and nothing to do with generating revenue for you. That's actually going to be the thing that gives your business community longevity years after you're gone. And George, Katie, your first question, you know, how do you find the time we're all busy? Yeah, I'm a CISO. In fact, I'm a multiple CISO now with kind of a combination of CISOing and consulting and all the things I'm doing. I'm busy. Doesn't matter. It doesn't take a lot of time. It doesn't. I spent a couple of hours over the course of a month putting together a cyber education program for a Girl Scout troop. Just took me a couple of hours to do it. I spent about an hour putting together for a presentation to, I kid you not, a group of kindergartners called how to be a hacker took me about an hour to write it and 30 minutes to present it to a room full of kindergartners and they loved it. They ate it up. Um, time is not really the problem. Prioritization is the problem and to George's point, there's things you can do to give back that are far bigger than any dollar and cent bottom line thing. We're only talking about a little bit of time here. I know so many good companies in this community that do so many things that have programs where it's like, Hey, one day a year, we're all going to go volunteer somewhere where you get a free X days a year of volunteer time to go volunteer to wherever you want to volunteer. There's companies have tons of these kinds of programs. We just haven't rolled cyber into that same mindset. That's all that's missing. Bingo. Totally. Cody, do you want to talk about the board you're on and how we've connected that into George and George's, uh, call for action here? Yeah. Yeah, absolutely. And I think it's going to line up well, so i'm going to board for a Nonprofit called kids voice and what they do is they're an indiana company and they represent kids in the court of law and custody battle so Demographic spans from income across the board, low income, privileged, you know, all different kinds of income, but the lawyers and these, these, uh, representatives are the kids lawyers. And so it's a non profit. They handle a lot of data. They do a lot of, um, they do like a couple thousand kids a year just in the Marion County, which is the central county in Indianapolis, Indiana. And so what we're doing this year is since, you know, I'm on the board for them and I work with reveal or real risk is we're going to do kind of a team day where our company is going to go on site with them and do kind of like a, um, workshop with, with their employees, teaching them some cyber hygiene, helping them with some crown jewel assessment and helping them with the kind of a monitoring. A fundamental roadmap of like where the program is today. What are some key things to do? Um, but all pro bono, so it doesn't, doesn't help us from any standpoint of oversight, revenue standpoint, something we give back. Um, one of our employees, myself, I'm involved with it. Aaron's wife as well as a volunteer for the organization. Um, but to your point, kind of going out in the community. Improving it. They're doing phenomenal things. They don't have, you know, the CSO or the budget to go do, you know, security stuff there. So just a time we can use, uh, Alan, to your point, you know, we can use our, our talent, uh, to go and enrich and invest our talent and time into some individuals doing some amazing things with community, um, keep them safe. And then in turn, protect thousands of kids. You know, in rough situations across, you know, central Indiana. So it's, to your point, like time, talent and that investment's gonna, you know, Metcalf's law, right? Two goes to four, goes to eight, goes to 16. So it's gonna multiply out quicker than if I were write, you know, a couple thousand check to, to a fundraiser. Yeah. And I would argue that our team will be better even if you didn't care about the philanthropical part of it, which we, we do. Our team will be better for going into work like that and figuring out how to stretch 0 to something or something where they're not going to get a huge budget to buy all the greatest tools. Like how do we use our brains to innovate in that space? You know? Yeah, that's, that's perfect. Um, all right. Well, I, I think we should probably wrap there. So thank you everyone for joining and to the listeners. We will have more details on social, but the gauntlet has been thrown. And the prizes are going to be fat. Yeah, they're going to be amazing. We got, we're really well connected, I think, enough to get you some good swag and incentivize. Uh, some really creative ideas. So as Aaron said, what can you do to get creative? Well, let's take that out. So vendors, what can you do to give back to the community of cybersecurity professionals, clients, and customers? What can you do to empower your cybersecurity employees to get out there in the community? Yeah, it's gonna be really exciting. Um, but this is the first I hope of many of these challenges. Maybe we can get, get it done every year. The prizes will get bigger. Um, but yeah, thank you everyone for joining us. What's the hashtag, George? Let's end on the hashtag. What's that? Oh, there you go. Yeah. Good marketing, Aaron. You got to end with the call to action. So we want to see this. We want to see it on social hashtag cyber community month. We want to see great stories, share them widely, and, and we'll share them as well. So, uh, yeah, thanks for listening. Thanks for joining and let's make October way better than it has been historically. Relevant. Hey, let's make the whole theme of our show, let's make it less shitty. It's off. Making October suck a little less since 2023. Great work with you guys. By the way, this is an awesome show. I hope we get to do work with you guys again. Likewise. Appreciate it. Thanks for the invite.

People on this episode