1
00:00:00,040 --> 00:00:03,120
I think people hear the word 
compliance and they 

2
00:00:03,120 --> 00:00:06,840
automatically think of a check 
the box activity or let me just 

3
00:00:06,840 --> 00:00:09,920
throw a bunch of stuff at 
someone to see, you know, if it 

4
00:00:09,920 --> 00:00:12,400
kind of sticks. 
But really when you start to 

5
00:00:12,400 --> 00:00:16,760
step back and think about the 
whole reason for a compliance 

6
00:00:16,760 --> 00:00:20,360
activity, in particular like a 
Sarbanes-Oxley, it's to be able 

7
00:00:20,360 --> 00:00:23,960
to provide someone, and that's 
usually an external party, a 

8
00:00:23,960 --> 00:00:27,560
level of comfort around how 
you're protecting something. 

9
00:00:27,600 --> 00:00:29,600
So it all comes back to 
protection, right? 

10
00:00:29,880 --> 00:00:32,759
It all comes back to making sure
that you have the appropriate 

11
00:00:32,759 --> 00:00:36,560
kind of security and you have 
the appropriate rules and and 

12
00:00:36,560 --> 00:00:40,160
kind of processes in place to 
really say that we are 

13
00:00:40,160 --> 00:00:44,360
protecting this information or 
providing information with a 

14
00:00:44,360 --> 00:00:46,960
good faith effort. 
You can apply just about any 

15
00:00:46,960 --> 00:00:50,360
framework you want to validate 
that protection. 

16
00:00:50,360 --> 00:00:55,040
So you can do a NIST framework 
or you can have a GDPR really 

17
00:00:55,040 --> 00:00:58,640
HIPAA, you know, most of that is
kind of industry specific 

18
00:00:59,200 --> 00:01:02,320
depending on which framework. 
But the whole compliance 

19
00:01:02,320 --> 00:01:05,960
function or the audit IT audit 
functions that sometimes is 

20
00:01:05,960 --> 00:01:10,040
referred to is really just about
providing assurance around your 

21
00:01:10,040 --> 00:01:13,880
tools and your processes. 
So if you are an IAM 

22
00:01:13,960 --> 00:01:17,040
professional and let's say you 
are managing or you are 

23
00:01:17,040 --> 00:01:20,920
responsible for that, that RBAC 
or whatever is that 

24
00:01:20,920 --> 00:01:24,360
piece of audit evidence. 
It may seem that it is one 

25
00:01:24,360 --> 00:01:27,720
discrete piece of evidence, but 
really and especially an 

26
00:01:27,720 --> 00:01:32,200
identity and access, it's really
a key to how your organization 

27
00:01:32,200 --> 00:01:41,640
is operating. 
This is Identity at the Center 

28
00:01:42,520 --> 00:01:45,520
if it has anything to do with 
IAM. 

29
00:01:45,520 --> 00:01:52,040
This is the go-to podcast. 
Now your hosts, Jim McDonald and Jeff

30
00:01:52,040 --> 00:01:59,680
Steadman. 
Welcome to the Identity 

31
00:01:59,680 --> 00:02:01,560
at the Center podcast. 
I'm Jeff, and that's Jim. 

32
00:02:01,560 --> 00:02:03,520
Hey, Jim. 
Hey, Jeff, how are you? 

33
00:02:03,840 --> 00:02:06,120
Oh, not so bad yourself. 
I'm doing great. 

34
00:02:06,120 --> 00:02:07,760
I'm really excited for this 
episode. 

35
00:02:07,760 --> 00:02:10,880
It's a continuation of that 
series that we started in the 

36
00:02:10,880 --> 00:02:14,400
beginning of the year. 
And I talked to our friend and 

37
00:02:14,400 --> 00:02:16,880
guest for the first episode, 
Ghazi. 

38
00:02:17,400 --> 00:02:20,840
He told me today, and this is 
unprompted, right? 

39
00:02:21,000 --> 00:02:23,680
He said he's still getting 
people who are watching the 

40
00:02:23,680 --> 00:02:26,840
episode for the first time 
reaching out to him. 

41
00:02:27,120 --> 00:02:31,080
I think it's one of the great 
things about, you know, our show

42
00:02:31,080 --> 00:02:34,640
and like have and the guest that
we have on is these episodes 

43
00:02:34,640 --> 00:02:38,080
have a long tail. 
So we put on an episode, it 

44
00:02:38,080 --> 00:02:42,200
could be a year ago or two years
ago, it can still be completely 

45
00:02:42,200 --> 00:02:44,280
relevant. 
I think the topic we're going to

46
00:02:44,280 --> 00:02:46,680
talk about today will be 
relevant. 

47
00:02:46,680 --> 00:02:49,600
I mean, it's been relevant for 
the whole time I've been an IT 

48
00:02:49,960 --> 00:02:53,080
and probably for the rest of our
of my career as well. 

49
00:02:53,320 --> 00:02:56,520
So, you know, I'm excited about 
this topic. 

50
00:02:56,760 --> 00:02:59,880
I'm excited about this series, 
and I'm excited by the fact 

51
00:02:59,880 --> 00:03:02,320
that, you know, there's proof in
the pudding that people are 

52
00:03:02,320 --> 00:03:05,960
still reaching out to our guests
a long time after they come on. 

53
00:03:06,720 --> 00:03:08,480
Yeah. 
I mean, we have a long tail. 

54
00:03:08,480 --> 00:03:10,320
We have great audience out there
that listens. 

55
00:03:10,320 --> 00:03:11,680
So we're definitely appreciative of
all that. 

56
00:03:11,680 --> 00:03:13,720
And hey, new people are 
discovering all the time, which 

57
00:03:13,720 --> 00:03:15,880
is pretty cool. 
It's on the Internet, so it'll 

58
00:03:15,960 --> 00:03:19,680
live forever, theoretically. 
So, yeah, I think people 

59
00:03:19,680 --> 00:03:21,920
discover this. 
And I think you and I have 

60
00:03:21,920 --> 00:03:23,880
talked about this and mostly you
is like, this is like a time 

61
00:03:23,880 --> 00:03:27,560
capsule, right? 
Of as of today or 2025 in March,

62
00:03:27,720 --> 00:03:31,920
as we're recording this, this is
what this topic was like. 

63
00:03:32,160 --> 00:03:35,520
So who knows, we might be in a 
history book in the future 

64
00:03:35,840 --> 00:03:37,520
somewhere. 
It's like, all right, well, this

65
00:03:37,520 --> 00:03:39,320
is where, you know, some 
artifacts that people might look

66
00:03:39,320 --> 00:03:42,200
at. 
And with this being our 340th 

67
00:03:42,200 --> 00:03:44,520
episode, there is certainly a 
lot of content that people kind 

68
00:03:44,520 --> 00:03:46,320
of pull through. 
But yeah, it's pretty cool. 

69
00:03:46,320 --> 00:03:49,360
I'm. 
I actually, I like this series 

70
00:03:49,360 --> 00:03:53,360
that we were kind of working 
with RSM on and because I think 

71
00:03:53,360 --> 00:03:56,840
this is important topic where we
want to show well-rounded 

72
00:03:56,840 --> 00:04:00,680
identity people, you need to 
know more than just 100% 

73
00:04:00,680 --> 00:04:03,640
identity to get by in the 
digital identity space. 

74
00:04:04,200 --> 00:04:06,840
So that means things like what 
we're going to talk about today,

75
00:04:06,840 --> 00:04:10,400
compliance, governance, that 
means cyber security at large. 

76
00:04:10,800 --> 00:04:12,920
You know, there's we're probably
going to talk about AI and the 

77
00:04:12,920 --> 00:04:15,640
cloud, right? 
You don't need to be, I get it. 

78
00:04:15,640 --> 00:04:18,640
You and I are, you know, 
identity people, but we also 

79
00:04:18,640 --> 00:04:21,279
need to be able to talk about 
other topics and be able to 

80
00:04:21,279 --> 00:04:23,360
relate and have a more 
well-rounded knowledge around 

81
00:04:23,360 --> 00:04:25,480
that stuff. 
So I guess that's a long way to 

82
00:04:25,480 --> 00:04:28,760
say is I, I'm happy that we're 
doing this type of series 

83
00:04:28,760 --> 00:04:31,440
because I always believe in sort
of that well-rounded education 

84
00:04:32,200 --> 00:04:35,560
to make sure that we can spread 
the gospel of digital identity 

85
00:04:35,560 --> 00:04:39,720
in as many ways as we need to to
people who maybe aren't what 

86
00:04:39,720 --> 00:04:42,600
they consider identity folks. 
Yeah, it's one of the reasons 

87
00:04:42,600 --> 00:04:46,120
also that you can come from so 
many different backgrounds to be

88
00:04:46,120 --> 00:04:50,320
successful in this industry is 
that there's so many different 

89
00:04:50,320 --> 00:04:54,880
types of angles you can take not
only to get in, but even when 

90
00:04:54,880 --> 00:04:59,160
you're in the industry, you know
different areas you can focus on

91
00:04:59,160 --> 00:05:02,600
or be expert in and it makes up 
for maybe the areas that you 

92
00:05:02,600 --> 00:05:04,680
don't have. 
So if you're not technical, you 

93
00:05:04,680 --> 00:05:07,240
might be a project manager. 
If you're neither one, you might 

94
00:05:07,240 --> 00:05:11,320
be a subject matter expert in 
something like compliance 

95
00:05:11,320 --> 00:05:17,040
privacy, kind of like the 
paper or the regulation side of 

96
00:05:17,240 --> 00:05:19,240
the industry. 
All the, all those things are 

97
00:05:19,240 --> 00:05:22,480
all important and they make up 
the big picture. 

98
00:05:22,840 --> 00:05:24,480
Yeah. 
Or maybe you just have golden 

99
00:05:24,800 --> 00:05:27,720
golden, you know, radio pipes 
and you do a podcast every week.

100
00:05:28,040 --> 00:05:30,880
That could also be it. 
Yeah, I don't think that's why 

101
00:05:30,880 --> 00:05:33,280
we do the podcast every week, 
but I'll, we'll just go with 

102
00:05:33,280 --> 00:05:35,040
that. 
But I, you know, one other 

103
00:05:35,040 --> 00:05:38,440
thing, and this will be my 
professional segue, like I've 

104
00:05:38,440 --> 00:05:41,640
been trying to do, is the 
conferences, like just look at 

105
00:05:41,640 --> 00:05:45,280
the conferences and nobody wants
to say they have tracks anymore,

106
00:05:45,280 --> 00:05:48,400
right? 
They want to have themes or I 

107
00:05:48,400 --> 00:05:51,440
don't know, because they, they 
want the idea that you can go to

108
00:05:51,440 --> 00:05:54,360
the conference and bounce 
between the tracks. 

109
00:05:54,760 --> 00:05:56,280
But they're, they're still 
tracks, right? 

110
00:05:56,480 --> 00:05:59,880
And they, they vary from 
executive leadership to 

111
00:05:59,880 --> 00:06:06,120
technical to, you know, other 
business regulations, standards,

112
00:06:06,360 --> 00:06:10,560
the whole 9 yards. 
And so I think conferences are a

113
00:06:10,560 --> 00:06:15,360
perfect way to, you know, 
continue that education and, and

114
00:06:15,360 --> 00:06:18,960
build yourself out. 
And if you're not an expert in 

115
00:06:19,640 --> 00:06:23,080
compliance and regulation, you 
have two choices. 1, you can go 

116
00:06:23,080 --> 00:06:25,240
to the conferences that will go 
over our discount codes. 

117
00:06:25,240 --> 00:06:28,920
And second, the other is come to 
the Identity at the Center Podcast and 

118
00:06:28,920 --> 00:06:31,440
listen to this episode. 
Yeah, we'll get you started and 

119
00:06:31,440 --> 00:06:34,760
then you can continue on your 
discovery, your journey of 

120
00:06:34,760 --> 00:06:37,000
discovery past that. 
But that was a very professional

121
00:06:37,000 --> 00:06:38,160
segue. 
Let's build on it. 

122
00:06:38,360 --> 00:06:41,200
We do have some conferences that
we're going to be at as well as 

123
00:06:41,200 --> 00:06:44,120
have discount code for. 
So the first one coming up here 

124
00:06:44,120 --> 00:06:46,560
pretty soon, Jim, is the 
European Identity and Cloud 

125
00:06:46,560 --> 00:06:49,200
Conference in Berlin. 
So that's put in my cup in your 

126
00:06:49,200 --> 00:06:53,840
coal, that's May 6th to the 9th.
And if you use the code ID AC25 

127
00:06:54,040 --> 00:06:57,360
MKO, you get 25% off. 
So I know you and I excited 

128
00:06:57,360 --> 00:07:00,360
about getting out there for the 
first time and checking that 

129
00:07:00,360 --> 00:07:01,600
out. 
So that's one that's coming up 

130
00:07:01,600 --> 00:07:03,280
pretty shortly. 
So hopefully, you know, we'll 

131
00:07:03,280 --> 00:07:06,040
see some new friends and maybe 
some friends that we've seen 

132
00:07:06,240 --> 00:07:09,280
come across the pond to us and 
Identiverse, which we also have a

133
00:07:09,280 --> 00:07:11,280
code for. 
So if we want to talk about 

134
00:07:11,400 --> 00:07:14,520
Identiverse that's in Las Vegas,
that is June 3rd through the 

135
00:07:14,520 --> 00:07:18,520
6th, you and I will be there. 
We have some, I mean we have 

136
00:07:18,520 --> 00:07:19,800
some things that we're going to 
be planning on there. 

137
00:07:19,800 --> 00:07:22,360
I don't know if now is the right
time to mention it yet, but we 

138
00:07:22,360 --> 00:07:27,040
will be part of the opening kind
of ceremony type thing at the, I

139
00:07:27,040 --> 00:07:29,240
guess the opening night of the 
Expo hall and stuff like that. 

140
00:07:29,240 --> 00:07:32,760
So I've kind of alluded to that 
over the last maybe several 

141
00:07:32,760 --> 00:07:35,160
months, but it's official and 
now we're just working out the 

142
00:07:35,160 --> 00:07:36,760
details of actually how to pull 
it off. 

143
00:07:36,760 --> 00:07:42,600
But if you use that code 
IDV25-IDAC25, I know it 

144
00:07:42,600 --> 00:07:44,960
rolls right off the tongue. 
You get 25% off. 

145
00:07:45,200 --> 00:07:48,000
I'll have both of those codes in
our show notes and they're 

146
00:07:48,000 --> 00:07:50,960
always on our homepage at 
idacpodcast.com. 

147
00:07:50,960 --> 00:07:53,360
So if you just scroll down, 
you'll see the codes we've got 

148
00:07:53,360 --> 00:07:55,360
there active. 
I'm sure we'll get some others 

149
00:07:55,360 --> 00:07:58,560
as you go throughout the year. 
So check back and you know, if 

150
00:07:58,560 --> 00:08:00,280
you've reached out with 
questions and things like that 

151
00:08:00,280 --> 00:08:01,320
about the kind of stuff, check 
back. 

152
00:08:01,320 --> 00:08:03,680
We generally will try to 
get something for all the major 

153
00:08:03,680 --> 00:08:05,560
conferences or as much as we can
so. 

154
00:08:06,320 --> 00:08:08,720
You know, one of the main things
I'm happy about is that the 

155
00:08:08,720 --> 00:08:13,120
conference code, that conference
codes that we give out are not 

156
00:08:13,120 --> 00:08:16,720
case sensitive because if they 
were, this would get really 

157
00:08:16,720 --> 00:08:18,840
confusing. 
Not case sensitive. 

158
00:08:18,840 --> 00:08:21,280
And typically we strive to get 
like the best code that we 

159
00:08:21,280 --> 00:08:23,680
possibly can so we're not in 
like an awkward position of 

160
00:08:23,680 --> 00:08:26,600
like, oh, I heard this code and 
there's a better one over here. 

161
00:08:26,600 --> 00:08:29,240
So typically we try to make it 
make sure that at least it might

162
00:08:29,240 --> 00:08:31,760
be a tie, but at least you 
shouldn't find anything better. 

163
00:08:31,760 --> 00:08:33,840
So hopefully we become the one 
stop shop for those types of 

164
00:08:33,840 --> 00:08:35,679
codes and you've done a lot of 
work on that. 

165
00:08:36,240 --> 00:08:38,760
Yeah, no, I, I, I insist on 
that. 

166
00:08:38,799 --> 00:08:42,400
Like, if we're going to go ahead
and give out these codes, we 

167
00:08:42,400 --> 00:08:46,200
want to make sure that they're 
not usurped by a better code 

168
00:08:46,200 --> 00:08:48,720
somewhere else. 
So feel confident to use the 

169
00:08:48,720 --> 00:08:50,640
codes that you find here on the 
podcast. 

170
00:08:51,160 --> 00:08:52,920
Yep. 
OK, enough preamble. 

171
00:08:52,920 --> 00:08:54,800
Let's get to our guest. 
She's been patiently waiting on.

172
00:08:54,800 --> 00:08:58,440
She's put up with a whole lot of
our stuff getting set up and 

173
00:08:58,760 --> 00:09:00,680
prepared for this. 
I want to introduce Kia Smith. 

174
00:09:00,680 --> 00:09:03,920
She's a director in RSM's 
security and privacy risk 

175
00:09:03,920 --> 00:09:05,360
consulting practice along with 
us. 

176
00:09:05,360 --> 00:09:10,080
Jim, welcome to the show, Kia. 
Thank you so much for having me.

177
00:09:10,080 --> 00:09:12,880
I'm very, very excited to have 
this conversation. 

178
00:09:13,240 --> 00:09:17,640
I'm humbled to be invited. 
I have listened to a lot of your

179
00:09:17,640 --> 00:09:21,000
distinguished guests. 
So I I hope I can continue maybe

180
00:09:21,840 --> 00:09:24,560
to contribute to the discussion 
in the discourse that you guys 

181
00:09:24,560 --> 00:09:26,520
have here on, on this great 
platform. 

182
00:09:27,520 --> 00:09:28,680
Well, I have no doubt that you 
will. 

183
00:09:28,680 --> 00:09:31,040
That's why you're here. 
You're an expert in this space. 

184
00:09:31,040 --> 00:09:34,480
And so why not pull in some of 
the smart people that we work 

185
00:09:34,480 --> 00:09:37,320
with to talk on these topics? 
I guess the first thing that I 

186
00:09:37,320 --> 00:09:39,680
always like to get into is 
backgrounds of people. 

187
00:09:39,680 --> 00:09:42,160
Jim alluded earlier that people 
come from like kind of all kinds

188
00:09:42,160 --> 00:09:44,840
of backgrounds. 
I was a bartender before I got 

189
00:09:44,840 --> 00:09:47,120
into IT, so. 
And I don't drink. 

190
00:09:47,200 --> 00:09:51,040
So figure that one out, folks. 
But there's always interesting 

191
00:09:51,040 --> 00:09:54,200
stories and I'd love to hear how
you got into the cybersecurity 

192
00:09:54,200 --> 00:09:55,800
space. 
And then I guess, do you 

193
00:09:55,800 --> 00:09:57,440
consider yourself a 
cybersecurity person, a 

194
00:09:57,440 --> 00:09:59,240
compliance person, both, 
something else? 

195
00:09:59,240 --> 00:10:00,480
Tell me a little bit about your 
journey. 

196
00:10:01,200 --> 00:10:03,520
Yeah, that's a great question. 
And and Jim was spot on. 

197
00:10:03,520 --> 00:10:07,360
I think myself, like most people
have that very non traditional 

198
00:10:08,080 --> 00:10:10,560
kind of journey to get here. 
I always say, you know, 

199
00:10:10,560 --> 00:10:15,600
cybersecurity and compliance IT 
audit was my side hustle all 

200
00:10:15,600 --> 00:10:18,880
through school. 
So I went to school and did a 

201
00:10:18,880 --> 00:10:21,720
lot of school because I was, I 
went to grad school and I went 

202
00:10:21,720 --> 00:10:25,480
to law school and I was a public
policy major. 

203
00:10:25,480 --> 00:10:27,600
And then I went to law school 
and I thought I was going to do 

204
00:10:27,600 --> 00:10:30,960
education law and I was working 
on a lobbying firm, writing a 

205
00:10:31,200 --> 00:10:32,920
briefs and doing all the 
things law. 

206
00:10:33,560 --> 00:10:36,600
And the whole time I was doing 
that, I was an IT auditor in the

207
00:10:36,600 --> 00:10:38,760
federal government and that was 
my side hustle. 

208
00:10:39,040 --> 00:10:43,040
And so in the government then 
they just wanted someone to kind

209
00:10:43,040 --> 00:10:46,360
of learn this cyber and 
compliance things. 

210
00:10:46,360 --> 00:10:50,000
I didn't really know what any of
them meant, but I always said 

211
00:10:50,000 --> 00:10:52,680
yes to all the trainings, to all
the opportunities. 

212
00:10:52,920 --> 00:10:56,240
And it's just something that a 
career that kind of developed in

213
00:10:56,240 --> 00:10:58,880
and of itself. 
And throughout all of my 

214
00:10:58,880 --> 00:11:01,640
education and all of my 
experience on the legal side, I 

215
00:11:01,720 --> 00:11:05,480
always kept coming back to my 
experiences that I had in 

216
00:11:05,480 --> 00:11:08,360
working in the field. 
And so I really felt that this 

217
00:11:08,360 --> 00:11:11,720
is where it spoke to me. 
It, you know, much to everyone's

218
00:11:11,720 --> 00:11:14,640
chagrin, that was like what, you
know, like what was all of that 

219
00:11:14,640 --> 00:11:17,680
about for law school and LSAT 
and everything. 

220
00:11:17,680 --> 00:11:22,120
But I certainly think it helped 
give me some good perspective. 

221
00:11:22,120 --> 00:11:25,080
And there's certainly lots of 
transferable skills that I took 

222
00:11:25,080 --> 00:11:29,520
from my education, but I truly 
have decided and determined that

223
00:11:29,520 --> 00:11:32,840
I'm really more of like a cyber 
professional that just happens 

224
00:11:32,840 --> 00:11:35,400
to focus on a lot of compliance 
and governance things. 

225
00:11:35,400 --> 00:11:37,920
So let's 
talk a little bit about that law

226
00:11:37,920 --> 00:11:39,560
background, because I think 
we've had actually a couple 

227
00:11:39,560 --> 00:11:42,080
people, Jim, if I remember that 
have sort of law backgrounds 

228
00:11:42,080 --> 00:11:43,680
that have moved into the space 
of cyber. 

229
00:11:44,240 --> 00:11:47,800
What was that transition like? 
And I guess was it like flipping

230
00:11:47,800 --> 00:11:50,880
a switch and make, oh, now I'm 
this or it was like a gradual 

231
00:11:50,880 --> 00:11:53,000
transition? 
I guess talk to me a little bit 

232
00:11:53,000 --> 00:11:53,920
more about that. 
Yeah. 

233
00:11:53,920 --> 00:11:58,760
So I think there is particularly
between law and where I 

234
00:11:58,760 --> 00:12:02,040
specialize most times now, which
is a lot of compliance work. 

235
00:12:02,600 --> 00:12:06,120
Most of the compliance that I 
deal with is regulatory legal, 

236
00:12:06,720 --> 00:12:10,280
so big, you know, documents and 
lots of critical analysis and 

237
00:12:10,280 --> 00:12:14,200
interpreting of statutes and 
terms and contractual kind of 

238
00:12:14,200 --> 00:12:18,440
clauses, all which are things I 
did in law school and I learned 

239
00:12:18,440 --> 00:12:20,160
to kind of interpret and 
investigate. 

240
00:12:20,160 --> 00:12:24,320
So I think that piece of it for 
me was a little bit more of a 

241
00:12:24,320 --> 00:12:28,120
natural fit, but really it was 
just kind of interesting. 

242
00:12:28,120 --> 00:12:31,560
I distinctly remember I was a 
GS-something in the government 

243
00:12:32,160 --> 00:12:36,920
working on this kind of, you 
know, very generic IT governance

244
00:12:37,320 --> 00:12:40,560
audit that they were just trying
to literally build. 

245
00:12:40,560 --> 00:12:41,920
They didn't really even know 
what it was. 

246
00:12:42,840 --> 00:12:46,560
And I was talking to an 
administrative law judge who for

247
00:12:46,560 --> 00:12:48,440
those that don't know 
administrative law judges, they,

248
00:12:48,560 --> 00:12:50,120
they practice law on behalf of 
the government. 

249
00:12:50,200 --> 00:12:53,200
It's great way to, you know, 
simplify it. 

250
00:12:53,520 --> 00:12:58,920
And she suggested that maybe I 
position myself to do the work 

251
00:12:58,920 --> 00:13:01,640
that I'm doing, but within the 
Office of Inspector General, 

252
00:13:01,640 --> 00:13:04,360
because that had more executive 
oversight, had a little bit more

253
00:13:04,360 --> 00:13:07,480
congressional leaning, lot more 
statutes, thought it would lend 

254
00:13:07,480 --> 00:13:10,760
itself more to what I would be 
interested in being with my law 

255
00:13:10,760 --> 00:13:13,240
background and public policy and
all of that. 

256
00:13:14,000 --> 00:13:16,080
So that's really where I found 
my home. 

257
00:13:16,080 --> 00:13:19,040
And it kind of just merged all 
of these skills that I've been 

258
00:13:19,280 --> 00:13:23,600
honing, you know, my critical 
analysis, my ability to kind of 

259
00:13:23,600 --> 00:13:28,680
read and understand and apply 
laws to facts that we were being

260
00:13:28,680 --> 00:13:31,240
presented. 
The facts were cyber and 

261
00:13:31,360 --> 00:13:35,000
technological, but they still 
were facts nonetheless. 

262
00:13:35,000 --> 00:13:37,080
So I think there's lots of 
synergies there. 

263
00:13:37,080 --> 00:13:40,640
That's why you tend to see, you 
know, some retired lawyers and 

264
00:13:40,640 --> 00:13:44,320
others of us hiding kind of in 
the mix in the cyber, cyber 

265
00:13:44,320 --> 00:13:47,800
sphere. 
Well, their loss is our gain. 

266
00:13:48,040 --> 00:13:49,840
Being one of our colleagues, 
it's always great to hear from 

267
00:13:49,840 --> 00:13:51,840
you. 
For people who aren't familiar 

268
00:13:51,840 --> 00:13:55,160
with what a director in a 
consulting practice does right, 

269
00:13:55,160 --> 00:13:57,640
it's kind of somewhat of a 
generic of a title. 

270
00:13:57,880 --> 00:14:00,960
What is your day-to-day like? 
Like what would you say you do 

271
00:14:00,960 --> 00:14:04,160
around here? 
Oh, what do I do around here? 

272
00:14:04,160 --> 00:14:06,000
Sometimes I ask myself that as 
well. 

273
00:14:06,720 --> 00:14:09,000
There's, there's lots of things 
that you do, you know, and in 

274
00:14:09,000 --> 00:14:12,760
any firm that you you have, 
there's a lot of an industry and

275
00:14:12,760 --> 00:14:15,800
education component. 
I think where I'm at as a 

276
00:14:15,800 --> 00:14:19,160
director, I see that as probably
one of my most important roles 

277
00:14:19,160 --> 00:14:21,600
that I play. 
And the education is both 

278
00:14:21,600 --> 00:14:27,040
internal to our teams, to our 
our junior colleagues and folks 

279
00:14:27,040 --> 00:14:30,400
that we're trying to train up. 
And really, I know Ghazi was on 

280
00:14:30,400 --> 00:14:33,480
your show before, spoke about 
our apprentice model that we 

281
00:14:33,480 --> 00:14:35,440
have. 
It really is an apprenticeship. 

282
00:14:35,440 --> 00:14:39,200
That's how I learned really 
growing up how to apply and what

283
00:14:39,200 --> 00:14:41,520
are some techniques and how to 
interact with clients. 

284
00:14:41,920 --> 00:14:44,920
So that's a big part of my job 
is the training and the 

285
00:14:44,920 --> 00:14:47,240
education and kind of in that 
apprenticeship. 

286
00:14:47,840 --> 00:14:50,280
But another big part is doing 
things like this. 

287
00:14:50,280 --> 00:14:53,080
Actually, it's thought 
leadership, it's participating, 

288
00:14:53,080 --> 00:14:56,200
being a force in the industry, 
making sure that we're sitting 

289
00:14:56,200 --> 00:14:59,680
at the table that we're staying 
up on, particularly in my field,

290
00:14:59,720 --> 00:15:03,440
regulatory and compliance type 
changes that have happened, that

291
00:15:03,440 --> 00:15:06,640
we understand trends and that 
we're really, you know, working 

292
00:15:06,640 --> 00:15:09,160
with our clients to meet them 
with what they need. 

293
00:15:09,440 --> 00:15:13,000
And that takes a listening ear. 
It takes a lot of educating me, 

294
00:15:13,000 --> 00:15:16,240
educating them on what I'm 
seeing as a practitioner and 

295
00:15:16,240 --> 00:15:19,480
then educating me on what 
they're feeling needing and what

296
00:15:19,480 --> 00:15:23,400
the market is kind of demanding.
So that's what a lot of my job 

297
00:15:23,400 --> 00:15:24,720
is. 
I mean, I could go through all 

298
00:15:24,720 --> 00:15:28,080
the minutia which you know about
with, you know, billable hours 

299
00:15:28,080 --> 00:15:29,600
and, and all of the other 
things. 

300
00:15:29,600 --> 00:15:32,800
And obviously we're doing 
reports and all the things that 

301
00:15:32,800 --> 00:15:37,480
you would immediately contribute
to a professional services firm. 

302
00:15:37,680 --> 00:15:40,760
But I really think that's my my 
main charge kind of as a 

303
00:15:40,760 --> 00:15:44,280
director at this point. 
And in my role and in the firm, 

304
00:15:44,280 --> 00:15:48,280
it's really kind of being that 
that interval education piece, 

305
00:15:48,280 --> 00:15:51,640
internal and external to really 
promote us for to make sure that

306
00:15:51,640 --> 00:15:55,120
we're, we're really bringing the
best power and the best minds 

307
00:15:55,360 --> 00:15:58,600
and talent out in the market to,
to meet our clients needs. 

308
00:15:59,000 --> 00:16:04,160
So Kia I, I think back to, well,
First off, I think that the 

309
00:16:04,160 --> 00:16:08,680
listener base of this podcast 
are the IAM practitioners of 

310
00:16:08,680 --> 00:16:12,040
the world, Those people 
throughout the career journey, 

311
00:16:12,040 --> 00:16:14,760
people who are just starting 
out, just getting their arms 

312
00:16:14,760 --> 00:16:18,800
around cyber and identity all 
the way up to the most senior 

313
00:16:18,800 --> 00:16:21,240
people. 
But I think back to the early 

314
00:16:21,240 --> 00:16:24,600
days of my career and it was 
right around the time that 

315
00:16:24,600 --> 00:16:27,840
Sarbanes-Oxley became law, 
right? 

316
00:16:27,840 --> 00:16:32,200
And it was like everything you 
could do to justify a project 

317
00:16:32,200 --> 00:16:35,480
was like we're solving these 
Sarbanes-Oxley problems. 

318
00:16:35,680 --> 00:16:39,520
They really didn't have context 
for what was happening or why 

319
00:16:39,520 --> 00:16:42,280
that was relevant from a cyber 
perspective. 

320
00:16:42,560 --> 00:16:45,720
So I was wondering if you kind 
of, you know, think thinking 

321
00:16:45,720 --> 00:16:50,320
about that person who's maybe 
implementing the controls or 

322
00:16:50,560 --> 00:16:54,960
trying to align their projects 
to these frameworks that are set

323
00:16:54,960 --> 00:16:59,240
up with the the regulations. 
How does somebody think about 

324
00:16:59,240 --> 00:17:03,040
what the parts and pieces are 
and how that affects 

325
00:17:03,320 --> 00:17:07,079
organizations and how they do IT
and cyber? 

326
00:17:08,119 --> 00:17:11,520
That's a great question and it's
something that I wish I too, 

327
00:17:11,520 --> 00:17:14,839
when I was maybe first starting 
out, had a better appreciation. 

328
00:17:15,079 --> 00:17:18,160
I think people hear the word 
compliance and they 

329
00:17:18,160 --> 00:17:21,880
automatically think of a check 
the box activity or let me just 

330
00:17:21,880 --> 00:17:25,000
throw a bunch of stuff at 
someone to see, you know, if it 

331
00:17:25,000 --> 00:17:27,480
kind of sticks. 
But really when you start to 

332
00:17:27,480 --> 00:17:31,800
step back and think about the 
whole reason for a compliance 

333
00:17:31,800 --> 00:17:35,400
activity, in particular like a 
Sarbanes-Oxley, it's to be able 

334
00:17:35,400 --> 00:17:39,000
to provide someone, and that's 
usually an external party, a 

335
00:17:39,000 --> 00:17:42,600
level of comfort around how 
you're protecting something. 

336
00:17:42,640 --> 00:17:44,640
So it all comes back to 
protection, right? 

337
00:17:44,920 --> 00:17:47,800
It all comes back to making sure
that you have the appropriate 

338
00:17:47,800 --> 00:17:51,600
kind of security and you have 
the appropriate rules and and 

339
00:17:51,600 --> 00:17:55,200
kind of processes in place to 
really say that we are 

340
00:17:55,200 --> 00:17:59,400
protecting this information or 
providing information with a 

341
00:17:59,400 --> 00:18:02,080
good faith effort. 
You can apply just about any 

342
00:18:02,080 --> 00:18:05,480
framework you want to validate 
that protection. 

343
00:18:05,480 --> 00:18:10,160
So you can do a NIST framework 
or you can have a GDPR really 

344
00:18:10,160 --> 00:18:13,760
HIPAA, you know, most of that is
kind of industry specific 

345
00:18:14,320 --> 00:18:17,440
depending on which framework. 
But the whole compliance 

346
00:18:17,440 --> 00:18:21,080
function or the audit IT audit 
functions that sometimes is 

347
00:18:21,080 --> 00:18:25,160
referred to is really just about
providing assurance around your 

348
00:18:25,160 --> 00:18:29,000
tools and your processes. 
So if you are an IAM 

349
00:18:29,080 --> 00:18:32,080
professional and let's say you 
are managing or you are 

350
00:18:32,080 --> 00:18:36,480
responsible for that, that RBAC 
or or whatever is that piece of 

351
00:18:36,480 --> 00:18:39,400
audit evidence. 
It may seem that it is one 

352
00:18:39,400 --> 00:18:42,760
discrete piece of evidence, but 
really and especially an 

353
00:18:42,760 --> 00:18:47,280
identity and access, it's really
a key to how your organization 

354
00:18:47,280 --> 00:18:49,760
is operating. 
It's really a key. 

355
00:18:49,760 --> 00:18:55,520
It really, it really displays to
anyone that's looking at what is

356
00:18:55,520 --> 00:19:00,160
your general kind of stance in 
terms of security and 

357
00:19:00,160 --> 00:19:03,800
protection. 
So it's oftentimes we get lost 

358
00:19:03,800 --> 00:19:06,600
and especially when you start to
hit audit season, it just seems 

359
00:19:06,600 --> 00:19:09,760
that maybe you're getting hit by
multiple external parties. 

360
00:19:09,760 --> 00:19:15,640
And sometimes it can be kind of 
hard to decode which audit means

361
00:19:15,640 --> 00:19:17,400
for what, right? 
Because there's all these 

362
00:19:17,400 --> 00:19:19,800
different external kind of 
parties asking questions. 

363
00:19:20,400 --> 00:19:24,000
But just know that the evidence 
that you provide rolls up into a

364
00:19:24,000 --> 00:19:26,040
bigger picture that makes a 
statement about your 

365
00:19:26,040 --> 00:19:28,680
environment. 
So it's always important to 

366
00:19:28,680 --> 00:19:33,280
really know that all all of it 
matters and telling the complete

367
00:19:33,280 --> 00:19:36,560
story of kind of how your 
organization is is running 

368
00:19:36,560 --> 00:19:38,600
itself. 
Yeah. 

369
00:19:38,880 --> 00:19:43,720
And I feel like the word 
compliance and security 

370
00:19:43,880 --> 00:19:48,600
sometimes get mixed up and some 
people think that, oh, we're, 

371
00:19:48,800 --> 00:19:51,680
we're just chasing after being 
compliant with these 

372
00:19:51,680 --> 00:19:54,840
regulations, we should focus on 
security. 

373
00:19:54,840 --> 00:19:59,680
But the same time, you know, 
usually the end goal of of a 

374
00:19:59,680 --> 00:20:03,920
regulation is to get you to be 
more secure in certain areas, 

375
00:20:03,920 --> 00:20:04,760
right? 
So. 

376
00:20:05,760 --> 00:20:08,800
I'm sure you've run into this 
question or this conundrum 

377
00:20:08,800 --> 00:20:11,000
before. 
How do you think about it? 

378
00:20:11,920 --> 00:20:14,320
Yeah. 
So, and, and that is something 

379
00:20:14,320 --> 00:20:18,360
that I think a lot of times we 
will start an engagement, right,

380
00:20:18,360 --> 00:20:20,800
a compliance engagement or, or 
let me start with this. 

381
00:20:21,080 --> 00:20:25,600
I think compliance, when you 
think about it, compliance is, I

382
00:20:25,600 --> 00:20:28,560
think more of a reactive, right,
process. 

383
00:20:28,800 --> 00:20:32,000
Compliance is usually an 
external somebody or something 

384
00:20:32,000 --> 00:20:35,040
that's asking you to, to 
validate or show what you've 

385
00:20:35,040 --> 00:20:37,920
done, right? 
So it's a, it's a view of what 

386
00:20:37,920 --> 00:20:40,480
you've been doing, right? 
A reactive or a post. 

387
00:20:40,480 --> 00:20:42,960
It's in the past. 
Show me what you've been doing. 

388
00:20:43,480 --> 00:20:46,920
Governance, though, is really a 
proactive kind of activity, 

389
00:20:46,920 --> 00:20:48,920
right? 
Like that's the behaviors, 

390
00:20:48,920 --> 00:20:52,280
that's how you want to be, how 
you want the how you want your 

391
00:20:52,280 --> 00:20:55,840
organization to run. 
And within both governance and 

392
00:20:55,840 --> 00:20:59,440
compliance, you can't decouple 
either from security, right? 

393
00:20:59,640 --> 00:21:02,560
So I think they're not mutually 
exclusive. 

394
00:21:02,560 --> 00:21:05,320
I don't think that you're either
a really secure or a very 

395
00:21:05,320 --> 00:21:08,040
compliant. 
I think that you're secure first

396
00:21:08,040 --> 00:21:12,880
or most organizations should be 
secure first and then you may need

397
00:21:12,880 --> 00:21:15,800
to change how you're 
demonstrating that security to 

398
00:21:15,800 --> 00:21:18,920
align with that compliance 
framework, but they shouldn't be

399
00:21:18,920 --> 00:21:21,160
decoupled or thought of as two 
separate. 

400
00:21:21,160 --> 00:21:24,280
So if I'm going to be very 
secure, I can't be compliant 

401
00:21:24,280 --> 00:21:26,880
because you're absolutely right.
At the end of the day, that 

402
00:21:26,880 --> 00:21:30,200
compliance is really about 
sharing and showing and 

403
00:21:30,200 --> 00:21:34,920
demonstrating that you have a 
level of a level of security 

404
00:21:34,920 --> 00:21:38,160
around your your organization or
around your processes. 

405
00:21:39,880 --> 00:21:45,280
So I, I, OK, just from my 
perspective, Sarbanes-Oxley and 

406
00:21:45,280 --> 00:21:50,880
PCI, those are kind of like the 
OG regulations for me, you know,

407
00:21:50,960 --> 00:21:54,760
and throughout, throughout, I'd 
say quite a bit of my career, it

408
00:21:54,760 --> 00:21:58,280
was like, oh, these are your 
SOX and PCI applications. 

409
00:21:58,520 --> 00:22:00,440
So those are the things you 
chase after. 

410
00:22:00,640 --> 00:22:06,760
But it seems like today there's 
a much more complex regulatory 

411
00:22:06,760 --> 00:22:09,960
environment. 
And I'm wondering, like, have 

412
00:22:09,960 --> 00:22:14,640
you seen that shift as well? 
And you know, when you think 

413
00:22:14,640 --> 00:22:17,720
about that, what are kind of 
some of the most significant 

414
00:22:17,720 --> 00:22:21,720
drivers of that shift? 
Yeah, there definitely has been 

415
00:22:21,720 --> 00:22:24,040
a shift. 
And I think a lot of the shift 

416
00:22:24,040 --> 00:22:27,840
is due to organizations, 
businesses and governance 

417
00:22:28,080 --> 00:22:30,720
heavily relying on third 
parties, right. 

418
00:22:31,720 --> 00:22:35,280
And what the advent of third 
parties, cloud service providers

419
00:22:35,280 --> 00:22:38,240
and and quite a few other kind 
of organizations bringing into 

420
00:22:38,240 --> 00:22:42,080
the mix of how companies and 
businesses go about their their 

421
00:22:42,080 --> 00:22:45,080
work. 
They have extended them into 

422
00:22:45,080 --> 00:22:49,000
kind of the regulatory framework
of regulatory pool, for example,

423
00:22:49,000 --> 00:22:51,640
right. 
I'll I'll use the government, 

424
00:22:51,640 --> 00:22:55,320
for example, the government is 
one of the bigger consumers of 

425
00:22:55,320 --> 00:22:58,400
third parties. 
That's either, you know, a 

426
00:22:58,640 --> 00:23:01,520
managed service providers, they 
leverage a lot of cloud service 

427
00:23:01,520 --> 00:23:06,320
providers, a lot of tools that 
are third party custom off the 

428
00:23:06,320 --> 00:23:10,000
shelf tools for vital reasons, 
for efficiencies, for cost and 

429
00:23:10,000 --> 00:23:13,640
you know, cutting and just for, 
you know, best practices really,

430
00:23:13,640 --> 00:23:16,440
right, best in class. 
Well, those might not be 

431
00:23:16,440 --> 00:23:21,080
traditionally tools or 
organizations or third parties 

432
00:23:21,240 --> 00:23:24,400
that would normally be subjected
to compliance because they're 

433
00:23:24,400 --> 00:23:27,800
not a government thing. 
But now because they have 

434
00:23:27,840 --> 00:23:31,640
entered into the government 
ecosystem either by being a 

435
00:23:31,640 --> 00:23:36,440
third party vendor or by being a
third party provider, they now 

436
00:23:36,440 --> 00:23:39,920
find themselves subjected to 
some sort or at least, you know,

437
00:23:40,240 --> 00:23:44,040
casually related to some sort of
compliance or regulatory 

438
00:23:44,040 --> 00:23:46,840
activity. 
So you see all kinds of 

439
00:23:46,840 --> 00:23:51,280
different actors now that are 
being subjected to maybe DoD 

440
00:23:51,280 --> 00:23:55,200
type compliance regulations 
because they are a fourth or an 

441
00:23:55,200 --> 00:23:59,120
nth party provider to a 
subcontractor. 

442
00:23:59,120 --> 00:24:01,000
And now all of a sudden they're 
starting to see, you know, 

443
00:24:01,000 --> 00:24:04,720
contractual language or things 
that are requiring them to meet 

444
00:24:04,720 --> 00:24:08,440
regulatory, you know, regulatory
requirements in a way that they 

445
00:24:08,440 --> 00:24:11,200
never would have or they 
generally don't have to because 

446
00:24:11,200 --> 00:24:13,720
they don't really play in that 
space traditionally. 

447
00:24:14,000 --> 00:24:16,880
So I think as the world and 
business has continued to kind 

448
00:24:16,880 --> 00:24:20,280
of expand and kind of merge 
across various different 

449
00:24:20,280 --> 00:24:23,720
industries and use, use and 
leverage products differently, 

450
00:24:24,400 --> 00:24:27,640
you've really seen kind of the 
expansion of the regulatory 

451
00:24:27,640 --> 00:24:31,560
landscape. 
And I think a lot of external 

452
00:24:31,800 --> 00:24:35,360
compliance and regulatory 
authorities have really 

453
00:24:35,360 --> 00:24:37,560
recognized that. 
And so you started to see the 

454
00:24:37,560 --> 00:24:41,760
shift in the last really three 
to five years of a heavy focus 

455
00:24:41,760 --> 00:24:45,040
on supply chain or sometimes 
it's called supplier risk 

456
00:24:45,040 --> 00:24:47,320
management. 
But really it's the idea of 

457
00:24:47,320 --> 00:24:51,680
understanding that now the way 
businesses perform is a lot of 

458
00:24:51,680 --> 00:24:54,640
services are outsourced. 
And so if services are being 

459
00:24:54,640 --> 00:24:58,840
outsourced, our companies also 
outsourcing risks that they 

460
00:24:58,840 --> 00:25:01,880
should or shouldn't be, right. 
And so there's been a lot of 

461
00:25:01,880 --> 00:25:07,760
focus in continuing movement 
towards really having strong 

462
00:25:08,080 --> 00:25:10,840
third party processes and 
supplier risk management 

463
00:25:10,840 --> 00:25:13,960
processes just because that 
regulatory and compliance 

464
00:25:13,960 --> 00:25:18,000
landscape has now gone outside 
and maybe the primary business 

465
00:25:18,000 --> 00:25:21,200
and stretched into vendors and 
and other parties. 

466
00:25:21,400 --> 00:25:26,080
So I think it's something that 
that I deal with it quite often.

467
00:25:26,080 --> 00:25:29,200
I, I can't tell you how many 
companies or organizations will 

468
00:25:29,200 --> 00:25:33,360
reach out to us to talk about a 
certain thing and they'll start 

469
00:25:33,360 --> 00:25:35,960
the conversation with saying, I 
don't even understand, Like 

470
00:25:35,960 --> 00:25:37,240
we're, we don't work with the 
government. 

471
00:25:37,240 --> 00:25:39,800
I don't even understand how this
came into my contract or why do 

472
00:25:39,800 --> 00:25:42,720
I need to do this or why, you 
know, why do I have to, you 

473
00:25:42,720 --> 00:25:44,960
know, do the specific way of 
split tunneling, like, you know,

474
00:25:44,960 --> 00:25:48,640
very specific kind of technical 
things that are kind of specific

475
00:25:48,640 --> 00:25:50,920
to the government, but it's 
really through those contractual

476
00:25:50,920 --> 00:25:54,280
relationships and that and 
they're we're just, you know, we

477
00:25:54,280 --> 00:25:57,640
are, we are grouping and working
differently than what we were 

478
00:25:57,640 --> 00:26:00,720
even 10, 15 years ago. 
Yeah. 

479
00:26:00,920 --> 00:26:03,680
It's just what you said there 
really something that I've 

480
00:26:03,680 --> 00:26:07,280
always wondered. 
So you talked about do you, are 

481
00:26:07,280 --> 00:26:10,320
you outsource, you're 
outsourcing a function, are you 

482
00:26:10,320 --> 00:26:15,280
outsourcing the risk? 
So let's take a sample of a CRM 

483
00:26:15,280 --> 00:26:17,600
system. 
You outsource it to a client or 

484
00:26:17,600 --> 00:26:22,000
to a company and they have SOC 
2, they have all the, you know, 

485
00:26:22,200 --> 00:26:28,760
check boxes checked and then 
they have a breach like, I mean,

486
00:26:29,480 --> 00:26:35,080
is that company now I you may 
have shifted the work, but 

487
00:26:35,160 --> 00:26:38,000
really you're the one who 
suffers from that breach, right?

488
00:26:38,440 --> 00:26:39,240
Correct. 
So. 

489
00:26:39,760 --> 00:26:43,720
Spot on. 
OK, yeah, that's I guess the way

490
00:26:43,720 --> 00:26:48,440
I've always thought about it. 
But yeah, what else can you do 

491
00:26:48,440 --> 00:26:50,480
other than check for those 
things, right? 

492
00:26:50,880 --> 00:26:53,200
Yeah. 
And so a lot of what a 

493
00:26:53,200 --> 00:26:55,320
compliance, a lot of the 
compliance frameworks that we 

494
00:26:55,320 --> 00:26:58,720
deal with in this kind of move 
is they kind of recognize that, 

495
00:26:58,720 --> 00:27:01,200
right? 
They recognize that the way 

496
00:27:01,240 --> 00:27:04,320
businesses were interconnected 
in ways that we weren't 

497
00:27:04,320 --> 00:27:06,880
previously, right. 
There's lots of different actors

498
00:27:06,880 --> 00:27:10,600
and providers across industries 
that are bringing best in class 

499
00:27:10,600 --> 00:27:14,840
services, you know, in a way 
that we maybe hadn't thought of.

500
00:27:14,840 --> 00:27:18,120
So a lot of compliance 
frameworks have been really 

501
00:27:18,120 --> 00:27:21,840
developing and putting 
additional kind of focus on. 

502
00:27:22,000 --> 00:27:25,160
So what are you doing around 
that SOC 2? 

503
00:27:25,160 --> 00:27:28,400
OK, great. 
You get a SOC 2 that says they 

504
00:27:28,400 --> 00:27:32,200
use least privilege or that 
says, you know, everything is in

505
00:27:32,760 --> 00:27:34,560
AWS or that says whatever, 
right. 

506
00:27:34,840 --> 00:27:37,440
But what are you, the 
organization that's, you know, 

507
00:27:37,440 --> 00:27:39,800
contracting them? 
Did you validate that? 

508
00:27:39,800 --> 00:27:43,720
Did you do a spot check? 
Are you, you know, looking at 

509
00:27:43,720 --> 00:27:47,040
that on a regular cadence to 
confirm that nothing has 

510
00:27:47,040 --> 00:27:50,080
changed? 
Do you have contractual language

511
00:27:50,080 --> 00:27:53,720
that requires them to notify you
if they're changing something? 

512
00:27:54,400 --> 00:27:59,800
Are you making sure that their 
cyber risk posture is in 

513
00:27:59,800 --> 00:28:02,520
alignment with your cyber risk 
posture? 

514
00:28:02,720 --> 00:28:06,320
Maybe you align to a certain 
framework or certain STIGs? 

515
00:28:06,600 --> 00:28:09,520
Are you ensuring that those 
clients and those companies that

516
00:28:09,520 --> 00:28:12,480
you're partnering with because 
they are providing services on 

517
00:28:12,480 --> 00:28:16,360
behalf or for you that they're 
really operating in a way that 

518
00:28:16,360 --> 00:28:19,280
you find appropriate? 
So it's really putting a lot of 

519
00:28:19,280 --> 00:28:23,640
focus and onus on. 
We understand that third party 

520
00:28:23,640 --> 00:28:27,120
and service providers is really 
kind of how we operate in the 

521
00:28:27,120 --> 00:28:30,440
world and in business, but we 
don't outsource risk. 

522
00:28:30,440 --> 00:28:32,600
We outsource processes and 
services. 

523
00:28:32,600 --> 00:28:35,800
So since you can't outsource 
risk, what are you going to do? 

524
00:28:35,800 --> 00:28:39,480
What is your governance again? 
What is your internal kind of 

525
00:28:39,480 --> 00:28:43,480
business behaviors and processes
going to be to really make sure 

526
00:28:43,480 --> 00:28:45,960
that you're managing and in 
monitoring that relationship, 

527
00:28:45,960 --> 00:28:48,920
you didn't just like kick over 
the function and be like, good 

528
00:28:48,920 --> 00:28:50,800
luck to you. 
Hope you know, hope nothing 

529
00:28:50,800 --> 00:28:53,760
fails. 
You're actively involved in it. 

530
00:28:55,320 --> 00:28:58,280
So I think this is a super 
timely question to ask because I

531
00:28:58,280 --> 00:29:01,960
feel like this is the new, well,
maybe not new, but supply chain 

532
00:29:01,960 --> 00:29:04,120
attack. 
It's not just like physical 

533
00:29:04,120 --> 00:29:07,520
goods of things, it's also the 
services that every company 

534
00:29:07,520 --> 00:29:10,320
relies on from others. 
And I guess, you know, you talk 

535
00:29:10,320 --> 00:29:13,760
about some of the controls or 
layers of control that you might

536
00:29:13,760 --> 00:29:16,320
put in like legal language 
within a contract. 

537
00:29:16,920 --> 00:29:18,920
Who's responsible for that sort 
of language? 

538
00:29:18,920 --> 00:29:22,360
Is that something that lawyers 
for the company should be 

539
00:29:22,360 --> 00:29:23,960
thinking about? 
Is it something that maybe a 

540
00:29:23,960 --> 00:29:26,560
risk officer or a CISO should be 
thinking about? 

541
00:29:26,600 --> 00:29:29,160
I mean, should an identity 
person be thinking about those 

542
00:29:29,160 --> 00:29:32,480
sorts of things and say, hey, 
have what is our repercussion of

543
00:29:32,480 --> 00:29:34,760
this? 
Because there's a lot of SaaS 

544
00:29:34,800 --> 00:29:36,920
services that are used by 
identity people, right? 

545
00:29:36,920 --> 00:29:39,000
A lot of companies are moving 
their products, that sort of 

546
00:29:39,000 --> 00:29:41,840
thing. 
I guess we know this is going to

547
00:29:41,840 --> 00:29:43,440
happen, right? 
It's just a numbers game and 

548
00:29:43,440 --> 00:29:44,640
say, OK, someone's going to get 
breached. 

549
00:29:44,640 --> 00:29:45,960
There's going to be some sort of
issues. 

550
00:29:45,960 --> 00:29:47,480
Humans are going to human, 
right? 

551
00:29:47,480 --> 00:29:50,440
Mistakes will be made. 
What do I do about it though? 

552
00:29:50,840 --> 00:29:55,480
If I, let's say I don't have 
the, the legal language, is it, 

553
00:29:55,480 --> 00:29:57,720
do I have a control within my 
organization? 

554
00:29:57,720 --> 00:30:00,040
It says this is what we do to 
check up on our suppliers. 

555
00:30:00,040 --> 00:30:03,320
It's sort of like a third party 
risk management type thing, you 

556
00:30:03,320 --> 00:30:05,360
know, what can I do as a 
customer of these sorts of 

557
00:30:05,360 --> 00:30:07,360
things? 
Because like you said, you can't

558
00:30:07,360 --> 00:30:09,280
outsource the risk. 
At the end of the day, I'm 

559
00:30:09,280 --> 00:30:12,280
responsible to you as my 
customer to make sure whatever 

560
00:30:12,280 --> 00:30:15,200
I'm doing meets your needs. 
If something behind the scenes 

561
00:30:15,200 --> 00:30:18,640
is having a problem, that's my 
problem, not yours. 

562
00:30:18,640 --> 00:30:20,360
I can't just pass the buck and 
say, well, it's not my problem. 

563
00:30:20,560 --> 00:30:23,320
You know Microsoft did something
that's not going to work in the 

564
00:30:23,320 --> 00:30:24,520
real 
world, right? 

565
00:30:24,760 --> 00:30:28,240
And really, you know, in, in a 
true consultant answer, it's all

566
00:30:28,240 --> 00:30:32,080
of the above, right? 
But it's, it's amazing 

567
00:30:32,080 --> 00:30:35,360
sometimes. 
And again, I always deal in like

568
00:30:35,360 --> 00:30:39,440
the contract area because a lot 
of what I do from a compliance 

569
00:30:39,440 --> 00:30:44,200
standpoint is contractually 
enforceable or regulatory, you 

570
00:30:44,200 --> 00:30:46,280
know, bestowed upon groups or 
organizations. 

571
00:30:46,280 --> 00:30:48,720
So we always end up in like a 
document of some sort. 

572
00:30:49,680 --> 00:30:52,600
And so it's, it's funny because 
we'll often in those 

573
00:30:52,600 --> 00:30:55,800
conversations, I'll say, well, 
can I have your security folks 

574
00:30:56,080 --> 00:30:57,720
on the line? 
Can I have your legal? 

575
00:30:57,720 --> 00:31:00,120
Can I have your procurement? 
And everybody's like, what do 

576
00:31:00,120 --> 00:31:02,480
you like? 
Why, Why would my security like,

577
00:31:02,480 --> 00:31:04,520
why would my security people be 
be here? 

578
00:31:04,880 --> 00:31:08,200
And I'm like, well, what do your
security clauses say, right, 

579
00:31:08,200 --> 00:31:13,400
about how you expect them to 
behave and identity and access, 

580
00:31:13,600 --> 00:31:16,520
no matter what compliance 
framework that you're looking 

581
00:31:16,520 --> 00:31:20,480
at, it's really kind of at the 
cornerstone of kind of security 

582
00:31:20,480 --> 00:31:23,800
101. 
Do I know who has access right? 

583
00:31:24,440 --> 00:31:28,560
Is there access appropriate? 
And am I doing something to 

584
00:31:28,560 --> 00:31:32,800
monitor, remove or, you know, 
completely authenticate and make

585
00:31:32,800 --> 00:31:35,520
sure that it is who it's 
supposed to be when it's 

586
00:31:35,520 --> 00:31:39,760
supposed to be, right? 
That is a tenet that is in 

587
00:31:39,760 --> 00:31:41,920
every single compliance 
framework, no matter which 

588
00:31:41,920 --> 00:31:46,960
industry, whether you're talking
SOX or, you know, CMMC or 

589
00:31:46,960 --> 00:31:49,400
FISMA, FedRAMP, it, it really, 
it literally doesn't matter. 

590
00:31:49,400 --> 00:31:51,680
HIPAA, all of them have a huge 
set. 

591
00:31:51,680 --> 00:31:55,400
It's always the largest group of
access and identification 

592
00:31:55,400 --> 00:31:57,840
controls. 
IA controls AC and IA, right? 

593
00:31:57,840 --> 00:32:00,840
And they go hand in hand, you 
know, like best friends that 

594
00:32:00,840 --> 00:32:03,400
they are. 
So when you really start to 

595
00:32:03,400 --> 00:32:07,880
think about how do we set our 
program up to make sure that we 

596
00:32:07,880 --> 00:32:12,240
organization understand what our
suppliers, our vendors, our 

597
00:32:12,240 --> 00:32:16,280
partners are doing, usually it 
is the most enforceable way is 

598
00:32:16,280 --> 00:32:17,760
through that contract vehicle, 
right? 

599
00:32:17,760 --> 00:32:20,200
That's how you get legal. 
You can apply legal 

600
00:32:20,200 --> 00:32:23,560
repercussions, right? 
I am agreeing the service you 

601
00:32:23,560 --> 00:32:28,640
agreed to do X and the X really 
should be a combination of your 

602
00:32:28,640 --> 00:32:32,680
security folks and your IE folks
say, hey, we don't allow, you 

603
00:32:32,680 --> 00:32:35,240
know, group accounts, right? 
So whatever you do, you can't 

604
00:32:35,240 --> 00:32:38,680
have a group account. 
We have, we run quarterly access

605
00:32:38,680 --> 00:32:41,120
reviews. 
We expect you to run monthly 

606
00:32:41,120 --> 00:32:42,800
reviews and report to us 
quarterly. 

607
00:32:43,040 --> 00:32:46,120
We exercise least privilege. 
Like those are things that 

608
00:32:46,120 --> 00:32:49,120
should be set out. 
If that is the cyber security 

609
00:32:49,120 --> 00:32:52,800
and your security posture and 
your organization, it should be 

610
00:32:52,800 --> 00:32:54,680
passed along and it should be 
detailed. 

611
00:32:54,680 --> 00:32:59,120
And so you started to see, even 
with a lot of like cloud service

612
00:32:59,120 --> 00:33:03,320
offerings, there are a lot of 
kind of frameworks are body of 

613
00:33:03,360 --> 00:33:04,880
evidence, as they'll sometimes 
call it. 

614
00:33:04,880 --> 00:33:07,440
So sometimes you'll see, you 
know, cloud service offerings 

615
00:33:07,440 --> 00:33:10,160
will say, well, we're not 
FedRAMP, you know, authorized, but 

616
00:33:10,320 --> 00:33:14,000
here is our FedRAMP equivalent.
And essentially it's just how 

617
00:33:14,000 --> 00:33:17,000
they're performing against all 
the controls so that that 

618
00:33:17,000 --> 00:33:20,640
organization can look and see, 
you know, is there identity and 

619
00:33:20,640 --> 00:33:23,480
access management like the way 
they're managing, you know, 

620
00:33:23,480 --> 00:33:27,800
they're, they're very they're 
very high administrators. 

621
00:33:27,800 --> 00:33:30,160
Does that match what what we 
think administrators should be 

622
00:33:30,280 --> 00:33:31,640
or is everybody an 
administrator? 

623
00:33:31,840 --> 00:33:35,040
Does everybody have access to 
every single thing all the time,

624
00:33:35,040 --> 00:33:37,440
right? 
Or if you are providing a 

625
00:33:37,440 --> 00:33:41,240
service for us, how are they, 
how are you restricting and 

626
00:33:41,240 --> 00:33:46,240
making sure that a person for my
company only has access to my 

627
00:33:46,240 --> 00:33:49,240
company and right, they're not 
able to dip in, you know, across

628
00:33:49,240 --> 00:33:52,040
three different companies and 
put my information somewhere 

629
00:33:52,040 --> 00:33:54,160
that it shouldn't. 
Like where are those rights? 

630
00:33:54,160 --> 00:33:57,480
Where are those group policies? 
Those are things that should be 

631
00:33:57,480 --> 00:33:59,520
included and should be thought 
of. 

632
00:33:59,560 --> 00:34:01,960
And to do that, you need 
practitioners. 

633
00:34:02,040 --> 00:34:05,120
So that's not something that 
generally a procurement officer 

634
00:34:05,120 --> 00:34:08,639
can just detail out themselves. 
The procurement should 

635
00:34:08,639 --> 00:34:12,239
absolutely be working with their
security specialists. 

636
00:34:12,679 --> 00:34:15,199
They should be working what 
folks that are administering 

637
00:34:15,199 --> 00:34:18,880
their IAM to understand, hey, 
what is our access policies and 

638
00:34:18,880 --> 00:34:22,400
what do we expect, you know our 
vendors to be doing? 

639
00:34:22,639 --> 00:34:26,719
And since we're reviewing what 
what would you need to see right

640
00:34:26,719 --> 00:34:30,320
so that that language is 
codified and put in to 

641
00:34:30,320 --> 00:34:33,320
contractual or rules or 
memorandums, whatever is 

642
00:34:33,320 --> 00:34:36,480
going to dictate, you know, SOPs,
how you were going to interact 

643
00:34:36,480 --> 00:34:40,280
and behave with one another. 
So I think you answered the 

644
00:34:40,280 --> 00:34:42,239
follow up question. 
I was going to ask to say where 

645
00:34:42,239 --> 00:34:44,320
does this start? 
Is it, is it legal? 

646
00:34:44,320 --> 00:34:46,960
Is that really where it starts 
is to have that teeth behind a 

647
00:34:46,960 --> 00:34:49,880
contract to say, look, these are
security requirements that our 

648
00:34:49,880 --> 00:34:53,760
organization has and make sure 
that language is in the 

649
00:34:53,760 --> 00:34:57,080
contract. 
What concerns me sometimes is, 

650
00:34:57,320 --> 00:34:59,720
are the right people looking at 
the contract to make sure that 

651
00:34:59,720 --> 00:35:01,440
that's in there, which you just 
talked about? 

652
00:35:02,360 --> 00:35:04,400
Yeah. 
And maybe it's I, I, I don't 

653
00:35:04,400 --> 00:35:06,080
know where that information 
comes from because it's just 

654
00:35:06,080 --> 00:35:08,240
experience. 
Is there are there sources 

655
00:35:08,240 --> 00:35:10,920
online that people get it? 
Is it, hey, drop a note to key 

656
00:35:10,920 --> 00:35:13,400
on LinkedIn and ask her for if I
sent it right? 

657
00:35:13,400 --> 00:35:15,680
That kind of thing. 
But I feel like sometimes there 

658
00:35:15,680 --> 00:35:19,120
is a pressure also to say, well,
they don't do that. 

659
00:35:19,120 --> 00:35:22,880
So we're just going to have to 
accept the risk in case 

660
00:35:22,880 --> 00:35:25,640
something happens. 
Talk to me about how the 

661
00:35:25,640 --> 00:35:27,800
business gets involved with 
making that decision. 

662
00:35:27,800 --> 00:35:30,760
And how do you how do you make 
sure that that, you know, people

663
00:35:30,760 --> 00:35:32,600
who are listening to this, 
people who are in identity and 

664
00:35:32,600 --> 00:35:35,400
cybersecurity are saying, OK, 
we've got we're doing our best 

665
00:35:35,400 --> 00:35:38,080
to protect our environment. 
But every once in a while you 

666
00:35:38,080 --> 00:35:39,840
get the business. 
It's just like, just do it. 

667
00:35:40,520 --> 00:35:41,360
Right. 
Right. 

668
00:35:41,400 --> 00:35:43,800
How do you how do you help 
manage that discussion? 

669
00:35:44,440 --> 00:35:50,400
Yeah, I, I do think it's a, it's
a measure of a collective group 

670
00:35:50,520 --> 00:35:53,960
in the procurement and 
contracting process, right. 

671
00:35:53,960 --> 00:35:57,000
So I think it starts with, 
obviously sometimes it's your 

672
00:35:57,000 --> 00:35:59,800
lawyers and it's your 
procurement specialist, but I 

673
00:35:59,800 --> 00:36:04,880
think it is going to your, your 
cyber, your security folks and 

674
00:36:04,880 --> 00:36:08,280
literally asking what is it that
we do here is. 

675
00:36:08,280 --> 00:36:10,960
And, and oftentimes when you 
partner with a third party, they

676
00:36:10,960 --> 00:36:14,440
provide you kind of like there's
their customer shared 

677
00:36:14,440 --> 00:36:18,000
responsibility matrix or 
customer responsibility matrix, 

678
00:36:18,000 --> 00:36:20,120
whatever it may be, right? 
They, they have different terms.

679
00:36:20,120 --> 00:36:22,520
Basically they'll say, here's 
all the things we agree we're 

680
00:36:22,520 --> 00:36:24,800
going to do and these are the 
things we're not going to do. 

681
00:36:24,800 --> 00:36:28,160
It's on you, right? 
And so I think the first thing 

682
00:36:28,160 --> 00:36:31,760
that I see a lot of times is 
organizations will get that kind

683
00:36:31,760 --> 00:36:34,440
of a standard paper, but it's 
not really reviewed. 

684
00:36:35,200 --> 00:36:37,880
And, and the folks that are 
reviewing it are usually not the

685
00:36:37,880 --> 00:36:39,960
folks in security. 
And you should be having your 

686
00:36:39,960 --> 00:36:43,440
security folks review it because
the security folks are the ones 

687
00:36:43,440 --> 00:36:47,560
that can say, hey, they don't 
really practice any type of, you

688
00:36:47,560 --> 00:36:52,400
know, maybe they use all group 
accounts for everything they do 

689
00:36:52,400 --> 00:36:55,560
or system accounts. 
They have no real, you know, 

690
00:36:55,560 --> 00:36:58,240
identification or authentication
methods at all. 

691
00:36:58,240 --> 00:36:59,600
It's kind of like the Wild, Wild
West. 

692
00:36:59,600 --> 00:37:03,560
Somebody like you work there, 
you get everything right, and 

693
00:37:03,560 --> 00:37:06,560
you need somebody, but only a 
security person is going to be 

694
00:37:06,560 --> 00:37:10,360
like, hey, we don't want that, 
and here's why we don't want 

695
00:37:10,360 --> 00:37:12,360
that, right? 
That's that risk we're talking 

696
00:37:12,360 --> 00:37:14,560
about. 
So then when that executive says

697
00:37:14,560 --> 00:37:18,000
we're going to accept the risk, 
they actually understand what 

698
00:37:18,000 --> 00:37:20,920
the risk is, they're accepting 
it, and it should be documented.

699
00:37:21,040 --> 00:37:22,800
That should still be documented,
right? 

700
00:37:22,800 --> 00:37:27,480
Like the idea to not act should 
be documented the same way as 

701
00:37:27,480 --> 00:37:29,960
how you do act when you're 
thinking of governance. 

702
00:37:29,960 --> 00:37:32,680
Again, this is that proactive 
kind of behavior. 

703
00:37:33,120 --> 00:37:35,760
We've decided that we are going 
to continue this relationship 

704
00:37:35,760 --> 00:37:38,520
with this third party. 
We're going to, you know, accept

705
00:37:38,520 --> 00:37:40,240
their procedures or their 
security. 

706
00:37:40,360 --> 00:37:45,360
Security basically as it is. 
We've accepted that these, you 

707
00:37:45,360 --> 00:37:49,520
know, 10, 15, 20 things that they 
say that they're not responsible

708
00:37:49,520 --> 00:37:51,520
for. 
We've accepted the risk of of 

709
00:37:51,520 --> 00:37:53,200
managing it or not managing 
that. 

710
00:37:53,400 --> 00:37:57,520
That should be a proactive, 
documented decision. 

711
00:37:57,680 --> 00:38:02,200
It just shouldn't be a decision 
by, you know, almost by neglect,

712
00:38:02,200 --> 00:38:04,040
right? 
Like we, we don't really know 

713
00:38:04,040 --> 00:38:05,520
what it means. 
So we're just going to sign it 

714
00:38:05,520 --> 00:38:08,680
anyway, right, because that's 
still not making the decision. 

715
00:38:08,680 --> 00:38:11,440
That's just kind of, you know, 
moving along and and the whole 

716
00:38:11,440 --> 00:38:16,240
point is, again, governance is 
the behaviors you want, it's 

717
00:38:16,240 --> 00:38:18,520
internal, it's who we want to 
be, right. 

718
00:38:18,520 --> 00:38:22,440
And so all organizations should 
and usually have a goal and 

719
00:38:22,440 --> 00:38:25,040
security to have very strong 
governance practices. 

720
00:38:25,320 --> 00:38:29,080
So the idea that you are 
proactively acknowledging and 

721
00:38:29,080 --> 00:38:33,400
accepting risks, security or 
otherwise, should be something 

722
00:38:33,400 --> 00:38:35,960
that should be involved with 
multiple parties, legal 

723
00:38:36,080 --> 00:38:40,800
executives and and security. 
I'm always a fan of bringing our

724
00:38:40,800 --> 00:38:45,040
security practitioners to those 
conversations because the 

725
00:38:45,040 --> 00:38:48,840
insight that they provide makes 
the words make sense, right? 

726
00:38:48,840 --> 00:38:52,560
A lawyer that's reading it has 
no idea half the time why any of

727
00:38:52,560 --> 00:38:55,000
that matters. 
What you know, what tools 

728
00:38:55,000 --> 00:38:57,560
they're using, even why that 
matters? 

729
00:38:57,600 --> 00:38:58,840
You can. 
You're going to need a 

730
00:38:58,840 --> 00:39:01,440
practitioner to 
digest that for you. 

731
00:39:02,160 --> 00:39:04,880
You know, as I'm sitting here 
listening to you, I'm thinking 

732
00:39:04,880 --> 00:39:07,320
I'm learning so much. 
This is awesome. 

733
00:39:08,000 --> 00:39:11,280
And like Jeff, I had a question 
queued up. 

734
00:39:11,280 --> 00:39:16,640
I think you answered it, but it 
made me think of one thing I did

735
00:39:16,640 --> 00:39:19,480
recently. 
And I'm sure this was regulation

736
00:39:19,480 --> 00:39:21,880
driven. 
I went to my doctor like, oh, we

737
00:39:21,880 --> 00:39:23,480
have all these things for you to
accept. 

738
00:39:23,480 --> 00:39:28,000
And it was like 10 pages of 
small 10 point font text. 

739
00:39:28,000 --> 00:39:33,720
And I was like sign, sign, sign,
I, that's a whole other episode,

740
00:39:33,720 --> 00:39:36,280
right? 
But kind of the question I was 

741
00:39:36,280 --> 00:39:39,800
getting toward is, you know, we 
do a lot with the middle market 

742
00:39:39,800 --> 00:39:44,680
at RSM. 
We don't maybe have the middle 

743
00:39:44,680 --> 00:39:49,160
market maybe doesn't have the 
weight all the time to go to a 

744
00:39:49,160 --> 00:39:52,640
SaaS vendor and kind of put them 
through the paces, right. 

745
00:39:52,640 --> 00:39:56,520
If you're $1,000,000 client, 
they'll run through the paces to

746
00:39:56,520 --> 00:40:01,040
win your business, but they 
might more or less send you to a

747
00:40:01,040 --> 00:40:06,160
website is what I'm thinking. 
But here's the the thing I was 

748
00:40:06,160 --> 00:40:10,640
getting ultimately getting at 
was there are certain services 

749
00:40:10,640 --> 00:40:13,480
now. 
That are almost like you can't 

750
00:40:13,480 --> 00:40:17,120
run them on site or only you 
know, nobody would run them on 

751
00:40:17,120 --> 00:40:18,720
site. 
So I'm just thinking of like 

752
00:40:19,000 --> 00:40:22,560
authentication. 
You know, very few organizations

753
00:40:22,560 --> 00:40:28,160
want to run their own external 
authentication system on-prem, 

754
00:40:28,160 --> 00:40:29,480
right? 
They just get a cloud. 

755
00:40:29,760 --> 00:40:34,720
And you know, the thing that you
mentioned that really stuck to 

756
00:40:34,720 --> 00:40:39,160
me was, you know, they might not
have the form that you're 

757
00:40:39,160 --> 00:40:42,880
looking for to say we're FedRAMP
compliant, but they might be 

758
00:40:42,880 --> 00:40:45,600
able to show you that their 
processes exist. 

759
00:40:45,840 --> 00:40:48,960
You might be able to look at 
those processes and say they're 

760
00:40:48,960 --> 00:40:53,560
better than our own processes. 
So from a risk evaluation 

761
00:40:53,560 --> 00:40:57,160
standpoint, it's not just to 
check the box exercise, it's an 

762
00:40:57,160 --> 00:41:00,640
evaluation. 
Hey, they do all these things as

763
00:41:00,640 --> 00:41:02,600
well as we do them. 
They've actually got them 

764
00:41:02,600 --> 00:41:05,600
documented. 
Maybe your organization doesn't.

765
00:41:05,600 --> 00:41:08,840
So that that was my thought. 
I wanted to get into that 

766
00:41:08,840 --> 00:41:12,320
conversation, but I also wanted 
to just shift. 

767
00:41:12,320 --> 00:41:17,000
So let me shift to another 
discussion around kind of which 

768
00:41:18,080 --> 00:41:21,120
you talked about a lot of 
different regulations so far 

769
00:41:21,120 --> 00:41:24,560
during the episode. 
And I wanted to get like the 

770
00:41:24,560 --> 00:41:28,160
most impactful, but I think 
there's two types of impact. One

771
00:41:28,160 --> 00:41:34,400
is what regulations are having 
the biggest impact across all 

772
00:41:34,400 --> 00:41:37,800
industries. 
And you know, I'll put my vote 

773
00:41:37,800 --> 00:41:41,400
out there for GDPR because I 
keep running into it where 

774
00:41:41,400 --> 00:41:46,160
organizations, especially over 
the last 10 years have had to, 

775
00:41:46,640 --> 00:41:51,600
you know, make that a major 
requirements impact in terms of 

776
00:41:51,800 --> 00:41:56,480
deployment of identity systems. 
Now I think the other most 

777
00:41:56,480 --> 00:42:00,480
impactful could be where does a,
a single regulation hit an 

778
00:42:00,480 --> 00:42:06,680
industry especially squarely in 
the eyes and say this completely

779
00:42:06,680 --> 00:42:09,240
impacts our identity access 
management. 

780
00:42:09,240 --> 00:42:12,880
And so I have experience working
with utility clients. 

781
00:42:13,120 --> 00:42:17,440
They have a NERC CIP body of 
regulation, right? 

782
00:42:17,440 --> 00:42:20,680
And it requires that there's an 
air gap. 

783
00:42:20,680 --> 00:42:24,120
And so for people who don't know
an air gap is it's a complete 

784
00:42:24,120 --> 00:42:30,000
separation of the network 
between corporate and power 

785
00:42:30,000 --> 00:42:34,440
generation, especially nuclear. 
And so you know, you can't, when

786
00:42:34,440 --> 00:42:37,720
you have a completely separated 
network, you can't have IAM 

787
00:42:37,720 --> 00:42:39,920
systems with one foot on both 
sides. 

788
00:42:40,360 --> 00:42:43,920
You're basically duplicating 
your identity systems as well. 

789
00:42:44,720 --> 00:42:48,640
So I've seen that is like a huge
impact on that. 

790
00:42:48,840 --> 00:42:52,760
You know those companies are hit
squarely with that one. 

791
00:42:52,760 --> 00:42:55,560
So I'll turn it over to you and 
kind of the where do you see 

792
00:42:55,560 --> 00:42:57,960
that like the broad and the 
narrow? 

793
00:42:58,600 --> 00:43:00,920
Yeah. 
I mean there, there's some, I, I

794
00:43:00,920 --> 00:43:06,320
would definitely say one that is
disrupting lots of industries. 

795
00:43:06,320 --> 00:43:08,680
So I will say this goes across 
industries. 

796
00:43:09,400 --> 00:43:15,320
Is the cybersecurity maturity 
model certification, CMMC and in

797
00:43:15,320 --> 00:43:19,000
its ruling or in its stated 
purpose, you would think it has 

798
00:43:19,000 --> 00:43:24,480
a pretty narrow scope because it
is written to impact the defense

799
00:43:24,480 --> 00:43:29,160
industrial base, but the defense
industrial base is huge. 

800
00:43:30,000 --> 00:43:35,320
It is organization. 
So just think about you, you 

801
00:43:35,320 --> 00:43:38,760
have a prime, so the big primes 
of the world, think about any of

802
00:43:38,760 --> 00:43:43,080
the major aerospace or you know,
aerospace engineering, our 

803
00:43:43,080 --> 00:43:46,760
defense contractors, right? 
But it's everybody in that 

804
00:43:46,760 --> 00:43:51,320
defense supply chain, all the 
companies in their supply chain 

805
00:43:51,400 --> 00:43:56,840
are also impacted by CMMC and it
has no, it takes no 

806
00:43:56,840 --> 00:44:01,320
consideration of size or profit 
share, right, and who it 

807
00:44:01,320 --> 00:44:04,120
impacts. 
Literally the mandate is that 

808
00:44:04,400 --> 00:44:07,520
anybody in the defense 
industrial base supply chain 

809
00:44:07,760 --> 00:44:11,160
will maintain a certain standard
of cybersecurity. 

810
00:44:11,520 --> 00:44:15,880
And much like the air gap you're
talking about in CMMC, there is 

811
00:44:15,880 --> 00:44:20,200
no commingling of information. 
So this information that it's 

812
00:44:20,280 --> 00:44:24,560
targeting or CUI that it's 
important, it has to be solely 

813
00:44:24,560 --> 00:44:27,440
and completely separate from 
anything else in the 

814
00:44:27,440 --> 00:44:29,760
environment. 
So this is where I say I start 

815
00:44:29,760 --> 00:44:33,840
to have these interesting 
conversations with, I had, I was

816
00:44:33,840 --> 00:44:36,360
on a call with the maintenance 
company, right? 

817
00:44:36,360 --> 00:44:39,280
They, they do lawn care and 
maintenance and they are 

818
00:44:39,280 --> 00:44:43,480
subjected to CMMC and they're 
like, why am I talking to you? 

819
00:44:43,480 --> 00:44:45,920
Right? 
Like we, we do maintenance, but 

820
00:44:45,920 --> 00:44:51,120
because they support, you know, 
DoD locations and other places 

821
00:44:51,120 --> 00:44:54,520
that are considered to be 
sensitive and they're in the DoD

822
00:44:54,520 --> 00:44:56,920
supply chain. 
Now, granted, they're probably 

823
00:44:56,920 --> 00:45:00,600
like 15 down the supply chain, 
but they're in the supply chain.

824
00:45:00,760 --> 00:45:05,520
They find themselves subjected 
to these, you know, regulations 

825
00:45:05,720 --> 00:45:08,440
that have specific kind of so 
they're like, so you're telling 

826
00:45:08,440 --> 00:45:13,000
me I now need to find a way to 
segment my whole environment. 

827
00:45:13,000 --> 00:45:16,160
So I have my whole commercial 
environment, but because I do 

828
00:45:16,160 --> 00:45:18,200
these, I have these, you know, 
four or five, whatever 

829
00:45:18,200 --> 00:45:22,880
contracts, it puts me into the 
defense industrial base supply 

830
00:45:22,880 --> 00:45:25,280
chain. 
And now I find myself having to 

831
00:45:25,280 --> 00:45:29,360
create a separate enclave or a 
whole separate environment just 

832
00:45:29,360 --> 00:45:31,760
to manage those contracts, 
right? 

833
00:45:31,880 --> 00:45:36,320
So it starts to have huge 
implications and, and really 

834
00:45:36,320 --> 00:45:38,840
we've been seeing it across 
every industry. 

835
00:45:38,840 --> 00:45:42,400
It's impacting, you know, 
healthcare providers, like I 

836
00:45:42,400 --> 00:45:46,720
said, maintenance, huge 
manufacturing implications. 

837
00:45:47,400 --> 00:45:50,360
Think about people that make 
small bolts that might autumn, 

838
00:45:50,400 --> 00:45:56,360
you know, ultimately end up on 
some kind of jet or some sort 

839
00:45:56,360 --> 00:46:00,800
of, you know, or some sort of 
DoD equipment, right? 

840
00:46:01,040 --> 00:46:03,840
They, they may not even, they, a
lot of them didn't even know 

841
00:46:03,920 --> 00:46:06,480
they were in the supply chain 
until they started seeing all of

842
00:46:06,480 --> 00:46:09,040
these things flow down. 
And so it's completely 

843
00:46:09,040 --> 00:46:14,480
disrupting how, you know, they 
are delivering and how they're 

844
00:46:14,480 --> 00:46:16,760
providing their business. 
And, and in a lot of those 

845
00:46:16,760 --> 00:46:20,200
cases, when we go and talk to 
them, like, OK, we need to make 

846
00:46:20,200 --> 00:46:22,840
sure that only appropriate 
people have access to this 

847
00:46:22,840 --> 00:46:25,400
information. 
Show me, you know, your role, 

848
00:46:25,480 --> 00:46:27,920
role based access or show me 
your RBAC or show me what you're

849
00:46:27,920 --> 00:46:29,200
doing. 
They're like, well, there's 

850
00:46:29,200 --> 00:46:32,480
three of us, so what would you 
like us to show you, right? 

851
00:46:32,480 --> 00:46:36,080
Like we all have access, we all 
do everything, we all can see 

852
00:46:36,080 --> 00:46:37,800
everything. 
Is that a problem, right? 

853
00:46:38,120 --> 00:46:41,360
And we're like, oh, let's dive 
into that a little bit, right? 

854
00:46:41,360 --> 00:46:44,400
And see for this environment, 
you may have to do something 

855
00:46:44,400 --> 00:46:47,160
slightly different because it 
does require you to do least 

856
00:46:47,160 --> 00:46:50,440
privilege and it may require you
to set up slightly different 

857
00:46:50,440 --> 00:46:52,800
kind of access permissions and 
things like that. 

858
00:46:53,040 --> 00:46:58,720
So I definitely think CMMC is 
one it, the rule has been 

859
00:46:59,120 --> 00:47:04,360
meandering for the past, you 
know, 10 years or so since the 

860
00:47:04,360 --> 00:47:08,440
idea came, came about, but it 
went final in December. 

861
00:47:09,240 --> 00:47:11,040
And I think a lot of people 
thought it was going to roll 

862
00:47:11,040 --> 00:47:13,920
back and it's full steam ahead 
and its requirements and 

863
00:47:13,920 --> 00:47:17,360
certifications. 
And so it's requiring lots of 

864
00:47:17,360 --> 00:47:22,800
organizations across lots of 
different industries to really 

865
00:47:23,440 --> 00:47:26,680
figure out how and what they're 
going to do to implement it. 

866
00:47:26,680 --> 00:47:31,200
And and I will say one of the 
tricky things is that identity 

867
00:47:31,200 --> 00:47:34,800
and access management piece of 
it because the whole cornerstone

868
00:47:35,080 --> 00:47:39,040
is that only the appropriate 
people have access to the 

869
00:47:39,040 --> 00:47:41,720
information. 
And when now you have to set up 

870
00:47:41,720 --> 00:47:46,200
to your point, two separate environments
and you can't swivel chair or 

871
00:47:46,200 --> 00:47:48,360
you can't figure out what do you
do? 

872
00:47:48,360 --> 00:47:51,960
Do you have two totally 
different kind of directories 

873
00:47:51,960 --> 00:47:55,840
and policy and you're totally 
managing two different like how 

874
00:47:55,840 --> 00:47:57,560
do you do that in a way that 
makes sense? 

875
00:47:57,560 --> 00:48:00,480
And so that's what we're 
constantly kind of working on 

876
00:48:01,320 --> 00:48:04,520
with some of these regulations. 
So I think that's a big one. 

877
00:48:04,760 --> 00:48:06,920
And then I think your second 
question is what is maybe a more

878
00:48:06,920 --> 00:48:10,000
smaller or one that we're also 
seeing. 

879
00:48:10,800 --> 00:48:16,280
I think there has been in the in
the last few years with GDPR I 

880
00:48:16,280 --> 00:48:20,680
think some of the healthcare in 
expansion of some of those have 

881
00:48:20,680 --> 00:48:23,800
also started to find the way 
across. 

882
00:48:24,240 --> 00:48:27,040
Not just a specific kind of 
usually used to be just like 

883
00:48:27,040 --> 00:48:32,040
hospitals or medical facilities,
but you're starting to see the 

884
00:48:32,040 --> 00:48:35,240
advent of more like medical 
devices. 

885
00:48:35,480 --> 00:48:38,200
Companies are being pulled into 
certain compliance things 

886
00:48:38,920 --> 00:48:42,840
they've, they've technically or 
have always been with the kind 

887
00:48:42,840 --> 00:48:46,200
of maybe HIPAA or HPA, but now 
they're starting to see 

888
00:48:46,200 --> 00:48:49,960
HITRUST and GDPR and some other 
things because they often have 

889
00:48:50,240 --> 00:48:53,840
international manufacturing 
places. 

890
00:48:53,840 --> 00:48:57,560
And so that opens them up kind 
of in a way that they didn't 

891
00:48:57,560 --> 00:49:00,320
expect. 
So I think it can, for me, it 

892
00:49:00,320 --> 00:49:03,440
gets kind of exciting when you 
kind of see how everything 

893
00:49:03,440 --> 00:49:08,000
starts to really intertwine. 
But it certainly can provide 

894
00:49:08,000 --> 00:49:12,800
challenges because most 
businesses are not set up to 

895
00:49:12,800 --> 00:49:16,800
only respond or be organized in 
a way that compliance 

896
00:49:16,800 --> 00:49:20,760
frameworks, you know, speculate 
right there. 

897
00:49:20,800 --> 00:49:22,600
They are designed to run their 
business. 

898
00:49:23,160 --> 00:49:25,920
So it's always very interesting 
in working with clients to kind 

899
00:49:25,920 --> 00:49:30,240
of figure out how to right size 
their footprint or right size 

900
00:49:30,960 --> 00:49:35,040
their processes to fit their 
business needs, but more 

901
00:49:35,040 --> 00:49:39,080
importantly, their governance 
aligns with their compliance. 

902
00:49:39,440 --> 00:49:43,520
So again, it really goes back to
what are the proactive behaviors

903
00:49:43,520 --> 00:49:47,200
that they can put in place so 
that compliance is just a thing 

904
00:49:47,200 --> 00:49:48,880
that kind of checks on their 
governance. 

905
00:49:48,880 --> 00:49:51,600
It's not a different thing that 
they actually have to do. 

906
00:49:53,240 --> 00:49:58,200
So you've got me thinking now, 
Kia, the supply chain of, you 

907
00:49:58,200 --> 00:49:59,840
know, all the different parts of
the especially for like 

908
00:49:59,840 --> 00:50:02,400
government type stuff. 
You mentioned CMMC, is this 

909
00:50:02,400 --> 00:50:04,600
podcast supposed to be CMMC 
compliant? 

910
00:50:04,600 --> 00:50:08,280
Because I know that we're on 
podcast players in some of those

911
00:50:08,280 --> 00:50:10,960
environments. 
So I don't know if we have to. 

912
00:50:11,800 --> 00:50:14,720
I don't know, it depends. 
I've seen some really strange 

913
00:50:14,720 --> 00:50:17,480
things come into scope in some 
of these assessments, right? 

914
00:50:17,480 --> 00:50:20,320
I mean, as long it depends on 
what you start talking about and

915
00:50:20,320 --> 00:50:22,600
what you start recording and 
what you start, you know, and 

916
00:50:22,600 --> 00:50:25,560
that's where a lot of the 
theoretical conversations come 

917
00:50:25,560 --> 00:50:28,720
in at, right? 
Like what really should be 

918
00:50:28,720 --> 00:50:32,320
considered sensitive or what 
really in the DoD space, what 

919
00:50:32,320 --> 00:50:35,160
should be considered CUI, 
controlled unclassified. 

920
00:50:35,160 --> 00:50:39,200
So the idea that there's this 
whole body of information that 

921
00:50:39,200 --> 00:50:41,880
is sensitive enough, it needs to
be protected more than just 

922
00:50:41,880 --> 00:50:45,240
regular information. 
But it's not like top secret 

923
00:50:45,240 --> 00:50:47,880
things, right? 
But it does require some 

924
00:50:47,880 --> 00:50:49,720
additional layers and effort 
there. 

925
00:50:50,440 --> 00:50:53,320
So, you know, you may be 
somebody might be reaching out 

926
00:50:53,320 --> 00:50:56,360
to you and want to know, you 
know, kind of like where's 

927
00:50:56,360 --> 00:50:59,040
FedRAMP or where you know, some of 
these compliance things on your 

928
00:50:59,040 --> 00:51:02,200
road map because they want to be
able to use your podcast in 

929
00:51:02,200 --> 00:51:04,480
their environment and their 
environment is fully compliant. 

930
00:51:04,480 --> 00:51:05,880
You're knocking them out of 
compliance. 

931
00:51:07,480 --> 00:51:10,800
Well, air gap will, you know, 
you'll have to buy a tape 

932
00:51:10,800 --> 00:51:12,160
cassette player. 
There you go. 

933
00:51:12,440 --> 00:51:14,720
Record us a tape and put us in a
room and just put us on a 

934
00:51:14,720 --> 00:51:16,360
speaker and that's the way we'll
cover that. 

935
00:51:17,280 --> 00:51:19,640
I know where I, I want to like 
be cognizant at a time. 

936
00:51:19,640 --> 00:51:22,880
And I have one more question I 
want to ask you because I feel 

937
00:51:22,880 --> 00:51:27,120
like we've set a record, Jim, in
the last year where we've gone 

938
00:51:27,480 --> 00:51:30,400
over 45 minutes without 
mentioning really AI. 

939
00:51:30,800 --> 00:51:35,000
And so I want to get Kia's, 
Kia's thoughts on where do you 

940
00:51:35,000 --> 00:51:39,160
see AI really impacting sort of 
the space between compliance and

941
00:51:39,160 --> 00:51:41,440
some of the things that people 
in the digital identity and 

942
00:51:41,440 --> 00:51:43,440
cybersecurity space you really 
need to start to think about? 

943
00:51:44,320 --> 00:51:48,720
Yeah, I think when you think 
about AI, right and and its 

944
00:51:48,720 --> 00:51:53,040
usefulness, it's really used to 
kind of advance or make 

945
00:51:53,040 --> 00:51:56,560
processes more efficient. 
There's certainly a lot of 

946
00:51:56,560 --> 00:52:01,000
routine and kind of either 
governance and security type 

947
00:52:01,000 --> 00:52:04,800
things that you could use AI to 
really help you check on a 

948
00:52:04,800 --> 00:52:07,280
regular basis. 
And again, I think from a 

949
00:52:07,280 --> 00:52:10,680
governance standpoint, that's 
very powerful and really 

950
00:52:11,000 --> 00:52:14,920
maturing your cybersecurity 
posture for it, right? 

951
00:52:15,120 --> 00:52:18,480
Being able to use these where 
there's a little bit of a 

952
00:52:18,480 --> 00:52:23,960
temperance is, is that at the 
core, right of most compliance 

953
00:52:23,960 --> 00:52:29,120
is understanding and always 
being able to know exactly where

954
00:52:29,120 --> 00:52:32,720
things are coming from, who 
specifically is doing it. 

955
00:52:33,000 --> 00:52:34,960
And if somebody's reviewing it, 
right? 

956
00:52:34,960 --> 00:52:38,040
So it's still putting back that 
human element that kind of the 

957
00:52:38,040 --> 00:52:40,760
whole purpose of AI is to kind 
of remove some of that, right? 

958
00:52:40,760 --> 00:52:44,640
So I think there's a little bit 
of a pull right now and a little

959
00:52:44,640 --> 00:52:49,440
bit of a hesitation from a 
compliance standpoint and really

960
00:52:49,440 --> 00:52:54,720
how to evaluate the use of AI in
environment. 

961
00:52:55,280 --> 00:53:00,840
Now there are like for example, 
ISO, I know I think A to LA is 

962
00:53:00,840 --> 00:53:03,080
coming out with statements. 
I know there's different kind of

963
00:53:03,080 --> 00:53:05,480
governing bodies that are 
starting to put out more 

964
00:53:06,240 --> 00:53:10,000
literature, more guidance around
acceptable off like acceptable 

965
00:53:10,000 --> 00:53:14,560
use cases of digital identity or
other type of like control 

966
00:53:14,560 --> 00:53:18,960
activities or even data, a lot 
of data gathering activity. 

967
00:53:18,960 --> 00:53:24,280
So for if you think about AI in 
a financial industry and how can

968
00:53:24,280 --> 00:53:26,840
be used to kind of aggregate 
large quantities of data 

969
00:53:26,840 --> 00:53:30,200
reporting, there's a lot of 
questions and maybe some 

970
00:53:30,200 --> 00:53:33,080
controls and frameworks coming 
around on how to validate the 

971
00:53:33,080 --> 00:53:37,600
inputs so that you can rely on 
the outputs that are generated 

972
00:53:37,600 --> 00:53:41,080
from whatever AI tool. 
I think that's going to continue

973
00:53:41,080 --> 00:53:44,040
to expand because it's not going
away and and people want to use 

974
00:53:44,040 --> 00:53:46,480
it. 
I just think as everything 

975
00:53:46,640 --> 00:53:51,600
technology is light years ahead 
of, you know, laws and 

976
00:53:51,600 --> 00:53:55,240
regulations. 
So that's nothing new to anyone 

977
00:53:55,240 --> 00:53:59,440
that's there, but I think 
organizations, again, from a 

978
00:53:59,440 --> 00:54:03,160
risk perspective, and again, 
we're cyber, I'm a cyber risk 

979
00:54:03,160 --> 00:54:06,040
practitioner at heart, right? 
Everything to me always comes 

980
00:54:06,040 --> 00:54:09,320
back to risk. 
Again, you never can outsource 

981
00:54:09,320 --> 00:54:11,560
your risk. 
So no matter what you're using, 

982
00:54:11,600 --> 00:54:15,680
tool or otherwise, as a cyber 
risk practitioner, I'm always 

983
00:54:15,680 --> 00:54:19,000
going to question, OK, but how 
do you get comfort of validate 

984
00:54:19,000 --> 00:54:21,280
that what you're doing is 
appropriate? 

985
00:54:21,760 --> 00:54:25,480
And that may mean spot checks, 
that may mean that you you use 

986
00:54:25,600 --> 00:54:29,280
AI in a limited fashion over 
certain areas where the risk or 

987
00:54:29,280 --> 00:54:32,640
the impact is less in your 
environment versus others. 

988
00:54:33,120 --> 00:54:37,480
But I certainly think it will be
continued to be pulled in more 

989
00:54:37,760 --> 00:54:41,040
from a compliance perspective. 
But I think we're just they're 

990
00:54:41,040 --> 00:54:44,600
just behind and really 
evaluating how it's going to be 

991
00:54:44,600 --> 00:54:47,120
acceptable within the frameworks
as they exist today. 

992
00:54:47,440 --> 00:54:49,840
I feel like we could talk for 
hours and hours and hours on 

993
00:54:49,840 --> 00:54:51,160
this, but I don't want to do 
that to you. 

994
00:54:51,920 --> 00:54:54,720
So I think this is probably a 
good spot where we kind of start

995
00:54:54,720 --> 00:54:58,240
to wrap things up. 
I've learned a lot just in the 

996
00:54:58,240 --> 00:55:01,080
last, you know, hour or so that 
we've been talking and I think 

997
00:55:01,080 --> 00:55:02,000
there's so much more we can 
cover. 

998
00:55:02,000 --> 00:55:05,280
So hopefully we'll come back and
continue to educate us on on 

999
00:55:05,360 --> 00:55:07,640
some of the things that might be
changing in the world and things

1000
00:55:07,640 --> 00:55:08,760
that we started thinking about, 
right? 

1001
00:55:09,520 --> 00:55:11,920
It's OK to get smarter. 
I think it's that's one of the 

1002
00:55:11,920 --> 00:55:14,200
things that we should always be 
cognizant of is like, OK, 

1003
00:55:14,280 --> 00:55:16,880
hindsight's 20/20, what can we do
next time to be better? 

1004
00:55:17,360 --> 00:55:19,920
And so I think back to like 
where we started, maybe the 

1005
00:55:19,920 --> 00:55:22,920
conversation run contracts and 
legal if that language isn't 

1006
00:55:22,920 --> 00:55:26,080
there now when it's up for 
renegotiation, maybe that's a 

1007
00:55:26,080 --> 00:55:27,760
good time to start thinking 
about it, right? 

1008
00:55:27,760 --> 00:55:30,160
So there's continuous 
improvement and you know, from 

1009
00:55:30,160 --> 00:55:33,160
that standpoint. 
So let's go ahead and leave it 

1010
00:55:33,160 --> 00:55:35,240
there for right now. 
I do want to end a lighter note 

1011
00:55:35,440 --> 00:55:39,200
because we were talking and sort
of preparing for the show and 

1012
00:55:39,200 --> 00:55:44,520
you totally blew my mind with 
the concept of a pickle pop. 

1013
00:55:45,320 --> 00:55:49,480
I am not a pickle fan. 
I will go on a on a platform and

1014
00:55:49,480 --> 00:55:52,720
a hard stance, a hard opinion of
I do not like pickles. 

1015
00:55:53,080 --> 00:55:58,120
And so the idea of a pickle pop 
really, I find personally, I 

1016
00:55:58,120 --> 00:55:59,760
hate to say it, but a little bit
revolting. 

1017
00:56:00,520 --> 00:56:05,760
So tell me about a pickle pop. 
What is it, why is it, and who 

1018
00:56:05,760 --> 00:56:10,040
is it? 
The pickle popsicles are a 

1019
00:56:10,040 --> 00:56:15,280
delicious in from Jim's input, a
nutritious, apparently snack 

1020
00:56:15,520 --> 00:56:18,200
that one can enjoy any time of 
the year. 

1021
00:56:18,880 --> 00:56:24,840
No, it is really frozen pickle 
juice goodness in a popsicle. 

1022
00:56:25,600 --> 00:56:28,600
And so either on a stick or in 
like the little old school, you 

1023
00:56:28,600 --> 00:56:32,200
know, plastic little push pop 
push ups, you can get them 

1024
00:56:32,200 --> 00:56:34,400
anywhere. 
As I explained to you, they are 

1025
00:56:34,400 --> 00:56:38,280
I'm not a, you know, a 
population of one and enjoying 

1026
00:56:38,280 --> 00:56:41,080
pickle pops, but they're just 
delicious treats and you can do 

1027
00:56:41,080 --> 00:56:42,360
all kind of variations with them
out. 

1028
00:56:42,360 --> 00:56:45,000
If we didn't go this far, but 
you know, in certain areas of 

1029
00:56:45,000 --> 00:56:48,360
the South, people may put 
certain types of seasoning on 

1030
00:56:48,360 --> 00:56:52,040
top of their pickle pops. 
Tajín is one that's pretty 

1031
00:56:52,480 --> 00:56:55,160
popular, Kool-Aid or sugar 
sometimes. 

1032
00:56:55,160 --> 00:56:58,560
So you have a little bit of 
that, that sweet with that salty

1033
00:56:58,560 --> 00:57:02,640
like dill pickle bite that you 
get with that sour pickle juice.

1034
00:57:02,960 --> 00:57:04,800
It's just a refreshing kind of 
treat. 

1035
00:57:05,000 --> 00:57:06,880
I I suggest everyone should try 
one. 

1036
00:57:08,560 --> 00:57:10,560
I will try anything at least 
once. 

1037
00:57:10,560 --> 00:57:14,440
So what is if I'm going to go 
out and look for a pickle pop, 

1038
00:57:14,800 --> 00:57:16,600
what is the one? 
You're like, Jeff, I know you 

1039
00:57:16,640 --> 00:57:18,640
don't like pickles, but you've 
got to try this. 

1040
00:57:18,640 --> 00:57:21,160
Like what's the flavor or 
whatever that I should? 

1041
00:57:21,200 --> 00:57:26,520
I am very old school. 
I like the best plain dill 

1042
00:57:26,600 --> 00:57:29,600
pickle pickle pop. 
There are some zesty ones. 

1043
00:57:29,600 --> 00:57:32,160
I do kind of like a little spice
sometimes so I'll get the spicy 

1044
00:57:32,160 --> 00:57:33,440
ones. 
But since you're just getting 

1045
00:57:33,440 --> 00:57:36,040
started and you don't really 
know, you're very unsure about 

1046
00:57:36,040 --> 00:57:38,080
it, I would go. 
Be careful, I'm a newbie in the 

1047
00:57:38,080 --> 00:57:38,680
pickle 
world, yeah. 

1048
00:57:38,760 --> 00:57:40,680
I don't want to scare you. 
I don't want to do too much too 

1049
00:57:40,680 --> 00:57:42,520
soon. 
So I think you just start with 

1050
00:57:42,520 --> 00:57:46,040
the plain dill pickle pickle 
pop, OK. 

1051
00:57:46,720 --> 00:57:50,520
And usually they're green, 
they're long, you know, and they

1052
00:57:50,520 --> 00:57:53,720
have like a little pickle 
picture on top of it. 

1053
00:57:53,720 --> 00:57:55,960
It's like a pickle, like a 
pickle man with a hat or 

1054
00:57:55,960 --> 00:57:59,080
something. 
It's, it's just a, it's a, it's 

1055
00:57:59,080 --> 00:58:01,760
a delightful treat. 
I think it's a surprising treat 

1056
00:58:01,760 --> 00:58:03,760
and it gives you that salty. 
So especially if you're a 

1057
00:58:03,760 --> 00:58:06,960
savoury person, I feel like it 
gives you a little bit of that 

1058
00:58:06,960 --> 00:58:10,320
salty, but it's it's frozen. 
So it's kind of refreshing. 

1059
00:58:11,920 --> 00:58:13,120
Jim, have you ever had a pickle 
pop? 

1060
00:58:14,000 --> 00:58:17,000
I have. 
So Kia pointed out something 

1061
00:58:17,000 --> 00:58:19,720
that I said. 
They were nutritious. 

1062
00:58:19,960 --> 00:58:24,120
So I'm a baseball nut. 
And by the way, when we're 

1063
00:58:24,120 --> 00:58:26,600
recording this opening day is 
tomorrow. 

1064
00:58:26,600 --> 00:58:29,960
Shout out to my friend Arturo. 
We're going to be following. 

1065
00:58:29,960 --> 00:58:33,920
We're going to be texting, but 
it's a game that starts in 

1066
00:58:33,920 --> 00:58:36,960
spring, goes all the way through
the summer. 

1067
00:58:37,480 --> 00:58:41,880
The World Series is in October. 
End of October is very cold, but

1068
00:58:41,880 --> 00:58:47,000
there's that point in the middle
from Memorial Day to Labor Day, 

1069
00:58:47,000 --> 00:58:51,520
especially in July where you're 
out there in the sun playing 

1070
00:58:51,520 --> 00:58:54,520
baseball. 
You get dehydrated. 

1071
00:58:55,000 --> 00:58:58,920
That's what the pickle pop. 
What I thought it was invented 

1072
00:58:58,920 --> 00:59:02,160
for was getting those 
electrolytes and getting your 

1073
00:59:02,160 --> 00:59:05,360
water at the same time. 
Now I want to point something 

1074
00:59:05,360 --> 00:59:06,880
out because I'm a big pickle 
fan. 

1075
00:59:06,880 --> 00:59:14,520
I also like olives is the only 
type of pickles aren't the color

1076
00:59:14,520 --> 00:59:19,200
of Kia's background? 
You can also pickle things like 

1077
00:59:19,520 --> 00:59:25,080
garlic cloves, carrots, and my 
favorite which is pickled. 

1078
00:59:26,800 --> 00:59:28,600
What are those things called? 
Cauliflower. 

1079
00:59:28,880 --> 00:59:32,120
Pickled cauliflower is like 
heaven on earth. 

1080
00:59:32,680 --> 00:59:36,160
I don't even know what to say at
this point because I, I don't, I

1081
00:59:36,160 --> 00:59:39,600
don't, I don't, I don't know how
we can top pickle pop talk. 

1082
00:59:40,000 --> 00:59:42,840
My wife used to run marathons. 
I, I, I'm going to have to ask 

1083
00:59:42,840 --> 00:59:43,920
her about this. 
I'm like, Hey, have you heard 

1084
00:59:43,920 --> 00:59:44,840
about this? 
Because she's always been 

1085
00:59:44,840 --> 00:59:47,600
talking about like, you know, 
like she has these gels and 

1086
00:59:47,600 --> 00:59:49,440
electrolytes, right? 
And all that stuff that for 

1087
00:59:49,440 --> 00:59:52,120
endurance running and etcetera. 
But I've never heard of pickle 

1088
00:59:52,120 --> 00:59:53,360
pop. 
And now you're starting to say 

1089
00:59:53,360 --> 00:59:57,320
that there's other pickle or 
other pops like cauliflower, I 

1090
00:59:57,320 --> 01:00:00,720
mean. 
Are these just my vegetables? 

1091
01:00:01,800 --> 01:00:04,240
Yeah, I know. 
That's the most delicious other 

1092
01:00:04,240 --> 01:00:08,600
than frying broccoli, which is 
like fried broccoli is awesome. 

1093
01:00:09,160 --> 01:00:14,280
But if you pickle things, things
that you didn't like before, you

1094
01:00:14,280 --> 01:00:17,200
might like now you don't like 
pickles, so probably not. 

1095
01:00:17,200 --> 01:00:22,560
But pickle cauliflower is pretty
awesome because cauliflower is 

1096
01:00:22,560 --> 01:00:26,680
like doesn't really have much of
a flavor, so you just get the 

1097
01:00:26,680 --> 01:00:29,680
pickling flavor. 
So what I need is like a pickled

1098
01:00:29,680 --> 01:00:31,800
chocolate chip cookie. 
That's kind of what I'm looking 

1099
01:00:31,800 --> 01:00:34,440
for. 
If they make that, then I will 

1100
01:00:34,440 --> 01:00:36,960
definitely try that. 
So I'm going off the rails here 

1101
01:00:36,960 --> 01:00:39,440
at the. 
End that that is that I don't 

1102
01:00:39,440 --> 01:00:42,960
know about that one, but I I am 
a fan of olives. 

1103
01:00:42,960 --> 01:00:46,880
I'm a fan of most things that 
are pickled and I, I agree 

1104
01:00:47,160 --> 01:00:50,160
wholeheartedly with Jim's 
sentiment that you pickle 

1105
01:00:50,160 --> 01:00:53,040
something and it it almost 
automatically tastes better. 

1106
01:00:53,040 --> 01:00:56,240
I don't know, it's something 
about the process or infusing 

1107
01:00:56,240 --> 01:00:57,360
it. 
It just gives it a different 

1108
01:00:57,360 --> 01:01:01,480
kind of flavor. 
But the pickle pops, I'm sure 

1109
01:01:01,480 --> 01:01:03,080
you're going to come back and be
like, you know what? 

1110
01:01:03,080 --> 01:01:08,320
That was surprisingly tasty. 
All right, I'll give it a shot. 

1111
01:01:08,320 --> 01:01:10,720
I pulled up this. 
Will be known from here here for

1112
01:01:10,720 --> 01:01:13,320
it as the Pickle Pop episode. 
The Pickle Pop episode never 

1113
01:01:13,320 --> 01:01:14,640
covered it. 
Before I even I picked. 

1114
01:01:14,640 --> 01:01:17,400
I chose a background for you 
because of that, right? 

1115
01:01:18,040 --> 01:01:19,880
A little subliminal advertising.
I got you. 

1116
01:01:20,560 --> 01:01:22,960
Obviously. 
All right, we're going to go 

1117
01:01:22,960 --> 01:01:24,720
ahead and leave it there for 
this week. 

1118
01:01:24,720 --> 01:01:27,560
Kia, thank you so much for 
sharing the time with us. 

1119
01:01:27,920 --> 01:01:29,760
I'm sure there's so much more we
can get into, and like I said, 

1120
01:01:29,760 --> 01:01:31,560
hopefully we'll come back and 
have another conversation. 

1121
01:01:32,120 --> 01:01:34,680
I'm going to have your LinkedIn 
profile and our show notes for 

1122
01:01:34,680 --> 01:01:37,160
people to check out in case they
have questions about compliance 

1123
01:01:37,680 --> 01:01:40,720
or if they have a favorite 
pickle pop flavor that you want 

1124
01:01:40,720 --> 01:01:43,400
to try. 
Either way, yeah, let's talk 

1125
01:01:43,400 --> 01:01:45,880
about it. 
So yeah, with that, we'll go 

1126
01:01:45,880 --> 01:01:47,320
ahead and leave it for this 
week. 

1127
01:01:47,480 --> 01:01:50,360
You can find us on the web, 
idacpodcast.com. 

1128
01:01:51,040 --> 01:01:53,560
Check out our YouTube channel, 
idacpodcast.tv. 

1129
01:01:53,560 --> 01:01:55,520
We'll take it right there. 
Do all those cool fun things 

1130
01:01:55,520 --> 01:01:58,560
that helps Jim and I out. 
Get great guests like Kia on, 

1131
01:01:58,760 --> 01:02:01,280
like subscribe, share with 
friends, share with enemies, 

1132
01:02:01,280 --> 01:02:02,800
doesn't matter. 
As long as people are listening,

1133
01:02:03,240 --> 01:02:05,640
that's all we really care about.
So with that, we'll go ahead and

1134
01:02:05,640 --> 01:02:08,160
leave for this week. 
Thanks everybody for watching 

1135
01:02:08,160 --> 01:02:10,880
and or listening and we'll talk 
with you all in the next one. 

1136
01:02:13,160 --> 01:02:16,080
You've been listening to 
Identity at the Center. 

1137
01:02:16,440 --> 01:02:20,520
We hope you've enjoyed the show.
Make sure to like, rate and 

1138
01:02:20,520 --> 01:02:24,160
review, and we'll be back soon. 
But in the meantime, hit the 

1139
01:02:24,160 --> 01:02:27,560
website at 
identity@thecenter.com. 

1140
01:02:28,160 --> 01:02:32,280
See you next time on Identity at
the Center.
