WEBVTT

00:00:00.000 --> 00:00:03.140
Today on our Tech for Business podcast, Nate,

00:00:03.299 --> 00:00:06.280
our Director of Cybersecurity, and Todd, our

00:00:06.280 --> 00:00:11.240
COO and CISO, are joining us to talk about building

00:00:11.240 --> 00:00:16.239
your security culture. And so Nate, this came

00:00:16.239 --> 00:00:20.500
up in a podcast earlier. Actually, we recorded

00:00:20.500 --> 00:00:23.140
it this week, but it came up in a podcast earlier.

00:00:23.160 --> 00:00:26.260
So I would like you to explain why this topic

00:00:26.260 --> 00:00:31.019
is important. Yeah, so... What we're talking

00:00:31.019 --> 00:00:35.500
about today is really building a culture of security

00:00:35.500 --> 00:00:38.140
and why that's so important, right? So if you

00:00:38.140 --> 00:00:41.420
go listen to many of the podcasts that we've

00:00:41.420 --> 00:00:43.880
talked about in the past is like, what's the

00:00:43.880 --> 00:00:46.880
top recommendation? It's drive the culture of

00:00:46.880 --> 00:00:50.000
security, right? And because if you don't build

00:00:50.000 --> 00:00:53.619
a security culture, it will not adhere and it

00:00:53.619 --> 00:00:56.859
will not stick and you will face frustrations

00:00:56.859 --> 00:00:59.759
and resistance in the initiatives you're trying

00:00:59.759 --> 00:01:03.140
to do. So I'm sure we'll get into it a little

00:01:03.140 --> 00:01:06.700
bit deeper, but you know, it's like your executives,

00:01:06.700 --> 00:01:11.019
they expect an organization to be operational

00:01:11.019 --> 00:01:14.819
and secure. But your end users are usually the

00:01:14.819 --> 00:01:17.079
ones that will face most of that resistance.

00:01:17.219 --> 00:01:19.519
Things like, well, I don't want multi-factor.

00:01:19.579 --> 00:01:23.260
I don't want this, right? It's the inefficiencies

00:01:23.260 --> 00:01:25.939
that I have to kind of jump through the hurdles

00:01:25.939 --> 00:01:29.760
and it slows me down, while sometimes again,

00:01:30.159 --> 00:01:33.599
your business leaders, that is the expectation.

00:01:34.079 --> 00:01:39.420
And so it's okay to be slightly sometimes inefficient

00:01:39.420 --> 00:01:44.560
in the sake of the global, the broader mission

00:01:44.560 --> 00:01:49.879
essentially at place. So it oftentimes feels

00:01:49.879 --> 00:01:52.959
like there's a disconnect between the business

00:01:52.959 --> 00:01:57.000
owners and their employees when trying to approach

00:01:57.599 --> 00:02:02.140
cybersecurity. Yeah, I'd agree. In the role that

00:02:02.140 --> 00:02:04.540
I am, we help consult with a lot of organizations.

00:02:05.000 --> 00:02:08.259
And I do have the opportunity to talk to business

00:02:08.259 --> 00:02:10.539
leaders. So your C suites, your upper management,

00:02:10.780 --> 00:02:15.139
board members, et cetera. And it is often well

00:02:15.139 --> 00:02:17.340
understood that cybersecurity is a risk. It's

00:02:17.340 --> 00:02:19.039
something that wants to be handled and managed

00:02:19.039 --> 00:02:22.280
and so forth. I do find it interesting that there's

00:02:22.280 --> 00:02:25.479
so many stories that we could tell, if you will,

00:02:25.620 --> 00:02:29.389
that level of urgency does not trickle all the

00:02:29.389 --> 00:02:31.930
way into the organization. And so that kind of

00:02:31.930 --> 00:02:33.949
brings us to what we're talking about today is

00:02:33.949 --> 00:02:36.250
Why does security matter? How do you build the

00:02:36.250 --> 00:02:39.030
culture? I am assuming that there's at least

00:02:39.030 --> 00:02:41.289
somebody saying there's a need for the culture

00:02:41.289 --> 00:02:43.389
to begin with. So we'll just skip that layer and

00:02:43.389 --> 00:02:44.830
somebody has already bought in and we're going

00:02:44.830 --> 00:02:47.689
forward. But when you're looking top-down, most

00:02:47.689 --> 00:02:50.389
organizations care a lot. That's... they don't

00:02:50.389 --> 00:02:52.030
wake up in the morning going, boy, I sure hope

00:02:52.030 --> 00:02:55.770
we have a bad day today. Yeah, and there's a lot

00:02:55.770 --> 00:02:59.120
of cybersecurity professionals that obviously

00:02:59.120 --> 00:03:01.659
know this is important. So we're kind of talking

00:03:01.659 --> 00:03:04.439
to those people that this is not their day to

00:03:04.439 --> 00:03:06.560
day, this isn't what they're doing, they're kind

00:03:06.560 --> 00:03:09.919
of those non-security professionals. So Todd,

00:03:10.340 --> 00:03:13.000
when we're speaking about those, that group of

00:03:13.000 --> 00:03:15.879
people, what are some misconceptions right off

00:03:15.879 --> 00:03:20.250
the bat that they have about cybersecurity? It's

00:03:20.250 --> 00:03:22.490
funny. I literally was just listening to a podcast.

00:03:22.650 --> 00:03:24.870
It was unrelated to cybersecurity, but they were

00:03:24.870 --> 00:03:28.050
talking about just general IT architecture. And

00:03:28.050 --> 00:03:30.030
the comment came up and he said, I don't really

00:03:30.030 --> 00:03:31.849
care. That's what I have a VP of architecture

00:03:31.849 --> 00:03:34.569
for. So I'm going to make the analogy of that's

00:03:34.569 --> 00:03:36.389
what I have a cybersecurity person for. That's

00:03:36.389 --> 00:03:38.909
why I have IT. And they're just going to take

00:03:38.909 --> 00:03:41.270
care of it for me. And we've done other podcasts

00:03:41.270 --> 00:03:44.050
in the past. And I've mentioned, in my opinion,

00:03:44.210 --> 00:03:46.990
a lot of people day to day kind of go. My team's

00:03:46.990 --> 00:03:49.710
taking care of me. I know there's phishing, and

00:03:49.710 --> 00:03:51.449
I know there's this and that, and they've made

00:03:51.449 --> 00:03:53.330
me paranoid because of the phishing simulations

00:03:53.330 --> 00:03:55.370
and all that. I said, I don't need to worry about

00:03:55.370 --> 00:03:58.639
it. I took my training or I didn't because there's

00:03:58.639 --> 00:04:00.300
plenty of organizations out there where we've

00:04:00.300 --> 00:04:02.219
got people that are tardy on completing their

00:04:02.219 --> 00:04:04.520
cybersecurity training for the month. The reality

00:04:04.520 --> 00:04:06.500
is, is somebody's taking care of it for me. I

00:04:06.500 --> 00:04:08.180
don't need to worry about it. And I think that

00:04:08.180 --> 00:04:10.939
perpetuates through organizations. And it's a

00:04:10.939 --> 00:04:14.120
little unfortunate as I was looking at my agenda

00:04:14.120 --> 00:04:16.240
for today and I saw this podcast was on there.

00:04:16.339 --> 00:04:19.740
I was reflecting on CIT and I'm going, I'm extremely

00:04:19.740 --> 00:04:23.060
lucky we're in the business that we are because

00:04:23.060 --> 00:04:26.860
our team cares. And maybe it's not 100% adoption

00:04:26.860 --> 00:04:28.300
throughout the rest of the organization. But

00:04:28.300 --> 00:04:30.019
when it comes to the culture of cybersecurity,

00:04:30.579 --> 00:04:32.759
we talk about it in leadership meetings. We talk

00:04:32.759 --> 00:04:35.480
about it in the lower breakout meetings. It comes

00:04:35.480 --> 00:04:38.579
up all the time. And again, when I say we're

00:04:38.579 --> 00:04:41.139
lucky for being in the industry, we see it. We

00:04:41.139 --> 00:04:43.500
see our customer base struggle with it. And we're

00:04:43.500 --> 00:04:46.000
like, boy, that stinks. We hate that for them.

00:04:46.279 --> 00:04:48.819
And so we kind of have internalized that for

00:04:48.819 --> 00:04:50.819
ourselves and do the right thing, if you will.

00:04:51.480 --> 00:04:54.410
Yeah, I'm curious. And maybe we don't know the

00:04:54.410 --> 00:04:57.209
answer, because CIT has been around for a while.

00:04:57.329 --> 00:05:00.589
But was it always like that? Or was that kind

00:05:00.589 --> 00:05:04.189
of a culture you had to grow into or get to?

00:05:04.750 --> 00:05:06.149
We'd say we had to grow into it. So I joined

00:05:06.149 --> 00:05:09.129
the organization nine years ago. And at that

00:05:09.129 --> 00:05:11.689
time, we really didn't have a security program.

00:05:11.829 --> 00:05:13.910
We offered a couple of things that were kind

00:05:13.910 --> 00:05:15.629
of like that. So we did some trainings, and we

00:05:15.629 --> 00:05:16.990
did some phishing. So it was pretty lightweight,

00:05:17.550 --> 00:05:20.240
though. That time, we were kind of looking at

00:05:20.240 --> 00:05:21.720
the world going I think this is going to get

00:05:21.720 --> 00:05:24.000
kind of bad and it's gotten significantly worse

00:05:24.000 --> 00:05:26.120
than I would have ever imagined unfortunately.

00:05:26.579 --> 00:05:29.560
So the answer is we did have to build that and

00:05:29.560 --> 00:05:32.439
Nate joined shortly after I did and one of the

00:05:32.439 --> 00:05:34.259
things that we kind of started to do almost right

00:05:34.259 --> 00:05:36.899
away was again we were looking at our customer

00:05:36.899 --> 00:05:40.259
base and we're going this sucks and maybe I shouldn't

00:05:40.259 --> 00:05:43.769
say suck but I did. This is bad, right? We hate

00:05:43.769 --> 00:05:45.370
this and we don't want to see this anymore. And

00:05:45.370 --> 00:05:47.430
so we got super proactive. And as we started

00:05:47.430 --> 00:05:49.970
getting more and more proactive, we were internalizing

00:05:49.970 --> 00:05:52.050
it, right? So almost everything we do, we tend

00:05:52.050 --> 00:05:54.769
to test on ourselves first. Like, does this work?

00:05:54.870 --> 00:05:57.550
Is this good? Et cetera. And because we did that,

00:05:57.550 --> 00:05:59.529
we started to build what was going on. But like

00:05:59.529 --> 00:06:01.670
I said, I think the biggest tipping point for

00:06:01.670 --> 00:06:04.550
us was so many of the individuals inside the

00:06:04.550 --> 00:06:06.850
organization see what's happening around us.

00:06:06.850 --> 00:06:08.750
And it just makes it a little bit easier for

00:06:08.750 --> 00:06:11.870
us to push the culture forward. Yeah, I totally

00:06:11.870 --> 00:06:16.129
agree. CIT has really been what we, I mean, we

00:06:16.129 --> 00:06:18.230
have to, we had to change our own internal culture

00:06:18.230 --> 00:06:20.910
along the way, right? And, and to Todd's point

00:06:20.910 --> 00:06:22.689
is we looked at our customers and everything

00:06:22.689 --> 00:06:25.990
like that. Oh, for lack of better terms right

00:06:25.990 --> 00:06:28.509
now, I'll use the same thing. Todd got called

00:06:28.509 --> 00:06:33.810
out for saying, oh crap, but is that boiled frog

00:06:33.810 --> 00:06:37.250
approach or turning up the heat, right? Is here

00:06:37.250 --> 00:06:41.199
at CIT, right? So most organizations, however

00:06:41.199 --> 00:06:44.420
long ago, you typically didn't require multi-factor

00:06:44.420 --> 00:06:48.199
inside of your office, right? We still see customers

00:06:48.199 --> 00:06:50.480
try and do that today, say, well, it's just inside

00:06:50.480 --> 00:06:52.899
the office. Why do I need multi-factor, right?

00:06:52.899 --> 00:06:55.980
Maybe outside of my walls, I need multi-factor

00:06:55.980 --> 00:06:59.199
and we know that there's token theft and all

00:06:59.199 --> 00:07:00.899
of this type of stuff that happens no matter

00:07:00.899 --> 00:07:04.899
where you're sitting, right? And so I remember

00:07:04.899 --> 00:07:08.790
here at CIT we didn't have multi-factor internally.

00:07:08.949 --> 00:07:11.009
It was only externally at the time. And then

00:07:11.009 --> 00:07:14.529
I was like, well, hold on. I disagree with that.

00:07:14.569 --> 00:07:16.990
Let's put it internally as well. And there was

00:07:16.990 --> 00:07:19.310
resistance even on that at the time, right? And

00:07:19.310 --> 00:07:21.670
so I had to do some creative stuff of like, well,

00:07:21.670 --> 00:07:24.509
hold on. We'll do not the password. We'll do

00:07:24.509 --> 00:07:27.769
just the multi-factor push and kind of getting

00:07:27.769 --> 00:07:30.810
to that passwordless feel. And that was like

00:07:30.810 --> 00:07:34.709
in seven, six or seven years ago or so when we

00:07:34.709 --> 00:07:37.610
started down that I want to be passwordless,

00:07:37.610 --> 00:07:40.649
you know, feel here at CIT. And so it was some

00:07:40.649 --> 00:07:45.069
of that creative approaching, you know, to be

00:07:45.069 --> 00:07:47.730
able to continue to drive it forward. And then

00:07:47.730 --> 00:07:49.930
it was, well, hold on. Now I'm going to start

00:07:49.930 --> 00:07:52.310
challenging the frequency of it. Now I'm going

00:07:52.310 --> 00:07:54.730
to start, you know, maybe looking at the device

00:07:54.730 --> 00:07:57.959
that you're looking on, looking at again. We

00:07:57.959 --> 00:07:59.959
have podcasts in the past about you know zero

00:07:59.959 --> 00:08:03.459
trust and the maturity models of continuous evaluation.

00:08:03.459 --> 00:08:06.779
But so I'm making changes on the back end to

00:08:06.779 --> 00:08:09.899
increase the security ever so slightly and maybe

00:08:09.899 --> 00:08:12.519
every month or two I'll turn something up or

00:08:12.519 --> 00:08:16.240
maybe every quarter, you know. But if you slowly

00:08:16.240 --> 00:08:19.639
turn it up it starts to become the norm and if

00:08:19.639 --> 00:08:22.579
you do it slow enough and strategic enough people

00:08:22.579 --> 00:08:25.240
don't really ever notice the big changes and

00:08:25.240 --> 00:08:31.189
then I do want to come back to one of the misconceptions

00:08:31.189 --> 00:08:34.429
because I do believe it aligns with this conversation

00:08:34.429 --> 00:08:39.830
is security is only there to become more complicated

00:08:39.830 --> 00:08:43.450
and slow me down. With the journey of things

00:08:43.450 --> 00:08:47.330
like single sign-on and passwordless, the reason

00:08:47.330 --> 00:08:51.950
why I love identity so much is that it is taking

00:08:51.950 --> 00:08:56.120
security increasing its effectiveness while also

00:08:56.120 --> 00:08:59.500
reducing the complexity and the resistance of

00:08:59.500 --> 00:09:03.460
the end user, right? Hey, if I just take, I think

00:09:03.460 --> 00:09:07.279
I have one on me, if I just take my YubiKey or

00:09:07.279 --> 00:09:11.220
my fingerprint or my face or anything like that,

00:09:11.440 --> 00:09:14.139
and I just touch the fingerprint sensor, I'm

00:09:14.139 --> 00:09:17.399
logged in. So it's super easy to get into myself.

00:09:17.759 --> 00:09:19.960
And now I can get into all my different applications

00:09:19.960 --> 00:09:22.230
because they're all interconnected. With single

00:09:22.230 --> 00:09:26.269
sign-on, we are able to evaluate that in a very,

00:09:26.269 --> 00:09:29.409
very strong security posture. But to the end

00:09:29.409 --> 00:09:32.049
user, I'm logged into my computer, logged into

00:09:32.049 --> 00:09:35.429
my systems within 10 seconds based off of just

00:09:35.429 --> 00:09:37.950
who I am and the device I'm coming from. Right.

00:09:37.970 --> 00:09:40.669
So that is, I think, a big misconception is security

00:09:40.669 --> 00:09:44.769
is only there to make your life harder. Definitely.

00:09:45.370 --> 00:09:48.590
So if we're talking to the people, I mean, the

00:09:48.590 --> 00:09:51.899
slow rollout is a good idea. But if we're talking

00:09:51.899 --> 00:09:54.220
to people who don't have control over that and

00:09:54.220 --> 00:09:57.500
we still want to kind of empower them, how do

00:09:57.500 --> 00:10:00.600
we take someone who is not the cybersecurity

00:10:00.600 --> 00:10:05.879
professional and allow them to still be like

00:10:05.879 --> 00:10:10.899
a leader in the culture of the business around

00:10:10.899 --> 00:10:13.700
this topic that they don't know a lot about?

00:10:14.120 --> 00:10:16.620
Yeah, it's a really good question. I am a little

00:10:16.620 --> 00:10:18.779
concerned that Nate tipped our cards and told

00:10:18.779 --> 00:10:21.480
everybody how we're doing this. They're getting

00:10:21.480 --> 00:10:24.200
noticed now. None of our employees look into

00:10:24.200 --> 00:10:27.240
this. This is just where Todd and I ran. I will,

00:10:27.259 --> 00:10:30.799
just for clarity's sake, I will say that we do

00:10:30.799 --> 00:10:33.120
make some rather things that may be a little

00:10:33.120 --> 00:10:35.059
uncomfortable. I'll use an analogy that way.

00:10:35.139 --> 00:10:37.120
When we did cybersecurity phishing simulations,

00:10:37.539 --> 00:10:40.139
when I first started, we rarely did them. I think

00:10:40.139 --> 00:10:41.600
it was like once a year, and then we moved them

00:10:41.600 --> 00:10:43.139
to quarterly, and then we moved them to monthly.

00:10:43.500 --> 00:10:44.980
And we got to a point where we were doing them

00:10:44.980 --> 00:10:47.259
every single week. We don't do that anymore.

00:10:47.500 --> 00:10:50.139
We've got the culture we're looking for. We've

00:10:50.139 --> 00:10:52.120
got the behavior set the way we want. And so

00:10:52.120 --> 00:10:54.039
we've backed it off. So that does happen too.

00:10:54.419 --> 00:10:55.720
And that's kind of where Nate was going with

00:10:55.720 --> 00:10:57.940
is eventually you'll get to a point where it's

00:10:57.940 --> 00:10:59.960
not completely in your face. We aren't here to

00:10:59.960 --> 00:11:01.279
make your lives miserable. We're just trying

00:11:01.279 --> 00:11:03.659
to get to the behavior we're looking for. So

00:11:03.659 --> 00:11:06.139
the reason, well, I guess there is no reason

00:11:06.139 --> 00:11:09.080
that I want to throw in there. Anyways, going

00:11:09.080 --> 00:11:11.659
back to the... How do you get other people in

00:11:11.659 --> 00:11:14.600
it? I think I would go back to the culture in

00:11:14.600 --> 00:11:16.539
general, how that typically works. And in most

00:11:16.539 --> 00:11:18.639
culture changes, it is kind of a leadership thing.

00:11:18.740 --> 00:11:21.620
And so to me, that is not just cybersecurity.

00:11:21.860 --> 00:11:24.139
It's not cybersecurity team. It's not cybersecurity

00:11:24.139 --> 00:11:26.600
leadership. It's the leadership of the organization.

00:11:27.639 --> 00:11:29.299
And usually, as you're working through these

00:11:29.299 --> 00:11:30.940
kinds of things, this is going to be some pretty

00:11:30.940 --> 00:11:32.840
broad strokes. But you're usually looking for

00:11:32.840 --> 00:11:35.759
those early adopters of who are the people that

00:11:35.759 --> 00:11:38.059
can quickly grasp what I'm going for, why we're

00:11:38.059 --> 00:11:40.980
doing it, and then help start to matriculate

00:11:40.980 --> 00:11:43.360
that through the rest of the organization. And

00:11:43.360 --> 00:11:46.279
that's typically how it starts. But when you're

00:11:46.279 --> 00:11:48.240
a non-technical leader, what that means to me

00:11:48.240 --> 00:11:50.860
is it's listening, understanding that the security

00:11:50.860 --> 00:11:54.080
team is not trying to make your or your employee's

00:11:54.080 --> 00:11:56.379
life miserable. It's there to help mitigate the

00:11:56.379 --> 00:11:58.240
risks that are associated with various types

00:11:58.240 --> 00:12:01.399
of security events and organizations. And so

00:12:01.399 --> 00:12:03.620
working with them to understand what's going

00:12:03.620 --> 00:12:07.559
on. And in case you don't know this, your security

00:12:07.559 --> 00:12:09.519
leaders do care about what's going on inside

00:12:09.519 --> 00:12:12.220
of the organization. So if we've made a security

00:12:12.220 --> 00:12:15.580
control that is overly complicated or creates

00:12:15.580 --> 00:12:17.539
too much friction, we do want to hear about it.

00:12:17.820 --> 00:12:19.960
There are almost always ways that we can make

00:12:19.960 --> 00:12:23.169
that less friction-based, if you will, or we

00:12:23.169 --> 00:12:25.309
can find some additional compensating controls

00:12:25.309 --> 00:12:27.429
to get to where we want to go that aren't quite

00:12:27.429 --> 00:12:29.549
so in-your-face. That would be my first place

00:12:29.549 --> 00:12:31.610
to start, is just working with and understanding

00:12:31.610 --> 00:12:34.190
and communicating back to your security team

00:12:34.190 --> 00:12:36.409
and leaders on what you're seeing and feeling.

00:12:37.529 --> 00:12:41.710
You know, the thing I'd also say is, if you are

00:12:41.710 --> 00:12:43.870
concerned about some of the security controls,

00:12:44.110 --> 00:12:46.309
or, you know, I'll pick on an employee, he's

00:12:46.309 --> 00:12:48.549
retired now, so he's probably not listening to

00:12:48.549 --> 00:12:52.669
this, is... There was an individual here at CIT

00:12:52.669 --> 00:12:55.429
that for a little bit him and I were oil and

00:12:55.429 --> 00:13:00.570
water. It was I was trying to improve the security

00:13:00.570 --> 00:13:03.529
posture of the organization and he was vehemently

00:13:03.529 --> 00:13:06.490
opposed to many much of that because it slowed

00:13:06.490 --> 00:13:16.509
him down, and as a... How the relationship was restored

00:13:16.509 --> 00:13:20.149
and turned into a strong collaboration when it

00:13:20.149 --> 00:13:23.470
came to security was every time that I would

00:13:23.470 --> 00:13:27.309
do something and it impacted any of his daily

00:13:27.309 --> 00:13:30.490
flow I would get a complaint about that right

00:13:30.490 --> 00:13:32.769
or a concern maybe complaint is not the best

00:13:32.769 --> 00:13:35.110
because that this is approaching me from I think

00:13:35.110 --> 00:13:37.710
it's a complaint don't work through it and we

00:13:37.710 --> 00:13:42.309
talked with each other right and eventually it

00:13:42.309 --> 00:13:44.970
got to the point of I think that thing that clicked

00:13:44.970 --> 00:13:49.600
was I started calling him my bug bounty finder

00:13:49.600 --> 00:13:53.019
right or am I my my bug tester is when I screwed

00:13:53.019 --> 00:13:55.639
up, he would tell me about it, and then we'd start

00:13:55.639 --> 00:13:57.980
working together and it all of a sudden it became

00:13:57.980 --> 00:14:01.460
one of these things of like, hey, can I use you

00:14:01.460 --> 00:14:04.379
first to test instead of you know him wanting

00:14:04.379 --> 00:14:07.460
to be the last one? Was let me test with you

00:14:07.460 --> 00:14:09.659
first. We'll figure it out, make sure it works

00:14:09.659 --> 00:14:12.600
successfully and then we'll roll it out and he

00:14:12.600 --> 00:14:15.820
loved that he wanted to be engaged in the process

00:14:15.820 --> 00:14:19.320
and so if you are one of those individuals that

00:14:19.320 --> 00:14:23.899
is very resistant to security, try and get involved,

00:14:24.120 --> 00:14:26.500
right? You know, voice those concerns. Say, hey,

00:14:26.519 --> 00:14:28.480
there's other considerations that you should

00:14:28.480 --> 00:14:33.500
put into the plan. They may not always be widely

00:14:33.500 --> 00:14:36.740
adopted, right? But at least you are part of

00:14:36.740 --> 00:14:39.240
that process. So I think that's something really,

00:14:39.240 --> 00:14:41.740
really critical for those that are opposed to

00:14:41.740 --> 00:14:44.240
security, right? And then I think there's another

00:14:44.240 --> 00:14:47.529
layer in here is there's the IT leaders that

00:14:47.529 --> 00:14:49.950
want to drive security, but aren't getting the

00:14:49.950 --> 00:14:52.529
executive buy-in from the business for some

00:14:52.529 --> 00:14:55.070
reason or another. I think that's another layer

00:14:55.070 --> 00:14:57.929
that we often see because they'll say, hey, we

00:14:57.929 --> 00:14:59.730
need to go implement the security control, but

00:14:59.730 --> 00:15:03.870
they can't relate why that is. Right. So there's

00:15:03.870 --> 00:15:06.490
a whole topic about that as well as how do you

00:15:06.490 --> 00:15:10.429
translate business need to tech need and security

00:15:10.429 --> 00:15:12.889
and risk. So we could have a whole podcast on

00:15:12.889 --> 00:15:16.470
that, but I think there's a little bit of a sometimes

00:15:16.470 --> 00:15:20.590
driving that security to non tech leaders right

00:15:20.590 --> 00:15:24.330
you know and so kind of bridging each gap along

00:15:24.330 --> 00:15:28.149
the way. Yeah, you know, I think kind of just condensing

00:15:28.149 --> 00:15:30.549
what we both said is I think what we're trying

00:15:30.549 --> 00:15:32.909
to get at from from being the security leaders

00:15:32.909 --> 00:15:35.090
and how we work with non IT leader I'm sorry

00:15:35.090 --> 00:15:37.899
my 90 year security leaders is we're looking

00:15:37.899 --> 00:15:40.580
for advocates to work with us. And there is a

00:15:40.580 --> 00:15:42.240
bit of understanding that, again, what we're

00:15:42.240 --> 00:15:44.600
trying to do is find ways that we're helping

00:15:44.600 --> 00:15:46.799
the operation of the business. We're trying to

00:15:46.799 --> 00:15:48.980
make sure there isn't disruptions and losses,

00:15:49.639 --> 00:15:51.559
reputational damages, all those risks that are

00:15:51.559 --> 00:15:53.779
associated with businesses. And so we're looking

00:15:53.779 --> 00:15:56.019
for advocates to work with us on them and partner

00:15:56.019 --> 00:15:59.389
with us to get through it. Ultimately, as Lee

00:15:59.389 --> 00:16:01.509
had a great example for us, what he was talking

00:16:01.509 --> 00:16:03.590
about is he created an environment that was very

00:16:03.590 --> 00:16:05.409
safe for this individual to give them feedback

00:16:05.409 --> 00:16:07.990
and escalate and saying, here's what I'm experiencing,

00:16:08.070 --> 00:16:10.070
how can we work through that? And those are great

00:16:10.070 --> 00:16:12.429
examples of how we can kind of continue to move

00:16:12.429 --> 00:16:15.409
forward and move the culture to the rest of the

00:16:15.409 --> 00:16:18.549
organization. Yeah, I wanted to touch a little

00:16:18.549 --> 00:16:20.490
bit, and I think it fits into what we're talking

00:16:20.490 --> 00:16:23.809
about right now is there's, we've talked about

00:16:23.809 --> 00:16:27.370
having this maturity model in other things, and

00:16:27.370 --> 00:16:32.250
I think it applies to this culture as well. How

00:16:32.250 --> 00:16:37.090
can you transition from on that scale of just

00:16:37.090 --> 00:16:40.490
having a company that complies because you have

00:16:40.490 --> 00:16:43.990
to and a company in a culture that's actually

00:16:43.990 --> 00:16:46.870
committed? I mean, what does that transition

00:16:46.870 --> 00:16:50.309
look like? Can you see it even happen? What's

00:16:50.309 --> 00:16:53.429
the difference between the two? What's that like?

00:16:54.070 --> 00:16:57.559
It's a big question. There's the big question

00:16:57.559 --> 00:17:01.039
and my mind instantly goes to that has to be

00:17:01.039 --> 00:17:05.779
driven from the business side so the reason why

00:17:05.779 --> 00:17:10.099
I say that and I just had conversations on both

00:17:10.099 --> 00:17:14.099
ends of the spectrum is I want zero downtime

00:17:14.099 --> 00:17:17.519
basically with however much money it takes to

00:17:17.519 --> 00:17:21.000
do, right? And so we can get you there. It's

00:17:21.000 --> 00:17:22.950
gonna cost you a lot of money, right? And then

00:17:22.950 --> 00:17:25.529
I've had conversations earlier, you know, even

00:17:25.529 --> 00:17:29.569
this week about, Hey, I just signed up for three

00:17:29.569 --> 00:17:33.150
years on my current antivirus. I just had ransomware

00:17:33.150 --> 00:17:37.089
and I don't want to implement any of the new

00:17:37.089 --> 00:17:39.609
security controls I would replace and, you know,

00:17:40.150 --> 00:17:42.069
improve the security posture of our organization

00:17:42.069 --> 00:17:45.289
because I'm tied to this three year contract

00:17:45.289 --> 00:17:47.789
that I just signed with this other vendor that,

00:17:47.829 --> 00:17:50.109
you know, it really wasn't that big of a contract,

00:17:50.230 --> 00:17:55.670
but I'm going to put pause on my entire business,

00:17:55.890 --> 00:17:58.849
you know, and improving the security of it because

00:17:58.849 --> 00:18:01.470
I don't want to really deal with it and I am

00:18:01.470 --> 00:18:04.869
tied to my decision that I made, maybe a little

00:18:04.869 --> 00:18:09.250
prematurely. So if the business on both ends

00:18:09.250 --> 00:18:14.589
says we need to drive security, you will drive

00:18:14.589 --> 00:18:17.650
security and move away from the compliance to

00:18:17.650 --> 00:18:22.180
secure, right? If the business says I don't want

00:18:22.180 --> 00:18:25.519
to deal with that. And my risk appetite is massive.

00:18:26.420 --> 00:18:28.339
That's the way that the business wants to operate,

00:18:28.539 --> 00:18:30.799
right? They are willing to accept whatever those

00:18:30.799 --> 00:18:36.500
risks are, compliance or not. My answer is...

00:18:36.599 --> 00:18:39.579
I would say the organizations that adopt the

00:18:39.579 --> 00:18:42.160
security fastest are the ones that do have compliance

00:18:42.160 --> 00:18:44.660
requirements. They just do, right? It's not optional.

00:18:44.660 --> 00:18:48.059
They have to come along the way. And most organizations

00:18:48.059 --> 00:18:50.359
have at least some level of that due to the fact

00:18:50.359 --> 00:18:52.480
that most are trying to get cybersecurity insurance.

00:18:52.940 --> 00:18:55.299
And cybersecurity insurance dictates you must

00:18:55.299 --> 00:18:59.279
do X, Y, and Z. However, if an organization is

00:18:59.279 --> 00:19:01.440
committed, like Nate said, it typically starts

00:19:01.440 --> 00:19:04.039
at the top, and you usually will hear extremely

00:19:04.559 --> 00:19:07.140
strong lane that comes and matches with core

00:19:07.140 --> 00:19:09.700
values and that type of stuff. So it's very strategic

00:19:09.700 --> 00:19:12.559
of this is who we are. This is how we behave.

00:19:12.859 --> 00:19:16.200
This is our expectations. Had touched on an item

00:19:16.200 --> 00:19:19.160
that made me go back in my way back machine in

00:19:19.160 --> 00:19:21.799
my mind of we were making changes at one of the

00:19:21.799 --> 00:19:23.920
other organizations I worked at. And as we started

00:19:23.920 --> 00:19:26.619
this, the feedback that came back from the leader

00:19:26.619 --> 00:19:30.160
was understand that culture changes more often

00:19:30.160 --> 00:19:33.150
than not. It's a multi-year process. And it

00:19:33.150 --> 00:19:35.650
usually takes a couple of months, somewhere in

00:19:35.650 --> 00:19:39.049
that 6 to 12 month range before the organization

00:19:39.049 --> 00:19:42.130
starts to feel that change. So it's long, and

00:19:42.130 --> 00:19:43.910
it takes a long time. So you can't just go, hey,

00:19:44.029 --> 00:19:46.210
I did training once, and bang, we're there. It's

00:19:46.210 --> 00:19:48.990
not like that, unfortunately. It's long. You

00:19:48.990 --> 00:19:50.829
got to keep working at it. You got to keep pushing

00:19:50.829 --> 00:19:53.269
on it. There's a flywheel analogy, if anybody

00:19:53.269 --> 00:19:56.720
has ever... read the hedgehog concept that those

00:19:56.720 --> 00:19:58.279
are kinds of things and you do it over and over

00:19:58.279 --> 00:20:00.200
and over again, get super good at one thing and

00:20:00.200 --> 00:20:02.259
then you'll eventually get the flywheel to continue

00:20:02.259 --> 00:20:05.200
to move on its own. Typically how you start to

00:20:05.200 --> 00:20:08.319
transition from compliance to committed, I am

00:20:08.319 --> 00:20:11.019
definitely in and it's typically the leaders,

00:20:11.619 --> 00:20:13.660
I'll say beaters that make that change happen.

00:20:14.759 --> 00:20:17.759
It warms my heart when internally someone that's

00:20:17.759 --> 00:20:20.180
in a non-compliance role says, well then I have

00:20:20.180 --> 00:20:22.200
to create a tick and track that for our SOC 2

00:20:22.200 --> 00:20:27.539
compliance, right? Yes. You sure do. You understand

00:20:27.539 --> 00:20:31.420
the assignment. That's so great. Well, you know,

00:20:31.420 --> 00:20:33.900
that kind of leads me in my next part and getting

00:20:33.900 --> 00:20:37.119
back to kind of practical steps for those non-IT

00:20:37.119 --> 00:20:43.279
people in the, I mean, what can they do that's

00:20:43.279 --> 00:20:46.779
really helpful and really practical to support

00:20:46.779 --> 00:20:49.430
what you guys are doing within the business,

00:20:49.730 --> 00:20:51.950
you know? You say you're looking for advocates.

00:20:52.170 --> 00:20:55.910
Okay, I'm here. But what do I do? Yeah, I think

00:20:55.910 --> 00:20:58.630
what Nate just highlighted is incredibly powerful.

00:20:58.690 --> 00:21:00.789
So as an organization, in theory, we don't have

00:21:00.789 --> 00:21:03.049
a compliance requirement. We do. We're part of

00:21:03.049 --> 00:21:05.410
the supply chain. So we want to make sure that

00:21:05.410 --> 00:21:07.250
we're doing that. So we are compliant for those

00:21:07.250 --> 00:21:09.490
reasons. But when we started, that was not the

00:21:09.490 --> 00:21:11.849
case. We did it because we thought it was the

00:21:11.849 --> 00:21:15.190
right thing. But as we're talking about culture

00:21:15.190 --> 00:21:17.490
shift, I'll just use the example that Nate just

00:21:17.490 --> 00:21:19.509
did of someone saying, hey, well, because we

00:21:19.509 --> 00:21:22.529
have this requirement on our end for our SOC

00:21:22.529 --> 00:21:25.309
2, Type 2 compliance, we have to do X, Y, and

00:21:25.309 --> 00:21:28.470
Z. And his example is an employee did something.

00:21:28.569 --> 00:21:30.990
As you're starting this out and you're trying

00:21:30.990 --> 00:21:33.410
to get some traction on it, if your organization

00:21:33.410 --> 00:21:35.829
has some sort of incentive program, that's a

00:21:35.829 --> 00:21:37.970
behavior that you reinforce, right? That's a

00:21:37.970 --> 00:21:40.369
bang, here's a thank you for doing that, whether

00:21:40.369 --> 00:21:43.680
it's a $20 gift card, five bucks, a cup of coffee,

00:21:43.720 --> 00:21:46.279
whatever it is that makes sense for your organization

00:21:46.279 --> 00:21:48.480
and it drives behavior change. Those are the

00:21:48.480 --> 00:21:50.279
things you want to focus on. And that's an easy

00:21:50.279 --> 00:21:52.619
start. I kind of touched on a handful of other

00:21:52.619 --> 00:21:54.460
things too, right, is listening and feedback.

00:21:54.660 --> 00:21:57.640
But to me, the rubber hits the road stuff as

00:21:57.640 --> 00:22:00.480
you're really pushing it down. Every leader has

00:22:00.480 --> 00:22:03.119
the capability of reinforcing the behaviors they're

00:22:03.119 --> 00:22:06.660
looking for. Yeah, I think public recognition

00:22:06.660 --> 00:22:09.920
is a big one as well, right? It is one of the

00:22:09.920 --> 00:22:13.279
things that we do here at CIT. recognition wall,

00:22:13.420 --> 00:22:15.980
we do monthly summaries of those and you know

00:22:15.980 --> 00:22:18.400
even on our all company you know like quarterly

00:22:18.400 --> 00:22:21.279
updates and everything like that those get shared

00:22:21.279 --> 00:22:24.660
out as thank you for whatever it is right this

00:22:24.660 --> 00:22:27.440
is outside of your current job duties or you

00:22:27.440 --> 00:22:31.640
know but you took the initiative to drive CIT

00:22:31.640 --> 00:22:36.700
forward one step right and so if it is the hey

00:22:36.700 --> 00:22:39.920
you know I noticed that there's possibly a risk

00:22:39.920 --> 00:22:43.420
in the way that I am doing my job, who do I talk

00:22:43.420 --> 00:22:47.099
to about that, right? And then as a leader, if

00:22:47.099 --> 00:22:50.079
one of your employees brings that to you, make

00:22:50.079 --> 00:22:52.440
sure it's well known, right? In your next, you

00:22:52.440 --> 00:22:55.680
know, company meeting or your leadership meeting

00:22:55.680 --> 00:22:57.720
or whatever it looks like, just, hey, I just

00:22:57.720 --> 00:23:01.119
wanted to give kudos to Sally Sue in accounting

00:23:01.119 --> 00:23:03.960
because she identified something that was a risk

00:23:03.960 --> 00:23:06.519
to the business and wanted to bring it to our

00:23:06.519 --> 00:23:09.099
attention, right? Make sure those things are

00:23:09.099 --> 00:23:13.359
well known. Recognize your employees. Yeah. I'm

00:23:13.359 --> 00:23:16.200
also thinking, you know, we've touched on a lot

00:23:16.200 --> 00:23:18.859
of different types of people and businesses.

00:23:19.319 --> 00:23:23.299
What about companies we work with that are outsourcing

00:23:23.299 --> 00:23:26.519
these services? So you don't have a dedicated,

00:23:27.039 --> 00:23:30.440
their everyday person doing these things. Does

00:23:30.440 --> 00:23:33.740
that change how they approach security and culture?

00:23:34.009 --> 00:23:36.009
Does it make it better because they've got an

00:23:36.009 --> 00:23:38.829
outside person yelling at them? What is that

00:23:38.829 --> 00:23:41.769
like for you guys when you're working with companies?

00:23:42.589 --> 00:23:44.650
Just to be clear, I'm not the one that would

00:23:44.650 --> 00:23:50.210
be yelling at you. We do escalate, but we do

00:23:50.210 --> 00:23:55.849
it very politely. I strongly recommend. No, I

00:23:55.849 --> 00:23:58.990
mean, really, I don't think it's much different,

00:23:59.369 --> 00:24:04.559
right? You may have a third party like CIT driving

00:24:04.559 --> 00:24:07.720
the tools, driving the recommendations, but building

00:24:07.720 --> 00:24:11.059
the culture's relatively the same, right? Here

00:24:11.059 --> 00:24:14.259
at CIT, again, we can strongly recommend things

00:24:14.259 --> 00:24:16.859
and start working with the business owners on

00:24:16.859 --> 00:24:20.400
stuff like that, but every organization we work

00:24:20.400 --> 00:24:24.660
with has a different culture. Some of them, security

00:24:24.660 --> 00:24:27.220
is sometimes a friction point, right? And we

00:24:27.220 --> 00:24:29.640
have to try and work and solve around some of

00:24:29.640 --> 00:24:32.319
those challenges, or sometimes it is. We got

00:24:32.319 --> 00:24:35.519
to back tools off a little bit in order to make

00:24:35.519 --> 00:24:37.900
sure that the business is operational, right?

00:24:38.000 --> 00:24:41.000
But that goes back to the risk appetite and the

00:24:41.000 --> 00:24:43.859
culture that's been driven internally in those

00:24:43.859 --> 00:24:47.000
organizations. So I don't think it's wildly different

00:24:47.000 --> 00:24:50.680
who is managing the security. Sometimes it's

00:24:50.680 --> 00:24:52.859
easier when it's outsourced because now you're

00:24:52.859 --> 00:24:55.039
contractually obligated to keep it around where

00:24:55.039 --> 00:24:57.960
sometimes internal it's just I heard too many

00:24:57.960 --> 00:25:00.690
complaints and it's getting ripped out. Yeah,

00:25:00.690 --> 00:25:02.549
it's interesting. I feel like I could have thrown

00:25:02.549 --> 00:25:05.390
in my phrase, but I'll find a different way to

00:25:05.390 --> 00:25:08.529
go about it this week. We don't have a ton of

00:25:08.529 --> 00:25:11.589
transparency into organizations, so how the adoption

00:25:11.589 --> 00:25:14.950
of the tools is received isn't always directly

00:25:14.950 --> 00:25:18.470
fed back to us. But what we do as our approach

00:25:18.470 --> 00:25:21.190
is we tend to, I always use the analogy, it's

00:25:21.190 --> 00:25:24.210
just included. So we go out of our way to just

00:25:24.210 --> 00:25:26.529
include the core things that we think you absolutely

00:25:26.529 --> 00:25:28.349
have to have, and we're just going to start doing

00:25:28.349 --> 00:25:31.230
those. As we start to do this, this is getting

00:25:31.230 --> 00:25:35.230
back to Nate's example very early, when we start

00:25:35.230 --> 00:25:37.190
doing cybersecurity trainings, they tend to be

00:25:37.190 --> 00:25:39.410
pretty easy. Phishing simulations tend to be

00:25:39.410 --> 00:25:42.269
pretty easy. And then as we start to continue

00:25:42.269 --> 00:25:44.230
to mature with an organization, things start

00:25:44.230 --> 00:25:47.150
to get a lot more complicated and harder to recognize.

00:25:47.150 --> 00:25:49.690
Again, the intent for us when we're doing these

00:25:49.690 --> 00:25:51.230
things we've been through at enough times with

00:25:51.230 --> 00:25:53.190
enough organizations is we have a direction we're

00:25:53.190 --> 00:25:56.049
going. We also know that we're trying to make

00:25:56.049 --> 00:25:58.529
a certain behavior happen. I don't usually get

00:25:58.529 --> 00:26:00.569
feedback. There are some times when we've created

00:26:00.569 --> 00:26:02.609
enough friction where an org typically says,

00:26:02.890 --> 00:26:05.549
enough, we need you to pause or back off or something

00:26:05.549 --> 00:26:07.890
along those lines. But most organizations, they

00:26:07.890 --> 00:26:11.029
do tend to accept it. Again, back to the here's

00:26:11.029 --> 00:26:13.750
the things that we need to do to meet our requirements

00:26:13.750 --> 00:26:16.450
for compliance or insurance or whatever. Those

00:26:16.450 --> 00:26:18.589
typically are the things that drive things forward.

00:26:19.170 --> 00:26:21.589
I've also joked with a lot of organizations too

00:26:21.589 --> 00:26:24.420
and said, blame me if you need to. I'll be whatever

00:26:24.420 --> 00:26:26.640
you need. You need me to be the hammer, the fall

00:26:26.640 --> 00:26:30.119
guy, whatever it is you need to do to get to where

00:26:30.119 --> 00:26:32.559
we're going, I'll be that for you. You need me

00:26:32.559 --> 00:26:34.160
to come in and talk to your organization and

00:26:34.160 --> 00:26:36.839
scare them? I can do that. Prefer not to do it

00:26:36.839 --> 00:26:39.819
that way, but we can if we need to. I think that

00:26:39.819 --> 00:26:43.299
being an outsource can be very beneficial because

00:26:43.299 --> 00:26:46.000
you can kind of, it's those guys. They're making

00:26:46.000 --> 00:26:48.900
us do it and they say we have to. That's okay.

00:26:48.900 --> 00:26:52.289
We'll take that. Oh, man, I love it. That's a

00:26:52.289 --> 00:26:55.529
great way. I want to make sure that we cover

00:26:55.529 --> 00:26:59.869
anything, but we took a wide journey, and I think

00:26:59.869 --> 00:27:03.369
we have a lot of practical advice, a lot of starting

00:27:03.369 --> 00:27:06.750
points. Is there anything else you want to touch

00:27:06.750 --> 00:27:09.829
on, or if you could kind of boil it down to one

00:27:09.829 --> 00:27:13.390
thing, what that might be on today's topic? I'm

00:27:13.390 --> 00:27:15.309
going to be communication. I mean, ultimately,

00:27:15.589 --> 00:27:18.230
I kind of think we started there. Like anything,

00:27:18.549 --> 00:27:20.970
when it comes to culture, the more you communicate

00:27:20.970 --> 00:27:23.029
it, the better it's understood and adopted, right?

00:27:23.089 --> 00:27:24.970
You can't, I mentioned it before, right, for

00:27:24.970 --> 00:27:26.869
it takes you years to get where you're going.

00:27:27.329 --> 00:27:29.170
You can't just say, I threw it out there, this

00:27:29.170 --> 00:27:30.849
is the direction we're going. Hopefully that

00:27:30.849 --> 00:27:32.910
just kicks in and happens. It doesn't work that

00:27:32.910 --> 00:27:34.990
way. You do need to continuously remind people.

00:27:35.549 --> 00:27:37.950
We use the terminology seven times, seven ways

00:27:37.950 --> 00:27:40.289
when it comes to communication at CIT all the

00:27:40.289 --> 00:27:43.529
time. And we communicate that much more frequently

00:27:43.529 --> 00:27:46.049
than that because that is clearly not enough,

00:27:46.150 --> 00:27:48.450
but it gives you the context of how much you

00:27:48.450 --> 00:27:50.930
need to do it and continue to do it. We like

00:27:50.930 --> 00:27:53.609
using different voices, too. So, for example,

00:27:53.609 --> 00:27:55.990
if I'm going insane, here's the guy idea, here's

00:27:55.990 --> 00:27:58.930
the idea. As much as people join the podcast

00:27:58.930 --> 00:28:02.009
to listen to me pontificate, it's great shipping

00:28:02.009 --> 00:28:05.470
from Nate as well. So just getting those different

00:28:05.470 --> 00:28:08.509
voices really does help with delivering the message.

00:28:09.190 --> 00:28:11.829
We laugh because I've never once joined the podcast

00:28:11.829 --> 00:28:14.369
to listen to you. I don't know what you're talking

00:28:14.369 --> 00:28:19.230
about. I'm here to talk myself. So I think we

00:28:19.230 --> 00:28:21.609
started the podcast with, you know, there's a

00:28:21.609 --> 00:28:25.069
disconnect between the top and the bottom. So

00:28:25.069 --> 00:28:28.309
Todd's comment about the deep collaboration and

00:28:28.309 --> 00:28:29.849
trying to, you know, do the same thing in seven

00:28:29.849 --> 00:28:32.369
ways is very much of that top down approach.

00:28:32.809 --> 00:28:35.210
I guess I'll kind of conclude in trying to circle

00:28:35.210 --> 00:28:37.630
it all back to, you know, what the recommendation

00:28:37.630 --> 00:28:41.509
down at the general employees is. Kind of a common

00:28:41.509 --> 00:28:45.099
saying I have is have grace and patience, right,

00:28:45.240 --> 00:28:49.859
is when things are being pushed down, mistakes

00:28:49.859 --> 00:28:52.859
may happen. Give the other person who is trying

00:28:52.859 --> 00:28:56.019
to implement it some grace, right? And then also

00:28:56.019 --> 00:28:59.140
the patience is most people are not trying to

00:28:59.140 --> 00:29:01.359
make your job harder. And sometimes there are

00:29:01.359 --> 00:29:03.920
those kind of, to my other employee was, there's

00:29:03.920 --> 00:29:07.400
the bug, bug bounty, you know, bug finders that

00:29:07.400 --> 00:29:09.650
we have to work through. And sometimes it is

00:29:09.650 --> 00:29:12.849
a little painful to find those and disrupt the

00:29:12.849 --> 00:29:15.630
workflow. Have patience because we can usually

00:29:15.630 --> 00:29:18.549
work through those. No one's trying to come in

00:29:18.549 --> 00:29:21.670
with ill intent on any of it. We're just trying

00:29:21.670 --> 00:29:26.430
to align with what the business needs are and

00:29:26.430 --> 00:29:29.609
what has been requested of us along the way.

00:29:29.990 --> 00:29:32.710
That seems like a great place to end. So thank

00:29:32.710 --> 00:29:36.009
you so much for joining us today. If you enjoyed

00:29:36.009 --> 00:29:39.130
this topic, please let us know, like, subscribe,

00:29:39.509 --> 00:29:44.349
or reach out to us at info at cit-net.com or

00:29:44.349 --> 00:29:49.609
head out to our website cit-net.com slash podcast.

00:29:50.109 --> 00:29:52.390
We'll be back next week with an all new episode.
