1
00:00:00,000 --> 00:00:01,000
I'm good.

2
00:00:01,000 --> 00:00:02,000
Do it.

3
00:00:02,000 --> 00:00:03,000
Todd, you go first.

4
00:00:03,000 --> 00:00:04,000
What did you read?

5
00:00:04,000 --> 00:00:07,680
I was kind of a work in progress too.

6
00:00:07,680 --> 00:00:14,760
But my paperback was a book called Elevate, which, you know, Elevate and Delegate.

7
00:00:14,760 --> 00:00:21,360
And then my electronic version is a book called Radical Candor.

8
00:00:21,360 --> 00:00:28,560
And then my audio book is called Soulbrand, which is a fantasy novel.

9
00:00:28,560 --> 00:00:29,560
There you go.

10
00:00:29,560 --> 00:00:34,160
Like you've got like the full mode out of all different types of books.

11
00:00:34,160 --> 00:00:43,040
Yeah, you can tell I have attention issues, right?

12
00:00:43,040 --> 00:00:45,080
Matthew, what about you?

13
00:00:45,080 --> 00:00:48,240
I'm currently reading The City We Became by N.K.

14
00:00:48,240 --> 00:00:49,240
Jemisin.

15
00:00:49,240 --> 00:00:54,240
And I'm going to count this because I'm so close to finishing it.

16
00:00:54,240 --> 00:00:58,920
Yeah, it's fantastic and everyone should read it.

17
00:00:58,920 --> 00:01:07,280
I'm also reading a beta reading a book for an author friend that I'm very excited to

18
00:01:07,280 --> 00:01:12,480
be finished and to share with everyone because it's amazing.

19
00:01:12,480 --> 00:01:19,040
And so, yeah, it'd be cool to see that come out into the world.

20
00:01:19,040 --> 00:01:24,200
I think the last one I listened to for an audio book was How Do You Do When You're Not

21
00:01:24,200 --> 00:01:25,200
In Charge.

22
00:01:25,200 --> 00:01:31,080
I listened to that one for, well, and I always run multiple audio books simultaneously.

23
00:01:31,080 --> 00:01:33,720
So I think that's the last one I actually finished.

24
00:01:33,720 --> 00:01:39,200
So I'm just trying to figure out ways to help encourage our team as well.

25
00:01:39,200 --> 00:01:40,760
To be better leaders.

26
00:01:40,760 --> 00:01:45,960
The actual physical book was last night because I'm teaching my son how to be potty trained.

27
00:01:45,960 --> 00:01:49,520
So as Peppa the Pig, George goes to the potty.

28
00:01:49,520 --> 00:01:59,440
Spectacular, classic, yeah, there's a surprise ending at the end of the mind.

29
00:01:59,440 --> 00:02:03,640
We are learning how to yell potty when we have to go to the bathroom.

30
00:02:03,640 --> 00:02:05,640
That works.

31
00:02:05,640 --> 00:02:11,200
Tara, what about you?

32
00:02:11,200 --> 00:02:13,600
Mine was not potty training related.

33
00:02:13,600 --> 00:02:18,880
Mine was one that I actually finished recently was a man called Ove or Av, however you pronounce

34
00:02:18,880 --> 00:02:23,120
it, but they moved it into a movie called A Man Called Otto.

35
00:02:23,120 --> 00:02:24,620
There is the original.

36
00:02:24,620 --> 00:02:26,800
It's just in a different language, which I did watch.

37
00:02:26,800 --> 00:02:29,400
I did not watch the Tom Hanks.

38
00:02:29,400 --> 00:02:30,400
Is that who's named?

39
00:02:30,400 --> 00:02:32,840
I didn't watch that version.

40
00:02:32,840 --> 00:02:34,960
Yeah, a Swedish novel.

41
00:02:34,960 --> 00:02:37,680
But that was me.

42
00:02:37,680 --> 00:02:38,680
Interesting.

43
00:02:38,680 --> 00:02:41,440
What about you, Aria?

44
00:02:41,440 --> 00:02:47,760
Boy, I think the last book I read was actually just Traction for Work.

45
00:02:47,760 --> 00:02:53,120
I've got my long list of books I got to read for work, and so that's what's filling my

46
00:02:53,120 --> 00:02:54,120
time.

47
00:02:54,120 --> 00:02:56,560
At least we can all empathize with having read them.

48
00:02:56,560 --> 00:02:58,320
Yes, it's a great book.

49
00:02:58,320 --> 00:02:59,320
It's great.

50
00:02:59,320 --> 00:03:00,320
I love it.

51
00:03:00,320 --> 00:03:01,320
It is very good.

52
00:03:01,320 --> 00:03:03,320
How long have you been with us?

53
00:03:03,320 --> 00:03:06,040
Why are you not done?

54
00:03:06,040 --> 00:03:07,040
I know.

55
00:03:07,040 --> 00:03:11,840
Because there's like five to seven books on this list.

56
00:03:11,840 --> 00:03:14,600
There are a lot of them.

57
00:03:14,600 --> 00:03:18,240
I've made a rather large reading list that we were like, we love books.

58
00:03:18,240 --> 00:03:19,240
You should love books.

59
00:03:19,240 --> 00:03:21,440
And she was like, oh, man.

60
00:03:21,440 --> 00:03:22,440
Yes.

61
00:03:22,440 --> 00:03:23,440
Yeah.

62
00:03:23,440 --> 00:03:24,440
For sure.

63
00:03:24,440 --> 00:03:25,440
How about you, Kelsey?

64
00:03:25,440 --> 00:03:26,840
I know you're a big reader.

65
00:03:26,840 --> 00:03:28,200
I know.

66
00:03:28,200 --> 00:03:33,040
I actually got the physical copy of Fourth Wing after somebody else as part of our company

67
00:03:33,040 --> 00:03:35,040
book club was like, you should read it.

68
00:03:35,040 --> 00:03:36,040
And I was like, OK.

69
00:03:36,040 --> 00:03:37,440
And then of course, books are going to be up.

70
00:03:37,440 --> 00:03:38,440
It is good.

71
00:03:38,440 --> 00:03:39,640
It does have a cliffhanger ending.

72
00:03:39,640 --> 00:03:40,840
I did really enjoy it.

73
00:03:40,840 --> 00:03:41,840
Would read again.

74
00:03:41,840 --> 00:03:43,240
Did it break my Kindle streak?

75
00:03:43,240 --> 00:03:45,280
It was a physical book and not on my Kindle.

76
00:03:45,280 --> 00:03:46,280
Yes.

77
00:03:46,280 --> 00:03:47,280
My weekly streak is still alive.

78
00:03:47,280 --> 00:03:48,280
My day streak broken.

79
00:03:48,280 --> 00:03:49,280
Big runner.

80
00:03:49,280 --> 00:03:53,600
But then on my Kindle, I'm reading This Is How You Heal by Brianna Wiest.

81
00:03:53,600 --> 00:03:56,320
So I do that one every morning after I do a little meditative breathing.

82
00:03:56,320 --> 00:03:59,240
So it's a little bit of everything.

83
00:03:59,240 --> 00:04:00,240
Nice.

84
00:04:00,240 --> 00:04:01,240
Very cool.

85
00:04:01,240 --> 00:04:02,240
Very cool.

86
00:04:02,240 --> 00:04:08,560
Well, something I probably should have read or looked at is our cybersecurity framework

87
00:04:08,560 --> 00:04:13,080
2.0, which is what we're talking about today on our Tech for Business podcast.

88
00:04:13,080 --> 00:04:20,320
Tara, Kelsey and myself are joined by Todd, our COO and CISO, Matthew, our VCISO, and

89
00:04:20,320 --> 00:04:23,240
Nate, our director of cybersecurity.

90
00:04:23,240 --> 00:04:28,720
And because I did not come prepared, I'm hoping one of you can kind of get me up to speed

91
00:04:28,720 --> 00:04:31,400
as to what is this?

92
00:04:31,400 --> 00:04:33,600
What are we talking about today?

93
00:04:33,600 --> 00:04:39,120
And sort of what are the changes and updates coming down the road for us?

94
00:04:39,120 --> 00:04:41,120
Maybe you want to?

95
00:04:41,120 --> 00:04:45,800
Maybe we should start with what the NIST cybersecurity framework is.

96
00:04:45,800 --> 00:04:49,720
This is something that CIT communicates all the time.

97
00:04:49,720 --> 00:04:53,040
But if you're new here, welcome.

98
00:04:53,040 --> 00:04:57,840
But yeah, so the NIST cybersecurity framework, NIST is a government agency, National Institute

99
00:04:57,840 --> 00:05:01,120
of Standards and Technology.

100
00:05:01,120 --> 00:05:06,640
They created the cybersecurity framework all the way back in 2014.

101
00:05:06,640 --> 00:05:12,320
So this isn't anything new if you're new to this topic, but essentially they put out

102
00:05:12,320 --> 00:05:15,520
the first version of this since 2014.

103
00:05:15,520 --> 00:05:22,760
Really the intent was how do you start communicating cybersecurity management and governance to

104
00:05:22,760 --> 00:05:31,120
your organization and start putting some type of consistent framework that could be applied

105
00:05:31,120 --> 00:05:34,520
to help increase the security posture of an organization.

106
00:05:34,520 --> 00:05:38,840
Back in 2018, they released another version of it called the 1.1.

107
00:05:38,840 --> 00:05:41,160
That's really been the standard ever since.

108
00:05:41,160 --> 00:05:45,040
I know we're, I think, in five years now after that now.

109
00:05:45,040 --> 00:05:48,040
So it's getting older and due for a revision.

110
00:05:48,040 --> 00:05:52,760
Therefore, the whole topic of the conversation is preparing for the cybersecurity framework,

111
00:05:52,760 --> 00:05:53,760
2.0.

112
00:05:53,760 --> 00:05:59,120
There's been a nice timeline that's been published as they continue to work on these revisions.

113
00:05:59,120 --> 00:06:02,080
It's not finalized just yet.

114
00:06:02,080 --> 00:06:06,120
They've received feedback from thousands of security professionals over the last couple

115
00:06:06,120 --> 00:06:09,680
of years and they've been incorporating those changes.

116
00:06:09,680 --> 00:06:14,080
So I don't know if, Todd or Matthew, you had anything else to add to that?

117
00:06:14,080 --> 00:06:16,080
No, that's a wrap.

118
00:06:16,080 --> 00:06:17,080
Yeah.

119
00:06:17,080 --> 00:06:18,080
Cool.

120
00:06:18,080 --> 00:06:20,480
Very well, guys.

121
00:06:20,480 --> 00:06:24,240
You did cover a lot of what I would have said as well.

122
00:06:24,240 --> 00:06:29,400
The previous podcasts, I think, a HIPAA one would have come out just previously before

123
00:06:29,400 --> 00:06:30,400
this.

124
00:06:30,400 --> 00:06:33,120
I haven't listened to it yet, please do.

125
00:06:33,120 --> 00:06:37,400
That kind of covers a similar thing that we're seeing with HIPAA.

126
00:06:37,400 --> 00:06:41,280
Lack of updates, meaning that some of the questions maybe feel slightly outdated, while

127
00:06:41,280 --> 00:06:45,080
still relevant, just a little bit outdated.

128
00:06:45,080 --> 00:06:49,000
And NIST is working really hard to get this new version together to accommodate some of

129
00:06:49,000 --> 00:06:51,720
that, the changes.

130
00:06:51,720 --> 00:06:56,760
Whether you've listened to the podcast before or not, you'll know that we talk a lot about

131
00:06:56,760 --> 00:07:02,720
how much things change from start to finish.

132
00:07:02,720 --> 00:07:07,120
Just in the past couple of years, we can talk about AI and how little it was accounted

133
00:07:07,120 --> 00:07:11,120
for to the point of not being mentioned in most of these frameworks.

134
00:07:11,120 --> 00:07:18,600
So NIST is working really hard to get 2.0 out and really make it as modern as they can

135
00:07:18,600 --> 00:07:22,680
in relation to what you should expect to experience within your workplace.

136
00:07:22,680 --> 00:07:25,600
I guess.

137
00:07:25,600 --> 00:07:32,320
One of the things I can maybe ask you guys as we did that introduction is, why would

138
00:07:32,320 --> 00:07:35,160
a company even care about NIST?

139
00:07:35,160 --> 00:07:38,080
So maybe they're already doing something like healthcare, right?

140
00:07:38,080 --> 00:07:41,120
They've got the HIPAA and HITECH and all that fun stuff.

141
00:07:41,120 --> 00:07:47,240
Or PCI or NC way or OCC or whatever it is, right?

142
00:07:47,240 --> 00:07:51,800
That they are obligated to is NIST still applicable?

143
00:07:51,800 --> 00:07:58,160
And then likewise, maybe they don't have those regulations as NIST, the cybersecurity framework

144
00:07:58,160 --> 00:08:00,480
applicable to them.

145
00:08:00,480 --> 00:08:01,960
Sure.

146
00:08:01,960 --> 00:08:05,920
I'll take that since there's so much silence and I can't stand it.

147
00:08:05,920 --> 00:08:08,720
I will fill in the void.

148
00:08:08,720 --> 00:08:13,800
For what it's worth, I mean, CIT adopted NIST as kind of the default framework that we use.

149
00:08:13,800 --> 00:08:17,320
If there was something or an organization had nothing, if you were not in healthcare

150
00:08:17,320 --> 00:08:22,200
and using HIPAA or HITRUST or whatever, we just said NIST is the framework we're going

151
00:08:22,200 --> 00:08:25,040
to use and we're going to go down that path.

152
00:08:25,040 --> 00:08:30,080
Thankfully, I do think that the updates are very timely and helpful because it does modernize.

153
00:08:30,080 --> 00:08:32,880
Nate and I have been with the organization a little bit.

154
00:08:32,880 --> 00:08:36,480
I've been with this a little over six years and Nate a little bit less than that.

155
00:08:36,480 --> 00:08:40,640
And just looking at the history of the organization, how much things have changed in cybersecurity

156
00:08:40,640 --> 00:08:43,000
in that amount of time is significant.

157
00:08:43,000 --> 00:08:49,320
So the trend over the course of nearly 10 years since the original releases is massive.

158
00:08:49,320 --> 00:08:53,240
But anyways, getting back to what the point I was trying to make before I went on my tangent

159
00:08:53,240 --> 00:08:56,360
was it is an important tool set.

160
00:08:56,360 --> 00:08:59,440
All the tools are very, very similar to each other.

161
00:08:59,440 --> 00:09:04,640
So whether you're using NIST or the FFIEC and you're in the finance industry or following

162
00:09:04,640 --> 00:09:08,640
the FTC rulesets, they're all very heavily similar.

163
00:09:08,640 --> 00:09:12,000
In fact, the FFIEC uses NIST as its core.

164
00:09:12,000 --> 00:09:16,200
So it is kind of the baseline that everybody kind of said this is for all intents and purposes,

165
00:09:16,200 --> 00:09:17,840
the gold standard.

166
00:09:17,840 --> 00:09:21,360
And if you've got nothing else, it's what we typically revert back to.

167
00:09:21,360 --> 00:09:26,440
In the security industry itself and especially in our industry, NIST is the framework that

168
00:09:26,440 --> 00:09:29,480
basically everybody defaults to.

169
00:09:29,480 --> 00:09:33,880
Not everybody can pivot to the other ones, but again, it is kind of the de facto this

170
00:09:33,880 --> 00:09:35,380
is the standard.

171
00:09:35,380 --> 00:09:38,240
So it's great to see that these changes are coming down the pipe.

172
00:09:38,240 --> 00:09:42,400
And again, it is a draft currently, but they're definitely on the right track getting all

173
00:09:42,400 --> 00:09:43,960
the things in order.

174
00:09:43,960 --> 00:09:45,120
Agreed.

175
00:09:45,120 --> 00:09:50,000
One of the things that I find, and one of the reasons I believe, and obviously there's

176
00:09:50,000 --> 00:09:55,280
a lot of reasons that NIST kind of rose to the top with this, but for me, at least I

177
00:09:55,280 --> 00:10:02,480
think it comes down to the majority of why people work with NIST and why it became something

178
00:10:02,480 --> 00:10:08,480
that people saw as often as they did, which comes down to a lot of what's called CUI or

179
00:10:08,480 --> 00:10:11,600
controlled unclassified information.

180
00:10:11,600 --> 00:10:17,360
This basically means information that isn't classified by the government, but is controlled.

181
00:10:17,360 --> 00:10:23,560
And so the guidelines around a lot of NIST was to protect that type of information.

182
00:10:23,560 --> 00:10:28,320
Because of that, if you worked with a government entity, if you worked as a contractor for a

183
00:10:28,320 --> 00:10:32,760
contractor of a government entity, you probably saw this or had it referenced to you at some

184
00:10:32,760 --> 00:10:34,320
point.

185
00:10:34,320 --> 00:10:39,480
The thing that works best with it is that information and that language.

186
00:10:39,480 --> 00:10:42,040
We talk about HIPAA and we talk about PII.

187
00:10:42,040 --> 00:10:48,400
We talk about FFIEC and we talk about your financial data and your customer information.

188
00:10:48,400 --> 00:10:53,120
When we talk about controlled unclassified information, it does feel a little bit easier

189
00:10:53,120 --> 00:11:00,680
to assign that to the data that you have that maybe doesn't fit as PII.

190
00:11:00,680 --> 00:11:05,080
It seems a little bit easier to have it encapsulate what you have and treat it similarly, even

191
00:11:05,080 --> 00:11:07,120
if it's not that type of data.

192
00:11:07,120 --> 00:11:11,680
And because of that, it's a lot easier to imagine that these guidelines impact you even

193
00:11:11,680 --> 00:11:12,680
if they don't.

194
00:11:12,680 --> 00:11:18,320
There's a very clear way of saying, oh, this is data we want to control.

195
00:11:18,320 --> 00:11:23,080
This is rather than trying to pretend your internal data is PII so that you can meet

196
00:11:23,080 --> 00:11:25,840
the HIPAA guidelines that you maybe don't have to in general.

197
00:11:25,840 --> 00:11:28,720
It's a little bit of a roundabout way of explaining it.

198
00:11:28,720 --> 00:11:31,000
I know, sorry.

199
00:11:31,000 --> 00:11:34,040
But that's what it comes to for me.

200
00:11:34,040 --> 00:11:38,720
So it's easy to overlay the NIST guidelines onto your business because it's not saying

201
00:11:38,720 --> 00:11:42,760
this specific type of data with a specific name that relates directly to this.

202
00:11:42,760 --> 00:11:46,480
It covers a lot of different information.

203
00:11:46,480 --> 00:11:51,440
And because of that, you can implement it fairly easily with generic terms.

204
00:11:51,440 --> 00:11:55,280
And it feels like it fits without you having to change what you have in place already.

205
00:11:55,280 --> 00:11:56,280
Yeah.

206
00:11:56,280 --> 00:12:00,720
The one other little item I'd throw on there, too, is what we've typically seen in the industry

207
00:12:00,720 --> 00:12:06,000
is as more and more of these compliances push out, they are starting to very specifically

208
00:12:06,000 --> 00:12:07,000
state this.

209
00:12:07,000 --> 00:12:08,320
And we've done this in other podcasts as well.

210
00:12:08,320 --> 00:12:10,880
But in case you're joining us late, go back in time.

211
00:12:10,880 --> 00:12:13,120
I'm just kidding.

212
00:12:13,120 --> 00:12:17,320
As they're rolling out, a lot of them are calling for partners and vendors to have at

213
00:12:17,320 --> 00:12:21,040
least as good of security as whatever you're being held to.

214
00:12:21,040 --> 00:12:26,120
So even if you're not currently in that industry, it almost feels like, and we'll probably get

215
00:12:26,120 --> 00:12:29,840
to this at some point in this update because there is a supply chain piece built into the

216
00:12:29,840 --> 00:12:34,120
new standard, you will eventually start to feel it.

217
00:12:34,120 --> 00:12:38,440
So understanding the compliance where it's coming from, why it's coming, even if you're

218
00:12:38,440 --> 00:12:43,520
not in that industry, it's certainly possible that you are working with somebody that is.

219
00:12:43,520 --> 00:12:49,960
So at some point in that supply chain, it's highly likely that it impacts most organizations.

220
00:12:49,960 --> 00:12:50,960
Yeah.

221
00:12:50,960 --> 00:12:59,520
And just for the last thing on what you said there, Nate, for me is when you ask a business

222
00:12:59,520 --> 00:13:04,040
who doesn't have any required guidelines, what does your cybersecurity program look

223
00:13:04,040 --> 00:13:05,600
like?

224
00:13:05,600 --> 00:13:07,920
How do you define it?

225
00:13:07,920 --> 00:13:12,600
For an experience that I've had previously where someone said, all right, we need to

226
00:13:12,600 --> 00:13:16,560
build this, create something.

227
00:13:16,560 --> 00:13:21,400
Looking at what you have, trying to find what makes sense, the NIST documentation is very

228
00:13:21,400 --> 00:13:22,400
clear.

229
00:13:22,400 --> 00:13:24,240
There is a lot of it.

230
00:13:24,240 --> 00:13:28,720
It is a great place to start because it is so clear.

231
00:13:28,720 --> 00:13:32,720
It does allow you to really sink your teeth into it and start answering questions straight

232
00:13:32,720 --> 00:13:33,800
away.

233
00:13:33,800 --> 00:13:38,880
It also provides very clear deliverables on what your outcomes look like, what your plan

234
00:13:38,880 --> 00:13:44,840
of action is, something that you can provide to a leadership team, which if you have been

235
00:13:44,840 --> 00:13:49,280
put in the spot where someone said that to you internally, hey, check it out.

236
00:13:49,280 --> 00:13:50,280
It's very helpful.

237
00:13:50,280 --> 00:13:53,040
I feel attacked because I know you're talking about me.

238
00:13:53,040 --> 00:13:54,360
I asked you to go build something.

239
00:13:54,360 --> 00:13:55,360
I'm not.

240
00:13:55,360 --> 00:13:56,360
Look at that guy.

241
00:13:56,360 --> 00:13:58,800
At least not that you knew I was.

242
00:13:58,800 --> 00:14:02,920
Oh, that's the softest dig on a podcast here.

243
00:14:02,920 --> 00:14:06,080
I guess I have one more comment here.

244
00:14:06,080 --> 00:14:10,560
I had two, but I lost one after I felt that jab.

245
00:14:10,560 --> 00:14:12,560
You're making a joke.

246
00:14:12,560 --> 00:14:18,880
Yeah, but the cybersecurity framework, the 1.1, the current version today, just before

247
00:14:18,880 --> 00:14:23,040
we start diving into 2.0, it's not a bad framework.

248
00:14:23,040 --> 00:14:28,000
Matthew did mention it's getting a little out of date, and there's some additional clarification

249
00:14:28,000 --> 00:14:31,680
that needs to come out of that to better help organizations.

250
00:14:31,680 --> 00:14:37,640
We'll get into those details in a little bit, but if you haven't started at all, it's a

251
00:14:37,640 --> 00:14:43,640
great stepping stone before you go deep into the weeds of potentially 2.0.

252
00:14:43,640 --> 00:14:50,040
So I think we'll have a whole section about where do I start if nothing else or something

253
00:14:50,040 --> 00:14:57,920
like that, but the biggest thing is as this continues to evolve, if you're not already

254
00:14:57,920 --> 00:14:59,800
on it, it's not too late to start.

255
00:14:59,800 --> 00:15:03,200
It's not overly complicated today.

256
00:15:03,200 --> 00:15:08,480
And so as you're getting deeper into this conversation and planning out for 2.0, I think

257
00:15:08,480 --> 00:15:12,440
you'll feel right at home and not too far left behind.

258
00:15:12,440 --> 00:15:14,800
Completely agree.

259
00:15:14,800 --> 00:15:17,920
It really is very accessible.

260
00:15:17,920 --> 00:15:22,560
Yeah, so, I mean, keep in mind, it's a draft.

261
00:15:22,560 --> 00:15:26,360
What are some of these massive updates?

262
00:15:26,360 --> 00:15:30,480
If you can kind of give us an overview, what's changing?

263
00:15:30,480 --> 00:15:36,200
Well, there's one really big thing that comes to mind personally.

264
00:15:36,200 --> 00:15:39,600
Also it's probably my favorite change.

265
00:15:39,600 --> 00:15:45,160
Those of you who've seen it previously know of the, as Todd likes to say, the five pillars,

266
00:15:45,160 --> 00:15:51,120
the five core functions they call them, they're adding a new one.

267
00:15:51,120 --> 00:15:59,840
The new core function of Govern, which is overarchingly reviewing and creating processes for administrating

268
00:15:59,840 --> 00:16:02,520
the rest of the sections.

269
00:16:02,520 --> 00:16:08,040
This covers things like your organizational context and risk management strategies, items

270
00:16:08,040 --> 00:16:14,360
that previously had been packaged into other sections, generally under your, depending

271
00:16:14,360 --> 00:16:18,280
on what they were, there's no one section they were under, has been pulled out so that

272
00:16:18,280 --> 00:16:24,000
you can, and it's placed at the start, as in the step of, before you even dive in, let's

273
00:16:24,000 --> 00:16:25,160
see what you have.

274
00:16:25,160 --> 00:16:28,880
Let's see what maybe you're missing to make better decisions.

275
00:16:28,880 --> 00:16:32,000
I believe we've had a podcast on risk assessments.

276
00:16:32,000 --> 00:16:37,200
Please listen to it, because we can and do talk about it in depth.

277
00:16:37,200 --> 00:16:41,640
But the Govern function is probably my favorite addition to this.

278
00:16:41,640 --> 00:16:47,800
Yeah, I think Matthew and I had chatted about this offline, so not in any one of these conversations,

279
00:16:47,800 --> 00:16:52,000
although we have had them in the past, but quite frankly, Govern is kind of where the

280
00:16:52,000 --> 00:16:54,920
rubber hits the road when it comes to any kind of security program.

281
00:16:54,920 --> 00:17:00,200
It is not the most interesting thing for most technical and in some cases, some security

282
00:17:00,200 --> 00:17:03,160
people because it's policy and procedures, right?

283
00:17:03,160 --> 00:17:04,360
And that is not sexy.

284
00:17:04,360 --> 00:17:05,760
That is not pen testing.

285
00:17:05,760 --> 00:17:10,080
That is not, it's just not all that, wow, this is so good.

286
00:17:10,080 --> 00:17:15,760
It is for some people and that's totally cool, but it is absolutely critical to everything

287
00:17:15,760 --> 00:17:16,760
else.

288
00:17:16,760 --> 00:17:19,800
If you can't say what you do, how do you do it, right?

289
00:17:19,800 --> 00:17:23,040
If you don't know what you did, how do you know where you're going?

290
00:17:23,040 --> 00:17:27,000
Todd, that was the gentlest way anyone's ever called me a nerd before.

291
00:17:27,000 --> 00:17:28,000
Thank you.

292
00:17:28,000 --> 00:17:29,520
I was going to make another joke about it.

293
00:17:29,520 --> 00:17:35,440
If you think it's sexy, you're just wrong.

294
00:17:35,440 --> 00:17:41,720
So I guess my one comment about that is this governance component, I think is one of the

295
00:17:41,720 --> 00:17:48,680
most important additions to this because the cybersecurity framework today is very, for

296
00:17:48,680 --> 00:17:50,800
the most part, technical, right?

297
00:17:50,800 --> 00:17:54,960
You pass it to your IT, you pass it to your security.

298
00:17:54,960 --> 00:18:02,440
Governance really brings in business leaders that have to oversee all of the functionality

299
00:18:02,440 --> 00:18:05,280
and the responsibility of these teams.

300
00:18:05,280 --> 00:18:12,320
And now the business leaders are deeply ingrained in improving the posture of the organization

301
00:18:12,320 --> 00:18:14,080
from start to finish, right?

302
00:18:14,080 --> 00:18:20,600
And so I think it's easy to just say, hey, IT, start doing governance, but no, that really

303
00:18:20,600 --> 00:18:25,640
does come back to the CEOs, the CFOs, the COOs, you name it.

304
00:18:25,640 --> 00:18:29,360
They now need to be involved at a very deep level.

305
00:18:29,360 --> 00:18:37,320
Yeah, I think the biggest change that I've seen in my time in IT and in security has

306
00:18:37,320 --> 00:18:44,160
been the push for maturity levels, for explanations of where you sit in an answer rather than

307
00:18:44,160 --> 00:18:47,440
just a binary yes, no pass, fail.

308
00:18:47,440 --> 00:18:52,400
It's we have this or we don't have this or we do this informally.

309
00:18:52,400 --> 00:18:57,040
And I think the governance section really takes that to another level.

310
00:18:57,040 --> 00:19:02,680
One of the hardest things to do when you're an engineer, from my experience at least,

311
00:19:02,680 --> 00:19:07,000
was proving something was done in a certain way.

312
00:19:07,000 --> 00:19:10,840
And so for me, the reason I started working with documentation in the first place was

313
00:19:10,840 --> 00:19:12,800
I could say, hey, this is how I do it.

314
00:19:12,800 --> 00:19:14,600
This is how it's done.

315
00:19:14,600 --> 00:19:19,200
Any other person who's on this team can walk in and follow these steps and we know consistently

316
00:19:19,200 --> 00:19:21,480
what's done each time.

317
00:19:21,480 --> 00:19:25,200
That for me was just a way of feeling comfortable with the work that I was doing.

318
00:19:25,200 --> 00:19:31,960
But now it's very obvious to me that I was also providing evidence to the higher ups,

319
00:19:31,960 --> 00:19:36,680
to my boss, to my boss's bosses, of what the work looked like.

320
00:19:36,680 --> 00:19:39,840
And the governance section is really just an expansion of that.

321
00:19:39,840 --> 00:19:41,000
How can you prove you're doing it?

322
00:19:41,000 --> 00:19:45,160
You say the way you're doing it if you don't have processes that you're following and really

323
00:19:45,160 --> 00:19:51,920
segmenting that, pulling that out and making that its own item, let you see what a deliverable

324
00:19:51,920 --> 00:19:57,560
looks like to those higher levels and the upper management side of things.

325
00:19:57,560 --> 00:19:59,960
Something that previously, like Nate mentioned, was missing.

326
00:19:59,960 --> 00:20:01,480
It was about doing the work.

327
00:20:01,480 --> 00:20:02,480
Is this done?

328
00:20:02,480 --> 00:20:03,480
Yes or no?

329
00:20:03,480 --> 00:20:04,480
Okay, prove it.

330
00:20:04,480 --> 00:20:08,160
All right, I'll screenshot that I've got firewall rules in place.

331
00:20:08,160 --> 00:20:10,800
All right, but how do you make them?

332
00:20:10,800 --> 00:20:12,400
Why do you make them?

333
00:20:12,400 --> 00:20:17,720
Those additional steps, while still in there previously, were not given as much authority

334
00:20:17,720 --> 00:20:20,440
as was it done.

335
00:20:20,440 --> 00:20:25,840
And I think making that distinction shows that in any environment, the work would be

336
00:20:25,840 --> 00:20:31,280
completed the same way or should be completed the same way, which is just as important.

337
00:20:31,280 --> 00:20:32,280
We want consistency.

338
00:20:32,280 --> 00:20:36,000
We want to know where mistakes were made or where they weren't made or why something got

339
00:20:36,000 --> 00:20:37,000
in.

340
00:20:37,000 --> 00:20:43,400
Yeah, what's the saying, Todd?

341
00:20:43,400 --> 00:20:46,120
There's a quote.

342
00:20:46,120 --> 00:20:48,960
If you don't know what you did, how do you know what to do?

343
00:20:48,960 --> 00:20:53,560
Right, so basically, if you didn't have it, this change management is another aspect of

344
00:20:53,560 --> 00:20:59,160
it and summary is how do you make sure that you're continually progressing?

345
00:20:59,160 --> 00:21:01,240
And documenting that is very, very important.

346
00:21:01,240 --> 00:21:04,160
Going through the assessment on a regular basis is incredibly important.

347
00:21:04,160 --> 00:21:10,200
And you will see that in pretty much every type of assessment, whether it's NIST or FFIEC

348
00:21:10,200 --> 00:21:11,200
or HIPAA.

349
00:21:11,200 --> 00:21:12,200
It doesn't really matter.

350
00:21:12,200 --> 00:21:13,200
They're all doing the same thing, right?

351
00:21:13,200 --> 00:21:16,720
The intent is to constantly be on this process.

352
00:21:16,720 --> 00:21:21,880
This is to constantly be on this process of maturing and doing that through change management

353
00:21:21,880 --> 00:21:22,880
makes sense.

354
00:21:22,880 --> 00:21:26,680
Of course, if you've ever been in an audit, you know that the change management is incredibly

355
00:21:26,680 --> 00:21:29,760
important through the process as well.

356
00:21:29,760 --> 00:21:33,560
One of the other major changes that I think is worthy of pointing out is I kind of alluded

357
00:21:33,560 --> 00:21:37,840
to it earlier as well, is they are going through the process of, I don't want to say we're

358
00:21:37,840 --> 00:21:44,120
moving so much as not putting such a heavy emphasis on critical infrastructure and critical

359
00:21:44,120 --> 00:21:48,920
infrastructure in case anybody doesn't know, it'd be pipeline, gas, water, things that

360
00:21:48,920 --> 00:21:51,680
are critical to our way of life.

361
00:21:51,680 --> 00:21:54,560
And it's basically trying to apply it to all businesses.

362
00:21:54,560 --> 00:21:57,400
So when I mentioned, can everybody use it, the answer is yes.

363
00:21:57,400 --> 00:21:58,560
And that's what they're trying to do.

364
00:21:58,560 --> 00:22:01,400
It's very accessible to everybody.

365
00:22:01,400 --> 00:22:05,680
And it does make sense because quite frankly, if you went and sat to somebody and said,

366
00:22:05,680 --> 00:22:07,960
is it critical you had a job, the answer is probably yes.

367
00:22:07,960 --> 00:22:11,920
In fact, I think that happened during the pandemic where they said only people in critical

368
00:22:11,920 --> 00:22:16,920
infrastructure can continue to go into work and people are like, it's critical I go in,

369
00:22:16,920 --> 00:22:19,200
so off they went.

370
00:22:19,200 --> 00:22:23,280
So it's blurring lines a little bit there, but I just thought it was incredibly important

371
00:22:23,280 --> 00:22:25,120
to bring that piece up as well.

372
00:22:25,120 --> 00:22:26,120
Yeah.

373
00:22:26,120 --> 00:22:30,440
For the sake of time, I might just quickly touch on a few of the other changes.

374
00:22:30,440 --> 00:22:32,940
I think most of them are pretty self-explanatory.

375
00:22:32,940 --> 00:22:35,000
It's not introducing a whole new concept.

376
00:22:35,000 --> 00:22:37,440
It's more just additions to it.

377
00:22:37,440 --> 00:22:40,680
Todd previously mentioned supply chain risk.

378
00:22:40,680 --> 00:22:48,840
So businesses are still going to continue or enhancing some of the security checks of

379
00:22:48,840 --> 00:22:50,000
their vendors.

380
00:22:50,000 --> 00:22:56,280
So for example, now they're going to be required to say, when you're moving from one vendor

381
00:22:56,280 --> 00:23:00,960
to another, are there security considerations being put into play?

382
00:23:00,960 --> 00:23:08,280
Also Todd mentioned, your third parties should meet or exceed your own security standards.

383
00:23:08,280 --> 00:23:13,440
You're not introducing new weaknesses within the organization.

384
00:23:13,440 --> 00:23:18,400
There's just some additional details about your business recovery process.

385
00:23:18,400 --> 00:23:22,800
For example, when do you kick in a restore?

386
00:23:22,800 --> 00:23:24,800
What's the criteria of it?

387
00:23:24,800 --> 00:23:30,560
Can you verify that those have integrity so you're not introducing a corrupt image back

388
00:23:30,560 --> 00:23:33,560
into the network after you do that?

389
00:23:33,560 --> 00:23:41,120
Do you have a checklist or criteria saying, when do we know that we're actually done restoring?

390
00:23:41,120 --> 00:23:46,920
There's just little subcategories or sub-tacks to some of that stuff.

391
00:23:46,920 --> 00:23:50,520
And then one of the other components would be Incident Response Management.

392
00:23:50,520 --> 00:23:56,400
So here at CIT, we've been helping organizations for years creating incident response plans.

393
00:23:56,400 --> 00:23:59,800
If that's something that you don't have, let us know.

394
00:23:59,800 --> 00:24:02,480
But they're going to take this a bit further as well.

395
00:24:02,480 --> 00:24:08,080
So introducing, what are some of the processes that you're going to do?

396
00:24:08,080 --> 00:24:13,520
Do you have capabilities to do forensics in the event that you actually need that?

397
00:24:13,520 --> 00:24:16,840
Communication plans, everything like that.

398
00:24:16,840 --> 00:24:22,440
And those have been core components of a standard Incident Response Plan today.

399
00:24:22,440 --> 00:24:24,040
They're just formalizing it a bit better.

400
00:24:24,040 --> 00:24:26,120
Matthew, I don't know if you had anything there.

401
00:24:26,120 --> 00:24:31,720
But oh, I mean, as you all know, I can talk about this for hours.

402
00:24:31,720 --> 00:24:34,160
Incident Response is one of my favorite topics.

403
00:24:34,160 --> 00:24:34,920
But you're right.

404
00:24:34,920 --> 00:24:39,280
I think it's more around, in this case, clarifying it.

405
00:24:39,280 --> 00:24:44,400
And we don't have to say you don't need someone on hand to do all of your forensic work.

406
00:24:44,400 --> 00:24:45,480
That's not a requirement.

407
00:24:45,480 --> 00:24:51,280
But knowing who you turn to in every way, I personally believe that this is one of those things

408
00:24:51,280 --> 00:24:54,160
you should have just to make yourself feel comfortable.

409
00:24:54,160 --> 00:24:59,720
I've said many times that it helps me sleep at night to know that we have one in place.

410
00:24:59,720 --> 00:25:05,920
But that's the things that they've put criticality on a part of that maturity process.

411
00:25:05,920 --> 00:25:07,640
Previously, they did have it.

412
00:25:07,640 --> 00:25:11,840
Now they're diving in deeper to explain it better, to clarify more.

413
00:25:11,840 --> 00:25:17,520
Those of you who maybe don't see this as directly or don't have this framework may actually start

414
00:25:17,520 --> 00:25:21,080
to see it come up in other ways, such as in cybersecurity renewals.

415
00:25:21,080 --> 00:25:22,760
There may be more requests upon you.

416
00:25:22,760 --> 00:25:26,320
So it's worth familiarizing yourself with some of these changes, even if you don't directly,

417
00:25:26,320 --> 00:25:31,880
if you aren't directly impacted by them or impacted or wonder how you might be impacted,

418
00:25:31,880 --> 00:25:36,520
just to keep on top of it.

419
00:25:36,520 --> 00:25:45,520
As part of that, when we're moving to this new version, there will be an expectation,

420
00:25:45,520 --> 00:25:50,240
I suppose, from a lot of people that you have to kind of instantly move to the new version,

421
00:25:50,240 --> 00:25:54,240
update as quickly as possible, just grab the new version when it comes out and start filling

422
00:25:54,240 --> 00:25:56,240
it out from scratch.

423
00:25:56,240 --> 00:25:59,160
Thankfully, they're bringing out a cross-mapped version.

424
00:25:59,160 --> 00:26:02,320
So I would have shown you where the answers you have previously will come across to the

425
00:26:02,320 --> 00:26:07,800
new version, hopefully save a significant amount of time getting that together, unless

426
00:26:07,800 --> 00:26:13,760
you're like me and reading through it, start to finish it again anyway, which I think everyone

427
00:26:13,760 --> 00:26:17,720
should do just so that they can see how the questions differ.

428
00:26:17,720 --> 00:26:22,720
But still, having something in place for the official document does cross-map will save

429
00:26:22,720 --> 00:26:24,720
a significant amount of time.

430
00:26:24,720 --> 00:26:29,520
Yeah, I guess I do want to clarify that just because it is cross-mapped doesn't mean there's

431
00:26:29,520 --> 00:26:31,920
not more work to do, right?

432
00:26:31,920 --> 00:26:37,840
Because we did talk about how they've introduced new sections and deeper insight into some

433
00:26:37,840 --> 00:26:38,840
of these ones.

434
00:26:38,840 --> 00:26:43,040
So, for example, if governance was never there as one of the core functions, you have work

435
00:26:43,040 --> 00:26:44,960
to do there, right?

436
00:26:44,960 --> 00:26:50,920
And then similarly, where some of those data recovery, business continuity planning, those

437
00:26:50,920 --> 00:26:54,160
have now been broken into multiple subcategories.

438
00:26:54,160 --> 00:26:59,520
So, Matthew, I don't know, I was taking a look at some of the draft stuff.

439
00:26:59,520 --> 00:27:05,000
It looks like probably 80% of it will map over nicely from what I could see.

440
00:27:05,000 --> 00:27:11,360
But yeah, I'd maybe say 20% of it will be brand new.

441
00:27:11,360 --> 00:27:13,040
Yeah, definitely.

442
00:27:13,040 --> 00:27:19,240
There's a document we'll link, which is the discussion draft, which includes all the items

443
00:27:19,240 --> 00:27:21,480
and what they currently map to.

444
00:27:21,480 --> 00:27:23,000
This is just open.

445
00:27:23,000 --> 00:27:25,960
It's just a draft, so it's not finalized yet.

446
00:27:25,960 --> 00:27:27,280
And so they may change further.

447
00:27:27,280 --> 00:27:31,520
But it shows currently where things have been moved to the new governance section, what

448
00:27:31,520 --> 00:27:35,800
their previous control was.

449
00:27:35,800 --> 00:27:37,560
And those things can be tracked.

450
00:27:37,560 --> 00:27:42,520
So you can see in the crosswalk map, that's what it will do.

451
00:27:42,520 --> 00:27:44,840
It'll show you, hey, this question used to be this.

452
00:27:44,840 --> 00:27:46,200
It's now this.

453
00:27:46,200 --> 00:27:49,480
And you'll get to answer some of those questions.

454
00:27:49,480 --> 00:27:53,400
But also, as Nate said, some of the questions have been split in half.

455
00:27:53,400 --> 00:27:56,760
What previously was just one question, the answer is now four questions.

456
00:27:56,760 --> 00:27:58,920
May even be split into two separate questions.

457
00:27:58,920 --> 00:28:04,520
So you've got eight questions for something you previously just said yes or no to.

458
00:28:04,520 --> 00:28:09,560
Really worthwhile reading through that document, just to kind of wrap your head around why it's

459
00:28:09,560 --> 00:28:13,520
different as well, because there's a reason they've moved some things to govern and taken

460
00:28:13,520 --> 00:28:16,080
them out of where they were before.

461
00:28:16,080 --> 00:28:21,160
May help some more with maybe assigning some of this work to different individuals so it

462
00:28:21,160 --> 00:28:24,600
doesn't feel like it's all on one person, which can be very helpful.

463
00:28:24,600 --> 00:28:30,200
Unless you work for a small org, then good luck.

464
00:28:30,200 --> 00:28:31,200
Yeah.

465
00:28:31,200 --> 00:28:35,640
I guess I have one more comment, and then I'll actually stop talking for a little bit.

466
00:28:35,640 --> 00:28:39,280
But until someone asks me a question, I want to speak up again.

467
00:28:39,280 --> 00:28:40,280
But the...

468
00:28:40,280 --> 00:28:41,280
Until they don't.

469
00:28:41,280 --> 00:28:42,280
Yeah.

470
00:28:42,280 --> 00:28:48,520
One of the things that I did kind of mention before was the 1.1 is very high level today,

471
00:28:48,520 --> 00:28:51,480
and this is going to start going into it.

472
00:28:51,480 --> 00:28:56,880
If you're jumping into this for the first time, there are some of the checklists that

473
00:28:56,880 --> 00:29:02,240
they have, essentially controls that they have saying, do you do this?

474
00:29:02,240 --> 00:29:04,440
Sometimes those are a bit vague.

475
00:29:04,440 --> 00:29:08,760
And so that's something where if you're stuck on that, that's okay.

476
00:29:08,760 --> 00:29:16,840
2.0 is going to bring in actual action-oriented questions to ask yourself to help guide you

477
00:29:16,840 --> 00:29:19,200
to do I have that or not.

478
00:29:19,200 --> 00:29:23,520
Because sometimes we know that there's people out there that they don't know what they don't

479
00:29:23,520 --> 00:29:24,520
know.

480
00:29:24,520 --> 00:29:30,040
This is going to provide that to you to make it better informed, to ensure that you actually

481
00:29:30,040 --> 00:29:34,040
have proper governance over your security program.

482
00:29:34,040 --> 00:29:36,240
Yeah, I think...

483
00:29:36,240 --> 00:29:37,240
That's a great note.

484
00:29:37,240 --> 00:29:38,240
Yeah, I'm sorry.

485
00:29:38,240 --> 00:29:42,120
I was going to transition slightly back to some of the comments that were happening earlier.

486
00:29:42,120 --> 00:29:47,200
I think Nate was kind of running through what it means to companies and how all these

487
00:29:47,200 --> 00:29:49,240
different things are coming out from the supply chain.

488
00:29:49,240 --> 00:29:53,440
And one of the things I wanted to mention there was, again, if you're curious if this

489
00:29:53,440 --> 00:29:56,240
impacts you, I would just go with the assumption that yes, it does.

490
00:29:56,240 --> 00:29:58,640
I mean, it really honestly...

491
00:29:58,640 --> 00:30:06,760
And the reason being is because if you're not doing your due diligence and you're not

492
00:30:06,760 --> 00:30:11,200
going through this, when we get into the conversation of saying, your vendors need to have at least

493
00:30:11,200 --> 00:30:15,080
as good as you do, we'll just think about that as somebody else too.

494
00:30:15,080 --> 00:30:18,080
So if you're working with an organization and they're suddenly going to start working

495
00:30:18,080 --> 00:30:22,320
with an apartment offense, they're going to implement this and they're going to say,

496
00:30:22,320 --> 00:30:25,320
Oh, company XYZ, you don't meet these.

497
00:30:25,320 --> 00:30:27,960
I'm going to have to go find a new partner.

498
00:30:27,960 --> 00:30:32,520
And since you're already doing a lot of these kinds of things to a degree for cybersecurity

499
00:30:32,520 --> 00:30:37,840
insurance, you might as well start planning on taking the next step and looking at a formal

500
00:30:37,840 --> 00:30:44,080
framework, which would give me to the next point, which is assuming that's true, whether

501
00:30:44,080 --> 00:30:50,280
it's 2.0 or if it's 1.1, where do you start?

502
00:30:50,280 --> 00:30:51,560
At the beginning.

503
00:30:51,560 --> 00:30:52,560
Which is?

504
00:30:52,560 --> 00:30:56,400
Come on, Matthew, it's your favorite subject.

505
00:30:56,400 --> 00:30:57,400
Where do you start?

506
00:30:57,400 --> 00:31:02,440
Yeah, I mean, seriously, at the beginning, go onto the NIST website and we'll link

507
00:31:02,440 --> 00:31:04,680
to that as well.

508
00:31:04,680 --> 00:31:06,960
And just start looking through their documentation.

509
00:31:06,960 --> 00:31:12,600
The NIST CSF is designed to be accessible because it is designed for organizations that don't

510
00:31:12,600 --> 00:31:16,400
have anything else in place.

511
00:31:16,400 --> 00:31:23,000
From there, you'll see the first step is reviewing what you've got, getting your document and

512
00:31:23,000 --> 00:31:24,440
getting documentation together.

513
00:31:24,440 --> 00:31:30,840
And when I say that, I mean things like finding what you have so that you can start to prepare

514
00:31:30,840 --> 00:31:34,120
for what a risk assessment looks like.

515
00:31:34,120 --> 00:31:38,840
If you're feeling like this is a lot, we obviously help with that.

516
00:31:38,840 --> 00:31:43,840
Love doing these types of assessments and they are all kind of interview based.

517
00:31:43,840 --> 00:31:46,440
It's just a discussion.

518
00:31:46,440 --> 00:31:51,200
There is no right or wrong answers because we're just trying to find out where things

519
00:31:51,200 --> 00:31:56,920
are now so we can find how things get better because it always does.

520
00:31:56,920 --> 00:32:00,200
Having that list in front of you may seem like a lot.

521
00:32:00,200 --> 00:32:04,560
So we're more than happy to guide through that process.

522
00:32:04,560 --> 00:32:12,600
The one thing that I'd say is that does have a component of reaching out if you need help.

523
00:32:12,600 --> 00:32:16,440
There are going to be some components that you still need to do internally.

524
00:32:16,440 --> 00:32:26,120
And so again, the CSF 1.1 today, like I mentioned earlier, was very technical oriented.

525
00:32:26,120 --> 00:32:30,440
Now you're going to start really bringing in interpersonal relationships because you're

526
00:32:30,440 --> 00:32:36,760
going to have to start really coordinating with your business leaders as well.

527
00:32:36,760 --> 00:32:41,360
And so one of the components I would say for how do you start is if you've never talked

528
00:32:41,360 --> 00:32:47,840
to the CEO, the CFO, the COO, whoever it is that's responsible for this type of activity

529
00:32:47,840 --> 00:32:55,560
in the business, start building those relationships, trying to ask them why do you do what we do,

530
00:32:55,560 --> 00:32:58,560
why is maybe the security budget really, really tight?

531
00:32:58,560 --> 00:32:59,560
Is there a reason?

532
00:32:59,560 --> 00:33:00,560
Right?

533
00:33:00,560 --> 00:33:06,720
And start having those conversations, building that up, building that influence because it'll

534
00:33:06,720 --> 00:33:12,120
only make it easier, number one, to identify that the controls coming out in the governance

535
00:33:12,120 --> 00:33:13,320
component.

536
00:33:13,320 --> 00:33:18,360
And then two, it'll help make it easier to implement because you're going to start building

537
00:33:18,360 --> 00:33:24,800
that executive buy-in that's going to be required to improve the downstream items as well.

538
00:33:24,800 --> 00:33:28,720
I agree with that wholeheartedly, Nate.

539
00:33:28,720 --> 00:33:33,640
That's how I started moving into security in the first place is just wondering what guidelines

540
00:33:33,640 --> 00:33:39,320
I should set myself within the work that I was doing and realizing that that conversation

541
00:33:39,320 --> 00:33:42,920
was something that needed to happen.

542
00:33:42,920 --> 00:33:43,920
Very helpful.

543
00:33:43,920 --> 00:33:51,600
Yeah, I think it's important to reiterate that when this podcast comes out, this is all

544
00:33:51,600 --> 00:33:52,840
still a draft.

545
00:33:52,840 --> 00:33:55,760
So we are definitely talking about it again.

546
00:33:55,760 --> 00:34:00,480
We're definitely going to bring these three people on and maybe some other people in CIT

547
00:34:00,480 --> 00:34:04,840
to talk about what this is and what it could mean for you.

548
00:34:04,840 --> 00:34:09,840
If you have any questions or you need help with any type of risk assessment, you can

549
00:34:09,840 --> 00:34:17,520
always reach out to us at info at CIT-net.com or head out to our website, CIT-net.com slash

550
00:34:17,520 --> 00:34:18,520
podcast.

551
00:34:18,520 --> 00:34:23,760
Thank you, Todd, Matthew, and Nate for joining us today, and we'll be back next week with

552
00:34:23,760 --> 00:34:51,280
an all new episode.

