Episode 12: One Year of Distilled Security, Auditor Quality, and Starting Your Own Company

Justin:

All right. Welcome to Distilled Security Podcast. Guess what episode this is? What is it? Episode 12.

Justin:

Wow. One year of recording and everything. Most people don't do that, you know. So I think we got a little round of applause. I got a little surprise for you guys.

Justin:

We are partying this up. I love it. Cheers, guys. Cheers. One year.

Justin:

One year.

Rick:

Fantastic. It's been fun.

Justin:

Yeah.

Joe:

Hey, I think I have some confetti in the extra flavor I'm

Justin:

These tasting notes are gonna be off now. All right. So to start off the episode with a bang and everything, I want to go over, you know, what you guys thought over the year. We've had a lot of different topics. We've had really good guests, you know, on the episode.

Justin:

What are some of your most favorite things that we've done, talked about, general format? Anything come to mind, you know, from that perspective?

Joe:

No, it's just amazing to be able to sit here and record something that for the first time ever and getting feedback from people that it didn't look like it was our first time. -Oh, yeah. -For the first several episodes, it's like the quality and the thought process that Well, it's a testament to what you did, Justin. Really,

Rick:

know, I just wanted

Justin:

to drink with you guys. And the only way I could get you to come over to my house is to do a podcast.

Joe:

Right, exactly.

Justin:

Exactly. It worked out well. Yeah, right. Success.

Joe:

And so, you know, it's the quality of getting this put together, this like whole environment to do it, the quality of the recordings, the quality of just the, you know, the post production stuff.

Rick:

Did you

Justin:

say that after we released our blurry episode? Yeah.

Joe:

Quality. I didn't look, I didn't watch too much. Just listened to that one.

Rick:

Shout out to Buzzy on all that stuff too, making us sound better than, certainly better than I sound.

Justin:

Yeah. A lot of people don't know, but we have somebody actually cutting and doing all the audio, putting the intro outros on. And I did it once on episode one. And I was like, yeah, I'm not I'm not into this, you know. So he's one of the big reasons why we've had this longevity of it.

Justin:

So thank you, Buzzy. Epicast is his company and everything. So definitely look him up if you're interested in doing some of the stuff. So

Joe:

Yeah. You know, I for

Rick:

some reason, one of the things

Joe:

that I

Rick:

really remember talking about and really enjoying was the, you know, the "Is college worth it?" one. Yeah. I just really enjoyed that conversation because people have so many different paths, and I think it's just so interesting how people find their way into cybersecurity. And it feels different now than it used to be. Yeah.

Rick:

Like, when we found our way in. So I just really enjoyed that topic.

Justin:

Yeah. I really like I mean, we guys, we talk even outside of the podcast, But I love when we get into kind of gray areas. And even though we don't always agree, we're usually always agreeing on the end goal of it. There's just different pathways that actually get there and different experiences of, you know, this culture sucks, so I wasn't able to do what you're saying is the easy route, you know, or something like that, that really I feel like I've gotten more out of, you know, just hearing you guys' perspectives on some of the topics and everything like that. Also, too, I love getting our guests on, you know, just for, you know, all the many guests, you know, that their experience or unique, you know, perspectives, Ed, you know, actually doing distilling and everything like I

Joe:

was going

Justin:

bring that one up. Yeah.

Joe:

Which brings up a different thing. Once in a while, I like it when we talk about non security things. Like just hearing Kim talk about the process of getting the distillery to work and his experience in getting into it was just fascinating to me. It's like takes me out of the thing I'm doing every day all day.

Justin:

Yeah, yeah. Yeah. It makes me more of a guest in the podcast than, you know, an actual co host. It's like, you know, I just nerd out and be like, Oh, that's cool. But what about this?

Justin:

You know, and what about this? You know? So, yeah. So we're excited to keep bringing you guys content and everything. We have some plans that we're going to be doing in the future here.

Justin:

We're going to be building a new studio eventually here. We got a little bit of delay, but as soon as it's kind of passed, we're going to be building out something new. We're going to be switching out the layout. We're going to drop the lavalier mics and go to actual physical mics, boom mics and everything like that. And it would definitely be a little bit better.

Justin:

We're dropping the couches, I think, is probably the setup then. We'll be sitting at desks, and we'll have a nice little backdrop instead of a nice curtain in the back and everything. Additionally, we're going to be looking at sponsors here coming up. We actually got our kind of first pseudo sponsor that we'll be presenting probably next month or the month after. We'll figure out a good time, you know, into that.

Justin:

But, you know, we're going to be looking at doing ads. And if you have a company that wants to reach a good audience of cybersecurity, feel free to reach out to us, hellodistilledsecuritypodcast dot com, and we'll get talking with them. So love it. Great.

Joe:

Yeah, that's awesome.

Justin:

All right. Dive into our first topic here.

Joe:

Yeah. Let's do it. Well, I'm just waiting to watch this video and see how much I jumped when you

Justin:

had the confetti go off.

Joe:

And then And how much

Justin:

confetti is left in the glass?

Joe:

Well, and then what I'm waiting for is to see if I can still find confetti next month when we come back.

Justin:

That's actually why

Rick:

he has to move studios.

Justin:

I'm not playing. I'm just moving. Who wants to do you want me to introduce this? Yeah, go for it. Okay.

Justin:

So, one of the topics we want to get into is about auditor quality and the kind of historical kind of movement from going to high quality auditors, getting thorough reports from an external party that you can actually trust, to a trend over the last, what would you say, five years-ish, where they've gotten cheaper providers that do less work to do the same report. But at the end of the day, you're just getting a SOC 2 or an ISO or something along those lines that says, Yep, you're good to go. They plaster it on the website and they go, you know, type of thing. So there's been a historical kind of degradation of this, as I would think, with some of the other products and tools making it easier, you know, to kind of, you know, get out there quickly, do it. But I feel like there's been a drop in quality into that.

Justin:

What do you guys think maybe on that? Then

Joe:

Well, what I don't want to get into so much is security versus compliance because that topic, we can hit on that a lot. That'll take a whole episode. And I think we can all agree that compliance is just something you pass on your way to getting to good security. You want to be at the

Justin:

want to

Joe:

be at the good security. But when you hire somebody to help you, and this is, you know, if you're a company out there and you're like, I want my SOC 2. So what really matters, does the quality of your auditor for the SOC 2, the ISO certification, whatever it is you want, does the quality of the auditor matter to you as the customer? Or is what matters to you the document at the end of the audit that you can give to your customer? And so, and we talked about this the other day, Justin, we were talking about competition.

Joe:

And as auditors want to get the work, do they keep lowering their price? At what point is their price so low that it makes it hard to understand how they're actually getting through all the audit materials they need to, given the time they can put

Justin:

to it? Yeah, and that's where, I mean, obviously, those companies are making a profit at some point into this. So but a lot of tooling out there has done a lot of automation. Like, Oh, you've never seen a policy before. Here's all your policies, done.

Justin:

You know, now they might not read them or review them again. Or implement anything or anything like that. But they're a checkbox into, right, getting some of these certifications. You know, you have to have a statement that says your passwords are this, you know, type of thing. But then, you know, and with all that, then you have cloud checks, you know, that, you know, with the technical kind of controls into that, you just have to remediate those and that can be a flip of the switch to adjust your AWS cloud environment or whatever it may be into that.

Justin:

And they just kind of rely on system checks moreover and I think skimp on some of the quality. You brought up something the other day that you found that an auditor, what was that, didn't check scope. They relied on the tooling, but there was a misconfiguration in scoping on some of their cloud environments.

Joe:

Yeah. So one of the compliance, I don't want to name any particular. Or not name, yeah. But you get to the compliance automation tools, and the whole premise is that you tell it all the things you have. You tell it to go and check all of that through the integrations. You give it read only access.

Joe:

It goes in and actually checks the settings. It comes back and tells you what it is. Theoretically, it's supposed to allow the auditor to quickly look at that and not have to do sampling, but be able to say if the system actually checked everything, now I have a full set. Yeah, full population. And I can look at that.

Joe:

And that's great. It is.

Justin:

Yeah, that's actually advancing a lot of the GRC, getting into more GRC engineering. Perfect. But

Joe:

it doesn't hit the point that this auditor found. And luckily, they found it before they finished the audit. Otherwise, they would have written a report that was really misaligned. And what they found was that there were many instances, let's just say it was AWS, many instances of AWS integrated to this GRC platform, and they all said it was great. But when they went to do a final check of the scoping, what they discovered was there was an entire part of AWS not integrated into the compliance automation tool that was necessary for the scope of one of the applications that was part of the SOC 2 audit.

Joe:

So they got to nearly the end, almost said this is clean, but they didn't even have a good audit because they didn't have a great scope to look at.

Justin:

Yeah. And that's where I feel like I think we're getting into and you can almost argue this with like AI and some of the other, you know, advancements in, you know, automation and everything like that. I think people are relying on the tool too much without understanding the scope and how. It's almost like giving the kid a calculator without describing how to actually do addition and subtraction behind the scenes and everything. Like you need to understand the core concepts and then the automation will be a good assistant tool.

Justin:

But if you just hand a kid a calculator and be like, All right, it just works, you know, they're going to get things wrong, you know, because they just don't understand, you know, into that. And I feel like with the competition and everything else, you mentioned like priority of like getting certs and everything. I feel like that's everybody's number one priority. A secondary priority would be of good quality. You know, number one is getting past the audit.

Justin:

If anybody's ever pushed to that, it's like, I do want my piece of paper at the end of the day. You know, like nobody's coming after you like auditing you for three months for a SOC 2. Like, you'd be like, no, thank you. You know, type of thing, whatever the scope is. You know?

Justin:

Like, you know, there's a level of that's too much that everybody, you know, says. Now do I want to attest at the end that everything's accurate and feel good that it's accurate? Yes. Absolutely. You know, that type of thing.

Justin:

But more times than not, I feel like people just want the cert because deals are riding on it, customers are requesting it. That's their main driver on a lot of this stuff here.

Rick:

Yeah. I mean, it's definitely true. One thing that sticks out in my head as to, like, when you ask, like, oh, does, like, auditor quality matter? And when would you pay for a big or good one versus maybe a cheap one just to get the stamp? I feel like to an extent there are organizations that have a security team that's fully loaded, fully baked, and they do the security thing.

Rick:

And if you're paying a group of people to keep your organization secure, how much are you willing to pay to do a compliance stamp on top of that? Like, you don't necessarily need to pay a super high quality auditor to do all the things or to validate all the things.

Justin:

If you have the right level

Rick:

of insurance. If you have the right level of security team internally or a good program that you're confident in. Right? Interesting. You could

Justin:

So you're arguing for the cheap provider.

Rick:

Well, if you are already paying for security, then you don't, in my opinion, necessarily need to pay for security again as a byproduct of compliance. But if your security program isn't exactly where you want it to be, I think it makes a lot more sense to kind of take the harder path often, to get a quality auditor that might point at some challenging things, might make it a little harder for you to get over that bar. But now you're going to get some additional security as a byproduct of compliance, right?

Joe:

I have a lot of "it depends" thoughts. And I can actually agree with some of what you're saying, but I would focus that in a different direction. First, when I'm looking to, and when we get customers all the time that are of both mindsets, they come to us, they say, I wanna be secure. And I say, well, if we get you to the point you wanna be at, then at some point, you're gonna be able to get that external stamp of approval that you can show and brag about to all your customers. But let's get secure first. And then I have other customers who come to us and say, I need to get this.

Joe:

We said earlier, you know, we found that we signed a contract that says that we need to have SOC 2 or some other

Rick:

certification quickly How do we check the box as quickly as And

Joe:

how do we get through that? How do you get us there? And we can quickly get you there. Now, I don't like to do that kind of work if it's only for the purpose of getting the compliance, but not getting the security because, you know, that's going to be a bad reflection on us if something bad happens. But from the point where getting the lower bar auditor to come in that might do an $8,000 audit instead of a $40,000 audit, you know, in that case, you're actually helping your customer get to that point.

Joe:

Now, if you want to talk about raising the bar, I don't say that at all for external audit. I do that all for internal audit. So whenever, like SOC 2 doesn't require internal audit. Well, we bring independent people to come in and be a

Justin:

we've hired. Bringing another consulting firm to do it in-depth like.

Joe:

Right. Or we've even been brought in to do an internal audit. Yeah. Really go through everything before they do their external audit.

Justin:

And that I 100% agree with you. You don't skimp on those charges. You want experts in those fields to come in to advise you where you're taking your roadmap, what are next steps, prioritization, all that. If it's not tied to a certification, you know, into that, you want the best, you know.

Joe:

Right. Well, even when it is tied to a certification, ISO requires an internal audit of your full scope before you can have the external audit. And that has to happen annually. SOC 2 only requires an internal audit if your own internal controls say that you do an internal audit.

Justin:

And

Joe:

so we'll frequently bring an internal auditor in as part of the scope of the work we do. And it'll be somebody that we can get to come in, but be independent of our team who's helping. And so at that point, what you get is you get good security build and then we bring somebody else in. We recommend somebody. We point them in the right direction.

Joe:

But we have an internal audit done. That's not like an internal audit team because a lot of the clients that we have, they're not big enough to have a regular full security team, let alone have a regular cybersecurity aware internal audit team.

Rick:

I don't know that I heard a disagreement. You said you agree with most things, but I don't know if I heard a disagreement.

Joe:

Oh, it was that you were saying to get a little bit tighter or do that harder audit.

Rick:

Oh, I see. I see. And I was disagreeing for

Joe:

that to be the external. Say that for the internal.

Rick:

Oh, yeah. I think that's fair. Core point, whether it's internal or external, I guess from my perspective was I think sometimes the audit stuff gets a bad rap because people will use a cheap one when they should get a good one because they don't have enough internal advisement or strategic advisement at the right caliber, and they're just trying to do the cheap thing. It's like, well, I have an expensive car, but I'm gonna buy really cheap insurance that isn't gonna cover it.

Joe:

It's

Rick:

like, well, I mean, you can run with that risk, but at the end of the day, you might end up paying for it.

Joe:

And the nice thing about a great internal auditor, and I once heard scope your internal audit to be two or more times the length of hours that you know your external auditor is going to spend. That way you have a multiple of chance of finding things that you can say you've discovered internally before the and then even get a chance to

Rick:

correct Oh, yeah.

Justin:

Oh, yeah.

Joe:

Before the external comes in.

Justin:

Yeah. The only thing is maybe not a caveat, but I've seen people skimp on both, you know. Like I had this one client in the UK. You know, they had a 27001, and their internal audit that they paid for was literally $1,200 a year. $1,200, not $12,000, twelve hundred.

Justin:

And they did this little quick questionnaire over the phone, and they were done for the year. And we supplied that as evidence, and the ISO auditor's like, Yep, internal audit, check. And I think a lot of

Rick:

this comes back to surprise, surprise, a communication issue, right? Because there are technical concepts, both from a math perspective when it comes to auditing and from just a technology security perspective that can be challenging to translate to C suite executives that aren't security or technology nerds. Right? And when that happens, you lose a bunch of fidelity because there can be an external party saying, Well, yeah, you can pay this person the $50,000 to give you the thing, but I'm gonna give you the same stamp. And it's the same stamp.

Rick:

And by the way, I'm gonna do all the same things. And is that really true? Well, no, it's not really true. But the sales, the marketing, you know, all that stuff can be a problem. And a lot of times, people don't necessarily understand what they're buying.

Rick:

They select an expert because they're an expert in the field. Right? If I don't know anything about cars and I know that my engine's making a rattling noise and I can take it to a garage and they're like, well, it'll cost you $1,000, or I take it to another one, it's gonna cost you $10,000. I go, well, I don't know. I just want it to stop rattling.

Joe:

Yeah. Alright.

Rick:

Is the fix gonna be different? Sure. Right? The quality is gonna be stock tape and

Justin:

the other one actually fixed Right.

Rick:

And I think this gets back to the it depends thing, right? Do I just need this car as a beater for, you know, the next six months until, you know, the thing that I bought is available? Or do I want this thing to run another ten years?

Joe:

Yeah. Well, sometimes it's like going to the Audi or the BMW dealer to get your car serviced because that's inevitably more expensive than it's. I've always seen that way more expensive than taking it to your local I'm

Justin:

gonna wash your car for you,

Joe:

which is kind of nice.

Rick:

But actually, I think there's another parallel here, I wanted to touch on, which is the concept of I have worked with a number of auditors in the past that feel like if they don't find anything, well, they have to find something. Oh, yeah. Like, well, if I say, if I don't give any improvement opportunities, then, you know, the client's going to be annoyed, right?

Joe:

Well, there's a difference between improvement opportunities, which I welcome, versus somebody going out of their way to make you as a customer have to argue their actual legit finding, like a nonconformity, is really a problem and not just you have controls in place.

Rick:

Yeah. Well, in my experience, I see it a lot, too, where there'll be whatever on the report, there might be five legitimate things. And then there's two other things that's just, for lack of a better phrase, like academic verbiage that could exist in any report. Right? It's like, well, yeah, communication can always be better.

Rick:

Right? Right. And just like, you have five legitimate things. Why is this other thing

Justin:

And that's why, like, you know, I think it's not a one fault issue. In fact, I want to bring that up on who you think, like, is at fault into this scenario that we're in. But one of the things is, I think one of it is proper auditor training. I've trained a lot of auditor assessors and they come in with a mindset of, I'm now a consultant and I'm helping you get to the business. But when you're auditing or assessing, you have a specific framework.

Justin:

So you're going to the control and whether the scope of this assessment fits the control or not type of thing. Now you can make offhanded recommendations into that, but a lot of times it's like, This isn't sufficient enough. And it's like, Why?

Joe:

You have to audit to the standard. Yeah, you

Justin:

got to go back to the standard. But I've seen a lot of times people get overzealous and it's like, Oh, this is terrible. They do it manually. It was like, Woah. But is it effective?

Justin:

You're like, You need to test to the control. And now if the control is not effective, there's no argument into that. But you can't just say, You need to automate this. You need to get a CMDB even though you have an Excel spreadsheet for your asset list. Like, there are bars, you know, like, and you have to paint yourself into this box of a framework.

Justin:

Absolutely. You know, type of thing. You can still recommend on the outside,

Rick:

you know, but I was going to

Justin:

say You can't put on the findings list.

Rick:

But I do think, and this is where good auditors really shine, or good assessors in general, whether it's a formal audit or not, they don't necessarily get creative on the scoping or on the control interpretation or anything like that. In fact, they intentionally don't do that. Where they can get creative and consultative is understanding the business context and providing legitimate pragmatic recommendations to help solve things that they might find. To me, that's a huge mark. In addition to, like, just doing good assessment work, right?

Rick:

The best auditors are the ones that can say, Yeah, you have this issue. I've seen this before. I've seen four or five different approaches towards fixing it. The one that's going to fit best for you probably looks like this.

Justin:

Yeah. But the problem with that is that auditor has to come from a background of being in the business. And I find a lot of times that if they've lived as a pure auditor or assessor their entire lives, it's hard for them to get the big context of, like, how do I actually implement this or something like that. It can happen. If they're astute and, you know, study up or learn it in all their customer environments, it can happen, but you find it so many times.

Justin:

They're like, Well, just do it. Just implement a CMDB. Why haven't you done that yet? You know, it's easy. Like, I just want to check that off my list.

Justin:

It's yeah, it's more than You definitely get a different feel

Rick:

having been a practitioner for a

Justin:

Right, exactly. For sure. You know, so yeah, I feel like a lot of people don't gravitate that it's been in real world like operational experience to then translate that. But it's super valuable. Like when you got it, you know the ins and outs and what can happen, what cannot, you know.

Justin:

I often say like, you know, we're jack of all trades, master of nothing, you know, in security because we've seen a lot of the systems and we've lived it, we've done it, you know, type of thing. At least us three here, you know, like, you know, doing SQL statements in a database, going over unsecure, secure connections, or where the internet was wide open, you could see printers just online, you know, with public IP addresses. You know, it's like, you know this stuff, you know. Nowadays, you know, kids go through a masterclass of information security and just read off the textbook: It should be like this,

Joe:

you know. Right.

Justin:

Like, why don't you have it? It's obviously best practices, you know?

Joe:

So before we run out of time on this topic, I wanted to shift the focus of it just slightly, which is what can we improve? And what I'm

Justin:

Yeah.

Joe:

What comes to mind is, maybe not worrying so much about what everybody else is going to do for who they're hiring. But if you're a business and you're hiring a company to come and do a service for you, and your way to prove that company is good enough to come and process your information is because they have a SOC 2 or because they have a certification. So now I'm talking about third party vendor risk management. So how do we start training the third party vendor risk management teams to actually know the difference and spot the quality versus non quality audits?

Justin:

Do you think that's the solution?

Joe:

I think it's the way that it's going to help out there. I'm taking a different approach.

Justin:

I think

Rick:

it's an active gap.

Joe:

Instead of So here's what happens today. So not my customers who are looking to get their stamp of approval, but rather the people they're trying to sell to.

Rick:

Their prospects.

Joe:

So, we help them too. And when we're helping them and we say, let's make your third party vendor risk management program better. Let's make sure that you don't have people come in and start to sell you stuff. And you're looking at what are your checklist items and you say, well, do you have a SOC 2? And the idea is if they have the reason to get the SOC 2, or I'll just use SOC 2 and interchange it with everything else.

Joe:

Yeah. The reason you get the SOC 2 is because you don't want to have to fill out the several-hundred-question questionnaire form. And so you say, well, would you take this instead? And then what remaining risks do you have that I can deal with? And more than likely, they're like, here's my SOC 2, don't ask me any questions.

Joe:

But if we're gonna start training security teams to do better, it's when you go and you hire that vendor and you look at the SOC 2, is there a way to distinguish if that SOC 2 auditor was actually the $5,000 bargain basement one or the one that was paid $40,000 so that they could spend the adequate amount of time it took to audit that platform that you're gonna rely on? Is there a one with that? I think the light bulb went off for you.

Rick:

Well, I don't wanna answer your question with a question. Mhmm. But there's an inherent... I don't know that there is a great way personally to determine other than just, like, brand name and reputation. Right? Like, we all know, like, some names that we're not gonna throw out, but we could have the, like, I would not use them for my company, or I would go to these other people instead.

Rick:

But like, I don't know if there's a good way to tell that, but I also am not in... It comes back to the why are you looking at the SOC report? Are you looking at the SOC report so that you're confident there's not gonna be an actual operational issue with this vendor? Are you looking at the SOC report so that you can sue someone or not get sued yourself because if the vendor goes down and you can't fulfill what your

Justin:

Or they get breached. Can proper due diligence. Right?

Rick:

Yeah. Because again, and I think that really matters. Now so I don't

Justin:

I don't know, though.

Rick:

I don't know that I know of any good ways to distinguish

Joe:

Well, AICPA does peer reviews, and you can go to a website to see that. Now it's a little bit more voluntary, I understand. So not every peer review would be

Justin:

out there.

Joe:

It means that if you had a bad peer review, you may

Justin:

not find You have the option

Joe:

to lift up

Justin:

or not.

Joe:

I've had trouble

Rick:

with

Joe:

CPA firms who I know for a fact had a problem finding that problem on the peer review site.

Justin:

You said had a problem. You eventually did find it or

Joe:

I have people who've told me about the problems that these

Justin:

folks had No, no, no. On their website. No. You said you had a problem looking at it. Did you

Joe:

eventually find Oh, not me. If the auditor had a problem

Rick:

with Like your quality assurance.

Joe:

If the quality assurance folks had a problem with an auditor

Justin:

Right.

Joe:

It's not that information is not always on the AICPA Yeah. Yeah.

Rick:

If you get a bad grade, you could potentially choose not to share it. But if you get a good grade, you probably

Joe:

Now if you're an ISO auditor and ANAB and some of these oversight bodies find a problem with that, you could have your ability to be audited or to do audits suspended, and that will show up. And so you can find some more

Justin:

Just that you're suspended or not. Right? Right. It's not over whether it's an audit. It could be potentially they didn't pay, you know.

Joe:

No, this is like Yeah. Well, if you're saying you're an auditor in good standing, but you go check them out and you find they're not, then that's Right.

Justin:

But you don't see that necessarily that it was quality issue.

Rick:

Right? Yeah. Don't have

Justin:

a big could be like we never paid our fees, you know, to them and then you get suspended. Like PCI is kind of the same. They'll do behind the scene audits and usually they'll give you remediation items is how they go, but they have the potential to suspend you or remove you from the list of QSAs, you know, type of thing. But they don't say because of bad quality. You know, like, it could be because you didn't pay them $20, you know, because of that, you know, you're too late, you know.

Joe:

But there are some telling. I did see a telling AICPA peer review on their site where somebody looked at the auditor and had lots of issues that if you saw those, like I can't remember them. Yeah. But they were, you know, that their internal quality reviews weren't adequate and things like that. That their scoping wasn't That's what I was going

Rick:

to say. Like, I do think you probably could go through an exercise of analyzing. Like, does this scope look and feel right? Does it articulate all the details I'd expect to articulate? Does the test of controls really like, does the index of controls being tested against an objective truly satisfy it?

Rick:

Are there potential design gaps there? Things like that. But then you're

Justin:

Well, that's literally optional for SOC 2. Well, some of the yeah. Scope is optional. The trust services criteria is optional. Well, there's always some.

Joe:

You always have to do security, but you had to pick

Justin:

the other ones. That's only thing you have to do.

Rick:

But even within

Justin:

scope, like you could do one SaaS product and the rest would

Rick:

come in being, you There's some variability. But even for the stuff that's mandatory, I guess my point is you could go through this exercise of really trying to pull those apart and pick that apart. And I think a, you would need someone fairly experienced and who's seen a lot of these things to do that effectively. And B, you're gonna burn so much time analyzing the quality of this SOC report. At the end of the day, the problem here is a trust problem.

Rick:

Yeah.

Joe:

Well, it's a risk problem.

Rick:

Well, it

Joe:

is. And so what you said earlier was, well, you're looking at this report, which I think that's a stretch for a lot

Rick:

of companies. Think

Joe:

that's They get the SOC 2, they see it, they don't have the experience to read it. This is what I'm talking about. This is what we need to train third party vendor risk management teams on.

Justin:

Real quick on that. I was talking with a customer, this is years ago. They got a SOC 2 from a data center vendor. I open it up. The data center deleted all the controls out of the report.

Justin:

And like I opened it up, was like, where are all the attestations for the controls? They just left the environment, all the description to the environment, and now the controls in? I'm like, where's all the controls at? They're like, oh, I don't know. To your point of the veteran

Joe:

level Well, that's the training.

Justin:

That's required. And when we went to them, they're like, yeah, this is IP. It's protected data. I was like, what are you talking about?

Joe:

You guys sucked That's what

Rick:

the NDA is seeing the guys' They

Justin:

got called out somewhere in the SOC 2, and they just deleted that section.

Joe:

Right. And so that's why in a typical process, you have the NDA. What were you going

Justin:

to say?

Rick:

I was going say, I love that point, though, in terms of most organizations reading it.

Joe:

Yeah. They don't read it. They're just going to say, Did they get a SOC 2? Yes. If you're actually managing risk, so the other part of your question was, or your point was, What are they using this for?

Joe:

And so is there a good scope or not? These are things that you need to What trust

Justin:

services criteria did they pick?

Joe:

Right. And not only that, well, a lot of that comes down to, like some of my customers will come to me and say, I want to do a SOC 2. Get me audit ready.

Justin:

All right,

Joe:

sounds good. What trust service criteria do you want? They're like, I want to do all of them. I'm like, well, first, why? Do you have customers who have active contracts that your customers are saying they need them all, or will they be satisfied if you get started with just security, the common criteria?

Justin:

Usually, the contract is non specific. It's like Some

Joe:

are Some aren't. And I've seen them both ways. And if you have it as, yes, you need to do these multiple. So we're going through some scoping right now for a readiness assessment and an implementation assistance for one where they decided they want all five trust service criteria for their readiness because they wanna make sure they're good. And they're going to use that to drive the improvements of their security program.

Joe:

They're using all the right words, doing all the right things. And then they were debating whether they wanted to. And I think I got them talked out of going for more than just what their customers are asking for the first year. Like, hey, this first year, go for security. And so that's kind of addressed that point.

Joe:

The other point I was making was what do we need to teach everybody? So you were saying, well first, open up and look at the SOC 2. Second, look at the scope and see if the application was audited, the actual application you're gonna be getting your software as a service for.

Rick:

That's the second biggest one that I ever see is like people accept the SOC 2 over some element of the environment that they're not even a consumer of.

Joe:

Right.

Rick:

That's the second biggest. The biggest one I see is the user control considerations or complementary control considerations. People don't even know that that's a section in a report.

Joe:

They don't even know what that means. They don't. What does it mean?

Rick:

Tell us. So it's basically the part of the report. So the whole report is to say, Hey, we're good enough at security or we're good enough at privacy, whatever trust criteria they pick, right? We're good enough at these things, and we have this third party say that we're good enough. But we're only good enough the agreement here is we're good enough at these things as long as you agree that you're gonna do certain things as a consumer of the service.

Rick:

So if you know that you're breached, you're gonna change your passwords within twenty four hours or you're gonna do this or do that.

Joe:

Well, here's a good example of one of the criteria that you have to do as the buyer that's typically in there a lot. And it's while the SaaS platform can take care of all these other things, you are responsible for removing a user if they're no longer

Rick:

access Right. Right. Or securing the endpoint or like all the different things, right? Fully agree. So anyway, there's a whole section in these reports that's like, if you're a consumer of this service, yes, it'll be secure as long as you also do these things.

Rick:

I'd say my biggest educational point that people are surprised by is like, wait a minute. The SOC 2, like, forces me to do things too? It's like, well, yeah, if you want to rely on

Justin:

it. Yeah.

Joe:

Yeah. And so that's good. I thought you were going to go with a different one, which is I love this one. They themselves are asked for a SOC 2. So you got customer or you got a company asked for a SOC 2, they're the seller of a service.

Joe:

And they have their environment in Amazon or AWS or Azure. And what they do is they go download the AWS one and they send that and say, Yeah, all of our stuff's in an AWS environment. And then that's the one. And there are people who take that and say, We got a SOC 2. Absolutely right.

Joe:

So again, if you are the third party risk management that I'm talking to right now and you receive a SOC 2 from Azure or AWS, the customer or the service provider you're buying the service from sends you that, that's great. You know that they're using a SOC 2 audited, not certified because you can get a SOC 2 certification, a SOC 2 audited data center. However, it doesn't talk about any of their controls.

Rick:

The application layer, the the data layer, controls, all that

Joe:

stuff. Yeah, software development processes that went in to make that. All the things that the SOC 2 should have.

Rick:

So

Joe:

that's just another thing that they need to look at.

Justin:

You need

Rick:

to validate

Joe:

that the SOC 2 you have is actually for the company that you're buying services from, that has the right scope, has the right parts that you were talking about with what you're responsible for as a customer, you need to go and look at your own risks and make sure your own control framework has controls that match those. And then my favorite part is to scroll down to the control section where they did all the audits and you look for all the little comments. The first thing I do is I quickly scroll through and look for any write ups.

Justin:

I don't think that's not like no notable whatever, you know, whatever it is.

Rick:

Another one that I'd suggest that's important as you dig into these things is there are different varieties of a SOC report, right?

Joe:

Oh yeah, yeah.

Rick:

There's one, two, three, and then there's Type 1 and Type 2. And they're all different things and we can get into it, I don't know if we wanna burn the time on it. But you need to understand what is the nature of the report, right, that you're getting and does it align with what you need? Because the Type 1 report ain't a Type 2 report.

Joe:

Right. And a Type 1 report is simply Well, let's just back up a little bit. Let's talk about So you have a SOC 1 that's more financial based, right? A SOC 2 is what

Justin:

we're talking about. You can make your own controls for whatever you want into a SOC 1.

Rick:

Oh, yeah. You can.

Joe:

And then what we're talking about here is typically SOC 2. And then a SOC 3 is basically one that's made for more public disclosure, public sharing.

Rick:

It's SOC 2 without the details.

Joe:

Yeah, exactly. And so you have that. Now, when you go to the Type 1 and Type 2, Type 1 is simply just a design review.

Justin:

So

Joe:

they're not going to test any evidence of effectiveness.

Rick:

If everything went the way it should Sometimes

Justin:

they do, very lightly though. They don't do full sampling, but sometimes they'll test to make sure the design you have is there.

Rick:

Yeah. There's usually like a walkthrough, like it's a test of one. Like they'll get a test Yeah. They'll get a test of one. That's a controlled design walkthrough.

Rick:

Absolutely.

Joe:

Yeah. They're not doing sampling. Yeah.

Justin:

Right.

Joe:

That kind of thing.

Rick:

But yeah, Type 1 is, you know, the auditor basically saying, Well, if you were consistent in how you executed these controls, then We didn't check that ourselves, but if you were consistent, then yes, this would be secure. And a Type 2 is, hey, we did statistical sampling to validate that you were or were not consistent in the execution of these controls.

Justin:

So yeah, it's the difference between design and effectiveness.

Rick:

Yeah, exactly right.

Justin:

And how many times have we seen that? I'm sure you've seen it with like different customers. Somebody submits a Type 1. Yeah, absolutely. You know, type of thing.

Justin:

They're like, Oh, yeah, cool. We got our evidence checkbox.

Rick:

And to your point earlier, I've seen people accept a SOC 1 as a SOC 2 because you can define effectively the controls and the scoping. Well, that's fine. Like back in

Justin:

the day, I remember before there was SOC 2. And we would actually design SOC 1s around a COBIT control implementation.

Joe:

SAS 70.

Justin:

Yeah, SAS 70.

Rick:

But I would say I've seen them be choiceful in the controls that were selected.

Justin:

Yeah. Right? So, not like a full Again, true.

Joe:

Is the

Justin:

thing like you can make the controls almost anything you want type of thing.

Joe:

Yeah, the problem is, one of you called it out earlier, it's the people who are actually reviewing these aren't usually trained in all the things that they should be in order to effectively look at it. And it's really about managing risk. It's back to what risks are you concerned about? Even if there was a finding, you look at that finding and if it was addressed effectively by management and you don't feel that's going to be a problem, just because that SOC 2 was it's not a pass or a fail. A SOC 2 is this is what we understand the control environment to be.

Joe:

It has its good and its bads, it's written up in this document. And when you're consuming that to decide if that vendor is good enough to process your critical information, then that's just part of your risk framework.

Justin:

Go ahead. Finish your thought. I wanted to bring us back to another topic. Topic switching.

Rick:

All right. So what I was just gonna say, okay, Joe, so now I'm the third party risk manager, right? And I hear everything you're saying, but here's my problem, right? It's just me and my organization uses 300 different vendors, right? And I suspect you'll have the same answer.

Rick:

But Right? So how do I deal with that? It sounds like looking at all these SOC reports is a ton of work. So how do I go through 300 vendors for all this?

Joe:

Well, it is. Well, that's actually bringing Oh, it's all

Justin:

300, like, critical vendors to you? Well, that's That's why

Rick:

I thought he was going to go back to, Well, this is a risk problem.

Joe:

Well, and it is. Actually, it's a more fundamental problem. It's that your information security management system in itself isn't well designed because it's not resourced. So if you were going to go for yourself to go get like an ISO 27001 certification, you're going to have problems being able to show that leadership has resourced. That's one of the control objectives of ISO is that management has resourced the program.

Justin:

And

Joe:

if an auditor comes in and says, All right, you're supposed to be doing all of these things, the auditor would audit you, find that you were deficient in actually properly performing the check of proper third party vendor risk management. And so now, of course, that company probably isn't audited in your scenario. But what should you be doing as that security practitioner?

Rick:

How do I do the best I can?

Joe:

You need to do the best you can, but you need to balance it. You need to balance it through your risk register. So this is back to risk, and it's about talking to leadership with great communication to top leadership. So if you're in a company and you can't get like, if you're the only person and you report directly to somebody who's not the CISO or that Sure. Security role, then you're you're the person.

Joe:

So what do you do with that? You need to have an open conversation with your leaders saying, Look, if something really goes wrong and we get compromised, you're probably going to be looking at me. Well, I'm telling you right now, if you come and look at me and say, This is the problem, I need you to know that I have five people's jobs to do and I'm one person.

Rick:

Right. I only have the resources to look at 3% of these things or whatever that number is. And then But I think your point also is hugely valid,

Joe:

which is Prioritization.

Rick:

All right. So how do you prioritize this? Well, what are you using these vendors for? Which ones are more You

Justin:

can only focus on a handful of them. Go for your most critical ones. Right.

Joe:

Which ones are hitting the most critical data?

Justin:

Either has the most sensitive data, PII, whatever, or could, if they are shut down. You know, that type of thing. Those are basically like when we talk about profiling a vendor, it's usually they should be short, like half a dozen questions at most, I think, you know, something around there when you're profiling a vendor. And it's really those two core facts that you're looking at.

Rick:

I would add one, which is do you have direct access into my systems for some reason?

Justin:

Okay. Yeah. Fair enough. You know, type of thing. But yeah.

Justin:

But I agree. It's those two looking for the criticality of this vendor. If they get popped or they go down, how are they going to affect you? You know, and the greater that is, the more up you need to do the level of assurance to be comfortable. Now I wanted to switch the topic.

Justin:

Everything we said about reviewing, you know, outside assessment auditor reports, great. Yeah. But going back to our original point of going through the quality of the auditor, the actual like auditor assessor that's doing that, are we saying that if you think they have a bad reputation that you ax them? They're like, no, this isn't a good SOC 2 because it's

Joe:

Well, my yeah. I had a quick answer to that, and that's that if you look at the SOC 2 and you look and see whose signature's on it and you see that that's not up to whatever your company's standards are, then that means you need to have a conversation. That's what is the, Hey, look, you did this SOC 2 report. You sent it to me. I can show you these sources that say that the auditor you used, you know, isn't reliable.

Joe:

And so now I can't really rely on that. So I still wanna manage the risk of what we're getting from you. So here's my 300-question questionnaire. Maybe that's one approach. But it's really a conversation with them to find out what controls are you doing and are they effective?

Justin:

Let's say scope and controls line up. Like the only argument you have is the outside, you know, rumors or evidence that you have that they're a company that doesn't care about quality essentially is what it is, you know? I

Rick:

don't know. Like, I don't want to go to the worst. The worst performing surgeon. But if I'm dying, I'm going to go to the worst performing surgeon.

Justin:

I guess I'd look at that. If I'm in like risk management and I say like this isn't good enough, I have to justify that. I can't walk up to a business executive and say, we're not accepting this because they have bad rumors. They're going to be like, but they have this

Rick:

notification, I'm fully in agreement. I mean,

Justin:

I think you're treating yourself.

Rick:

Well, that's not about how you

Joe:

framed it. That changed a little bit in the way you framed

Justin:

If it's just a rumor

Joe:

and you can't really stand behind

Justin:

it, you know. Let's say there's even news reports out that you can cite like, Hey, they've been cited three times. Company's breached and they've been socked to

Joe:

the business risk So the conversation I'm having with that business leader is you want to use XYZ SaaS. And we looked at the security of XYZ SaaS. They filled out our questionnaires. They sent us some information. The information that they sent us says that they were audited.

Joe:

The audit came across clean, but the auditor they used has notoriously been cited for not being very good quality. So my recommendation is that you're going to engage with this vendor, but there's more risk here than I'm willing to say you should. We're going to log a risk in a risk register that says you're using a vendor that we couldn't sign off to the level that we typically would like to on the risk of using them. Like we can't validate or substantiate that they meet all of our qualifications. Now, you can still choose to use them.

Rick:

Well, and are there additional mitigating or compensating controls that you can throw into place? Sometimes there are. They're not always there. I don't know.

Joe:

And that's what I

Justin:

was talking To me, you're the service Yeah, exactly. If you're utilizing the service in standard service, there's not much you can do differently from that engagement.

Rick:

Well if we're talking like a web application? Yeah, like SaaS or

Justin:

something like that.

Rick:

Yeah, but sometimes it's not that. I mean sometimes it's staff aug or sometimes it's process stuff or data processing.

Justin:

You take more of the controls onto yourself versus allowing the staff out to do that.

Joe:

Well, that's that extra validation I was talking about. You're going to do some extra validation.

Justin:

Yeah, but I don't know if a questionnaire Send them a questionnaire. Even if they were willing to answer the questionnaire, what is that going to prove? They're going to answer, Oh, yes. And all right, great. We're back in the same spot, you know?

Joe:

Well, maybe I should have rephrased. Instead of sending them the questionnaire, which would be like a, you know, like somebody just sends it and takes no thought into what they just sent, you're going to get that. But if you're actually a security practitioner who knows what they're trying to solve, then it might be asking them more questions. That's what I meant by sending the questionnaire. It's validating what purpose is this SaaS going to do in my business process?

Joe:

And how do I know that it's not going to be I think

Rick:

that's key, though. All of this stuff has to be about conversations, not questionnaires. And it doesn't mean it has to be a verbal conversation. It can be a conversation over asynchronous, digital medium, whatever. But if every time you hit a bump in the road as the third party risk manager or whatever, you're just like, Okay, we'll send them a questionnaire, which I know you weren't suggesting.

Rick:

But if that's the approach that gets taken, like, yeah, you're going to get bad You have

Joe:

to do the manual process that you were hoping you could automate through a SOC 2 sign.

Rick:

Yeah, it's management by exception. Guess what? This is an exception.

Justin:

Yep. So you got to deal with it. And honestly, like, I'm kind of the naysayer, you know, into this conversation. Honestly, I don't even think that this is the right approach. I think you should presume that vendors are going to get popped and you have a really good process to resolve

Rick:

Oh, zero trust third party risk management. Like,

Justin:

kind of accept what they have. You know, if they have something, great. You know, obviously you're validating the scope, you're validating the controls. All that is good due diligence. But if it's from a poor quality auditor, I'm going to accept and say we need to develop good responses within our incident response to say one of our vendors is going to get popped at some point during our lifetime, you know, type of thing and we need to appropriately respond to this.

Rick:

Well, 100%

Justin:

agree. You know,

Rick:

like what's my cyber insurance policy

Justin:

saying about specific Because spending more of the time is not going to, I think, lower the risk at all.

Rick:

What's

Justin:

that? Spending more time on the vendor to measure them, sending a number of questionnaires or whatever it may be. They're getting poor quality auditors. I don't think all that extra resource and time into that is going to lower your risk even if you register on the, you know

Rick:

Yeah. So you're saying like jump straight to the mitigating side or

Justin:

jump straight like what you're going to do We're going to expect one of our vendors and it could even be like a good vendor. Let's say they got a good quality and they weren't on our risk register. They're probably going to get popped at some Well,

Rick:

I agree. Talked about the CrowdStrike thing. AWS, I mean, they all have. Yeah.

Joe:

Oh, 100% agree. I do feel that what you're bringing up is more security by design architecture that you're talking about that you should be considering well before you're doing the part that was the focus of

Justin:

I guess I look at third party risk management. It's a lot of time for little value. You should do it. You should do it type of thing. But the amount of time that's spent into it, I don't think you get the return, you know, into what people expect.

Joe:

And I'm sure there are companies that don't have as much reliance on all their vendors. Yeah. But I think it also depends because it's just like what we were saying. If you have 300 vendors, you can only do a few. Which ones are the highest risk?

Joe:

And why are they the highest risk? It's because, well, they're really having, you know, no matter what design you do, you're still opening up so much to them. That you're still going to be in a position that if they have a problem, you have a problem.

Justin:

Yes.

Joe:

And then you probably have other vendors that you can do what you were saying, which is design a little bit more securely so that you can prevent as much as you can, you can detect what's left, and then you have enhanced your incident response process accordingly.

Rick:

I feel like we're talking about vendor threat modeling. Is that effectively what we're talking Yeah.

Justin:

I agree with you, but the thing that comes down to it, even if like AWS is a big risk, like you're fully reliant on AWS as your cloud service provider into that, there's not too many companies that will also split off to GCP or Azure or something like that to also host their website. There are some, you know, don't get me wrong. But like if they're fully reliant, you're relying on AWS to have their act together. And a lot of companies accept that as they're fully reliant, single point of failure, even though technically they have a lot of

Rick:

points So you're talking about this is like the risk of doing business. Like, no, we're not going to turn off access to the internet. Yes, I'm going to drive into work today. Like whatever those things are because, yeah, a catastrophic thing could happen, but you do enough to mitigate it.

Justin:

Almost like it'll be DNS, you know, type of thing.

Rick:

But you do what you can to mitigate

Justin:

Yeah, I'm saying like, yeah, if you have like high risk, like we're fully reliant on AWS, not too many will go to another cloud hosting provider to say this will be our backup if AWS

Rick:

goes So now we're talking about like black swan risk management.

Justin:

Right, exactly. You know, type of thing. Again, there's a lot of controls that AWS puts in place, you know, to make sure that backup is upon And maybe that's okay for you, you know. But I'm just looking at like, if you're fully reliant on your payroll system, you know, or sort of ADP, you know, or something like that, Like, how reliant are you? Like, you'll have a lot of unhappy employees if transfers don't go out on that timely basis, you know, that type of thing.

Joe:

Yeah. And all of the cloud vendors have had an interruption at some point in the last, you know, half dozen, dozen years.

Justin:

Oh, yeah. Yeah.

Joe:

And so, as you're doing your third party vendor risk management, which I didn't wanna turn the whole conversation to TPRM, but as you're doing that, you should still be able to show that you did due diligence, that you did for the service you're getting from that cloud security provider, get their SOC 2. Know you have it. It's there. You're really putting yourself in a defensible position at that point.

Justin:

They're listing out controls. They are paying a third party to come in and attest.

Rick:

There's like commercially defensible and then there's operationally defensible, right? And this gets back to the point that you mentioned before that you were both talking about in terms of that secure by design. Right? So you go, okay. Well, what happens if is this vendor really a single point of failure?

Rick:

What happens if they go down? Okay. Well, we use this, you know, organization for payroll processing. Okay. Well, what if they what if something happens?

Rick:

What are the somethings that could happen? What if they lose all our data? Okay. Well, why don't we keep some extra data internally in case something like that happens? Okay.

Rick:

Well, what if they're late on a payroll run? Okay. Well, let's talk to our unions and make sure they're not gonna beat the crap out of us too bad if we're late on a pay Let's think about that in the contract. So this gets back into the think and I think we're kind of all agreeing or circling around the same thing, which is more or less, I mean, you just need to understand, like, what are the risks of the vendors that you have, the real major material ones? And whether it's a questionnaire or automated reports or digging into SOC reports or whatever, just make sure the way that you're getting comfort over how your vendors seek to make sure you don't have those problems is sufficient for your purposes.

Rick:

And if it's not, you gotta go talk to them about it and design stuff internally

Justin:

if it's still not good.

Rick:

Or talk to other

Justin:

vendors. Yeah.

Joe:

My favorite part about this whole conversation is that we went from talking about how do you trust your auditor to evolving the whole conversation in the way that I just totally love it. Here's why. We just talked about the entire security program risk model that we need to consider. You brought us out of the side of that and said, well, assume everything's breached. And you said, well, what do we need to do if the biggest thing we rely on goes down?

Joe:

And now we've extended this conversation from auditors into disaster recovery into business And you can't talk about those two things without talking about crisis management at that highest level. And we covered all these things in past shows

Justin:

as

Joe:

is a

Justin:

record for the longest topic. Longest topic.

Joe:

Here I said, Do we have time to just go to this one little TPRM thing?

Justin:

So, let's close it on this topic, but let's do last thoughts onto Do you guys have any last thoughts? I have last thoughts, so

Joe:

You go first with your last thoughts.

Justin:

Okay. So honestly, I like what we've hinted at at the beginning. I like the idea, like, maybe not going for the cheapest vendor, but something that I can reasonably work with that's not the most expensive. And then I'm going to rely either on my internal program or also hire external consultants to do the in-depth quality audit and give me a good roadmap and valid advice to actually get there. Like to me, the paper at the end is the most important into that.

Justin:

Now I'm not saying do the cheapest but near cheapest, you know? Somebody I could work with that I'm not going to butt heads against because some of those people like poorly trained auditors have their own complications, you know, type of thing. But it's something I can have a logical argument with like that's outside the scope here, that control does not mean that, you know, type of thing. Like as long as we can reasonably agree on the set of controls, the scope of the controls and what they're testing to actually achieve that, that's my goal type of thing. And then I'll hire other people and put more of my dollars into an in-depth, free to site at whatever they want to get me to a good place and measure me every single year, you know, type of thing.

Justin:

That's where I think, you know, I want to spend my dollars into that. Yeah. I think this is possible.

Rick:

I think my takeaways are a lot of organizations use certifications or attestation kind of stamps as a shortcut. And that's good. That's what it's designed to do. But if you allow it to shortcut your understanding, that's a problem. It should shortcut a process, and you need to make sure you understand exactly what that certification or report is trying to tell you.

Rick:

And that align and you have to understand also, like, the risk that that report is trying to get at ultimately. Because if you're just like, oh, I have a SOC 2, it's good. And, you know, and put that on repeat forever, like, you're not getting any of the value. You're not injecting any value into that process. And frankly, you might as well just not be doing it because accepting every SOC report that's sent to you and saying this vendor is good is equivalent to not getting any SOC reports except for you're wasting time and money.

Joe:

Yeah. Really good point. So I'll sum both of those up with it sounds like you're both saying relatively the same thing as I am, which is take a risk based approach. Yeah. You need a risk based approach.

Joe:

And when you find that there's something you're not comfortable with signing off on, make sure that you have a way to escalate that, which is the risk register multiple My

Justin:

base is your program.

Joe:

Yeah. That becomes a prioritization tool for every communication you have with leadership. Yeah. And so get it in there, balance the uncomfortableness with a logged risk and an escalation to leadership. Get them to invest in what it is that needs invested in.

Joe:

But again, make a balanced decision.

Justin:

Yeah. Okay. All right. Let's review some bourbon.

Joe:

Yeah. What do we have here? It's here somewhere.

Justin:

Yeah. I was going to make you introduce us since you brought it here. So we got Jeffersons. We got the tropics, age in humidity. So just to give you a little background, if you're not familiar, Jefferson has been doing some experiments for quite a few years now.

Justin:

They originally came out with their oceans where what they do, they take barrels of their aged whiskey and they put on ships and they leave it there for how long they age it for three, four, five years. I don't know if Jefferson lists out how long they age it for. A lot of distilleries keep that kind of on the back end into that. But essentially they age it for the life of the barrel in these ships. And a lot of the times what they claim with this is that the swishing of the ship helps kind of age it a little bit faster.

Rick:

Takes some of environmental

Justin:

stuff like the sea salt and the ocean air and all that stuff actually, you know, through the barrel and gives it a flavor and everything. This one is after the oceans. This is their kind of next one where it's still on a ship but they put over in Singapore in the area there and aged it. So they call it their tropics. Thoughts on tasting?

Justin:

I think the notes they said was toffee, toffee, some spices,

Joe:

aromatics, vanilla, caramel and toffee and a textured full bodied finish upon sipping.

Justin:

Yeah. So

Joe:

here's what it says. In May of twenty twenty one, they shipped a limited number of barrels of fully mature Kentucky bourbon across the Pacific to Singapore, eighty-five miles north of the Equator, for an additional eighteen months in Singapore's unrelenting heat and relative humidity. And the other thing they said is that they concluded that the bourbon's aging environment creates a powerful impact on the liquid profile. So that's what led them to create the first one on the ocean.

Joe:

Then this one here aged in Singapore.

Justin:

Okay. Gotcha. So it does have I definitely know it's a spice onto it. It does add a little bit to it. Now I will say as kind of a devil's advocate, a lot of the bourbon spirit community kind of claim that it's like, oh, it's just marketing, you know, like they're marketing.

Justin:

I think this bottle retails for about $100 into that. So they can throw an extra like $30, $40 because it's special, you know, type of thing. And there might be some truth to that. But it tastes I like it. Yeah.

Justin:

And it's good.

Rick:

Don't hate

Justin:

this at all. Good sipping.

Rick:

Reads a little hot

Justin:

to me. Yeah. What's the

Rick:

It's 52.

Justin:

52. Okay.

Joe:

A little chip of ice. But

Rick:

I like the flavor. It's very sweet

Justin:

up front. Yeah. And you mentioned with like some of the tasting notes, it almost seems more of a wintery drink. I don't get the taste out of that.

Rick:

Yeah. You know? The tasting notes are wintery. Yeah, exactly. It just doesn't feel wintery when

Justin:

I sip it though. Absolutely. Yeah, I agree. But yeah, if you want to try it, it's a nice easy drink. I'd say middle of the road, you know, bourbon, you know, for me.

Justin:

Probably not worth the $100 I would say, but not bad. Know? So cheers, guys. Cheers.

Joe:

So it's probably time for our friendly monthly BSides I love it. So I won't go into all the details because we've covered those in the last couple episodes. But July 11 at the Rivers Casino, still on track to sell a thousand, get a thousand people there this year. Ticket sales are going great.

Rick:

Yep.

Joe:

They For the first time ever, we've And I think this must have worked. A lot of people more than who have ever bought before by this time have purchased tickets because April 15, the price went up a little bit. Not much, went up a little bit. It goes up again in June. Go check the website for when it goes up.

Joe:

And while you're there, just buy your ticket. And so the other thing is we had a great whoever told everybody to go submit papers did a great job there. So thanks for telling all your friends. We had a record, I think a record number of call for paper submissions that closed on April 15. Remind me, you don't

Justin:

have a second submission. No. No. It's closed. Some CFPs have like to like they close and then reopen it and then close it again?

Joe:

Yeah. I mean, we've done it in the past when we needed more submissions or we underestimated when we should have cut the set the cutoff date.

Justin:

Gotcha.

Joe:

This time we kind of pushed it out to what we've extended it to before.

Justin:

So you have enough and

Joe:

We received in the eighty, ninety range, I think, of submissions. They're

Rick:

being

Justin:

built

Justin:

on

Rick:

How

Joe:

Three tracks. So about eight talks per track. About twenty, twenty four talks.

Justin:

Does that include lightning talks?

Rick:

Minus some lunch plus some lightning.

Joe:

Yeah. So I'm not sure exactly what we're gonna do. And as we find great talks and if we get like several lightning talks, could be more talks and we might sacrifice or get a couple in an hour versus one.

Justin:

Yeah. Yeah. Got it.

Joe:

Yeah. So that's that's that's the deal. bsidespgh.com. B S I D E S P G H dot com.

Rick:

Tickets aren't getting cheaper.

Justin:

Nope. Yeah. So definitely sign up. And we mentioned last time there'll be an after party. So definitely plan on doing that.

Rick:

And there is a hotel block. Although, is that expiring or is it expire? No.

Justin:

It's in June and it expires. It

Rick:

does expire.

Joe:

Will expire. So early to hotel, baleeny hotel. There's other hotels down there as well. And oh, we also have We still have a few booths left. They're going fast.

Joe:

We just got payment for several today. So if you're a sponsor listening, thank you very much for sending that money in. And all the money for this, it goes right to either funding this event or seeding the next event. And some of it we donate to worthy cybersecurity related causes. None of it goes to the pockets of the organizers.

Joe:

And

Rick:

if you liked the food last year, it'll likely be similar this year.

Justin:

I forget what the food was, but it was good.

Joe:

Lots of buffet.

Justin:

Yeah. All right. Great. So I think we have what? Time for one more and everything.

Rick:

Do you pick one?

Justin:

Yeah. Is there one specifically we want to talk about? Go in order?

Joe:

Yeah. We can do you know, there's we'll throw this out and you could be jealous if if we didn't cover it. But the CISO's Guide to Avoid Jail Time. Oh, yeah. That was one.

Joe:

Another one is, Should I Start My Own Company? And then the last one we were debating was the MITRE CVE issue, which turned out not to be that big of an issue.

Justin:

We should hold that to next time. I want to talk about that more in-depth. Feel like

Rick:

I'm spend some time on that

Justin:

with it. But I honestly want to do the company one. Do it.

Joe:

Yeah. Let's start off.

Justin:

The jail time, we've kind of talked about that. We've covered it. And that article was good, but it was like more we're already talking about this one topic. But it's like start up a council that you could shift the blame to was essentially the sum of it. Sounds like a foundation.

Justin:

Yeah. It's like start up some stuff that other people take the responsibility to treat and race If

Joe:

you used a software as a service that had a SOC 2 that you then make sure that whoever signs off of moving forward is part of the committee and you're not doing it yourself. Yeah. That's the whole thing.

Rick:

So, topic you did want

Justin:

to talk about, So, Justin, tell me. So, why would you start up a company that accepts, you know, CECL work? Oh, good pivot. Good pivot.

Joe:

Nice. See, didn't pivot it all. So, you were saying you got asked this question, why would I or should I start my own company?

Justin:

Yeah, got asked this at Tris and everything. A college student came up to me. He's like, Hey, saw you have your own company. Would you recommend me starting my own company? And it was a very broad question, that type of So,

Joe:

I'm very interested if you can talk about how you addressed it then. I also want to understand if you'd even recommend to a college student coming right out of college to start their own company or

Justin:

Well, I think that's the wrong question to start with. Right question is what value you're trying to provide to other customers. That's the question you start with in any endeavor that you're looking for. Even if it's just internal into that. Like you can be what they call an intrapreneurial where you're like very

Joe:

entrepreneurial. Yeah.

Justin:

You're very entrepreneurial minded type of thing but you're serving company.

Joe:

You're helping your own company you work for succeed.

Justin:

Exactly. Into that. And that's the first thing you need to kind of cover is like what is your value add proposition to customer base? And it might be it doesn't matter what age you are at that. I think it's better to get a little bit experience underneath your belt to be a little bit well rounded, you know, on how businesses run, how they think, how culture is terrible or something like that.

Justin:

Like right out of high school, you might not get some of the pitfalls, you know, that you would run into if you've served in an organization or something alike. But it's not necessary, you know, into that. If you have a good value, you can kind of figure it out on the way to, you know, growing your own company and failing and succeeding and all that stuff. The biggest thing is I think a lot of people underestimate how much work actually doing your own company is. And another thing as well is understanding that you have to wear all hats.

Justin:

Like a lot of people say that, but when you don't really like sales or marketing or promoting yourself or stuff of that nature and now you're in a business that if you don't do that, you die, you know, type of thing, like getting that past somebody is like you have to get past your uncomfortability about a topic very fast or pay somebody else to do it for you. And a lot of that is just, you know, you have to understand that you have to do this to survive. Sales is a huge thing. A lot of people aren't natural salespeople. Like to put themselves out, to be uncomfortable, to ask to get somebody's money, like I almost feel like that's a train thing most of the time.

Rick:

You have to learn to hear no. Yeah. Which is not easy naturally for me.

Justin:

And sometimes we ignore no.

Rick:

To hear no and keep going. I guess it's the actual thing.

Justin:

When you hear like, yeah, got another company I'm interested in, but then you keep talking and they say, well, that's fine. But let me tell you a little bit about our company and how we're a little bit different, to kind of pivot the conversation into listening to that. And I've won deals just based on that. Find a common ground somewhere, you know, and it's like, oh, you've been involved in that. So have I.

Justin:

And oh, okay. Yeah. Why don't you send me a proposal and, you know, all that stuff. I'm sure like you're the biggest out of all this, owning our own company. You've seen that probably dozens of times, you know, where they're like, we're good with Deloitte or E and Y, but, you know, let me tell you how we're better than some of those companies and everything.

Justin:

And then once they kind of give you that little crack, you shove your crowbar in and Yeah. Or let

Rick:

them come to you depending on Yeah. Yeah.

Joe:

But should you start your own company? I don't know the answer. I don't know the answer to that question applies to everybody all the time. What I'm thinking about is I've always wanted to start my own company. Yeah.

Joe:

For many, many years. So why? I'll come back to myself. Okay. I'll come I'll hit that first.

Joe:

Okay. So why? It's because I wanted to be able to craft my own direction that I had ultimate control over. What I always didn't realize is how much responsibility that makes me have to have as well. And I'm not just responsible for me.

Joe:

I'm not just responsible for putting a house and food for my family. But now I'm responsible for every one of my employees and their families and all the things that keep them happy and healthy. Yep. And so it's a larger burden than you originally think about when you think about the idea of, well, I wanna hang my own shingle and craft my own direction. And then it's, well, that's great, but what else does that mean?

Joe:

And so thirty years ago, twenty years ago, I may I I had the same idea. I wanted to be able to go out and do something, but I wasn't ready then because I didn't have the experience from This is why I was saying, could somebody coming right out of college, could they? Yes. Should they? Maybe.

Joe:

Will they always be prepared? The answer is no. They'll never be prepared.

Rick:

Absolutely no.

Justin:

I mean, entrepreneur, first time entrepreneur is never prepared. Like forget

Joe:

about that. I would say you're never prepared for what you're getting into, even if it's your fifth company, you're still not going to be prepared for all the things. So you need some experience.

Justin:

I think I

Rick:

have a different answer, but it actually aligns with a lot of what you guys were saying, which is I would unequivocally recommend that if a in college or just exiting college person has the stability to

Justin:

start a business, right, they absolutely should. They have the least rely not reliability, but dependencies onto them. Don't have to, you know, believe

Rick:

you should. And because I think If fail, you're just another kid,

Justin:

you know? Well, and again,

Rick:

if you're like gonna be planning on living with your parents for a year anyway, whatever that is, if you have the luxury, and it's absolutely a luxury, right, to not go hungry, not go, you know, houseless, all that stuff, and you can start a business, I would say absolutely yes, because a couple of things will happen, in my opinion. You will learn, you'll be forced to learn most likely, all of these things that we just talked about. Is this for you or is this not for you? What does it mean to actually be the person that sells the thing, but also has to build the document templates, but also has to review the contracts, but also has to deliver the thing and do all of the things. You understand what you like, what you don't like.

Rick:

You'll gain perspectives that even if you recognize that entrepreneurial stuff isn't for you, you're gonna gain skills and perspectives that future employers are going to find extremely valuable, both in your breadth of the things you have to deal with and the business context that you put it in. The only caution I would say with that is that you should only do that if you have enough stability to do that. But if you're going to overly rely on that stability, you're not actually starting a business. So there's a delicate balance there of being hungry enough to actually do it. But knowing that, Oh, you're actually not going to starve if it fails.

Rick:

Because right out of college most people's things fail, and this is for people that have been in industries for years and years and years and years and years and have all the contacts and experience. Right out of college, you might succeed. It's unlikely, but that's okay.

Justin:

It's unlikely no matter what.

Rick:

It's unlikely no matter what. And there's so much knowledge to be gained in the failure.

Justin:

Yeah. And I feel like if you're starting a business, probably not going to be the service area type of thing. A consultant. You're not going to start up a consulting company right out of high school type of thing. They're looking for experience for you to educate other businesses to say, I've done this before.

Justin:

Here's how I'm doing it for you, you know, type of thing. It'll probably be product wise or some type of maybe a service that's like a bridge service, you know, just makes your life easier, you know, type of thing or Or

Rick:

I could say, start a business in an industry that's not even what you're going to do potentially if it's not going to chew up too much time. Like starting a business doing lawn care is going

Joe:

give you That's funny, was thinking this example.

Rick:

Is going to give you so much experience and useful knowledge that'll be useful later on if you do want to start a business in an industry that you're into.

Joe:

So I like that. And it's get experience starting and running a business. Doesn't matter what it's in. If your purpose, if your objective is to learn how to start something and move it along. Now, I found a couple of things.

Joe:

One is actually you all know, and a lot of people listen to this might know my co founder, John Ziola. So he very intentionally took jobs in different industries throughout his career. So he could get to the point where he knew he wanted to go and get into running a business, entrepreneurship, some kind of consulting and engineering mode. But he has a background in a variety of things. I always admired what he did there.

Joe:

He went and did some things in banking and in retail and in higher ed and in things that

Rick:

have lots of A really intentional path.

Joe:

Yeah. Yeah. PII. And the places he worked also had a huge variety of technologies that he got to put his hands Yeah. So that really helped.

Joe:

So if you're wanting to do it someday, you might actually want to mirror a path where you go and say, that's my goal. And I want to finish you call it education, the first like ten years of your working experience, doing different things so you can come out and be qualified to do what you said first. What service do you want to provide? So thinking about it from that standpoint.

Justin:

I remember I had a little consulting when I was like 18, like fixing people's computers, doing little websites. At first, I was embarrassed sending somebody an invoice asking for money, you know, type of thing. Like I remember this to this day and everything. That's not the case anymore. Know, the day I can send an invoice out, it's going out, you know, so I can start the clock.

Justin:

But like I remember back in the day, like it, I was asking somebody for somebody else's money and it felt weird. Know, awkward, Yeah. You know, to send somebody else an invoice and say, pay me, you know, type of thing. So yeah, it was you have to force yourself to be uncomfortable a lot of times. And one of the advice I will give, you know, being self employed now for four years, five years?

Justin:

Four years. Four years. Something like that. Pay other people to do the stuff you don't want to do. Like, there are a number of things that I'm not good at or I just don't like to do.

Justin:

I've even hired Joe's company to do some stuff that I didn't want to do, you know, type of thing. And his team was phenomenal at it, you know. It was grunt work, you know, that was like, I don't have time to do this grunt work. And it was great, you know, like at the end. So get it, surround yourself with people that make you successful and focus you focus on the sales and the quality and the deliverable of what your core product is and then, you know, and pay other people.

Justin:

I'd rather take a little percentage and have most of my time, You know, I'd like get a little percentage of it and have most of my time back than have to eat up twenty hours of my week and, you know, and And I just

Rick:

I think there's so much value understanding that comes from the thing that you just said in terms of now you know. Because you've been forced to wear all the hats, you know which ones fit well and which ones are extremely And so you can pay people to do the ones that are uncomfortable, but that transcends all the if for some reason, I don't know, five things happen and quantum and AI and all this stuff and none of us are employed in security anymore, right, you still know the types of things you like to do and the types of things you don't like to do. And you'll take that with you in a bunch of walks

Justin:

a lot.

Rick:

Yeah. Think that's huge.

Joe:

Yeah. Couple of different takeaways I had from what you said. One is when you were 18 and you were doing that, you just liked to build websites and meddle with computers. Right? Almost felt awkward asking somebody to pay you for something you enjoy that's exactly So if you're going to go and start a company, do something that you enjoy doing.

Joe:

The other thing is, and hey, if my team's listening, he didn't mean grunt work, because there are people who actually enjoy making sure that governance documentation is ticking tied. And it's all good. So the thing that you may not love doing, somebody else might. Now, I'm not saying my team really enjoyed it or not. I'll let them tell me.

Justin:

That's a natural progression of junior people going up to senior people. You have to do more manual tests. It might not be as mind challenging, but it's just you have to walk through it at a meticulous level.

Joe:

But if you actually enjoy that stuff, that's the thing to go and do.

Justin:

Oh, those people are super valuable.

Rick:

Well, it's

Justin:

like because I don't enjoy doing that. So like at certain times, I've had people on my team that enjoy that meticulous stuff, I'm like, they are gold to me.

Rick:

Right. But you have to remember that there are other people in positions where you're gold to them because you enjoy walking into the room and challenging the auditor, and they couldn't think of anything worse than that.

Joe:

Oh, absolutely. Or whatever it

Rick:

is, right? And everyone has those things. My brain is broken. I like messing with big data sets, particularly in Excel, but it can be in a bunch of different tools, MATLAB, whatever, SQL. I really like doing that.

Rick:

And when I can, I'm like, Oh, this is cool. I'm into this. Is it the most valuable use of my time? No. Based on where I am right now, it's not.

Rick:

But when I can actually do those things, I super dig it. Yeah. Yeah. Right? So I think everyone has often more than one, but a couple of those superpowers.

Rick:

But the thing to keep in mind is the thing that you're paying other people to do because you hate it, just recognize it. If there's a thing that you love, like, someone's probably willing to pay you to do that thing.

Justin:

Yeah. Yeah. Yeah. Like my SEO contact, I'd love it. I've referred out multiple times now.

Justin:

I got through you. Yeah. You know, a friend of yours worked with another girl.

Rick:

Yep.

Justin:

And now I refer all the time to different stuff,

Rick:

you know, so And Joe and I, we both work with an individual we really, really like. So it's interesting how all that works. But it just so happens that Joe and I both don't enjoy a couple certain elements of business development in certain ways. And so when you can have someone like take that component of things and do it, it frees up your time, frees up your energy, allows you to go do things you enjoy more. That's huge.

Rick:

Knowing that about yourself is so important.

Justin:

And that's a really important thing. We're getting into more of the psychology of it. There are tasks that give you energy and there are tasks that take away energy. And I always want to maximize the time that give me energy and try to push off all the tasks that take away energy. That monotonous stuff, like I say grunt work, every time I hear in my head the Murtaugh, I'm too old for this.

Justin:

They're like, man, I've done this for years. I don't want to do another rock. I'm too old for this.

Rick:

But I love your point. But there are people that love doing that, that's their specialty, and that's what they want to do, and that gives them energy.

Justin:

Yeah. You know.

Joe:

And so the other thing is, is starting a company right for everybody? And there's a lot of people who they don't they don't want the burden of the risk. They they don't want to deal with having to wear all those hats. Yeah. And and and it's okay if you're never want to start a company because you may not actually enjoy doing all the unenjoyable things that a lot of us have to do to get that done.

Justin:

And I would say if your motivation is money, it's probably not right. Most likely it's not right for you to start it, you know, type of thing. I mean, eventually we're all hoping eventually like we'll get there, you know, from a money perspective. But if that's your primary motivator, you're doing it for the wrong reasons. Know, like there are plenty of jobs out there that you make boatloads of money and have less stress and not take it home with you and all that stuff and everything.

Justin:

So it is if money is the primary motivator, you mentioned like freedom and all that stuff. Mine was like freedom to a part, but I have a very, and you guys are laughing me at this, conflicting personality. Know, like one of the things I tell with any of my bosses is just keep me in the loop, you know, with certain stuff. But when they start like shielding me from stuff and I ask questions, I'm like, well, why don't why aren't we doing this? Why aren't we doing it this way?

Justin:

It makes sense that we do it this way. They're like, Justin, just do it because I said so. That rubs me the wrong It's like, what are you talking about? I have a very entrepreneurial spirit. I work with people, expect to help me understand why we're making this decision.

Justin:

Why aren't we doing this now? If you're telling me like this isn't the right time because we don't have the budget, okay, I get that. You know, like, that's a logical thing. But if you're like, hey, Justin, we can't do this because, you know, you're asking too many questions, so just, you know, back off. I was like, no.

Justin:

Like, what are you talking about? Like, I'm trying to do my job. You know, it's very logical. Like, I had one employee. I won't name names.

Justin:

They wouldn't share with me what my employees were making from a salary perspective. And I'm like, Why not? Like, who's looking out to make sure that they're justly compensated? Like, I've given them performance reviews. I never saw what their bonus was.

Justin:

I never saw what they were escalating up. I don't know what they're making today, you know? So who's watching out? And it turned out they're like, Oh, we do studies. We do studies once a year to make sure everybody's appropriately compensated.

Justin:

I was like, Okay, you tell me that. I don't have any visibility into this, but all right, you know, type of thing. And then an employee came to me months later, literally months later, like, I got a better job, you know, offer. I was like, Okay, you know, and what was it for? Like, you know, they gave a number.

Justin:

I was like, Well, what are you making now? And it was literally, they worked with us for like four years and they got like a $5 raise over those four years and it was a $30 difference. And I thought they should be up to where the job was off. I was like, what are you kidding me? Know, like three certifications later, way more responsibility.

Justin:

And then like I hear this, I'm like, that's not

Joe:

gonna tell you. One of the reasons you like being an entrepreneur is you don't have to worry about not having all the information to make the Exactly.

Justin:

It's not like, again, like I say conflicting personality, but I just want to understand the full picture. No matter where I'm at, I want to understand the full picture. And if there are reasons that are justified, just help me understand that. I might not even agree or disagree with it. I want to understand the reasoning to why we're doing an action.

Justin:

And most of the culture is very protective of their own jobs. And you get middle management, they don't share all details to the reason why. Either they don't know themselves or they hide it, you know, from the general employee, you know, type of thing. And I don't do well, you know, into that situation there. You know?

Justin:

So if you're

Joe:

going to start a company, find something. I'll go back to the very first thing you said, was, you know, the feeling awkward for somebody paying you for setting up that website and getting their computers for the thing because

Justin:

Lean into that feeling. You just

Joe:

love doing that kind of stuff. It was fun for you. And for someone to pay you, it was almost awkward.

Rick:

I would do it for free doesn't mean you should do it for free.

Joe:

Right, exactly.

Justin:

And I didn't want to do Again, it was an awkwardness of me asking for money, you know, type of thing.

Joe:

So a tip is upfront is, hey, here's my service. Here's how much it costs. Is this good? Set those expectations upfront, and then you're just asking for the thing that was already agreed to.

Justin:

Right. Yeah. So

Joe:

Yeah, I like it.

Justin:

Yeah. That's great. So, I think at the end of the day, if we're given final advice and everything, do what you love. If it is a good product or service that you think you're ready for, understand it will be way more work than you actually think it is with everything else that you have to do. As you grow, pay other people to do what you don't enjoy type of thing.

Justin:

Get good people around you to do that. I'll actually like pivot a little bit. I had a revelation. I told you guys this. Like I was trying to build a PISCE by myself for years, you know, into this.

Justin:

And last year I'm like, I can't do this. I can't do consulting and develop a website. Like I would do 30 of like consulting and then try to build a website. At the end of the day, it's just like it was like a no go, you know, type of thing. And finally last year, I hired a full time developer and he's been phenomenal, you know, into that.

Justin:

I hired a marketing girl last year. Like, I'm not good at being consistent on posting. Now we're posting every single day under a Piskey. We're posting multiple times. She does all the DSP stuff.

Justin:

We're starting to get into my account and everything. She's phenomenal. Like, I love when people like lift it off me. I can see what they're doing. Give feedback.

Justin:

Do the direction. But at the end of the day, I don't have to do the meat of the, you know, the work, you know, into that. Buzzy is a great one, you know, too. Know, like, again, I I dip my toes into, like, what it would be like to actually cut and put the audio and sync it up and intro for outro. I'm like, yeah.

Justin:

And I got the connection through you, Joe, with one of your former employees and everything. And he's been phenomenal. He does all the cutting and everything.

Joe:

And I hope he loves doing it. He does a fantastic And the thing that you hate, this goes back to what we talked about. The thing that you don't like doing, somebody else loves doing. And they get it done very well.

Rick:

And a

Justin:

lot of times, those tasks that we do, like it would take me three hours in some type of Photoshop or whatever that it would take somebody ten minutes, five minutes to do. You know? Like, I don't know all the hotkeys, shortkeys, capabilities, but you get people who are experts. They're like, Yeah, I'll do that. Two seconds.

Joe:

You know, a really great wrap up. So don't forget, get your third party risk management in order. Know what you're doing. Sign up for BSides. Yep.

Joe:

If you like it, get some of this. But Justin said, don't overpay.

Rick:

It's alright. Alright. I think it's tasty.

Justin:

Yeah. I like it. Would you spend a hundred dollars for it? No. Yeah.

Justin:

Okay. Yeah. But it's tasty.

Rick:

Yeah. I'm happy to drink it.

Justin:

If somebody gives you a free one, drink it.

Rick:

So and

Justin:

it won't be out by that time, so I'm not gonna say it. Alright.

Rick:

But, and I think if you have the opportunity, if you have the luxury of starting a company, I think even just from a personal development perspective, it's worth doing. My two tips would be, one, do not underestimate the power of your network. That is, like, everything.

Justin:

And

Rick:

it will pay dividends forever. Yeah. Can't stress that enough. And then two, just to lean into what you said, you know, find those tasks that give you energy and lean into those things and find people that are willing to help you either professionally or personally or whatever with the things that take energy.

Justin:

One more while he's born. Always be selling. That's a big thing that, like, I learned early in consulting, because if you go into the consulting business, you do the work. But if you don't have somebody selling at the same time as you finish the work, you're like, I gotcha. Oh, boy.

Justin:

Where's the next work coming from and everything? So you need to always be selling to keep that pipeline, keep the pipeline full. You know, 12 episodes. Hey, cheers, guys. Cheers.

Justin:

Many more. All right. Well, thank you everybody for tuning in. Don't forget to like, subscribe and comment. We'd love to hear your thoughts on what you're looking for topic-wise, and please feel free to reach out to us.

Justin:

Thanks, everyone.

Rick:

Have a

Justin:

great one. Bye. It was so funny. It was so funny. Did you do the thing yet?

Justin:

Yeah.

Creators and Guests

Joe Wynn
Host
Founder & CEO @ Seiso | IANS Faculty Member | Co-founder of BSidesPGH

Justin Leapline
Host
Founder of episki | IANS Faculty Member

Rick Yocum
Host
Optimize IT Founder | Managing Director, TrustedSec