In this episode of Cyber909, host Den Jones introduces the podcast's focus on cybersecurity and beyond, emphasizing discussions on emotional health, the future of security, and other off-topic subjects. Den welcomes his guest, Nic Moy, the Chief Security Officer at Scrut Automation, and highlights Nic's extensive background in the security industry, including his work in the Obama administration on cybersecurity policy.
Nicholas Muy is the Chief Information Security Officer at Scrut Automation, where he leads cybersecurity, data privacy, and compliance. A vocal advocate within the security community for building security programs that align to business objectives. Previously a security and strategy leader at Expedia Group in security engineering and architecture and M&A. Prior to this, a cyber policy strategist in the U.S. Department of Homeland Security. Passionate about security, Nicholas is an active member within the security and technology community promoting responsible innovation and building security.
Narator:
Welcome to Cyber909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and Cyber Aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for Cyber909, episode 10 with Nic Moy.
Den:
How folks, welcome to another episode of Cyber909, your podcast for a little bit of wit and wisdom, and we are the guys that we avoid the breach conversation and why did it happen and how did it happen? Every now and again, we might put one of them in, but we'd rather talk about other interesting off topic stuff, everything from emotional health to the future of security and where we see things going. And with that in mind, I got my good buddy, Nic over here, Nic, to CSO at scrut. Nick, why don't you introduce yourself just so I don't screw it all up.
Nic:
No problem. Good to be here, Den. Thanks for having me. So ciso, scru Automation. As Den said, I lead all our internal security product, security, security operations, compliance and everything at scrut. We're a 2-year-old, two and a half year old GRC compliance platform and help our customers with automation and managing their risk on an ongoing basis. A little bit about me real quick, besides being the privilege of being dense friend, I been in the security industry a long time. Started was in the security engineer at Expedia Group for many years. I did security, engineering, architecture, operations, product, everything. The privilege to see and unsee problems from the big company side have also been a CISO at multiple startups and seen it from both ends. And prior to that was in the Obama administration doing cybersecurity policy a long time ago.
Den:
Yeah, I was just about to say, you're another one of my friends who has circled around the halls of the White House doing some marvelous work for our country. So thank you for that. Nic, I think as part of your NIST work though, you were doing some of the writings in those documents and the collaboration. So what was your involvement on the whole NIST business?
Nic:
Yeah, no, on the cyber framework, there was, for people who don't know this cybersecurity framework, when that was put together back in 20 13, 20 14 timeframe, the precursor to that was an executive branch executive order. It came from the White House for DHS, NIST and a number of other public private sector partners to work together to put that document together. And a lot of the focus I had in my angle and at the time was on risk management and what is the future of cybersecurity at a policy level? How do we bring risk into this? Risk means a lot of things for every industry and at every level. And in the cybersecurity framework, my focus was really how do we make this, how do we focus this being on outcomes based, not a prescriptive document and that this, we don't need to go create P-C-I-D-S-S 2.0, we don't need to create HIPAA at 2.0, that's never going to work because that's why there is A-P-C-I-D-S-S, that's why there is a hipaa.
Those are for different industries, different kinds of businesses, and we didn't want the cybersecurity framework to be co-opted into someone's pet project to be the prescriptive framework for the be all end all. That was a real kind of knife fight and to keep it outcomes based because what we said was, it's not telling you how far you need to go, but it is giving you a set of dimensions to make sure you're looking at it in a holistic and complete way so you don't have to start from scratch. And I think a lot of us take for granted that now everyone's trying to tell you how to do it. Everyone's got a point of view.
Den:
And I mean even putting together the security framework, there's a lot of fingers in that pie, right? I mean, so getting progress, I mean I can't imagine how many people were working on it, but you got a lot of people there to try and appease. And I remember I was at Cisco once and there was about 75 people had had some involvement in this document about their zero trust, zero trust at Cisco internally. And I'm like, there's too many fingers in this pie. And you could just tell because there was conflicting information as you go through the paper. And I think the hard thing for you guys doing the NIST stuff was it is not just an internal, like a company document. It's something the world sees and the world's going to criticize or celebrate. I'm sure you got a mix of all of it. I kind of see those as one of those impossible government tasks that it doesn't matter how good you do, you're still going to take some shit somewhere along the line.
Nic:
Yeah, I call it the save the world memo. We all go write one at one point in our career. No, I mean that one was a, there was a series of workshops around the country for that version I heard for version 2.0. They actually went around the world, not just around the us. So that's great to hear. And the workshops were held on university campuses around the country, private sector was there, academia, everybody and everybody was there. So the Microsoft, Ciscos and Apples and everybody were definitely out there in force, but as well as representatives from the oil, natural gas sector, telecom, everyone felt like they had an investment in it, is how I could put it. And so it was nice to see everyone cared so much. It was great. Back then we used to say nobody cared and it was true. I mean, compared to 2024, the way a lot of politicians think about cyber, before it was a very kind of small group of people who cared in Congress. Now everyone's kind of got an opinion, which is different, but I think on the whole net net, that's a good thing. People need to care. Companies need to give a shit.
And back then that was a question, should companies give a shit? This is the government's problem. Is it the company's problem mean? Which sounds kind of crazy. Sounds kind of crazy to think about, right? 10 years later, we're all going on for a few decades. Every one of us in the security industry, we're neck deep in this stuff. And some of it feels like it hasn't changed at all and some of it changing constantly.
Den:
I mean, I would love to say that the technology changes constantly, but I don't know if the problem changes constantly. The problem seems to be get the basics right half the time. And we always have less budget, we always have less resources. We're always asked not to break shit, but we're also asked to secure stuff. And I've always had this, not always, I've gained this view over probably the last 15 years, which is I don't think CEOs or the boards really give a shit most of the time. I think they just don't want to be in the news. And if they could spend less money on security in it, they would because it's an expense. It's like an insurance policy. You don't want to pay State Farm for your bloody car insurance because you're like, it's bullshit, but you have to have it. And then if something bad does happen, then the real question is, would you have paid less for the insurance or State Farm or do you pay less because of the accident and cyber?
When I think and translate that over, I'm like, if the cost of doing nothing is a million dollars because we got breached and it cost us a million versus the cost of putting in some shady little bit of software, that doesn't always work well being like 500 grand. Do I want to pay the 500 grand and stop the thing? Or if it was more than the million, I'm not going to pay that. Maybe I'm just going to accept the risk. And I think in our industry it's when we have less budget and less resources, then you're looking at the top things you're going to buy this year or spend your money on or where do you invest? Not every vendor is going to get your attention or your cash.
Nic:
No, no. I mean I think it's an important reminder. Many wiser people, I've said it to me on many occasions in my career that at the end of the day, it's not about the computers, it's not about the servers, it's what they're for and for your business, is it running your online point of sale for an e-commerce company for your hospital? Is it running your patient medical records systems and billing and appointment scheduling and operations, and what is all that technology for? That's what the CEO and board cares about. I mean, they care about it in so much as it's for something, I think it's easy to lose sight of that a hard problem. It's not easy to secure everything, but you can't secure everything. So I think what are you Secure?
Den:
Yeah, so that's exactly it, right, is you make a conscious decision as a security practitioner, you make a conscious decision on what are the crown jewels. And as well every business, their crown jewels are different. But within a larger business, different teams think their crown jewels are more important than others. And you're like, I'm sorry dude, I don't care about your marketing shit. It is marketing. The only time I'm maybe going to be a little concerned about that is if I'm at a huge organization where they're about to unveil their next bloody golden egg, then the thing around the golden egg, it doesn't matter whether it's marketing or sales or whatever, whatever. But the thing around the golden egg, that's the thing you're protecting. So yeah, man, I think a lot of people forget we're running a business and the goal of the business is to make money. And anything that gets in the way of making that money is detrimental to the business security. I think we got to try. And also depending on the business you're in, if you're the security vendor and you're in the business of security and you get breached, that might have a different implication than if you are selling shoes.
Nic:
Yeah, no, a hundred percent. I mean I think these are all, they're must ask questions. We don't have time or money to be doing unnecessary security where we don't need it. And like you said, it is not necessarily easy, especially if you have a lot of stakeholders who all want an opinion on what is the most important thing and what the crown jewels are. So yeah, you're going to have to be pretty assertive about, hey, what is that process and how are we going to cope, kind of litigate, determine that throughout the company, especially out of Cisco and Expedia, Microsoft, when you have hundreds of thousands, tens of thousands of employees, just figuring out your list of crown jewels is a, that's a
Den:
Project. And yeah, man, God, yeah. Hey, that's a whole different podcast. That could be a whole different hour of a show.
Nic:
I could feel the PTSD.
Den:
Well, I was just getting back to at Adobe, you're doing data classification and then you're like, okay, well depending on the different data classification, then we're going to do this, this, or this. And at the end of it I'm like, how does the 40,000 humans know what classification is that file they're working on? Oh, you gave them training once a year. That'll help. That's it. You nailed that. You nailed that shit right there.
So yeah, so I'm like, oh man, data classification, let's not remember that. Right? So I guess nothing is allowed to exist this year unless you use the term ai, everybody. It doesn't matter whether I'm doing a slide or a podcast or I walk in the street to bring the trash can in. I need to mention AI to at least one passerby, otherwise it's not 2024. So ai, we were sharing pre-show that the number of times you're getting hit up and people trying to sell you their shit. So what does AI mean for Nick and Nick? What are you looking for when you talk to vendors or even internally about ai? What's important?
Nic:
Yeah, no, good question. And yes you can Sam Altman, thanks you for mentioning it for all of us, right? Yeah, a couple pieces. So yeah, what do I think about it and what does it mean? Well, what does it mean to me first, what it means to me is ai. If you're talking, I think a lot of us, especially this year and since 20 21, 22, are referring to generative AI models, large language models, let's just call 'em that and LLM specifically. And prior to that we had a lot of machine learning and other neural networks and progress that had been made on that type of applied the application of ai, I guess methods where it's really a fancy way of describing learning. I think of it as like, look, it is a technology, okay, it's just like it's both a technology and a concept. It's not a single thing.
And you have to talk about, are you talking about AI as you use it, the LLM itself? Are you talking about the features built on top of it? And this is no different than when we were talking about cloud 10 years ago when we were talking about migrating from SQL to no SQL databases and putting unstructured data and documents into massive databases, and we've been able to move beyond the shackles of SQL tables and yada yada yada. And large language models as far as that goes for me is like, Hey, this is something we have to understand how it works. We cannot underestimate its impact to our products as a product company. We have to understand how it works in our products as a company for our operations. We have to understand how it works relative to our users and our employees and staff and how we use it. But making it any more than that is just kind of unnecessary. It doesn't get the job done right? Because you could talk about it as some ephemeral, nebulous kind of other worldly divine shit. And then that's stupid to me in my mind, my humble opinion because I think you can't do anything about that. You can't do something about some ephemeral magical crap. You have to just be like, look, if this has been our product, we still do threat models, we still do, design reviews haven't
Den:
Changed, we're still doing the job.
Nic:
I was like, Hey. It's like, hey bro, it's like talking to your developers like you rebuilding products with using LLMs. Now that's fine, that's cool, but it doesn't change. But we still have to do stuff around that. We still have to go look at what are the inputs and outputs. And I gave a whole long talk where, and I did a bunch of research for this talk. I'm like what it means to do prep modeling for l LM based applications, which is very different from a lot of, there's a lot of good interesting discussion that is related, but not the same thing where it's like threats to the LMS themselves. Threats to the LMS themselves is very much like an anthropic open AI kind of Microsoft Amazon Apple concern. Unless you are hosting a massive LLM with bazillions of users and you are directly owning and controlling all of that, you control the weights, biases, training, everything, temperature. You are doing all of that, then that is your problem. You have to worry about threats to the LM directly because the LLM, that is your product, that is your
Den:
Application. That is your product. Yeah, that's your platform.
Nic:
For a lot of us building other software products using LLMs, we have to worry about our application, how we use your product, how we use the LLM. The LM is an application in our product. We are just using it like you would go use somebody else's API, how it behaves completely. It's very different than a traditional pc. A lot of integrations, a product company like Sret or any other SaaS product out there, when we have integrations with our partners and third party vendors and whatnot, it's very deterministic. We make an API call in that call. They're these parameters as part of the API contract. We know when we make that call what we're going to get back. It's like we do this, we get this, we do this, we get this. Sometimes there's an error and then nothing happens. Then we get a response. LLM is a little different.
LLM is what it is good at. It's not to do that. It is to actually be able to give you something slightly different and that is the value. But because of that kind of inherent behavior is that it can generate a string of tokens, a bunch of words basically. That sounds super accurate. It sounds like what it's supposed to. And that's how it works. And there's a lot of great analogies, YouTube talks, everything on the internet. You can go find about that, but you can't protect that in your application like you would a database or an integration with a third party vendor you're working with that you are dependent on. You have to deal with it in a way where you're like, do I want to trust all these outputs? Do I want to trust these outputs? Do I want to trust the LLM to generate API calls for me parameters for API calls for me, do I want it to?
And you have to decide. And a lot of people are using them to do these kinds of things. That's not necessarily bad. It's novel use of it. I think those are questions that we have to be looking at. But the bottom line is we just have to go do the normal stuff we've always been doing. Where is the data flow? What is the data flow? That part hasn't changed. What is the risk and what is the use case of our application? My application does X for my company's customer, then that is what I have to protect. I need to go look for that scenario. With respect to using an LLM, I don't have to go protect everything. It's not, my company cannot. We're not trying to go threat model. How to prevent someone from jailbreaking GPT-4 oh mini. That's open AI's job. They're much more well equipped to that, right? But
Den:
Well, we hope they are.
Nic:
I just knocked on wood in case you couldn't hear that. Solid walnut. Yeah, knocked on it real hard. Hope they are. And in the research, it turned out that the thing we could start doing that didn't require any vendor product was we need to go look at what is our business trying to do with lms? What is that application? What is the risk? Okay, what is the risk now threat model that now go identify those weaknesses in your product. And I mean in that way, it gives me a lot of comfort that it's like don't make it scarier than it is. Just do it. Right. And there's stuff you're not going to know, but you won't be starting from scratch. And there's no excuse for you to say, oh, it's so new. It's so surprising. But the vendors will tell you so
Den:
New.
Nic:
It's so surprising.
Den:
Yeah, well there's that whole FUD bullshit, right? Fear, uncertainty and doubt. And then they'll market the crap out of it and blah, blah, blah. Man, it's mind numbing. And I look at it like there's different, so there's different groups. So there's engineers who are building product and they're building AI into product. There's engineers who are leveraging AI to build product. There are other teams like IT or marketing or anybody else using AI to do ship. I know people now that won't send an email unless they've ran it through chat GPT first and then all of this information, not all of it, but lots of it is going up into these vendors and whether it's a co-pilot type scenario or chat GPT just for my fancy email. But the reality is if I use chat GPT to craft the email for this new product launch, I'm now helping chat.
GPT now knows I'm about to have a product launch. Does it matter? I dunno. Now a couple of things, I've got a pet peeve I do get, and we get as a consultancy, a lot of security vendors looking to show us their shit. Usually it's under the disguise of can you partner with us? But roughly it comes down to the can you help hunt my crap to your CISO network friends? And I'm like, no, we don't do that. It's not a service we offer Nick. So when I call you, you know that you're not going to get me showing you the latest whizzbang thing that somebody's given me five grand to push to my friends. We don't want to sell our souls out like that. We're not salespeople, we're practitioners. Now that in mind, I did see a demo and on the product screen, and I can't remember some report or something, but the title of the product screen had ai, blah, blah, blah, just so that I as the user know that AI is doing this magic and AI's inside as if that's a selling point.
You hit the nail on the head a minute ago, we still need to do the tasks. The how we do them might leverage some AI but also might not. So for me, I just turned around to this person and I said, you know what? A year from now that title, that screen's going to be different. You're not going to need the word ai. It's going to be assumed that you're going to have some AI in your product because every product a year from now either has it or doesn't have to say they have it. So I will twist it over to you. You've also gone through a bundle of these little dog and pony shows. What's been your pet peeve? So one thing you really didn't like but then follow up with. What's your ask and advice to vendors selling to CISOs?
Nic:
Yeah, one thing I haven't never do seem to and have seemed to come across more than I would like, is a lot of times the solutions are really cool. They're really slick. At least initially when you start peeling back the layers of how the solution works, how cool the is kind of questionable. But that's not even my biggest problem. I think my bigger problem is when it is obvious to me they are selling a solution for an imagined problem. It's not that the solution doesn't solve anything, solves something, but who it solves it for. Totally unclear. Unclear to them, unclear to me. If it's hard for me to figure out who to solve it for, I'm looking for guidance from you. You don't have a good clear story on who this is solving it for, then it's probably why you're talking to me. Because you just talking to everybody. You're like, if we go talk to Nick, maybe he'll be interested. You know, is it solving something I need to be solved? Or maybe this is good for the CSO of a hospital. I don't know. That is the worst thing. And I think it's happening a lot in stuff with and for AI and LOM specifically because people think if they put the emoji with the little star sparkle thing, it's like you put the sparkles on something that's ai.
Den:
Yeah, man, actually my emails, I'm just like chat GPT, make my email with more sparkle. That's
Nic:
Pretty much that. Now it's an AI email, emails with ai. Yeah, I think it's kind of crazy. And that hasn't changed either as far as if you are a vendor in security or just in technology in general. It hasn't changed. It's no different now than it was before the advent of llm. It still has to be clear who this is for and what this is solving. You could build it. Cool. Kudos to you. Who'd you build it for?
Den:
I turned around to one of my serial entrepreneur friends who's started many companies, many successful companies, and he is a seriously smart guy. And I turned around and I said, I think a lot of these AI companies are getting funding from the VCs, so they're being funded. I think they're building shit looking for a problem. I think it's AI first, not problem first. And he was not overly impressed with my statement. He, he's now working on a think tank and an incubator and I'm just like, I think when you're the soc, the seam, some of that stuff, first level triage, blah, blah, blah, help reduce the noise. Oh great. That could save money. And I think one of the problems when people are selling us stuff is they don't recognize that if the marketing thing from any vendor, and you guys can be the same, right?
Strut, you've got competition if you guys all say the same shit just slightly with different fonts, different colors, but ultimately you get all the best at what you do, you're super easy to deploy, you meet all the requirements and the price is great. Well, how does a normal person know which one is really great and best without PO cing? All of them, which we don't all have time to do. And ultimately I start to say to people, I'm like, maybe your sales pitch is not any of that shit. Maybe your sales pitch is we can save you money while reducing risk because at the end of it, everybody's under pressure to save money. And if you can meet my features and functional requirements and show me that it's not going to be operationally expensive, maybe I feel a little happier with that purchase decision. Anyway. That's probably a little off tangent, isn't it? That had nothing to do with the bullshit of ai. Well, I see it. The thing is they're just using different terms. It was digital transformation before then. It was zero trust. Zero trust. Everybody was a zero trust vendor just two years ago. The same vendors, they're AI vendors now. So for me, with some zt, so yeah, but I look at that now. So if you have one ask of the AI vendors, what would your one ask be?
Nic:
I think it would be like this is of the AI vendors or I mean, which I guess is all vendors, right? Credit
All vendors out there officially. I say you are all AI vendors now since that's what you said. That's what they told us, right? Yeah. That's every vendor on LinkedIn told us they're AI vendors. So that's great. I mean I think to be fair to all of them, maybe they're at varying stages of finding it. Maybe they're having a hard time. I believe if they can solve a problem, don't try to sell it to everyone. Find out who you're solving it for the best. I would bet. And whether or not it's a good business, it's totally off. Not in the scope of this podcast. You want to talk about building a good business. We could have a different whole conversation on that, but for all the vendors out there, it's like go find who you're actually helping. There's probably someone out there who needs it. I think the challenge is right now it's like your solution isn't for everyone.
There are a lot of different problems. I mean in security, that's been true. So I don't know, not saying anything special there and in how we use LLMs both in our products and by our employees and how our employees use them to build products and everything. But you need to go find who your ICP is in that segment and focus on talking to them right now. There are a lot of people with a lot of problems. They're not all the same different sizes, just like what you were saying den about reduce my risk at a good cost and how cost sensitive a company is will vary depending on the industry. Publicly owned, privately owned, privately owned, PE backed, privately owned, venture backed, that's all going to make a huge difference versus publicly traded sitting on piles of cash
And everything in between publicly traded and going broke. And cost sensitivity is one thing versus how elastic those customers are, how sensitive they are, depends on who they are. But I think this is where it's like go find who you need to be talking to. Just because it's not me doesn't mean it's nobody, but if it is nobody, then you're in trouble. So I would go figure that out. And I do talk to a lot of people who one solution that works for Nick for me doesn't work for somebody else in a completely different business geography. Their needs are different, their workforce is different. Their workforce is in the office. They use Windows or something. We're using AWS, we're remote. We're mostly a Mac shop. Well, we have a few Windows machines. I want to get rid of 'em all. Don't tell anyone, don't tell the other employees. And I think that's okay. I think that's why SaaS and kind of the technology market is beautiful. There's a lot of customers, they are very different based on the size. And some of these customers, they need more tool than support. Some of these need more support than tool. I think this is directly relevant for how you, Dan and you and your team are helping people in these companies now where it's like some people don't just need a fancy tool with a
Blinking light because they probably have 50 tools, they need 50 people, but they don't have 50 people. So they need advice.
Den:
They don't have 50 people, they don't have 50 people budget either.
Nic:
So I think if we could make a scale and someone could go put out a really, a VC will do list where they have their little spectrum and they're like, there's the customers who need more tool than support and customers who need more support than tool where it's like if you need more support than tool, you don't give a flying F what the tool looks like. You're like, Hey, I need to get the job done. That's cool. All the tools do the same thing. Great. What's the cost and what's the support look like? And then some people are like, now I have people, we have a very specific way we want to do this process and we need a tool that can be configured and customized and integrated with an SDK and everything else to work with our process. We have a very specific way of doing that. We need a powerful tool. We don't need support. They're the ones who are like, we got this. And then the other folks are like, no, you need to have this or we're not buying it. So I don't care enough of the demos.
Den:
Well, yeah, I mean I kind of look at this whenever I'm buying something. The purchasing decision isn't just a technology, it's the cost of deployment, the cost of the port, the cost of training, I mean just the whole thing. It's not just about that cost of the license. So Nick, I know we're up on time, man, listen, it's always great catching up with you. I want you to leave us with one little gem. Where do you think the AI industry is going to go next year?
Nic:
I think we're going to see the people who get a lot further on where this is actually going to help and what's going to stick. And that's normal. We go through these cycles where everything gets exciting, people put sparkles on everything. Now we're all AI companies and some people are going to realize like, wow, AI sucks for our business or LMS attached to everything isn't useful from a performance or engineering perspective. And some people are going to be like, wow, this is going to fully change how we deliver x. And I think the most promising things that I follow are ones where people are applying LLMs in areas that have been underserved, not as hyped and not as cool as the rest of where B2B SaaS has been in the last 10 years. And I think these underserved areas like manufacturing and other places, they're going to see the attention they deserve, I think, and there're going to be ways, and even in B2B SaaS, there's going to be a reckoning of like, are you just selling a tool that people have to go make work and how much work do they have to put in?
How much elbow grease do I need? How hard do I have to turn this freaking crank just to get some value and productivity? That bar was really low. Now the bar is higher. People don't want to do that anymore. The SaaS should be doing something and if you say it can't do it, it's clear you don't know how technology works and I think it'll take time. Not a lot of customers are still working on cloud migration. So we're all in different places, but I am optimistic mostly because people have to make money at some point. I know right now all the VCs are like build products, get users, don't worry about it. We'll see how long that lasts. I think it's going to be like, Hey, why aren't you profitable? Where's the money? Where did all the money go? I dunno. So I'm hopeful these things will have to come to a head next year and then I think that'll be great and look forward to seeing some goodness.
Den:
Awesome, man. Awesome. And I was going to say, so for me it's like I am a bit of a doomsday machine, I guess I said last year at an event in Canada, CDW Toronto, we're talking about AI predictions and I said, within two years, one of these big players will have a breach. And that's when people will realize their shit's out there. All this stuff that we keep throwing into that LLM or whatever, I see that being one of the things, it's around the corner and then the other one is post post-election. I keep hearing this whole lit FTC might open up and then the ability for acquisitions and things of that to happen might be more encouraging for the acquisitive and consolidation space. So it wouldn't surprise me if we get some of these little AI startups just getting swallowed up in some mad frenzy over the next year. So
Nic:
I see that. I think that's their hope at the valuation they want. I doubt, but
Den:
Yeah. Yeah, well, exactly. Yeah. Look, the problem, if the approach is I'm building AI for the sake of building AI and I don't really have that problem, that customer understood and I'm really not getting the customer knocking on my door, then yeah, the price for them might not be keen. So find out. Anyway, Nic, as always, sir, I appreciate it. Snowboarding season's coming up. You and I were both keen boarders, so we've got to make plans for some slope time at some point. Yes sir. Yeah,
Nic:
I think so. We'll be hitting up the slopes and the next episode of 909 Cyber909 you and I'll be doing maybe from the slopes.
Den:
Oh, we should do that actually on location. My good friend Bill Harmer, he'd done the bottom of Everest Base camp. He was out there for some work and he'd done a podcast from there. So maybe we can do it from the top of some nice resort somewhere. We,
Nic:
We'll see. Okay. We'll
Den:
See where the budget stretch is.
Nic:
Always a pleasure, Den.
Den:
And thanks man. It's great to be here. Take it easy. You too. Thanks.
Narator:
Thanks for listening to Cyber909. Subscribe wherever you get your podcasts and don't miss an episode of your source for wit and wisdom in cybersecurity. I thanks for listening to Cyber909. Subscribe wherever you get your podcasts and don't miss an episode of your Source for Wit and Wisdom in cybersecurity.