Sep 30, 2022

Big Mistakes in Cybersecurity With Mel Reyes

Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Pursutham, co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect security questions from curious security professionals and invite security experts to learn about their journey and also to get these security questions answered. Our goal is to build a community where we learn about security together and leave no questions unanswered. With that, let’s get started on today’s episode.

For today’s episode, We have Mel Reyes. Mel has over 30 years of experience in the industry and has worked with many companies of all sizes, like large and small. He’s currently the head of IT and Security, CIO and CISO at Getaround, where he leads the security It operations, data governance, policy development, and much more. Prior to that, he was the Vice president of IT at Synchrony. Mel, Thank you so much for joining me in this show.

Mel: Thank you so much for the invitation. I’m honoured to be here.

Host: Thank you so much. So the way we do generally we record the episode is we have two sections. The first is we focus on security questions, and the next one is the Rapid File. So let’s start with the security questions.

So I want to start around setting up security programs at organizations.Llike Governance or Risk Management or Compliance. It’s often difficult to set it up properly for one organization. If you add one more to the mix, it becomes even more complicated. Currently, you are working on an M&A integration across three organizations. So,

What are the challenges that you have faced while working across organizations to set up the security programs and how did you overcome them and do you have any advice?

I know that there are many sub questions in It, but I’m curious challenges how did you overcome it and what advice do you have for future other leaders?

Mel: I love this question, and it’s one of those where if you haven’t been through it before, you almost don’t know what to expect moving forward. M&As while, they’re predominant in a lot of organizations. They’re not in a few earlier, about a decade or so ago, I had worked with a company that had, I believe it was about 20 some odd smaller companies that I had purchased over decades. Well, and it had never really created a digital strategy to unify them across almost anything.

So what we ended up doing was quite a few things there that helped me get to where I am today with Getaround. And one of the first things that I found, and a lot of leaders are going to say this, they’re going to be like, Mel, thanks for giving me the obvious information is it has to come down from the top as a mandate, as a mantra, as a new vision of how we’re going to be looking at pretty much everything. And we saw this a decade or two ago with digital transformation, data transformation. And every step of the way, the realization in the last two to three years when we had to do this, is it’s security now, right? It’s security where everyone should have been thinking about this a decade ago, two decades ago or otherwise. We’re now at a maturity model where, yeah, it’s getting pretty serious. We really need to create overall strategy, and it has to come top down. So that’s the first step. That’s the first big step.

Then the next step is you could bring in every vendor and every tool. You could outsource every function but the acceptance and the cultural education, different companies, if you’ve got, let’s say, three to five different cultural experiences, divisions or otherwise, everyone has to be in the same playing field of understanding why, right? So this is where you get to quantify and qualify. This is where you educate everyone on the personal responsibilities that they have when it comes to security. And then you kind of walk some people off the ledge as to the why we’re doing this. A lot of folks hate process logistics, oversight, stop watching my keyboard. And it really depends on the culture that you’re going into and the level that you’re trying to accomplish. You work in financial services, you can’t get a cup of coffee without submitting a ticket. You can’t do anything without getting approvals, right? You work at a startup, you have levers that you can take and different guard rolls you can take. So the first thing about M&A is that top down messaging. But a lot of it, you can’t get to a top-down messaging until you’ve got an assessment. But you can actually do that after the top-down messaging. We’ve got a mandate, right? There’s a mandate that comes down.

We need to be SOX compliant, SOC compliant, NIST Sys, ISO ties up, whatever the compliance framework or goal is. Why are we doing that? Understanding and educating. And then what is that we have to do is the third step, what are the actual steps that we need to get through now in order to resolve the noise, the friction and everything else? You have to customize everything, not just for the whole company, but for each of the individual groups. It’s a culture component, right? So you can’t speak about security incidents. You have to talk about safety, right? Are we safely ensuring that you can do your job on your computer and that it’s not going to impact the crown jewels? Everybody talks about crown jewels, right? Identifying them and going all the security logistics to make sure that all the key systems and PII data, all these wonderful things, these check boxes everybody goes through.

But at the end of the day, it’s a culture play, right? The last five to ten years, you’ve heard shift left, right, cliche now, but it’s still true. You have to start at the beginning, at the very beginning. And that’s why cultural change is the biggest impact. Everybody hears CNN or in the news, hack, ransomware, they said the other. But they don’t really understand that literally one click, one file, download one website could literally crush an organization to its needs. Billions of dollars are being spent annually to try to avoid that.

Host: Yeah, makes a lot of sense, like defining the vision and also communicating that effectively across the team’s divisions because there are different cultures and getting the messaging right to everybody has a major role to play, right?

So let’s say from M&A, I want to bring the scale down a little bit to let’s say startups, right? And in startups, how should they think about setting up the organization? Let me give you a scenario, right? Let’s say a startup with say around 100 people. They are in fintech or healthcare and they are handling a lot of PII data because they are in healthcare on fintech. So,

How should they think about setting up the security all and who should they hire first, keeping in mind that vision and the culture plays a major role?

Mel: I’ll tell you right now, if I was in An.org that had 100 people and they were dealing with healthcare and PII, and now you’re asking me about setting up a security program, I would be like, I don’t want to do anything with that company. But I get your example.

The most important thing for any founder, for any CIO or anyone in is you have to start from the beginning, right? It doesn’t have to be tools and you have to start from the beginning to accept the fact that there are systems that need to be locked down, process, some processes that need to be placed. You want to keep everybody agile and moving forward, but you have to have some baseline of an intent, right?

When you get big and you go IPO, everybody starts talking about due diligence and due care. When you’re small, nobody even cares, right? But if you have a trajectory of growing, making sure you kind of begin the documentation, at least spend some time tying things so that it does become easier. That’s one, two, if you’re getting to a point where you’ve got 10, 20, 30 people, you’ve got to partner with somebody immediately to start to say, listen, I don’t have the budget for a full infosec or SEC DevOps, but I need some guidance and I need some resources and some assurances. When you get to 100 people and you’re talking about healthcare and PII and down the line it could be FedRAMP because you’re working with the government, you’re going to be screwed, right? Because you’re going to have way too much work to go back and fix or redo and you’re going to piss off a lot of people who created a whole workflow that now has to be torn down or you’ve got to restructure data because it’s not in the right region. So you really have to kind of take a step in pre planning that and pull in a partner.

It could be a modified MSSP. It could be a security partner. It could be a DevSec Ops group. But you really have to be able to bring someone in to partner with you and say, listen, whether it’s equity based or a smaller package so you can get that. It could be a VCs group, it could be a cloud advisory group. It really has to be someone that has done this, has worked across all the major players and the frameworks and everything else. And that’s how you’re able to then leapfrog. Let’s say you buy another company but the company buys you. You don’t have a minutiae of remediations and you’re not making the wrong investments. Right? Let’s pull in the top right quadrant from Gartner because that will solve our problems. No, not really, because you don’t have the people to implement it, you may not have the culture to implement it. So you need to work that in. I would say any company starting to have at least some level of change management, process, flow credentials, et cetera. And then as you get to the 5-10-20 range, that’s when you really need to start having the conversation of, okay, we’re starting to grow a little bit.

We’ve got asset management, we’ve got endpoint management, we’ve got all these other things that nobody thinks about until they’re at the hundred mark. They’re like, oh crap, we’ve got to go do a PII assessment. Oh crap. All of our endpoints and all of our cloud instances, the configurations aren’t managed. We just went through with the default configurations. You can’t let it go too far before you do start to bring in that partner who could grow with you. And this is also where you start to build out.

Someone in your organization may be leaning more towards being whether it’s infosec and legal and all the other wonderful things that no one in it wants to do. Right. Because no one wants paperwork process, but it has to be done. Some of the internal folks may actually want to do more as security analyst, ethical hacking or Devset cops or lead into a VCC world. So you try to culture that internally. But if you can’t, you got to pull in a partner. You have to hand sell.

There’s nothing else you can do unless you’ve got a rockstar cousin who’s willing to come to your company for equity and who’s in the security space.

Host: Yeah, the takeaway for me from this is that if you have reached 100 and you don’t have a security program, you have made a huge mistake already.

Mel: Yeah, you are literally walking in a field of landmines if you’re already at that point.

Host: Yeah, like start early. If you are not able to hire somebody in house, at least partner up with others and have security in place. Right.

So one of the things that happens when you are a startup or when you are a smaller organization, your leadership may not pay attention or they do not put enough emphasis on security, right. Sometimes it’s, let’s say your engineers who bring it up that, hey, we need to have better security. So you have worked with many organizations, large and small according to you,

Security should that be a top down approach or should it be like a bottom up, like somebody from engineering or the individual contributors bringing it up and then sort of implementing it across the organization?

Mel: Yeah, it’s interesting. And I love both of these ends, right? I love both of these ends because number one, let’s start with the engineering. Any engineer in any language on any platform today that isn’t thinking about security may want to revisit their whole career life, right. Because you’ve got buffer overruns. There’s just so many other wonderful things that you have to consider taking into consideration. This is like for decades now, this isn’t something new, right? SQL injections, all the basic stuff. So you have to be able to think that way, number one.

Number two, you have to be the voice of concern to say, hey, we’ve got a five-step deployment process and we don’t do code scans, we don’t have checkpoints here where’s configuration management? And you have to kind of create a nice formalized view as well as release management as well as your Redundancy backup redundancy.

If your engineering team is not focused on one or all of these things, then you need a new engineering team, hands down, flat out. If your lead of engineering or your CTO or whatever is not thinking about things, then you’ve got to have a come to Jesus moment and tell them you have to make a top priority, whether it’s 10% now and 30% of the time later. Because guess what’s going to happen? You’re going to start to get a backlog once you do start doing scans and once you do start doing pen tests, a backlog of tickets that need to be addressed, right. So no matter what, you’re screwed if you do and you’re screwed if you don’t, right. But if you do it ahead of time and you do this, then the remediation and everything else shrinks through.

So number one, it has to be a mandate for everyone. I don’t care if you are a junior developer, QA or again you walk on water with Golang or anything else, right. It has to be that. Then the conversation that I really love is the lack of awareness of potential impact by so many other folks at the top, right?

Some folks read articles, they stay on top, they understand, they get the risk and the impact. But there are so many folks who don’t understand the true impact. So educating the board so that it is a top down, right? Educating the board to the every other C suite, to every other VP, however the organization structured, even if it’s two layers, board, CEOs, and then just a lot of engineers or heads of whatever that is. I say it all the time. These are words that I don’t actually like. I hate saying words that have legal or infosec backing, right? Due diligence, due care.

All of these words are bound by other efforts.

21 years ago, we had a financial crisis. What happened? And this is part of one of the groups that I’m working with, the Digital Directors Network, to elevate the importance of a security minded person on a board, audit teams that are targeting and really looking at, at the board level what the impact of cybersecurity are, and then trying to make sure that there’s raised awareness around a risk assessment and factor, right? So how deep and how small, but as long as there’s a conversation to be had, what are we doing about security and dev security and operations security across all of our data? As long as that conversation is at the top down, asking the CEO, which asks everybody else, that’s where that has to be, as well as acceptance of investments that need to be made. It doesn’t have to be day one, but it has to be. And except at some point you’re going to cross a threshold where you’re going to get too much data, too many users, you’re going to have the visibility that you’re going to become a TAC vector for a lot of folks. So you have to make an investment. So saying that there isn’t budget at all for anything in security is not an answer. Saying this is not the right time also not the right answer. Right. Because you can spend $600,000 on marketing campaigns this month. But guess what? You could lose $6 billion worth of value in just one attack.

Host: Yeah. So the takeaway for me from this is security should be a top down approach for sure. But that doesn’t mean your individual contributors should not care about it. It’s a joint responsibility between.

Mel: Everyone and everybody along the way. Those two ends are the most critical points, right? One funds it and make sure you’re getting the right direction, and one implemented to make sure that it’s ingrained in the culture. Because you’ve got marketing teams, you’ve got a lot of other teams in between. Everybody has to be conscious of it.

But if you take those two ends, those are those two critical path points.

Host: Right. Makes a lot of sense. So when starting in security, let’s say when an organization is setting up the security, often they are advised that maybe start with a security certification, like a Happy compliance program, like either Software or ISO or HIPAA. And those compliance families have certain controls which make sure that your basic security is done right.

According to you,

What is the right time to invest to sort of improve the overall security posture versus getting a security certification?

Mel: And you actually went through what I would call the graduating scale of difficulty, right? You said Soto, ISO and then HIPAA, right? So if you’re at a point where you need to hit HIPAA and you haven’t started talking about security at all, you might be pretty screwed. Again. A lot of refactoring data, relocation configurations, right? So at the base, you’ve got compliance fees, and then you’ve got frameworks, right? If you come into this with just if someone listens to this and they’re starting a start up and they hear this one bit of advice, it will save them millions of dollars in the future. Just start with a small framework. NISS SIS sock one, you don’t have to go through an expensive audit. As long as you have a foundation of things that you should be doing, doesn’t mean you have to do them. They should be doing.

And then seeing if you can create a gap and say, you know what? We’re only doing ten out of 20 controls right now. That’s okay. In three months, let’s try to see if we can target one or two more controls and learn about them. What is it we need to change in our process? What do we need to do with vendors, right? And then it becomes part of the culture. If, for example, you’re at 100 people, you’re about to sign that big government contract because you’re in healthcare, then you’re screwed. That’s when you’ve got a polling partners. And I’ve been working with groups like Gracie, which is a fantastic group that brings in a set of leaders as well as compliance, security, and risk teams.

And it’s also for a good cause, right? Grcie.org. It’s when you find those kinds of partners and you can come in and do the assessments and build out something and create the plans. So you either pay through some growth throughout your maturity, or you pay a lot at the very end unless you could find the right partners like I’ve been able to work with. Right? And that’s where Gracie comes in, because it comes in at a good shift. You’re not paying a VC. So 5000, $750,000 a year to now clean this stuff up, or an hour, right? You’re also ensuring that as a culture, you’re growing. So picking one of the frameworks, getting somebody identified to be the owner, whether it’s legal or whether somebody else say, listen, this is just a logistical process.

What do we need to learn? Get the head of engineering. Get the head of legal. If you don’t have a legal person, then I don’t know what kind of company you’re sorry if you’re running. If you don’t have a head of engineering, then it may not be a digital play, right? But at the end of the day, if you get that in there, you don’t have to boil the ocean at the beginning, you don’t have to boil the ocean at the middle. But once you’re ready to make that lead again, it could be from it could be 20 people or could be 100 people. If you want to be a global leader or a national partner or integrate with other companies and get someone is going to ask you for your stock to someone’s going to ask you for some level of due diligence and do care proof. So you have to at least showcase that you have a gap analysis, that you understand where you’re at, you understand your risks, you know where your crown jewels are and you don’t have to be certified until you’re ready to sign that and release. But having that gap in there reduce scope, just scoping to that specific key system that is pertinent to the project or the contract, all of these things are doable.

But at the end of the day you need at least one person to ask the question what are we doing about security?

Host: Makes sense. And I think you mentioned a very important point which is have the foundation and also do the gap analysis because you cannot implement all the controls from day one we’ll always start small. So having that gap analysis document where you know why you have decided not to implement a control has a major role to play that makes a lot of sense.

Now the question is,

Let’s say I did the security set up and all that, but still there are breaches that happens and nowadays organizations have taken security seriously. But when we talk to organizations we still see some basic mistakes being done, right? I bet you must have seen that as well with our other organization.

What are the top three things that you think organizations are still getting wrong and they know it?

Maybe they are not able to fix it or they think that they won’t get caught and they can get away with it. What are those things according to you?

Mel: So this is a really interesting conversation because I’ve seen it across multiple roles and the risk tolerance level of certain things is cute, right? It’s really cute in some companies, right? And what I mean by cute is, are you crazy? Why would you risk accept that? Right? But I pull it back and I say all right, let’s walk through this. So now things that I’ve seen or things that I’ve seen, why they happen, right? So the shifts in different companies that I’ve seen have been really partially tied to the culture, partially tied to the budget and partially tied to the priorities that have been set from top down.

So if the priority is to build out version 20 of the Widget and nothing can stop that and we don’t have resources outside of being able to build the new 3D Widget model online and in mobile, then guess what? You’re probably not going to get a lot of traction on, by the way, you’ve got 642 tickets. That 50 of them are at critical CVE levels, blah, blah, blah. That need to be addressed. Right. So there’s a risk if we don’t launch, we don’t make money. If you do launch with that, you could lose a lot of money, right. So there’s a risk acceptance.

There the way to communicate those and the exposure points and the impact rate. Once you have that analysis of your crown jewels and everything else, you could say, you can build that and you could be in a trajectory to be at $100 billion forecast. But guess what? It could be for not in one split second. That’s one, two – When I talk about risk acceptance, it really actually does come down to the consensus, right. Getting everybody at the table, senior leadership, the board, legal, whether you’re a global company or a local company, as well as the It leaders, to say, I’m going to paint the picture for you. Right.

For companies less than 1000 employees, it can cost at a minimum or on average seven to $8 million per incident to mediate research, everything else, right? That’s per incident. Right. So that’s for company less than 1000 employees. Now, can a small company take one of those hits? Maybe they might be able to write it off, but they take two of those hits. They may not have insurance after two of those hits. Right. They may not have cyber security insurance after that.

Right. If they got cyber security insurance. So as you go through this, when we see the malware news, it’s because it hit a utility or hit a major player or hit one of the major security vendors, right. But every day, every small company, every credit union, every is getting hit by something, right.

So if you don’t understand what you need in order to kind of push the envelope around, how do you address this from a visibility standpoint? Otherwise you really do get kind of lost. Now, I’m going off track here, so pull me back with the question because I want to give you the quick summary of it.

Host: Yeah.

And I want to touch upon your uncertainty, but it’s not always about the cost. It always affects your reputation as well. Right. Employees lose trust. Your customers lose trust as well. Right.

The question was around what organizations are doing wrong and they are not aware of it, and how can they fix that? And maybe they are aware of something and they are not prioritizing it properly.

Mel: The easiest fix is, number one, if somebody is raising a concern, whether they’re the CSO, an engineer or whomever, customer service, that there’s a security concern. Listen, don’t just dismiss it. That’s number one. Number two, do not become risk tolerant of everything.

Right. No, that’s not going to impact us because we do this here, and I say this a lot. I’m like, prove it to me where do you do it? Show me the log, show me the system, show me that, right? And the third piece is and I’ve said this now for about three years. This is before Cove and everything else. And now it’s become kind of the mantra with being able to go out with zero trust. I said, especially when you’re talking about vendors, right? This goes all the way back to all of the security vendors that had issues about three years ago, right? I said, don’t trust and reverify. Right? Because it’s cute that we’ve been living for decades with Microsoft security recommendations.

I don’t want to throw out any other names because they’ve already taken a meeting in the industry. Right. But don’t trust it. Why are these throttles and levels set to this? Why is that port closed? Why is that one open? All of these questions have to be asked, and they have to be asked on a monthly or quarterly, biannual or annual basis. Right? That’s why in a small company, when you don’t have resources, it’s hard to do a vendor assessment or vendor review. It’s also hard to do the reviews of your configuration management. It’s hard to do your reviews of change management, but it’s important you at least try to make an effort across those critical systems.

So if you’re going on the oh, yeah, Google has all these things, right? They’ve got DLP and they’ve got all this stuff. Well, are the license levels that you have have that enabled? Have you looked at the logs? Do you have the structure of your whole organization? Right? Or you have orphaned projects that aren’t in that umbrella to be monitored or otherwise, right.

So constantly reviewing those things. But at the end of the day, most importantly, I started with this is if you see something, say something. And if somebody says something, do something. Right? If you want to take a mantra out of this, do something. Listen to them, document it, get it to the right people. But for me, it has always been, at least in the back of my mind, not because I don’t trust the quality or the experience of somebody else. It’s just because I need to see a logistical piece, is don’t trust and reverify because things change. New systems get integrated, new properties get changed. Right. If you have ever done anything with networking and you’re scaling whether it’s physical or virtual or whatever, somebody changed something in the last month or the quarter or the last six months. Right. So you have to revisit that impact.

So to me, again, see something, say something, do something.

Host: Yeah, I love one thing that you highlighted trust and verify reverify, rather, that should be trust. Okay.

Mel: Don’t trust and reverify. Yeah, absolutely.

Because again, zero trust is a great concept that pulls a lot of things together and depending on the company implements, some of the hardening that you need. Right. You want to. Go to FedRAMP, just go straight to Zero trust and then rework every system that you have. What’s the feasibility of you doing that in a major corporation overnight? None. What’s the feasibility of doing something like that at a start up from the beginning? Better. Right.

But you’re still going to cause a lot of friction. Right. So where do you find that middle ground? As long as you’ve got the mindset and the culture to at least start to target something like that, that’s where you can achieve great things.

Host: Yeah, it makes a lot of sense. And thank you so much for these lovely insights. There are many nuggets of wisdom in that. I’m sure our viewers will learn something new and would love that as well.

Summary:

Here are the top three things I learned today.

First, security should be mandated from top down and it should be implemented in partnership with individual contributors or the doors, right? Who own the implementation.
Second, from a security standpoint, start small with frameworks like Nest, CIS, sock one and understand your risk tolerance. Do the gap analysis during the process as well.
Third one is for startups. Start early if hiring insecurity is a challenge, working with partners or VCs groups or security like advisory boards or cloud advisory groups to set up a solid foundation.

Rapid Fire:

So I want to move to the rapid fire section now.

So the first question is one liner code that keeps you going?

Mel: I don’t know if it’s quote., but I will say.

Having been in the industry for so long and having known what I needed to go through in order to keep moving forward and keep learning. I’ve come to the realization about two. Three years ago. Four years ago. That I needed to be physically somewhere else. I needed to have different exposure and I wanted to build a life for me. One of the things that I’ve been trying to focus on is trying to educate It leaders, security leaders that are out there, or folks who are in that trajectory to start to look at their own lives, number one.

And then number two, how do you give back, right? So I’ve used quotes from Nina Simone and others to continue to inspire me, right? It’s a new dawn, it’s a new day, it’s a new life for me. Right. Because we live in a world where we could spend 60 to 90 hours a week on incident management, on all kinds of issues, or It operations or M&A’s and reviews. But we have to be able to take a step back and say, is this the right place for me to be right now? Should I be working 80 hours a week so that I can learn and grow and make money, blah, blah? Or can I do this at 45 to 50 hours a week in a different organization? And I started this in 2019. My transition over. Lo and behold, you’ve got Covet and lo and behold, you’ve got everything else. So my motivating pieces and I say this to a lot of folks that I coach and a lot of folks that I talk to and my teams and everything else is the thing that we’ve ignored for decades is to be selfish.

Right? We think we’re doing the right thing where we want to do versus what we actually do. We actually live to work as opposed to work to live. So for me, everything to me is about how do I become selfish and how do I work to live the life that I want? So maintaining that balance so that you don’t burn out, rather you are contributing in a much better way, right? You’re saying this last two to three years with covet and the resignation and everything else, right? Yeah, absolutely.

Host: My next question is what advice would you give to your 25 year old self starting in security and why?

Mel: Number one, read more. Number two, make as many connections and learn from other people as much as possible. Ask as many questions as you could possibly ask, even if you think they sound stupid, and really get ingrained with as many of the pillars as possible, right? Some people just focus on one area. I’ve learned that being an expert generalist helps a ton across a lot of different topics. So read, connect, ask, learn as much across all the pillars. That’s what I would say 25 years ago. I’m still a little on the old side, but it’s still enough that within a five year period, you could leapfrog if you just took that advice right now.

Host: Makes a lot of sense. So assuming you’re hiring in one sentence, what stands out in the candidates you made for you?

Mel: I love this question. I love this question because the hiring side of things is something that always kind of kills me. You’ve got companies that have a regimen of this matrix of questions and process and blah, blah. No, I am hiring for showcasing of experience, ability to be able to communicate that and a display of something that is not the same or standard across a team. We could talk about diversity, but to me it is really about showcasing something that isn’t quite what you would expect. Prime example, I have a person who I brought onto a team that caught my eye because they were a professional magician, magician and musician, sound editing and magic.

And to me, I was like, okay, I need to get a hold of this person because if you think about it, in It or security magic, there’s a direct connect. But if you think about it, there’s a logistical workflow, there’s planning, there’s practice. So there’s all kinds of other intrinsic pieces that this person brought to the table. And I wanted to see if that person is a good fit for this role. I almost had an offer to somebody else, but I pulled back, and I did end up hiring them. So to me, it’s about that. It’s about finding the unicorns, the potential unicorns, seeing if you can develop them.

And that’s what I look for in a candidate, is how do they present themselves? And I get past all the other pieces. Right. I get past the they don’t interview well, or they didn’t answer that question well. And I try to pick up on some of the behavioral pieces and how excited they get when they tell me a story about something they’ve done.

Host: Yeah. I must say, that’s a very unique combination of skills, magician and magician at the same time. Yeah. Thank you so much. It was very insightful to speak with you. Yeah, it’s been working out perfectly.

Mel: I want to thank you for the forum. I want to thank you for the questions. And to be honest with you, I love speaking a lot, but these questions and the framing are perfect. So thank you for the opportunity.

Host: We look forward to learn more from you in future. And to our viewers, thank you so much for watching. Hope you learned something new.

If you have any questions around security, share those@scaletozero.com. We will get those answered by security experts and see you in the next episode. Thank you so much. Thank you.