The video features Elliott Franklin, Chief Information Security Officer (CISO) at Fortitude Re, discussing various aspects of cybersecurity in the context of reinsurance. The conversation is informal yet packed with insights about the industry, the challenges faced, and strategies for resilience.
Elliott Franklin’s insights provide a comprehensive overview of the complexities and responsibilities of a CISO in today's cybersecurity landscape, especially within the financial services sector. His emphasis on community involvement, effective communication, and the need for a solid foundational approach to cybersecurity resonates throughout the discussion. This video serves as a valuable resource for aspiring cybersecurity professionals and established leaders alike, offering practical advice and highlighting the importance of adaptability in a rapidly evolving field.
All right, Elliott Franklin here from Fortitude. You're in Nashville. Look at that. We're here. I finally made it. >> Yeah. Good stuff. It's fun. I've had a lot of fun. We just finished up with our boy Dawn. And now we have you, which intro, incidentally, you introduced me to Dawn. >> That's right. Got the three stooges. But yeah, there's there's another one. >> Is there another one? >> Roger. >> Oh gosh. >> I'm meeting him later. >> That's right. That's awesome. Yeah. No, and you're wearing the dope jacket, looking super fly, looking like a boss. Yeah. And it's so nice to be here. So, how long have you been out here? >> Yeah. Moved from uh Texas to Nashville in 2018, so it's it's great. Great place to be. Love it. >> You love it out here. >> Yeah. I mean, you know, it's different. You know, I love obviously born and raised Texan, but uh you know, here they actually have four full seasons, so that's nice. In Texas, it's just pretty much hot year round. >> It's like just hot. >> Yes, that's right. >> Do you do you enjoy like being here? because it's like music city and everything like that. >> I do, you know, it's interesting back in Texas and San Antonio, I never really took advantage of a lot of the touristy things there, but here, yeah, it is nice. I mean, the events downtown, it it does afford you a lot of opportunities that probably wouldn't be able to do, you know, otherwise. So, it is nice. >> Something different for sure. But you're involved in everything, right? The RSA stuff, this thing, that thing, you're wearing a black hat next week. >> There's there there's a lot. Yeah. I mean, it's great to be involved in the community because Nashville's got a Middle Tennessee has got a phenomenal uh you know, security and IT community. So, it's it is great to be plugged in and give back. Yeah. Help try to mentor folks. >> What's your favorite one? >> Uh I would say the ISSA. 
I mean, I've been doing that forever since since back in Texas and just the connections you make there and the mentor, my mentor that I've still got, you know, just retired after 40 plus years in the business and saying I met I met him in San Antonio as president of the ISSA chapter there. He's he's still back in San Antonio. So yeah, it's um that's probably my favorite one. I mean RSA obviously gives you access to things you wouldn't have access to normally being on that program council and kind of seeing how they work. >> Yeah, you kind of have to have some kind of like a connection with all people, right? >> Yeah. I mean, you know, they say, you know, seven degrees of separation, whatever. I mean, cyber is especially tight-knit. So when you're looking at products, you're looking at problems, being connected to those folks certainly helps. Yeah. It's probably like important you go in and like when I'm meeting with someone or you're meeting with someone, it's like how are you going to get in touch or how are you going to talk to your peer group unless there's these chapters more or less everywhere, right? >> Yeah. I mean, when we've had problems with certain products, very well-known products, I mean somebody in the group's like, "Oh, yeah, I know the CEO of that company." I'm like, "Yeah, right." And he's like, "No, I'll just introduce you. You can just call them." And I'm like, "Are you kidding?" So, I mean, not that you need to talk necessarily to the CEO of a huge cyber company, but if you are having some challenges certainly helps. >> It helps. Yeah. I mean, I think like sometimes just having someone on the other end of the phone and that's one of the problems with a lot of companies actually is that the cyber companies you'll need to get in touch with someone, but how do you get in touch with them, right? Well, you going to add them on LinkedIn and then say what's up. I mean, sometimes that's the only solution, too. >> Yeah. 
I mean, it's interesting because yeah, I'm certainly not like a bug bounty person, but I have discovered some bugs and some things as I'm working. And you're right, I just have to, you know, sometimes you'll just reach out on LinkedIn. You're like, is this person ever going to respond? But having the network, you can just tap somebody and say, "Hey, do you know this company?" And there's always connection. So, >> you usually like uh I mean, I'm sure you enjoy a lot of the the cyber side of of things naturally given you've been doing this, but like tell us like how did you end up at Fortitude because technically it's a Carlyle-owned company, right? >> Yeah. I mean, that was actually through ISSA. I mean, I was at an ISSA meeting. Somebody that worked at Fortitude stood up and said, "Hey, we're hiring our first ever CISO." And I was like, "Are you you know, are you serious?" And so I was working at a company in Atlanta and so I was commuting there uh and and I prefer to be in person and and so I was like you know I can come into the office every day and started chatting with them and a couple months later got the gig. So it was great. >> And now you've been there for a >> little over two and a little over two years. Yeah. >> Damn. >> You like it though? It's like a >> I do. I do. It's you know I never done um financial services before and so it's you know been done every industry before that with higher ed and healthcare and manufacturing and hospitality but hadn't done financial services. So there's a different level of uh stress >> stress. Yeah. What is the because it's so interesting because everyone has a different perspective on this. Like I have a friend uh colleague call customer actually but he's a he's a CEO of bank Luminor in in Estonia. But what would you say is like your uniqueness factor in being in FSI and in this uh in Fortitude space? 
Yeah, the the great thing about the space that I'm in is we you know technically we since we are reinsurance I don't have any customer data because we are you know we take blocks of business from you know and reinsure other insurance companies but we don't have to have the the actual PII to make those decisions. Um but obviously you know we still have intellectual property with modeling data and things like that that we have to protect. So uh you know you you are you know a little more well known than potentially you know if you're in manufacturing other things. People don't know who manufactures glasses for, you know, certain companies because it's so so deep in the supply chain. But here, you know, I mean, we make our deals very public on purpose and so you'll see it all over the news. Hey, you you just made a $5 billion deal with XYZ insurance company. And so that could potentially make you a target. So that's always a concern. >> Okay. Because you think that the Fortitude name may come in the news or >> because they know Yeah, it is. Exactly. When there's big deals, hey, you just, you know, you just did a $10 billion deal with, you know, so and so, you know, now I know you've got that money and they come after me. So >> after Yeah. Do you think that like cuz you you guys have a little bit of a different architecture right than most companies? >> We are. I mean that since we're a startup and if we can still say that after seven years you know we are 100% cloud architecture you know this is nothing on-prem uh still a threat. It's just somebody else's data center but uh I do like that we are fully virtual fully cloud-based. So that certainly helps >> but this is like when you say 100% cloud I think people should probably understand it's like completely virtualized >> completely. Even the uh even the employees' endpoints it's all virtual desktop. Yeah. Yeah. And then does that help? >> I you know I think it does. 
I think that that you know shrinks the attack surface and so I think it I think it helps but again we can't be naive and think that there's >> Did it start with you or did it start before you? >> No I cannot take credit for that. Yeah. So so while I'm the the first official CISO certainly there there were some staff there that were designated that for that architecture that did the design that went with the the virtual concept from day one when the company was started and founded and split off from from AIG. The decision was made we're going to be fully virtual. >> Fully virtual. That's pretty crazy, huh? Like that's like I mean that people are okay with that. I guess the speeds are like internet speeds are fast enough now where it doesn't really matter that much. >> Yeah. You know, it does. I will tell you some employees when they come in, it is a challenge in terms of they're not used to that. >> Yeah. And and they may not like that. You know, they're used to just getting a corporate laptop. And so, uh, it does take some some kind of convincing to some of the team members and they've got fancy spreadsheets and things they need to run and and and being able to to outfit their virtual desktop to be able to run that. you know, we we it take can take some work. >> Yeah. So, there's like pros and cons essentially. >> There's trade-offs like everything. Yeah. And there's a constant balance. People are always, you know, wanting to say, hey, you know, we had to go to corporate laptops. But I think if you look at companies, a lot of companies are actually moving to the virtual desktop model for numerous reasons, especially work at home. >> Yeah. I've seen like I mean, of course, not going to lie, I would say like probably 80ish 90ish% probably utilize the physical laptop. some of them. But then there there are a handful of companies that definitely use this completely virtualized uh concept at least for a subset if not all their employees. >> Yeah. 
Think about I know when I worked in healthcare I mean it was all virtual terminals. Same thing with hotels. Yeah. Hotel you know it's all virtual terminals. They don't need to have full devices. They can use dumb terminals. So uh I think there's definitely a place for it. And I seen credit unions you go to banks a lot of them are using dumb terminals as well. So virtual terminals I think um like I said from the attack surface I love it. >> Yeah. It's just like only that one application, >> right? >> Yeah. Yeah. Do you think that like most of uh your uniqueness like does it does it drive that cyber security strategy at all or like what makes it different? >> I don't think it changes the strategy a lot. I mean, you know, like most folks, we follow the NIST Cybersecurity Framework. So, you know, you're still going to look at your risks. You've still got servers. They're just in somebody else's data center. You've still got SaaS applications. >> They're still there. >> You still got email for phishing. So, I I I don't really think it changes the strategy that we take for cyber. Do you get do you get a lot of I mean it's a silly stupid question but do you get a lot of phishing emails? >> Oh, of course. Yeah. Very targeted. You know it's you know with AI I'm sure it's it's helped but yeah we get a lot of phishing messages. >> You get a lot of phishing messages on like what what's there and and I mean I'm assuming that you catch them. That's why you know >> well we we certainly catch as many as we can but we still do try to do our training as well to train folks on what to look for. >> Yeah. >> But it's a cat and mouse game. Some of the folks are really good and the social engineering in general now texting and the other stuff. >> It's just kind of Yeah, absolutely. I mean, there's definitely like a like an evolution of time. Yeah. Have some coffee. Of course. It's No, it's like what we used to do maybe 10 years ago may be different than what you do now. 
Like what would you say is like the focus difference between that and today? Well, for us, I think it's it's now the SaaS vendors is now we're buying tools to like give us visibility into the SaaS players and how they're securing your environment because we depend on SaaS companies so heavily. Um, and that's out of our control for the most part. Yeah. And so that was new to me, buying a SaaS security posture management tool that can go out and validate and verify, you know, what we're saying you're doing in the contracts with these SaaS providers that we know that you're securing our data. Um, yeah, you can give us a SOC 2. you can give us your you know pen test executive summary but but this is actually you know plugged into your environment through you know via whatever web API however it is to tell us if you actually are you know securing our data in your SaaS environment so that's something that's a little different um than what you would typically be doing >> right I mean if you're doing most everything on-prem if you're doing DevOps and and you've got everything in house I think that's a slightly different model >> yeah it's like I mean I think that when a lot of this developer side of things is another security area that obviously has a lot of conversations about it. So developer side, then there's the, you know, kind of the the internal IT side as well. Those are the kind of two areas of of of the cyber. >> Yeah. I mean, you got the folks with GitHub and everything and open it up think, you know, leaving their code open and exposing keys and things out there. And so again, that's another, you know, area attack surface. >> But you guys develop a lot of stuff yourself, too. >> We have some DevOps internally. Absolutely. Yep. >> Yeah. So then you have to go in and figure that part out as well. >> Yeah. That's a different mindset. 
you think you've got kind of application security even though we don't have an app per se and we don't have any external facing um you know website yeah but still internal development and still if that's being done in GitHub and and that's uh left open it's obviously a hole >> so then when you came in how did you take stock of everything like what was like your 30-60-90-day plan >> yeah I mean that's you know that's the same that I do most every place and that's just you know you do your own uh you know I'll do a self assessment and try to you know there's plenty of spreadsheets out there where you can kind rate yourself >> on the different NIST categories and uh it's just you know honor system question and answer with the different units >> and kind of peeling back the onion there and a lot of I know a lot of folks when they'll come into a job they'll just be overwhelmed they're like oh my gosh you know you're not patching you're not doing anything where do I start >> and uh you you've got to put together a road map I've done quite a few sessions on road mapping and just pick three things look at the you know look at the criticality and how much you know bang you can get for that >> yeah bang for the buck >> and especially if you've got existing tools that aren't being utilized when I came in, they had a a ton of phenomenal tools, you know, name brand, they gone out, bought all the name brand tools. Um, but if they're not, you know, implemented correctly or not being monitored correctly, >> what would be something that's like not implemented correctly? I mean, I know it's a silly question, but like what would be what would that be? >> Um, well, take for example your your your EDR software on the endpoints. Uh, you know, you can install it. >> Yeah. >> And but it's not set it and forget it depending on the the the company that you go with. Um, you've got to configure it, you've got to tune it, you've got to turn on, you know, updates for it as well, right? 
And um and so if you come in and it's not blocking anything, it's just there. It's kind of like with the old, you know, we implemented a firewall but left all the ports open or left any-any we check we technically have a firewall, it's turned on, it's powered up. Same thing goes with EDR software. You can have it installed on every desk, you know, desktop but not blocking, not set to block. Maybe you just left it transparent mode, moved on to another project because you were short staffed. >> You just didn't realize that it wasn't configured correctly. >> And those are easy wins that you can come to the leadership team and do. Uh same thing with the 24x7 security monitoring, you know, you know, putting some sort of, you know, hiring some sort of MSSP to help manage that. It's just it's a quick easy win to get that visibility. >> Do you think like I mean because this idea of misconfiguration and such like that it does come up on the on you know on the woke LinkedIn universe type of thing >> like like that's why I'm just curious like it happens all the time. >> It does. >> It does. you know, I'll come in. Again, I'm not going to mention any names, but there's certain software that we had, you know, set up. Again, it wasn't configured correctly. Again, I don't know that it was any fault. You know, you had transition, you've got people too busy, you've got one project to another, they buy it, they install it. And so, that's where I kind of push back on some of our partners and say, "Hey, aren't we going to quarterly business reviews? Aren't you going to don't you want us to continue using your software?" So, wouldn't you want to walk to make sure it's configured correctly so that we're getting the most value out of it? 
because if I stop using your software um and move to something else, it may be the greatest software ever, but it's going to look bad on you because again, we network closely and so I'm going to let everyone else know, hey, we had challenges with this, but it wasn't fair. It's not your software. It's the way that we set up. Yeah. >> But you should also help hold us accountable for that because we don't know best practices for that specific system. You do. >> Yeah. I think like sometimes when I think about it from a product perspective, there's been this like dearth of like very very good like movement around that, right? Because they're two separate organizations. People just take that and then throw it under the customer success team, but that's not actually part of the product management organization. And so that's where there's like a lack of the responsibility, accountability for, oh, it's misconfigured. Okay, fair. But now that's your problem, >> right? Yeah. And again, that's why I mean I'm huge on startups, but again, at some point, I'm sure most startups are gonna exit and become a huge company, but but you you're right. When you move to a huge company, they move it to another team. That team doesn't really care. Maybe they don't have quotas or whatever. They just check in the boxes. And that is unfortunate. I have to reach out and ask for QBRs. Yeah. And I have to buy another SaaS security posture management software, which will tell me, hey, you have XYZ EDR. You don't have it set up correctly. We plugged in. We can see that you don't have these five things set up. you need to go turn these on. Well, great. I'm going to do that. >> Well, what would you suggest? Like, would you s I mean, because I mean, I have my own point of view, but I'm curious like what would you suggest to help fix that gap? >> Well, I mean, there's the paid way and the free way, right? And using >> Well, forgetting about cost, right? 
>> The setting up of the of the QBRs are maybe even more frequent for, you know, as you're going the monthly calls. If they're willing to do it, get an engineer from their company on and walking you through the panels as long as they're not going to charge you professional services fees, which again blows my mind. Some of them do. I want I want to maximize >> I hate pro services, by the way. Yes, >> I hate I think it's the silly silliest thing where they're like, "Oh, by the way, you'd like to buy the product sounds good, but also you have to buy all the services around it, >> right? Do you want me to use it or not?" And and that is a challenge. And I and so I do feel for a lot of younger, you know, CISOs or security folks when they come in and they buy all these tools and then they and then they still have a breach and then the leadership team looks at them like what's what's the deal? We gave, you know, a couple million bucks to cyber and yet uh but but they didn't have a plan. They didn't have a roadmap. They tried to install it all at once. >> Um certainly there are a lot of companies that have a very small cyber team. Yeah. And uh so there are companies now that will actually manage your tools for you as well. Maybe that's what you have to do. You have to pay, you know, an outsourced company to come manage all your tools for you. >> I think like ease of use is important as well, right? >> It is. >> Well, and you know, I hate the AI buzz word, but as much as you can, you know, get to to to where it's going to recommend things, where it's going to email me or notify me and say, "Hey, you know, there's a new feature or there's this new setting we realized you didn't have, you know, implemented. Turn it on." How how hard is that >> uh for you to run those checks? 
you have access to my tenant, you know, as the vendor as the and so why don't you run those those monthly checks monthly checks >> and say this is best practices how you have it set up, you know, here's how you can change that. Uh we have some tools that do that for us. They tell us how to self-remediate. They give us a step by step. So I look at those as kind of the leaders and say well >> more and more should do that. giving you the look under the kimono. The look under the kimono is that people typically out of every product management manager I know they want to build a net new feature rather than tell you how to reconfigure something or make what they have better. >> Yes. And then and then when you turn that on then they then they send you a bill for it. They charge you for that module and they want to nickel and dime you >> and sometimes but by the way it's it's it's also like Sometimes it's not their fault. I want to say it's it's it's the training. It's the it's the idea that like for example, well, if I don't have that feature, I'm not going to be considered for the Gartner MQ, >> which is weird to say, but >> right. And I don't like that because I don't like pay-to-play. I just Yeah. But but I realize boards and other leadership teams do look to that. They they look to it to say, "Hey, you know, this is something that we can measure against." Um and there's a lot of those out there. they can be measured against um for you know uh for the tool functionality. So um it yeah that's you're right that is very interesting that they want to play that game. Yeah, I wish they didn't have to because I mean I look I personally have to deal with this all the time, right? So I can understand the like well if we don't build this feature we can make their product better or do you want to do this? And you almost have to make this business decision where it's like do I want to be part of that you know worksheet or because some people that's how they buy products too. 
You know they have a list of 20 features. If you're not have that one on there you're broken. >> Yeah that's true. when when we when we as cyber teams, you know, draft our our RFP and what we're looking for and build the scope of the project, we have to know there's some there's some things that have to be negotiable. We can't there's no perfect product >> perfect. Yeah. >> Because you may be able to do one part very well, but that may not be part of your, you know, requirements area. >> And I've seen more and more companies that try to do everything great and then they fall apart from the core. So I I see you stay with what you did. That was your core. That's what you were built for. >> I think we do need to educate people about that though. So, it's like if you're not good at what you actually do, that's worse than having 50 things that people don't use. >> Yeah. Exactly. Don't go buy seven other companies and try to integrate them just so you can check those boxes. I've gotten rid of those products because of that because then you forget why you were founded. >> Yeah. >> And then then that falls apart. >> So, yeah. I mean, there's there I get it. Small teams, you don't want 74 dashboards, but you know what? That's I would rather have that as long as each product is doing what it's supposed to do, >> what it's supposed to. Yeah. I mean, are you a are you a best of breed kind of guy or platform guy? >> Yeah. You know, I'll give the political answer. It depends, but probably, you know, we do I do like to look to to best of breed. >> Yeah. >> And why is that? Like what makes that so is it just the same reason you gave earlier or? >> Yeah, it is. Again, I I'd rather, you know, if I have to buy a couple of different point products, I I would rather that I've been burned too many times buying kind of an all-in-one multi-purpose tool. And sometimes you have to do that at a smaller company. Sometimes that's all you can afford and that's better than better than nothing. 
Uh >> yeah, I mean like I mean if it's if all you can have is Microsoft for example, what are you going to do? >> Then then just take advantage of it and configure it as best you can. And I've been to some companies where you're right that's all we could do or use those their suite of tools and then at that point I'm an open source fan. Let's go find some open source tools. Let's install some Linux servers and just throw some open source, you know, OpenVAS or whatever for your vulnerability scanner, use some free things. That's how you can get the program established and build that trust. Do you think that like when you participate so heavily in the g the RSA and everything is giving me the confidence to like go in because sometimes I I look at you and I'm like he knows all this stuff very very very well. What is it that builds that confidence? >> I think a lot of it is uh I've had some really good mentors. I've had some really good bosses that have helped prepare me for you know going in and speaking to the board. Um I do have an executive coach now that you know that helps me from an executive presence standpoint. Um >> well what let's talk about those two things like one is the executive presence and executive coach like why is that so important you know because a you shouldn't go in with fear, uncertainty and doubt and you're going to kill yourself from the beginning if you just say that you know we're going to get hacked if you don't buy this nobody or or you say if we don't buy this we're not going to meet this regulatory compliance I mean sometimes you have to but if you're leading with that you know you need to understand business business risk you need to understand what your company does to make money uh you think it's silly but a lot of people don't know I didn't know you know what Fortitude to make money up until, you know, probably about 6 months ago when I started reading this book. 
And it was like, you know, be here's an elevator list if your CEO catches you in the elevator and asks you to to explain what the company does or hey, take these people on a tour because they're potential investors. I couldn't actually tell them what we do to make >> and so because we just get so sucked into the IT component and uh >> and so I I think that that helps with the confidence if you can go into an executive meeting, a board meeting, and you understand it high level. You're not going to have the details but understand high level what the business does and how they understand risk because obviously healthcare manufacturing whatever you're at obviously you've got you've got risk you've got foodborne illness you've got slips and falls you've got all kind of risk cyber is just another risk and it's an insurance a company wants to buy it they want to invest in cyber or they don't that's their decision you know yeah they're going to have to deal with it later pay me now or pay me later but it's their decision as business leaders who have some smart business leaders in there and so if you come in very arrogant and saying how dare you know don't you want to protect the company don't you want to do this well of course they do but they also want to make money they also want invest in them, they also want to do this and so you know the pre >> so what would you recommend instead of saying hey you don't want to do this like it's going to be risk it's this it's that how would you >> I mean communicate that >> well I I would say meet with some of the meet with the CFO meet with some of the financial folks first but just going in and giving options hey we've got this risk we understand from the risk appetite of the company you you may you know you may want to accept it here's a couple of options that we would we think might be wise you know which direction would you like us to go I think when you come in with that you're giving them options you're not telling them oh man 
you're going to you're going to earn their respect and then they're going to start looking to you to say, "Well, what do you recommend?" And that's the sweet spot. >> So, do you think that's like a one of your tips and tricks is like, "Hey, give people a few options. Be like, hey, this is maybe what I recommend, but like what do we think makes most sense and here's like the the grading of highest risk to least risk." >> Yes, you got to have it. You got to use some sort of rating system that they understand in terms of giving it. >> Obviously, everyone is different on how they want that. >> They do. And the risk appetite of every company's different, but if you go in and give them those options and you can put it in a dollar amount, um that that's going to help. And you know what? You also have to to watch and I have a hard time with this. Watch your facial expressions because you're going to get shot down or you're going to get asked questions that are that may seem like condescending. And it's like again because these typically board >> what would be the most condescending question? >> Well, like you know, why hasn't this already been taken care of or I thought we gave you that budget last year, you I mean, and you have to these are board members, they're dealing with multi-billion dollar budgets and things and uh and so you just have to be, you know, willing to respectfully answer those questions and also say I don't know, which can be intimidating in front of, you know, 10 or 12 very highly educated, you know, board members or educ or exam. >> You think that like but like paint the scenario. So it's like, hey, you're in front of the board and you're But you usually is this happening um at the board meeting or maybe before with just the CFO and the CEO or how is it kind of >> Yeah. Uh I mean doing it to the to smaller committees of the board is smarter first and getting their feedback, you know, depending on how your board is structured. 
And same thing with the with the ExCo, you know, meeting with, you know, a subset, you're exactly right, CFO and maybe some others ahead of time and going through that, getting their options. They're going to save you on that. They're going to help steer you in the right direction, >> right? >> Uh ahead of time. And so you may you may actually cancel and not even go and say, "Hey, that was on the agenda, but now that I've gotten this feedback, I need to pull it from the next meeting or something until I can gather some more information because you do not want to go in there and not have the right information to present your topics." >> So like what let's just say you have your slide, >> right? >> Is it usually an ask or is it usually like a report or is it usually like a just a how's everything going kind of thing? Like what is it? >> It's usually just a how's everything going, you know? Okay. And so if we, you know, if we have to rate ourselves and most board members work at other companies where they also follow the NIST framework and so you can say here's here's the score we've been given or that we've given ourselves based on the NIST you know categories and um here are the three biggest risk we see as a company in the last quarter um and here's what you know here's the last the three largest you know incidents that have occurred in the last quarter across across the industry other companies that have had incidents and here's how we might be addressing that. you know, it's just being open and transparent with them and communicating in between the meetings if you do the biggest thing that that I've learned recently too is proactive. 
Read the Wall Street Journal, read these other news sources because when they see something on the weekend, if you don't proactively send a note out and say, "Hey, we know you probably saw this SharePoint, you know, you know, hack in the news recently, we are aren't impacting here's what we're doing to to >> So, you think that like that that that proactiveness what it helps build the credibility or >> it it does because, you know, they're asking the question of all their companies. They want to know that there's on the board, you know, is is this a whole >> Yeah, the SharePoint one is They're liable. Board members are liable now, right? They've signed off on that and they and they and they are liable um for you know uh for the for the posture of the company overall and so they want to make sure you have to know to not spam them. So that be something huge but but something like that just being proactive. Uh I think that goes a long way in building that trust and then not wasting their money. You know you say that cliche but um you know we've given you XYZ dollars to buy products. You continue to come back to us and ask for more. >> But do you usually ask them or do you usually ask to find >> Yeah. Yeah. No, you're exactly right. I don't go to the board with those decisions. That's all made locally. your mail locally. Yeah, exactly. And do you think that like because it's so interesting because I think a lot of people talk about this stuff but they're not getting into the detail that you are right now. I just that's why I'm asking these questions. >> Yeah. Yeah. Yeah. No, you're right. It's all fluff or going to reading a book or going to a conference. Yeah. I mean, I live and breathe. They go >> very LinkedIn fluency. >> Oh my goodness. That's a whole another story. Wow. >> Why that story? >> I don't know. I mean, LinkedIn I I love LinkedIn obviously, but yeah, you're right. They're just like any social media platform. 
There are some people I see that post on there just to get the clicks. I mean they are you know high level security folks but I don't know how much of it is practical. >> So yeah there's like a practic I mean so in putting out from a founder lens like I think I yes I am in cyber security but I would say like my core skill strength is really not in running a cyber program. That's not my >> No, that's a great that's a great point. Um, and I same thing that people have a lot of people ask me why I'm not doing consulting and I said that's not I I wouldn't be over like the whole vCISO thing and I'm like I wouldn't be good at it. I I I want to come into a company. I want to have my hands in it. I want to see results. Um, I want to help shape that company and so I I just don't think I would be a good consultant. >> Exactly. And so then that's where you know because you want to be the one executing. If you're just telling people what to do, it's not exciting. >> No. And then you walk away and then a year later you see they get hacked because they didn't follow it and there's nothing you can do about it. Yeah. 
You gave them the plan but they didn't follow it or you know they had financial constraints or what have you but no you're right so that the getting the hands on and building the plans I see so many CISOs or security leaders fail because they just go in and they just have all the tools they just say I want all this money they buy all the tools they hire the people and they don't have a roadmap and because that's not the cool sensy stuff nobody likes paperwork you don't like doing policies and procedures who likes >> who likes that stuff >> you know um who likes building powerpoints I'm horrible at it by the way I love the AIs for helping with that but you know being able to build the road map very simple you know here's want to do six, three months, six months, 9 months, 12 months, you know, it's going to change and aligning that, looking at the business objectives and making sure that every project aligns to a business goal. That's you nobody likes to do that stuff, but that's how you get the trust and the buy-in. So, >> so like you would recommend essentially go in have a little bit more of an option-based plan for people when you're asking for things. It's a I think it's a great advice point. >> Yeah. Yeah. And then there's that whole you got to build relationships internal to IT because when you come in, you know, typically the teams don't like you. You're big brother. >> Yeah. The IT versus >> point out their failures, which that's what they feel like. You're pointing out their failures and you know, you're being big brother. You're saying you don't have this set up right. And why did you do this? And say I I've been super guilty of not doing that well. Just coming in and it feels like I'm pointing out all their failures because it's going to because it's impacting me like you're going to break security. 
But so trying to be a partner with them, trying to, you know, stand beside them and help fix things that are broke and not just saying here's a pentest, fix everything on here. It's not going to work. >> So, uh, no, that's awesome. Well, I mean, as we're like going through this, this one's turning off, by the way. I I got to ask you one question is like what makes you so excited about being in here? And like what would you tell someone who wants to be in your position one day? >> Again, you know, it sounds corny, but I I've always wanted to help people. I thought, you know, maybe I was going to be like a police officer or something. I mean, I love helping people. It's like, well, we're kind of doing the same thing, but for for cyber on the infrastructure side. Just I love helping companies. There's there's something different that you get to do every day. >> Yeah. >> Um, you know, it's it's uh you get to touch every part of technology being in cyber. Um, >> and then also the the volunteer stuff. I mean, ultimately, you know, if I retire someday, I want to help on the, you know, going to the old folks homes, helping educate parents and teachers on this internet, you know, >> safety stuff and everything. Yeah. >> So, I I love that component. I love that aspect of it. But really, it's you're helping the company. 
You're you're um you know you're in investigations all the time whether it's internal or external you're seeing you know potential things that happen within the company from a from a cyber standpoint um and so you're helping them to be successful I think I I think that's >> you are very helpful man I got to say like you've helped us so much with dope as well >> yeah I mean and well you know we got to get back if we want good companies we have to be good partners I know it's you know being people say it you got to have a partnership but good luck if you don't >> yeah I mean with a big company >> but what made you like dope so much >> I mean it it met an immediate need that we invite anybody else to do, right? So, in terms of, you know, the latency and the things we were saying with our other, you know, solutions that were doing the secure web gateway and the challenges we had with that, being able to do it all on the client, you know, four to five times faster. Um, and we we just love that the flexibility, the ease of install. >> Yeah. >> Again, we talk about, you know, the other interfaces are so complex. You have to have a team of people to consider and again, this policy supersedes this and oh, it's not supposed to be blocking that. It's supposed to be doing this. I'm like, I don't have the time for that. >> Yeah. How really? >> We don't have enough people. And uh we need a simple tool with a simple interface, but yet it it has the same results or even better. >> It makes me it's like music to my ears cuz dude, I've been working on this for a long time. And I I really really appreciate you like making the intros, helping with everything and being a good partner as well, like saying, "Hey, this is where you could do better as well." >> You got to be honest otherwise. >> Well, this is like super insanely fun, man. >> Yep. 
Is there anything that you would do that wants you would tell someone who wants to be in your position one day that really wants to go in and be the CEO of Fortitude for example? >> I would say a couple things. One is you got to be humble and two is you can't do it right out of college. It took me 20 years to to to get where I'm at. And so I think a lot of people are frustrated with the the instant everything society that click in the app and it fixes a thing. You you've got to you got to be humble. You got to be humble. I would start at the help desk which is where I started. You've got to dig in, help help out in in the baseline. And then you'll and then you'll when you do stuff that people see without being asked when you automate, when you ask how you can help with things that aren't part of your job description, you're going to be noticed and you'll be promoted and and and you'll be sought out for those >> asking how can I help you today. >> Yes. And and not saying it's not part of my role or it's not part of my job, but doing it in a respectful way, not overstepping your bounds or stepping into somebody else's area. >> Yeah. Yeah, I mean there's like this new age of CISOs that I really think that you're, you know, uh kind of the leading the pack, if you will, is that you know this stuff, you understand it backwards and forwards, right? >> Yeah. And I think that that's because I started in health admin and I was, you know, that side of the house. So So I I worked my way up. I didn't just come out of college with theory and say I'm going to be a cyber pro. I had no idea actually when I left college that's what I was going to do. >> Right. Right. Right. Right. But man, like dude, again, super appreciate it. Epic time. We'll see you again here in Nashville.
Elliott Franklin (CISO, Fortitude Re) dives into how a global reinsurer hardens identity and email in a high-stakes environment—prioritizing “back-to-basics” controls while modernizing with Azure/Okta/AD and more. We unpack AI-accelerated phishing and BEC, why passwordless/risk-based auth is rising, and the leadership moves that actually shift outcomes (metrics, culture, and third-party risk). Expect a practical playbook for reducing inbox risk, taming tool sprawl, and sequencing identity upgrades without breaking the business. Apple: https://podcasts.apple.com/us/podcast/elliott-franklin-of-fortitude-re-talks-reinsurance/id1702990863?i=1000726963905 Spotify: https://open.spotify.com/episode/0hcIbGGdS7mvOVuTe8mGSu?si=61f77508915b4cf1 Visit website: https://dope.security