Understanding a NIST CSF Security & Risk Assessment

What is a NIST Cybersecurity Framework Security & Risk Assessment and why is it important?

[00:00:00]

Intro

TOM KIRKHAM: All right, let’s get started. Welcome, Richard. I hope everybody can hear me okay. If you can, just say so. I hope you can see the screen. Unchartered lower Alabama. Oh, UCLA, okay. That’s funny.

Okay, we’re all here to learn more about the NIST Cybersecurity Framework and the IronTech/NIST CSF assessment. Today we’re going to have Brayden, our company champion – he’s the one that actually does these. He’s the one that if you go forward with us, he knows the most about the assessment and how it works, and he’s going to talk about what you really go through. Kindsey’s going to have a little bit to say at the end of the webinar. Having said that, let’s get started.

[00:00:52]

If Any of These Things Apply to You…

If any of these apply to you, you need an assessment. If you rely on an IT specialist for your cybersecurity, you need an assessment. This is not an IT job. This is a security job. They have different objectives, and we’re going to talk about that in a later slide.

If you’re relying on antivirus such as Norton, McAfee, Bitdefender – I can go down the list, but basically if you’re relying on anything that you can buy from Best Buy, Office Depot, Staples, whatever, it’s just not good enough. You need an assessment.

If you’ve never done one, you need one. You need to find out the condition of your ship.

If you have to answer to others, or maybe you’re just gathering information – maybe you’re the boss but you still have a board of directors or a mayor or a governor or another executive director – whatever your organization is, general manager, managing partners – if you need to educate and justify this, then you need an assessment. Because it clearly will show you not only where your vulnerabilities are, but where your risks are, and it justifies it in a third party way, not just from someone that sells cybersecurity solutions. We prove the need to address your vulnerabilities. It’s proven. It’s undeniable when they look at the supporting documentation.

And finally, if you, like many of us – and frankly, I still worry about it; that’s our biggest number one worry, actually – but if you just worry about it and you don’t do anything because you have analysis paralysis and you just hope it doesn’t happen to you or your organization, well, you can relieve a lot of that anxiety if you do an assessment because that will get you to understand what the state of your cybersecurity defense is. Once you understand that, and then our assessment tells you what you need to do, you’re in a much better, informed place.

The worst thing you can do is just not know. That’s where you get anxiety from. If you know where you’re at and the risk is really low and – hopefully it doesn’t happen, but a breach occurs and you just said the risk was so low, then even if the worst does occur, you’re in a better place. You can say, I don’t think anybody would’ve spent this kind of money to a risk that was less than 0.001%. You’ve got to know. You’ve just got to know. So get an assessment first.

[00:03:56]

NIST Cybersecurity Framework

So NIST Cybersecurity Framework came out in 2014, Version 1.0, and the last update was about 4 years ago, and that’s the current one. So it’s only on Version 1.1, and it’s really good. I think they’re soliciting change ideas right now for an upcoming probably 1.2, I’m thinking. It’s a really good framework, but it’s based upon years and years of other organizations, internationally and nationally, that have developed cybersecurity policies and frameworks and procedures and requirements for various certifications and things like that.

But the NIST Cybersecurity Framework isn’t a certification. It’s something you can do yourself if you go through it. It’s designed for small businesses as well as Fortune 100 companies, and there’s nations that use it. So it’s not a Mickey Mouse thing. It’s a very serious, great framework. If you’re in a national or a state association that has gone down this path, I’d be surprised if they didn’t NIST CSF is the way to go.

What it does is it gives you guidance to manage and reduce cybersecurity risk. Now, what it doesn’t do is it doesn’t give you a lot of advanced state-of-the-art administrative controls. Some of you may have heard me mention that if your passwords expire every 30 days and you have to change them, that’s not a good policy anymore. Most IT people are doing that out of habit, and when you ask them why, there’s not a good reason. It’s because that’s what’s been done for 20 or 30 years. We’ve got a better way to do that. So you’ve got to stay up to date.

Actually, our way is better and it’s actually less hassle, which is highly unusual when you’re putting security in place. We improve the security and it’s less hassle.

Then it also doesn’t specify the exact technical controls. Like, “You keep saying antivirus is no good and I need an EDR, but how do I know which one to buy?” In fact, Norton says they’ve got an EDR. Well, we know that because we’re infosec specialists. We use the NIST Cybersecurity Framework to prove the vulnerabilities, and then we recommend best of breed – in other words, the best in the market, the best technology, the best support, the best everything that we can think of – and that’s what we recommend you implement.

And like I said earlier, the CSF references many, many other security standards, and I’ll show you that a little bit later.

[00:06:57]

Identify, Protect, Detect, Respond, Recover

So if you have looked at the NIST CSF or you go out and download it – it’s a free download – it can be overwhelming unless you’re an infosec specialist. It’s not hard to read, but it’s daunting unless you’re in the business.

So I’m going to make it easy for you. It’s composed of five parts. Identify, which is where the assessment comes in. Then you protect, you implement the recommendations that we make to protect your company. We put a detection system in place, and this is really, really important because the way security companies do this is they want both automated and infosec specialist-monitored to detect things, to look into anomalies, things that are suspicious. That’s something that you don’t get with off the shelf protection, and these days, these threats are all very complex. The NSA tools were stolen three years ago. The world’s elite cyberattack force had their own tools stolen, and now they’re available for free on the dark web. So you might as well assume that all the attacks these days are highly complex, state-of-the-art, nation-state attacks, even if it’s just criminals using them.

So you’ve got to have a detection system in place, and you’ve got to have lickety-split response, both automatic and by security specialists, that says “We’re going to respond to that.” And we literally respond within minutes of anything suspicious. It’s immediately being looked into, and even if it ends up being benign or the specialist says, “Oh, that’s nothing to worry about because this maintenance was taking place,” we know what it is. We’re not waiting until tomorrow or “I can’t get to you for three days.” This is 24/7 response and detection monitoring.

Then finally, the fifth thing in the NIST CSF is recovery. Worst case scenario, we’ve got to minimize the business downtime, perhaps make it where it’s 100% business continuity no matter what happens, or we’ve got to restore from a backup because of a ransomware attack – which is your number one worry. It’s everyone’s number one worry.

You’ve heard me talk about the scale of the international hacking, the black hat hackers. Don’t get sucked into thinking it only happens to Colonial Pipelines or JBS or Sony Pictures Corporation. There’s by far more ransomware attacks on businesses just like yours. Even if you’re in UCLA, the “Unchartered Lower Alabama” area, there’s no such thing as being too small. There’s no such thing as being too small, there’s no such thing as being in the middle of nowhere. It’s a numbers game. It’s numbers. They’re blasting out 100,000, a million emails at a time. Don’t know, don’t care who it is. They just want you to pay their ransom.

And they’re not going to charge a small law firm in northern Mississippi, in Tupelo, Mississippi, $4 million. They’ve got automated stuff. It goes in and looks at how many terminals are on the network. If it sees there’s only three, you’re probably going to get hit with a $5,000 or $10,000 ransomware attack. They’re already going to know maybe a vague notion of the profile, so if they’re sending the emails out to a bunch of attorneys, they may up the minimum payment. And then if they’ve got 100 terminals, they may up it to a million dollars. But if it’s going out to a bunch of water utilities and there’s only three terminals on the network, they may just make it $3,000. But all of that’s automated. They’re just playing a numbers game. It’s done at scale.

[00:11:20]

What to Expect When Doing the IronTech/NIST CSF Assessment

I’m going to turn this over to Brayden. He’s our company champion, our Customer Champion at IronTech. He’s the one you’ll be working with if you go forward with this. With that being said, it’s all yours, Brayden.

BRAYDEN LATTA: Thank you, Tom. I’m going to share one of our security assessments with y’all real quickly.

As Tom stated earlier, the NIST Cybersecurity Assessment follows the Identify, Protect, Detect, Respond, and Recover. Even the questions themselves directly correlate to one of those five categories, and it lists them as critical, high, medium, or low. Let’s take a look at one of those risks.

Like this one here, detected events are analyzed to understand attack targets and methods. We’ll see that’s part of the Detect category. And it’ll give you that question where it sees something is wrong. “Do you have a threat detection product in place today?” If the answer is no, it tells you why that’s important and remediation steps you can take. Along with this, this would be one that we’d recommend if somebody didn’t have this in place, we’d say get an EDR.

[00:12:52]

The process starts with we’ll send you out an initial questionnaire that’ll help us get a lay of the land. It’s designed to help us figure out what you do currently, like how many machines you have, who you use for email provider, things of that nature.

Next meeting is a consulting meeting where we’re going to go over a questionnaire and eventually generate that report that I just showed you.

From there, we’ll take a little bit, we’ll look through that document, and from there we’ll analyze it ourselves and eventually get you a recommendation on what we believe that you should do. And hopefully with that recommendation we’ll provide you a little bit better security. I’m going to go ahead and turn that back to Tom now.

TOM: All right, thank you, Brayden. Sorry I got the slides messed up here a little bit.

[00:13:47]

What I wanted to do here is the top graphic you see is a page out of the actual Cybersecurity Framework from NIST, and the bottom is the way the report comes in. This is the report you’ll get from us. You can see that this critical one, this PR.AT-1, is directly mapped to the NIST CSF. This is U.S. Department of Commerce National Institute of Standards and Technology Cybersecurity Framework.

We’re not saying that because your users are ill-informed and untrained, it’s critical. NIST, U.S. Department of Commerce, is saying that’s a critical problem. So the results of the assessment directly map to the NIST CSF.

And over on the right, the informative references, you can see all of these other standards, both national and international. It references very specific things to say awareness and training goes directly to ISO 27001 specifications developed in 2013, and then the sections of that specification, the specification manual, following that. This is not only just NIST, but International Standards Organization, COBIT, CIS and other NIST references. That’s another NIST security reference that’s been referenced here. So this is undeniable, non-debatable vulnerabilities that we’ve uncovered that exist in your organization.

[00:15:38]

Identify

Let’s talk about identifying, because it is the most important thing. It is where the assessment occurs. As a result of the questionnaire that Brayden and others go through with you – and there’s others that work with you through the assessment – you’re going to identify the assets that you need to protect.

We’re also going to determine – and you’re going to help us do this – your organization’s security maturity. Do people reuse passwords? Do they use the same credentials on a bunch of different websites? That’s a no-no. Do you share passwords around? Do you have one account for the website instead of everyone having their own account? That’s a no-no. That’s a security risk.

If the answer to those is no, then just like that sample report, you’re going to see that you need security awareness training. Probably a password manager as well. And there’s a lot of other things. Password complexity, who’s got the keys to the server. It just depends on the organization, but there’s a whole lot there that goes into security maturity.

Incidentally, outside of actually buying the training, a lot of that stuff can be done through policies. It’s not like you have to pay money to increase your cybersecurity defense. But I will tell you this: if you do get cybersecurity awareness training, you cut your risk in half right out of the box, before you do anything else.

Part of the process is determining who the threat actors are. Now, for many, maybe even most of you on the webinar, you may only have to really worry about criminals. And we all have to worry about criminal hackers. If you’re a water utility, then you’ve got to worry about nation-states – and believe me, they’ve mapped out. They already know what water utilities they’re going to go after if we accidentally splash a MiG jet in the Persian Gulf. They already know that. A lot of them. Now, I don’t know if they know your utility specifically targeted, but there are utilities that are known to be vulnerable, and they’re ready to do that and pull that trigger. Electric grid. Any part of the critical infrastructure, we have to worry about nation-states.

If you remember that Biden-Putin summit in Geneva about a month ago, that’s what it was about. He gave Putin a list of 16 infrastructure industries, said, “Don’t touch it. Tell your cohorts, your brothers in arms, all the criminals in Russia, that we need to cool it.” I don’t know if you guys know this, but they did. I think they’re laying low and figuring out what their next move is.

At any rate, this assessment is going to specify the defensive controls you need to put in place. The NIST CSF is not – the exact defensive controls you need to put in place should be determined by an infosec specialist, not an IT guy, because they can’t keep up with all of this stuff.

Ultimately, you’re going to know the condition of your ship, and hopefully the condition of your ship is improved before you set sail any further in the cyberworld. Well, I know it will be if you do what we recommend.

[00:19:30]

Common Myths

Real briefly, I want to cover three of the common myths that we always talk about. Invariably, people think they’re too small even though I spend five minutes going over the sheer scale and the automation part of the hacking industry, and they don’t know, they don’t care, it’s a numbers game. I don’t know what to do other than just say there’s no such thing. It’s not a matter of “if”; it’s a matter of “when.”

Antivirus is no good. It’s about one notch above useless. Arguably, because it gives you a false sense of security, I would argue that it’s useless. There’s much better protection out there, and you can’t buy it off the shelf because it works in conjunction with infosec specialists. Part of the Detect – Respond – Recovery. If you can buy it shrink-wrapped at Office Depot, it’s not good enough. I don’t care if they even use the words “EDR” and some of the other words you hear for really good cybersecurity. It’s not best of breed.

Then finally, cybersecurity is not an IT issue. It’s outside of their scope, it’s outside of their objectives, and it’s not their specialty.

[00:20:53]

Infotech versus Infosec

Let’s take a look at those objectives. Ultimately, IT, or information technologies, was created 50 years ago and companies started investing in it, and now every business has it and every home user has it. It’s all about improving productivity, efficiency. It’s bottom-line focused. And IT knows that the bottom line is affected by end user frustration. It cuts into productivity. So the fewer help desk calls that they get, the more productive the company is. They want everything to run smooth, stay up. That’s their objectives.

Security is all about security first, not productivity, not efficiency. It’s not like minimizing frustration is not on our list, but we’re not going to sacrifice security because it’s a little bit of a hassle to set up or to deploy or to use. It gets into establishing that security-first environment and why it’s so important for your organization that the leadership buys into this completely. They’ve got to walk the talk. They don’t just go through the – it’s a management function to tell everybody they’ve got to do security awareness training; it’s a leader that makes it successful.

We’re going to put in least privilege access. We’re not going to open up a QuickBooks server folder to everybody. It’s not because we don’t trust them; it’s because we want to minimize the attack vectors. If you don’t need access to QuickBooks, why does your computer have access to it? We need to turn that off. We’ve got to minimize the threat vectors, as we call it in the business.

Finally, our ultimate objective is to protect all the stakeholders. Not just the company, not just the employees, not just the vendors, but everybody. For many of you, that could be your community. It could be the state. Could be a region of the country. Everybody’s a stakeholder. In your law firm, all your clients. Judges, courts, your vendors, water utilities. We’ve got to protect the water, make sure the business doesn’t get shut down because of a ransomware attack. Or the industrial control systems, the gates aren’t opened by a nation-state. It’s to protect all stakeholders. It’s a holistic approach to cybersecurity. It’s not just the company itself.

[00:23:45]

Threat Actors

Real quickly, you guys have seen these before. When we’re going through the assessment, we think about things – the criminal hackers, the nation-states, the hacktivists, the terrorists, and we also want to concern ourselves with inside threats. That’s where security awareness training comes in. You want to do something, you take care of that. Get security awareness training, and that’ll cut your risk in half. The insiders, it’s not the malicious ones like this video shows. It’s the non-malicious people that are conned into letting the bad guys in. A phishing email that says “Your bill’s unpaid and if you don’t do something about it, we’re going to cut you off.”

[00:24:30]

White House Deputy National Security Office Open Letter

This coincidentally matches right up with the way IronTech does things. This is from Anne Neuberger. She’s got a long title there, but basically, this is the best we have for a centralized clearing house, somebody in charge of cyberattacks on the nation and companies. She’s the one that answers to the president, and he’s the one that decides what to do. So this is as good as it gets. Funnel in NSA, CIA, U.S. Cyber Command, CISA, all these different places, all the DHS stuff goes to her, goes to the president.

This is an open letter to corporate executives and business leaders. That means small business people. June 2nd of this year, “What we urge you to do to protect against the threat of ransomware.” They need our help. They cannot solve this problem alone. It’s up to us to take care of ourselves and to protect your company and our clients and our colleagues, our families. She’s got five things that she says you’ve got to do to stop these ransomware attacks.

We have never had a client have a successful ransomware attack once they’ve implemented our recommendations. Never. Never, never. Never happened.

Her #1 recommendation is multi-factor authentication. That means a third piece of credentials. Username, password, and generally speaking it’s a random number, six-digit, some eight, that’s generated. It’s time-sensitive and it’s a device that a hacker would not have, so it’s impossible for them to get in. Well, nothing’s impossible, but it’s very, very, very difficult for them to get in if they don’t have that third piece, especially for remote access. Oldsmar, Florida did not have multi-factor. It would’ve stopped that from happening, for those of you that know what I’m talking about.

Her second recommendation is an EDR, endpoint detect and respond. EDRs use artificial intelligence and machine learning to monitor what the computer is doing. It doesn’t look for a virus signature. That’s what an antivirus does. Ransomware has no virus. There’s no signature to look for. Think about that. Antivirus looks for virus signatures. EDRs look at what’s going on on the computer, and to make a long story short, if it sees an Excel spreadsheet starting a macro that calls the Windows encryption service, it stops it because it knows that’s not usual behavior. It knows from learning that and experience, and it’s all automatically stopped. Then it’s investigated by skilled infosec specialists.

#3 on her list is disk encryption. That means all data should be encrypted by you for your organization, especially portable devices.

#4, just like I mentioned, you’ve got to have a skilled security team. It didn’t say IT. It said security. Skilled security. That means infosec specialists. It’s not a threat to IT. IT makes us better; we make IT better. Better protection.

And #5 is sharing and incorporating threat into defenses. What this basically means is you’ve got to keep your ear to the ground and you’ve got to understand what’s going on in the criminal, in the nation-state, and terrorist worlds to stay up-to-date on defenses. And you’ve got to have a skilled security team doing that each and every single day, reading the alerts. I get dozens every single day, and we all look at them and say, “Is that a threat to any of our clients? Do we need to respond right now?”

You guys may have seen the Exchange server, the mail servers that Microsoft has – I mean, they sold. We have a lot of them. The moment we heard of it, we were responding and mitigating all of the Exchange servers we manage. We didn’t wait until we got around to it because we’re deploying a new server. We’re a security-first company. If we had to shut it down, we shut it down. That was a very, very severe vulnerability in Exchange servers.

And other things. When we see these things, we immediately think, “What do we have? Who’s our clients? What’s our exposure?” Mitigate, monitor. Even after we fix it, sometimes we have to continually monitor. We’re actually still monitoring for the Exchange problem.

[00:29:45]

NIST CSF + IronTech Security

Just to review, if you do the NIST Cybersecurity Framework along with IronTech’s assessment, you’re going to end up with a situation where you’re not only complying with NIST CSF, but you’re extending it and you’re getting excellent, excellent security.

That’s because IronTech has a unique and relentless defense in depth practice. For those of you that’ve been through the main webinar, you know what I’m talking about. Defense in depth. Basically, it’s the onion principle. At the core of the onion is the assets that we’re trying to protect, and we just wrap layer after layer after layer around it. The more layers you have, the safer your company is. We don’t want to build a Maginot Line and put all of our eggs on a firewall, especially when over 90% of the breaches are because of a non-malicious employee insider. Did you know that? 90% of breaches are because an insider let them in – not on purpose. They were conned, scammed, socially engineered, if you want to use that term. Psychologically manipulated.

Anyway, with IronTech, our solutions have 24 x 7 security anomaly response teams. This isn’t “a threat has broken out” – this means even if it’s just something that doesn’t smell right, doesn’t look right, unusual, we’re there investigating it and responding immediately, within minutes. That’s the difference between infosec and IT. Remember, our number one job is to protect, to secure. IT’s number one job is to plan. “Let’s replace the server before something breaks on it. It’s five years old. Let’s get new desktops out there before something breaks. We’ve got to prevent downtime.” Our number one job is to secure the organization and all the stakeholders.

IronTech is the best of breed everything. That means all the products and services and even the administrative controls – or you may think of them as procedures – they’re best of breed in the industry and they’re state-of-the-art. They’re not a 10-year-old deal that force password changes every 30 days. We’re not bleeding edge, but we’re cutting edge. When we make a change to a policy – even if it’s a policy – we take it very seriously and do a lot of research on it. Discuss it with peers. If it makes sense, we’ll make the change. If we find a better EDR, we rip and replace. Best of breed everything.

And then finally, IronTech practices SOAR. That’s the orchestration of everything, the automated response and the human response, the infosec, and then we coordinate everything through what we call the command center. Sometimes attacks require not only our skillsets, but also vendors. We’ve actually used multiple vendors on a single attack, and the attack wouldn’t have been nearly as pretty if we didn’t put an entire team on it. So that’s part of SOAR (security orchestration automation response).

If you talk to somebody about security solutions and they don’t know what SOAR is, they’re not an infosec specialist. If they don’t know what NIST CSF is, they’re not an infosec specialist. If they can’t name an EDR that’s in Gartner’s Magic Quadrant, which is basically they divide up all of the stuff they review, and whatever’s in the upper right quadrant is considered best of breed – then you’re not talking to an infosec specialist. If they can’t describe to you the reason for the Colonial Pipeline breach and the failure in that company to prevent that – which I honestly believe is because they didn’t have a Chief Information Security Officer – they’re not an infosec specialist. I really believe that, because their CIO was running it, and they’re too big of a company not to have a CISO.

At the end of this year, 100% of the Fortune 100 companies will have a Chief Information Security Officer because it’s security’s job, not IT. I can’t stress that enough.

So if you have all of these things from IronTech and you’ve covered your bases with all of the things that NIST says you need to do, I don’t know how it gets any better than that, honestly. I mean, I really don’t. That’s as good as it gets.

Having said all of that on my soapbox that I frequently get on, I’m going to turn it over to Kindsey, because she’s got – I think she’s ready. She’s got a special offer for you.

[00:34:55]

Special Offer

KINDSEY HAYNES: Yeah. Since you guys attended our webinar today, we’re going to give you a special deal on our security and risk assessment. We usually charge $795 for the security and risk assessment itself, but since you attended the webinar today, we’re going to give it out to you for free. It’s rare we give them out for free like this, so you definitely want to take advantage of the offer. It does expire at midnight tonight, so that means you need to get some time on our calendar, click that link in chat, or go to NIST.irontechsecurity.com and go ahead and get that scheduled by tonight at 12 a.m. Central Time so you can receive that special offer.

And of course, you’re going to need to use that discount code, IRONTECH in all caps, to receive the discount. And of course, as we have discussed in the webinar today, you’re going to get at least 5 hours of assessment consulting with us. You’re going to get that report that Brayden was showing us earlier in a PDF format so you can share it with whomever. Of course, that report does contain recommended controls that you can apply immediately.

We work with your IT team, so if you’ve got an IT team or an IT guy or you’ve got an outsourced IT company, we’d love to have them on the meeting with us just because they’re going to have an insight that you may not.

And of course, if you have to present this assessment to stakeholders or your board, this is something that you can just hand over to them, have them look at, it tells you where you’re vulnerable, and then you’ve got the actionable recommendations right there ready to go for you, so you know your next step.

[00:36:43]

Again, you’re going to want to go to NIST.irontechsecurity.com, and it’s going to pull up this page right here. You’ll click “Schedule Now.” Once you click Schedule Now, it’s going to take you straight to our calendar page. You’ll just type in your first name, last name, phone number, and email, and of course, that discount code, which again is IRONTECH in all caps. You can schedule a time that works best for you, and you’re going to receive that special offer, originally $795, and for you guys today it is going to be free.

So go ahead and again, go to NIST.irontechsecurity.com, get some time on our calendar, and we look forward to meeting with you. Do we have any questions?

TOM: I’m trying to keep that last slide up there. Look for questions there. I’ll get this going. Here we go. There we go, I guess.

KINDSEY: Maybe.

[00:37:52]

Conclusion

TOM: Anyway, just to reiterate there, if you do have a board or a mayor, governor, president, CEO that you need to justify the assessment and justify the going forward, we can have a meeting with them and consult with them and answer any questions as well. So you’re not alone in this journey. I know there’s some on this webinar that know they need to improve their security defense, and we want to help you help your company get better.

And it’s not about buying from IronTech. It’s just about doing something. We’re all vulnerable if we don’t do something. If one of the law firms that I use gets hit with a ransomware attack, that’s going to have an impact on something, whether it’s tax or whatever I’m using – business stuff, a particular attorney. If my accountant gets hit, that’s definitely going to affect things. If my doctor’s office gets hit, it’s going to affect me. You just go down the list. If my favorite pizza place gets hit, I’m not going to be able to get my favorite pizza.

That’s what we saw with Colonial Pipeline. If you live in the eastern part of the United States – that was May – there were gas lines. I visited Florida. Just happened to be there about a week, probably, or 10 days, somewhere along in there. There were still a few gas stations that had lines. So it impacts our lives.

This is like everybody pitching together in World War II. Everybody made sacrifices to make it better for everybody. The next battle, the next war – I hope I’m wrong, but a big degree of it’s going to cyber. I call it the global cyber pandemic. Some of you may have seen some slides about that that I’ve presented before.

But doing nothing is not an option anymore. And I think you’d be surprised about how expensive it really is.

So we went a little over; sorry about it, but I see everyone’s still here, looks like. If y’all have any questions, last chance. Oh, and you can just call us. There’s no commitment to signing up, by the way. If you just want to ask questions, feel free to email us or call us. I can’t keep that slide up. I’ve got to figure out what the problem is.

But at any rate, we don’t have any questions, so that’s it. Thank you for joining us. See you again on another one.

KINDSEY: Thanks, everybody.

BRAYDEN: Thanks, everyone.