The Retail & Hospitality ISAC Podcast 3.13.24
Ep 46 | 3.13.24

Security Validation and the History of RH-ISAC


Luke Vander Linden: This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center. And you have found the "RH-ISAC" podcast. [ Music ] Well, time marches on, and here we are already mid-March. And the RH-ISAC Cyber Intelligence Summit is less than a month away. I know, I know, you're like, Luke, we get it. Enough with the summit already. But no, look, it's a great event. Most of you have probably registered already, but for those of you who haven't, come on, you can't miss it. Are you still looking for a reason? Well, the agenda is officially out. We're talking about two dozen breakout sessions, six networking events, four keynote presentations, and a special training workshop facilitated by SANS. That's right. So let me tell you about those keynotes. Rich Agostino, CISO and Senior VP at Target. Rich is our opening keynote. Jayson Street, Chief Adversarial Officer at Secure Yeti and world-renowned social engineering expert. Andy Greenberg, Senior Writer for Wired. And you know, if that's not enough, I'll be there too, the internet's most adequate podcast host. I want to see you there. Please don't disappoint me. Denver, April 9th through 11th. Go to Now, I don't want to suggest this, but if you can't make it, we do go to places and help out at other events too. You going to RSA in May? We'll be there. Our President, Suzie Squier, is hosting a panel on digital fraud and theft on Thursday morning. We're also hosting our own meet-and-greet happy hour on Tuesday evening. We partner with lots of trade associations and groups that serve our sectors. We'll be at NRF Protect in Long Beach, California, in June. That's a great conference that bridges loss prevention and cybersecurity. Also, in June, we'll be at Infosecurity Europe in London. We get around. If there's a conference or event we can help you out with or someplace you think we should be, please let us know. See where we're going to be next at All right. On to today's episode. I sit down with Jason Mar-Tang, Field CISO at Pentera. We're going to talk about security validation, or, as they like to say, validate, remediate, repeat. Suzie Squier is back with a great plus one, Jim Cameli, who was associated with the RH-ISAC for a very long time. He was a founding board member 10 years ago and served right up until he left Walgreens Boots Alliance after nearly 30 years there just last year. Wow. So don't hit pause. Don't multitask. Keep listening with your undivided attention all the way through. As always, if you have something cybersecurity-related that you'd like to contribute, shoot us an email at, or if you're a member, hit me up on Slack or Member Exchange. And if your company is not yet a member of the RH-ISAC, it's time. No, really. Stop procrastinating. Go to to learn more and to start the process. [ Music ] All right. I'm now excited to be joined on the podcast by Jason Mar-Tang, AVP and Field CISO for Pentera. Welcome to the podcast.

Jason Mar-Tang: Hey, Luke. How's it going? Thanks so much for having me.

Luke Vander Linden: Pretty well. Better -- It's going better now that you're with me, so this is great. Pentera is one of our associate members. I'd love to know more, for the folks listening who don't know as much about Pentera as we do, a little bit about your organization.

Jason Mar-Tang: Yeah, sure. Our organization has been in business for a few years now. We came out of stealth in 2018, and our founder, Arik Liberzon, he spent many years in the IDF, the Israeli Defense Forces, heading the offensive security team there and the red team. And he had this eureka moment back in the day where he said, you know, everything that we're doing can be wrapped up in automation. And that eureka moment led him to found Pentera really to enable the rest of our customers to think and behave like the attacker in an automated fashion so we can ultimately become the world's security validation authority.

Luke Vander Linden: Wow. That's great. I love automation. We love automation at the RH-ISAC in all its forms, so that's excellent. So in preparing a little bit, meeting you, and getting ready to interview you on the podcast, I've seen all over your LinkedIn and Pentera's website the phrase, "validate, remediate, repeat." What does that mean? What is security validation? Explain that to me.

Jason Mar-Tang: This is the way, Luke. This is the way. So it's really the continual mindset that we want our customers to be in. So validate, what are we validating? Well, we're validating two things. We're validating, one, what our risk footprint is. So that is always a big question mark because the risk footprint is dynamic in our dynamic IT environment. There's always identities being added. There's always infrastructure being added or changing. So we want to validate that at all times, almost like a pulse. Where do we stand? What's our risk footprint? So validating that. We also want to validate the numerous amounts of controls. And I say that very generically because controls are built from, you know, logical controls, technological controls, but all those controls should be validated. We don't want to assume that they're working well. We want to make sure that they are working as expected. And, quite frankly, that the investments that we've made over time, all this money is actually being leveraged to its fullest capacity, so validate. Remediate, so if we notice something that is different or needs to be changed, we now know, and we can prioritize what needs to be remediated in order to make sure that we're effectively making the best use of our time and efforts. And then repeat: why would we want to do it once? Do it over again, and continue, continue.

Luke Vander Linden: So is this just a smarter rephrasing of something that's been done in our industry for a while? Is it completely new? Or is it really a new way of looking at security?

Jason Mar-Tang: I wouldn't say -- I think it's new in regards to, traditionally, when we looked at security validation, it was always done by third parties or specialized individuals, which I get. I mean, you know, security, you can be an identity guy, you could be a cloud person, you could just be infrastructure. So there's special niches, and typically red teaming and penetration testing, the offensive skills were a niche. What we're seeing now is that moving away from the once or twice a year, we want this at least once a month, once a quarter, whatever the appetite is to get that continual pulse. So that's what's new about it, and then wrapping automation helps augment existing teams.

Luke Vander Linden: Yeah, I was going to say that kind of repetition would be pretty onerous if not for the automation part of things.

Jason Mar-Tang: Exactly, and what it also allows, what we've seen is that organizations that do have, they're lucky enough to have, the funding or the personnel to have a red team, we can actually help them scale their operation. So everyone here is automation, right? You could, oh, you know, people are going to lose jobs. It's never like that, not from what I've seen. It really just helps teams be more effective and even better at their job because now they have a power tool in their tool belt that they can leverage to get their jobs done.

Luke Vander Linden: Yep, that's what we're seeing as well. So what are some examples where security validation helped reduce risk in programs?

Jason Mar-Tang: So it's interesting -- It's a good question. We've seen a lot of controls, what we consider, what we think, default controls like EDR and things like that. We think that it's working correctly. And I can't tell you how many times we've walked into an assessment. So we offer a proof of value. It's one day. Because of the automation, it's very easy to evaluate. Our tool, it doesn't take like weeks like some other tools. And we quickly notice, oh, these machines don't have AV on them. Why is this ransomware attack getting through? Oh, because AV was just in monitoring mode. So it's a policy change. It needs to be looked at. And that's very important because controls are never just on/off, right? It could be on, but you could have -- There's a lot of gray area that could be affecting the way the tools work. So looking at that. Or we have a PAM tool, but yet, you know, Pentera is coming in and still moving laterally. Oh, well, because we didn't deploy it in this part of the environment. So it's when we're noticing that, and we're incorporating elements of the environment that are high risk, like critical assets or, you know, assets that when you're considering your business impact analysis part of that critical chain, and we're starting to see attack paths, it's like all of a sudden we're going, okay, well, let's focus on that. And we can dramatically reduce the risk if we're just focusing on lower-hanging fruits, especially vulnerabilities that may not be considered high but they're the first step in a larger attack chain.

Luke Vander Linden: Wow. So it's a lot, which is great. So, if an organization wanted to start a security validation program, where do they start?

Jason Mar-Tang: Well, I always advise organizations to, again, evaluate what's critical to their business. So, if you're in retail, it might be the ability to sell your goods or services online or whichever. What's critical? What is your critical assets? We want to make sure that we're building our risk program around those assets and the availability of the assets, the confidentiality of the assets, and the integrity of those assets. So that's where I would start. But sometimes, there are organizations that already have a program set up. And what we do is we want to say, okay, let's mirror what you've already been doing. But then let's also now shift the focus or augment into another area or into another focus of the business.

Luke Vander Linden: Okay, that's good. So it seems like a great idea. Are there any challenges when it comes to security validation that might, you know, come up when you're getting started or when you're operating one?

Jason Mar-Tang: Yeah, I think that the teams that we work with, oftentimes they're, again, the penetration testers, the red teamers, they get pushback. And maybe that has a negative connotation, right? It's not necessarily pushback as it's more friction between the teams because, naturally, they want to go in, and they want to test because it's important to know the risk. But there's risk of damage or the availability of that information. And we see a lot of that commentary coming back, well, you can't do it, you can't touch these assets, or you can't do it during these times, or no, you can't do it at all. And in reality, it's like, well, wait a minute, the attackers don't care. They're going to do whatever. So whether they damage or they do do whatever, it's not going to matter. So what we do is we've taken very careful consideration for the exploits that are in our tool to make sure that we do it safely. It can be done. It takes a lot of work, but that's what we're very proud of. So that's what we see a lot of -- a lot of challenges as well as the fact that sometimes projects like this don't have executive buy-in from the top down where the teams may understand that this is necessary. But unless everybody's on board and you start to from the top down, get into this purple-teaming mindset, security is owned by everybody, we need to work together for the betterment of the organization, then it works. But if we don't have that mindset, it can be very challenging to try and operationalize something like this.

Luke Vander Linden: Yeah, I think that would hold true for much of cybersecurity. And we see a lot of that changing now, particularly with the emphasis on reporting and things like that, which is nice. So we talked a little bit about, you know, some of this controls and process. Is process better, and does it come into play more in security validation than just controls?

Jason Mar-Tang: I would say it's almost the yin to the yang. Maybe that's not a good analogy. But, you know, again, just because you have something that's going to alert, what are you going to do with that alert? Who's responding to it? Then what, right? So the SOC is going to be monitoring the SIEM, the SIEM is going to be getting logs from AV and your firewalls and anything else, and -- AV -- like EDR, right? [Laughing] I'm just stuck in the old-school mindset right here. So what we're looking to understand is -- Because you want to be ready. You want to have confidence in your security program. How do you have confidence? You have to test. And I always equate it to the fighting analogy. I'm a martial arts practitioner, so I'm always drilling, and I'm always ready. I'm always ready. So we want to make sure that the program is always ready, and the program doesn't include just controls. It follows its processes as well. So who's going to escalate? Who's going to respond? What information is going to be provided? And we see a lot of this when third parties are involved. So third-party SOCs or monitoring services, how quickly are they going to respond? What's the SLA? Are they going to meet the SLA? And if they meet the SLA, is it going to have all the information necessary for us to do a proper investigation? So we keep an audit trail of everything that Pentera is doing from an attack perspective. So we've seen third parties come back and say, yeah, something's going on, but only give half the story. And they never follow up. And it's like. So, you know, it's a nice way to keep these third parties in check. So that's what I mean by processes, like what's exactly going to happen. You don't want to wait for the real attack. You don't want to assume. Let's just validate everything.

Luke Vander Linden: Right, right. So putting on, you know, looking at your crystal ball, what do you foresee happening in the future in the industry and cybersecurity?

Jason Mar-Tang: Well, I hate to say it, but I think that AI, we're going to see more AI-powered attacks this year. We're already seeing -- I mean, last year, we saw it already, right, with some of the polymorphic malware that was out there. AI is not going to get any worse, right? It's only going to get sharper and sharper and sharper. And it makes the struggle of security practitioners really tough because you're already fighting the battle of dwell time in the environment. And it's just making the attackers that much quicker. So I think we'll actually see, as a result, too, a more, I want to say not reliance, but a push towards leveraging more automation, whether that's automation like we do, so testing the environment with automation, or even using automation to help secure environments in different ways. And, who's to -- I mean, that can happen in many different ways. I'm not here to predict that, but I think we'll see -- I think AI will definitely come into play a little bit more this year.

Luke Vander Linden: Right. Well, we can't have a segment of this podcast without mentioning AI at some point. So I'm glad you squeezed it in there, but you're absolutely right. You know, everybody's talking about it because it's real. Excellent. Jay Mar-Tang, AVP, Field CISO for Pentera. Thank you so much for joining us on the podcast, and thanks to Pentera for their support of the RH-ISAC. [ Music ]

Suzie Squier: Good morning. I am here with Jim Cameli, who I haven't had the pleasure of speaking with for a long, long time, as my guest today. So hey, Jim, how are you?

Jim Cameli: I'm doing very well. How are you, Suzie?

Suzie Squier: I'm well. I'm well. We're going to take a little trip down memory lane. And then we'll catch up with you a bit as to where you are today, too, if you don't mind.

Jim Cameli: Sounds great.

Suzie Squier: Good. So this is all about, we're coming up on our 10-year anniversary, and so going back to 2014, you were the global CISO at Walgreens Boots Alliance back then?

Jim Cameli: We weren't global yet.

Suzie Squier: Okay. You were Walgreens.

Jim Cameli: So back then, we were just, yeah, we were just Walgreens in the United States.

Suzie Squier: Back in the day.

Jim Cameli: Yeah, back in the day, exactly.

Suzie Squier: Can you remember when you, you know, back in those early days of 2014 when we had, you know, the couple of breaches that year, which, you know, made this necessary for us to pull a lot of our information security folks together? What was it like at Walgreens at the time, you know, even before we started pulling folks together, when, you know, the news hit? What were your executive leaders asking? And how was it in your environment at the time?

Jim Cameli: Well, they're probably, if I look back on then, and boy, it seems so long ago, but there were probably three things as I reflect back to 2014. First of all, the world back then seemed a lot smaller. So I think it was 2014 became sort of known and labeled as the year of the breach, year of insane media coverage around breaches in the year where I think, and I'm sure it wasn't just for me, and it's part of why we did what we did with RILA and ultimately RH-ISAC, but you kind of worked in a silo, right? You're worried about your world and how your world was being impacted and the threats that you faced and typically kind of thought of it very sort of singular. What do I need to do for this company? How do we protect this company? All about us, which at the time sort of just made sense. It was the way things had sort of come about, etc. I think if you look at 2014 and after the series of events, then ultimately, you know, I think many would say, unfortunately, Target, wrong place, wrong time, and right amount of media coverage. But they sort of became a poster child for what was really happening in the world and the fact that it was a much bigger issue. Cyber was a much bigger issue and it was becoming a much larger threat and something that retail organizations really need to stand up and say, you know, pay attention to. So that was kind of happening. And the media blitz and all the coverage clearly, to your point, got upper management quite involved. So the interesting thing for me is I remember, it was either day of or days of sort of the big announcement and all the dialogue, we actually had a town hall scheduled at Walgreens. And Greg Wasson, our CEO at the time, who was actually, I think, one of the leads of the RILA board, he approached me. We were both in the hallway. We were doing a town hall. If I recall, it was, I don't know, at one of the local hotels because you need a conference room. But he approached me in the hallway about 30 minutes before and started out, you know, hey, Jim, how are you doing? He would always ask me, how am I doing? But he said, I need to ask you a favor. And I was like, sure, you know, what can I do? And he's like, I'd like you to stand up in the town hall and talk about the breach. And I was like, really?

Suzie Squier: With 10 minutes to spare.

Jim Cameli: Yeah, well, it was -- I'm okay on impromptu, so that's never bothered me. But, you know, he's like, this is a -- it's a tough day. It's a tough day for the retail industry, obviously, a tough day. And I think he was good friends with the CEO of Target at the time. He said, but I think we should take this moment to not only reflect on how important cyber is, but, you know, let's also bring it home. We're going to have a large audience. Let's talk about things that people could do and should be thinking about, etc. So, you know, sometimes with, you know, with bad things, good things can come of it. I would say that I think it raised the bar on awareness. It got upper management a lot more involved. And it gave CISOs, not only such as myself but CISOs, I think, around the country, an opportunity and a little bit of larger voice and a seat at the table, probably more than we had previously had. That's what I would say.

Suzie Squier: Yeah. And I think it kind of elevated the position. You started seeing a lot more CISO titles coming out of it because the C-suite realized the importance of it all.

Jim Cameli: Yeah, there was a massive surge and growth and announcements of people, you know, shifting from directors of or whatever their titles were and suddenly you had a lot more CISOs. But it was the right thing to do. It really put a fine point on the fact that organizations needed somebody leading that role. And they needed to invest in it. And they needed to give somebody a title and the authority to do what was necessary. So it was a bad time, but it was also a good time in some ways.

Suzie Squier: Do you remember the first meeting we had at NCFTA when we started pulling people together? We kind of found the -- we found the ISAC model, you know, and we had FS-ISAC come and speak to us. So what are your memories of that meeting that we had?

Jim Cameli: Couple things. I remember it was a very small room. We weren't that large -- we weren't that large of a group. I mean, if you think about -- And it's one of the things that you should take a lot of pride in. And I know that, you know, I take a lot of pride in. But you think about where we started and where things are today, markedly different. But back then, I can't remember how many organizations we had in the room, but it couldn't have been more than 10 and I think it was closer to eight or less. But, you know, I remember specifically, I think Scott Howitt from JCPenney, Jenny Lay from Target, Bill Dennings from Nike. I can't remember the rest of the people that were in that room. I know the first round of board members we had, but it was pretty small and succinct in that room. But the nice thing about it was it was kind of exciting, right? It was a little bit of a crazy time, and everybody was a little bit on edge. But you had a group of people who came together with a concept. And if I remember, was it Lisa LaBruno?

Suzie Squier: Yeah, Lisa and I were working together on it. Yeah.

Jim Cameli: Yeah. So Lisa, you know, Lisa did, quite frankly, a fantastic job of giving us a platform to have a discussion to ideate about what we could do or what we might do. And it became the first step in a long journey to develop what ended up being the organization that exists today. So I remember a lot of people talking, and it was interesting because it was, you know, one of the first times where I think some of the guards started to go down. So what, you know, what we've emphasized and what was the big piece of initially our RH-ISAC and, you know, our ISAC, etc., but it was information sharing. It was everybody learn how to help each other and not hold things to yourself. And that was a new concept. So that was the first step to get there. So those are my recollections.

Suzie Squier: Yeah, no, you're right. And I think overall, we had about, not necessarily in the room, because it was a small room at NCFTA -- They were very gracious in offering their -- And they gave -- And they talked, too, which is good. But initially, we think like 30 companies were what I was able to gather together, you know, but the meeting was small. But we had to do a lot of in-person meetings too. And because of people weren't used to doing information sharing, we had to build that trust. Do you recall that as well?

Jim Cameli: Oh, absolutely. I mean, you know, between that and then eventually, as we began to sort of ideate the, you know, the ISAC model and the fact that we would become -- you know, all the paperwork and all the filings and all the things we would need to do. And we eventually, was it Booz Allen, I think, we got to help us? Yeah. I remember sitting in rooms and sitting on conference calls for hours, working through everything. But it was, I mean, it was fun. It was exciting. It was different. And we were building something that didn't exist for retail in the way that we were doing it. So yeah, unfortunately, I guess for me, I had a lot more time, it seemed like back then because I don't know how I could have done it in the world that I eventually lived in. But what was amazing was that everybody made the sacrifice that was necessary. Companies supported it. So, you know, they allowed us to go and do those things, which isn't always, you know, a given. So the timing was there. So a lot of things came together for the right reasons to create a great outcome in my mind.

Suzie Squier: Yeah, it was. And you're right. There was a lot of support because there was a lot of time spent pulling the organization. Booz was a great -- They had built other ISACs. It made sense for us to choose them to help with that. And then toward the end of the year, we created our board, and we asked you to chair it. You were our first chairman of the board. And like you said, I know it seemed like it was a bit of a, not slower pace because we had a lot going on, but there was a lot of time put in by you and the board in developing, you know, our original documents and organization and all of that. None of us had ever done it before. So that was --

Jim Cameli: Yeah, we were definitely on the leading edge of not knowing what the heck we were doing. But as I said, I think, you know, when you reflect back on that time, it was just, it was so important that we changed behavior, that we created a dynamic where people felt comfortable engaging with each other. And I think we did that. And I was obviously very, very interested in trying to help with that. And as you said, it was a big commitment. I remember lots of days and hours and weekends and evenings and flying. But the outcome of it was really, really cool. And I think there are so many people that can look back at what it took to get there, that there's a lot to be proud of. And I don't remember what our initial, you know, membership numbers were. But they pale in comparison to where they stand today. And I'm not even sure where you guys have moved it on since. But I imagine it continues at great volumes and great pace. And the reputation precedes itself, which is why people continue to join. And the concept of continuing to share information has only grown in magnitude and is such a large piece of why people are interested in the organization.

Suzie Squier: Well, yeah, I was going to ask you what you're most proud of, and I think that's it. I think you just said it, it's that we've built an organization where people are comfortable sharing. I think we set a good initial culture of welcoming people, which I'm really, really proud of. You know, we're not one of those that like, you don't know, you know, it's just like, bring everybody in and we'll help out.

Jim Cameli: Yeah, besides that, I think the other thing that was just really nice, when I reflect on the past, and I'm sure it's the same now too, it's occurred as well. But I just remember the relationships that were built out of this organization and how many times that came in handy, less even for me, but more of how I could help others. I remember individuals, and there's a long list of them, who would pick up the phone or shoot me a text or send me an email and say, I'm about to do X. Can I bounce something off you? Or I've been asked why. Can you let me know how you approached it? And what was nice was that people were comfortable doing that. And I don't know that prior to our existence -- I'm sure it was there. And I'm sure there were niches of people, and you had your networks. It felt like the world got much larger, but so did our networks, and so did our trust level. And it was just a nice shift. And if, you know, I'm not sure again, some of the things that have been able to, you know, to occur and the way that many groups have come together to conquer some of the adversarial events and issues that we've been dealing with could have ever been done without sort of the advent of this. So there's a lot to be proud of.

Suzie Squier: Yeah.

Jim Cameli: There's a lot to be proud of.

Suzie Squier: And, you know, just think, you know, fast forward, even, you know, the COVID, like the sharing of how are you doing this, the journey, it's not just the threat sharing, which is very important, but it's also the journey and how do you do it. And so that's been a huge impact from those early days and continues on today, which is great. So you moved on from Walgreens. Can you tell a little bit us about what you're doing now?

Jim Cameli: Sure. Yeah. So really, really excited about my new role. So, after a long journey with Walgreens, I decided to retire from the company but not from the industry. I was still -- still had some -- still had some gas in the engine, as you might say. But for the, you know, for, you may recall that there's still a company called LabCorp, but they decided that they were going to spin off the CRO. So the clinical research organization component of LabCorp and create their own independent CRO. So Fortrea, the company that I'm now the Senior Vice President and Global CISO for, is focused entirely on clinical research and all of the elements that go around with that. So 90 countries, lots of opportunity to make a difference in people's lives, which is still a sort of a continuance. I've always -- That's always been important to me, right? It was important when I was with Walgreens. It's as important, if not more, with Fortrea. And it's doing things that can help people, help their lives, and making an impact. It's a little bit of a different focus, right? Instead of filling scripts, we're running trials and working with, you know, major manufacturing companies, the Merck's, the J&J's, whoever it may be, but working on clinical trials, working on certain elements of things involving medical devices and drug development, but everything in that CRO space. So my only change is probably, you know, there's a little bit less in the payment side of things, right? So you don't have the tills at the end and all the debit card and credit card stuff that goes with it. But healthcare records and healthcare privacy and all of it regardless, even if you put data aside, the world of cyber for any company that has a public persona and a large customer base, it's the trust model. So I want to take and help, and I think we already have it, but continue to build it and broaden it and make it something that Fortrea is not only known as one of the top CRO companies, but it's just a given and a natural that everybody associates the security and the trust along with that. So my job hasn't changed. My focus hasn't changed. I've just shifted to a new organization. I'm really excited to be there with some really great people, some really talented leadership, and kind of get a chance to start all over again and build something from ground up. So that excites me, and so I'm looking forward to doing it for however long I decide to do it.

Suzie Squier: Well, great. Well, yeah, I know. You're a giver. You certainly have earned your -- you've earned your honorary role within the then R-CISC, now RH-ISAC. I mean, we couldn't have done it without you, and I know I couldn't have. Back in the days, we spent a lot of time talking and building, and it was a lot of fun. It was crazy, but it was worth it. And I can't thank you enough for all that you did for me and for the organization as we built -- as we built this great organization back in the day.

Jim Cameli: One hundred percent. And as I, you know, reflect on my career, that'll always be up there on one of the top accomplishments and things that I, you know, I have a lot of pride in. So, like I said, it was a team effort. Certainly, no one person did anything, but collectively, a lot of us did some great things. And then combined, we created, as you said, first R-CISC and then eventually RH-ISAC. But that, in and of itself, and your shift from RILA to the organization itself were just demonstrative of the evolution that the organization has continued to go through. And it just -- it doesn't -- it hasn't stopped. So it continues to evolve in a positive way, and although I'm no longer a part of it, my heart will always be there. And you know that I'll always be thinking of each of you. And, who knows, maybe some way somehow things work out. But for right now, I know they're in great hands with you and the rest of the board members and the members that are all part of it. So it's a great organization. It's going to do fantastic.

Suzie Squier: Thank you. It's all, you know, we have great leaders now, just as we had great leaders then. So thank you, and they're all very instrumental in keeping us, you know, focused on our mission, which is awesome. So it's great catching up with you. It's been too long.

Jim Cameli: Yeah, absolutely. Great to see you. Please pass along my best wishes to everybody. There's some people that, you know, we cross paths and still stay in contact, others not so much. But in the world of cyber, I expect that there's always the opportunity to connect. You never know when you need a networking partner. But if you ever need me, reach out, and again, give my best to everybody. Nothing but the best of success in the future. And great catching up with you, and great seeing you again, Suzie.

Suzie Squier: Thanks, Jim. Take care. [ Music ]

Luke Vander Linden: Thank you to my guests, Jason Mar-Tang of Pentera, our own Suzie Squier, and Jim Cameli. And as always, thank you to the production team who do their best to make us sound good. From the RH-ISAC, that's the amazing Annie Chambliss, and from N2K Networks, Jennifer Eiben, Tré Hester, and Elliott Peltzman. And thanks to you for tuning in. Stay safe out there. [ Music ]