Vulnerabilities Facing Retail and Hospitality Organizations and How Cybersecurity has Changed During the Past Decade.

Luke Vander Linden: This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center. And I'm thrilled you've decided to listen to the RH-ISAC Podcast. [ Music ] If you are listening to this the Wednesday this episode drops onto Spotify, or Apple, or wherever you get your highest quality podcast. That means we're right in the middle of our summit in Denver. Hopefully, though, you're with me there. Lucky for you, this means I'll stop talking about how you should join me at the summit. Tomorrow, Thursday, I've been given a few minutes to update some of the attendees about our membership, it's great when I get to do that because it's a thriving and growing community. We're up to 266 member companies now. It's a sharing community that's even livelier, more varied, and more engaged than ever. And that in turn translates into a retail and hospitality sector that's more robust, more resilient, and better defended. I love this summit because there's no better way to build the kind of trust we need for our sharing community, than face-to-face, at lunch, at a bar, at sessions, and during networking breaks. If your company joined in the last three or so years, you've heard me talk about how welcoming and friendly our membership is during our onboarding process. I hope you found that to be true. The summit may be our biggest event, but it's not our only one. We have a great series of regional workshops that we'll be kicking off this Summer and going through the Fall. We go to where our members are. So, we'll be at Amsterdam, Atlanta, Chicago, London, Los Angeles, Toronto, and Washington D.C. Plus, we have a big event in September to really celebrate our 10th anniversary in Minneapolis. We are really excited to bring you all the opportunities for you to connect with the other members and take in more awesome content. I'd love to see you at one of these events. All the details will be announced as they're firmed up, so if you're a member, or you receive our email newsletter, don't be ignoring those emails. Or social media, or Slack Post. And if your company is not yet a member of the RH-ISAC, this is the perfect time to join. Go to rhisac.org/join, learn more and to start the process. All right. Onto today's show. Right before I left for Denver I sat down with Josh Donlan, Senior Solutions Engineer at HackerOne. HackerOne is, of course, an associate member. They source a lot of their expertise from the world of ethical hackers. We talk about those security researchers, and some of their vulnerabilities out there, and how they impact retail and hospitality. And our distinguished president, Suzie Squier is back with another one of our founding members, David McLeod, currently the VP and information security officer at the Walt Disney Studios. That's a cool gig. He's served on our board back from 2014 to 2017 and was at VF Corp., and J.C. Penny back then. Suzie's discussion with David is, of course, part of her series of, "Plus One Conversations with our Founders," in celebration of our 10th anniversary. If you were with us back when we were getting started 10 years ago, or if you have something cyber-security related that you'd like to contribute to the podcast, shoot us an email at podcast@rhisac.org, or if you're a member, hit me up on Slack, or member exchange, or if you're at the summit in Denver, find me. [ Music ] All right. I'm now joined on the podcast by Josh Donlan, Senior Solutions Engineer for HackerOne. Welcome to the podcast.

Josh Donlan: Great to be here. Good to meet you.

Luke Vander Linden: Thanks for joining us. And thanks to HackerOne for being one of our associate members. Obviously, you've got- given a lot of support to the RH-ISAC over the years. But for our few listeners who may not have heard of HackerOne before, give me a little background in what you guys work on.

Josh Donlan: Yeah. HackerOne is a really, really interesting player in the security states and that we have the largest and most diverse community of ethical hackers on the planet. So, we really work on everything from securing production environments, to tabletop exercises, all the way to secure code. But by using ethical hackers in unique ways.

Luke Vander Linden: Yeah, I love that. And one of your reports that I think we'll talk about later is the hacker powered security report. Love the name of it because it goes down to being generated by those ethical hackers. So, I guess looking at that report or just the work you do, bringing it home to our sector, why do you think retail and hospitality organizations are such a target- lucrative target for cyber criminals?

Josh Donlan: Yeah. It's really the million-dollar question, isn't it? But- God. But hospitality organizations really have the trifecta of attractive targets for cyber criminals. So, they have a lot of highly sensitive data in storage, an extremely high transaction volume. So, a lot of data in motion. And I think historically, a lack of operational security awareness. But I do think that that is changing. Hospitality organizations operate on the premise of knowing your guest. So, a lot of hospitality organizations store massive amounts of personal guest data, in order to know their guests and service their guest better. And I used to consult with hotels, which used to have for example, bride and groom's marriage licenses completely an obvious data- copied another property management systems. Just in case the paper gets lost, or in the wedding, right? So, there's a lot of a sense of- it's important to know your guests, but it's also important to keep their data safe.

Luke Vander Linden: Right. Yeah, yeah. That's something we talk about a lot. All just the stuff that they keep. Let's go into the hacker powered security report. I saw that it's the seventh one. So, congratulations on that, great ability there to compare year to year. But, tell me a little bit about what that report found and specifically related to our sectors.

Josh Donlan: Yeah. I don't think it's a huge secret that retail, hospitality, ecommerce businesses are really undergoing a huge modernization effort right now. So, there's a lot of constant refresh. And there's a huge efforts, specifically in the hospitality industry to move to a more streamlined point of sale, and the property management system. And if these aren't layered properly, it's very hard to secure the information that they handle. So, what the report found on this go-around and like you said, we've been doing it for a good couple of years now, is that we're starting to see fewer and fewer improper access control vulnerabilities because there's less nuance in the authentication mechanisms of the new systems that they're using. A lot of the time, we're more straight forward, login and it's a little bit more secure on the authentication side. But we're seeing huge spike in issues around information disclosure and cross site scripting. And the real concern around that is that it's easy to replicate those types of bugs across entire environments because it's very often that the risks that lead to those aren't sanitized, even across entire organizations.

Luke Vander Linden: Right. Interesting. So, wow. So, just the kind of the broad swoop is why it would probably make our industry more susceptible to this type of vulnerability. Yeah.

Josh Donlan: Yeah. It's very possible. You know? And I think something that we talked about a little bit on the report but also is a little bit separate is hospitality organizations are so susceptible to social engineering attacks. Again, because of that culture of, you know, wanting to be there to serve guests, to delight guests, they're so susceptible to phishing, phishing, any sort of urgency attacks on social with social engineering.

Luke Vander Linden: Right. Well, so, could you tell us about maybe some significant vulnerabilities found in our sector that were able to prevent an incident?

Josh Donlan: Yeah. It's- I think it was in the news. I'm not sure if you saw it. But back in 2021 we had a researcher, I can't call him out by name because this is all- publicly referenceable now.

Luke Vander Linden: No name. No names. Yeah.

Josh Donlan: No names. Okay. We had a security researcher who was, at the time he was a computer science student, undergraduate, who discovered a vulnerability on a third-party electron LS app, which was created by a Shopify developer who actually worked for Shopify. And the vulnerability exposed full get up access token, rewrite to a large portion of Shopify source code. It sucked for the actual company. And, you know, this security researcher did the right thing, reported it through HackerOne. Shopify did the right thing, revoked the access, got the vulnerability fixed within 24 hours. But that individual ended up making $50,000 through the platform, which was the top payment at the time. And you know the crazy thing is that through organizations like HackerOne, that's not completely out of the ordinary for some of these very, very hard-hitting bugs. I think it's just really applicable to the hospitality organization, and hospitality industry because of the similarities between ecommerce online, like Shopify, and a lot of retail and hospitality organizations.

Luke Vander Linden: That's great. Well, tell us a little more about these security researchers that the HackerOne is engaging.

Josh Donlan: Yeah. I said in the beginning, but HackerOne, you know, the researcher community is huge. It's the biggest one in the world. But I think more important than that, it's very, very diverse. So, I've met members of our community who are full time CSOS and they just hack for fun on the side. Yeah. And you know, I love to see that. You know people who have a day job but they want to just apply their skills elsewhere and potentially make, you know, $50,000.

Luke Vander Linden: Sure. Hackers- hackers going to hack, right? We love- we love it.

Josh Donlan: Right, right. Let's give them an ethical way to do it and get rewarded. Like medical doctors, airline pilots, it's really impressive. And 90% of our community is under 35 years old which, you know, kind of makes me like the old man in the industry, right?

Luke Vander Linden: Yes, I understand that completely. I used to be the youngest guy in the room and now that is definitely not the case anymore. But-but good for longevity, right? Yeah, that's good.

Josh Donlan: Yeah, great. I mean most are under 24 years old, is the huge part of our community, which is amazing, but it's just a lot of industry experience. It's a lot of diversity. And we can really get some real and unique findings that you wouldn't want in production.

Luke Vander Linden: That's great. So, let's give our members, our listeners, some advice. What are some key strategies that you think they could use to reduce the number of vulnerabilities found in production, things that they can adopt right now?

Josh Donlan: Yeah. At the risk of people plugging their ears because I say shift left, it is the buzz word in the industry, I know. But it really is just in best to find vulnerabilities early in the development cycles. And that's a common rule, hospitality or otherwise. But in hospitality and travel segment, one bug that's found in a production environment is awarded about $700. That's the average in the hospitality and travel segment. But you got to remember, that's one bug. And even then, it's much cheaper than finding it during an incident. That's always the most expensive to find vulnerabilities, is during an incident. But, you know, it's always best to reduce the baked in vulnerabilities by encouraging developers to take charge of their own code security, foster that culture of collaboration and accountability. Just to reduce the risk of having these things found in production, or in a nightmare scenario, of course, an incident. In 2022, it took hospitality orgs about 36 days to fix a bug. And we're seeing that really speeding up. In 2023, now it's 26 days. So, we're 10 days faster. But still, that's not great, right? I mean, you know, a 26 days on average to remove a data bug is not ideal, even if it is quicker. So, it's important to make sure that we bake these security practices into our SLBC.

Luke Vander Linden: Right, right. So, I will say that we can't have a conversation about really anything these days with bringing in AI. So, to what extent is Gen AI changing the way on both sides? How vulnerabilities are discovered, but also introduced?

Josh Donlan: Yeah. I think there's so much speculation in the space, especially as it comes to security. But I would speculate that we're going to see a huge swing in the exploitability of various vulnerability types. So, while there's the prevalence of some vulnerabilities like cross-site scripting, or SQL objection, may be very much so reduced due to AI powered inspection of input, which just renders a lot of those vulnerabilities as useless. Social engineering attacks may become much more effective because of things like deep fakes, you know, AI generated content which has an appeal to authority. Which again, is really, really strong in the hospitality organization and hospitality industry because of that appeal to the guest prioritized mindset. Also, you know, unfortunately I feel like just a lot of- a lot of hospitality and retail organizations have lent on security through obscurity. You know? They've just not prioritized security because they felt that they're just lucrative targets. But when you have AI sorting through massive datasets in a reconnaissance, it's very, very hard to hide from that. And wait on that gray event principle. So, just again, I cannot emphasize the importance of AI safety and security exercises. And those are two very, very distinct efforts and you really want to make sure to measure both of us.

Luke Vander Linden: Well, Josh. This was great. You've kind of opened our eyes to lots of things. And love the way that HackerOne approaches its security by employing ethical hackers. That's great. There's always an outlet. The report we talked about, the hacker powered security report, how do we get a copy of that?

Josh Donlan: Yeah. Absolutely. You could download it, actually, right off of HackerOne's website. Just hackerone.com and we have a link on there for the hacker powered security report. It's going to be the seventh version. I also post all of them as links on my LinkedIn page.

Luke Vander Linden: Oh. Good, good, good.

Josh Donlan: So, feel free to check that out. And you can download it directly off my LinkedIn page. But we definitely try to make these and circulated as possible to get these insides out there.

Luke Vander Linden: Excellent. Terrific. So, thanks for doing that and thanks for coming on the podcast. And thanks to Hackerone for the support of the RH-ISAC.

Josh Donlan: Thanks, Luke. Thanks for having me. [ Music ]

Suzie Squier: David McLeod, it makes me smile to see you, my friend.

David McLeod: So good to be with you again, Suzie. I have not forgotten about your Marine Dad and how you huddled us and had fun together and--

Suzie Squier: It was fun.

David McLeod: Fabulous time.

Suzie Squier: Oh, good. Well, I'm glad because we're going to go down memory lane in a little bit. But just real quickly, can you bring us up to speed on what you've done since we met, you were at VF Corp, and then you went to J.C. Penny.

David McLeod: Yeah. Went to J.C. Penny because of an affiliation I picked up through this group, who was Scott Howid [assumed spelling]. I spent one year there, there's a lot of fun to be had in retail. There's carnival fun, there's Dennis fun. That was a little more like Dennis fun. So, was there a short time and then had had my good fill of retail and went off to Cox Enterprises, a private, less regulated company to stand up a team, and only nine months ago landed at Disney Studios.

Suzie Squier: Oh, great. And how do you like it there? How's it going at Disney?

David McLeod: Love it working with the creatives. Yet another set of industry challenges, a lot more burden to be dealt with. But it's a good time, you know, we all need new puzzles every so many years.

Suzie Squier: Oh, good. Well, listen, we'll talk about that- we'll get into a little bit about, you know, some of the challenges that you can talk about. You know, just what it's like being in a different industry, like retail. But now, let's go back down to back in 2014 when you were with VF Corp, do you remember what it was like- what the atmosphere was like in early 2014 after we all got news of, you know, the Target breach, and soon after I think The Home Depot one, but maybe a little later in the year. So, what was it like in your world then? With dealing with higher ups and things among those lines?

David McLeod: Watershed moment, destiny changed in a single moment, because here's what happened. I was pretty new to VF, sitting in my office, 7:30 in the morning, and there's a knock on the door. And it's a CEO, Eric Wiseman. He come down from the, you know, the top floor of the building down to my lowly floor. And he said to me, he's like look, a good friend of mine was just fired from Target. What the heck is going on with the cyber security stuff? So, it was like the beginning of a huge set of stories of, I call it the cyber-security equivalent of "How I Met Your Mother," this was "How I Met My CEO." Everything changed at that point. And to give fact context, I want to say it was May 2nd, it was May of 2014 when the Target executives gave him the- gave Greg the [inaudible 00:16:59]. Yeah, other things were going in the business, but the tipping point was that breach. That was the beginning of new dialogue with board members, new level of access. It was the first time I had gone to a board party at a New York penthouse. I mean, no cyber guy ever got to do that. And a new level of investment in security, new level of engagement across the whole industry inside the company. It was just like that knock on the door changed everything forever.

Suzie Squier: Isn't that crazy? Like that- yeah. And I think the whole industry, I think we saw the rise of the CSOS, don't you agree?

David McLeod: Big time. The rise of the CSOS, and their responsibility. But also, a whole lot of cool people come together for good reason for the first time.

Suzie Squier: Well and speaking about coming together, I think, were you there when we went- when we met at- NCFCA Headquarters in Pittsburgh? I think you were a part of that one too, right?

David McLeod: Yes, I was there.

Suzie Squier: Yeah, right. Part of the original crew. And can you tell us any memories you have of like pulling that group together, and conversations we had, and all the discussions and stuff?

David McLeod: Yeah. The mind-blowing part for me was the leaders were super accomplished. Everyone, right? Big brands, big people that had been doing things, you know, kind of alone in the dark forever. But really cool things. But these accomplished people were so humble. So, we were there all about the problem. No egos in the room. Tons of positive energy, and we could make something out of nothing. And that's another aspect that was kind of mind blowing, it's like we had the shared passion and personal commitment to build something out of nothing. And we're sitting up in Pittsburgh. I was like, you know, what's with these 8, 10, 12 people? Why do they, you know, how can the thinking be so big and so profound? And this has never happened before. So, that was a big part of it.

Suzie Squier: It was. It was great. And I remember we had FS-ISAC there talking about how, you know, what the ISACs were like, how they worked, and I think that was also a big moment for us where we kind of saw that structure. And like you said, everyone just really embraced it at that moment. Don't you agree?

David McLeod: Yeah, yeah. And in that moment, too, separate from all the support, there wasn't really a fear, but definitely some really big energy that said, can we really organize ourselves, get enough people involved, to make a difference for all the companies, big and small? You know in terms of the brands, our resources, our funding available. So, the possibility that we might not be able to strengthen ourselves, I think was kind of that healthy, I don't know, that healthy discontentment that was kind of playing in background. But yeah, it was a, again, huge turning point. Destiny made in a moment.

Suzie Squier: Yeah, it was. And you were asked, along with few others, to be on the board and to help lead a newer instrumental, I remember specifically when Booz Allen helping us put it together. But you were instrumental in putting that, I don't know, like request for requirements together. And you know, I didn't know what language you were talking when you were going through all of that stuff at the time. But it was really, it was just a really fascinating, interesting time.

David McLeod: And I got to admit. Until you just mentioned that many, many pages document, I had forgotten about that kind of not fun detail of work. But I think it was because we just had a sense of we have to get this done. And getting partnered up as co-chair, I was vice chair. And getting partnered up with Jim Camelli [assumed spelling] as chair, and the way that we were just able to do so much outreach and taking in everybody's ideas. Again, just not what I expected from strong personalities that have run large functions, and really good at their jobs. There was definitely some magic in how we could collaborate, the mutual respect. But yet the details in this report, we had to take from people that we had never worked with. So.

Suzie Squier: Yeah, it was really. And it was a--

David McLeod: It never goes that way. But it went that way.

Suzie Squier: It did. It was coalescing moment. And I think I mentioned this, I told you I had recently spoke to Scott Howid, one of the others involved in that. And you know, I think in some instances, the right people come together. And we have the- the group we had throughout this whole building, you know, broader than just the board. Even the first companies that were also involved. Everybody was, really, created our mission, because everyone exemplified that jumping in spirit, lifting all boats, you know, kind of atmosphere.

David McLeod: Yeah, did anybody know each other before we came together?

Suzie Squier: No. Not that I know of. No. If we hadn't- nobody had pulled this group together. You know? This information security officers, you know, together. So, it was interesting. How was it taking that back to your organization? You know?

David McLeod: Super easy.

Suzie Squier: Oh, okay. Good.

David McLeod: Right after Eric Wiseman had knocked on the door, I could say whatever. I didn't. But it was super easy to say, if we just invest in getting us together, we're going to have a great defense for the whole industry, we're going to have clarity as an industry of what could be focused on, what to not worry about because there's more of this to come. Right? I think it was the beginnings of retail and our CIO bosses, and legal bosses, and CEOs realizing that the if but when was real. There would be others. Of course, we did not know it would accelerate the way it did. But it was easy to take back messaging because it was for the greater good. So, it moved from, you know, what is this? To wait a minute, you just need some meetings, we just need to take care of shared office space, we just need to share some analyst time, and write a check, for the greater good. It was kind of like no-brainer, self-insurance, let's get our act together.

Suzie Squier: Yeah. Yeah. I agree. And everybody, you know, my memories were crazy. It was a crazy time. That's for sure. Putting it together, creating a 501 (c) 6, you know things that none of us had done. But it was a great journey and it sure as heck had really, really fun people because I remember a lot of laughter along with a lot of like oh, my goodness, we have to keep moving this forward.

David McLeod: Yeah. Yeah. A lot of laughter. Didn't someone have to float us some money to even get started?

Suzie Squier: Yeah. Yeah.

David McLeod: Yeah, because we hadn't gone out on the fundraising and membership trail yet. But yet, we were trying to build the product that people would want to put money into.

Suzie Squier: The Retail Industry Leader's Association funded a lot of the money upfront. So that we could- so we could get Booz Allen on board to, you know, to help, you know, manage that project and, you know, whatever other stuff we needed.

David McLeod: Did we pay them back?

Suzie Squier: I'll check the books, but I'm pretty sure that was taken care of. And then, your companies, just like you said, I think we went for some seed money back to everybody once we had the organization in good shape that we could, you know, present them with the product and everybody dumped in with that seed money, as well.

David McLeod: And the product was a no-brainer already. For the seed money you got back where to focus, what would matter. You got the strength of all the teams in retail back for just being a member. And that wasn't typical, you know, not to knock the other subscription type services but it wasn't typical. You'd, you know, get more than a few people staff augmentation by just being connected and learning how to do it well.

Suzie Squier: So, yeah. What's your favorite memory? Overall takeaway from that time, and all that working with the group?

David McLeod: Other than the laughter, the Chicago Summit.

Suzie Squier: Oh. Good, yeah.

David McLeod: It was another mind blower of like, oh my god, we are real. This is a big milestone, we have stain power. I mean the conversations on industry-wide problems. It was deep. The professional development sharing, you know, CSOS to CSOS, you know, it's how we tell stories. Here's how we have influence. And the cool thing that, you know, the creative in me loved, was that- the artwork that was used. Do you remember the name of that? I don't.

Suzie Squier: It was- was it "Stranger Things"? Or was it, they used some sort of playoff on a popular show. But I can't remember what it was.

David McLeod: Yeah, I can't remember. Anyway, these huge visualizations of the entire conversation, the direction it went, our visualized dialogue, and the outcomes from it, it was just too cool for words. And it really did the trick. But that summit showed me that we were real, people needed it, wanted more of it, that small and large were included. And just like wow, we have momentum. Now, we have an obligation to keep going forward as opposed to a desire to make a change.

Suzie Squier: That's a good point. That's a really great way of putting it. It's now kind of an obligation to the sector and to, as we started out, keep lifting all boats. You know? Create that tide that lifts everything. So, tell me now that you've left retail, you're at Walt Disney. You're kind of in retail, I mean they have a retail component, but you're- you oversee the studios portion of it?

David McLeod: Yes. I take care of cyber- we call ourselves studio cyber. I am the- I consider it the foundation in basic cyber protections for Marvel, Pixar, Lucas Films, Walt Disney Animation, a lot of cool sounding brands. But it is still just cyber work, and this is different from the work the company does with sensitive information protection, different from the work done from content security, because here, you know, of course in the entertainment and media, it's about the movie on set. I mean who knew that movies would carry multi-billion-dollar value when credit cards carry, you know, X-dollars per records. Yeah. So, very different to give them their independence, very different to help them have the right security for the way they are working across the company because, you know, regulations are important, privacy is important, but the big asset is the content and the revenue that comes with those stories that are being told. So really, really different. Really, really challenging. But as I said earlier, we've got to have new puzzles. You know, just when you think you're smart enough, go ahead and change industries and see what you really know. So, it's been humbling and it's been fun, but really hard.

Suzie Squier: Yeah. Well, you've always been one up for new challenges, so I'm sure you're embracing that adventure.

David McLeod: I'm embracing it, and my body's telling me that you probably can't do this three more times.

Suzie Squier: Are you still located out there? Or where are you located?

David McLeod: Yeah, yeah. I moved out to the studios. Turns out movies are always made in person, so you've got to be there to get the flow and get the rhythm.

Suzie Squier: And you're involved-- I mean you're involved like that deep into it? Like when the movies are being made and things like that?

David McLeod: I have not been an extra in a production. I'm waiting for that magic moment, if it ever comes.

Suzie Squier: You're waiting to be discovered.

David McLeod: I'm waiting to be discovered. And I'm in a long line of people hoping to be the background guy running out of an exploding building. But no. But the tech teams behind it, they do pretty magical stuff. There's not a whole lot of standard tech in the movie making business, so the way they do it, the way they do their workflows. It's a lot of cool new widgets to look at and think through.

Suzie Squier: But I imagine just like in any situation that you're in that, you know, the roles that you've been in, a lot of it comes down to relationships. You know? Who do you need to create relationships with, you know, within the team members, and as you say work with them and be a partner to them. Do you feel it's the same?

David McLeod: Very much the same, even bigger now. Because what we have across the studios is these businesses had very strong capability before this cyber guy showed up. So, it's the relationship plus what extra dimension do you bring? Can you flex with me? Can you build to my way not hit me with your hammer? So, same progression, I'm sure, everywhere that, you know, CSOS now, ISO security teams have to, I think we've moved from 2014, you should do it this way because life will be better to wait a minute, what are you doing? How can I get creative to help to solve around that? Because this darn digital just went everywhere. So, we're all having to be relationship based. And way more flexible about how we're building trust, sharing investment, making tough choices about how much is enough since we've only got X dollar for security?

Suzie Squier: Right. Right, right. And you know, I think the big thing is, you know, how do you help to say yes to the business? But then at some point, there's a risk factor involved and then someone just has to sign off, if you're willing to take, you know, the risk in order to do X,Y, or Z, right?

David McLeod: Exactly. It still will come back to; this won't be perfect. The whole world is digital and since you can't put a lock on, I don't know, every single door, be really smart, and really precise.

Suzie Squier: Do you get involved with the other aspects of the Disney organization at all? Do you get together with other security teams from, say, their, you know, their, you know, parks and maybe, you know, retail or other aspects? Because it's such a huge organization.

David McLeod: Yeah. Disney is actually organized with an SVPC so, as well as a CSOS for the parks, a CSOS for corporate, a CSOS for what you know as Hulu and Disney Plus, and CSOS for studios, that's me. So, yes, we collaborate deeply. We're on our way to, you know, transforming even more in this industry, so we have lots of back to the, you know, the retail ISAC which is it takes a ton of collaboration to figure this thing out and deliver this thing in a reasonable, fast way.

Suzie Squier: Yeah. Yeah. Well, that's good. Any groups that you are a part of in your world that- in ISAC, and your world that help support you and that- the space that you're in?

David McLeod: ISAC similar? Not specifically the media and entertainment ISAC, I'm sure Disney has someone participating there. But even amongst the studio's business, there's quite a few forums around how we make movies, how cinematographers, you know, need to protect their content as it moves around the world. Yeah. So, lots of industry collaboration. Not as- it's probably older than retail, since the movie business is older. It, you know, it's pretty old. But yeah, very- I say very detailed, very specific for how the big movie houses do things together. It turns out it's a small business just like retail. A very family business, like retail.

Suzie Squier: Okay. Yeah. Interesting. It's like you said, it's a whole new world of experiences that you've jumped into. Well, I want to thank you for your time. Want to thank you for all the support you gave over the years, because it was a lot, it was a lot of time. I don't know if people will- probably don't realize that, you know, building it and- but it was also a lot of fun. And now we're coming up on 10 years.

David McLeod: Which is incredible. I got to thank you, you know, it's natural that people, you know, grow and move on. But you've been there from the beginning. I think you are probably the only employee one, that's still employee one.

Suzie Squier: Yeah. Well, I was there but then I left, you know, because we- they hired someone once we built it. And then I came back.

David McLeod: Yeah. I don't remember you leaving. I'm pretty sure we were always talking to you in some form or fashion.

Suzie Squier: Well, that is true. Always going on. But it was a lot of fun. We've got a great team now, you should be very proud of the effort you put in. Great members, as always. I mean, you know, who cannot love people in retail and hospitality, right? It's all about.

David McLeod: The fact that you added the big H on was cool, because I remember that challenge was coming and I see the broadcast and I see the teams, and it's like wow. This thing actually was a good idea. But, you know, congratulations and thank you for just keeping it going, because these things don't feed themselves.

Suzie Squier: No. No, it's a lot of caring involved. But it's worth it. And the members are great. Well, thank you so much for your time, it's so great to see you. Hopefully we can invite you to the 10th anniversary to join us at least for a dinner where we can get everybody back together, when we have that in '24 and we'll keep you posted on that. But thanks again for your time today, David. So fun.

David McLeod: You're welcome. I would love to be there.

Suzie Squier: Good.

David McLeod: Great to see you.

Suzie Squier: Good, you too. Take care.

David McLeod: Bye-bye.

Suzie Squier: Bye-bye [ Music ]

Luke Vander Linden: Thank you to our guests, Josh Donlan of HackerOne, our own Suzie Squier, and of course, David McLeod. And as always, thank you to the production team who are surprisingly successful in making us sound good. From the RH-ISAC by hero, Annie Chamlis [assumed spelling]. And from N2K network, Jennifer Eiben, Troy Hester, and Elliot Peltzman [assumed spelling]. And thanks to you, for tuning in. Stay safe out there. [ Music ]