Episode #35 - Cyber Risk Assessments: Everything You Never Thought You Wanted To Know!

What is a cybersecurity risk assessment? This week, the guys take a deep dive into the intricate world of Cyber Risk Assessments. They cover best practices from choosing an industry-recognized cybersecurity framework, to scoping and preparing for your cyber risk assessment, plus how to make cybersecurity standards like NIST CSF and CIS Controls work for your company.

They discuss how these assessments work for different purposes and what to expect when you're planning for your first Cyber Risk Assessment.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Cybercrime Costs Organizations Nearly $1.79 Million Per Minute
Ransomware: To Pay or Not to Pay? Legal or Illegal? These Are the Questions

REvil Ransomware Asks $70 Million to Decrypt all Kaseya Attack Victims

Kaseya Hacked via Authentication Bypass

CISA, FBI Share Guidance for MSPs and Their Customers Impacted in Kaseya Attack

Bad News: Fake Kaseya VSA Security Update Backdoors Networks with Cobalt Strike

Agent REvil Unveiled in Kaseya VSA Ransomware Attack

Good News: Researchers Uncovered the Network Infrastructure of REvil – The Notorious Ransomware Group That Hit Kaseya

QNAP Fixes Critical Bug in NAS Backup, Disaster Recovery App

Microsoft – nuff said?

Microsoft Issues New CVE for 'PrintNightmare' Flaw
Microsoft Pushes Emergency Update for Windows PrintNightmare Zero-day
Experts Bypassed Microsoft’s Emergency Patch for the PrintNightmare


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber criminals and now  here's your hosts mike rotondo zach fuller and  
lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach fuller joined by
mike rotondo and lauro chavez today we are talking  about cyber risk assessments everything you  
never thought you wanted to know about cyber risk  assessments but uh it's important topic because  
everybody needs to understand how they're exposed  at the highest level across an organization  
so before we do that mike you want to kick us off  with the news and get some interesting headlines  
for us today i'm not going to start out with  microsoft i'm going to save that for the end  
but anyway uh cyber crime costs organizations  nearly a dollar 79 1.79 million per minute um  
cyber crime costs organizations is incredible  1.79 million every minute according to risk iq  
the study analyzed the volume of malicious  activity on the internet exposed the scale and  
damage of cyber attacks in the past year finding  that 648 cyber threats occurred every minute  
researchers calculated that the average cost  of a breach is 7.2 dollars per minute while  
the overall predicted cyber security spend is 280  000 every minute well the e-commerce industry saw  
a record 861.1 billion in sales it lost 38 052 in  online payment fraud every minute healthcare lost  
13 dollars per minute on digital security breaches in it in the past year report also
looked at the impact of different forms of cyber crime that showed that per minute there was 3 615
loss to cryptocurrency scams and 525 000 records  compromised and six organizations victimized by  
ransomware and that is per minute the question  continues to come out ransomware to pay or not  
to pay legal or illegal these are the questions  so there's no guarantee that a decrypter will be  
forthcoming if you do pay the ransom that's one  thing we all need to understand uh basically on  
a recent cyber survey by cybereason they found that almost half of the businesses that pay for
ransoms didn't regain access to all their  critical data after receiving their encryption  
why are people paying then well there's  one problem a whole new industry segment of  
ransomware negotiators and cyber insurance emerged  on the other a new business segment has been born  
companies and individuals began profiting from  facilitating the payment of extortion demands  
whether it's legal or not in october 2020 the  united states department of treasury office of  
foreign asset control or ofac declared it illegal  to pay ransomware demand in some instances which  
are still vague however aside from ofac's ruling in the united states there's still no clear
guidance on paying ransom demands and according to experts it may actually be tax deductible
so you know we got that going for us so it's  it comes down to an ethical business reason  
basically and there's no guarantee of getting your data back we all heard about kaseya all right so
i'm just going to run through some big headlines on kaseya basically revil ransomware asked
70 million to decrypt all kaseya attack victims kaseya hacked by authentication
bypass it's actually a really good read cisa has come out with fbi guidance on dealing with
msps and their customers impacting the kaseya attack on the bad news side fake kaseya vsa
security update backdoors networks with cobalt strike so what's basically happening is there's
a fake fix out there agent revil unveiled in kaseya vsa ransomware attack so they
confirmed it's revil and uh lastly researchers uncovered the network infrastructure of revil
the notorious ransomware group that hit kaseya that's i guess the good news they've been able to
track everything back to a cl uh a cloud provider  in eastern europe so some little news qnap fixes  
critical bug in nas backup disaster recovery app uh check that one out and microsoft in the news
again three fixes or actually three problems  they they had a new print nightmare flaw they  
released a new there's a new cda though cve that  was identified they then pushed an emergency patch  
and then experts were able to bypass the emergency  patch so good luck with uh printing with microsoft  
with that i turn to lauro and the exploits since you saved uh microsoft the offensive child
for last i'll go ahead and um just go ahead and  lead with what i have today which is wordpress  
again uh this week so lots of lots of wordpress  plugins this month so if you're again if you're  
leveraging wordpress please be careful with the  plugins you're using we've got three this week  
the project and document manager has a remote code  execution bad bad bad news for this so if you're  
running that that project and document manager  plug-in make sure that you're you're updating  
that beyond 4-2 the other one is plainview activity monitor if you're running that wordpress
plug-in for monitoring activities there's a  remote code execution for that as well so make  
sure that you you've updated that beyond 2.0 and last but not least if you're running the wordpress
plug-in anti-malware security and brute force  firewall you are subject to directory traversal  
so again if you're playing with wordpress and  you you know you like being in that danger zone  
make sure you're updating your plugins because um that that anti-malware security and brute force firewall
up to 4.20 is vulnerable to that directory traversal and that is all i have this week turn back over to
you zach without talking about with microsoft or wordpress they ought to be sponsoring the podcast
that's what i was thinking i wouldn't want i mean  it just be like a dirty like getting sponsored by  
like a dirty cesspool of stuff terrible we don't  want to associate ourselves with that stuff  
but uh yeah i guess everybody has problems just  some have a lot more than others so if you're  
on wordpress just just don't just just get off  yeah it's like if you think it's just bad for  
you if you think it's if you think you've got it  bad just you know be glad you're not microsoft  
the wordpress right now yeah exactly i've had  wordpress like web developers tell me that you  
know web development marketing companies tell  me that oh it's the best thing ever no there's  
never any problems with it it's you know it's  great it's it's secure i've never heard anybody  
anybody's wordpress site going down but anyway  let's let's transition and we're kind of beating  
a dead horse at this point right want even more  cyber rants be sure to subscribe to the cyber  
rants podcast get your copy of our best-selling  book cyber rants on amazon today this podcast is  
brought to you by silent sector a firm dedicated  to building world-class cyber security programs  
for mid-market and emerging companies across the  us silent sector also provides industry-leading  
penetration tests and cyber risk assessments  visit and contact us today  
cyber risk assessments and what you need to know  about and that's what today is all about we want  
to take you through a bit of a process for for all  the the millions of listeners as we established uh  
i think on our previous episode i want  to just make sure that everybody is clear  
on what a cyber risk assessment is what's involved  in the process and and how to look at it cyber  
risk assessment we're going to differentiate  this for today's purposes we did a series on  
penetration testing previously we're talking about  cyber risk assessment in in the form of what we  
would call a framework risk assessment following  an industry recognized set of best practices and  
following more of a paper analysis through  reviews of documentation through interviews  
that sort of thing so that's the the the  lens in which we're looking through today  
and i say that because it's all over the board  with what the industry calls these different  
these different types of assessments right so  starting out and mike and lauro love to hear your  
take on this but you have you really have to have  to look at it in a couple different ways right the  
big question is why are we doing this are we doing  this because some client is telling us we have to  
um are we doing it for a certain  compliance requirement say nist 800 171  
or cmmc for the department of defense or do we  really want to know internally where our strengths  
and weaknesses and across our whole cyber security  cyber risk management program and so i would say
it's generally split you know we get a lot of  requests for risk assessments because they're  
being required by somebody by a client or  prospect of one of our clients and then we  
also have a lot of companies that are they truly  are being proactive and they're doing it because  
they're getting in the best practice of doing  this at least annually let's talk about picking  
a framework right and and i don't know what you  guys think but i i we get a lot of these companies  
they'll come to us and they say hey we had this  risk assessment done a cyber risk assessment and  
the company that did it they know they had their  own they had their own framework they had their  
own way of doing it it wasn't falling it wasn't  any industry standard and that that always makes  
me cringe you know i think you should really be following a a nist csf or cis controls or nist 800-53
or some some formal standard that's recognized  across the industry that's put together by  
a governing body of very smart people what do  you guys think yeah you shouldn't be using buy  
you bojack's security framework yeah don't  want to get paid framework make it up as we  
go um what do you think about uh so for the  companies that are they're coming to you what  
you know what would be your considerations if  they're saying well you know we've never done  
this before what framework should we choose for  our first risk assessment call it uh maybe it's  
a mid-market company between let's say somewhere  between a hundred and a thousand employees
well i mean my general go-to is either nist csf or cis so those are the two
that make the most sense to me because  they you can you can then step them into  
uh other frameworks you can go  from the csf to 171 alpha to 53 853  
or cis is pretty much sufficient in itself  it just doesn't have the name recognition  
for some reason as nist does probably because of the federal government attachment to nist
yeah yeah no great point and that's the  other thing is that kind of ask them is  
it what type of clients do you have what  type of customers do you have do you do  
business with you know the the industries  that that would better recognize nist as a  
as a as a governing framework or are you in  you know kind of a technology b2b industry  
where you know cis would you know not  only be applicable but probably be more  
known about than than in the government wings yeah  yeah i mean i agree the thing i like also about  
those is there the the way the the data rolls up between especially nist csf with your five
um major control categories um i think they do a  nice job of laying that out and cis does as well  
cis uh the latest version um 8.1 as of right  now they they really put a lot more emphasis on  
your um remote workforce so you know they  took all the lessons learned and things that  
companies were struggling with you know when covid hit and put that into the new
the new cis framework so i think that's beneficial  as well another thing to note there too is that um  
you know some of the these  are going to be more palatable  
for mid-market and emerging type companies  whereas a more sophisticated organization with say  
an in-house security department or at least a  fairly robust it department um something like  
nist 800-53 would would be more achievable for them but but that's a lot to bite off for a a
smaller organization by the way nist is national  institute of standards and technology and csf is  
a cyber security framework so you can google that  you can download the spreadsheets online and you  
can see exactly what we're talking about cis is  center for sorry center for internet security  
and then controls uh you can download from  their website as well the framework in the form  
of an excel spreadsheet and what you'll see is  it's really just a big list of things that you  
should have in place to be considered proactive  in your security program so for those people  
brand new to this stuff i wanted to give a give an  overview here so let's talk about scope a little  
bit so once we've picked a framework to run  with right and by the way we're talking about  
cyber risk assessment in the term of a of a  non-compliance related audit right so we're  
not talking about it in for pci or a soc 2 audit that's a that's a different topic altogether um
with with different auditors and all that so we'll  save that for another day we're talking about the  
things that you could even do yourself or bring  a third party in for a third party attestation  
of alignment so let's talk about scope what  what should an organization um do i mean other  
than you know doing the the risk assessment  across the entire company when would you  
suggest they they think about focus narrowing  the focus versus just doing it company-wide
well i'm always a proponent  of doing it company-wide so  
um i mean you can narrow the  the scope if you're doing like a  
business unit or a subsidiary but other than that  i mean with some of the small companies you just  
might as well do the whole thing it's my is my  belief i agree i agree i think i think we talked  
about this before too mike that you know it's okay  to probably scope things out initially so that you  
you're not overwhelmed with work yeah um but you  you need to i mean it's just it's ridiculous as an  
example i think so you know whether you go with  nist or cis they're going to require you to do  
continuous vulnerability scanning as an example  right we'll put one of the controls out so if you  
if you narrow the scope to just this one business  unit and you're trying to you know implement these  
control sets there and these these programmatic  continuous operationalized items that you're doing  
like vulnerability scanning it's ridiculous just  a vulnerability to run to implement vulnerability  
scanning just for one business unit right just  to say that one business unit is compliant  
but all of your other business units now they  have no vulnerability scanning of any kind  
you're not doing the same sort of threat awareness  or program management for the other sites so  
it overall you need like mike said you need to  work towards a holistic approach with a framework  
alignment it's okay to start small and not boil  the entire ocean at one time but you need to  
have that holistic goal in mind otherwise you'll  you'll find yourself in a place where you have  
very few places that are that are secured and and  running operationalized cybersecurity programs  
that are aligned to frameworks and the rest  of your business and and places will suffer  
yeah no i totally agree with that and the other  thing is that you know you got to focus on that  
that framework you got to focus on getting it done  because a 50 complete framework is just as useful  
as a zero percent framework because it all works  together yeah and these frameworks are going to  
give you programmatic tactics in in both documents  in process and in the technologies that you may  
need to either modify or implement this defense in depth strategy right so everything that the
framework is going to tell you to do is a good  it's a good thing to do in a mature cyber security  
program it's going to help reduce that risk for  the organization so that's why it's important  
to do the whole thing excellent point you know  another thing i'll touch on is rather than the ad  
hoc approach of make up cyber security as you go  if a breach occurs and you find yourself in court  
and the opposing counsel is asking well what was  your cyber security program based on and you say  
oh well we have some you know  smart techie people that are  
doing some cyber security stuff for us it's like  well no that's that's going to be considered  
negligence right versus if you're able to say  hey well we follow the csf uh framework we're  
you know 80 aligned this is this is where  we are on our plan of action and milestones  
they're going to say okay wow these this company  has their ducks in a row um they're not negligent  
they're actually making a valid effort day in and  day out to align to industry recognized standards  
that's going to hold up a lot better than saying  well we we made it up as we went so we aligned  
your runner we allowed to buy you bojack security  standard and down here that's just fine for us
we're gonna we're gonna we're  gonna patent that we're gonna  
create our trade market i should say make it our  own right well what we're seeing too is that um  
with the growth of the cyber security insurance  piece as i kind of alluded to in that one  
article was that insurance renewals are up  40 now because of all the hacks my assumption  
is they're going to start asking you to prove  that you have some kind of compliance in place  
in order to be insured they've been moving to this  for a while and i think this will finally take  
take root because these companies are going  to start seeing they're losing tons of money  
because these people aren't doing their job  i think they're going to treat it like health  
insurance right with this pre-qualified conditions  or you know what i mean like if you've got yeah if  
you've got certain certain things wrong with your  business they're going to say no thanks we're not  
going to insure you too high risk right yeah  and they do have the self the self attestations  
right that's what we see most commonly is  they send they their their questionnaires  
are getting more and more robust but i think  what they're going to i think it's going to be  
requiring either one of their own auditors to  come in um even for mid-market and emerging  
companies or a third party like us basically  giving a report um and an attestation letter  
showing the extent of alignment so i think you're  right and i also think cyber insurance is going  
to get a lot more expensive 1.79 million dollars  every minute from your article mike that's that's  
crazy that's just crazy unbelievable it's  staggering it shows where you know we are  
losing as a nation as a world we are losing the  fight against cyber crime and we're only making  
the the criminals more powerful so anyway i i  won't go down losing losing we haven't lost yet we  
forgot there's still a chance we're not we're  not um there needs to be a lot more done and  
um yeah a lot of a good thing you know a lot  of smart people are working to figure it out  
but um we we gotta look at ourselves and say you  know there's a lot we don't know um there's a long  
way to go here but um yeah i want to go back to  the self attestation piece real quick the last  
thing you want to do is ever lie on a self attestation or state you've got something that you're
implementing that you truly aren't because that  will blow up in your face with an insurance claim  
and then court really fast fraud it's fraud yeah  it's fraud if you try to use that as a method to  
to receive um a policy amount right that would  be due to you um through the insurance company  
yeah and that's you know that's the difference  i think between a civil you know fine and uh  
you know to quote the movie office space  federal pound me in the rear end prison  
i don't know if that's a direct direct  quote but for our uh under under 18 audience  
hello peter yeah what's happening  sometimes he's got a case of the mondays  
what the hell letter we need to do an episode on  office space one of these videos here right now  
i would correlate reality yeah i know i don't  let zach find me at friday afternoon afternoon
hello mike what's happening well hey uh after we  get so organization goes in they go they choose  
a framework they say okay well excellent makes  sense we're going to do this enterprise or cyber  
risk assessment across the entire organization  let's talk about what to expect in terms of  
that process what do they need for resources on  there and what is their involvement versus ours  
or you know an organizat and assessors  um i should say and then um what do they  
need you know to think about in terms of just  readiness and then and time requirements and such  
yeah i'll jump in so it's it's it's a pretty  seamless process right i mean i think the the  
first engagement pieces are going to be interview  based so you know you want to you want to have  
you know keep key individuals that are going to  be there to be able to answer questions about  
you know infrastructure process that sort of  thing that's going to happen any assessor is  
going to look and i think to prepare yourself  an assessor is going to look in three places to  
determine or ascertain whether or not you have a  control state in place so vulnerability scanning  
for example right we talked about that earlier so  if i'm trying to determine through the requirement  
if you've got vulnerability scanning in place  i'm going to interview them and i ask you right  
what you're doing i'm going to talk a little bit  maybe your it team about what technologies they're  
using to do this how often they're doing it and  then i'm also going to look at your documentation  
so there's always those three places we're  going to interview the human we're going to  
review the technologies and then we're going  to review the documentation and make sure that  
all three places hold um reasonable belief  right reasonable language and reasonable  
process that you're you've got those control that control in place is that is that too much zach
did you forget about the new cover  sheets on the tps reports exactly yeah  
no that's that's a great point the the three you  know it's it's the triple whammy it's it's a you  
know people your your documented processes and  then the technical review right uh for for the  
various controls um so that's important for people  to understand that they need to have those things  
in place and it goes back to our previous rants  about documentation and you document what you  
do right and do what you do i love reading it  yeah especially mike loves reading documentation  
so he only probably reads about seven thousand  pages a week i hear i hear that mike's gotten  
really good i heard that mike you got real  good at reading documentation through teary
eyes i know i have well so so you know so good  point on the so basically a series of interviews  
set up meetings uh at the frequency that your  organization can uh allocate the appropriate  
people right and so most of them will require your  your technical resources heads of i.t and such for  
certain scenarios they may need to get information  from leadership or access to other other data or  
documents or whatever but for the most part i  think we can usually work with the kind of the  
the lead you know technical individuals within the  organization that kind of know where everything  
is yeah and yeah they can answer the questions and  the other thing zach just to jump in here plan for  
plan for somewhere between four and four and  eight hours to go through the interview process  
for a framework assessment right depending  on how complicated the organization is  
yeah and if if you want to make it all on once  or on a saturday um you know mike i know you love  
that too so yeah that's my favorite thing but uh  but yeah break it up break it up over a few weeks
uh you know one thing to bring back too is during  these assessments i i think there's a lot of  
people that bundle up a lot of fear and they're  like oh my god i don't want to know how bad we  
are in reality a lot of the companies we find  when we go through them they're between 60 and 70  
compliant just by doing what you oh yeah that's  true they are they really are they've got a lot  
more going from them than they think they do  yeah um the biggest thing they're usually always  
missing is documentation yeah would you agree i  would concur yeah and the the other thing that  
i see is that a lot of times you know you get six  months into these projects and we tell them it's  
gonna take 18 to 24 months and people were like well why aren't we got more done because because
you guys aren't doing the work so you have to  be committed to doing the work and that's that's  
there's only so much a consulting company can  do because some of this internal processing has  
to come from you we can't do it all they can yeah  anybody that tells you they can build their your  
security program in a bubble and you don't need  to be involved you're not you're not getting a  
secure you're not securing your organization just  flat out unfortunately it doesn't oh jack security  
we could a company like ours could  take a lot of the heavy lifting off  
provide a lot of the guidance right shorten this  shorten the timeline tremendously and do it right  
the first time but you have to be involved right  just the fact back of the business but um well  
i feel better now knowing that most companies are  60 to 70 percent aligned a little good uh warm and  
fuzzy there so now when we go through the process  um interviews looking at documentation technical  
reviews all that stuff is done we go back and put  a full very robust report together um many many  
many many pages long and um so excellent reading  material our reports are the best we're told um  
so that actually at least the first the first  uh section that most people read is uh is uh  
should be captivating you should enjoy it and  um you know you probably want to probably want  
to share it with the the other interested parties  in your organization keep it internal but once you  
have that um you understand where the gaps are so  let's talk about prioritizing and remedying what  
do you do after you have this risk assessment that says you're 65 in alignment with nist csf
after you drink a bottle of  scotch and cry yourself to death  
yeah then you gain some composure and  you you either you either ask us for  
the road map right for a roadmap for  prioritization or you try to prioritize  
what you've done on your own and what  i like to tell organizations is that  
like mike was was stating earlier a lot of  organizations have things that are really close  
so take care of the short the short ones first  right things that like you've got you know maybe  
you've got a company handbook and you need to  add some language to empower the acceptable  
use policy within it right or maybe you just need to create a separate acceptable use policy
just get it done and knock it out it doesn't need  to be fancy there's no right or wrong way to write  
documentation okay what's important is it comes  on company letterhead it's approved language for  
the organization okay that's the simplest way that  i can put it as long as your leadership approves  
a language legal is a proven language and you  can send it out to your humans to read it that's  
good that's all we care about right that's all  any assessors should care about they shouldn't  
nitpick your language it needs to be impactful and  enforceable um but take care of those quick wins  
first and then there's going to be some items  that come out of this that may require you to  
make major configuration changes or even purchase  technologies and implement those technology yeah  
you know the the best thing about having a road  map right whether you get professionals to come  
in and build that plan out for you or you do  it yourself having that road map and that clear  
plan of action and milestones forward that's going  to make a tremendous amount of difference because  
now the whole organization leadership everybody  sees on paper where they're headed usually over  
the next next 12 to 24 months what needs  to be done what needs to be in place so  
it becomes a very measurable process right  so it's not it's no longer kind of a fly  
by night approach make it up as you go now  you have the plan everybody's everybody's  
signed off on it and then you understand from  there also what type of resources you need to  
allocate in order to get an alignment and  really really move forward now i will say  
that it's rare that any company is going to have  a hundred percent of the controls in place ever  
right they're going to be justifications around  them reasons why compensating controls whatever  
wherever it might be but the important thing  is that you are you are striving to attain uh  
alignment with a recognized framework and and uh  that roadmap will help get you there yeah well  
um and i think that you can also you have those  accountabilities too because there's going to be  
line items in that roadmap that you know you  as the leader may not be accomplishing right  
it may be you know individuals in your it teams  and you'll want to have those but but being able  
to look at that plan and say you know these are  the 15 or 20 things i need to check off in order  
to get compliant will help you know not only  drive that process but but also give you that  
you know that 30 000 foot view of clarity  and say you know we're almost done here  
right and but you know of course i think that's the other point to make zach is that once once you
once we go down this road right and we've  done the interviews and you've gotten the  
road map and you're working towards implementing  these things you know you have to realize that  
i've been telling clients this that these are  forever machines right you don't you don't go  
down a a cis 8.1 control framework one time when  you when you become compliant you're putting  
these programs and processes in place they are  forever machines they're going to last and become  
a inaugural part of the business from from you  know the point until the business is no more yeah
yeah that's excellent point i mean that is  your that is your ongoing your foundation of  
the security program so uh and then once you have  that also it becomes like we've said in previous  
previous podcasts it becomes much easier to cover  down on other requirements that might come up  
i know you mentioned this earlier mike but you  know any any other compliance requirements or  
if you need to switch over and map to another  framework you know again they're they're saying  
95 percent of the exact same thing just laid out  in different ways um so it's just a matter of  
mapping between them so don't get caught up too  early on on picking the exact perfect framework  
right there are some excellent ones to start with  and you need to start somewhere so it's better to  
do something a little more palatable and then grow  rather than trying to bite off too much but well i  
hope this helped everybody i hope people that are  diving into the cyber risk assessment world for  
the first time um gain some gain some insight  here and reach out if you have any questions  
anything like that but before we go mike lauro any  final comments thoughts rants office space quotes  
anything nothing well thank you everybody for  joining us uh subscribe to the podcast if you  
haven't already check out the book on amazon we  talk a lot about risk assessments we dive into  
pen tests and we dive into all the foundational  requirements for a cyber security program all that  
good stuff and reach out uh  there's a little web form there let us know what  
you want us to talk about on future episodes or  reach out on linkedin and uh let us know there  
so thanks everyone and fill out and fill out  your tps reports yes with the right cover sheet  
please with the right cover sheet hawaiian shirt  day on friday yes yes so yeah i'm gonna please  
please well thanks everyone on fridays don't  take my stapler and we'll see you next week