Redefining CyberSecurity

The Evolution from Governance, Risk & Compliance to Cyber Risk Governance | A Conversation with John Sapp | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity, host Sean Martin and his guest, John Sapp, navigate the complex terrain of cyber risk governance and the concept of cyber risk as a product.

Episode Notes

Guest: John Sapp, VP, Information Security & CISO at Texas Mutual Insurance Company [@texasmutual]

On Linkedin | https://www.linkedin.com/in/johnbsappjr/

On Twitter | https://www.twitter.com/czarofcyber

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of Redefining Cybersecurity, hosted by Sean Martin, listeners are invited to explore the complex landscape of cyber risk governance. John Sapp, a seasoned professional in risk management, emphasizes the importance of defining cyber risk from the perspective of various executives. The CIO, CFO, COO, and general counsel each own different aspects of risk within an organization, and understanding their perspectives is key to effective risk management.

The conversation takes an intriguing turn as John introduces the concept of approaching cyber risk governance as a product. This involves understanding the desired outcomes, defining the requirements, and creating personas for different stakeholders. The aim is to develop a common pane of glass, a unified perspective through which each persona can access near real-time information to make informed decisions.

John also underscores the importance of presenting information to various stakeholders, including the board and cyber insurance carriers, in a way that demonstrates the strength of the organization's cyber risk program. This approach has tangible benefits, such as a reduction in cyber insurance premiums based on the strength of the cyber risk program.

The episode concludes with a discussion on the importance of collective decision-making in managing cyber risk. John emphasizes that it's not about presenting some information and giving somebody responsibility to make a decision, but rather about presenting information in different ways to all the different personas to spur a conversation so that the team can determine the best path forward.

This episode is a must-listen for anyone interested in understanding how to approach cyber risk governance in a way that is both effective and efficient. It provides valuable insights into how to manage risk in an ever-evolving digital world.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________


____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello, everybody. You're very welcome to a new episode of Redefining CyberSecurity here on the ITSPmagazine Podcast Network. This is Sean Martin, your host, where I get to talk about all kinds of cool things related to protecting the business and helping it, uh, hopefully generate revenue, not just protect the revenue that they create.
 

And, uh, I truly believe as security professionals, we have, we have a role to play in, in helping the business define itself, uh, to operate accurately, functionally proper, if you will, uh, in, in the, uh, in the industries within which they play. So, um, today it's a topic that I absolutely love. Many people probably think I'm crazy for loving risk management, but, uh, That's the topic. 
 

We're going to look at the broader GRC space today, and I'm thrilled to have a good, good friend on again. We met a number of years ago. We've had a few conversations. John Sapp, pleasure to have you on the show again.
 

[00:01:03] John Sapp: Sean, thank you. It's always a pleasure to join you, and we've had a lot of great conversations over the years and looking forward to having another one.
 

[00:01:12] Sean Martin: Absolutely, and it seems, and you will get into kind of your journey a bit, but it seems a lot of our conversations have been rooted in risk and connected to insurance in some fashion, be it health insurance, early days, or just general insurance in early days, and then, and then cyber insurance at some point.
 

[00:01:34] John Sapp: Yeah, you know, it makes me think about September 2008. Not that I remember it exactly, but, um, it was an episode or an, uh, an article in, uh, Information Security Magazine back then, and it was, uh, about, it was, uh, it was on GRC, and actually I got, uh, uh, I got it posted up on the wall back there behind me, the copy of the article, and, and we were talking about GRC, and that was during the heyday of GRC and ITGRC and EGRC.
 

And so what I want to do today in today's conversation is, I've trademarked a phrase that we are turning GRC around. So when you think about the letters GRC, governance, risk and compliance, there's, I have a different view of it today, which everyone is talking about, but it's cyber risk governance. So when you turn GRC around, those letters, you get CRG.
 

And that is Cyber Risk Governance. And that's what we're going to dive into today.  
 

[00:02:37] Sean Martin: You've made your own Rubik's cube of risk management there, John. I love it. Well, for those who haven't had the pleasure of meeting and, and, uh, hearing who you are, maybe a few words about some of the things you've done in the past.
 

Um, I don't know if you want to tie that article in what prompted that article and some of the things you've done kind of leading up to today. I think that'd be super helpful.  
 

[00:03:01] John Sapp: Yeah, absolutely. So, um, back in 2006, I was at McKesson and after, uh, you know, about 15 years of doing, uh, application development realized I needed to transition my career and, uh, had the opportunity of working with. 
 

Um, at, at McKesson they were establishing a, an IT risk management function. And so that became where I transitioned into, uh, took the CISSP and also, uh, acquired the CGEIT, uh, Certified in Governance of Enterprise IT, and CRISC and, and a few other certifications to establish some level of, uh, credibility, if you will, uh, to enter the space.
 

And actually in 2008, as we were building that organization out, I had the opportunity to pick my title, and at that time, I recall Apple having advertised for a senior, um, GRC consultant, so I included the, you know, GRC in my title and was tagged a senior consultant of governance, risk, and compliance at McKesson at that time.
 

And that led to an article, um, as we were implementing ITGRC capabilities in the organization. And my career has continued to evolve from there, getting more into, uh, roles that, um, you know, you, you mentioned, uh, at, at the top of the, the podcast that, you know, hopefully security could generate revenue instead of just protect it. 
 

And that's actually one of the things that me and my team did is we converted our call center into a profit center at, at, at McKesson, because we were able to take technologies like encryption and DLP and other things, because you had HIPAA was, had, had become, uh, very, very, uh, prevalent at the time. And folks are trying to figure out that, you know, some of the smaller practices and organizations, how do they do that? 
 

So we turned around and took the capabilities that we had implemented and turned it into a product that could be included with an order of, you know, their, their software and services. So I've continued to evolve that into a few different CISO roles, medical device companies and financial services. And now again, back in the financial services, uh, I had a stint in retail along the way, but, um, you know, so right now, um, CISO here at Texas Mutual Insurance Company, where I've, uh, worked to build out the program and evolve it and really pursue the org, one of the organization's top priorities, and that is improving our security posture.
 

[00:05:46] Sean Martin: I love that, John. And I think what I want to touch on here is the, because you've, you've had, and we're going to get into the topic in more detail driven by an event that you spoke at, but you've been in a number of different industries, and I'm curious if

different types of organizations do or should or shouldn't approach risk from a different perspective. The insurance, financial services, retail, healthcare, device builders, um, clearly they all have different things they worry about, but I'm wondering, does that mean they have to approach risk differently as well?
 

[00:06:31] John Sapp: Yeah, you know, it's a great question and one that I love having a discussion around, and I think the, the answer is they should, the approach is the same, although the, the, the data elements are different because it will produce information that will drive the risk based decision. And, and that's the key to me is that it's all about, um, the collection,

uh, aggregation, correlation, deduplication, normalization, prioritization, and visualization of that information in order to make that risk based decision. And I know all the Seans, I heard. Yeah. It's always at the top of my mind, Sean. And you know, when you think about it, it's, it's a data, it's, it's a problem that needs data to solve it.
 

And it's how you structure and organize that data will, will be the key to what decision needs to be made. And, you know, we, we've touched on, uh, you know, over the course of some of our conversations about, you know, this new SEC governance, uh, requirement for reporting cyber risk, uh, how cyber risk is being managed, cyber risk governance,

materiality of, you know, incidents, and so that investors and the like have visibility into what's happening in an organization. And I look at it this way. CISOs, we don't make the decision about materiality. That's the number one thing I would say to a CISO is don't think that you own the responsibility for making a determination about materiality.
 

That belongs to the chief risk officer, to the, uh, general counsel, uh, counsel's office, to the CEO, and it's all about providing information, you know, from the security standpoint, we are providers of that information because we deploy a variety of security technologies to gather data to help us detect an attack and to prevent an attack or to protect us against an attack if, if one is successful, um, you know, so it is about how effective and efficient are we at doing that?
 

And taking that information and putting it into, um, a language that has business risk context for, uh, the folks I say up, down and across. So up to the C level and the board of directors so that they can understand it, because what you want to do is be able to paint the picture about the effectiveness and efficiency of your cyber risk management activities in financial terms, because that's what they absolutely understand. 
 

No, um, translation needed. You know, but then you think about down to, and that's helping them understand the risk and impact to the business if an attack is successful. So they can make decisions about the investments that we are asking for from a, from a CISO perspective. And it, it helps to justify those investments. 
 

But then you think about when you say, okay, well down, what do we mean by down? Well, it's down to the operational and technical level. The folks that are responsible for identifying, detecting, and remediating those vulnerabilities or the misconfigurations or the things that could be the, uh, the entry point for an attack. 
 

And then across, that is that middle layer where you have management both from the IT functions as well as the business functions, and providing a level of visibility that helps them understand: are the people down at the operational technical level working on the right things based on priority and those risk based decisions that are being made at a management level or at an executive level, and making sure that everyone's on the same page.

And that's the, the elusive alignment that we've been pursuing forever, it seems like.
 

[00:10:31] Sean Martin: So does your, cause I, I'm going to get to, uh, the, uh, presentation that you made at, uh, Planet CyberSec. And, um, so it was all around cyber risk governance. You've, you've changed the, uh, the order there, I noticed. And the first thing that you, or one of the key takeaways is defining what that is. 
 

Um, and I'm wondering, by changing the letters, do we have to then redefine what we're looking at? Um, because you just talked about having a common, common view and everybody being on the same page. To me, that starts with understanding, well, what is it we're trying to tackle? So that, that definition. So do we need to redefine it?
 

And if so, how do you?  
 

[00:11:19] John Sapp: Well, I don't know that we're redefining GRC, but what we are doing is bringing clarity and definition to cyber risk governance and what it is, as it, how does it roll up into a GRC program? Because unfortunately, what a lot of folks think about when you say GRC, you know, and I get calls all the time and emails from vendors, you know, asking, Hey, do you have a GRC platform? 
 

Well, GRC is not about a platform. The tool is just a mechanism to achieve the outcomes and the values that you're in pursuit of. So what we're doing is we're defining those outcomes and we're defining that value, and then we're identifying how we're going to achieve it and, and developing it, and it's really taking more of a product management approach to it and building a program using a product management methodology to it.
 

So you, you have your, your, your MVP, that minimum viable product, is a capability that allows me to understand what are the areas of risk that I'm, what are the areas of the business that are at risk to a cyber attack, and cyber risk governance and cyber risk management is a component of cyber risk governance that is part of your broader enterprise governance, risk and compliance or your enterprise risk management function.
 

And so, you know, we, we have an ERM function here and I've been, uh, members of ERM functions at a number of different organizations. And, you know, the CISO generally owns the responsibility of reporting risk as relates to, uh, cyber, but also the risk, uh, the IT risk, even though we often report to the CIO, the CIO can't define it.
 

And we are better, we are best suited and situated to be able to provide the information to frame up that risk. And while the CIO owns IT risk, it's making them aware of what that IT risk is. And in today's world, we are, it's a digital world. There is no turning back, right? You know, everything we do, you know, as much as we were five to seven years ago, talking about the move to the cloud. 
 

And do you do it? Do you not do it? You know, people go into the cloud and then reverting back to on prem. Well, now it's, you know, SaaS has taken over the world and, you know, the majority of organizations, SaaS solutions are, uh, are what drive their business or what, uh, when, when you look at it, I think there was some Gartner research that says that, um, 60 percent of, uh, of an organization's employee uses 42 different SaaS solutions.
 

And so there is risk associated with that, but it is defining it so that we can align with, um, from an executive level. CIO owns IT risk, make sure that they see the picture from their perspective and what impact a, you know, disruption in the IT systems would have on the business. CFO owns financial risk, making sure they understand that what those risks are in the other areas that could produce financial risk and impact the company.
 

Same for COO and operational risk, general counsel for legal and compliance risk and things along that line. So it is, I think it's establishing an explicit definition of what is cyber risk, how do we govern it, which in governance is about visibility to manage the risk that we've identified and that we are prioritizing and for a risk based decision.
 

[00:14:54] Sean Martin: Yeah. Visibility and authenticity as well. I want to, um, integrity, I'm sure, is in there as well. I want to pick on this a little bit, 'cause I, you, you piqued my interest with, uh, this whole notion of building a product, because what I, what I hear when I talk to folks is that programs are generally driven by compliance or some event, or they recognize the need.
 

So they turn to a vendor who presumably has the problem solved through their tools. So they just adopt the tool and try to cram it into their, their operations, or they select a framework or multiple frameworks and try to use that to figure out the big picture, and then, and then find a tool that supports the frameworks they have selected and cram it into their operations. What you described, and I don't know how much you want to share on this.
 

I'm happy to listen. I'm sure the audience would love to hear it as well. How you approach this from a product perspective, that doesn't say the product doesn't have a requirement to leverage a framework, to use a tool or tools, but approaching it from that perspective, for, I've been a product manager for decades.
 

Um, so those requirements, the MVP, the minimum viable product, uh, is an important piece. Tell, tell us a little bit about that. Cause I think that's super cool and interesting.  
 

[00:16:22] John Sapp: Yeah. So, you know, as, as you know, with, with product management, it's about knowing and understanding what is the outcome you're trying to achieve. 
 

You know, it's, there's a vision. So usually you've got a vision frame of some sort that outlines what that vision is. So I've outlined and built out a vision for cyber risk governance. What is it? What does it seek to achieve? What are the outcomes that we're looking to gain from it? And not just from the CISO perspective, but from, you know, up to the C level board, operational technical folks and management alike, it's about understanding. 
 

What are the requirements from those, and what product, you create personas, right? And so those, those folks that I just described, there's a persona for them. And so now that you have that, you know what it is each one of those personas would like to get out of it. So you have conversations with board members and with folks who are, who perform vulnerability management detection and who run and manage security technologies, because

they often have to provide some level of metrics and reporting up to their management that shows how good they are at doing their job, or how strong is the security posture and all those things. And at the management level, they've got a view of what they need to see, whether it's monthly reporting, quarterly reporting, things of that nature, and, and what are the requirements they have that they're trying to meet.
 

Those become requirements as part of building out this product approach. And, you know, there, there isn't a given product on the market, uh, today and not a single product anyway. And, you know, we've heard for decades, people talk about, or at least for the last decade and a half or two, um, single pane of glass. 
 

I'm not trying to create a single pane of glass. Uh, when I, when I talk about this, it's about developing a common pane of glass, one through which each one of those personas can look at this, this pane of glass and get the information they need that is near real time. So that, because the, the, the, the threat landscape is ever evolving, the attacks more, you know, almost, you know, minute by minute.
 

And it's how, how quickly are we able to respond to that based on the information we have? Because that, our priorities have to change based on the change in the threat landscape. And so in order to do that, you have to have information that is accurate to be able to make a decision to, to adjust those priorities.
 

So it's, it's really, as, as you think about product, it's the outcomes, the values, uh, the requirements and the personas, and to be able to deliver that because we were talking about the, I've worked in retail manufacturing. Uh, telecom, uh, health insurance, uh, health software, uh, you, you name it, uh, you know, hospitality, retail, and yes, they, they all manage their business, business very differently. 
 

Their margins are very different. But the problem is the same across whatever the industry is, you know, JBS manufacturing learned that, uh, not that long ago that, you know, nobody is safe. Nobody's under the radar. They're, they're a meat packing plant. Why would anybody want to attack them? Well, attackers don't care. 
 

It's about what can they gain by disrupting, uh, a business. And, you know, it's, it's about them achieving their, their motives and they move on to the next, but it is, how do we present the information so that folks can make consistent and accurate decisions that, that they can defend with? Because when we, you know, again, whether, whether you're subject to, subjective, subjected to the SEC governance regulations or not, you still should prepare an effective, a cyber risk governance approach

that achieves the same things that they're asking you to be able to present. And that is just as effective to your board as it is to your cyber insurance carrier. You know, we've, we achieved this year, uh, 10 percent reduction in, in our, uh, cyber insurance premium, based on the strength of our cyber risk program, how well we identify risk, how we're managing it, but just being able to demonstrate

to that carrier that we know what our risk is. So don't lump us in with general financial services or insurance. We're different. And here's why.
 

[00:21:02] Sean Martin: Yeah. And I've heard, I've heard, uh, many stories actually where, yes, a premium reduction. Thank you. Right. But also coverage, uh, uh, increase in the policy. So you actually have better protections if something does happen, presuming that it won't.
 

There's a bit of a gamble there.  
 

[00:21:22] John Sapp: Yeah. And, you know, it's, we, we're able to get a premium reduction while retaining the maximum level of coverage, and that to me is one of those values that I can identify as, by achieving effective cyber risk governance and the supporting cyber risk management capability within it.
 

Those are some of the things that the value that you get out of it.  
 

[00:21:43] Sean Martin: I want to talk to you about what I'm picturing. This is the easy button that I think a lot of, I'm sorry if I generalize a lot here, but I talk to a lot of people, the easy button of, all right, we have a program. We put a tool together.
 

We run these reports and generate this thing and we make some decisions. Maybe that's possible. Um, but what I want to get to is this idea that, and you mentioned it earlier, the CISO doesn't own this, right? Um, and a single pane of glass might try to put everything in a single way for everybody to view the same way.
 

But I believe, and I'm interested in your thoughts on this, that it's not about presenting some information and giving somebody the responsibility to make a decision. I believe that there's a need to present information in different ways to all the different personas to spur a conversation. So that the team, however many people it is, whomever's involved, different things, different risks might include different folks, but that the group determines the best path forward, because I've had some conversations this week around creating a business and building products, and you might have a great idea.
 

You take it step one, step two, step three. And then somebody says, yeah, but as soon as we reach step four, we're off the cliff. All right. We got to back it up, right? And yeah, that's a conversation. And if somebody makes all those decisions on their own and doesn't recognize that step four is the cliff, um, you can very well end up at step four and not realize it. 
 

[00:23:28] John Sapp: Well, that, well, you're, you're, you're spot on. Number one is that it's about getting all of the data together and aligned so that you can have a conversation and express why a, one risk is greater than the other or why it's a risk at all.
 

Because some folks may not understand it to be a risk. They think, oh, well, you know what, from a risk standpoint, you know, our risk is low there, so I don't really, you know, I'm not really worried about that. The conversation does need to happen across those different levels, and, you know, it starts with a conversation.
 

I think that the information starts the conversation at the operational technical level. And, you know, part of it is technical folks having to continue to evolve their ability to put things into business risk context. Because that's where the conversation goes then with the management layer. Because now you have to have that management layer understand why it's a risk, what the impact could be, and, and again, a decision is not being made there. 
 

So it's almost, it is a bit of a bottom up approach in that starting with the data that's at the very bottom of this and starting to summarize that in a way that you can have the conversations as you go up the ladder. And be able to, uh, then drive that conversation. But then when you get to the top of the ladder, because, you know, we all, even at, you know, a CISO level, or even, you know, at, you know, CIO or some of those other levels, they don't make those decisions unilaterally or, or, um, on their own, there's a conversation to be had with, um, an enterprise risk management group to understand, okay, so what it, what should the decision be based on the information that's been provided? 
 

And, and that's just it, it does require conversations at all three of those levels that we've talked about in order to reach that decision, because now everyone is involved in the decision. Everyone understands why that decision was made. So now if something occurs, you don't have to worry about, Oh, we got to get our story together before, um, the time expires and we have to get this to a regulator. 
 

And give them what we know, because now what you've built is a system and a capability that keeps everyone informed. So now it's everyone's in the loop at the time that something occurs, or at the time something is discovered that is of concern so that decisions can be made. And now you, you don't, um, you don't end up with the unfortunate situation of, of like a SolarWinds right now.
 

You know, Tim Brown is a friend that lives here in the Austin area. And, you know, I've seen him around and, you know, we, we all feel terrible about what's happening to him right now. And, you know, being, you know, suggested that, you know, there was fraud in some way or whatever it may be. And, you know, so now we're all, uh, at least from, in the CISO, uh, circles, we're all trying to figure out, okay, Hey, how do I protect myself, but. 
 

We can't get caught up in, in a CYA type approach because we're hired to protect the organization. And so we have to continue to press forward in those conversations to, to drive that decision making and inform for those decision makers for those decisions to be made so that now we can all protect ourselves as best we can, and we can at least prove that we applied. 
 

[00:27:12] Sean Martin: Yeah. And I had the pleasure of speaking with Joe Sullivan, uh, former Uber CISO, was convicted as well. And he and I talked about icing the roll, where if, if you're afraid to do your job or if it becomes about CYA, you're not really doing it properly, as you just described. Right. Um, and it, it, it, that connects to what I was thinking about earlier as well.
 

Um, in terms of my experience presenting to the board is presenting or even, even, even the executive leadership team. It's come in, take your 5 minutes. You have 10, but you're only going to get 5, right? Show us your deck. We want to get to the last slide. Because that's the one that everybody wants to see.
 

Forget about the previous slides and, yes, there might be some conversation, but not a real discussion. Um, yeah. So have, have you seen a shift where, or have you seen a way that those conversations or discussions take place outside of the presentation? Um, I'm just wondering, are we doing any better there?
 

[00:28:25] John Sapp: Yeah. You know, what you just described, I, I think still got a long way to go. Because it, it is still very much a put together a deck, um, to your point, you, you get 10 minutes, but it ends up being a seven minute conversation at best, um, unless you've, uh, got a board that's comprised of someone who has a specific interest in, in technology and cyber and, and really is looking to understand it because it's, I think part of the concern is as CISOs, we don't, we, we report into another C level. 
 

So I don't, I don't think we are, we, we have this, the same level of accountability as the upper C levels, but we don't have the same opportunity as the upper C levels. And therefore it's sometimes your, your message gets filtered, and, you know, so it's someone who wants to, whoever you're reporting into may want to see that presentation and, and tweak it to, um, what the perception of the audience is, and, and then, you know, so now you've, you've stuck, the message has started to be filtered.
 

It's not the impact that you want, because it's the concern is, you don't want to, you don't want to rock the boat. Well, we, we have to rock the boat and we have to push for that message to be delivered unfiltered and to encourage a conversation. And the way I like to put together my presentations is to, and in a way that it, it sparks the conversation and it creates the conversations. 
 

And I've, I've had really great success here, um, over the last two and a half years here, because it's become conversations. You know, I've had the, uh, opportunity to not just present at the audit committee, but at the full board meeting and, and that turned into, you know, lots of great conversations and they're, they're very interested in, in the roadmap and the path, uh, in terms of where I say we are in maturity today

and where we're going and why we're trying to achieve that particular level. So it's, it's about really taking, taking hold of it and saying, you know, to whoever it is you're reporting to, we need to educate our board. It's, it's not enough for us to wait for them to find someone who is educated on, on the matter or to, uh, get a CISO on, on a board.
 

It is to whoever is there, let's educate them. Let's, let's not tiptoe around the subject, but let's pursue educating and teaching.  
 

[00:31:08] Sean Martin: Yeah, and I think, uh, you talked about user personas, guess what those personas are? 
 

These people, they have absolutely, they have a, a character in these stories. We didn't touch on user stories, but you have a user persona or a persona that, guess what, they're, they're part of the story. If you can help connect, connect their mind to, Hey, I'm part of this story, you have a much better chance of having a more meaningful conversation. John, I could talk to you for hours, um, about the whole product thing. Maybe we, we have another chat digging deeper into that because I, I love that kind of stuff. I want to give you a moment, uh, to maybe share some thoughts on what folks can expect from you. 
 

December 6th is, uh, is the Layer 8 Masters Planet Cybersec CISO forum that you're speaking at. Um, what, uh, what can folks expect to hear from you there?  
 

[00:32:03] John Sapp: Well, you know, I, I will say this, they can expect to hear a very impassioned talk, uh, about cyber risk governance, but it's, I'm, I'm not doing it to just, uh, to, to talk and to, uh, stand up in front of people, but it's, I want a conversation. 
 

It's going to be a very interactive discussion. Um, you know, the key takeaways are, are really just a framework for the conversation and the types of things that I want, uh, folks to come and be prepared to participate in a, in a discussion around, because I, you know, I certainly have, have, uh, my, my viewpoints and my thoughts and nobody's ever accused me of being short on words, but I'm there also to be an active listener and to see how, what can I take away from it to be able to continue to evolve this, this product idea and, and, and really make it more about a revolution than an evolution, because I think there, there needs to be a, a, you know, we, we've been trying to get to these, you know, a set of what do you report to the board and how do you report it and all that. And, you know, that those topics are everywhere. 
 

It was, uh, that was one of the topics at AWS re:Invent this week. You know, every, every conference you go to, somebody's talking about how to report to the board, how to talk to the board. Well, this is helping to, I, I want people to be prepared to expand that conversation because, you know, not everybody gets an opportunity to talk to the board, but being prepared on how to prepare information for that level, but also the other levels that you do interact with on a daily, weekly, or monthly basis. 
 

Mm-Hmm.  
 

[00:33:46] Sean Martin: Yeah. And I, I, I'd love this idea of the product. I mean, the word program is in security programs. So I think generally we, we look at things like my, my, my brain looks like a program. I have a Gantt chart stamped in the back of my brain, but, uh, so it's easy to look at things as a program, maybe a little out of most folks' comfort zone to look at things as a product. 
 

Um, and I, I'm, I'm really intrigued by this. I'm excited to hear, hopefully you'll be back. We can talk more about that and I'm excited to hear what people, uh, say and, and take away from you when you, when you chat with him about this, uh, in La Jolla. Um, yeah, it's always great, John, to catch up with you and, uh, appreciate you thinking like this and getting people to help think differently, uh, for their own, their own CISO role and the security program in their organization.  
 

[00:34:42] John Sapp: Absolutely. Sean, as always, it's great talking to you, um, thoroughly enjoy the conversation and, uh, I'm, I'm always available to, to come back and continue the conversation as, as this, uh, evolves. 
 

[00:34:56] Sean Martin: Love it. All right, John. Thanks again. And thanks, everybody, for listening and watching. I'm pretty certain you took something, something fun and cool and meaningful away from this conversation. I certainly did. And we'll include links to a post that prompted this conversation, which also happens to be a link to John's presentation at the conference and, of course, ways to get in touch with John there as well. 
 

So thanks, everybody, for watching and listening. Be sure to subscribe, share with your friends and enemies, and we'll see you on the next one. Thanks again, John.  
 

[00:35:35] John Sapp: All right.  
 

Thanks, John, greatly appreciate it.