In this episode, Brian Penders, Chief Information Security Officer, at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician in the US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.

Time Stamps

02:24 — Take us behind the scenes and share some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?

09:02 -- Let me first focus on that high-reliability, organizational culture that was established in the US nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?

16:08 — Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?

19:34 — Research finds that in general, organizations don't do a very good job of rehearsing their incident response plan, sometimes they don't even have a good plan in place. Brian, as a practitioner, what's feasible and what's ideal?

21:36 — Is it fair to assume that institutions are rehearsing how to recover from a ransomware attack?

22:20 -- Is this rehearsal of proactively or reactively, responding to ransomware attacks, taking place at only certain levels, and not at all organizational levels?

23:48 -- So moving on to cybersecurity governance, best practices, there are several out there, would you like to highlight a few that you are really big on?

27:03 -- What's the reality around passwordless authentication?

28:58 -- I'd like to give you the opportunity to share some final thoughts with the listeners.

Memorable Brian Penders Quotes/Statements

"The Navy taught me how to learn, and that was more valuable to me at the time than anything I learned about nuclear engineering."

"Incident response is really a great way to learn the environment and build partnerships across an organization."

"The Navy taught me how to learn. The way admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward."

"If I had 30 seconds with a group, I would tell them to keep their software updated."

"We need to get out of the business of the shared secret. Passwordless authentication is the new and up-and-coming defense to credential theft."

"We have found that folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem-solvers. They're able to see the big picture, and they're excellent communicators, all amazing skills."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies, and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast series. Today, I have as my guest, Brian Penders, Chief

Information Security Officer of the School of Medicine at the

University of North Carolina, Chapel Hill. I had the pleasure

of meeting Brian at a cybersecurity conference hosted

by UNC's World View program. And I really enjoyed his

presentation. So I felt that all of you would enjoy hearing what

Brian has to share by way of his experiences and perspectives in

cybersecurity. While I was learning about Brian, the

professional, I was super intrigued by his background, he

has a very interesting journey that began in law enforcement.

In fact, it began in the US Nuclear Navy. And today, he is a

senior information security governance officer, a leader.

It's a fascinating story, a story that he needs to share

himself, not me on his behalf. But bottom line, it's a great

honor and a privilege to have Brian on the show today. Brian,

welcome!

Thank you, Dave. It's great to be here. I really

appreciate the invite. And yes, it was. It was great meeting you

at the conference and having lunch and getting to know each

other.

It really was. So Brian, as I just

mentioned in my intro, you have a very interesting professional

background, you worked as a lab technician in the US Navy

Nuclear Submarine for six years, then you were a law enforcement

officer for 15 years before transitioning to incident

response and digital forensics. And now you are the chief

information security officer at UNC School of Medicine. Wow,

what a journey! Take us behind the scenes and share with us

some highlights. What were the drivers? What were the

motivators? What can listeners take away from your experience?

Yes, happy to do so. I know, you know many people

in the cybersecurity field as I do, I've been amazed at the

different backgrounds of these professionals, particularly

security leaders, I'm not sure if it's true in other fields,

but vast differences, no two are the same. And I love reading

about about background of these folks. And mine was like many

people in this field, I didn't think about getting into

cybersecurity way back. It was something where I wanted to I

when I was in college, I took liberal arts and humanities

courses. And I was interested in science, but I more read about

science on my own. I you know, didn't really do well in science

courses in universities, because it seemed a bit more a bit

abstract to me. And so after college, my father and my few

uncles were veterans, so that influence may. And so I went

into this program, I did some research, and I wanted to do

some traveling and really get into something that was

challenging academically and to serve served my country. And so

I looked into this program and went into the six year tour for

this naval nuclear propulsion. The first two years is in

schools, engineering schools, very challenging curriculums and

then went to my duty station, which was a fast attack

submarine out of Pearl Harbor. Hawaii. Wow. Very difficult

duty. Yeah, a gorgeous place to live no doubt but very difficult

duty, was at sea quite a bit. And the work life balance was

tough. That's why I can't really recommend this path, I should

say because some of these positions were very tough on on

the home life, as you can understand. So after the

military, I had an interest in law enforcement and you know,

people were scratching their heads. Why didn't you use this

training? Why didn't you get into civilian nuclear power. And

you know, I didn't really have an interest. And for me, and we

will talk about this a bit more later, for me, it was about the

Navy taught me how to learn. And that was more valuable to me at

the time than anything I learned about nuclear engineering. And

so that's really threaded through a lot of this journey.

And so I went and applied for and got a position with the

Vermont State Police after that, and like, like most like every

other person, you do patrol work for several years. And then I

did some executive protection with the governor's security

unit. And then I started to get the itch for technology and

something a little more intense and some training. And at first,

I looked at a polygraph examiner position, because that had

significant training, and was pretty complex and difficult job

that didn't work out. And then a Computer Crimes Unit position

opened up a very small unit. And keep in mind, this is in 2007,

which is when the iPhone came out. So this is when everybody

had computers at home. Everybody's got cell phones with

them. And as you can imagine, every crime just about had a had

a digital component to it. Huge demand for for expertise in this

area. So I was fortunate. And you and I talked about this

school last time we spoke to be able to go to this amazing

facility down in Hoover, Alabama, that's called the

National Computer forensics Institute, NCFI. It's literally

for state and local law enforcement to learn digital

forensics and prosecutors. It's run by the Department of

Homeland Security. The first course I was there for a total

of 11 weeks. The first course is five weeks where you learn from

the ground up about how computers work, how networks

operate, and then you get into forensic software and doing

forensic exams and writing reports. And then the great

thing about it is you go back to your department, with the

equipment and the software to get going from day one. And so

anyway, those first few years were were I can't say enough

about how steep learning curve was. And my biggest takeaway

from this position that I brought to North Carolina was

there's nothing more terrifying preparing for a trial where the

stakes are high. These are many of our victims were children,

heinous crimes, you need to get this right. And so it was a lot

of, you know, checking and double checking in reaching out

to anybody I could. To make sure I got this right, I needed to be

able to present data to an older jury, because I think keeping my

Vermont as an older state juries are older, a lot of them were

not familiar with technology, and then also be technical

enough so that the defense examiner, the defense attorney,

who also has a defense forensic examiner, you can survive that

cross examination. So it was really a way to not only learn

the material, but how do I document it? How do I present

this to different audiences. That was a really great takeaway

from me, when I moved on from Vermont to down here in North

Carolina, we had, we had wanted to move south for a couple of

years. And I wanted to stay in the field. But I didn't put the

work cases were pretty heavy and stressful. And so my wife had

always worked in higher education. So I had an interest

in trying to work at a university and this worked out

at Chapel Hill, like you said, I came down into a digital

forensics incident response team lead role, and I really found a

home here and it, there's, you know, I was, you know, one

flight of stairs away from experts in storage, and servers

and emails, Splunk pretty much everything. And incident

response is a really great way to learn and environment and

build partnerships across an organization. And then after

five years there, this position opened up in School of Medicine,

where I could do security more across across the board. And

it's been great. I've been here almost four years. So that's

kind of the journey in a nutshell.

Fascinating. Thank you for your service. I

have many former students who have been in the nuclear navy

vessels, and I've heard a lot of stories. So hats off to you

guys. I believe the training, the expectations are quite

steep. And it really gets everything out of you. So So

yes, you know, we all have our journeys. They're almost meant

to be and we learn. So this is fabulous that I'm able to talk

to you. The US Nuclear Navy Propulsion Program, which

Admiral Hyman Rickover launched, he's considered the founding

father. There was an article written about the culture that

he established, which enabled the program to avoid

catastrophic losses for a long period of time. And this culture

that Admiral Rickover established is characterized by

five or six principles. such as integrity, depth of knowledge,

procedural compliance, forceful backup, questioning attitude,

and formality in communications. So when I was reading this

article about the culture that he had established, and I was

learning about these principles, it dawned on me that why don't

we apply those principles in the private sector in the context of

cybersecurity governance, and try to execute them as best as

we can, as they did, or as they do in the nuclear Navy world.

And we in the private sector will do a lot better. So that

was almost the start of my journey into cybersecurity

research. And in fact that that framework helped me develop my

cybersecurity, holistic governance framework, which is

in my book. So I'm so glad that you are here, Brian, to talk to

us about your variety of experiences. But let me first

focus on that high-reliability, organizational culture that was

established in the US nuclear Navy, and you have lived in that

culture. Share a bit about what it is like and what could be

some takeaways that are relatable or applicable in the

world of cybersecurity governance?

Yes, I'll be honest, I had not really thought

about tying these principles to my current role until we spoke

about this. And you're right, these. First of all, it's

probably the least talked about success story. As you know,

this, the Nuclear Propulsion Program that was that began with

Admiral Rickover. And we're talking about this is now 40

years after he retired, and this program is still going strong,

as you said, accident free. It's really incredible. But you're

right, these principles could probably apply to many

industries, but they certainly can for this field. And I would

like to touch on a couple things that were a part of Admiral

Rickover principles and, and that I saw in my experience

there that I've that have stayed with me. One of them is depth of

knowledge. That is one thing that I mentioned, the Navy

taught me how to learn the way that Admiral Rickover thought

through individuals gaining technical knowledge was really

amazing it was it was based on if you could not draw and

explain something to a group of experts sufficiently, then you

are not going to move forward. And this is everything from the

micro to the macro, this is this could be drawn explain a

particular valve and up to a system, and then how systems

work together or an evolution like an engine room startup,

talk us through that. And that stays the same not just in the

two years of school. But when you get to your duty station,

you really are just beginning your training, it doesn't end

fact, I think I thought through all of the oral boards that I

went through before I was fully qualified as a essentially a

junior person in the engineering department and it was around 10.

Those are formal ones. That is something that I think he

doesn't want, he wanted you to move away from memorization to

understand, once you understand there was no need to memorize.

But that was a big one. And the other was his focus generally

just on people, I think he was the first military person to

this is post-WW II. So he's trying to move away from the

brawny warrior type to the thoughtful engineer type. I

don't think anyone had done that before. And how rank actually

took a backseat to knowledge. Many people may not know this,

when you stand a watch on a submarine, you may outrank

administratively people on that watch, and it seemed to work.

When you got off watch you were back in your administrative

rank. You didn't have as many privileges as that person but on

watch if, if you proved your superior knowledge and qualify

that watch station, you were over them operationally. So that

was that's fascinating. And then, lastly, another thing he

talked about was a preoccupation with failure, thinking about

failure, and this is where in cybersecurity, you get to this

idea of assume breach, and really zero-Trust is based on

having a failure already. So and then, you know, he stressed

people before the idea of people, process, and technology,

which we know today is very important in that order. And he

really stressed that early on.

Sure, sure. I'd like to share something that

was shared by one of my former students, and he said Dr.

Chatterjee in the nuclear Navy vessel when we were given a

command to do something we were required to repeat the command

verbatim, before we executed. And he said, it kind of felt

really awkward. We felt like we are really dumb people, as if we

don't follow, but you realized how much importance and emphasis

was given to communication accuracy, communication

integrity, and that stayed with me as well. When you talk about

cybersecurity governance, and you know it better than anybody

else, because you do it for a living, a lot of it is

communication, but effective communication. And one of the

hallmarks of effective communication is when if you are

communicating something, there has to be a mechanism whereby

you know, that your communication is being received

appropriately. And how do you do that? So that was one way of

doing it is just tell me what I told you. And now that you've

told me what I've told you, and I believe you get it, now go

ahead and execute it. I think that's fabulous.

I agree. 100%, it takes out of the equation, one

error that could be costly, for sure. Yeah,

exactly. Let's switch gears a little bit,

you are managing the security environment in a medical school

at a large institution, a very reputed medical school. That's

quite the responsibility. I've had CISOs on my podcast, who've

talked about the various challenges that academic

institutions face, and they have shared solutions, best

practices. There are many units within an academic institution,

and you focus on a particular unit, the medical school, are

there any unique challenges that medical school faces compared to

the other units? And if so, how do you go about dealing with

them?

Yes, there are. And there's a couple I'd like to

talk about. One is really true for all Health Affairs schools.

And it's something that a lot of people don't think about. And it

has to do with something simple that there are high earners in

Health Affairs. And what this means is, we're targeted for a

lot of these, what I'll call money grab type scams and

attacks. So specifically, years ago, there was a phishing

campaign around stealing W2s for tax fraud purposes, and a large

percentage of those accounts were from the School of

Medicine. Other attacks involving social engineering to

get into retirement accounts, we get, I think, we get a large

portion of the tech support scams, which really try to get a

credit card number, get a credit card number from a

doctor, it's different from others, and also just

credentials, or medical email credentials are more valuable,

frankly, on the dark web to sell. So that's something that

we talk to right from when students get here all the way

through is be careful, you may be caught up in this. And

honestly, those are really have really been the root cause for

our incidents that involve regulated data PHI, because

there really isn't an interest in the PHI. But because these

attacks happen, there may be an email, an exposure of email that

contains regulated data. So it's a real headache. It's very risky

for us. So we try to talk to our users, our faculty, staff and

students about that. The second big category is really around

governance risk. There's, if you can imagine the Venn diagram,

the School of Medicine is one of the HIPAA covered components of

the university. But we are also tied to UNC Health, our partners

there, and that's by statute, the Dean of the School of

Medicine is also the CEO of UNC Health. We are separate legal

organizations, but we share our clinical faculty. You're a

faculty members. Well, Dr. Chatterjee. So you know, as a

faculty member, you want to be available to people, you want

your work to be known. You want people to be able to get in

touch with you. And it's particularly easy in that

regard, because we're a public university. And when you add the

fact that these are also our clinicians who are working with

regulated data, they're doing research that involves health

information. It's very challenging when you get that

mix together. It takes a lot of communication with our faculty

to understand the differences and to be able to work with our

partners and UNC Health to make sure that there aren't any gaps

there that could expose data. So those are the two two big

differences here in School of Medicine.

Yeah, thanks for sharing. I'll take

this opportunity to share with the listeners some common

cybersecurity challenges that plague educational institutions.

I talked about these in my talk at UNC where I met Brian. One of

the challenges is dealing with legacy systems, numerous remote

endpoint devices is another challenge, securing students

student body lack of incident response plans, no budget line

item for cybersecurity. yhat's more true for the community

colleges difficulty keeping up with emerging threats. And

finally, the ability to hire and retain staff because

cybersecurity jobs can be exciting, but they can also

cause burnouts. So there can be a high turnover. You emphasize

incident response plans, and research finds that in general,

organizations don't do a very good job of rehearsing their

incident response plan, sometimes they don't even have a

good plan in place. I'm not going to ask you to speak

specifically to your organization. But generically,

Brian, as a practitioner, what's feasible and what's ideal? Yeah,

it's a good question. And you're right,

these things can slip away as everyone gets busy. But but

they're very important. I think the trick is to not think you

have to go to the nth degree with this, you know, ideally, we

would have something that involve the entire university,

UNC Health School of Medicine, and we would get all get

together, you don't have to go right there, you could just do

something as simple as when you actually have an incident, you

can actually use that as an example of checking it against

your plans. And when we work with third parties, that's their

recommendation to you know, take advantage when things come in to

run through your plan. And then honestly, working with third

parties to help with tabletops. And reviewing Incident Response

Plans, I think is is a great way to go that, you know, they can

provide some great expertise, they can sort of sit from the

outside and tell you what how you're doing and the direction

you need to go.

Okay, good to know ransomware attacks are a

threat to all organizations, academic institutions are no

exception. In fact, they are being hit very heavily. So is it

fair to assume that institutions engage in rehearsing how to

recover from a ransomware attack?

Yes, I think it's done under the umbrella of

disaster recovery generally, which isn't really specific to

ransomware, you usually your infrastructure teams are in

charge of developing your business continuity and disaster

recovery plans. And they periodically do test restores of

systems that would help with ransomware incident or after it.

Okay, that's good to know as well. So

as a faculty member, we get communication from the

Technology Office, the Security Office, from time to time, I

don't recollect any communication or guidance, where

they are proactively preparing us from a ransomware attack that

could freeze our systems, compromise our data. So what I'm

trying to understand is this rehearsal of proactively or

reactively, responding to ransomware attacks, is this

rehearsal taking place at a certain level, and not at all

levels. What would be, I'm just trying to get a better sense,

from your perspective,

right? It wouldn't be something that would

rise to the user level, it could certainly be an attack and

certainly start there. But it'd be more about when a ransomware

actors are looking at a large organization, they're not as

focused on doing a whole lot with individual users

workstations, they're going to use that as possibly an entry

point. But it would be taking some time using different

malware to move across an organization to get to something

that they want could be domain controllers, or could be bigger

servers and storage arrays, something that can really hamper

the organization such that a payment would be feasible, it

wouldn't be something that a user would really get involved

with in terms of testing those programs.

So moving on to cybersecurity governance,

best practices, there are several out there, would you

like to highlight a few that you are really big on?

Yes, I mean, considering I mentioned, we've,

we've had some incidents with phishing and social engineering,

our best practices, the last couple of years have focused in

those areas in what I'll call a good better best type scenario,

where in terms of, let's say passwords, we talked to our

users about strong and unique passwords. Now, some of their

university accounts are automatically done, but their

own accounts. And we focus on things like think about your

primary personal email account, and how important that is. You

need a strong and unique password. And you need multi

factor authentication, because that could be the key to all of

your other accounts, least the ones that don't have multi

factor authentication. And beyond that, we say now look at

your finance, banking, retirement, and then look at

your social media. And then if you can, make sure you do that

for all them, use passphrases and a lot of those general

password guidance but lay lately because of the nuances of the

attacks, especially in terms of multifactor workarounds, our

exact playbooks of guidance don't really work with our

users. So we've been talking to them about this idea of having

situational awareness in terms of are you already logged in,

you are going to you may get an email, you should look to see if

is an external from an external source. And if there is a link

there, and if there is you should have, you should be very

careful about that link. And if you do, click the link, and

you're asked to log in, why would you need to login. And so

we use two different MFA solutions here, but the one we

use for Microsoft, they should not have to log in as you know,

when you log in, you get a session token, it should last a

while. So you should really think through why you're being

asked to put your credentials in here. Because some of the ones

we've seen have been this attack where there's a credential turn

around where attackers take the credentials in real time log in,

and that will generate a push. So the advice to our users to

only accept push notifications that they expect, doesn't work,

because they did expect one. So that's when we have had to back

up and talk to them about situational awareness. So those

are some of the big ones around passwords and MFA, and the other

one is updating software, I'll say if I had 30 seconds with a

group, I would tell them to keep their software updated. And what

we're talking to our users about is they don't really know a lot

about the software release cycles and how the software is

likely a combination of security updates and new features. Our

users get lulled into thinking that it's only new features. And

they, you know, hit remind me tomorrow, and they don't quite

understand that the updates are security patches for the

previous update. And so again, it's a good better best, we

don't expect everyone to stop what they're doing. People are

busy, but we say as soon as possible. But if you can, within

a couple of weeks, get that new software installed, you're going

to have the security updates that you need. So those are just

a few of the big ones we've been talking about.

Absolutely makes sense. I'd like to react

to a couple of things. When you mentioned multifactor

authentication. Recently, I did an episode on multifactor

authentication fatigue, and that the guest was talking about how

developers detest having to authenticate time and again,

when they're working on 50 different applications that

they're having to go back and forth. And then there are human

beings who are also at times unwilling to have it have to

authenticate every time they are having to log into a system. I

will I will admit that initially, I belonged to that

camp. But I've changed since because I now recognize how

important that security feature is. I also wonder about these

passwords, you know, we're tired of remembering passwords, tired,

tired of trying to save passwords, password protection

managers don't work, they get hacked. We hear about them all

the time. So there's a huge push towards passwordless

authentication, I guess curious, what are your thoughts? What's

the reality around password less authentication?

when I think about the big defenses that have

come out around identity, certainly MFA years ago was one

and I think we're on the cusp of another with web auth. And and

using biometrics on your system to prevent this idea of a shared

secret, right, we need to get out of the business of the

shared secret. And so UNC is moving to offering passwordless

authentication this year, we have a strategy to roll it out.

And I think it's going to be well received. And we'll see how

it goes. But this is going to be attackers will pivot it'll be

they may go back to malware, or they may, you know, use malware

to grab session tokens. And so there might be a new thing. But

this I think is a big new defense to credential theft.

Excellent. Wonderful. So Brian, we are kind

of coming towards the end of our episode here. I wish we could

continue the conversation, but we will have to wrap it up. So

I'd like to give you the opportunity to share some final

thoughts with the listeners.

Yeah, I just wanted to spend a few minutes

talking a little bit about building teams. You and I

discussed this a bit. Last time we talked some of the things

that we look for in terms of when we're looking at someone

from IT, who's interested in coming to cyber security. We

look at Service Desk experience system and server administrators

and developers. But it's also important we have found in

addition to traditional diversity, diversity of

background, we have found that our folks from liberal arts and

humanities hat can be extremely valuable to supplement and

sometimes lead our cybersecurity teams. I'm generalizing but

they're good problem solvers. They're able to see the big

picture and they're excellent communicators, all amazing

skills. And if they have a propensity and an interest in

being technical, that just makes it all the better. And then the

other thing is for any folks who are trying to, to get into

cybersecurity, it can be really hard. It's easy for us to say,

well, you know, just take an entry level IT job and move from

there. But that's not feasible for some people. And so the only

advice I have is to bug your IT teams wherever you are. And if

you're in IT, bug, your security team, I'm, I'm surprised more

people don't come and talk to us just knock on our door and say,

can you tell us what you do? Show me, show me some of the

things that you all do. So I know a lot of my colleagues

would welcome would welcome that. So just a few tips for

anyone looking to get into cyber

fantastic. In fact, I'd like to reiterate

what you just said that even if you coming from a non technical

background, and there is no reason to shy away from a field

like cybersecurity because the field could benefit from people

bringing in different perspectives, different

expertise. And there are numerous instances of people

with liberal arts degrees. I had a subject matter expert on

another episode, she has a PhD in philosophy, phenomenology was

was the focus of her dissertation. She's a real

techie, she assessed cybersecurity technologies for

the government. So there's nothing that you can't learn,

even if you didn't have the traditional technical training

or technical foundation, it's all a matter of interest and

willing to be curious and being willing to adapt. So I think

there are several other skill sets that come into play,

Brian's own journey, where he himself mentioned coming from a

liberal arts background and how he literally stumbled into these

roles, and then he grew with them. I'm sure he'll be the

first person to agree that he didn't envision himself doing

what he is doing today, when he got out of college with a

liberal arts degree. So do keep that in mind. For those of you

who are aspiring to pursue a career in cybersecurity and

you're sitting on the sidelines, wondering if that would be a

good career move or not, I think it'll be a great career move.

More importantly, there is also the opportunity to secure the

enterprise secure the nation, there is the other aspect to

this job. That makes it very noble. I want to take this

opportunity to thank all the cybersecurity professionals out

there who do this job and they often are never recognized. They

do it behind the scenes. The purpose of podcasts like mine,

is to try to bring them out of their cubicles and share with

the world the realities behind cybersecurity governance, and

all the great things they do. So, Brian, thank you again for

your time. It has been a real pleasure.

Thank you very much. I enjoyed the

conversation.

A special thanks to Brian Penders for his

time and insights. If you liked what you heard, please leave the

podcast a rating and share it with your network. Also

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.