Brian: For years I was fixing people's computers and doing things on the side, which was, you know, some of the things that gave me passion and made me want to grow. So, if you were ever... you know, and I'm gonna say to any listener out there listening, you know, if you feel you can't get into this, you know, you can, I'm gonna say. Anybody can get into this. These are fields that you can still learn. And if you don't have the degree, you can always get it. And, you know, it all depends on what you wanna do. Don't ever feel that you're not capable of just going that route.
Caroline: From Cobalt at Home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. My name is Caroline Wong, and I've got two good friends here with me today on the podcast, Brian Camponatti and Sanjay Deo. Brian is an IT Executive and Strategist with over 15 years of experience in system infrastructure, security compliance, vendor management, and service management. Brian combines deep technical expertise with a strong service management focus. Sanjay Deo is the President and Founder of 24By7Security, Inc. Sanjay holds a master's degree in computer science from Texas A&M. He is a CISSP, Healthcare Information Security and Privacy Practitioner, HCISPP, CISA, and PCI QSA, all of these acronyms. Sanjay is also a co-chair on the CISO Council and Technology Sector Chief at FBI InfraGard South Florida Chapter. Welcome. Welcome, and thank you both so much for joining me.
Sanjay: Thank you, Caroline. Glad to be here.
Brian: Thank you.
Caroline: So, how is it that you two know each other?
Sanjay: That's a long story, started somewhere. You know, whatever happened in cyber stays in cyber. So, we're gonna leave it at that, but we met six years ago. It was a good, good meeting. And we became good friends and we've been through a lot, thick and thin, you know. Friendship is defined when you're in the trenches and you have each other's backs and that's what happened to us in the last 24 to 48 months. So, it's been a good run. It's been a good run. What do you think, Brian?
Brian: I would say so. I would say so. We have done many good things for the organization and the industry, I think. I think we've spent quite a...we've had an interesting journey and I think the journey continues, you know, as they say. But I can say me and Sanjay, you know, six years ago we had a meeting and we started looking at...I think it all started with a gap assessment, I believe. And, you know, we were trying to see where we are. We were looking at maturity models and trying to see where our current stand was for where we're moving and the current organization I'm at. And we were trying to see how we're gonna get to the next level. And I think, you know, just going into that, I think it's something that many organizations are going through right now, right? Everybody feels they're strong on the technical side or so they think, and many people are not heavily focused on other aspects of the organization when it comes to policy procedures, the administrative side, that a lot of people don't really like to look at.
And I think that's where me and Sanjay came into play because not only are you trying to keep, you know, let's just say the bad guys out, you also need to keep it jotted down and documented of how you're keeping them out, because in the end, you know, you might have to stand up in front of somebody and say what was done? How was it done? What policies we had in play? What procedures were done? Sometimes I know during...and I'm gonna say from somebody who is in the trenches and, you know, I really enjoyed them, you sometimes don't look that way, right? We all are so focused on the big new brands and the new technology out there. Sometimes we forget just about the simple stuff that needs to be done.
Caroline: Yeah. I think there's a lot to be said for getting the fundamentals right, and I think that's easier said than done. Now, it's clear to me that both of you...each of you wear a lot of different hats, and one hat that I'd like to kind of pick up and explore a little bit has to do with ransomware. Ransomware is the hot topic recently. And my understanding is that sometimes when folks find themselves in a terrifying situation and don't know what to do, sometimes what they do is they call you. I'd love to hear a little bit about some of your experiences, and hear some of your thoughts on the current state of ransomware.
Sanjay: So, I tell them to take a deep breath because, you know, in my mind it's like if they already have been infected with a ransomware, it's too late, but there is a whole process, right? So, steps and questions that ensue from when they tell me there's a ransom where I say, "Do you have cyber insurance? Do you have good backups?" You know, so with those two, you start to define what the next steps are. If they have good cyber insurance, you know, get them to call their cyber insurance company as soon as possible, make sure that they open a case, make sure they understand, and also get to know the scope. Is the insurance company gonna provide an outside counsel, a breach coach, a forensics company, a crisis management and PR company? Will the cyber insurance company take care of the Bitcoin wallet? So, those are some of the things that ensue immediately.
And then on the other side, on the technical side, you're talking to them and their IT folks and their infrastructure folks, and their server folks, "Hey, do you guys have good backups? When were the last good backups taken? How soon can the company be brought up?" I think some of those things happen when the call comes in. But now what we have learned over the last 24 months of being in this day in and day out, we are aggressively following up with our customers to do cybersecurity incident response tabletop exercises. Fast spreading ransomware, and things like that, you know, have you spoken to your cyber insurance company? Do you know if the MFAs are on?
So, the tabletop exercise from a proactive perspective has become very important. You know, we must have done probably 20 tabletop exercises in the last 60 days. It's like three to four tabletop exercises per day and with different departments. So, IT department, security department, operations call center, because how they react, what they communicate, what they're understanding varies from department to department, user by user, how it impacts them. So, that's basically, what I think, you know, we are starting to move from reactive and trying to coach our clients to be proactive and be ready because guess what, it's gonna happen. So, let's practice for what we are gonna do when it happens, right?
As Vince Lombardi says, "It's not practice. It's perfect practice makes perfect." And that's what we are preaching to our clients. It's like, let's write the policy, write the procedure, create the tabletop exercise, coordinate with your cyber insurance company, get to know who to call from a cell phone perspective of the lawyer who's gonna help us, get to know who the forensics company is, what tools and technologies do the company uses so that you can start to synchronize your internal IT with the forensics and the incident and response guys. So that when this happens, it is like we have seen this before, we have done it, no need to panic, let's get on with business.
Caroline: Awesome. I am so happy actually to hear that you have been doing so many tabletop exercises and really driving the industry in that direction. I think it's almost perfect in terms of the arc of our conversation topics here, that Brian started out saying, "Look, there's a technology component and there's a policy and procedure component." And then Sanjay, you say the first two questions you ask folks are, what about the backups? That's the technology component. And what about the cyber insurance? And Sanjay, if you don't mind me asking, when you ask that question, how many folks that you speak to have cyber insurance? And how many folks that you speak to have properly working backups? And you don't have to answer. This podcast is a safe place where I don't want to out anyone.
Sanjay: No, no, no. So, I can share with you from a statistical perspective, right? So, over the last 24 months, we have handled about 20 incident response, cyber incident cases. Some were malware, some were ransomware. And out of the 20, I would say only two of them did not have cyber insurance or did not know what cyber insurance was. But that was about 18 months ago. I think the industry, the communication has matured that now almost every company that I work with has cyber insurance. So, that's the answer to your first question. The second one is how many of them had good backups? I would say 40% had good backups, 60% had bad backups or no backups.
Caroline: Yeah, yeah. That unfortunately does not surprise me. And I think it's because, you know, when a technologist wakes up in the morning and thinks to themselves, "What am I excited about today?" You know, the answer's not always, "I'm gonna make sure these backups are working. You know, I'm gonna test these backups." That's not necessarily the fun or exciting or flashy thing to be working on. Sanjay, thank you so much for sharing some of your perspective. I have about 1 million more questions that I wanna ask about this. And first I wanna ask Brian. Brian, what does this ransomware thing look like to you?
Brian: And I was gonna just jump into right now when you were asking about the backups that one of the biggest things that I've seen is not that a lot of people don't have backups. It's they're not thinking that their backups are gonna get wiped during the event. And, you know, you'd be surprised how many other technologists I've spoken to in companies that have, you know, reached out and saying, "Brian, have you seen this happen?" And, you know, most vendors require a service account. And these service accounts, if they're compromised, just like your user, they get access to your backups many times and they will wipe your backups. You know, it is part of their scripting and their attack, you know, the attack procedures that they follow, they will try to impact your backups. They want you to pay that ransom. They don't want you to be able to restore. And the crazy thing is a lot of people have backups and they do testing, but they don't think about what happens if I lose my backups, right? So, you know, highly, you know, a lot of companies, are looking now and I highly recommend it, a lot of people are moving into a zero trust model of everybody is considered a threat at this point, even your own people. And, you know, I think you acting that way and treating the system that way kind of helps you from a backup perspective. That's one thing I would like to, you know, to definitely, you know, stress.
Caroline: So, let's talk about that, actually. Let's talk about zero trust. Brian, what does zero trust mean to you?
Brian: So, zero trust to me is...and I'm gonna more or less say, you're treating everyone in your organization as a possible threat, in my opinion. I'm treating it as you could be...today you do have access to my system, you're going to try to access the system. You're gonna have to verify who you are at all times. It's no more based on, "Hey, I just have a password I'm gonna log in." No. You're gonna have to verify and, you know, kind of show that you're the person that is allowed to access this system. Sometimes I've seen different systems that even have...and, you know, I just gotta think about this, but sometimes it's more or less like, hey, it even asks you at certain times you can log in, who's logging in? Can you verify by an MFA? It's almost like not using passwords at all and you just have to prove who you are every time. Think about it like a credit check nowadays, right? Do you know a lot of times the answers for the credit check, but they're randomly picking up crazy things? "Hey, what color car do you drive?" This is that zero trust model that they don't believe. The system does not believe who you are and you need to prove yourself.
Sanjay: That's a great simple answer. I think I love that. Do not trust any object, right? So, user accessing a resource or an object, they both have to authenticate ID to each other, authenticate to each other before they can access and talk to each other. I think that's a very simple thing. So, I think, Brian that was a great simplified answer. I know it can get pretty complicated, you know, with encryption and all those kind of things but I think that's what the industry needs because now you can't trust anybody, right? If a payload has a packet in it that's claiming to be a tested packet, how do you trust that packet? Right? If it's trying to access a different resource or a different database. And so zero trust I think is sort of going to start to solve some of the problems that we are having in the industry.
Caroline: So, question for you, guys, because to me, it makes sense, you know, and I have a funny analogy, which is if you're familiar with the movie "Home Alone," there's a little boy, his family leaves for vacation without him, he's alone in the house, and there are some burglars who break into his house and the kid acts accordingly. He assumes that his house is compromised and he acts accordingly. So, I have this joke that I think a little bit, you know, Macaulay Culkin and "Home Alone," this is like a zero trust thing. But tell me for an organization who's thinking, "Oh, should I, should I learn more about zero trust? Should I consider rearchitecting my environment to accommodate this idea?" What are the pros and cons of zero trust? How should folks be thinking through this decision-making process?
Sanjay: So, for moving towards zero trust, companies and CIOs and CISOs, they'll have to get very disciplined. Lots of companies have flat networks, lots of companies don't know how many assets they have, lots of companies have never taken an inventory or are not very sure how many assets they have. I think, you know, in my mind, wherever I've been involved with zero trust it's a step-by-step long process. It's a very disciplined process. You need to get to know your infrastructure. You need to get to know all your users, where are the users coming from? How many users do we have? What are they accessing? And so, that's basically, for me, what starts the whole zero trust journey. And it's a long journey, trust me. It's very expensive and it's long.
Caroline: So, Sanjay, I have a follow-up question before...I really wanna hear what Brian has to say as well. So, asset inventory. To me, it's this interesting thing in a way it sounds simple, right? If I have house plants and I wanna keep these house plants alive, I have to know which house plants I have, I have to know where they are, I have to know what sort of watering and, you know, care and sunshine schedule they need, you know. But as technologists, it's like we don't even know where our plants are. How can we possibly take care of our house plants if we don't even know that they exist, or that I am responsible for them? Why is this such a hard thing to do?
Sanjay: You know, it's mind-boggling. It sounds very simple and every framework, every cybersecurity strategy, all stems from the basic, do you have a good inventory of your hardware and software? Software, I can still understand it's difficult, but hardware. I believe and again, nothing against corporate IT, and Brian, don't take it the wrong way. I believe...
Brian: Never will. Never will.
Sanjay: ...the IT departments make it very difficult for themselves. I've seen IT departments that have one, two, three, four different asset management inventories going and they can't reconcile them. And I ask them, "Hey, why do you have four?" "Oh, you know, one is from a security perspective. One is from..." I'm like, you know, just throw everything out and pick one and try to reconcile just one of these that does a good set of inventory of all. How many laptops, how many desktops, how many printers, how many routers, how many switches do you have? That's it. It's very simple. But, you know, I don't know, some folks want to reconcile, "Hey, I don't trust this. So, I'm gonna bring one more." And I have no idea why. So, I'm gonna shut up because I don't know where this, you know, where this podcast is going to go. And I don't want some of my customers to listen to, you know, my rant. So, I'm gonna say...
Caroline: We're not trying to get anyone in trouble here. However, we wanna acknowledge the real problems, right? We wanna acknowledge the real pain points. We wanna have compassion for these folks, right? This is not a blame game. This is not saying, "Hey, you should have been looking after your house plants better." This is saying like, why is this so hard? Because it is. It is hard. And it is hard across the board. It is not hard because you did something wrong. It is hard because of the organic nature of how hardware and software accumulates and how technical debt is a real thing. Brian, what do you think about all this?
Brian: So, as I put my weapons away so I don't have to go after Sanjay, I will say from the operations perspective. There's a lot of tools out there and I'm gonna say not all of them do it well. And this is what happens and I'm gonna say it's asset management paralysis. We start looking at how we're going to track every system out there, and we start focusing on technology. And we put behind us, sometimes we forget about the basic principles of any inventory, right? You need to have a few things, serial numbers, device location. And we start focusing on the technology and then the technology doesn't meet our requirements. And instead of looking at the root problem, we start focusing on the next technology. It's the same thing that happens with everything. We don't look at the current problem and say, how can we solve it? We just start throwing software at it or applica... you know, any type of something new and what the other person is doing instead of saying, "What's our root problem? Hey, we're not capturing monitors." Why can't you capture a monitor? Well, because you can't install an agent on it. That's interesting.
So, you know, these are the little things that sometimes we go when we're looking at it and you start seeing the challenges in corporate IT and even in security. You know, you kind of look at it and go, why did they get to that level? You know, I can tell you instantly right off the top of my head, "Hey, you know, I have 4,000 or 5,000 nodes on my system, just in my environment, just from looking at my MDM solution." But sometimes if they tell you, how many monitors do you have out there? What if we're doing...how many, Brian, how many scanners do you have out there? Hey, you know, there's no real asset, there's no agent on there. So then you kind of pause back and then you start scratching your head on how I'm gonna run reports and do this. And it becomes challenging. And then everybody gets frustrated and it stays. And I'm gonna say sometimes that's where the problems are, that we focus so much on the technology that we forget none of these, let's just say these agencies or these requirements, say how you have to track them. They just say they need to be tracked, right? And for you as a good security person, you need to know what you have from a sec ops perspective, you know, from an administrative perspective.
So, a lot of the times I think our challenges come down to not really looking at the real problem and then looking...and sometimes looking at the problem and saying, "Man, this is gonna take months." And then you freeze. And then Sanjay walks in there and goes, "Can I get that asset inventory?" And you look at him and go, "Well, I can give you, 80%," right? I mean, what do you mean? And then, you know, and it becomes that. And this is that difference that I always say when I put on a security hat or I put on an operations hat, it looks very... you know, you kind of look at it from different perspectives and I'm not gonna say you're wrong, but I get it. We're all going through a lot. We all have a million things on our plate. You know, knowing that you have an asset sitting in the, you know, on the back corner of the office is not something you really wanna care about from an IT perspective. But from a security perspective, you need to know it's there because when it's not on that back corner, you wanna go, "Where did my plant go?"
Caroline: Yeah. You know, guys, I wanna first just acknowledge how innate this is to you, what strong practitioners you are, the fact that you've been through this over and over again. You're helping people to solve these problems. Now, I wanna actually take the conversation in a different direction and ask you a little bit about yourselves and about your stories. You know, our listeners are here and probably thinking to themselves, "Wow, you know, Brian and Sanjay, these guys, they really know what they're doing and I appreciate, you know, their efforts and what they're trying to do to help folks in this industry." How did they get to where they are? And so I wonder if each of you, you know, and, maybe Brian, I'll ask you to go first. If you can tell me the story of your career. What were you like as a young person? What did you decide to study in school? What happened after that? If you would share your story with us?
Brian: So, I'm a different...I think I'm gonna be a complete opposite of Sanjay on this. And I think it's good because you're gonna see different perspectives. Early in my career, I've always been into technology. Started off young. I mean, you're talking in the '80s. My parents weren't very wealthy. We didn't have, you know, the latest and greatest systems at that time. And my mother, you know, had signed me up for a program and started bringing in, in those days, old Macs. And I think my first computer was like a Tandy 386 and it was like an old system and I used to go and...I remember she bought it at Radio Shack and I became really close with the owner over there. And he would show me how to do... you know, how to use DOS in those days. And I loved it. And honestly, you know, I had a good friend in the block that he was really into it and he had an, you know, an old IBM Commodore and we would sit there and write like 200 lines of code to play [inaudible 00:25:59] and it wouldn't work and we would have to debug for days. And I really got into it that way.
And, you know, I kind of started...my view was like, okay, how can I get into IT? So, I would always try to mix heavily with IT. And, you know, in those days there wasn't a lot like there is today. I lived in a small area, I'm gonna say South Miami-Dade and it's called Homestead. And, you know, it was a big...it was more farming and, you know, there wasn't a huge...I'm not gonna say like I lived in a Silicon Valley type of area where I met tons of technologists. So, you know, it was very hard for me to kind of get into the tech world. And especially in those days, security did not really...it wasn't a big thing at that time, right? Security for me was like everybody I knew that was, like, heavily in security were like former military as I grew up and it was interesting. So, then, you know, over the years, I started... you know, I was always in school. I was always kind of like in the art world, and if I wasn't doing art, I was doing computers. And I kind of went back and forth until I started Miami-Dade College here in Miami. And well, I'm gonna say, you know, before that I started at a technical school in my last years of high school called Robert Morgan and I started doing...they had an IT program. It was kind of like systems. It was more in the computer science world.
So, I started writing, you know, did a little bit of COBOL in those days. They had old programs, RPG II, C, and I moved into Miami-Dade and I started taking...I remember my first classes, I was doing a remedial class. I remember in math and I go, "I wanna take C++." And they were like, "Well, if you can pass the remedial." I go, "No, I just hate tests. I'm horrible at tests, but I'll do fine." And I took C++ and I flew through it. And the professor used to call me in all the time to come help the class. And then I took Visual Basic. And then I was like, you know, I was doing at that time management information systems and Miami-Dade put me up, I started helping so much, they put me up for an award for like a competition. And out of nowhere I won. I won the Terry O'Brien Technology Award in 2002. And I think that opened...that kind of like gave me such a confidence boost that I said, "Man, I can keep going." And I kept going. I finished off my AA, I finished off my AAS. I jumped into FIU. I was there. I was in my junior year. I was doing CIS and I got bored. Honestly, I got super bored. I felt like I was not learning technology. In those days, everything was programming and I'm talking early 2000s. And I was like, "I'm gonna go into IT the way I want."
And I was already working in a travel and tourism company doing, you know, basic IT, I was working at Miami-Dade College, you know, as a tutor part-time and helping with the IT courses and so forth. And I jumped and everybody's like, "You left college?" I'm like, "Yeah." I went, I did some certifications. I did my A+, my Network+. I started with the foundations. I did an, at that time it was the Microsoft, I think the MCP, I think it was. And I started working in the tech field. And I have been going that route ever since. I wanted to get my hands in it. Nowadays, things have changed. You know, technology is everywhere. There's certification courses. Kids are coming out with, you know, certifications right outta high school. I did not have that...I'm gonna say that benefit at that time. But I have made it quite some ways, you know, I've made it across the river, I'm gonna say, and into the tech field. So, you know, I'm gonna say, I have continued to keep my face in the books. Technology changes on a daily basis. It's very hard to keep up with. I mean, I was handling...right now I currently handle...we have our own private cloud, we have hybrid, we're in, you know, we're on Microsoft, we're doing everything from VMware to, you know, different parts of the stack, networking. I have mixed my hands in everything over the last 14, 15 years.
And, you know, when I say 15 years, that's when I hit the higher level. You know, for years I was fixing people's computers and doing things on the side, which was, you know, some of the things that gave me passion and made me want to grow. So, if you ever... you know, and I'm gonna say to any listener out there listening, you know, if you feel you can't get into this, you know, you can, I'm just gonna say, anybody can get into this. These are fields that you can still learn. And if you don't have the degree, you can always get it. And, you know, it all depends on what you wanna do. Don't ever feel that you're not capable of just going that route. So, you know, if you wanna ask a few more questions, I can jump in as you want.
Caroline: I appreciate you sharing your story with us so much, you know, Brian. You and I have become close friends over the past several months. And one of the things that has always impressed me about you and that I just know is so fundamental to who you are is that you love to learn. You are constantly learning. Literally, every time I speak with you, you're like "Caroline, you gotta check out this book. You gotta check out [inaudible 00:31:35], you gotta check out this course." I mean, it is just amazing to me the velocity at which you crave and consume learning. Thank you so much for sharing your story with us. Sanjay, what about you? That's not an easy one to follow.
Sanjay: So, as Brian caveated, I think he's known me for a long time. I think my story is very different. I spent the first 25 years of my life in India and my degree is a bachelor of computer engineering, I was pretty hardcore. My father was an electrical engineer, rose to a pretty high position in the government. And he was my role model and, you know, I had to, if not, be the same, but [inaudible 00:32:27]. And so I chose...I started with electrical engineering and I ended up with computer engineering with PCBs and breadboards and stuff like that. And, you know, I'm gonna date myself, probably both of you were not even born. This is going back to 1980, '81, '82, '83. So, I graduated from the University of Bombay with a bachelor of computer engineering, came to the U.S., got my master's in computer science from Texas A&M. So, I'm an Aggie. Go Aggies.
And that's where I got exposed to IT security. My professor had DoD funding to do some research, and I got a chance to work on internet protocols. So, you know, ripping open Telnet and FTP and SMTP and taking a look at how the packets were handled, what is TCP? My favorite question in an interview when I'm interviewing for a computer analyst or incident response analyst is, you know, what's the difference between TCP and IP and how big is the TCP payload, right? One packet. And it's fun to see them wriggle, right? Some of the CISSPs who claim to have CISSPs don't know the difference between TCP and IP, don't know what a packet length is, what is the header of a TCP packet? What is the 3-way handshake in TCP? And so, you know, when I graduated, I started working for a defense contractor. And I have rewritten the C library twice over, over an eight-year period. And we were building the first firewalls.
This is again, you know, '91, '92, '93. And I worked at the defense contractor supporting a project that basically was building systems to DoD spec. And I don't know how many of you have heard of the Rainbow Series, but the Rainbow Series consists of 22 booklets that actually go through trusted security at the keyboard level, at the screen level, at the packet level. And that's what we were doing. So, security, you know, has been, sort of a part of my career from the very start. My thesis has been in...my master's thesis was in transporting a packet from point A to point B using public key private key encryption. I used Diffie-Hellman...actually, I have, interestingly, I have met Diffie and Hellman both, the fathers of public key, private key, up in Maryland at a conference.
You know, the originators of RSA, I met two of them, Rivest and Shamir, I met both of them at again, another conference in Maryland... security conferences in Maryland. And so, you know, I understand TCP/IP, understand the simplicity of the internet, you have to step back and wonder how 4.5 billion people on the face of this earth are using the internet. It's a very simple protocol. And the simplicity which lends to the usage and the pervasiveness across so many users using it also is the biggest con for the internet. The TCP/IP protocol is so simple that it can easily be spoofed, breached, hacked. And I think that's what we are facing right now. The tsunami of the ransomware and hacking and the malware and APTs that is coming, I don't think we have seen anything. I think this is just the start of the hockey stick, the proverbial hockey stick, because the magnitude of what's about to come and what's about to hit us, I don't think a human can understand. You know, we are using AI, the hackers are using AI and they're using AI on a much better level than we can use AI. We are talking about model implications of AI, aesthetic implications of AI, ethical implications of AI. They don't care. If AI gets them the result, then they are using it and they're coming after us.
So, I saw my first hack, and you're gonna laugh at this, Christmas Eve, 1990, when my university fellow students from another university, and those universities will remain nameless, were trying to get into our admissions supercomputer. And there were a group of about eight people who built a firewall. You could call it a firewall. We called it Drawbridge. It was called the Texas A&M University Drawbridge. You can Google it and I think you can still find the packet. It was basically using [inaudible 00:38:18] OS systems. We built that, and it was the Drawbridge, you know, in the old mode, you know, [inaudible 00:38:27] it was a Drawbridge. And we were able to sort of withdraw the bridge, to disconnect the network to see, you know, what was going on to protect ourselves. And so, that Drawbridge was the start of my security career. And here I am, you know, probably 30 years later and I'm still doing it. It baffles me how simple it is, but how complicated it is, and how complicated we make it.
So, you know, I can go on and on and on as you can make out, I'm very passionate about this. And, as I say, things are gonna change and things are changing as we speak. You know, log4j, I don't know if you've seen the latest CISA notice, but CISA is collecting and building a list of all applications that use the Apache server. And if you start seeing the list, you're like, "Oh my God, how are we even surviving?" So, you know, if you go to CISA's website, they have a GitHub...
Brian: I was about to say, I think it's everybody. It's like...
Sanjay: It's mind-blowing.
Brian: And you were asking about the plants a few minutes ago, and we're talking about plants and asset management. I mean, you're talking, you know, some IT departments are five or six strong, right? Some have more, some have less, but you know, everybody's running lean. And when you have to go through 100, 200 systems and try to figure out what's there, how we're gonna update them all at one time, it's not an easy task for anybody. And a lot of people say, "Oh, you need to update," but it's like you have operations. You know, some companies are making millions, they can't just be updated in...or they're saying they have millions of different systems running, that one system going down and being updated impacts another, and it has to be strategic. So, it becomes complex, unfortunately.
Caroline: That's right. How do you change a tire when you're going 60 miles an hour on the freeway? Guys, I just wanna say thank you so much, you know, I love hearing your stories, thank you for your generosity and sharing them with me and with our listeners. I could talk to you guys for hours and hours, and I expect that we will just, maybe not on this podcast. I wanna say thank you. Thank you for being with me today. Thank you for your time. And most of all, thanks for what you're doing in this industry. You know, I see you two fighting every day to make things better. So, thank you. Thank you so much.
Sanjay: Hey, Caroline, one quick question. We are gonna do a podcast where you will have to answer all the questions you asked us. So, what's your story?
Caroline: Sounds good. Let's do it.
Sanjay: Where have you been? Right?
Caroline: We'll do that. That'll be fun. That'll be really fun. I would love that.
Sanjay: Absolutely. Thank you so much. Thank you so much for what you do for the community. Appreciate it very much.
Caroline: My pleasure. Thanks, both. "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service Company. You can find us on Twitter @humansofinfosec.