Security Masterminds

On the Front Lines, Protecting Critical Infrastructure

Spencer Wilcox Season 1 Episode 6

Send us a text

With current events, there is a strong focus on the critical infrastructure sector that provide fuel, water and electricity to our homes and office buildings. 

In today's episode we hear from Spencer Wilcox, who is a cybersecurity leader at a large power utility working to ensure that power is always available and protected against cybercriminals. He shares with us his insights to the energy industry, the supply chain, cyber resiliency and the threats the industry is facing in the next ten years.

Spencer Wilcox has worked in the cybersecurity and physical space of the energy sector for almost twenty years, where previously he was in law enforcement.

Don't miss out on 

  • The transition from a law enforcement to cyber security
  • How important privacy is to security
  • The importance of supply chain to availability

Discussed Links & Follow-up

About Spencer Wilcox
Spencer Wilcox is Executive Director of Technology and Chief Security Officer at PNM Resources, an investor owned utility headquartered in Albuquerque, NM. Spencer is accountable for the secure operations of enterprise IT and OT Infrastructure, Network and Telecommunications, Technology Innovation and the Cyber and Physical Security of the enterprise and the electric grid. In this role he strategically leads leaders to continuously improve operational effectiveness using a risk based approach to technology and security.

Spencer is a nationally recognized speaker, and regular contributor to (ISC)2, ASIS, and SC Congress events. He regularly serves in volunteer capacities to improve cyber security, technology innovation and economic development. He currently serves as Vice Chair of the ICCS committee for the Electric Power Research Institute, and as co-chair of the Security and Technology Policy Executive Advisory Committee for the Edison Electric Institute. 

He has previously served as a judge in the SC awards, and Maryland Cyber awards and as a volunteer on the boards of directors for the Virginia Crime Prevention Association, the Cybersecurity Association of Maryland, Inc, and the Fort Meade Alliance. 

SpencerWilcox:

I'm really gonna say that the biggest security threat to organizations is an unwillingness to adapt to change. We have to be able to be agile in the face of an ever evolving adversary. the bad guys do new things every single day, we gotta keep up. How do we keep up? We're never gonna close the gap. We're never gonna get ahead of 'em. We have to keep the gap at a reasonable pace. I'm Spencer Wilcox. I am the chief security officer and chief technology officer. at PNM resources. Which is a utility in central New Mexico and we provide electricity. So my job is to keep the lights on and the beer cold.

Announcer:

Welcome to the security masterminds podcast. This podcast brings you the very best in all things, cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Jelle Wieringa:

Imagine losing power or not being able to keep using your computer, watch TV or keep your beer cold. Today society relies on various critical infrastructures to always be available.

Erich:

Spencer Wilcox, a cyber security professional shares with us his experience of what it takes to secure electrical power plants and to prevent cyber criminals from disrupting the power to our homes and our businesses.

Announcer:

This is episode six on the front lines, protecting critical infrastructure with our special guest Spencer Wilcox.

, Erich Kron:

You know, Jelle, I have so far I've enjoyed all of the discussions we've had on security masterminds. And this is no exception. He had some great information to put out there.

Jelle Wieringa:

Well, he's coming from the OT /IT sector. And that was really interesting. It's really cool to hear what his take on security is. And now he actually makes sure that the power company he works for is more secure everyday.

Erich Kron:

that's such a big sector here. The critical infrastructure anywhere on the globe is a big issue these days., Now one of the cool things we, tend to ask people on this show and it's always fascinating to me how did you end up in this industry of cyber security and the answers here again are always a little bit fun.

SpencerWilcox:

So it's a great question. So I started out back in the nineties in law enforcement I was just a local police officer and I got really interested working on this new fangled thing the internet, was TELNETing into stuff and having a good time. And the next thing I know my chief of police came to me and said, Hey, would you like to go to this FBI class called computer search, seizure and analysis? And I went sure what's that about? He said computer forensics. I was like, you can do forensics on a computer where you gonna lift fingerprints from motherboards? How's that work? So we started talking about it and I finally went to the class. It was fantastic. I mean, I learned a whole lot about, carving memory and, doing interesting things like using Norton Disk Doctor and Hex Editor to, lift something off of a DOS drive, And then over the next several years, I went through the national infrastructure protection center program through the FBI. And it was a lot of fun. It was really interesting learn things like, you know, how to be a Solaris admin amongst other things. And on one hand building web pages for my police department. On the other hand, I was also learning how to go Investigate computer crimes. And it was fun. I had a really good time doing it. Then September 11th happened and it just stopped everything. So we turned to, counter terror and I was a crime prevention guy as well. So I had this niche for computers and prevention and I was given the opportunity to go to the energy industry and the best thing that ever happened to me really love what I do went to work for constellation energy as a computer forensics person ended up doing just about over the course of the next 19 years now did just about everything there is to do in information and physical security capacity in a corporation. So it's been a lot of fun. I've really enjoyed it.

Erich Kron:

This new fangled thing called the internet. Now Jelle I remember that, you know, and I'm, I'm old enough to remember the first time I saw the internet, and it was, it was all command line interface at the time. It was between colleges and universities and such, but it's amazing how it's kind of grown. And it's interesting to come from a law enforcement background.

Jelle Wieringa:

IT has developed in, in some really cool and curious ways. you're right. Cybersecurity is a niche. It's a proper profession. It's really cool. This is by the way, the most, the best question we have on the show, I always enjoy listening to people how they stumbled into cybersecurity, because none of us, it seems other than a proper education for something else, we all stumbled into cybersecurity. I studied to be a teacher, somebody totally different, and then slowly roll in the past 20 years of my career, slowly roll into cybersecurity, the same with him. But his career has been really, really interesting. How do you get from a cop go into the FBI, getting taught everything about security and him moving into well, being really good cybersecurity expert or practitioner. It's amazing how these things pan out.

Erich Kron:

Yep. I agree. A hundred percent , but it has really developed into a very, very specific thing in a lot of cases, like you can really focus a lot on very specific pieces like forensics and stuff like that, which is interesting for me, because as you get further, along in your career, we all, well, we don't all, but many of us aspire towards leadership. And so that brings in this role called the CISO these days. And one of these arguments that goes back and forth has to do with, do you really need to be technical to be a CISO?

SpencerWilcox:

Let's talk about, what's a technical background nowadays, Do I know how to be a Unix admin? Yes. Can I troubleshoot a Unix box? Yes. Can I design a webpage, in HTML three, Yes. Object oriented programming is a problem for me. I don't get it. Can I network, yeah. Do I do it well? No, I mean, nowadays I just program in PowerPoint. So when I took this job, I was given the opportunity to come here in and to do something that security people almost never get the opportunity to do, which is to fix the problem. I had to manage infrastructure and networks as well as cyber and physical security. That was a really cool concept to me because it was like, Hey, look as a security person, I get to go in and say security first. And then I also had to figure out how to balance availability with confidentiality or balance availability with integrity or balance availability with patching and figure out what all of my infrastructure comrades have been telling me for years. But people had been given me a hard time about I just said, you need to patch, And they'd say well, that's easier said than done. Now I have a little bit better appreciation for that, but honestly I can still say, and you need to patch anyway. Which, has been very important because we've actually made changes and we've made changes that have allowed our infrastructure team and our cybersecurity team to actually become the best friends in the organization, which you never see that. The infrastructure guy and the cyber guy are natural enemies. We've corrected that and made him codependent upon one another, I don't know if that's a better relationship, but it's certainly one that's fulfilling as far as achieving your mission.

Erich Kron:

Yep. That's very interesting. You know, we had such a great conversation with Tom Langford on the previous episode of Security Masterminds. I always think it's interesting to hear these things from everybody's standpoint, because I don't know that there's a perfect answer for whether or not a CISO needs to be technical or not, but he definitely gives some good insight to this.

Jelle Wieringa:

Well, I like his approach to the CIA model. Like as a security guy you have the responsibility you have to balance the three and you organization. It really talks about operations, being a team effort between the security team and the IT team. I like that a lot because good security is all about collaboration. It might be difficult sometimes, and there might be some friction, but as long as everybody has his eye on the ball and understands that what they're doing is to help the organization move forward. Spencer shows us it's possible. It's doable.

Erich Kron:

Yeah. And I like his statement about the infrastructure in cyber guys being natural enemies because in a lot of places that it's been that way, but I think as we start to mature a little bit more in the cyber realm that we're realizing how important operations are, and it's no longer just, we come in and we say, no, this has to happen no matter what and that's changing a little bit and I like to see that. Now, nowhere, is it going to be more important in something like where he works, which is, delivering power to homes and businesses. You can't really just say no, shut it all down until we apply this patch. It's a really important thing to make sure that we know is going on. So as security people, we've come across the CIA triad many times that is confidentiality, integrity, and availability. I got to say the CIA triad is kind of a key cornerstone here and that, confidentiality piece rolls into privacy as well. Sometimes we feel like security and privacy are the same thing, but they, they really are kind of a separate deal. So we asked him how important is the privacy piece when it comes to security,

SpencerWilcox:

So privacy is an interesting one. It's important. I have customers, now is it as important as that keep the lights on in the beer cold mission?, the answer is yes, but from a totally different perspective? So I have to balance out, those two functions and make sure that what we are doing at the end of the day is achieving both goals and both objectives. My customers are incredibly important., it's not just that they're my customers. I mean, quite frankly, , they are the reason that we exist. We sell electrons, and we sell them well. We ensure that the, the power stays on the water keeps flowing in the desert because without power, you don't have water. And, my customers demand and expect privacy, just like they demand and expect that when they flip the switch, the lights come on. So it's my mission to do both. If I had to rate it as what's more important, while I have an operational mission, I also have a privacy mission. So I just look at this as the CIA triad, but it's about availability, integrity, and confidentiality in that order. So availability first, we have to be able to exist in a hostile and contested environment, no matter what. Every system needs to remain functioning. How do we do that? Well, we build resilient systems. We bake redundancy into the, tool sets that we use and we use encryption. We use good business process to make sure that we are ensuring not only the integrity of every transaction, but also the confidentiality of both the transaction and the person on the other end of it. So confidentiality enables integrity, which sounds strange. But when you're using encryption technologies appropriately, that's helping you to, ensure that not only is the information confidential, but that the messaging integrity is there as well. So now I've got both of those and those two things together help me to ensure that availability. Is always achieved. When you really think about it, think of it like a building block availability is my first goal. I have to keep things up and running, but the things that allow it to happen are that confidentiality and integrity component and integrity is not just , the word that we use from an information systems perspective. It's also about personal integrity. It's about making sure that what we commit to we do, it's about making sure that we are delivering on our promise, , not just to our customers, but to our partners within the business. What are our promises? Well, our promises are, we're going to deliver you accurate messaging at the right time when you need it to keep your systems up and running so that you can deliver those electrons. Whether you're generating them distributing them are transmitting them across state lines.

Jelle Wieringa:

He very much has a business perspective on security. So their customers are their number one priority without customers there simply isn't the business in the first place. That it's important for everyone, no matter your role in your organization to really notice, but the cool thing with Spencer is that he doesn't only notice, he really understands what this means as well. So he gets it. He weaves it into this security decision-making process. And I also like that he prioritizes the CIA triads. It's smart to take a minute and just consider this for your own business. Where does the real priority of your business lie and how should you act accordingly

Erich Kron:

Yeah, I liked your point about the reprioritizing of the CIA triad, because it does apply, to security overall, but depending on your organization, depending on your industry, one may be more important than the other. So one of the things with his role and the industry that he's in, obviously, as we've mentioned, has to do with the fact that it's critical infrastructure and what we've seen in the last year or so is some pretty interesting supply chain issues. And I'm sure these also scare the folks in critical infrastructure, especially when you have very little control over what happens in the supply chain. How do you ensure your third party and supply chain vendors are meeting the level of security culture that you have at your organization?

SpencerWilcox:

Oh, it changes everything, when we look at what's going on right now, so let's, break this down into a couple of different components. So supply chain, third party all of those things are interrelated, but so is availability. We talked about availability, integrity, and confidentiality let's add that into third party risk and how do we deal with it and what are those third party risk areas that we really need to be thinking about? Well, there's the risk that somebody else is going to be breached and that results in a breach of my organization. But when we start talking about availability, there's the risk that a third party simply doesn't shipment in time. And then that means that I don't get a shipment in time. So whether it's a transformer, whether it's, an RTU, whether it's a programmable logic controller, whether it's a server, or even the laptops that we use every day. All of these, , it's such a delicate balance and it's such a huge and globally distributed supply chain that when you start to think about the real risks that we have, those risks go all the way down to the silicon through the BIOS through that motherboard that's been put on there through every card, through every driver that's been added all the way up through the OS what else do we have? I mean, what about those UNIX boxes or those Linux boxes that we deal with and those open source components , that are included. And now let's add to it, the third party pieces of software that we're putting onto these systems, those applications, you can look at this thing all the way up the OSI stack and then beyond. You can also look at it through the Purdue model and you can say, okay, look it up at all these operational technologies that, they're special, it's engineering, et cetera, et cetera, but you know what? It's still running on an OS. It's still dependent on some piece of BIOS or firmware that somebody installed on the box. The reality is every one of those was touched by a nearly infinite number. The point of this whole thing is how many people could have made a change in any one of the systems that we're using today. And how many of those changes were documented?. So here in the states, you know, they came up with this idea called SBOM and it's all about the software bill of materials and it's kind of like nutrition facts for software, it's more like here's everybody who touched your piece of software. And what's interesting about that concept is it's great except how granular do you go?. And so when we start talking about supply chain cybersecurity, I liken it to the hem of the Great A’Tuin. So the hem of the Great A’Tuin is this concept that the world is the back of a giant turtle and the giant turtle rests upon the backs of four elephants. When somebody asks, well, what's beneath the elephants, what are the elephants standing on? Well, it's elephants all the way down. And that's what we have with supply chain. It's elephants all the way down. Now here's the problem with the elephant. You can do the blind men in the elephant story. One person walks up and the elephant is very like a wall. The next person walks up the elephant is very like a rope. The next person walks up. The elephant is very like a snake. The next person walks up and says, the elephant is very like a tree they're touching its side it's tail it's trunk and it's leg. And each one of them has a different perspective of what the problem is. Supply chain is very like that. Now we've got an infinite number of elephants that are included in this mess. Okay. And that that's the one I'm gonna call it a mess, because then you add in some conflict to the situation, it works really well. You can come up with some measurable and manageable method of risk, understanding that you may have some intelligence risks and over the course of the last year, we've seen war like intent added to our real problem set.

Erich Kron:

So, yeah, supply chain is always a challenge and I love the idea of the SBOM, the software bill of materials, giving you an idea of what's in there. And especially in these days where it's hard to figure out where all of your coding comes from, where we're reusing libraries and , we're doing all this kind of stuff.,The nutrition facts for software I thought was pretty cool., but you know, we've seen some interesting things. But dealing with this whole supply chain issue from the hardware to the software, like he said, you know, there's infinite number of people that could have touched this thing along the line. How do you keep track of that? And that's a huge challenge.

Jelle Wieringa:

Before I go into my answer, just a small little quote by Rince Wind.." Luck is my middle name said Rince Wind, indiscriminately. Mind you? My first name is bad." so we can do a whole episode just on the challenges of supply chain security. So it's such a huge topic with all those things going around us in the world today. And out of all the things that he spoke about, I really do like the concept of software, bill of materials. We get something similar with hardware shipments. When we get a box, look at the bill, Hey, we can see what's in it. So why not include it for software as well? As much as I like this concept, think it can be very hard to understand everything that's on there. Like those nutrition foods from food, right? Definitely those nutrition facts on food. Do you understand what all those ingredients with those complex things actually. How can you as a generic security or IT practitioner possibly oversee all the implications that you get through as SBOM?. They can let you know what's included in software, but that doesn't always tell you what risk you're really running by using that piece of software. I think the concept in itself is great but we have a while to go before actually comes to fruitition.

Erich Kron:

Great point Jelle. You know, Critical infrastructure is one of these things and it's so visible when it goes bad. Like we saw the colonial pipeline and it definitely makes the news, but there's also this kind of aura that all of critical infrastructure is just a hot mess right now, it's a house of cards waiting to come down. And so, as somebody who worked in this industry or works in this industry actively, I wanted to find out is the problem as bad as we hear it is like, are we all doomed or what?

SpencerWilcox:

So the reality is though that those OT environments, 20 years ago, they're hyper specialized antiques that you can't touch. We've reached a point where the majority of OT vendors are no longer looking at things that way. But it also comes down to an excuse that was being used for years, which was oh no, we can't possibly update it. It'll break everything. Okay. That was true. So when I first came to work here one of my peers, got really angry. I tipped over, his HR recruiting application, with vulnerability scan. I say, I, it was my team, but I'll take the full accountability for it. And he goes, you can't do that. You tipped over the box, took it offline, took us down. I said, was there a ticket? He goes for what? For the scan? Yeah. So it wasn't an unexpected. I don't understand your point. You took it offline that's avail. Nope. Nope. There was a ticket, right? Just like standard maintenance. That's one. Two, it came offline. So you really wanna have that thing facing the world? You're more concerned about my scanner than you are about a bad guy knocking that thing down easy. I mean, cuz if I can do it with a scanner, what could he do? Now, I learned this and this would've sudden, in August our first test to this system, we run this Christmas tree scan across the network, trying to learn, figure out what's going on and all of a sudden, a peaker plant at peak generation time, so it's like three o'clock in the afternoon in August and Baltimore. It's hot, and demand is super high. And the cost to knock off generation at that point in time is gonna be like astronomical. Drop the plant, drop the peaker plant. We have had some chewings as a result of it. But the reality was after we got done with the getting chewed out and then said, if we can do this, what could a bad guy do? Everybody went, oh, what were you doing? Oh yeah, no, seriously, this is just like a package. You can buy this free, you know, anybody can do it. Hey, let me show your kid how to run this. And that's all it took. The next thing, you know, we were taking cybersecurity very seriously. So you say anything that you want about vulnerability scanning about OT being special, but the reality is it has to be resilient. It has to be reliable. Otherwise . The power that it is transmitting, the process that it's maintaining it, can't be safe or reliable. And that's where the key is. Once you start talking to 'em about safety and reliability then the engineers start to understand and they start to work with you. and When we start looking at, vulnerabilities, everybody has vulnerabilities. If you say that you don't have vulnerabilities, you're probably lying. So , how would I rate the security of our critical infrastructure? Well, here's, the way I would do it. First I would say we have a mandatory compliance frame work that is a 100% requirement. In the nuclear industry, you have the same exact thing. Plus you, use the physics of light to ensure that there's no inbound communications into nuclear plants. These are hard and fast rules. Okay. Now on for NERC CIP here in the United States, we have, again, a 100% requirement that we hit every single target within the 14 CIP standards. There is no deviation from that because if, if deviate from a compliance perspective, the fines are significant. Now I'd say it's a lot better than you might think. We are right behind banking and Department of Defense, as far as the quality of security controls, across our industry. Can individual organizations be taken out? Yeah, absolutely. I mean the reality is when we start thinking about cyber security, we only have to be right a hundred percent of the time, whereas the adversary has to be right once. And so what do we possibly up against? There are two quotes that I like to use. Number one is the good old fashioned,, Sun Solaris systems, administrators manual that said there is no lock that can't be picked with a large enough hammer. The second one was there is no wall that can be built for which I cannot build a taller ladder. I can't guarantee security. I can guarantee recoverability. And that my friends is where the utility industry has really looked. One of the things that is great about this industry is we build to N minus one resilience. We build our transmission and distribution systems to ensure that we can sustain losses and restore from those losses. What's the difference from a cybersecurity perspective? Now, granted from a confidentiality perspective, once it's out, it's out. But from an availability perspective, I have to be able to survive in a hostile and contested environment and keep the lights on the beer cold, no matter what. Whether that's because of a hurricane in the Gulf coast or whether that's a sandstorm here in Albuquerque, or if it's a packet storm coming outta Russia, I gotta be able to keep the lights on and the beer cold. And if something goes down, I need to be able to replace it. I need to ensure that I have high availability on critical systems. I need to be sure that I have those systems up and running and ready to go. To sustain that attack. And if I lose something, I need to be able to replace it, which means restore from backup, have a good D.R. plan and a great business continuity program. Crisis management is a single part of my function that I've added since I've been here that I thought was the most valuable thing that I could possibly do for this organization. The crises are all the same. It doesn't matter whether the outage was caused by weather or a wildfire, a ransomware attack. It's still an outage.

Erich Kron:

So this is really interesting. My heart goes out to is these folks that are in the critical infrastructure area because they do, they have to fight this battle with extremely limited resources. We spend all this money in and why, because these attacks never really happened when in fact they do. That's a big challenge here and that's a big issue in the sectors that I see.

Jelle Wieringa:

I think that whatever type of company you're in. You're you never have the correct means battle everything that's coming against. You that's that's any critical, critical infrastructure. Sure. You have the same issue, but then you also have all of those regulations you have to maintain all of those things you have to do on top of just your security that every other company has to do as well. That makes it extra difficult. And he's right. There's no such thing as 100% security, it doesn't exist. And the problem with that is businesses often expect security teams provide 100% security. them to do well everything right and there isn't an attack because our security team has protected us. Doesn't work that way and critical infrastructure has come a long, long way in the last two decades or so. To me, it's actually something where other businesses can learn from their perspective on trying to prevent outage, but also making sure that you can get back from possible. That's something that should inspire other organizations that is something that they have to rethink their approach to security because we're spending so much money on technology to prevent everything. We're spending so much money on mitigative technologies. But in essence, we all will have outage sometime. It's just something that's there since here's 100% security, make sure that if you do, you look at your security pulse, you also look at your disaster recovery plan. You also make sure that you assume you're going to be hit. And you're assuming that is going to be a successful hit. You will be down, make sure that you can recover from it quickly enough. I think it's something that we can all learn from from critical infrastructure organizations.

Erich Kron:

Yeah. You know, and that's a very fine line that you have to walk. Now, I've been in manufacturing before and when the line goes down, the production line, that's a big deal and outage is a big deal when you're creating widgets. And that's how you keep your doors open. But in those instances, it's far less public than let's say a neighborhood or half of a town doesn't get electricity anymore. One of the other things we asked that was very fascinating was what is the biggest security threat to organizations for the next decade?

SpencerWilcox:

I wanna immediately jump into nation state attackers and and all the things that, that we all say every day and you hear on the news and, and everything. I'm really gonna say that the biggest threat, the biggest security threat to organizations is an unwillingness to adapt to change. And when I say that what I really mean is we have to be able to be agile in the face of an ever evolving adversary. The bad guys do new things every single day, we gotta keep up. How do we keep up? We're never gonna close the gap. We're never gonna get ahead of 'em. We have to keep the gap, at a reasonable pace. But the other pieces, I really think 10 years from now, we're all gonna be doing chaos engineering like Netflix does. We're gonna be introducing bugs into our systems and designing around those so that we can continue to be resilient. I think that, you know, that if we want to be successful, if we wanna win the cyber war quote, unquote, we need to stop thinking about confidentiality is something that is, is a real thing because quite frankly, everybody's stuff is gone anyway. In the EU, you've got the right to be forgotten by every legitimate company, but the bad guys get to keep all your stuff forever. So, you know, Hey, they didn't forget you. so what do we really need to be doing? We need to stop thinking about 20 years ago's problem, because we already lost that war. We need to start thinking about the problem for today and the next 10 years, which is resilience and that means that we have to engineer for resilience, which means we have to keep up with chaos. Really hard to do so to that end our job is to encircle it and that's what we do.

Erich Kron:

Okay., talking about resilience and how to be resilient. And, and I love that. He mentioned like chaos, we'll all be dealing with chaos and Netflix, you know, they have a tool called chaos monkey, which wreaks havoc on the network to see what goes on and chaos is a part of real life. You know, we talked about earlier,, doing a simple scan that takes down a machine or takes down a system. That's the opposite of throwing chaos monkey into the mix. So I think that's very interesting dealing with the resilience piece of this.

Jelle Wieringa:

We often talk about change as the only constant in our line of business chaos is the only constant as well. it happens all the time and resilience is a really important part of cyber security. And I really truly feel that there's not enough people that really understand what resilience means. What I see happening there's a lot of IT guys out there simply look at the IT domain as their whole world. They don't look outside of it. So when you ask them about resilience, they go on about, okay, well, how can I get that server backup running? Or how can I get that network switch up and go in again? How can I make sure it's hardened and et cetera, cetera. But in IT, in cybersecurity, we work to support the entire organization. Resilience is a business topic. It's not an IT topic. It's not a cyber security topic. Sure. We have to think about it as well, but we're part of a larger whole in this. I think that's really important. Resilience something that, especially if you look at critical infrastructure and supply chain management is key to making sure that you survive.

Erich Kron:

Yeah. You know, and, and he said, he thinks his biggest threat is the unwillingness to adapt to change, and resilience is the answer to that. We have to be able to do that. Things are ever changing out there all the time. There's always something going on and we do have to be ready to adapt to this change as they change their tactics and things like that and just really drives that point home Well, I want to thank everybody for joining us again for this episode of Security Masterminds with Spencer Wilcox, this was a great chat, it really opened my eyes to a lot of the things that are out there. I've never been part of the critical infrastructure side of the house, but certainly we've heard the rumors about it. So if you want to hear about other industries, you want to hear insights from other people that are really taking on the security issue and see things from different angles. I invite you to continue to listen to us here, like us subscribe, and you'll hear more of this on security masterminds.

Announcer:

You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik. We invite you to subscribe to the podcast on your favorite platform and listen to our new guests each month. And also please share with everyone.

Erich Kron:

Jelle you want to throw in a good-bye in there?

Jelle Wieringa:

Dank u wel, en tot de volgende keer.

People on this episode