April 13, 2020

You’re responsible for information security at your SMB, and you need a better, faster and cheaper way to demonstrate your own security (or the security of a key third party).

Is there really a better, faster & cheaper option?

Yes, yes there is…

In this episode, I interview Tom Garrubba, VP and CISO at The Shared Assessments Program, about applications for the Standardized Control Assessment (SCA).

What we talked about:

  • SCA application
  • Resilience Guidance and the SCA
  • 3 ways for SMBs to use the SCA
  • How the SCA compares to SOC 2 and ISO 27001

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the tool's accuracy is 99%, you may find some small discrepancies between the written content and the native audio file.

Speaker 1 (00:06):

You’re listening to the Virtual CISO podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there and welcome to another episode of the Virtual CISO podcast. I’m your host, John Verry, and with me as always, the Spock to my Captain Kirk, Jeremy Sporn. Hey Jeremy.

Jeremy Sporn (00:35):

Hello, everyone. Captain.

John Verry (00:38):

So what’d you think of the conversation I had with Tom?

Jeremy Sporn (00:42):

So can I be honest, Captain Kirk?

John Verry (00:45):

No.

Jeremy Sporn (00:46):

No. I know Spock isn’t supposed to show emotion, but I feel like this is a safe space to share some feelings. So how do we feel about that?

John Verry (00:57):

Speak freely, officer Spock.

Jeremy Sporn (01:00):

So there was some significant bromance thing going on between the two of you. And I’ll be honest, I got a little jealous. You both really enjoy dark beers. You both enjoy bourbon. You’re huge fans of this shared assessments SCA. I mean, if this is a first date, I would say you guys really hit it off.

John Verry (01:19):

Yeah. His dark beer choices were not quite nearly as good as mine, but actually I’ve known Tom quite a bit. Tom and I go back probably five or six years and he actually did some CTPRP training when I got that certification. So he’s a good guy. I’m glad you enjoyed the conversation.

Jeremy Sporn (01:37):

It was really well done. And so for everyone, if you’re still with us, if you’re excited about a bromance, expect to walk away with a clear understanding of what the shared assessments standardized control assessment is, as well as its three main use cases. Also, it has been said that if you want something better, faster and cheaper, you have to pick two. When it comes to third party risk attestation, you will discover with the SCA, all three are possible to have at the same time.

John Verry (02:07):

Yeah, it’s a great standard. Thanks. Let’s get to the show.

John Verry (02:15):

Mr. Garrubba, good to see you again.

Tom Garrubba (02:17):

Good to see you, John. How have you been?

John Verry (02:18):

I’ve been pretty well. I’ve been pretty well. It’s been awhile.

Tom Garrubba (02:21):

Yes, it has. Good to touch base again.

John Verry (02:23):

Yeah, I was trying to think. I know we’ve chatted and traded emails a number of times. I was trying to think of the last time that we were in person together and I suspect it was in Pittsburgh at a CTPRP training session would be my guess.

Tom Garrubba (02:36):

Actually, I think you and I did a presentation at a security conference out in San Francisco. Do you remember that one?

John Verry (02:42):

Oh, yeah, yeah, yeah, I do. You’re right. You’re right. Although I will tell you I prefer the Pittsburgh meeting because I ended up at that place I told you about, The Butcher And The Rye, which is one of the better bourbon whiskey bars I’ve ever been in. And I’ll encourage anyone who goes to Pittsburgh to visit The Butcher And The Rye. It’s a great place.

Tom Garrubba (02:58):

It’s a great place. Whenever you make your way back to Pittsburgh, we’ll have to go.

John Verry (03:02):

All right, you got a deal. So we always like to start easy. So tell us a little bit about who you are and what you do.

Tom Garrubba (03:10):

Sure. I’m the vice president and CISO for the Shared Assessments Program. The Shared Assessments Program is a member driven organization that focuses on bringing assessment firms and licensees and various members from various industries together to address the challenges on third party risk. We have assessment members ranging from global 2000 outsourcers to content licensees like I mentioned, who are all working together to tackle this thing called third party risk. We’ve been around for over 15 years. Yeah, as I mentioned, we’re a member driven organization, so it’s those members that come to us and we help to provide that thought leadership into the various components of third party risk. Everything from procurement, business resilience to information security and compliance and privacy and all of those other components in between.

John Verry (04:06):

Right. So I think most people would probably know you guys through, if you’ve ever gotten [inaudible 00:04:12] called a SIG or a standardized information gathering questionnaire. Right? I mean, that’s probably what you’re most famous for. Right?

Tom Garrubba (04:19):

Right, right.

John Verry (04:21):

And that stems all the way back to the BITS shared assessment, going back to what? 15, 20 years ago?

Tom Garrubba (04:29):

Yes, we were part of the BITS framework and then we separated from the framework, from BITS because as you would know, third party risk is industry agnostic. It’s focused strictly on financial services. So with that, getting into everything from pure supply chain in terms of manufacturing companies to healthcare and retail and IT, really addressing the needs of the third party risk framework and the management of that through the framework, really from start to finish. So it’s great to be a part of that. So we separated from BITS and we’re just now known as the Shared Assessments Program. And I’ve been with them for about five years now. Prior to that I was at-

John Verry (05:17):

Hey Tom, people don’t care where you were. They just want to know what you can do for them now. I’m going to cut you off there because I don’t really care where you were. I just know you as being a really smart guy who can help people. And a full disclosure, Pivot Point has been a member of the Shared Assessments Program for, I don’t know, five or six years or something of that nature. And frankly, we’re fans of the content you put out and the tools and techniques and things that you put out for people. So that was one of the reasons I was excited to have you on today.

John Verry (05:51):

So what we always also like to do is before we get down to business, learn a little bit about you personally. Whatever it might be, what’s your drink of choice?

Tom Garrubba (06:00):

Well, this is water right now, but off hours I’m a dark beer guy. So I have a craving. In my bar, I have a stock of Modelo Negra. I really like Modelo Negra. But I like-

John Verry (06:17):

Mexican, right?

Tom Garrubba (06:17):

Yes, that’s a Mexican beer. I also like other types of dark beer. I’m a fan of the Brooklyn Brewery’s dark chocolate stout, which is really, really good. And I also like some bourbon. I know you’re a bourbon guy. Angel’s Envy is my bourbon of choice. I’m a fan of Angel’s Envy because they age it in those Sherry casks, which is really, really cool. So it has a nice flavor to it. Knob Creek, both the rye and I had the maple. Liked the maple for a while, but it’s starting to get a little too sweet for me. So I try to get back off that.

John Verry (06:48):

Yeah. On the Knob, although it’s not inexpensive, the 125th anniversary … I’m a Knob Creek guy. That’s one of my favorite bourbons. But the 125th anniversary is about one of the best bourbons I’ve ever had. And I happen to have a friend who’s got literally 100+ bottles in his house. I mean, there’s not a bottle that he doesn’t have that I haven’t had. So I’ve drank a lot of great bourbons and that’s right up there with them. And also it’s funny you should mention it, I’m also really a dark beer guy. Mostly stouts and porters.

Tom Garrubba (07:21):

Look at that. Yeah.

John Verry (07:21):

But if you’ve ever had Victory At Sea, it’s a wonderful, that’s from Ballast Point out in San Diego. Speaking of San Diego, if you ever get out that way, there’s a place called The Belching Beaver. It’s a tiny little microbrewery that does a chocolate peanut butter stout that is to die for. And you said you like chocolate stouts. There’s a chocolate stout, Young’s, that does a great chocolate stout. In fact, there’s a really nice restaurant by my house that does this fantastic Young’s ice cream float. So you get a Young’s chocolate stout with vanilla ice cream in it, like a root beer float. And it’s ridonculous.

Tom Garrubba (08:00):

Oh my gosh. [crosstalk 00:08:03] So where are you at so I can-

John Verry (08:05):

Now we can [crosstalk 00:08:05] beer and a bourbon.

Tom Garrubba (08:07):

I’ve got to make my way out towards your woods then.

John Verry (08:10):

Yeah, there’s some good places. All right, so let’s get to the real reason that you’re here and that’s to talk a little bit about what you guys do over there. And specifically there is a tool in your toolbox that I’m increasingly a fan of. You had a tool called the AUP, or agreed upon procedures, that was relabeled last year as the SCA, or standardized control assessment. Tell us a little bit about the standardized control assessment and what it covers.

Tom Garrubba (08:34):

Sure. The standardized control assessment really has been developed to assist risk professionals in performing onsite and virtual assessments. This is the verified portion of a third party risk program. It mirrors the 18 critical risk domains that are covered already in the SIG. These are the test steps so to speak, and these can be scoped to the individual needs for the organization. There’s actually an SCA package as you’re familiar with and it includes the SCA report template. It provides the standardized approach to collecting and reporting your assessment results. The features include the implementation guide. It helps to provide standards such as [inaudible 00:09:20] an assessment form. There’s reporting templates, best practices checklist for planning and execution of an actual SCA engagement. There’s summary templates for executives when they only need to see the executive summary from those reports. And we even provide those templates. So we really try to make it a package that’s quick and easy to use for assessors to be able to go and to perform an onsite assessment.

John Verry (09:49):

Got you. Quick question there. So when you think about the SCA, do you see it as being something that after you’ve received a SIG back, and let’s say they’re either high risk vendor or you don’t like the answers to the SIG, then you would schedule an SCA? Do you see it as being something that would happen independent of an SCA? So perhaps it’s your onsite audit program. How do you see people using it?

Tom Garrubba (10:14):

I see people using it in multiple fashions. For their critical vendors, they may want to execute certain test steps right off the bat. For other organizations, if they’re not satisfied with the results that they’re getting or suspect of the answers that they’re getting, they might say, “You know what? I’m going to execute these test steps to really see if they’re telling me what they say they’re doing. They’re really doing that.” I’ve also seen organizations take the SCA and use it on themselves internally to get a gut check as to how do we look internally for our customers. It’s almost like the answers to the test. If somebody is going to be assessing us, what should we be prepared for?

John Verry (10:55):

Right.

Tom Garrubba (10:56):

What are they going to be looking for? And it helps to actually … I’ve had quite a few organizations that have actually come back and said practically thank you for this wonderful tool because it helps them to work with their security folks. In some cases, even their auditors are able to take that tool and utilize it almost like a test script to be able to-

John Verry (11:17):

Hey Tom? Do me a favor.

Tom Garrubba (11:18):

Yeah, sorry.

John Verry (11:18):

Flip your microphone up a little bit just because I think it’s occasionally hitting your collar there and I’m getting a little [inaudible 00:11:25].

Tom Garrubba (11:24):

Sorry about that.

John Verry (11:27):

We want to hear your melodious voice. We don’t want to hear the … That or just stop dancing in your seat. You got a little shake going on that’s moving the mic around.

Tom Garrubba (11:35):

John, I’m Italian. You know what happens?

John Verry (11:38):

Put your hands in your pockets. I happen to be married to an Italian. I know about Italians.

Tom Garrubba (11:43):

An Italian with a speech impediment is somebody who only has one hand.

John Verry (11:51):

So one of the things that I thought was really good about the SCA is that it’s advanced quite a bit over the last couple of years. You’ve added some really good content to I think address what I would refer as emerging risk, privacy, a little bit more on cloud, a little bit more in the software development life cycle methodology. Tell me a little bit about those advances and what drove those.

Tom Garrubba (12:15):

Absolutely. When we get word of new regulations or consultation papers or organizations, whether it’s [inaudible 00:12:24] puts out something for comments … I’ll hold it this way. Or some other regulatory body puts things out for comment. It helps to get us a jump as to what should be included in the latest release of the tools. It’s our members that drive it. We’ve had banking members that came up with it years ago. We’ve had many of our largest banking members say to us, “We need to be aligned or tied into say the monetary authority of Singapore.” So we bake that into the program as part of our alignment and part of our mapping. And we do that constantly. We actually have a team of mappers. We have a SIG committee that gathers this information from members and other folks who say, “Hey, here’s something we’d like to see.”

Tom Garrubba (13:15):

We’re starting to see a lot of growth and a lot of use, particularly in the UK, in the European community. And so we’re going through routines right now to map the EBA guidelines, which is the European Bankers Association. They’ve recently released guidance with respect to outsourcing. So we’re baking that in. We’re baking in the Financial Conduct Authority, which is kind of like the federal reserve of the UK banking system. And because that’s what is … If you put this in up front, that’s what helps people. Because usually when you get into a regulated environment, they’re coming off right at you and saying, “Why am I asking these questions? Oh, this is mapped to this particular regulation? Great. This is what I need to, because that’s what the regulators are going to want to see. That’s what my auditors are going to want to see.”

John Verry (14:11):

Right. And how that applies to … Yeah, and how that applies to a lot of the folks that might be listening now, the SMBs and SMEs, is the fact that you’re benefiting from that good guidance. So as the OCC comes out, or SCC comes out with guidance and you probably are tying into some of their new resilience guidance, right? That’s the big buzzword that you hear in the financial community, which is about more than just business continuity and continuity of operations. It’s more business resilience and overall resilience of the information security program. The beautiful thing about if you’re using a tool like yours as the basis of your vendor risk management program is that all comes along for free. It’s not like you need to keep up on what I should be asking somebody. What are the emerging risks? What are the emerging regulations that I need to be cognizant of? You guys are taking care of that for them, right?

Tom Garrubba (14:56):

Correct. Correct. Because some of the questions even early on were, “Okay, show me evidence that you’re mapped to this.” PCI for instance. We had a member, a payments member that came to us once and said, “I need to assess all my vendors that are touching credit card information.” And back then we would take the SIG and we’d actually be able to pare it down and say, “Here are all the questions in the SIG that touch on the PCI.” And they said, “Thank you. That’s my questionnaire.”

Tom Garrubba (15:28):

It really helps them to scope it. And that’s the common issue that I see with most organizations is scoping an assessment properly.

John Verry (15:36):

Absolutely. No question about it. One of the things which I also like about the SCA is, and you touched on this earlier, is by virtue of the fact that it’s a set of agreed upon procedures, it is an audit program. Very specific. You establish the sampling rates and things of that nature. So what it does is it gives someone an absolute understanding of what was done, how it was done and there’s a consistency to getting a report of that nature back, which I think is a great way. In fact, we’re starting to see, and I’m curious as to your thoughts on this, we’re starting to see people use the SCA as its own version of attestation. Because if you think about it, an SCA report is an awful lot like a SOC 2 report in the sense of the, call it the intensity of the actual audit program itself.

Tom Garrubba (16:29):

Yes. How can I say this being politically correct? A lot of organizations will go with a SOC 2 report because they’re paying for the big name that goes on the report, right? They’re paying for the opinion. This dives more into what you need to know, what is in black and white for you, for your management to be able to look at and digest and start to develop next steps to addressing issues that they find at, I don’t want to say a fraction of the cost, but at a significant reduction in costs. And we’re seeing a lot of internal audit and compliance organizations use this as well as assessment firms going in and executing this for their clients in lieu of having to do a SOC 2. And we’re seeing smaller organizations have been doing that because they don’t have the money that it costs to go [crosstalk 00:17:22]-

John Verry (17:22):

Listen, especially after the 2017 update to the SOC guidance. It’s not an inexpensive proposition. If you get to a reasonably mainstream, call it a regional named CPA firm, you’re probably looking at $40,000, $45,000 for a traditional security and availability SOC 2 attestation, type two service owners report. So yeah, I agree with you. It has become expensive to get there. And I think that the SCA is an interesting alternative. It’s funny you should mention the internal audit programs being used, using it. We’ve actually got some customers … So you know that we do a lot of work with the ISO 27001 standard. And I’m a huge fan of ISO 27001. I think it’s a great framework for effectively managing information related risk.

John Verry (18:10):

One potential negative to the ISO program is that you get a certificate. Basically it’s a single page and I hand it to you and there’s not a lot of meat to it. And there’s some auditors who like a little bit more meat on whatever they’re getting. So they prefer a SOC 2 for that reason. A vendor risk management auditor when I use that term. So the vendor risk manager will say, “Hey, I’d like to see a little bit more. Do you have a SOC 2 report?” What we’ve been doing now is doing some of the ISMS internal audits, the ISO 27001 internal audits using the SCA program. So now what happens when you get a hand off is an ISO certificate and an SCA report. So you kind of have the best of both worlds.

Tom Garrubba (18:50):

Yeah. Yeah. And that’s a great point. We’ve had some organizations … It’s funny that I have to say this. I had to once school a CISO on a call who said, “Well, we’re SOC 2 certified.” I’m like, “SOC 2’s not a certification. Okay.” “Well, yes it is.” “No, it’s not. I was on the dark side of the forest. I can tell you it’s not a certification.” That’s another reason why they moved away from SAS 70 and called it a SOC 2 was because people were treating it like it’s a certification. “I’m fine. Look right here.” No, it’s not.

Tom Garrubba (19:26):

And that’s the purpose. And that was one of the additional reasons that we moved towards calling it the standardized control assessment was to get away from the term AT201, which is the governing components over a SOC 2, over SOC reports. We didn’t want people to think that this was an AUP under the AT201.

John Verry (19:50):

Yeah, yeah, yeah.

Tom Garrubba (19:52):

Yeah. I’m not trying to pick fly crap out of pepper here. I’m just trying to help provide how that progression went from the AT to the SCA.

John Verry (20:00):

Yeah, I think that’s important. And to be blunt with you, I actually wondered why you did change the name. That does actually make sense because that term AUP was a term, agreed upon procedures is a formal term in the AICPA space that you can conduct a set, an agreed upon procedure, a set of defined procedures as an audit program. So that’s why you differentiated it was just to make sure that people weren’t confusing it with the AICPA version of the equivalent.

Tom Garrubba (20:29):

Correct. And the other thing, John, is people thought by using the shared assessments AUP at the time, they felt that, “Oh, that means that I still have to utilize a CPA firm to execute this.” We said, “No, anybody can execute the SCA.” Again, whether it’s a firm such as Pivot Point or whether you want to do it internally, anybody can execute the SCA.

John Verry (20:53):

So one point of clarification there. So my understanding was that there was going to be some guidance or there is some guidance out there, I thought it was already public, that the SCA needed to be conducted by a certified third party risk auditor, CTPRA. You have a new certification?

Tom Garrubba (21:10):

That is correct, yes.

John Verry (21:11):

Okay. Has that come into effect or is that going to go into effect soon? Because that was my understanding is that that was a requirement now to issue a SCA.

Tom Garrubba (21:22):

Okay. John, that’s a great question. I’d have to get back to you on that.

John Verry (21:26):

That’s okay. That’s okay. I know it wasn’t a requirement, but we were told it was in the, and that’s why we ended up sending some people to get that new certification.

Tom Garrubba (21:33):

They were going that way and I just have to be frank, I’d have to check on that. I don’t want to misspeak.

John Verry (21:39):

That’s okay. Not a problem. No problem. We’ll throw … Hey Jeremy, if we could, when we publish this, if we could insert that into the transcript and into the notes on the show, that would be good. That way people have that clarity. Either way it doesn’t change the fact of what we’re talking about, right? That the SCA is an excellent way to assess the appropriateness and maturity of your information security controls from many different perspectives. You can use it for vendor risk management, you can use it as a self assessment. You can have a third party do the assessment on your behalf and then you can use that as evidence for other third parties that you guys are doing the right thing.

Tom Garrubba (22:14):

Correct.

John Verry (22:14):

Cool. So I think we covered the SCA pretty well. Any additional thoughts that you want to share on the SCA?

Tom Garrubba (22:21):

No, I think it’s a great tool and I’m starting to see auditors, actual auditing firms, use it more and more, internal audit organizations using it as a basis to execute certain test steps, whether they need to get verification and validation over certain programs or over actual technical components. They’re utilizing that. We have an SCA committee that reviews constantly the content that goes into it and makes sure that it aligns not only to the SIG, but to the other components that tie into it including, as I mentioned earlier, the guidance points that go in. That’s part of what we do to make sure that we put out a quality tool for anybody to use and we do it on a consistent basis.

John Verry (23:09):

Cool. So most of the people listening to this are probably from what I would refer to as small to medium size enterprises. So I think the takeaway for them is that it’s a great tool and it can be used probably in three distinct ways, right? That first is if they don’t have a vendor risk management program or a third party risk management program, looking at what the shared assessments does and considering the shared assessment as the basis of your program is a great idea. The second thing is that to use it as an internal tool, a self assessment if they are subject to a lot of vendor risk management, because many of the larger firms that are asking them to prove they’re secure are using the SIG and/or are using the SCA. So if you can self pass an SCA assessment, you’re going to be in pretty good shape to pass an assessment that’s done by one of these third parties. Right?

John Verry (23:53):

And then that last part of that would be to have a third party audit you using the SCA and then be able to present that SCA as evidence of your security posture perhaps in addition to or in lieu of a SOC 2 or an ISO 27001 certificate or something of that nature.

Tom Garrubba (24:08):

Correct.

John Verry (24:09):

Cool.

Tom Garrubba (24:09):

The only component that I just want to make sure that people understand again is with the SCA, you do not get an opinion. Purpose of that is to have it black and white and to be able for you to present to your management what you have done and the results of your analysis.

John Verry (24:25):

Right. And the results in and of themselves to some extent are an opinion.

Tom Garrubba (24:29):

Yes.

John Verry (24:29):

But I agree with what you’re saying, just for that clarity. Cool. So I always like to ask one other question just to have a little bit of fun. So think about either a fictional or real character or person that you might know that you think would make either just an absolutely amazing or an absolutely horrible CISO. And tell us who that would be and why you’re saying that.

Tom Garrubba (24:48):

How about if I give you a fictional and a real person?

John Verry (24:52):

Two for one?

Tom Garrubba (24:52):

Two for one.

John Verry (24:53):

If it’s good. If not, Jeremy will just cut one of them out and we’ll-

Tom Garrubba (24:57):

Sure.

John Verry (24:58):

We’ll have to lip dub you in saying we have …

Tom Garrubba (25:00):

All right. Well, a real person, the more I think about it, Andy Reid, who was-

John Verry (25:06):

Very timely, very timely, not long after the Super Bowl.

Tom Garrubba (25:09):

That’s right. I mean, and then if you take a look at him, he’s had his faults and failures with the Eagles. A lot of that also probably took a toll on him from some of the personal challenges he’s had.

John Verry (25:21):

Oh yeah, he’s had some family tragedies. That’s for sure.

Tom Garrubba (25:24):

Exactly. So family tragedies coupled on the pressures of losing one Super Bowl as the Eagles’ head coach. And then trying to take them again. Then he renews himself and he goes down, he gets the team to believe in him. He gets the management to believe in him. And that’s what a CISO does, right? A CISO gets management on board, it gets the people on board, he’s able to show them this is what our strategy is going to be, here’s the end goal, let’s achieve it. And it was a Super Bowl victory. So I look at that. Andy Reid I think would make a great CISO.

John Verry (25:55):

So Sean on our team, who is a mad Eagles fan, is going to be very happy with you. Now I will point out that Jeremy, who does direct the editor of this, is not. In fact, he’s a Giants fan, so it may not make it into the podcast. We’ll have to see who’s got more sway here, Sean or Jeremy.

Tom Garrubba (26:13):

Well, hey, I’m happy to see Eli Manning retire. He was a great quarterback and hey, he took out the Patriots twice. As a Steelers fan-

John Verry (26:23):

He’s pandering to Jeremy. Well done. Well done. All right. Get to the second person already.

Tom Garrubba (26:26):

Second … You know what? I’ve joked about this and I said, “You know what? I think Tony Soprano would make a good one.”

John Verry (26:32):

I love that show.

Tom Garrubba (26:33):

And I say Tony Soprano because he delegates, he knows what to expect, he expects the most from his team and he supports them. And if something goes bad, he rubs their face in it, but he helps to fix it. And he’s not afraid to challenge other bosses. As you’ve probably seen during the other episodes, the family bosses, he knows how to let them know, “We can work together on some things. And if we don’t see eye to eye on others, hey, let’s just go our separate ways.”

John Verry (27:03):

I actually give you credit. I like both of those. All right, so if we’re going to go Tony Soprano, you have to answer. You know the question I’m going to ask, right?

Tom Garrubba (27:09):

Go ahead.

John Verry (27:12):

So the Journey comes on, the door opens in the diner, the screen goes black. What happens?

Tom Garrubba (27:20):

He’s dead.

John Verry (27:23):

Damn. I was hoping you weren’t going to say that.

Tom Garrubba (27:26):

Well, if you go back to the episode when he was in the boat with Bobby Baccalieri.

John Verry (27:30):

Oh, yeah, yeah.

Tom Garrubba (27:31):

Bobby Baccalieri says, “I think everything just goes black.”

John Verry (27:35):

Did he say that?

Tom Garrubba (27:36):

“Do you know what happens if you get killed?” Yeah.

John Verry (27:37):

That’s kind of cool.

Tom Garrubba (27:38):

He said everything goes black. That’s why I think David Chase wrote it that way.

John Verry (27:43):

So he precised what was going to happen. That’s pretty cool. Well, excellent. Well, listen, this has been great. Before I say farewell, if somebody wants to get in touch with you or the good folks at Shared Assessment and talk about SCA or talk about the SIG or talk about the program, what’s the best way to do that?

Tom Garrubba (27:58):

They could certainly go to the sharedassessments.org website to get more information. We have our annual conference coming up in Washington DC at the end of April. It’s a resounding success. We’ve had over 300 people attend that last year. It’s a great conference. We have that coming up. You could reach out to me directly. I’m always willing to talk to people to help them in their challenges. I can be reached at [email protected] and just reach out and say that, “Hey, I got this from the Pivot Point podcast,” and I’ll make sure that I get that on the top of my list.

John Verry (28:36):

Sounds good. Tom, thanks man. Appreciate you [crosstalk 00:28:38]-

Tom Garrubba (28:41):

John, thank you very much. You have a great one.

John Verry (28:41):

You’ve been listening to the Virtual CISO podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.