Security Certifications: Lessons from the Trenches

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

In this episode of CyberPHIx Derek Vorpahl, VP and CISO at Davis Vision, discusses security certifications such as HITRUST and SOC 2. Davis Vision is a provider of managed vision care plans nationally.

Derek and Brian Selfridge, Meditology Services Partner, hold a candid conversation about where certifications fit into the overall spectrum of information security risk management tools for healthcare organizations.

Listen as Derek answers the following questions:

  • Do security certifications reduce the number of audit inquiries?
  • Can certification requirements be useful in managing day-to-day information security risk management?
  • What advice do you have for organizations in the early stages of the certification process?
  • What staffing resources do you need to complete the certification process?


Brian Selfridge: [00:00:03] All right, hello, everybody, this is Brian Selfridge with the CyberPHIx Health Care, Information Security, and Privacy Podcast. I'm thrilled to be joined today by my guest, Derek for Paul, who, the director of Information Security and information risk management at Davis Vision. Derek, thanks so much for joining us. Really excited to speak with you today. 

Derek Vorpahl: [00:00:24] Great, Brian. You know, it's a pleasure to be here.

Brian Selfridge: [00:00:29] Well, Derek, we have a lot we could talk about, given your depth and breadth of experience and never a dull moment going on in your world, I suspect. We've got a couple of topics to run across you. I wanted to start with the one that I think a lot of organizations are challenged with addressing, and that's around audits and certifications, especially these kinds of annual repeat audits and assessments that continue to kind of churn through the environment year over year, sometimes week over week. Hopefully not. I wanted to get your sense of particularly on the certification side, kind of what you've seen. Do you see organizations moving toward getting certified with some of these, these kinds of typical certifications like HITRUST or SOC2? And what do you think is motivating organizations to kind of go that route versus just building their security programs otherwise? 

Derek Vorpahl: [00:01:22] Well, Brian, I kind of think it's a combination of a lot of things that are coming down the pike. Of course, the security and risk compliance type of, you know, what's the best way to put it? The landscape that you see now people are a lot more aware of it, especially with the big health care breaches and things like that. A lot of clients that we see now stipulate these types of accreditations or certifications within their contractual obligations. We also see a lot of it in RFP, especially when you're going out to do work for state or federal or things of those sorts. You see a lot of a move towards a unified compliance type of program, especially from Blue Cross Blue Shield Association, some of the other large players where they're looking to standardize and stand on something that is really kind of an industry and widely accepted platform versus the older way of kind of doing stuff where everyone can go out and be looking at Saquon or SOC2 and creating their own controls. But at the end of the day, is it really able to compare apples to apples on one company to another because the controls may be different, or they may be based on different standards or anything like that? So that's really kind of what we're seeing as the direction of both the client and the regulatory. 

Brian Selfridge: [00:02:55] Well, given that the organizations are moving that way towards certifications kind of, driving security maturity that way, are you seeing any kind of, you know, internally within the organization, any kind of fatigue, audit, fatigue of having to continually go through these? Is it just part of the way of life now? Or how do you keep morale up? I guess internally as you're constantly kind of asking and re-asking for information for these types of things? 

Derek Vorpahl: [00:03:22] Um yeah, there's quite a bit of auto fatigue and there's a little bit of complaint of, Hey, didn't we just do this or why are we going through this again? What we've been trying to do as an organization is get as much overlap and get as many things in alignment as we can. So, for instance, the high trust certification, it's something that we're using for our SOC2. And then we've also tried to kind of bend those TORC1 controls that we may have into alignment with it as well. What we're doing from a management or an auto management standpoint is really trying to leverage as many of the, you know, requests for information, evidence interviews to be able to apply them across a wider breadth of audit kind of parameters, if you will. In the past, we had done the stock one Interview and a SOC2 Interview, and a HITRUST Interview in the hip interview. And what we found is not only is that really kind of a morale killer for a lot of especially the technical guys or people that have a responsibility in the direct physical security, but it's really an inefficient way to manage internal resources that takes a lot of time out of their days or, in some cases, weeks. And what it's shown us is that we answer the same questions over and over so if we could get to a good cycle and get to a consistent set of questions and, evidence and things like that that it's really good to kind of limit that fatigue for the end-users.  We've made some internal changes, you know, with the way we manage audits we're very much focused more on who does the performance, how we do it. We're taking more of a big company looking to use that term, something that you would see in the Sarbanes-Oxley Audit side of the house or in a company that has a very mature internal audit function. We're trying to kind of standardize and ramp ourselves up that way so that we can eliminate the fatigue and the morale busting and all those bad things that you hear. 

Brian Selfridge: [00:05:50] Now, did the certifications by the act of getting certified, does that reduce the number of audits you have to worry about from an external perspective, clients asking you to prove you're doing the right thing and all that stuff? Or is it still just as many to feel like just as many audits? Like does that help at all, I guess? 

Derek Vorpahl: [00:06:06] You know, yes and no. And the reason I answer that is kind of ambivalent. It's helped in terms of help generate business from an RFP standpoint, and it's also given the customers a level of comfort, especially let's talk about the HITRUST certification that has been a very big door opener for us with a lot of clients that they're like, Wow, you've gone through this, you're certified with it. You know that that shows that you have a commitment to organizational security and information management. You know that you don't see from a lot of companies. A lot of times we don't have the ability just to hand someone a HITRUST Certification or just a stock to report or SOC2 one report and say, here you go. This answers all your questions. 

Derek Vorpahl: [00:06:56] We've seen a lot of our clients moving to more standardized vendor risk assessment, more standardized questionnaires, especially in alignment with the C18 18 requirement that came into effect here in May. That portion on third-party risk management has actually changed the way a lot of our clients or potential clients address what I guess I should say, accept or consider when they're we're looking at a certification or a security posture or anything like that. 

Brian Selfridge: [00:07:40] So if you're going through these audits and getting the certifications, you know, at the same time, I suspect you're trying to build out an 

Brian Selfridge: [00:07:47] Effective security risk management program apart from just demonstrating that to your clients or your customer base or whomever else. Do you find the certifications themselves? Do they support that vision of kind of building out all the right things to do from a security perspective? Or are they or are they more of a check the box? We just need to pass the test and move on. And then, by the way, managing risk and actually running the information security function. Is this another thing over here that we need to do as a side job? Do you find the two overlapping very much, or do you think there's still some gap there? Potentially. 

Derek Vorpahl: [00:08:22] I think it's all about how you approach it. There's a lot of people that will go through and hit it at the checkbox kind of stuff. And, you know, does that help? Improve a security posture and audit posture by the very fact of doing it, yes, it does. Is it good for sustaining the long-term and mature information security risk management? Your posture. I tend to disagree with that one. I think the certification and everything else is an excellent baseline, and you can apply it across, you know, several different areas and different domains. I shudder to think that people would just rely on it as, you know, guidance or framework for security operations or risk management operations because nothing ever fits the way. It is in the book, right? Things always change. And no matter how well you can check off a box or be compliant unless you're adapting to information security and the ever-changing risk profile, then you're kind of doing a disservice to yourself. 

Derek Vorpahl: [00:09:29] And to whatever you're attempting to protect. You know, your company or your personal data or anything like that. The important thing that I've found with the frameworks and especially with HITRUST or, the NIST standards is boiling that that huge morass that you find of, you know, everyone in their dog has a framework or a requirement or I mean, you've got IRS, you've got NIST, you've got FSMA, you've got Covid, you name it. They're out there, right? And bringing those into a more consolidated framework has been really beneficial to us. We're able to apply, you know, risk management ideas and security ideas within that framework. And then kind of, you know, take it to a higher level because we really know how our business operates. I think it's really one of those things that you have to have a good measure of the ability to understand what the framework is, therefore, but also how you operate and implement a framework so that it's an effective, Corl effective program. 

Brian Selfridge: [00:10:39] Well, here you are standing on top of the mountain, holding your certifications above your head in victory, I suspect. But many, I suspect many of our listeners also are kind of on the early end of this journey. Maybe having are just exploring what is a sock to certification, HITRUST certification, which do I do? I do. I do it. How do I go about it? Do you have any advice for organizations and security leaders that are kind of on the early end of this journey of things that you might recommend keeping an eye out for some things to take into consideration as they kind of begin this journey? 

Derek Vorpahl: [00:11:15] Yeah. Um, you know, I've worked in a lot of different industries, you know, regulated unregulated financial, non-financial. And what I really would suggest to everyone that's going to go down this road is to really know. Internally, how things worked and how your systems are put together for a smaller program or something, you know, a smaller shop or smaller IoT group, that's that might be an easier thing to do. But the larger your scale is, the further out you know your scale sideways or vertically. You really have to have the knowledge of what your systems do in the knowledge of what your business does in order to, you know, effectively look at how these controls would apply to you. One thing that we've noticed and I've noticed as we go through this is a lot of times if you have third parties such as consultants are you rely on outsources and everything else, you need to be very cognizant of what they're doing for you and how they put things together. 

Derek Vorpahl: [00:12:27] When you come through and you attempt to put something like HITRUST or SoC to or SoC one and wrap around that, you know, a lot of times you may ride control in the SoC and talk to the world that makes sense to you. But it isn't really how the entire business or the application stack works with HITRUST. You know you're operating within a pretty prescribed set of language and prescribed set of, you know, checkboxes if you will, but not really checkboxes, but guiding principles in that framework. So the thing that you really have to understand is what it is that you're protecting and what it is that you're trying to apply these frameworks or our accreditations or auditing to, if not very quickly becomes a very daunting process. You know, things come up that you don't know how to deal with them or it's hard to hit those audit targets. And it can be very stressful for, you know, companies or first-time person going through a lot of these things, especially if you're just starting the program. It takes a little bit of a different type of lens to kind of look through and sees your intents and purposes at the end. 

Brian Selfridge: [00:13:53] Sorry, I get a little background noise here, Derek, that that out in a moment. Curious, you know, how about in terms of your team? So if you've mentioned it takes a sort of a special sort of mindset and lens to get through the certification process. When you look at your own team internally, what type of skills would you recommend or organizations make sure they have on the team when they're going through the certification process? Is it? Is it project management skills is a technical acronym acumen. Is audit skills anything that you think would be more important than others? 

Derek Vorpahl: [00:14:28] You know, um. So having someone that's well rounded and a lot of things is, you know, the holy grail of doing it if you have someone that's really, really good at audit or audit themselves and everything else, sometimes they tend to be a little weaker in technical skillsets and that type of stuff. Same way, a technical person, they have a ton of technical skill, but they don't always realize how it fits or why the compliance side of the house is as important as it is. I've been very fortunate that I got to build the team that works for me now from the ground up. When I came in, I had a pretty good idea of what the requirements were going to be from an audit standpoint, what the requirements were going to be from progressing and maturing the security program. So what I've done is I've built a team that seems to span a very broad section of skill sets. I have IT risk  Analysts that are very good at compliance and figuring out what evidence goes, where, and how you put the information in the hands of, you know, auditors be internal or external auditors. And then, you know, they have reasonably good technology skills. Some of them have really good technology skills. So it kind of gives you the ability to, span a little bit more control. My engineering group and everything else, they're very technical. They know exactly how things work. They're very good at providing exactly what you ask for. And so they work pretty well, hand in hand with those, those risk analysts or those that are kind of, handling the front side of the audit engagement portion, right? The person that talks to the auditor or the person that's dealing with the standard or the certifying body. And so they're very good at getting what needs to be done there, and they're very good at remediation. If there are gaps that are found or there's corrective action plan that needs to be issued or something like that, they're very good at implementing. 

Derek Vorpahl: [00:16:40] So we've built within the Information security and Risk management, a broad gamut of skill sets. Some are focused on Audit, some are focused on, the security operations side of the house, and some are really focused on engineering. I'm also fortunate here that I have the ability to utilize other departments, so I have a project manager that works for me within the IoT stack. I'm sorry about the IoT security stack. So he is dedicated to that project and he's dedicated to the security vertical. I also have the ability to leverage.  People from our administrative operations, type of departments, and administrative services types are part of departments. The guys that do  Document retention, fiscal document retention, the ones that manage physical security, the ones that are constantly out doing both evidence for financial audit, as well as the types of audit that we find for client audit when our clients come in and exercise the right to audit every year. 

Derek Vorpahl: [00:17:56] So what we've done is we've done a very broad team that has the ability to do IT for people starting out and everything else. I am going to always say. The person that I would look for, the person that may really give you the best bang for the buck is someone like a certified information security auditor, someone who knows, you know, our certified information systems auditor, someone that knows how those work and are how different compliance and regulatory things apply to it. It always has a different nuance than, say, a financial audit. I also would always tell anyone that if they have the opportunity to hire someone internally that has internal or external audit experience to help drive a compliance or certification program that's always going to probably give you a leg up on, you know, getting there quicker than you would have if you were starting just completely from zero. 

Brian Selfridge: [00:19:08] And Tarik, what do you think about these, you know, a lot of the entry-level resources I've noticed coming into this, this market and it's a tight market, right? We need lots of cybersecurity professionals. A lot are getting attracted to some of the more exciting aspects of the field of ethical hacking, penetration testing, forensics work. I don't know if you if you've seen that as well, but how do you find the right fit for those types of folks or maybe kind of steer other ones off that path if because if the demand in the U.S. is more to have these auditor type background resources, how do you get people excited about the audit, I guess, as compared to hacking and forensics and all this cool stuff? 

Derek Vorpahl: [00:19:51] Yeah. Um, that's an interesting, you know, question, and it's it always is kind of a. A weird type of, a quandary that you find yourselves in. I do find with a lot of people that are coming out of degree programs or just starting their career, they do want to do that cool stuff that, you know, it's sexy. I want to be a pin tester or I want to go do digital forensics or, I want to write tool sets or something of that nature that does have a place within the enterprise and within the environment. A lot of those. Types of jobs and a lot of that type of kind of enthusiasm for the sexy part is tamped down a lot in my market. As you know, I'm down in San Antonio, we have three cybersecurity universities here. We have a very big DOD presence in a very big governmental presence. So I have the pick to kind of go for people that are a little bit more seasoned. They may have spent a couple of years in the Air Force, or they may have spent a couple of years with a government agency or that kind of deal. So, you know, we have the luxury of finding people that are a little bit more in tune with. I hate to say it, but the realities of cybersecurity, it's not as sexy as all the stuff you know that you see in the newspapers or the video or the recruiting posters for a couple of the big security houses and. That is that's really not what we as a company would really be looking for. And we have a very different mix. You know, we both have insurance and retail. But the. Then CORL does pen testing or red team or monitor. The toolset and stuff like that. I like to think that those types of people who are looking for that, they're going to be much happier in a consulting type environment or they're going to be much happier working for teams that want to go out and do a services model or continually hack Big Fortune 500 that runs red team or blue team governmental where that's constantly going on in the private sector here, especially in the mid-market where we are. There's just not that type of requirement for the skill set. We are more responsible, licensed, responsible, but we are more responsible for the compliance standpoint, figuring out where all that you know how we can ensure that our clients and our vendors and everyone they know that we're doing safe things, there's some of the sexy in the industry. There where we do internal vulnerability testing, we do external vulnerability testing, you know, we work through a lot of cool toolsets. We definitely, consume cyber threat intelligence. You know, we watch the darknet. We do a lot of that, but we are probably a little bit more mature. Those areas than some others would be. The whole getting them excited about audit and compliance is a long-term game. This one isn't a short-term contest or go and find a new CORL zero-day or something else. There's so much technology and there's so much ability to do that by machine or start utilizing data or third parties to get that that the long game for the guys that come in for me, if I say, "Hey, look, the one thing that doesn't go away ever is regulatory and compliance, information security isn't going to go away anytime soon. It is going to change a lot more over the years than they risk management and compliance and regulatory will." So I like to sell them on the long game and the fact that it's a little bit more stable and doesn't change as much and maybe They won't be replaced by a bot in the future.  

Brian Selfridge: [00:24:49] That's great. And, you know, this topic of artificial intelligence comes up a lot around, you know what? That's what kind of game-changer that's going to be for a lot of industries and information security kind of be a niche of that, since it sounds like you guys have some internal capabilities for doing intrusion detection, some degree of penetration testing, some degree of monitoring that kind of thing. Have you seen or participated in any of these cyber threat intelligence sharing organizations or activities like, I think, any? Sec. The federal coalition has a thing in high trust as a thing, and there's a bunch of them out there. Curious if you've plugged into those at all and if you see those as kind of playing a part in that automation of security, you know, going forward and whether you think the value is there now or will be there just any reflections you have on that world? 

Derek Vorpahl: [00:25:48] Um, the sharing and everything else. The Issak, we do some work with the retail side of the house for that HITRUST and a few of the other health care ones are good. I have a tendency to be more of a fan of consuming. The data that we get, we do pay for threat intelligence feeds, we do pay for, you know, the ability to get our hands on unfettered. Dark Web data for lack of a better word. And we do consume a whole lot of different threat intelligence feeds. We don't feedback a whole lot just for the general fact that we haven't had a whole lot of data to a feedback. I think the concept is really good. I'll give you an example of why I've got this, this feeling about it.  I watched the Petra attack. Ah, yeah. However, you Pronounce it, not WannaCry, WannaCry, whatever it was. Um, and I watched how the OCR and HHS and everyone else, we were feeding intelligence back and forth, and I kind of got the impression that a lot of people are over-dependent on it. It's very good data. It gives you excellent points to  Correlate. It gives you a lot of information that you may not have had access to. The problem is that's not kind of an end-all, be-all you really need to know is what you're looking at and what that data says to you about your own operations. I alluded to it earlier about knowing really where everything is, knowing how the business processes work and everything. It's very easy to get caught in the fire hose of threat feeds or threat until threat exchange. They all have a great, great place within the information security world. But I think as you see AI and as you see things that can start applying algorithms and heuristics and that type of data to it, I'm interested to see if the false positive rate goes up or the false-negative rate goes up, although there's a whole lot of data floating around out there, I'm afraid that unless there's the exposure to how the data gets curated, then you may be getting information that really you think is applicable to you. But at the end of the day, just as giving you a lot more noise in the signal than the actual fidelity that you're looking for. 

Brian Selfridge: [00:28:40] Do you advise organizations kind of continue down this path, given that it sounds like there's some benefit coming out of the sharing of the threat intelligence and the indicators compromising things, but maybe not. Maybe it might be a little over-reliance on it. Do you think it's still worth it for your peers out there to continue to invest in at least keeping an eye on it or getting the feeds in and incorporating them? Or just kind of focus more your energies on your own internal capabilities and your team's ability to read what you have? 

Derek Vorpahl: [00:29:09] No, I think there's there's continued value, and I would love to see it mature and go further as you know, as the abilities of technology and people get better. The only thing I would caution and this is just based on a lot of time in the industry and a lot of time doing this is don't over, rely on that to tell you about all the threats that are coming towards you. The data is only going to be as good as how it applies to your environment. So if you have a Russian banking Trojan that's going after you, but you don't have anything to do with a banking platform or anything like that, don't let that kind of threat intelligence and data that you're getting, you know, distract you from your core, your core requirement of what it is that you're protecting. 

Brian Selfridge: [00:30:06] Well, Derek, I'd love to ask you a little bit of a different angle to the challenges we've been talking about so far, and that's more from a regulatory compliance standpoint. We've seen the Office for Civil Rights, the OCR continues with these kinds of annual proactive audits, we see the breaches are happening and then the OCR flies in and opens an investigation and requires organizations to kind of respond in that front. Have you spent energy specifically? I know you're spending time getting certified and building your security program. Have you spent time kind of preparing for these, the potential of these audits? And if so, is there anything you would share from your experience that are some ways to start to get ahead of that, that regulatory threat that looms over a lot of health care entities? 

Derek Vorpahl: [00:30:55] Um, I've been very kind of involved on the vendor risk assessment side, making sure that the current bars are in place, making sure that the documentation and we've done all that. I don't spend a whole lot of time dealing with OCR. Luckily, we have a very good compliance and privacy department and they really take the lead on OCR. I think that. As the world progresses and we find that everyone's data is very important and the health care industry and the issues that you see with, again, WannaCry and The NHS, that kind of stuff in Britain. I think OCR and Compliance and really looking at that through the regulatory, you know, myopic is going to be important. I cannot under-emphasize enough how important it is to make sure that you're prepared for OCR and you're prepared from an information security standpoint to be, you know, prepared for potential OCR activity. You know, those kinds of things. It's the nature of the business and as we all have, you know. Progressed through the information security field, and he's looking for what and what, what the big value is now. I really see that the government and OCR, the regulatory side of the house, it's going to be very much an important portion of any information security program. You know, 47 States and three territories have breached notification laws. We are now going through, you know, looking at how even EU GDPR relates to us. I really think that the OCR is a great primer. And if you're prepared for that, it gives you kind of a leg up on the other things that may impact you as you navigate the health care and information security requirements of that. 

Brian Selfridge: [00:33:10] Well, Derek, I'd like to pick your brain on a topic that I think a lot of our listeners are struggling with and one that I think you might be able to write a book on if we took it to give you the opportunity and that's around some of the merger and acquisitions and kind of changes that are happening with the various financial drivers that are driving consolidation of organizations and the selling, emerging and cutting off and combining and squishing and everything else. If you've had, I think you've had experience in one-way shape, or form. With that, I wonder, how does that change the way you look at building out a security program or a compliance program for that matter? Do you look at it any differently with that kind of potential looming? We might be part of an M&A merger and acquisition type of event at some point. Is there anything you recommend your organizations kind of think about, at least in preparing for the potential eventuality of such an event? 

Derek Vorpahl: [00:34:10] Sure, throughout the years, I've been through a lot of M&A and reverse IPO and all the good stuff that happens. I think it's important, especially in healthcare, is to remember that a lot of times you hear about the big plays, a CVS and Aetna or you see a couple of big health care plans trying to merge, Highmark had acquired an agent and a couple of other different ones. I think the big thing around M&A activity and the big thing in consolidation is you really have to be prepared for the eventuality you'll be sold. And I know that's kind of a cynical way to look at it. But if you design an information security program and it's designed. Correctly, from compliance, how it works for your company, but you plan for the eventuality that maybe that company will either merge with another one or be sold to another one or acquire another one. It changes kind of the way you look at. That's the specificity, I guess, is the way to look at it. You can't apply everything that works in your company, to the company that you would be acquiring or would be emerging with. And you definitely will not have the same security controls or anything else if you have another company that's acquiring. So in terms of M&A, in that kind of stuff, it's always better to look at building a dynamic, risk-based security approach to how you guys do stuff or how a person would design that versus getting down in the weeds and being so specific around what you are that it makes a sale or merger or an acquisition of another company, you know, difficult. It's all well and good to go out and do those activities. I think a lot of people don't think past the actual transaction to what integration looks like unless it's just strictly. You know, an asset sale or an information sale. There's got to be some kind of integration or some kind of continuing operations after the closed date that, you know, still some subject to you to the same regulatory, the same legal, everything else. So you actually have to plan out what happens after the dotted line is flight. And a lot of people build a great program and then they go out pulling another company and they struggle with how to integrate that into their risk management program. If there is a way to do that easily in the way to integrate that is being able to use a common framework, something HITRUST and then do your due diligence when you're bringing it in or are selling it off. Just make sure that you know you've gone through and looked at everything. Not only will your buyers thank you for that, but if there are financiers or lenders or private equity or anything involved with it makes the whole transaction a lot smoother. And from information security and risk management, it helps keep the company safe and during those times of integration or sale or anything like that. 

Brian Selfridge: [00:38:06] How about during those times when the ink has been put to paper and you're, you know, the merger is going forward?  I know that can create I suspect I can create a lot of fear, uncertainty and doubt within within the organizations as a whole, maybe even the security and compliance team. Since you've been through this a few times, is there anything that you think security leaders can focus on during those times of of uncertainty to kind of reassure or to make sure your team sticks around and is doing the best they can to move the program forward and in the midst of that uncertainty? 

Derek Vorpahl: [00:38:42] Yeah, I mean, there's a couple of ways to look at it. I can use the old axiom of under-promise and overdeliver. And then also a lot of people get stressed out during compliances and mergers and everything. And it's true, sometimes personnel changes, sometimes you get different jobs, sometimes you have a surplus.  The important thing is to be committed to the job at hand, which is protecting the information security of the company that you're working for. You were hired to do that. That doesn't change and I know there's fear, uncertainty, and doubt. It's happened, you know, throughout the years. But I've also found that if you are competent and capable and you can deliver on those things that have been part of a good information security plan, it also works out in the end. And I'm not going to say it's bad, or it's good I'm not going to say you don't jettison people or you don't have to hire people or anything else, but you know. If there's a good program, you've done a good job and you're within the program, there's always the ability, especially in cybersecurity, to either continue down the road that you're doing or get blessed with a whole lot of other opportunities. 

Brian Selfridge: [00:40:19] Derek, I want to thank you so much for this insightful commentary, I've really enjoyed the conversation. We've covered a range of topics and appreciate your rolling with the many and varied topics we discussed, as well as sharing your insight and experience across those. So I want to thank my guests. Derek for Paul for joining me today is the director of Information Security and Information Risk Management for Davis Vision and Derek. Any closing thoughts or anything else you'd like to share with our listeners as we sign off for this session? 

Derek Vorpahl: [00:40:52] You know, Brian, it's been great talking to you. I thank you so much for the opportunity. There are a lot of different things to do here in information security and our way of doing it or what we've done or the way I do. It isn't the only way. It's just my perspective on it and hopefully, someone out there finds some value of it. And if I help you out, great, it's always good to give back to the community. 

Brian Selfridge: [00:41:19] Excellent. Thanks so much, Derek. We'll give everyone your personal cell phone following this as you've offered to help support. No, I'm kidding. Thank you so much. Thanks so much, Derek. I really appreciate it. 

Derek Vorpahl: [00:41:31] Thanks, Brian. We'll talk to you later.