Who’s the new guy??

Subscribe on your favorite platform:

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Change is on the horizon for The CyberPHIx! Join us as your new host, Britton Burton, interviews your favorite host, Brian Selfridge to discuss it.  

This episode is a little different flavor than normal as your beloved host takes some time to explain what’s next for him and to reflect on some really interesting experiences he’s enjoyed in his cybersecurity career. 

Topics covered in this session include:  

-

  • The transition of the podcast hosting duties from Brian to Britton  
  • What it actually means to be an OCR HIPAA expert witness 
  • What interesting trends Brian has seen and knowledge he’s gained serving in that role 
  • Awesome advice and lessons he’s learned from a multi-faceted cybersecurity career journey  

PODCAST TRANSCRIPT

Britton: [00:00:19] Hello and welcome to The CyberPHIx your audio resource for cybersecurity, privacy risk, and compliance for the healthcare industry. I am your new host, Britton Burton. You may be surprised to hear a different voice starting off today's podcast, and I promise that I will explain why you're hearing from me instead of Brian. As we go through today's podcast. Once a month, we try to bring pertinent information from thought leaders in health care, cybersecurity, and risk roles. And in today's episode, we will be speaking to none other than Brian Selfridge. You all know Brian as the beloved host of the CyberPHIx, but he's also had a fascinating career from cybersecurity consultant and pen tester to CISO, to entrepreneur, to thought leader, to OCR expert witness, all within the healthcare cybersecurity industry. He's normally the host, but he's actually the perfect type of guest that we like to book for the podcast, given his range of experiences and his perspective on the industry. So in today's conversation, Brian and I will discuss the transition of the podcast hosting duties. To me, what being an OCR expert witness actually entails and what interesting trends he's seen, and knowledge he's gained serving in that role. The lessons he's learned from a multifaceted journey through his cybersecurity career, and some insight into what it takes in Brian's perspective to build a cybersecurity business and teams. I'm really excited to talk to Brian and learn from him as I do nearly every day. So let's dive into another great conversation with the best guest of all. Brian Selfridge. Hello and welcome to CyberPHIx, the leading podcast for cybersecurity risk and compliance, specifically for the healthcare industry. I would like to welcome my very special guest, the most special guest of all. Brian Selfridge. Brian, thanks for joining today. 

Brian: [00:02:10] Yeah. Britton, Thanks so much for having me. It's a bit surreal being on this side of the interview table, so to speak, but I'm really excited to talk with you today. 

Britton: [00:02:18] Yeah. Very excited to have you. It's surreal for me too, as a long-time listener. And now the new host with you as my first guest. So let's start there with our first topic. You are normally sitting, as you said, on the opposite side of the mic here from where you are today. After five-plus years, you're handing the podcast off to someone else. Let's just start there because I'm sure it will catch many listeners by surprise. Why are you making this change right now? 

Brian: [00:02:47] That is a great and very fair question. I think one that we owe an explanation to the audience at a minimum. But I do want to thank you for the kind words in the intro and all that. I'm truly, truly thrilled to be able to hand over the reins of the podcast to you. And this is the part where I make a concerted effort to to make you blush. The audience won't be able to see whether I'm successful in that or not. But this is the truth. In Britain, you're one of the most impressive professionals I've had the chance to work with and the privilege to work with over the years as initially as a client and now as a colleague here at Meditology and CORL. And for those that listen to my interview with Cliff Baker a few weeks ago, I, I provided some more of your background, actually, some of the reasons why I'm excited to have you as the host. So I won't I won't double down on that too much. You can check that out if you if you haven't listened to it for the listeners. But there are really a couple of reasons why we're making this change. I've always felt that the CyberPHIx should be representative of a variety of voices from the top leaders and experts in our field and really be able to share that kind of unfiltered perspective and support one another, really in our shared mission here and our shared challenges. 

Brian: [00:03:59] And that's why, you know, initially when we set this up, we didn't call it the Bryan Selfridge Show for a lot of reasons, but that's one of them or something like that. And I wanted to be able to really amplify the voices of the many, many, many talented leaders and folks that we have in our field and in those different perspectives. So I think in the spirit of that, bringing in a new voice and perspective to host the show, I think will really shake things up in a good way to give our listeners just a different lens on the issues of the day. And I really, truly can't think of a better voice or perspective to bring to the table than yours since you have so much experience as a cybersecurity leader and practitioner in health care. You've been there, you've been in the shoes of a lot of our listeners and in their seats in those tough situations at HCA and in other places that you've been. So that's one motivator in terms of some other motivations. 

Brian: [00:04:50] There's a part of me, and this may be true or not, but it's everybody's got their insecurities. I feel like I may be at a stage of five years of doing this where I'm starting to kind of repeat myself a little bit, you know, and deliver the same types of analysis and the trends in the industry. You know, like, have you ever had a close relative or a friend that's super interesting, but once you've lived with them long enough, you kind of hear the same jokes and the same stories over and over again. And I just worry about becoming that person. And I just don't want to be that for our listeners. And, I think the last thing I want to do is bore you all to death with perspectives and opinions that you've heard many times over and over for me. So I think I think getting a different perspective really, really helps just shake things up a little bit, a little bit in that direction. And, you know, all of that has definitely contributed to this change. And there's also maybe one-third and final kind of reason. And that's, you know, maybe a little more business oriented where our companies Meditology services and CORL technologies have been just growing and scaling rapidly. 

Brian: [00:05:53] And it's just a tremendously fun time to be doing what we're doing. It always has been fun, but we're doing a lot more of exciting things. We have an amazing team with hundreds of employees now and some incredible new capital partners we're working with that are helping to fuel some really game-changing innovations that we have coming up for the market. So it's everybody get excited about that. But in order to to make that all work, frankly, I think I need to just spend a little bit more time on strategic initiatives and kind of pull back a little bit more from some of the activities on the podcast. As much as this is my labor of love. It does take some time, as you know, as you've been involved in helping produce these in recent history. So all in all, I'm super excited to have you as the host. I truly can't wait to listen to your take on the issues as we settle in, as you settle into the role and we get into the next iteration of The CyberPHIx, which I'm really excited about. 

Britton: [00:06:45] That all makes total sense. And I appreciate your candor and letting folks know what's going on. So before we switch gears, doing this for five years, monitoring the industry, trying to keep up with trends and boiling a month's worth of huge headlines into a 30 or 40-minute podcast and interviewing outstanding people like you've mentioned, Is there a particular favorite story or lesson you've learned about cybersecurity or maybe even about hosting a podcast over the years of doing this that you'd like to share with the folks that listen? 

Brian: [00:07:22] Oh, man, that's a tough one. I mean, we've done it's a great question, but we've done over 100 plus episodes and interviewed so many amazing people. It's really tough to narrow down to a to a single lesson learned. But I'll try and maybe one is when you start your podcast, don't have a helicopter hovering. I think they're doing traffic analysis or something, but I apologize to the listeners that you can never kind of make this stuff up. But I've had several helicopters that keep circling around me, but I maybe I'll talk about podcasting, hosting, since maybe some folks don't all have insight into that and we can kind of start there. I've learned with podcasting, much like really any entrepreneurial endeavor that you're taking on, no matter how uncertain you are about how it's going to go or how to do the new thing. Podcasting, in this case, when we started up five years ago, I think you just need to get started. I think that's a big lesson for me is like not waiting for perfection, not waiting to feel like you've got it all figured out, but just focus on getting going. Focus on the idea that you're going to be continually learning and improving and evolving as you go. And as long as you kind of take that mindset into really anything but podcasting. In this case, you know, I think you can you can end up with a good quality product over time.

Brian: [00:08:40] And I'm I think we still have more ways to go. And I know you're going to improve on what we've done so far. But like if you go back and listen to the earliest episodes of this podcast, you're here like, we don't have the greatest audio quality, we don't have the best gear and production skills and kind of is flying by our seat of our pants a little bit. And but we were flying, you know, and it was going and we were getting the voices of, of our of the leaders in the market out there, albeit not as crisp and as clean as it is these days. So not obviously not everyone's going to start a podcast, but I think that lesson is a lot more transferable than you think. If you're going to start a new business or if you're just building a cybersecurity program or whatever, your function is taking on something new and having to create, you know, let those failures and missteps be the learning opportunities and focus on being persistent and the idea of continual improvement that gets good results over time. I think that I found that to be true in so many different business in other settings, including podcasts. I feel like that might have been a cop-out of an answer to your question. So maybe I'll think about ones that I've had actual. Lessons learned from guests on the podcast. 

Brian: [00:09:53] And I'll say that I'll say this and it's a bit of a generic comment because again, there's just been so much good content that our guests have brought. I think I've learned a lot more about the power of community and sharing our stories as security practitioners. When I was a security officer, Chief Security officer, I always felt a little bit isolated because anything that kind of had the word cybersecurity or security in it would hit my desk. And I was the guru for the company that I had to kind of think on the fly and come up with answers and be the one in the meeting to figure it all out and to, you know, that's stressful. So hopefully some folks are, you know, commiserating with that in your own experiences. But so know in looking at the value of when I got out and actually started talking to my peers and colleagues and getting that network available, just not as not only sort of supportive from an emotional perspective and a psychological perspective, but really understanding that I'm not the only one dealing with these challenges and that there's others going through it. And some people have come up with better solutions and the wheel has been invented many times over. And I don't need to always be reinventing it. So I think I learned in doing this podcast that there's real it's really a pretty common trend of CISOs and leaders. 

Brian: [00:11:09] They do stay out in their islands a lot more than they need to and feel like they need to be the ones to figure this out and they're the subject matter experts in those things. So I think creating allows us to create a mechanism here for us to share our stories and reactions and experiences. So just by our listeners here, by the fact that you're tuning into this stuff and listening, you're already just doing such great value for yourself and your career and others by just expanding your knowledge base and understanding that there's more out there. So, you know, the advice and counsel that I've been able to provide to my clients over the years has been really heavily informed and influenced by discussions I've had on this podcast. I mean, it's not like I'm learning along with you all, you know what, I'm doing this stuff and I've learned just that's a tremendous value and we just simply can't do this stuff alone. So I recommend to everybody, you know, make sure you're investing in your cybersecurity community, not just listen to this podcast, although I want you to do that because Britain's amazing. You're going to learn from him and his guests. But getting out to the conferences, getting connected, and staying connected to your peers is just so useful. So I'll say that's maybe the one lesson I would take away from this, this whole thing if nothing else. 

Britton: [00:12:18] Those all totally resonate with me. And some of those are reasons that I'm excited to take over as we do this transition. 

Brian: [00:12:28] So now, wait. Now, Britton, I've answered your questions here. This is totally flipping the script on you. But I wonder, like, what's your perspective on taking this over? You did this voluntarily. For the record, he has not been coerced and is required to do this. Britain. Britain actually wants to do this. So. So why are you doing it? What's your motivation? If I could flip it on you a little bit here. 

Britton: [00:12:50] Yeah, absolutely. I so I am excited to do it for several reasons. One being just kind of starting with my base of experience. As you mentioned, I have ten years in leadership roles and building security and risk programs at a very, very large health system. So I've certainly walked in the shoes, I've lived the life. I think I can commiserate. And also, you know, just kind of speak the language with most of who our listeners are. I've also always been I've always enjoyed the aspect of the job in my roles in cybersecurity that required me to keep up with news and trends and new frameworks and so on and so forth. But I never felt like I had the time because I was leading a program. And like you said, you're in a meeting and you're being asked to provide a solution and you're just you're consumed by that. So I always just kind of felt overwhelmed by I know I should have my eye on the ball on this thing, but I don't have time to read about it. That's actually part of what I loved listening to your podcast for, because it just kind of distilled it all into a, you know, a quick if I'm driving to and from work one day, I can probably knock it out. And so to have certainly it's not my full day job. I have another day job related to our product strategy and how we're going to hopefully solve some problems for folks. But for it to be at least a part of my job to actually just stay dedicated to keeping up with that news and then being the vehicle who can hopefully distill it into something useful for people who are in CISO and leadership roles. 

Britton: [00:14:30] I really am intrigued by that and excited to be a part of hopefully a solution for people. Also a small part of my background, a very small part of my background. I spent about two years in my late twenties doing a college football podcast with some buddies and kind of got the itch for it. And we all started getting different jobs and moving around the country and going to grad school and getting married and having kids. And all of a sudden there was a lot harder to do that. So it kind of fell by the wayside, but always said, you know, if there's any ever an opportunity to do that again, I certainly wouldn't mind. And so, you know, this is obviously not a college football podcast, but I may work in a reference here and there when Alabama's doing well, especially so not this year. But yeah, the thing that I'm really excited about is you actually referenced it is, is that network effect. I mean I am to a point in my career kind of leaving being in security leadership and I felt that island I felt that silo. And one of the attractive things about coming here, the podcast just happened to be a way to make it happen was the ability to build that network and to learn from people who are way smarter than me all the time. And this gives the perfect avenue to talk to those to those folks. And I just I'm really, really excited about that part. And overall, I just think this is an interesting fit for my style, my strengths, and really, really excited to do it. 

Brian: [00:16:00] What we're excited to have you I can't wait to tap into all that experience you have. 

Britton: [00:16:06] Absolutely. Okay, so that's enough about me. Let's get back to the guest of honor today. So from my perspective, one of the most fascinating things that you've done in your career serves as the expert witness for Office of Civil Rights. The first time I still remember the first time seeing your bio and a meeting. You know, the vision I had as you walking into these fancy courtrooms with your suit on and delivering these impassioned speeches that bring the gallery to its feet. I'm sure it's probably not always quite that sexy, but if you've ever watched TV, that's what happens with, like expert witnesses, Right? So I remember years ago seeing it and going, I wonder what that means Exactly. And I would imagine there's a lot of even really seasoned professionals that listen to this that probably wonder a little bit about that as well. What does that really mean? So I'd love to pull back the curtain on that a little bit. So for starters, can you just tell us what it means for you to serve in that role of expert witness for Office of Civil Rights? And what do you actually do in that role? 

Brian: [00:17:16] Yeah, absolutely. And it's first off, it's there's very little strutting around and impassioned speeches and thumping down the book and the table. I don't know what Matlock these guys would do. That's a pretty old reference. I could probably update that to something more, more compelling, more contemporary. So let's just dispel that, that myth right off the bat. It's way less sexy as I think I think you said, than perhaps folks will think. There's a ton of reading and analysis and troves of legal documents and evidence that need to be reviewed. And a lot of writing, frankly, it's probably more writing than anything in terms of what I actually do. So I'm brought in when OCR has usually spent months and sometimes years working with a health care entity to investigate, collect information, understand their compliance or lack thereof, frankly, with the HIPAA security rule. And so I'm also brought in after many attempts at settlement have been made where there's been a lot of discussions and they just can't there's an impasse. The covered entity or whoever is just not willing to budge on on their admission of any sort of accountability for the situation or they don't agree with OCR investigation. So that's when I'm brought in. So it's kind of important to understand why and when I'm brought in and what happens is I'm presenting with loads of documentation from OCR. They've already done all the legal discovery and pulled everything out. I get documents from legal counsel on both sides. 

Brian: [00:18:42] Again, lots of evidence from the defendant, in this case, demonstrating their compliance with the law of the lands and the laws and question HIPAA security rules is pretty typically where they'll bring me in. So there's a lot of upfront work I do in analyzing everything that's presented to me and then formulating an opinion, a professional opinion. That opinion is crafted into a written format. Usually, we'll have a discussion with the lawyers on sort of frame out, Hey, here's what I'm seeing and just make sure that there's continuity there and there's no sort of questions. But then it'll be put into a written format which can end up being as long as 100 pages sometimes, which sounds like crazy. And that's not, that's not the double-spaced loose leaf kind that you do when you're a kid. It's 100 pages of like text. It's, it's huge because what happens is not only do I need to present my opinion, but I also need to do a lot of common sense explanation of the law and what's expected and what's normal so that judges, lawyers, other lay people in the legal system can understand what the heck we're talking about when we talk about HIPA security rule and encryption and risk analysis. And you can just pick any part of the HIPAA security rule and think if your parents would understand what it is, and the answer is probably no. So I have to do a lot of sort of explanation and that that written opinion becomes the foundation for my expert witness testimony. 

Brian: [00:20:04] So it actually is testimony. The written opinion is the primary piece of testimony. In some cases, my support ends with written testimony only. They just don't go farther than that. That's enough for the judge to know, to make a decision around or for them to settle around, whatever it may be. And this stuff takes months and often years to play out, which shouldn't surprise you. But it does surprise some folks. So that's just how our federal judicial system works. Now, there is some in-person testimony that does happen, and it's actually a very small part of the expert witnesses job. It seems like it's the most exciting parts for some. For me, it's not necessarily I don't love getting grilled by opposing counsel in cross-examination. It's not the most enjoyable thing you can do, even when you know what you're talking about. You know the case. It's still they're trying to pick at you and find some weakness in your delivery or your personality or usually the facts are pretty clear. But it's that's what makes for the best TV and entertainment value. You know, it's funny, my dad was actually a lawyer before he ended up going back and teaching high school. So I saw I saw growing up that most legal work is pretty dry and a lot of grunt work. 

Brian: [00:21:15] You know, it's documented, there's depositions there. There is the courtroom drama. And I saw my dad go through some of that, which was interesting. I've got a lot of stories, and separate podcasts for courtroom drama conversations. But, you know, so that's in a nutshell kind of what it's like. I can tell you that this role with OCR has been one of the most fulfilling roles in my career, but also one of the most frustrating ones in a lot of ways. Like and I suppose I should explain that the fulfilling part is that I have the honor of being able to support the federal government and our health care ecosystem and in providing an impartial, hopefully as impartial as possible perspective on, you know, an area where I've had the good fortune to build a ton of expertise and a career around and I love this, this work. And so that's fun to be able to take that knowledge and apply it in a useful way. And I enjoy being able to call the balls and strikes, so to speak, as we're talking. We'll this is not a college football podcast. It will bring sports analogies in as much as possible to make you feel comfortable. So, you know, that's a lot of fun to be able to call it, like I see it, so to speak. And, you know, I have a deep allegiance to my clients and health care entities, covered entities. 

Brian: [00:22:28] I mean, that's who I serve every day. So, you know, I have this sort of responsibility to that constituency. And then when I work for and with OCR, I have a responsibility to make sure that the deep respect I have for the laws of our land, HIPAA security rule, and other pieces are enacted. And ultimately it's all the same stuff. We're trying to protect patients in ways that they can't protect themselves, right? And that's why we have the laws, that's why we have this system. And I really appreciate that opportunity. So that's the good part. The frustrating part is that you know, a lot of times when it gets to me, I'm up evaluating healthcare entities that I've chosen. And I said deliberately chosen maybe not to do the right thing. I'll sort of put it in those simplistic terms and are sometimes using the legal system as a way to deflect or shirk their responsibility or their accountability. And that's pretty frustrating for me when we're spending all this time and money and energy just saying, look, you knew what the law was like. This is not I know we're doing all our legal trickery. It's not always the case that that's what happens. But when it does, it can be kind of a frustrating thing. And I found OCR to be super reasonable over the years in the way they work with healthcare entities. 

Brian: [00:23:45] And that's not just again, I work on both sides of the fence, I understand it. But they really do work in, in trying to make sure organizations that are doing their best good faith effort to comply with the law and are generally meeting it they'll go through investigations and it won't often result in settlements. But in fact, most of OCR investigations don't even go to any kind of settlement or trial. And I think that's a misunderstanding. People think OCR shows up and they're going to whack you with a penalty. It's it's actually the vast majority of cases, they go away once they see you're trying to do the right thing, you're doing well enough. So, you know, OCR doesn't usually bring a case to trial unless they have a real compelling situation of non-compliance. And you know, ultimately there's the federal law, the HIPA Security Rule, high tech Act that have been on the books for years. And again, it's just a little frustrating to see organizations that haven't picked up on that and haven't made the investments and haven't made the compliance efforts along the time. So that was a very, very long answer to your very simple question. But I'm already feeling like I'm being a terrible guest for you. But this will put you through your paces with a difficult interview first, and then maybe the next ones will be easier. So I'll leave my answer there for now. 

Britton: [00:24:59] No, that's great. That's what being a host is. Let the guest do all the work. Right. If you talk the whole time, I don't have to. You know, that's. I had not ever really heard the most cases kind of settle and go away. You know, I think having been only on the other side, you know, I have the OCR is the boogeyman. I better make sure my program's in order. And that's an interesting perspective to hear from someone who gets more into the weeds of the day-to-day one. Kind of quick question on that is just logistically, do you have sort of an expected number of cases you might get involved in in a given year? Is it completely unpredictable? It's just something pops up and they holler at you or how does that part work? 

Brian: [00:25:43] It's really unpredictable. These cases take years to play out. I mean, I don't know, one that has been less than a year, let me put it that way. Most of them run in like 1 to 3 years in some cases. And so there's usually a handful of cases that I have in play at any given time. And again, there aren't that many organizations that will get through the investigative process, refuse to settle, sort of just dig their line in the sand and just go to battle with OCR. It just doesn't happen that often because it's not really a great strategy in my view. That's you want to take away is like it's going to be super expensive and painful and you know, if you're not complying with the law, ultimately the judges and the process are going to suss that out. But yeah, it's usually just a handful at a time, sometimes just one or two or maybe just one. Sometimes it's a little more they'll come and go and they have fits and starts where they'll, you know, they'll it'll be all this action to create your opinion and write everything up. And then, like, it pauses while you wait to get a federal judge slot for eight months. The lawyers will tell me that like, they're like, okay, so it's January now. And good news. We got approved in September for a court date with the judges. So it just takes a long time to play out, but usually a handful at a time at most. 

Britton: [00:26:58] So obviously, I won't ask you to get into specific details of the individual cases you've touched, but I think listeners would maybe love to gain some general knowledge from your time serve. So what are some of the interesting trends and lessons learned you picked up by getting involved in OCR cases over the years? 

Brian: [00:27:19] Yeah, I mean, it's actually pretty repetitive in some ways, right? I mean, the law hasn't changed. So if you understand the HIPA security rule and what's, what's what it entails, it's a lot of the same types of cases. So for those that have been sort of following this, I'll sort of reiterate that or I'll sum it up in the last, let's say ten years, maybe ten, 15 years, the biggest trend I've seen is OCR is just continued focus on risk analysis and encryption as their primary areas that they're going to go after organizations that are noncompliant because they have such a big impact. If you're not encrypting, it's an instant breach if you lose a laptop or whatever. So that's just an easy thing for them to go after. And it's also pretty clear when you're not doing it or are doing encryption risk analysis is a little tricky, trickier to figure out whether you're doing it the right way or not, but it just underpins the entire risk management. The whole purpose of HIPAA is to make sure covered entities and business associates are making investments to protect patient information. And that risk analysis is a way to say, hey, let's make sure you're looking at the right things on a routine basis, annual basis, whatever, and you're looking everywhere that he is and that you're making corrective action plans and all that stuff. So that's why they I believe that's why they've chosen those areas to focus on. 

Brian: [00:28:34] So they OCR really picks their battles and focus areas and been consistent with that over the last again, decade or so. That may be shifting. So I want to just be clear about that. I think things are starting to move a little bit as we head into 2023, just based on a bunch of different factors. But I would recommend at a minimum any organizations that don't have annual risk assessments in place that are accurate and thorough and cover everywhere that PHI is, you know, you've got to get on that right away. That's definitely is an area that will continue to be a focus for OCR. I think the same applies for encryption, encrypting your laptops and portable media in particular. I think OCR may be pivoting a little bit away from the encryption topic, just as that tends to be resolving in the industry a little bit. And there's been some weird court precedents set in the last year or two that just make it weirder. So so I think that may change. But, you know, one thing that I have learned in terms of trends with OCR is that there you have to remember or be aware of, OCR is going to go back multiple years and look at your compliance over time. So even if you had a breach or a couple of breaches that triggers an OCR investigation. They come in and start looking around. 

Brian: [00:29:50] They're going to certainly want to understand this situation, that incident. But then if they deem that you're not compliant with, again, risk analysis or whatever they may look at. Focus on. They're going to go back to ten, 15 years, whatever that limitation is. And they do have a limitation of how far back they can go, but they're going to use that as a multiplier and say, Hey, you've been compliant with this for 12 years and that equals X amount of dollars times 12 years, and that's what they usually use to settle. So just being aware that you don't wait until you have OCR at your doorstep to think that, okay, now you've got compliance exposure. If you're not doing this stuff now you have compliance exposure now and the clock is ticking and it's adding up. There's like a little money counter going on of how much exposure you have if you don't get those areas buttoned up sooner than later. So I think those are just some of the general themes I've learned a ton from working, with OCR and the investigations. And by the way, we've been as part of Meditology, I've been involved in responding to OCR investigations and helping my clients through that process. So that's been interesting too, and I've learned a lot about ways to position things effectively so that OCR goes away for lack of a better term. So yeah, it's been, it's been super interesting. 

Britton: [00:31:05] Yeah. And I think as, as we cover every month in the Roundup podcast, the breaches and especially ransomware events are accelerating and I think maybe what your what's your opinion is on this since you're more embedded on, on the OCR side of things, You know, at this point in time I think we all expect that the bad day is going to happen. But if you have, especially on the SRE front, the risk analysis front, if you have done that, it doesn't mean you're never going to get breached, but you can at least have sort of that safe harbor is probably not the right word, but at least have that defense ability of like it's not like we're asleep at the wheel, guys. We're doing good things, but no one can plug every hole in the dam. Do you find that to be true? For the most. 

Brian: [00:31:52] Part, I do. I do. I think I think OCR wants to see that you're doing the risk assessment, and wants to see that you are prioritizing. And the other thing is documenting your decisions. That's the one where a lot of folks slip up on like we decided not to invest in mitigating this control area or this compliance requirement because we're not compliant. That's not the right way to put it. This risk area, let's say we decided to not focus on encrypting our epic environment because we're going to switch to Cerner in three months, you know, So but you've got to document that decision and say, but then we're going to go fix it. In the meantime, we're going to focus on these other high-risk areas. And there's a whole lot of business justification and reasons to make different risk decisions as the year progresses or whatever. Ocr understands that they've baked in a process to reflect that, but you have to have legitimate reasoning, and business justification. You need to document that either through your risk analysis process or some other way. And I will make a quick plug for this immediate moment in time. 

Brian: [00:32:54] There is this there's not they're not calling them safe harbors, but there is this OCR recognized security practices thing that came out in law last year but is now getting has now gotten finalized where if you're aligned with NIST and you're doing security risk assessments and you're doing these handful of recognized security practices that OCR talks about, they're now required by law to consider that in any kind of civil money penalties that they issue or whether they even continue with the investigation. So it's now not only just like, hey, this is how OCR does things are pretty reasonable people. There's now a law that says if you're doing this stuff, they have to consider that in your, you know, the degree to which they hold you accountable for, for any violations. With the HIPAA security, it doesn't mean that you're off the hook. You don't get a safe harbor in that sense. But those recognized security practices are pretty cool, and I think that's a great direction that OCR is taking this whole conversation to help be more reasonable for covered entities and business associates, I think. 

Britton: [00:33:55] Yeah, yeah, I agree with that. I mean, you talk about being in the silo and feeling like you're on an island sometimes as a security leader and benchmarking any, any tools, any surveys or whatever that give you some level of benchmarking and understanding of what your peers are doing I think is valuable. And this is sort of like a federally sponsored version of that to kind of go at least do these things and bump that up against the program you're running knowing you have a million different risks to solve and control gaps to close. You know, if you have sort of this baseline of things like that, I think that at least makes you sleep easier at night as the head of security for an organization. Right. So switching gears a little bit, as I covered in the intro, you've had a really fascinating career journey. You know, you've made your way up the through the ranks from entry-level to so you've built two companies now that employ over 300 people. You served as a trusted consultant with healthcare companies, both large and small. You've hired and grown. Cyber teams for almost 20 years now. So starting generally, what have you learned about best practices and pitfalls for navigating a career in this very, very complex field of cybersecurity that we reside in? 

Brian: [00:35:14] Yeah. It's so funny you're asking about this, Britton, because I actually just got asked by one of my members of the leadership team too, to basically kind of deliver a conversation with our team about just this exact question of because we've got a lot of folks there are different points in their career. They're trying to figure out how to guess it, how to navigate it, where do I go, what's how do I prioritize and what are some lessons learned and pitfalls. So actually, I have notes. I'm going to bring them up here. Actually, this is super convenient. They're going to think we're in, our listeners will think we're in cahoots and that we've scripted this. We really, really didn't. I had this all ready to go. So let me try to give you a sense of some of the talking points that I've delivered. Actually haven't delivered it to our team yet. You guys will be the first to hear it, so maybe they'll hear it through this format before I actually get in front of them. But some of the big themes like one is just a recognition that there's no such thing as a single career path, that that is a fallacy. Even if you work in companies where there's a career ladder and there's a structure and you move from level 1 to 2 and three, and then your manager, director and owner and chief potentate or whatever, you know, you end up getting up to there's really no one path. 

Brian: [00:36:24] And I think career guidance and programs and models and those types of structures can only ever really be a guidance for you and a reference there, not a prescription. You know, if you what I recommend is folks talk to mentors and people that they respect and admire and that they want to emulate their careers. I think when you talk to those folks, you'll see they all have very, very different paths and everybody's gotten there through a different windy way. And they never imagined that maybe they were planning to do a college football podcast and eventually they ended up doing a healthcare cybersecurity podcast. But, you know, they got there one way or the other. So I think a pitfall I see that's associated with that is folks getting a little too invested in their imagination and their narrative of what they think their career path should be and should look like. And when that comes up against at odds with reality, where they didn't get that promotion or they didn't quite go the direction they won, they feel like they failed or they get upset with their employers. It's like you need to kind of let your career be more of an exercise in navigating and steering in a general direction rather than a playbook that you need to specifically follow. I think I think rigid career models are a fantasy even for those that are the best type A, go get them type people. 

Brian: [00:37:45] It's not it's not reality. It's your imagination. And you could miss really, really awesome opportunities if you're not open to them because you think you're supposed to be on one specific track or whatever. So I think I think that's one big one. Another big theme that I see is just having, especially for folks younger in their career, earlier in their career. It's not always an age thing, but earlier in their sort of career development, understanding that careers are not academia. And what I mean by that is you spend your life up until you enter the workforce in an academic setting where there's a teacher, there's a test, you study, you check the boxes and you pass or you fail. And that's how you progress. You graduate, you literally graduate, you pass some big tests, you graduate, and then you're off to the next thing. Careers are not that way at all. And I think hopefully most folks listening to this that are somewhere down the line of their career can empathize with this. You know, it's not a game. It's not a situation where you win in your career and others lose. It's not like that when done correctly. Actually, everyone around you can win when you're succeeding and when your career is going well. So, you know, if you're trying to prove to your teacher or boss that you're that you've checked all the boxes and you're ready for promotion, you're just wasting your time. 

Brian: [00:39:08] I think it's it's all about positioning yourself for career advancement. And what I mean by that is it's less about sort of climbing this ladder, but more building the relationships, getting the experience, especially, I mean, at all levels. It's not just an early career thing. I still feel that way, like these podcast interviews I do every time I'm learning something, I'm improving my career, and because I now know something, I've built a relationship, I've learned something new I didn't know. And that accumulates over time. And I think folks fail to realize that that stuff is so much more important than whether you got to level two within one year or two years or you got promoted like, that's man, that's just such a short-term thing. And you know, you do have to play that game to some extent in certain cases, but it shouldn't be what's driving you. So, you know, when I recommend people positioning themselves in their career, you know, just make sure you're delivering value to everybody you interact with. And that can be your not just delivering value up to your bosses, but that. Can be yours. In our case, we have customers and clients. I do have bosses and I have I've had bosses in the past less so recently. 

Brian: [00:40:21] You have peers, you have less experienced staff, you have operations people that support you deliver value for everybody you interact with and that is a career accelerator. And then you still got to work your tail off, right? I mean, there's no getting around hard work. And what I don't mean, I don't mean obsessive, you know, kind of working to the exclusion of everything else in your life. But, you know, when I always say when you shoot a suit up, you put the uniform on. Let's bring it back to sports here. The college football team, you know, when you put that helmet on and that you're Alabama, I guess I'm Penn State. But you put that I'll say put that Penn State outfit on. Go in to play the game and be the best that you can be in that game at the time. But when you're done, you take it off like go be doing other things so you can recharge. And I think that that's that hard work mentality when you're suited up is really important. Careers don't just come to people. Sometimes they do. Some of us, and there's certainly been many moments in my career have been very lucky and fortunate. So that's part of it. Be open to good fortune and don't sweat the bad fortune quite so much. But if you're working hard, building relationships, and adding value, the train will come and it will take you to good places. 

Brian: [00:41:33] And then I guess the last thing that I'll mention, because I can kind of go for hours on this, you know, ask for guidance just and listen to the guidance that you get. Don't ask people just to hear them talk like listen to people that have been there and they may tell you this is the way to do it. It's almost like parenting, right? You get parenting advice. Everybody's got their own way of they parented. But listen to it. Take it in and take the bits that you think are good for you and get your ego out of the equation as quickly as possible. It sounds kind of like a weird thing, right? Like, if you're building your career, it's all about you and your advancement. If you're worried about like other people getting promoted in front of you or that you're not getting recognized for your event, like just get over that stuff, work hard, put in value, People recognize eventually it'll get there, and just don't get hung up. On whether you are top dog. And the most important, like all that stuff is just a distraction from building relationships, adding value, and getting the work done. So I think I'll leave it there. I could, man, I could go on and on for this, but those are a few anyway. 

Britton: [00:42:44] Well, I've got some follow-up questions, so I'll let you keep going a little bit. So I think having for you, having served in so many unique roles from technical specialists like a pen tester to Cisco, to consulting to thought leader and podcast host, you've kind of been touched so many different aspects of the industry. I think you have a unique perspective on the different actual possibilities that exist within the cybersecurity industry from a career standpoint. And I think certainly I did this. I think a lot of us kind of think when you start your career probably in whatever field it is, but we happen to be cybersecurity folks. You think of it in this linear track on the industry side, and I'm going to work my way up from analyst to engineer to manager to director to CISO. And that's just that's the track. But there's so much more out there. So I think you've already you already mentioned several things I was going to ask about just kind of ways to find contentment in your day-to-day. I think you've touched on that a lot, but can you expand maybe a little bit more on how you'd advise people to seek out that slice of the industry that best suits them, whether it be being a podcast host and a director of product strategy, or working towards being a CSO or being a SOC analyst. You know, what are some tips you can give for finding that slice that suits them best? 

Brian: [00:44:13] Yeah, I think that's a fantastic question because there are a lot of choices, right? It's almost like when if you and I went to a big, big college, Penn State, it's been referenced already. But, you know, when you go to a big school, there's all these majors and all these things you can do and you sort of understand a little bit about your interest, but you don't really know, right? Especially when you're younger. I think the careers pan out that way, too, right? Like, well, I'm some people may feel like early in their career or I'm more technical or I'm less technical and I want to go this way or that way, I think and I've found that be open to things that you don't define yourself as currently and be open to, to sort of growing and just trying stuff out. And maybe it's back to that podcast sort of conversation I had earlier like just jump in and try it a little bit, try to learn something. And the only way you're really going to know of whether it's making, your soul sing or whatever is doing it and then just getting lost in it. If you get lost in it, you get in that flow state and you start finding you really enjoying a certain career in this direction or that direction, then sort of let that be your gravity that takes you wherever you're going to go. 

Brian: [00:45:21] So I don't think there's as much that you can really prescribe. And a lot of times you take a job and you're not going to have a whole lot of choice, especially early in your career. You're going to get kind of deployed and be like, You need to go do this now and do this risk assessment or this audit work or this, you know, pen testing, whatever it is like. But embrace whatever you're given in front of you, do the best you can, and learn. And I think that not only are you learning in ways that you'll take skills that even if you don't end up in that niche, if you don't end up as a pen tester or something, for example, that knowledge, when you go to become a CSO or you become a GRC specialist, whatever you learn there, I promise you will be useful, you know, even if it's not your major anymore. So it's almost like you collect a bunch of little minor experiences and then you learn from that and you start to kind of, you know, find that gravity in your career to to where you want to go. 

Brian: [00:46:16] So I don't think there's any single answer and I don't think you can prescribe it. I think you've got to just get out there and start doing and be, you know, and stick with it a little bit, even if it's like, well, I didn't choose to do this particular job in task. Don't fight it, you know, just embrace it, learn from it, and I guarantee it'll be useful for you down the line wherever you do end up, either as something like, I never want to do this again, or something like that, You can apply, apply somewhere else in whatever role you end up in. And by the way, you're not going to end up in just one role in the future. You're not going to like make it to see so and be done. Like I mean, I can definitely speak to that. I, I got there and that was the beginning of my career and I'm very fortunate of that. But a lot of the most rewarding and interesting things I've done have been after that, and I had so much more growing to do after that role and still have growing to do so. I think just it's a mindset thing in a lot of ways. 

Britton: [00:47:04] Yeah, I believe any of us who are kind of well established in our cyber careers get asked fairly often by people not in cyber, you know, how do I break into the cyber security field? So this will be sort of a meta version of this question because probably anyone listening to this is in the cyber field. There may be a few that are maybe more on the IT side or whatever, but I would imagine 95% of our listeners are actively in the cybersecurity field. So I think we could all do a better job of answering that question. I know I've at various times done a great job answering it, and at other times maybe I was busy and distracted, and probably didn't do such a great job. So it's still the basic question, but. Maybe a little spin towards helping those of us that get asked provide a better answer. But what would be some of the ways you would respond to that question? 

Brian: [00:47:54] Yeah, I think for folks that are trying to get into cyber, so to speak, let's just maybe I'll frame it sort of that simplistically. They might be career switchers or they might be entry-level type folks and say, Hey, this looks really cool. How do I get there? And I do get that question a lot. We've had a lot of entry-level hires over the years as a model, and so I've definitely had that coaching conversation many times over. So I would boil it down to one, you know, show me. Make some concrete investment in more than just saying, I want to get into cybersecurity, like do something about it, get us a certification, get a degree. If you want to get really big about it, make the investments. But as a hiring entity, somebody says they want to get into it. And we've hired X nurses. We've hired people that have been all kinds of career shifters, and they're my favorite people to bring in, by the way, that that that have a passion for this and want to get into it. But you've got to show me you've got to show your prospective employers that you take this seriously. And it's not just this like whim that you had a New Year's resolution of like, Hey, I don't like my current job. I want to get into cybersecurity. So take that first step, make an investment, show that you're committed to it. And I think that that first step goes a long way to getting you kind of in the door or getting the conversation open and then learn as much as you can passively, actively. You could listen to the CyberPHIx podcast is a good way to sort of learn a little bit from the insider view of what's going on. 

Brian: [00:49:23] You can watch webinars, you can read up. There's no shortage of material out there. So, you know, consume that and consume it, even if it has to be in your free time when you're career switching or getting out of college and trying to get a career going, consume that stuff. And you don't have to be the best curator and consume all the right things. But just by getting out there and listening and learning, it's going to make you much better position to be able to get into this field and be successful at it. I would also recommend building relationships. I mean, that's just to me, that's the core DNA of everything I've ever. Valued in professional life is relationships. And that may not be the only way to get there. But sure, man, I can't imagine a way to build a career and get into a field without building relationships in some way or another. So see if you can get some folks in the field to have coffee with you or lunch or have a quick these days, just a quick virtual conversation. Prepare some questions. Don't just show up and be like, well, I want to get into cyber. Like, don't have that be the only question you asked. Show that you've thought about things and you're like, well, what do you think about this role versus that? Really like come to the table with something? But even if it's just asking for advice people love that have been in the field like you and I love having those conversations. 

Brian: [00:50:46] We'd love to be able to share the insights and it's good for us and it's good for us to give back and all those things and help somebody get their start. The way that I'm sure with you it's been for me, so many people have helped me along the way that it's just a no brainer to do that. But get out there, meet, meet folks, get out in the community, get out some conferences. If you can find those. They're not always very expensive. You know, it's not a money thing. It's a time thing. And prioritize that. Meet some people and have an answer of a clear sense of why you want to get into this field. Like not just like I see that it's really lucrative and a lot of there's a big need, there's a lot of like, but have a reason in your heart why you want to do this and be able to articulate that. And when you build these relationships, I think that's huge. And other than if folks come to me in their like graduating and I just cyber seems interesting or my mom told me I should check it out. You know, this stuff that I get, I'm like, well, yeah, but why do you why is this about you? And if you can't answer that, your heart's not in it, and I don't think you're going to make it. You know, that's or I'm not willing to invest in somebody that hasn't articulated why they want to do this and why I should help them out. So those are some thoughts that I have. 

Britton: [00:51:56] Can definitely vouch for the. Coffee, lunch or happy hour are pretty much the root of any meaningful career move I've made. So that's a lot of really good advice there. But obviously the people part of it, a lot of times it just comes down to that. So totally, totally want to echo that. A couple of lighter questions to wrap up here before we call it an interview. If you weren't working in cyber security, what have you, what would you have been doing professionally for the last 20 or so years? 

Brian: [00:52:29] That's fascinating. I mean, that's there's a version of that question that is almost like, what would you and I have been doing 30 years from now when this stuff didn't exist? You know what? We have this skill set. I mean, I love this work and it's so wonderful and I love everything about it. But it hasn't existed for very long, right? We're sort of on the front end of it in a lot of ways. So. So I'll kind of I might have to answer it sort of in that vein as well. Look, I've got a lot of this is getting on the personal side, but this is kind of fun. So so I don't mind. I've got a lot of interests and they are many and varied and cybersecurity, health care. Cybersecurity is a big one, but it's not the only one I'm a musician, so I write music, I play in a band and, and that whole world. I could definitely see a part of me that would do that professionally, given the time, resources, and energy, you know, it doesn't pay very well. And I saw that early on working in a bar and watching the musicians. 

Brian: [00:53:29] I was like, Man, I don't I don't think this is a good job, but it sure is a lot of fun. So maybe there's some of that. I like writing. I've been a writer, I've published a book on philosophy in the last couple of years, and so I'd I'd probably do some form of writing, and that's what I get this OCR case and stuff we talked about. I love writing, I love narrative prose, I love distilling complex things into. Hopefully more simple concepts in written formats. So I probably do some form of writing. Who knows what kind? I like to brew beer. I might brew my might be a beer brewer and restaurateur in another life somewhere. Not this one, but so probably one of those. And I don't think I can professionally raise my kids. I could be a homemaker. I think that's the other. That's the other aspiration that I would have would be just to be home with my four kids and taking care of them. So that's that is the hardest career of all and probably one that I would embrace gladly if given the opportunity. 

Britton: [00:54:29] I can vouch for that one, too. Definitely, the hardest that's my second career is raising children. I have always wanted to get into brewing, have not been able to devote the time to it, I do enjoy drinking the beer. So maybe there can be a future podcast where I drink your beer and we host the podcast about bands and football and a little bit of cybersecurity. We'll have to see how that goes. 

Brian: [00:54:50] I have some B-sides or something. Yeah. 

Britton: [00:54:54] And then the final one. You've been an executive leader in cyber for many years and of course, worked alongside or advised many, many others, interviewed many, many others. What are some of the best qualities or personality traits that you've seen in strong cybersecurity leaders? 

Brian: [00:55:11] Man. That's a good that's a good one. I mean, it's like I've learned from so many different leaders. And one of the things I'll get specific. I'll actually answer your question, I promise. But more generically, I think there's so many different ways to be a good leader. You see different styles. It's almost like different management styles and different leadership styles. You got the best leaders tap into who they are, the whole nature versus nurture thing, like what makes you tick? What makes you enjoy life and be a good professional. If you can tap into that as a leader. And when I've worked with folks that are truly themselves but also incredible professionals, they're the best because they don't have to spend so much time pretending to be anything and pretending to be something else or trying to put on airs to be the leader that they think people need or want them to be. And I think those that are genuine in themselves and authentic first and foremost, and then they build the professional skills on top of that I think are the best. I think so. More specifically, I think folks that are leaders that are humble, I find to be the best. I mean, I just have real trouble working with leaders and or anybody that thinks they know it all. You know, I it's so obvious to me that I don't know hardly a speck of what there is to know, even in our field where we're experts and I can be the expert witness and all these things we've talked about, but there's so much more I need to know and can know and want to know. 

Brian: [00:56:38] And I find folks that are humble and curious and willing to recognize that they don't have all the answers, want to learn from everybody, whether they're their peers or their teammates or their or just somebody they meet in a conference or something. They just want to learn and genuinely want to do that. I think those types of leaders for me resonate really well because they're more like shepherds and less dictators, you know, kind of things. Like they're more, more kind of not doing it themselves and pushing down and knowing all the answers and all that stuff. So another characteristic, I guess, is consistent with what we've talked about already. So keep it brief is is the relationship builders, the ones that want to get to know everybody on a personal basis, not not to extremes, but that build meaningful relationships. And then the work is sort of secondary to that. I think that makes fantastic leaders. I like leaders that are in our field that are calm in the face of craziness. Like there's a lot of legitimate reasons to panic in cybersecurity, right. Especially if you've been on the operational side, as you and I both have. It's very easy to fall into that sky is falling, fear, uncertainty and doubt, panic type of modes. But I think I think to be a good leader in this space, you need a demeanor that can take it all in stride and focus on how to best respond and control the damage, protect the organization, manage risk, prioritize, understand you can't do it all and just take a deep breath. 

Brian: [00:58:13] Everybody calm others down, Calm yourself down and we can panic on the inside like I do that all the time, you know? So there's nothing wrong with that. But just as a leader, you got to kind of put some boundaries around that and then, you know, and otherwise just professional skills leaders that know how to. How to communicate professionally, but also have that personal touch of being caring and supportive of their team and being somebody that can be you can a good leader of somebody. You can bring the problems that you're taking, you're having at home, just as you can bring the problems that you're having with your peers or colleagues or the work situation at hand. I think it's just somebody that takes that mentorship sort of approach, not in a pedagogical way is that the right word? Isn't the right word. You know what I mean? Not in like a parental way, but more in like truly caring, supporting, and guiding. I think those are the best. But man, there are so many different ways to do it. It's like career paths. There's no one path to being a great leader. For those that I've worked with, I've met so many great security leaders in this space, and those are some of the characteristics I think have consistently been the ones that I've been like, Yeah, that's what I want to be. I want to grow up to be like that person. 

Britton: [00:59:27] So we're going to wrap up now. I think normally, you know, with a regular, quote unquote regular guest, we would say, you know, any closing thoughts on the things we've talked about today. I think certainly if you want to close thought on being an OCR witness, you can do that. But I think I would I would love to actually just open the floor to you. I believe starting next month, I'll be the actual host of the Roundup. So this might be your second-to-last kind of chance at the mic as the host. So if there are just any kind of closing thoughts or bits of information about your next chapter or whatever, I will see the floor to you before I come back in and sign it off. 

Brian: [01:00:09] Yeah, I appreciate it. I mean, I don't have any great words of wisdom to close out other than to say I just feel a profound sense of appreciation and gratitude for a lot of things. But for this journey that we've had with the podcast, for the listeners, for the fact that you all are tuning into this and participating and being part of this community, and I know it can feel like a one-way conversation sometimes, certainly for me as I'm, you know, chuckling and making jokes to myself, I'm like, I don't think anybody's going to hear this and just, you know, in this roundup and stuff. But I'm so appreciative that you're all tuning in. And it makes me feel so great when I hear somebody come to me and say, Hey, you know, that really helped me, that thing that's, you know, you had a guest on and they were dealing with something I was dealing with, or just the fact that you're all taking the time to be a part of this. And I encourage everybody to, you know, to not just have it end there of just consuming and listening and and and educating yourself, which you should do. But pay that back. Pay it for whatever you want to say and get out there and help others to get the message out in any way you can. 

Brian: [01:01:18] You don't all need to start podcasts you can Britton will interview you if you want to be a guest and you want to get your word out there, I'm sure he'll talk to you. But I just feel so appreciative. I still feel so appreciative to have you, Britain, being able to take over this, and I'm so excited like I know you so much better than the audience does at this point. But I promise you, audience, when you get to know Britton, you're going to love his perspective. You're going to love hearing from him. And I think you're going to learn so much more from him and from you in this case. Britton, So I'm very, very excited about the next generation of this, this podcast. I'm very appreciative of where we've come from, and I'm very excited about where Meditology and Coral and cybersecurity, in general, are going. There's just a lot more work to be done and I'm excited to. Have this small part in this community and be a part of everybody's journey to help us do it better. And it's exciting. So so just most of mostly a thank you would be my closing remark. 

Britton: [01:02:19] Outstanding Will. Thank you for the kind words to me. I would definitely like to thank my guest, Brian Selfridge, for a great conversation today. Brian, thanks so much for taking the time to share your insights with our listeners. And then on behalf of our listeners, thanks for starting The CyberPHIx and for all the work you've done to keep it going over the years. You'll be sorely missed as the host. I will do my best to match your professionalism, perspective, and quality, and I don't think I'll fill up the shoes all the way. Right. But I'll do my best and hopefully we can have you back on maybe from time to time as a guest to set me straight or give a different perspective on a topic that matters to the folks that listen to us. So thanks again, Brian, for being on. 

Brian: [01:03:07] My pleasure. Thank you. 

Britton: [01:03:16] Again, I would like to thank my guest Brian Selfridge, Cyber Security risk executive and podcast host extraordinaire at Meditology. I really appreciated Brian's insights on cybersecurity careers and what it really means to be an OCR expert witness. But most of all, I want to thank Brian for explaining why we're making this transition of hosting duties right now and also for how gracious he's been and preparing me to take over the role. I can't promise to be as good as Brian was at this, but I will definitely do my best. As always, we would love to hear feedback from you on this episode. Feel free to drop us a note about what topic you would like to hear about or what thought leader you would like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of The CyberPHIx and we look forward to having you join us for the next one coming up soon.