90: Entitle with Ron Nissim

Ron Nissim, co-founder and CEO of Entitle IO, joins Chris at the bar to discuss identity and access management (IAM) in the cloud. They explore the differences between traditional IAM and cloud IAM, as well as the pain points organizations commonly face with access requests and approval processes. Ron shares a specific incident that sparked the idea for Entitle IO and explains how their platform has helped organizations improve their IAM efforts. He also discusses the future of IAM and upcoming features from Entitle IO.

TIMESTAMPS:
0:00:16 – Introduction to IAM and its importance in security
0:01:49 – Differences between traditional IAM and cloud IAM
0:05:33 – The need for cloud IAM due to common access management issues
0:08:18 – Pain points in traditional access requests and approval processes
0:11:49 – Success story of a company implementing Entitle IO
0:12:45 – Rapid deployment of Entitle IO
0:13:12 – Importance of cloud native approach and reducing administrative privileges
0:14:59 – Difficulty of calculating ROI in security
0:16:14 – Overcoming resistance to change in organizations
0:19:07 – Strategies for organizations hesitant to transition to new methodologies
0:22:19 – Features and differentiators of Entitle IO as an innovative solution
0:26:17 – Change management policy and attribute-based model for access provisioning
0:27:20 – Automated governance and visibility into access and permissions
0:28:15 – Future of privileged access management (PAM) for cloud resources
0:29:03 – Evolving aspects of PAM: connectivity, authentication, authorization, and session recording
0:31:43 – Entitle IO’s upcoming open source project for connectivity and authentication
0:33:12 – Importance of collaboration and feedback from industry professionals
0:33:54 – Contact information for Ron Nissim and Entitle IO

SYMLINKS
Ron Nissim – LinkedIn
Entitle.io – LinkedIn
Entitle.io

EPISODE SPONSOR
Entitle.io


This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: Ron Nissim is co-founder and CEO of Entitle IO, a cloud permission management platform that automates how access is requested, granted, and audited.

Chris: Ron, thanks for joining me, man. So let’s talk about identity and access management in the cloud, if you don’t mind. Let’s start with just understanding how it’s fundamentally different from what we are used to thinking with traditional IAM.

Ron: Tough question to answer. I think that the fundamentals have remained, right? Like if we go back to first principles, to basics, like what is identity access management? It’s controlling who has access to what in the environment. Now, that’s really no different in the cloud than it is to on prem systems. I think a few things have changed. First of all, the ownership of the policy engine and the ownership of what is going on inside the apps has shifted, right? If I’m using third party applications, the ability to control who has access to what inside that application, even things as simple as Dropbox, you have to adapt yourself to whatever that ACL access control model is inside that core application.

Ron: And different applications have different approaches to it. I think kind of in the on prem world, honestly, like in a lot of places, you didn’t even have that granularity, right? A lot of systems had a username password. That’s kind of where PAMs kicked in, but it’s just username password and you go in and then there are not even any roles, or maybe there’s one or two roles and what you can do inside the app. And as the companies, the products matured, they enabled more granular permission models inside the app. So I’d say a few things to recap, a few things that have changed. A) The applications themselves have enabled a more granular model.

Ron: B) You no longer necessarily own or have created that permission model. That model is created by a third party SaaS vendor. And C) You don’t own the perimeter. If I am connecting to a SaaS application, that’s not going through me. And so a lot of the ways that it used to be that you would manage identity access management was just simply like closing the way that you could exit into this environment, like a database, right? You’d segment it off in a different VPC or a different LAN. You couldn’t access that.

Ron: You do identity access management based off of LANs, and those things are just not possible anymore. And so there are other tools out there, right? You have like, zero trust network access tools, and you have different cloud providers have their own internal system. So it’s not that there isn’t a solution. It’s just that the way that they’re solved is very different. Another thing I’d say now that I’m thinking about, another thing that I think is different, is it’s easier to compare notes, right?

Ron: Permission management is very business specific. It’s hard to look at your peers. I think a lot of things in security, it’s the reason we love trade shows, right, is we get to meet our peers and we get to ask them, so how have you tackled this problem? What have you seen? And it used to be that identity access management was one of those things that was kind of harder to compare notes on because the way that Bank of America manages permissions and Citibank manages permissions just so different. The applications are system, they’re different, the business is different.

Ron: And I think that in cloud adoption, I mean, this is kind of just the proliferation of SaaS, is that the problems are more widespread and they’re shared by a wider audience. And so if I go to my peer and say, hello, how do you manage access to AWS? It’s safe to assume that the problems that they’re facing are similar to the problems I’m facing, which is not necessarily true, again in an on prem environment.

Chris: Yeah, great point. I do want to talk about the problem that sparked the idea. Can you share a specific experience or specific incident that made you realize the need for cloud IAM?

Ron: I think when Navi and I started our journey, we realized that we really wanted to focus on something that was really the core of the problem, right? Not a fear, uncertainty, and doubt type sale, but right, something that actually solved the problem. And I think we were kind of disgruntled when we looked at left and right and we saw what companies startups were focusing on, and we saw this next gen, super cool, zero day preventing tools.

Ron: And when we looked at where the risk was and what companies were getting compromised for, it was still boring old stuff. It was some IT girl that still had access to domain admin and was compromised. Or some customer success dude that had access to everyone’s environment that was compromised, right? Like customer success guy had access to almost all the customers. Boom. All it took was one person to get compromised and they were popped in. And it’s that same story. It’s that same story of, like, boring old stuff. It’s 2023, and that still remains the biggest risk. The issue was it’s just not sexy, right?

Ron: As an IT leader or a security leader, and you want to undertake now revamp your security processes. I’ve yet to hear of the CISO that was excited to take on IAM. It’s like, yeah, this is what I want to do, right? 2023. These are my goals. This is how I want to finish the year. This is what I want my and especially, by the way, I’m going to shoot myself in the foot here for a second. But especially since everyone was so used to IAM projects never succeeding, they would take a ton of budget, they would drag on for years.

Ron: There would never be like a defined success. And that’s kind of what companies were used to. So I think it was a combination of A and realizing that the biggest risk was still there. And so it didn’t matter how much VCs told us, oh, this is a solved issue. We don’t believe you. We see what companies are getting compromised for. It’s not a solved issue. So that was kind of the inherent understanding, but then in speaking to customers, realized that there was a huge issue in the IAM space and that no one was really happy with the tools that are in place and the time to value and how much time it takes to succeed in these projects. And honestly, that might have worked a decade ago, these multimillion dollar projects where you bring in Deloitte and it takes three years to see success.

Ron: But that’s not how cloud companies work, right? That’s not how Amazon made their billions, and that’s not how all these other cloud companies which have been super agile and have been very successful, they didn’t do that by using these old norms of operation. And so basically, we realized that we had an inherent understanding that there had to be something done in permission management in that IAM was still unsolved. And I think the open question was what was still to be done?

Ron: And that’s kind of where by focusing on cloud resources, we realized that what I mentioned earlier, just the breadth of issues. If we really focus on AWS and databases and SaaS applications, these are a core set of issues that are shared by a wide audience, and so we can provide out of the box value very quickly where in the past that wasn’t possible. Yeah.

Chris: Okay, so throughout your journey, what were some of the pain points that you’ve seen that organizations are commonly faced with in terms of traditional access requests and approval processes?

Ron: That’s a really good question, and honestly, one that we’re constantly researching and trying to understand, because someone once told me, access management is not a subset of security. It’s like its own beast. And there’s a good reason for that, because just in those three examples, the rest of the conversation, we could sit and name examples of IAM issues. It’s contractors, it’s lifecycle management, it’s onboarding, it’s offboarding, it’s change management, it’s requests, it’s PAM, it’s just in time.

Ron: There’s so many use cases, it’s governance, it’s compliance, it’s incident response. There’s so many aspects that touch into access management. And so I feel like the cop out answer is saying, oh, it’s all an issue, everything is a problem. But I will say that I think that we’ve identified a core set of issues that can be resolved quickly. I was talking actually about this yesterday with a friend that in life you kind of want to be very efficient with your time. Right? And so what I was saying that in reference to yesterday just sauna conversation was you want to do things that are minimal effort, maximum return.

Ron: And there are things that are high effort, high return, that’s like medium efficiency, that’s good. There are things that are high effort, low return, that’s bad. You don’t want to do those types of things. And there’s things that are low effort, high return, those are good. Those are the first things you want to start off with. And as a CISO, there’s just so many things that you want to tackle and so many problems to be done. And budget is always, never enough for what you need.

Ron: And so basically when looking at permission management, naturally you want to focus on your more sensitive resources, right? That’s where you really care about permissions at their core. And then there’s kind of a long tail, right? There are a core set of apps that are super sensitive. That’s the core of the business. These are things that if they get compromised, the company’s done for. But then there’s kind of a long tail of do you really care who has access to zoom?

Ron: Maybe the CFO does, but also, do they really? And so basically realized that when you look at what companies are trying to tackle from an IAM perspective, privileged access is a very good place to start. It’s a place where you can see a lot of value very quickly by reducing the amount of administrators. And so that’s kind of a core use case that I think companies have found success in being able to show progress very quickly and then capitalize on that progress to continue in their IAM program to tackle the other things that we were talking about contractor access, onboarding, offboarding, just general change management, lifecycle. These are all things that are important. I’m not trying to take away from the importance, but you want to see success along the journey.

Chris: Yeah, absolutely. So that is a great segue into this next question in terms of looking at the real world impact that you provide. So can you share an example of an organization? You don’t need to name them specifically, but an organization that faced significant improvements after implementing Entitle IO?

Ron: Totally. Yeah. So we recently onboarded a company that’s a few thousand employees and they were, like, our favorite example. They were fairly recent, as you might imagine. The newer the companies are, the customers that join us, the better the experience they get, right? Because the company gets better, the product gets better. And so this was like a really cool milestone in the progress of the company because they had fully rolled out Entitle to their whole within a week and a half.

Ron: I say a week and a half. I usually say a week. I’ll say a week and a half, just to be on the safe side. Fully rolled out. I think that is unheard of when it comes to access management tools, to have a tool deployed within a week and a half. And this was like, we’d already integrated a lot of their tools, and their whole was already used to using it. We were so proud of that. When they had used that.

Ron: That was what we judged internally, is, like, how quickly did the company see value? Because that’s really where a cloud native approach provides value to the customer, right? Because technically, they can sit and integrate and do all this hard work with even spreadsheets, but just the time saver of a cloud native tool. So that was internally what the company was looking at, the customer CISO’s perspective. What they were most proud of is they had removed 95, 96% of standing administrative privileges, access to customer environments, access to administrative roles, again, also within that week, and app unprecedented. Like, all this risk on who had access to the core of the system, the customer environments. The most sensitive things of the company no longer had that access.

Ron: You saw the adoption of that by the just in time model they had really committed to, and just saw the sheer amount of change of permissions escalating and elevating and deescalating. So that was kind of the big part of there. One is the time to value where you rolled out the tool really quickly. And two was reducing the amount of administrative privileges drastically and very quickly.

Chris: And that’s immediate ROI.

Ron: Totally. I mean, there’s always a question of, like, how do you calculate ROI in security? By the way, if someone listening to this podcast has pointers and ideas on how to do that, because that’s always what’s important as a CISO to show to the board, right? Someone I met I met a CISO yesterday, a really cool guy, like ex-military. He said, you grew up doing incident response. Today I’m a politician. I didn’t think growing up, I want to be a politician. He’s a CISO. He calls himself a politician because it’s ableling with the board and presenting risk and how do you show where the risk is? It’s a hard job.

Ron: And so being able to articulate what the ROI is of reduced risk, I think, is a question that we all struggle with and everyone’s looking to show their boards. I think that the easier part of access management is that it’s one of those things that’s easier to explain why people not having access to a sensitive system reduces risk, which has a direct impact on the business. We had a company come to us inbound because they were an insurance company, and it wasn’t a breach. It was a developer engineer that had access to systems that had nothing to do with him.

Ron: He made a mistake, and they sent out $10 million of checks automatically in the mail. It kicked off a process that just sent $10 million of return checks to reimbursement checks in the mail. And it wasn’t a breach. It was just like misconfigured permissions that led to a mistake that led to real business impact. And so I guess in that case, it was much easier to articulate the ROI because there were checks that went out. But I don’t think most businesses have something an example like that.

Chris: It’s a great example that puts it in perspective.

Ron: Totally.

Chris: So a challenge that I see and you’ll need to validate this, is overcoming resistance to change. And that’s an organization just transitioning from their automated processes and implementing something new. And it’s often met with resistance. So how have you seen companies adapt to this shift?

Ron: Yeah, I think that question can be divided into two or maybe even three. One is, how do you transition from a somewhat manual process to an automated process? B is once you’ve committed yourself to an automated process, how do you make it as seamless as possible to the end user? Right. Because you don’t want to interrupt business flows. And frankly, I’ll give a very naive example. You know how when you call United and they ask you, like, ten there’s, like, a voice machine that asks you, like, ten questions do you have this? Do you have that? Do you have this? Do you have that? And you’re like, Damn it, just let me talk to a human being.

Ron: And so the same could be said about any automation that’s done in IT and DevOps. Right. I don’t want to be talking to a machine. I want a human to take care of it. I think to address that note, I think that we found that companies and the customer inside the company, the developer, the engineer, the average employee, the lawyer, whatever, they’re actually really thirsty for automation. And the reason is because not to IT, not because of anything wrong that IT is doing. But SLAs are really slow.

Ron: IT has a lot of work. It’s really hard to get access to your need. We’ve all been in that situation. We join a company, it takes us two months to become efficient and effective because we just don’t have access to systems that we need or product. Person needs access to something in engineering. Boom. Now he gets stuck for a full day, can’t work. And so we’ve all heard of these things. They’ve just become like a natural part of life. And so I think that if anything, the consumer inside the company is thirsty for that automation because they get a much better experience.

Ron: Now, the other side of that is you have to meet them where they’re at. You can’t force them into a new process. If they’re used to opening Slack and chatting up Chad from DevOps they have to keep opening Slack and chatting up. In this case, Entitle. Right. So that’s kind of one of the things that we did. We called it front end agnostic meaning we integrate into wherever the flows are. If it’s a ticketing system, put in a request in Jira.

Ron: If it’s Teams, put in a request in Teams. So meeting that end employee where they’re at. And that’s kind of the other part is making sure that we’re making it really easy on the employee, not adding burden.

Chris: Yeah. That leads me to ask then what specific strategies would you recommend to organizations that are hesitant to let go of that traditional methodology? Talk to me about the migration process and what that would entail for an organization that does decide to make that transition.

Ron: Totally. I would say this I’ll divide my answer into two types of organizations that I think should be looking at this or experiencing the challenge very differently. You have kind of those tech forward companies, right? Companies that are few thousand employees have a cloud native stack for them, it’s often replacing the status quo. There is some sort of process in place, a Jira ticket, a whatever as we mentioned already.

Ron: And the idea is how do you automate that process and that’s an easier sale internally because you don’t have any real or maybe it’s like internal development that’s already done. And so you just want to make it as seamless as possible for the end user. You want to make it where they don’t even feel like if you’re requesting access, you don’t care again if it’s Chad from IT that’s fulfilling the request or if it’s Entitle, it’s not your problem and it shouldn’t feel like your problem.

Ron: It should be totally seamless. So that’s one part of the adoption is how do you roll this out in a way that doesn’t hurt the end user experience. And there are ways to mitigate that. There are policies that you can configure that make it easier to get that access and things like that. The other aspect, I would say for the larger companies, I’ve noticed that you have parts of the business that are underserved by the current automation processes. The current automation processes were focused on corporate IT, on Salesforce, on NetSuite, on all these the systems that have been around for 30 years.

Ron: Which makes sense because you just had a longer time to address those issues. But when it comes to the infrastructure of these larger companies, often there’s ironically less automation in place. It’s newer technology, there’s more room to automate those processes, but they’re just newer to the company, company that’s been using AWS for five years or even ten years. Frankly, that takes time to fully roll that out and get that automation in place. And so I think a lot of companies, the way to tackle this in the cloud world is just focus on the lowest hanging fruit. You want to focus on, again, places where our lowest effort, highest return, and where you see that is often in the dev world where there’s a lot of entropy, there’s a lot of change, there’s a lot of onboarding offboarding, there’s a lot of new systems being spun up, new servers, new databases.

Ron: And so creating automation around that is a very good trampoline to then expanding to other business processes.

Chris: In your own words, would you mind just discussing the specific features and differentiators that make Entitle IO that innovative solution?

Ron: Totally. And I’ll start with kind of the abstract and then we can get into the actual product details a bit more. But I’d say that permission management has two sides to it has governance, as we mentioned, we’ll simplify for the sakes of the conversation, we have governance, which is the more visibility, insights, compliance, user access reviews, I put all those in the same bucket. Then you have provisioning. Provisioning is the operational day to day of onboarding offboarding, as we’ve already mentioned.

Ron: And I think that a lot of IAM projects have focused on compliance. So you start with wanting to be SOX compliant, that’s your most pressing need. And then you kind of segue into actually automating the processes. And I think that what we’ve found a lot of success in is, again, we really want to improve the business. And permission management is not only a security problem, but also not a compliance problem, it’s a business problem.

Ron: And so being able to create a process, a policy that the organization embraces, the business will be better. Like as CISOs security leaders, we’re so used to introducing products that are a burden on the business, it feels like being the bad cop, right? No one likes the court martial that’s walking around on base all day. To finally see a place where you can improve the business through a tool that you’re implementing, I think that’s very powerful. And that’s why I think that one of those first steps is focusing on provisioning as the backbone of your IAM project and then expanding that into governance, compliance, visibility, all these other insights that you want on top of that core aspect. But you’ve got to get this first part, this automation part, right to begin with and then you expand from there. So that was one core part of how we focused on this. The other is, as I mentioned, just the breadth of research that we’ve done into in depth, frankly, into how permission management should be done. And we just have a lot of experience working with plenty of other cloud companies. And so even if it’s a more conservative old school company that has a cloud side of the that’s a business unit that you want that business unit to work and function like a cloud forward organization. And so making sure that you’re adopting tools that are a fit for the future of what would access cloud access management look like in ten years and not adopting those same old tools that you’ve been using.

Ron: So just to reiterate, one is focusing automation, the other is understanding what cloud permission models should look like. And that’s research that we’ve already done into these models, what does that actually mean de facto? What does the product look like? I divide it into kind of four or five core aspects. First is the self-service aspect. This is how employees request access. And this is what I mentioned earlier. Being front end agnostic, right, doesn’t matter if it’s Slack, Teams, ServiceNow, you put in that request and it’s processed by the second part, which is the policy engine. And policy engine is a very, very flexible tool that enables organizations to define how their business processes work.

Ron: And what we’ve seen is we’re starting to see these use cases that companies plug in. And I can give concrete examples. I could say, you could create a policy that says if you are on call in PagerDuty, you’re allowed to get access to the production, but if you’re no longer on call, that access gets removed. Or if you are a customer success rep and you want access to a customer’s environment, you have to have a ticket assigned to you. And when that ticket is resolved, your access expires as well.

Ron: Making access to PII information contingent on PII training. If that training expires, you no longer have that access. That’s an example, by the way, of compliance being a byproduct of an automated policy. Instead of going and creating spreadsheets and saying like, who are the people that have PII access but haven’t gone through training? Creating that in the day to day so that when it comes audit season, you don’t have to do any cleanup.

Ron: It’s in the code. So that’s the change management policy. The second part of the policy is an attribute based model, right? It’s automatically provisioning. Sometimes you don’t want people to put in a request, you want to just automatically provision that access. And creating a very flexible tool that enables the granular permission policies. Assigning access to a Snowflake table, AWS policy, and a NetSuite role all at the same time is something that’s fairly hard to define in a central tool. And that’s what we’ve got you covered. You’ll notice, by the way, that through these policies you can define what we call the just in time ephemeral approach, where people only get access to the sensitive resources when they need them, which is a use case often attributed to PAM, privileged access management. So those are the two policy engines. I’d say once you have all that automated natural byproduct is governance, right, you now get the ability to see exactly who got how they got, when they got all this information. That’s often very hard to categorize. You don’t really know who got how they got because these are ServiceNow tickets that are free text messages.

Ron: You don’t get those insights. And so being able to create a stream that you can put into your SIEM and now overlay that with many other security events, someone got an admin role in Okta, but also got these other permissions and these other things happened inside a tool that’s a very powerful information to overlay again, whether it’s incident response or just threat detection. And then that was the fourth last part.

Ron: That was the fourth part. So I get to reiterate the front end for the request change management, policy, attribute based model and governance as the last part.

Chris: So you spoke on the topic of future proofing IAM efforts today to prepare for the future. You mentioned that several times. So in regards to the future, can you speak to what’s on the horizon for Entitle IO? Are there any upcoming features or developments that you’re particularly excited about?

Ron: Totally. Like a good politician, I’ll say the real question that you’re looking to ask is I’ll start with because we’re focusing the development at Entitle around how we think the industry is evolving. And I think one of the really interesting things that are happening is that PAM for cloud resources looks very different than it did for on prem. And the future of PAM, I think is very interesting in that the reality is there’s no real difference between granular access management for boring stuff like Zoom, no offense, Zoom, but you get the idea and super privileged stuff like databases in MongoDB. The reality is it’s the same question. It’s who can access what inside the environment.

Ron: And PAM itself included a few other core aspects that are kind of getting eroded away when it comes to cloud resources. The first is the connectivity is how do you actually connect to the end system? I have a database that’s sitting behind some private VPC. How do I access that system? That’s the actual connectivity. The second part is the authentication, right? I want to connect to a database. That database only accepts a username password connection string.

Ron: That’s not good, right? That’s not how the industry is evolving. Rather you want everything to be SSO based and you want people to authenticate using your Okta, your Azure AD, it doesn’t matter. So that’s that second part is the authentication aspect. The third part is authorization. So this is the granular control of who has access to what. And this is where I mentioned, is no different than just IGA authorization.

Ron: And the last part is session recording or auditability as to what happened inside the applications. And that used to be a problem for two reasons. One is you would have shared secrets. And so the audit log, if I were to know if Chris, you and I were both connecting through CyberArk to some database, that database can’t differentiate between your connection and my connection because we’re both going through CyberArk as a middleman and CyberArk is the one that’s managing that connection.

Ron: And so once you’ve solved the authentication part where everyone’s using their own user, if you look at the audit log of the end database, that database can tell you exactly what I did. So basically all to say that authentication is getting solved by the cloud providers, by the databases themselves, are starting to enable authentication via the SSO. And you have other startups doing that. Teleport is wrapping authentication methods and you have other innovative products in space.

Ron: The authorization is the same. Authorization audit logs is no longer in a new session recording because you can just pull that from the end system. And so one of the main parts that’s still left is the whole connectivity. And again, that’s also getting solved by a combination of what the cloud providers already have. GCP, Azure, AWS already have done a lot of this work, just not very accessible. And so what we’ve done is we’re soon to release an open source project that enables solving that whole aspect of connectivity and authentication just using the current tools that are in play that are not very user friendly. So we’ve kind of wrapped that in a user friendly mode that enables any developer to access behind the scenes custom environments through just whatever the cloud providers offer.

Ron: And that’ll be super powerful because that solves a lot of the PAM issues that companies are facing in their cloud environments, basically just for free, right? And then the part that’s still left is the authorization aspect, which we’ve touched on plenty.

Chris: Exciting times, man, I really love the passion and I appreciate the forward thinking mindset that you have and the innovative drive.

Ron: I’ll say that I have to say we would never have gotten here, and this might sound cheesy, but I believe it wholeheartedly. When we started our journey, we reached out to a ton of heads of IT, heads of security, security professionals on LinkedIn, and just said, hey, we’re two young guys. Can you share your thoughts with us? What are you thinking? And we met plenty of boring people, but we met a ton of very passionate people that were so focused on what could be done and what does the future hold, and really wanted to see the industry progress. And we would never have gotten here without people like that. That really gave us that drive early on, showed us that there was still a lot to be done. And we’re passionate about what the future holds for access management, which again, I think was kind of not very spoken about. I guess today it’s getting a lot more attention, but a few years back, it kind of wasn’t very spoken about. One of the first people we spoke with, and maybe I’ll even name drop him, his name Manuel. He was the head of IT.

Ron: One of the smartest booking.com, one of the smartest IAM guys we’ve gotten to know. This guy pro bono met with us tens of times to talk through ideas and what he was doing at booking and what the issues were and what the challenges were. And it’s through people like that that we were able to really enable. And by the way, I’ll hold this out and saying anyone that’s willing to share their thoughts with me on what they think should be done and where they’re seeing their challenges, I’m always super excited to hold those conversations still today.

Chris: So you mentioned LinkedIn. So where can folks find you and connect with you, as well as Entitle IO on LinkedIn or other social media accounts?

Ron: Totally. Well, I’m Ron Nissim. Feel free to drop me a message on LinkedIn. Website is Entitle IO. Fairly straightforward, and feel free to drop a note there. Someone from our team will reach out, make sure that we schedule conversation. But also we’ve been pretty active in releasing some content around how we think the industry is evolving and the different things that we’re doing. The Open Source is releasing now, and feel free to check that out and looking forward to hearing your feedback on where do you think this helps you? This doesn’t help you excited. Honestly, even negative feedback is probably even better, helps us improve. And it’s open source. You can contribute yourself on Git as well.

Chris: Awesome. So, Ron, I’m on your LinkedIn now, and it says that you are based in New York. Is that correct?

Ron: I moved to New York a month ago. Exactly. It’s September 1. I moved August 1 to New York? Yes. From Tel Aviv.

Chris: So you’ve only been there a month, but for the nights that you aren’t focusing on Entitle or you’re not focusing on cloud IAM, or even maybe the nights that you are focusing on cloud IAM, give me a good bar there that you like to go.

Ron: Chris, I actually have been making a point. I still have the New York FOMO. Right? I’ve been every day I’ve been trying to go to a new spot. New spot. New spot. Got to say, yesterday I took the team out. There’s an Israeli restaurant called Port Saeed. It was one of my favorite restaurants in Tel Aviv. It was pretty close to my apartment, and I’d go there with friends, and there’s a Port Saeed that opened in New York about a month ago, and I was super excited for that. It was an amazing experience.

Ron: We took the team out. First of all, Israelis, they’re always fun people. And it was just such a good vibe, such amazing food. Kind of reminded me of Mediterranean styles, really good food. But I also I gotta say, Chris, I’m a fan of the low key Lower East Side hole in the wall bars. You meet the most fun people and New York is such an open city. Everyone’s just so communicative and it’s really easy to make new friends, and I think it’s one of the benefits or the powers of being an immigrant city. I think it’s like someone told me, like, 60 or 70% of people that live in New York weren’t born in New York, and that can’t be said for a lot of places. And it just makes people very open and accepting and really a no judgment zone, which is just you see people of all walks of life and things that you just don’t see anywhere else. And I think that’s just been an amazing experience.

Chris: All right, so I just heard last call here. Do you have time for one more?

Ron: Yeah, go ahead.

Chris: All right, if you opened a cybersecurity themed bar, what would the name be and what would your signature drink be called?

Ron: Wow, that is a tough question. If I were to open a cybersecurity bar, maybe I’d call it I do some sort of play on words around port and the whole Ethernet ports and ports in the wall and maybe serving port like the fortified wine. I think you can do like a whole scene around that.

Chris: You definitely can. Oh, man. All right, well, great, man. Well, listen, Ron, thanks so much for stopping by. I’ll get the show notes up with the links to your page. Yeah, appreciate you stopping by, man. This has been great.

Ron: Yeah, Chris, I had a blast, and as I mentioned, happy to continue the conversation with all security professionals on why they think if you want to call BS on something that I said, I’m really looking forward to hearing it. That’s the best types of conversations and so, yeah, Chris, thanks for the opportunity to talk here and looking forward to our next meeting.

Chris: Thanks, man. Take care.