In this episode of Threat Vector, host David Moulton speaks with Sam Ainscow, Group Chief Security Officer at Hill & Smith PLC. With over 20 years in cybersecurity, Sam shares his deep insights into cyber resilience, risk assessment, and incident response. He explains why a business must prepare through practical training, testing, and honest post-incident reviews. From tailored security awareness programs to the overlooked risks in open source software, this conversation helps security leaders understand how to build stronger, smarter defenses. Learn how to shift from reactive to proactive strategies that drive long-term resilience.
Transcript
[ Music ]
Sam Ainscow: If you understand your people, your assets, your data, your business process, or threats, you know, what vulnerabilities, you know, is that going to lead to; and are you mitigating them, do you have a process in place to deal with them? And then the key one for -- the real key one for me is the lessons learned, is that every single incident, every single test, every single exercise should be followed by a lessons learned where people are open, and honest, and truthful. And you know, there's no -- you know, there's no blame. It's all about making us all stronger and making us all better. [ Music ]
David Moulton: Welcome to "Threat Vector", the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. Today I'm speaking with Sam Ainscow, Group Chief Security Officer at Hill & Smith PLC, and a member of the CISO Advisory Board at Dune Security. Sam is a passionate information security advocate, with over two decades of experience in the industry. His career spans various leadership roles, from Head of IT Operations and CISO at Barrett Steel Limited, to his current role at Hill & Smith PLC. He is known for bridging the gap between senior management and technical teams, helping organizations build robust cybersecurity strategies that align with business goals. Today we're going to talk about cyber resilience and cyber risk, a topic that has never been more critical. With organizations facing an ever-growing number of cyber threats, the ability to anticipate, withstand, and recover from incidents has become essential. [ Music ] Sam, welcome to "Threat Vector". Really excited to have you here today.
Sam Ainscow: Thank you for having me.
David Moulton: Talk to me a little bit about your LinkedIn profile photo, the one that says, "Be brave enough to suck at something new." When I saw that when I looked at your LinkedIn profile, that really stood out, and I'm curious, what's the story behind that, and has that influenced your journey in cybersecurity?
Sam Ainscow: So I started off in cyber well before the word "cyber" came along. So I've been doing this for many, many, many years now. And I guess it's that -- you know, it's that age-old chart of, you know, as you get more skilled, you know how well your confidence is, you know? And I got to a point where I really thought I was quite a good cyber guy. And then I kind of -- and I've been and done a couple of bits of training and stuff like that, and I had worked with some really quite -- you know, quite credentialed individuals. And I will say, I was starting to think, "You know, well I'm -- yes, I'm pretty good at this." And then I went on a training class and realized that I absolutely sucked. And I was really, really terrible. It was that realization in the first morning of the training I just realized what the world was out there that I just didn't know anything about. And that's kind of where it came from, really, was dropping yourself into an area where you realize that you're not very good at this, but you're going to work really hard to get better. And that's really where it came from was that, you know, don't be afraid to drop yourself into a technical area, a management area, wherever it is, you know, be it speaking onstage, whatever it is, just go and do it. Don't expect that they're going to be great to start with, just go and do it. And you know, very few people are good right at the start of these things. You know, you need to hone your craft. You know, you need to, you know, gain your skills during that process. You know, and that's where it did -- that's where it came from.
David Moulton: I find that sometimes once I know how to do something really well, I get bored of it and want to seek out the thing that's next, seek out something new and novel. But when you make that commitment, there's this anxiety, there's this moment of doubt, and to be able to redirect that energy from fear and something that stops you to something that motivates you and gets you going. Have you found a technique that allows you to pull that off?
Sam Ainscow: I basically almost give myself a yes day, really, when those things come along; because I used to give -- it was -- I will just say it very much used to be a no from me that when something came on that frightened me, I would go, "Oh, no, no., I'll -- " you know, "I'll stay away from whatever it is. But now I deliberately challenge myself and just say yes; because at the end of the day, you know, everybody -- you have to remember that everybody started somewhere. And yes fair enough you may be a leader in whatever it is, you know, within your company, within whatever technical field it is, whatever it -- you know, you may be a leader in those, but you don't know -- nobody knows everything. And there is nothing wrong with pushing yourself and wanting to broaden, you know, your horizons and broaden your skill set. You know, there's nothing wrong with that. So once you embrace the fact that you may fail, but that's okay, that kind of frees you up to really go for it.
David Moulton: Years ago I gave myself a challenge of year of yes. I said yes to every challenge, every opportunity, everything. It was unbelievably exhausting, but it was a pinnacle year in my career where I took off, because all the failures didn't matter so much.
Sam Ainscow: Mm-hmm.
David Moulton: I worked through them. And the wins that came out of saying yes to all those opportunities was unlike anything I had ever done before. So I can really appreciate it. I think that's what got my attention when I read that picture, you know, as profile on your LinkedIn and I felt like we were kindred spirits there. So today we're going to talk about cyber resilience and cyber risk and what they really mean. Let's just start with how do you define "cyber resilience", and why do you think it's critical for businesses today?
Sam Ainscow: We invest very, very heavily in tooling, in people, in processes to try and prevent as many incidents as possible. But they will happen. And the business needs to be -- needs to be, you know, cognizant to the fact that they're going to have to deal with these periodically. And just like anything in life, you are only prepared for it if you've practiced it. You know, no one picks up a violin and plays a violin. You know, no one steps on a tennis court and beats Roger Federer. You know, there is an awful lot of practice that goes into being good at these things. And cyber resilience is the same, you know, we need to prepare appropriately. So for me it's a case of, you know, making sure that we are preventing as many attacks as we can. Well, then, you know, the ones that do get through our defenses, detecting them as quickly as possible, responding to them not just technically but also from a business perspective to make sure that we are responding, you know, containing and eradicating that -- you know, that incident as quickly as possible, and then helping the business to recover with the least impact, you know, suffered. And then probably most importantly to answer this is then having a feedback loop at the end. That's where we take that incident and we use it as a learning opportunity to inform how we're going to respond to the next one when it comes along, and making sure that we're not going to get bitten by any of the things that we did the first time around; you know, that we've ironed out any bumps that we've seen in the process and that we've closed any vulnerabilities gaps and mitigated everything that we can. We've learned everything we can from the incident and then we apply it going forward.
David Moulton: So let's shift gears a little bit and talk about assessing cyber risk. What, in your opinion, are the key components of a really comprehensive cyber risk assessment?
Sam Ainscow: Everything we do boils down to risk. You know, every single control that we put in place should be because of an identified risk. We should be trying to mitigate that risk in the -- you know, in the best way, the most effective way, while bringing the least amount of friction to the business. And that really should be what guides everything that we do. So when it comes to things like a cyber risk assessment, you know, I'm looking for things like, say, "I want to understand the threats," because the threat for a financial services business is very different to the threat for us. You know, a threat for a defense contractor is very, very different to the threat for a manufacturing business, you know, and so really understanding that threat model. And do you understand your threat landscape? You know, do you -- you know, do you understand, you know, the business processes, the -- you know, the processes that support your business? Understanding your people is another key factor for me. You know, do you have, say, highly-skilled users? You know, we've -- you've probably heard the stories of, you know, highly-skilled security people working in high-security environments that are, you know, tunneling music streaming services through into the SOC so they can listen to it on the night shift; you know, those sorts of things. If you are contending with those kinds of people, you know, with that kind of level of skill, your threat profile is very different. Do you have a lot of shadow IT out there? Do you have people use -- consume a lot of different SaaS applications? Do you have a -- you know, a well-curated set of applications that you run, or is it basically a free-for-all where everyone can just sign up for anything? You know, where are your assets? You know, do you have an asset inventory? Because if you don't know what you've got, you probably aren't securing it. You know, so --
David Moulton: Being -- yes, yes.
Sam Ainscow: -- what assets have you got? Where are they? What state are they in; you know, are they patched, are they up-to-date, are they -- you know, are they riddled with ransomware? You know, you don't know. You know, what is the risk? You know, can you quantify the risk of that device, you know, of that person, of them operating a particular time of day doing a particular thing? You know, can you build a picture of risk for somebody? You know, where is your data? And not just where is it, but do you have any understanding of the differentiation in sensitivity of data that you hold? You know, do you have personnel data that's protected in a particular way, or is there just a general pool of data that everybody has access to, and those sorts of things. You know, what vulnerabilities do you have? So you know, if you understand your people, your assets, your data, your business process, what threats, you know, what vulnerabilities, you know, is that going to lead to? And are you mitigating them? Do you have a process in place to deal with them? And are you closing them out in a -- you know, in an effective way? And then are your controls effective? So you've got all of the risks and threats there. Are your controls effective for mitigating all the things that we have just talked about? You know, and are you doing it in an effective way? Like I said earlier on, you know, are you introducing the least amount of friction possible to the business to achieve the goal?
David Moulton: Can you walk us through some of the key steps for an effective incident response and recovery?
Sam Ainscow: During the incident, you then move into identification, so making sure that you can -- you know, that you can quickly identify an incident, and that you can communicate it appropriately; because if someone spots it and then doesn't tell anybody, then that's not really helping you, and if someone spots it and then runs around ringing alarm bells but not following the actual correct procedure for escalation, again, that's not really helping anyone. So making sure that people are trained appropriately. If they identify it, you know, do they know the process to follow, do they know the people to talk to, and do you have resilience in that process? So if someone's on holiday, if someone's in meetings, whatever it is, then, you know, do you have a process you can follow; is this resilient? Then you move into containment. So can we -- you know, can we contain the incident? Can we stop it from getting any worse? And do we understand exactly what's happened? You know, have we got the full scope of what's happened during this incident? And you know, we want to make sure that during this process that we're not going to end up cleaning up part of the environment but then leaving the attacker in an entirely different piece of the environment because we didn't have a full view of what happened. Then you move into eradication. So how do we -- you know, how do we eliminate the attacker from the environment cleanly and make sure that we're not going to restore -- you know, arbitrarily restore a backup from two days ago while the attacker was actually still dwelling in the environment and just giving them the keys to the kingdom once again; you know, things like that. Then you move into the recovery phase, so making sure we've eradicated it from the environment, but now how do we get back to normal? How do we get away from that DR-as-a-service environment?
How do we get away from -- you know, from the workarounds of things that we've put in place during the incident and get the business back to normal with the least disruption possible? And then the key one for -- the real key one for me is the lessons learned, is that every single incident, every single test, every single exercise should be followed by a lessons learned where people are open, and honest, and truthful. And you know, there's no -- you know, there's no blame. It's all about making us all stronger and making us all better. And if anyone can identify anything during that process where we can -- you know, where we can save a bit of time here, we can save some disruption there, then we should absolutely be building that into the process going forward and potentially refining our process, refining our policies, you know, so that next time it happens that we've learned all those lessons and we make it as -- you know, as painless as possible for the business.
David Moulton: And it seemed to me that you were talking about how critical, clear, crisp intentional communication is; not saying something, that's a problem. Lighting up everybody in the organization without intention, also a problem. I've not heard anyone put it in such a clear manner, but it strikes me that either one of those, the mute or the, you know, running around making everyone active on it but not in the right way, both of those waste time, right?
Sam Ainscow: Mm-hmm.
David Moulton: Both of those put you at risk. Sam, one of the things that you talked about was the planning that needs to be done, the preparation that needs to be done ahead of time. And employee training and awareness I think falls into that category. How critical is it to have employee training to building a resilient organization?
Sam Ainscow: It is really important. You know, the way that I phrase it is I see this as no different to, you know, PPE, personal protective equipment, on a -- you know, in a manufacturing environment. You wouldn't dream of allowing an operative into a manufacturing environment without the, you know, safety shoes, hardhat, potentially face visor, goggles, whatever it is they need, you know, ear defenders. You wouldn't dream of allowing them to do that without them being appropriately trained on how to use the crane, and how to use the forklift, and having a forklift license, and all the other things that go with that. You know, cyber training should be the same. It should be viewed in the same way. It is just as critical. The problem is that training is fundamentally broken. So you know, unlike in the manufacturing context where someone walks through the door, and then you, you know, check their forklift license and you do these -- you know, that works well. But cyber training, unfortunately, is broken; because what we do with cyber training is we give the same training to everybody. Everything we do should be based on risk. And if that's the case, then we cannot train people the same way every time. You know, your chief exec is not -- you know, is not the same risk profile as a shop floor operative. An accounts payable clerk probably has a higher risk profile than the chief exec; because the accounts payable clerk is potentially keying things in and sending money to suppliers. And that's really what's not working, you know, with the solutions that are out there, unfortunately. You know, there's -- you know, and you don't have a proper feedback loop. So if you don't do very well on the training, you don't -- we don't then adjust our -- you know, our strategy as a result of that; we don't then do things in a different way for you. We don't think about your learning styles, and maybe giving you a video isn't really the thing that's going to click for you.
You know, we don't do any of those things. So really, what we should be doing is we should be taking in risk signals from across the business. And I'm thinking things like, say, your role. You know, we should factor your role in there. We should factor your tenure into there, you know, into the calculation. We should be looking at your location. We should be looking at your level of IT literacy; because a low level of IT literacy may present a higher risk, but also, a very high level of IT literacy may present a higher risk as well.
David Moulton: That whole total of things.
Sam Ainscow: You know, we should be looking at your -- at, you know, your behavioral characteristics; you know, how risk-averse are you, you know, are you someone who will quite happily click on things, or are you someone who takes a more, you know, measured approach to your work? You know, we should be looking at the training outcomes. So we should be looking at how are you doing your training and tailoring things going forward. We should be looking at phishing tests. Well, and I know there's a lot of discussion about the effectiveness of phishing tests, but we shouldn't be using them as a stick to hit somebody with, it should be something that flies under the radar in the background. So they don't know that they've failed something, they just -- it just gives a different screen or whatever. But there's no enforcement of, "Oh, well, you've done this badly." But we use that, again, as another risk signal that we factor into the mix; and the threat landscape as a whole. So if you're -- again, you know, I've used the example a few times, well, if you're in financial services, the defense sector, something like that, you know, we should be taking those signals and building that into the program as well. And then, overall, if that means that, you know, David Moulton is not a risk, why are we giving you training every month? Maybe we only give you training every three months. And maybe we just send something that's topical at the time. Maybe, you know, when ChatGPT and, you know, the AI chat apps come along, we maybe give you some spot training on that one. Maybe this one is for intel that comes through, that's because we know that you travel to China or somewhere. Maybe we're going to give you -- you know, some training because of that, you know, because you're a frequent traveler. You know, those are the things that should inform.
If that means that -- and then we give the right amount of training, at the right way, to the right people, and not just the sheep dip approach we do at the moment.
David Moulton: When I was a designer, we called Kairos, the god of opportunity, the name of good UI design, when we could put something together that nudged your behavior in the right direction at the right moment. And in London, there's a sign on the pavement that says, "Look right." It's useful as you're about to step out into traffic. It's not useful being told, "Look right," when you're planning your trip, it's not useful on the flight over, or at customs, it's useful for when you're about to step out. And I wonder if there is innovative software out there, innovative programs that are leaning into this idea of how to effectively deliver security training.
Sam Ainscow: So I think one company that is -- that's doing something very interesting in this space is Dune Security; so that's the D-U-N-E Security. They're doing some really interesting stuff in this space. And they're trying to do exactly what -- you know, what I've talked about and deliver the right training in the right way. You know, even if you've got two people doing the same role, maybe they don't need the same training, because maybe they are operating in a different way. So to be able to bring all those -- you know, those risk signals and then calculate that and ultimately give people a risk score that then determines the training that they -- you know, that they're going to receive. You know, those guys, they're -- you know, they're still relatively small developments. But I think if I was one of the established security awareness training vendors, I would be getting worried, because I think -- you know, that there is about to be a paradigm shift in this market, I think. [ Music ]
David Moulton: Sam, let's get into supply chain resilience. How can businesses build resilience into their supply chain to mitigate those cyber risks they face?
Sam Ainscow: This -- I think this is actually very, very difficult. You know, they're -- because of the number of -- well, the small number of hyperscalers out there, I think it is actually very, very difficult. You know, because you can take solutions from tech companies, but you never know where that tech company is hosting. You know, so and, you know, in Palo's world, most of your stuff is in GCP, you know, and you've got the likes of, say, Netflix are on AWS, you know, all the other God knows how many companies there are on AWS. You know, Azure obviously is a big platform as well. So I think it's very, very difficult to really quantify that. We don't try and, you know, build our own solutions. You know, we go and we take best of breed or we take, you know, a platform approach, however we're going to do it, and we put an awful lot of faith and trust in these organizations to deliver for us. And I wonder how many -- you know, how many organizations out there truly do the due diligence to understand where the dependencies are and how open some -- you know, of our tech providers are about the dependencies that they have. You know, yes, we -- you know, we can, you know, scrutinize data protection, you know, data processing statements and contracts and things like that and try and understand who their processors are. But even if it turns out, you know, if you were to look at your whole estate and if you were to say, "Most of them are using AWS," or, "Most of them are using GCP," or whatever it is, would that genuinely change your approach? You know, would you genuinely look to a different provider that was maybe hosted in AWS or hosted in its own data center, which is unlikely these days? You know, what do you do? I don't know. I really don't know how you would do that. I think making sure that you understand the risk is the important thing. I'm not entirely sure that you're going to be able to do a huge amount about it these days.
David Moulton: So you've mentioned some of the hyperscalers. I'm wondering are there other technologies that you see as often overlooked because of their vulnerabilities; and are those the ones that we should be focused on because we have more of a chance to mitigate those risks?
Sam Ainscow: Yes, I think open-source -- you know, open-source projects is probably one of those areas that whilst it's been discussed a lot in the information security community over the last few years, I don't really see a huge amount of progress in a lot of areas. I think, you know, if you were to go through a, you know, software bill of materials with all of the products, you know, even just all of the enterprise products in your portfolio, I think we would honestly be horrified to see how many of them are supported or are dependent on an open-source project that's maybe got three contributors and maybe one of them is looking to retire and really doesn't want to continue contributing to it anymore. You know, those sorts of things I think is -- that's probably the biggest issue I see that people aren't -- I think aren't talking loudly enough about. Yes, I think this is going to continue to be the thing that bites us in the ass. You know, there are so many -- you know, as we've seen the last couple of weeks, there's some more research done around, you know, the number of GitHub repos that are hosting things that, you know, may be rather undesirable. You know, and I think there needs to be some real effort to try and clean that up and for software developers to understand, you know, to genuinely think about where they are taking, you know, some of the code that they're then deploying in their -- you know, in their solutions, I don't think most companies have got a real good answer to this yet. You know, if we were very open about it and, you know, are there many businesses out there that are really -- have been very, very careful in vetting the open-source projects that their developers are allowed to use, I'm going to say probably not. So I can imagine this one is -- and I hope this one is going to start generating more and more noise as we go forth.
And hopefully, you know, collectively, we will come up with a solution to this where, you know, the really important projects are properly supported and not just by, you know, three people who have a full-time day job but then try and do the best they can on the weekend.
David Moulton: As you were talking, Sam, you reminded me of some -- this is a strange one, are you familiar with the COBOL Cowboys here in Texas?
Sam Ainscow: No.
David Moulton: All right. So end of life language --
Sam Ainscow: Oh, yes.
David Moulton: -- nobody's developing in this, right? During COVID, a bunch of unemployment needed to go out and systems with web frontends were getting just destroyed, a lot of unemployment requests. And nobody knew how to build or update the backends. It was just wild to me that so many states were reliant on a technology that they didn't have anyone, no one that could work on it, and were forced to bid against one another to get their systems. So New Jersey was trying to outbid Connecticut, which was trying to outbid Texas, which was trying to outbid -- just run it. I mean, the idea of bubblegum and duct tape putting our IT world together was introduced to me years ago. And when I see stuff like this and it's still going, there are moments where I'm like, "It's amazing it works as well as it does." But back to your whole risk thing, I don't even know how you assess and quantify how long will Bill -- God bless the guy, hope he hits -- sticks around for a long, long life, be able to do what he's doing if New Jersey is counting on getting unemployment checks out, you know, fortunately not during a global pandemic anymore. But it just -- it blew my mind that that was what was going on. And it carries, it comes across my desk and I went, "That's probably not good," so --
Sam Ainscow: Yes, I think this -- I mean, the other area that's heading that way has got to be the -- well what used to be AS/400, which is now iSeries. You know, that's that midrange platform from IBM. It's only a matter of time before -- you know, because, you know, businesses, you know, here in the UK are struggling to find developers who work on -- you know, on the -- with those languages. Because let's face it --
David Moulton: Mm-hmm.
Sam Ainscow: -- no -- you know, no computer science graduate comes out of university and thinks, "Woo-hoo, I know what I'm going to -- I'm going to let [inaudible 00:28:13]," you know? [Laughs]
David Moulton: And maybe that's the zig strategy, when everyone else zags, is you're going and looking at things that are end of life and dead because then you are the choice.
Sam Ainscow: Yes.
David Moulton: Are you the best, yes; are you the worst, probably. Doesn't matter, you're the choice. You're the answer to the problem today because you are the only one that exists. All right, well, we didn't get on this podcast to talk about career advice for brand new computer science grads, but maybe this is an unusual strategy for some to consider.
Sam Ainscow: Mm-hmm.
David Moulton: So Sam, let's wrap up the conversation and talk about business continuity for a minute. Are there strategies that businesses should employ to maintain their operations during a cyberattack?
Sam Ainscow: Yes, I think for me this one comes down to preparedness is the key. You know, you -- there will be -- during an incident, there are going to be problems that you have to solve. But if you kind of already solved most of those problems in a -- you know, in a scenario in a tabletop exercise, things like that, it's going to make the whole process so much smoother for you; because not only have you thought about how you're going to -- how are you going to fix it, but hopefully you've also then put the necessary steps in place so that you're not having to invent it on the fly during the incident. Because let's face it, it's going to be difficult enough as it is; so making sure that you're -- you know, that you're prepared, that is absolutely the number one thing you can do. You know, know who needs to do things, how are they going to do it, where they're going to do it, and when they're going to do it; you know, making sure that you're communicating, you know, effectively across the teams. You know, because communication is absolutely key during the incident. You know --
David Moulton: Yes.
Sam Ainscow: -- who knows -- you know, do you know how to invoke the plan? Who's allowed to invoke the plan? You know, do you know who you need to communicate with; you know, how are you communicating just within the crisis management team? You know, have you solved how are you going to do that? And if your primary method of communication isn't available because of the incident, do you have a backup method of communication? Do you have something to fall back to? Are they lined up? Have they got a playbook of how to do that? Because you cannot wheel a normal chief executive or, you know, out to talk to the media. They need to be trained. They need to be schooled on how to do this effectively, you know, that they're -- so that they can convey the right message in the right way.
David Moulton: I remember having a conversation with Caleb Barlow years ago about this very thing where everyone has an idea of what the playbook is, where the playbook's kept on a shelf, and they go to open up at the time a Webex call and nobody had the password to get into the Webex. So their tabletop revealed that at step one, join call, everything fell apart. And it just struck me of like the littlest thing can be the Achilles heel. And if you've not done the preparation and run it through as a test to make sure you know how to run your playbook during a crisis, you're going to find that you really wish you had when it wasn't a high-stress live act, it was why you could go back and make that update. He also talked a little bit about the number of executives that would come in and with the training somebody would come in as a part of the press and stick a camera in their face and ask questions. And even though they knew it wasn't a real event, their emotion, their panic would kick in and they couldn't handle a fake interview in practice. And it just showed the value of bringing the executives, bringing some of the other portions of the business into that response and making sure that it wasn't just the security team that fully understood what the playbook was, but the whole of business understood how to respond. And I think that's what you're getting to is that in that response, it's not just the security team that's going to get you through it, it's the entire business.
Sam Ainscow: Oh, absolutely. I mean, I'm very clear with the -- you know, the businesses, that it is their business and it is their incident. I am here to help, you know, and I will manage the technical sides of that incident. But also, you've got a business to run. And that's what -- you know, when we run tabletop exercises, we ask for all of the people who would be involved in an incident, you know, in real life, bring all of those people into that room and give all of them an experience of what it's going to be like. It's not the same as, you know -- and we do it as a, you know, a training exercise as if, you know, it's not an assessment or something like that; but you know, letting them go through that process, and ask those questions, and think about what they're going to do, you know, in a -- you know, in a training environment is -- you know, it's absolutely invaluable.
David Moulton: Sam, what's the most important thing that a listener should remember from today's conversation?
Sam Ainscow: Preparedness is the number one thing. You know, you are not ready for an incident unless you have prepared appropriately. And preparing doesn't mean making sure that you've got a load of policies in place. You know, it means have those policies been trained out to the organization? Do they know how to execute against them? How can you execute against them? And then have you made updates as a result of those drills' executions? You know, is everybody ready to assume the roles that you think they're going to assume during an actual incident? And do you have a -- you know, a feedback loop in place so that when you have exercises, when you have any kind of reviews, when you have incidents themselves, do you have a feedback loop in place that will allow you to get better as an organization? Can you take the learnings and make sure that next time you're not going to suffer the same issues you did the first time around? [ Music ]
David Moulton: Sam, thank you for being on "Threat Vector" today, and for this really fascinating conversation on both cyber resilience and for sharing your personal philosophy on growth and continuing to learn, putting yourself in those scary situations where you know you may suck but you're going to come out better for it.
Sam Ainscow: Well, thank you very much for having me.
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen, and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]