Unlock the Secrets to Successful Cloud Security with Andre Rall

Host: Hi, everyone. This is Purusottam, and thanks for tuning into Scaletozero podcast. Today's episode is with Andre Rall. He's the Director of Cloud Security at Optics. He spearheads the Offensive Cloud Security Research Team. And before joining Optics, he has worked at AWS for over five years, and particularly leading the Account Takeover Division. Andre, thank you so much for joining with us in this episode. For our audience, Do you want to briefly share about your journey?

Andre Rall: Yeah, thanks. And thanks for having me on the podcast, Puru. Yeah. So, I'm going to work backwards from where I am today. So as you mentioned, currently work at Optics, I oversee the offensive security research, but being a startup, there's multiple heads that we, I wear within sales, sales engineering, marketing. But before Uptycs, I was at AWS for five and a half years, where I led their account takeover division.

A lot of folks don't know that AWS actually has an account takeover division. And really what they're doing is they're protecting not only the platform, but the customer experience by detecting account takeovers, mostly threat actors, you know, spinning up resources to mine cryptocurrency. Prior to AWS, I was with Rackspace for just over seven years. At Rackspace, I oversaw their AWS support offering.

So AWS managed, excuse me, shifted from a on-prem service provider to becoming an MSP. So managing other CSPs. And that's really what got me intrigued within AWS. Prior to Rackspace, I was at Rapid7 where I was a security sales engineer. So overall, I have just over 15 years of InfoSec operational experience.

And I'd say in the last probably six years, became really intrigued with cybersecurity just because of the exposure I received within AWS.

Host: Love the journey and one of the things that you highlighted, right? Like you were leading the account takeover division at AWS. We have had a few guests who were like ethical hackers who were trying to take over, let's say their own organizations account or like they were doing red teaming and they were explaining how AWS sort of blocks them, right? When it comes to invalid requests, rate limiting. So there are many ways that AWS takes to block them. So, I mean, I can relate to your side of the work at AWS, right? Like how you were keeping them away from taking over the accounts.

Andre Rall: Yeah, exactly. So that was my old team's responsibility. Exactly that, detecting, blocking, mitigating. And it's a very fine line because, you know, you wanna get right the legitimate use cases, and then the threat actors or the ethical hackers who are trying to test the systems, reverse engineer the systems like your previous guests were doing.

Host: True, true. So before we start, I generally ask this question to all of our guests and we get different answers depending on the role and the experience level and stuff like that. So

What does a day in your life look like?

Andre Rall: Good question. You know, I think it's like most people in this, you know, security world is wake up, uh, you know, we start off by looking at our Slack messages, uh, seeing if there's anything immediate that requires attention, uh, from there, you know, get the day going, get into emails, get into a couple of first meetings, uh, you know, for me personally, it's looking at, uh, you know, uh, blogs reading mailing lists that I've subscribed to that focus on cloud security, trying to find any attack vectors, trying to find any noteworthy news pieces that I can go and research a little more that I can use and potentially help with our product team integrate into our product. So what I'll try to do is reverse engineer. My team will take a particular threat. We will try and replicate that threat in an environment. And if we can.

We'll figure out, hey, can our customers benefit from this in terms of detecting it? And then we'll work with engineering to come up with the engineering requirements that they can use to integrate it into our product.

But as I mentioned, being in a startup, you wear many hats. So on the marketing side, I'll help with webinars, I'll help with blogs, I'll help validate certain blogs that other folks on the team are writing for consistency and accuracy.

But yeah, that's a small window into my day. But like I said, any startup, it could change from day to day.

Host: Yeah, I mean, I can, I can relate to it. But one of the things that I really liked from your day is reading blogs and newsletters often what happens is once you get into Slack, you get distracted and you get into some other areas and then you often end up not reading on a daily basis, but I really like that you. It is a good read blogs and newsletters to stay up to date in terms of what's going on, right? Any new attack vectors and stuff.

So that's a very good habit of yours, I can see. Right, so today we'll talk about cloud security primarily. So let's get into it, right?

In June this year, you presented a talk at Forward CloudSec on the topic like the unholy marriage of AWS IAM roles and instance profiles. And one of the things that comes to my mind is IAM has been in our lives for over a decade, right?

Why do you think it still needs attention? Shouldn't it be solved by now?

Andre Rall: Yeah, good question. You know, I think for a couple of reasons it hasn't been solved by now. You know, first of all, I think the complexity, right? It's a very complex field and it's not easily perfected. You know, especially considering the intricacies of cloud structures. You know, for example, look at the different CSPs, right? From the get-go, you have access to thousands of permissions, thousands of APIs and hundreds of services.

To try and get that right is a daunting task, even for the best security teams out there. And those permissions, APIs, and services are growing at a rapid, rapid place. I think the cloud brings some challenges in that there's a shift towards cloud-based solutions which introduces a new dynamic.

For example, IAM on-prem is very different to cloud-based IAM. As organizations grow their cloud presence, they have to integrate new services, technologies, which further complicates management of access and the identities.

There's a dynamic shift that's happening. There was a cyber arc report that came out on the threat landscape that highlighted certain key trends. And one of the notable call outs is that machine identities now outnumber human identities by 45 to one, right?

So… Historically, IAM has focused on human identities primarily. So it kind of raises the question,

How can we evolve IAM to give equal priority to these machine identities?

If we think about identity management, the IT landscape is constantly evolving. Terms and trades are regularly changing. IAM needs to adapt to these shifts. As an example, look at Zero Trust. Zero Trust has been around since I believe the early 2010s, but only recently started gaining a lot of traction.

But that being said, trying to implement Zero Trust is extremely challenging. You go from the shift from relying on a network edge as a security perimeter to a model where you now have to continuously verify every user and machine interaction in your environment.

Easier said than done. So it's not an easy concept to implement. So here are some of the reasons why IAM is this constant moving target and hasn't been solved yet.

Host: So there are two things which I really liked from your answer. Like one thing that you highlighted is like as soon as you get access to cloud, let's say as a developer, you get access to the cloud. It's often we want to move fast. So we give them not unlimited permissions, but we overly provide overly permissions to developers, right? So that we can move fast. We do not do like a right sizing at the very beginning and that often is a challenge.

And the other thing which was very interesting from the study you highlighted is, human, ideally IAM was supposed to, was designed for let's say users, human users, but now machine identities are sort of overtaking the human users. So, a follow up question to that is, like

Earlier a lot of folks used to talk about network as one of the parameters, right, when it comes to cloud. Now they talk about IAM as the new perimeter.

What do you think has changed recently?

Andre Rall: Yeah, you know, this is a very, um, evolving topic and I think more and more entities, organizations are starting to, uh, understand this, but you know, essentially in the past network edge symbolize the firewall, you know, served as a default security perimeter. So having network experts on your team meant a sense of security is they basically control what entered or left the network through the firewall. Uh, how.

As we get into the rise of cloud computing, the scenarios change dramatically. In a cloud environment, you're dealing with those APIs, those permissions that I mentioned earlier.

And from day one, it creates countless ways to access quote unquote your network. The analogy I give is, imagine a large house with thousands of doors and thousands of windows. Each represents a potential entry point for attackers and a defense point for the security teams. You know, I think if you think about business needs, right, modern businesses, evolving requirements also play a significant role.

You know, the advent of remote work, global access, SaaS applications, IAM becomes this crucial focal point. You know, it controls not only the access to your network, but to your resources too. I mentioned this earlier, but you have these diverse identities. You know, in the realm of IAM, you have human, you have machine, you have software identities.

You know, each of these requires thorough measurements, monitoring, and control. And then, you know, what I like to tell customers is, you know, I often compare an enterprise without a clear identity strategy to a body without a functioning nervous system. It's uncoordinated and vulnerable. So focusing on identity is paramount to being safe and secure in the cloud world.

Host: Yeah, that makes a lot of sense, right? Because any workload that you deploy needs some sort of access or some sort of permissions. Any developers or DevOps or any human who needs access, they also need to look at what permissions they are looking for and stuff like that. So that's where IM becomes one of the key areas. Now, let's say when talking about the cloud, right? Each cloud provides a shared responsibility model. And as part of that, they take care of some components, like infrastructure, core infrastructure, like hardware or network. And as a customer, we have to take care of,

let's say, IAM or configuring the compute instances properly. And as you highlighted earlier, like every month there are many services which are offered by the cloud providers. Like this week, last week we had reinvented and there were many more services launched.

So in that case, how has the complexity of cloud security evolved with the growth of adoption?

Andre Rall: Yeah, it goes back to what I mentioned earlier, right? The APIs, the permissions, the services that is constantly growing, constantly changing, and trying to get those right is a very difficult challenge.

Trying to understand, for example, AWS policy statements, it can become very confusing, very quick if you don't know what you're looking at and what you're doing. Secondly, I'd say the ephemeral nature.

You know, the clouds ephemeral nature complicates monitoring and adapting to constant changes. So trying to keep up with these rapid developments isn't an easy task. I find that you also have this increased risks, right? The rising cloud adoption has escalated cyber security risks significantly. The threat landscape, which is evolving daily, requires continuous vigilance adaptation in cloud security strategies. You know, some people will think that a cloud security strategy is kind of a set and forget, but it's a constant evolution over time that I feel will never, never end.

You have incident response challenges, right? So traditional incident response tools are often inadequate in these dynamic cloud environments. The inadequacy becomes more pronounced in multi-cloud and these ephemeral natures, environments where traditional tools will just struggle to keep pace.

And then, you know, one topic that everyone talks about is the cyber security skills gap, right? So we've had the swift transition to cloud security operations, which has spurred a demand for security professionals with deep cloud knowledge.

Unfortunately, it's few and far between that finding these folks that have the right knowledge, skills, expertise is, is taking a long time. Or if you find them, they become very, very expensive.

And then I think, you know, just adapting to new threats, right? Attackers are continually updating their tactics to exploit new cloud services. You know, a while back, I think it was this year, we saw malware targeting specific services like AWS, excuse me, like Lambda, right? So before we weren't really dealing with malware on Lambda, it was more on endpoints. Excuse me.

So, you know, this necessitates a constant evaluation of just the security that counteract advanced cloud specific threats. And then lastly, I would say is the multi-cloud complexities. So, the adoption of multi-cloud infrastructure as complexities such as data silos. This complexity makes it challenging to manage incident data and security risks across the various platforms. So ensuring that you have visibility across these silos in a consistent view that normalizes the data is paramount to successful cloud security strategy.

Host: One of the things that you touched on is multi-cloud, right? Like when you are in a single cloud, let's say migrated from a data center on-prem to a cloud, then let's say you are expanding to multi-cloud for various reasons, could be regulations, data residency, or capabilities, or even like you've acquired a company or something else. It brings in new opportunities, but at the same time it brings in complexity as well, right? So

how do you...generally keep a balance between them, like bringing multi-cloud for capability versus security challenges.

Andre Rall: Yeah, I would say, you know, there's probably three things that I'd look at, right, is having a strategic approach. So, you know, companies often find themselves in these multi cloud environments by chance, you know, which leads to complexity, which is maintaining multiple security configurations and data repositories.

A strategic approach is crucial to manage these complexities effectively. You know, this approach I think helps in realizing the potential operational efficiencies and costs.

Secondly, it has to do with visibility. It's essential to ensure visibility across all resources in all the CSPs. The visibility should be consistent like I mentioned earlier. If your dashboards do not normalize the views, you're spending more time trying to understand how resources in different clouds are related and or communicate with each other.

And then thirdly, I'd say staffing. So, make sure to have staff members who specialize in a single cloud. Uh, attempting to have one person specialize in multi-cloud is extremely challenging. I personally don't agree with companies who say they require one person to be an expert in at least two CSPs.

You know, CSPs are constantly changing their services, APIs and permissions, like I mentioned earlier. So it requires a dedicated person to deeply understand each specific cloud.

Host: That makes a lot of sense like on the staffing. I also agree on your point, right? Like it's very much like having a full stack engineer who understands all the way from back end to front end to all of that.

And while that helps to scale, but at the same time, you do not get the expertise because as you rightly pointed out, right? Each CSPs are spinning like deploying new services, attackers are exploiting them. So there is a lot to keep up with. So if you are bringing in a multi-cloud expert, it could be challenging in that case, where like your advice makes sense, right?

Like you have one person focusing on, let's say AWS, one person focusing on Azure so that they can go deep and help with your overall security roadmap.

A follow-up question to that is, let's say you go into an environment where there is multi cloud.

What are the top five things that you would see like you would incorporate in as part of your multi cloud security strategy? Top five or top three things, let's say.

Andre Rall: Yeah, so, and I've kind of touched on these, but I'll go into a little more detail, but I think the first and foremost is visibility and responsibility, right?

So prioritize visibility across your cloud providers. You don't know what your risk is until you know what resources you have in your environment.

So understand the shared responsibility model, which dictates that the provider is responsible for the cloud infrastructure, while you're responsible for everything in the cloud, including workload protection and… data compliance.

Secondly, monitoring strategy. So implement a comprehensive multi-cloud monitoring strategy. Now that you know your resources, now you can monitor against those resources. The strategy should integrate tasks across different platforms to provide this holistic view of your infrastructure. You know, utilize tools for automated alerts, self-healing methods, just to really enhance that efficiency.

Thirdly, it would be automation and DevSecOps. So what I mean by that is, Leverage automation for tasks such as security upgrades, application deployments, incorporate the DevSecOps mythology, which involves security testing at every stage of the software development process. This approach will minimize human risks and ensure the consistency across your operations.

For companies who live and breathe by compliance, you should identify an idea to relevant regulations for your industry across the different cloud platforms. So, utilize automated platforms to monitor and ensure continuous compliance. And then finally, I would say regularly backup cloud data and systems. So, develop a zero data loss disaster recovery plan to ensure operational resilience.

One thing that I notice a lot is when it comes to… you know, BCP business continuity plan or DR disaster recovery, many organizations forget to take into account their cloud presence. And when they get breached, when they get attacked, or if they have a ransomware occur, what is the BCP and DR plan which encompasses backup and recovery?

Host: Yeah, I really like the top five that you highlighted. So we spoke about some of the best practices, what organizations should follow.

Now, when it comes to the actual implementation, do you often see that organizations follow them accurately?

Or there is a mindset shift needed. Let's say there is a CISO who was working with on-prem or data centers privately. Now they need to move into the cloud or even multi-cloud to that matter.

Do you see that there should be a mindset change in terms of deploying workloads in a data center versus a cloud environment?

And how would you address that if there is a mindset gap?

Andre Rall: Yeah, I think there definitely needs to be a different mindset. And this is something I see quite a lot of is that, you know, CISOs who have a repeatable strategy in on-prem try and bring that same security strategy to the cloud, and that just doesn't work, right? It's like mixing oil and water.

Um, Secondly, you know, I think as folks organizations start deploying into the cloud, one of the biggest pitfalls that I notice or see is they're not looking at the resources connecting into the cloud. So what do I mean by that? Developer laptops, right?

They're always very focused on the cloud and the perimeter of the cloud and what's inside the cloud, but looking tangently outside of the cloud as one of those connection points is very, very important.

You know, if you look at 2023 and look at some of the high profile cloud breaches that have occurred, almost all of them have started from a developer's laptop. They downloaded malware, created a reverse shell, they found access keys, SSH keys, and were able to access the cloud resources through that way.

The second piece of advice, I think, or the pitfall that I've noticed is, the cloud has an ephemeral nature, which we spoke about, right? It's very dynamic, it's constantly changing. There are things spinning up, spinning down, and that's the intent of the cloud, is to… be ephemeral so that you can have a bigger and better return of investment.

But knowing that there needs to be a strategy that focuses on this ephemeral nature. And I mentioned this in the beginning, but a set it and forget it cloud strategy is something that doesn't exist or shouldn't exist because of the ephemeral nature, right?

There needs to be these mechanisms that continuously detect and monitor for a cloud strategy. And then there needs to be a strategy on how to evolve the existing strategy, cloud security strategy.

And then finally, I would say is IAM. Absolutely prioritize IAM. You know, we already touched on IAM as a new perimeter, but as CISOs go into the cloud and deploy in the cloud, you know, it's not as simple as deploying an AD server and that's it. Times have changed, environments have changed, architectures have changed.

Andre Rall: IAM has to be the front and center of any cloud security strategy as they move into the cloud.

Host: Yeah, love the top three. And I think the first one is often overlooked, like the dev machines or the endpoint security of that. So I hope that our audience, when they listen to it, they also pay attention to the dev machines as well or the endpoints as well. One of the things that you highlighted earlier is that skill gap between.

let's say, how many positions are open versus how many cybersecurity experts are available.

So how can security professionals fill in these cybersecurity needs?

Do you think it's more of upskilling or do you think it's more of like new cybersecurity experts?

Like how do you see cybersecurity professionals filling in these needs?

Andre Rall: Yeah, so I think, you know, one of the biggest traps many organizations will fall into again, and they're coming from this on-prem world, and they have a principal security architect. And the principal security architect is now being tasked with becoming a principal security architect in cloud.

It is very challenging to transfer that skill set into the cloud. I recommend that, you know, what folks need to do who are well-versed in security on-prem to focus and look and assess themselves and say, where are my security knowledge gaps in the cloud?

Put pride aside, clearly identify where your gaps are, and then figure out how do you bridge the gap with that knowledge? Because again, the cloud is a very unique environment in how it works. Security is very complex in the cloud environments, going back to the permissions, the APIs. It's extremely difficult to get it right every single time.

And then thirdly, I would say getting hands on, right? So using a sandbox environment, hopefully, and deploying resources, understanding how they're connected, communicate, understanding, for example, AWS, the roles, how they work, how they get their tokens, how long those tokens are valid for.

You know, nowadays it's actually easy to do that because you can even deploy vulnerable by design environments, which is another great way to identify resources and how they're insecurely interconnected. So hands-on deploying testing is a very good way to get a security professional up to speed in cloud security. And then lastly, I would say is a third party tool like a CNAP, right?

Cloud Native Application Protector Platform, which is a single platform that enables you to get a single holistic view of resources, all your data that's normalized across one or more CSPs.

Host: I really like the hands-on recommendation that you have, because often what happens is, let's say as you highlighted, an on-prem security engineer is tasked with a cloud security engineering and they have that gap.

Unless you do hands-on in a sandbox, it's very difficult just by reading things on the, let's say internet. So a follow-up question to that would be,

In this scenario, how do you see the security professional upscale and stay up to date?

Is it more like certifications or is it more like hands-on trainings?

What would you recommend? Let's say if somebody in your team needs that upskilling.

Andre Rall: Yeah, first of all, what I'll do is I wouldn't start with certifications, right? Everyone, the biggest misconception is get a certification and you now have this, you know, expertise. The challenge is that you now have the theoretical expertise, but you don't have the practicality. And going back to what I mentioned just before this is getting hands on, right?

Looking and trying to build out certain architectures is the best and the quickest way to learn the cloud.

Secondly to that is find cloud security webinars, find cloud security conferences, listen to the speakers, understand what they're talking about. Do you understand it? Can you take it back? Can you research it? Can you replicate that in an environment?

Again, go back to the hands-on, that will very quickly validate or invalidate your understanding but also allow you to ramp up in gaining that skill and gaining that understanding as it relates to cloud security.

And then the last thing that I would say, or second to last thing is there is several tools out there. Some that are used by a blue team, some that are used by a red team to defend or exploit environments. Get to know these tools, use them, practice them, because… I personally find the biggest benefit is using Red Team tools, because as I use it, I understand what the outcome is trying to drive. And once I understand that outcome, I look at it and say, why is this useful for a threat actor?

I then look at that and say, oh, this is why it's useful. And then I can reverse engineer a detection. I can reverse engineer some kind of mitigation for that particular outcome. So and then finally, go get the cert.

Right. So search should be, in my opinion, somewhere at the bottom, um, just because it's will validate your previous work of getting hands on and getting into the environment, testing it and playing with it. The search will actually be easier to take in my opinion, uh, at the end, rather than trying to do the search.

Host: Yeah, I love that suggestion. Often what happens is folks focus on certification as a way to upskill, but it makes sense that you start with hands-on, and then once you have a good understanding, validate sort of your learning using a certification.

And another thing that I really liked is the conferences, like cloud security conferences, right? Like...conferences like Forward Cloud Sec, where a lot of security experts come in and present what they have been doing, what they have learned, like their hands-on experience. So that also sort of helps you learn from their experience. So yeah, that was spot on.

So last question that I have is, so let's say as an engineer, I learn, I have some cloud security skills. How does it help me build trust with my customers or partners in the business world?

Andre Rall: Yeah, having a competent cloud security engineer as part of your organization, it, it validates your organization's commitment to being secure and taking on customers. And what I mean by that is, you know, if you think about your personal life or your day to day, when you go to a doctor, when you go to a dentist, when you take your vehicle in for repair, you want to go to a trusted person or entity that's been validated, because you feel safe and secure.

Same goes with gaining these cloud security skills, right? A organization who's looking to partner with third parties, they want to ensure that the entity, the third party, that they're giving their trust to, has the expertise, has the knowledge to be responsible with that.

The last thing you want to do is take on a third party security vendor who doesn't have the expertise, who doesn't have the skills, doesn't know what they're doing and potentially set you up in a vulnerable position to where you're now being compromised.

So it, and again to sum it off, it's just giving that validity to an organization that they take cloud security seriously and that's done through the team, the employees who are part of that entity organization, who have gained those cloud security skills.

Host: Yeah, so it gives confidence to customers or partners that, hey, we are working with security experts who know what's going on in the security world, right? So yeah, that's a great way to sort of end the security question section.

Summary

Thanks Andre for the engaging conversation. Here are a few important points which stood out for me:

• IAM is the critical component when moving workloads from On-Prem to Cloud. Special attention should be paid to Right Sizing of Permissions early on as part of Cloud Security strategy.
• Visibility of Cloud Assets is important. Implement Automation for workloads and follow DevSecOps best practices to ensure Security is incorporated in all phases of SDLC.
• When it comes to filling Cyber Security skill gap, start with Hands on Webinars, Workshops, attend Cloud Security conferences and go for Certifications to validate your learnings.

So the next section is around rating security practices.

Rating Security Practices

And generally what we do is, I'll share a security practice. You need to rate them one through five. one being the worst and five being the best. And you can add context to why you think it's a one or a five or anything in between.

So the first security practices, provide training and awareness programs to employees to help them identify and respond to potential security threats.

Andre Rall: Yeah, one being the worst, five being the best. I would say three, it's necessary, first of all. I know there's a lot of compliance programs that require it, but I've seen so many employees either just click, or put the video on the side of the screen, go and do something. And then once it's finished, hit next. So employees are not taking it seriously enough. Because security is not in their top three priorities, right? So if you think about a salesperson, they don't, security is not their priority, even though it should be, it's not. So I feel like it's needed, but it isn't as effective as we really want it to be.

Host: OK, effective or engagement, maybe engagement-driven training would be better than just videos where you can just click, like as you highlighted, and you can skip to the end, right? In a way, just to show that you have completed it. Makes sense.

The next one is use strong passwords that contain a mix of uppercase, lowercase letters, numbers, and symbols, and change them frequently to avoid using the same password for multiple.

Andre Rall: Yeah. Oh, definitely a five. Uh, you know, I think one of the biggest culprits for account takeover is still, uh, reuse passwords that happens in the wild, right?

So a potential, uh, company gets breached, a bunch of data gets taken, gets sold on the dark web, and then, uh, threat actors will go and purchase that and then use spray, uh, password spraying, uh, tools to see how many of those passwords, uh, active in other entities like AWS, their bank accounts, etc.

I recommend using a password manager. The first time I went to use a password manager, it was a big leap of faith, just because I wasn't used to not knowing all my passwords. But once you use a password manager, A, it's more secure, but B, it's a weight off your shoulders. You don't have to try and remember some variation of your password.

Host: Yeah, totally in agreement. Like I use Bitwarden everywhere, and I don't have to remember anything now. Right. I just have Bitwarden plugin everywhere and it just fills in the password. So yeah, absolutely. Makes sense.

The last one is DevOps practices are needed to move fast and deploy code to production. Security practices are not the most important, right?

Andre Rall: Definitely a one. If I could write lower, I'd write lower. But this is important because as we think about DevOps pushing code and deploying to production, the last thing you want to do is push a vulnerability, push a misconfiguration into an environment.

Because then A, it leaves you susceptible to an attack.

B, it causes toil in terms of having to go back a redo or re push code or deploy a emergency patch because you have a security team coming to you and saying, Hey, we're open. There's an attack path available here. I need you to deploy this redeployer to, to close this potential attack part.

So it just causes more work. Now it may seem in the beginning for developers that it's slowing them down in the beginning, but in the long run, it's actually speeding up the process, keeping them more secure, reducing that toil that will await them when the security team comes to them and says, hey, I need you to push an urgent PESH yesterday.

Host: Yeah, that makes a lot of sense. The sooner you incorporate security, the less pain you have to go through at a later stage. So yeah, I love that.

So last question before we end the episode, I ask this to all the guests is, if you have to give one reading recommendation, blog or a book or a podcast or anything, what would you recommend to our audience?

Andre Rall: Yeah, I'm going to go with a colleague of mine at Uptix. Her name is Bronwyn Hudson. She has just started getting her podcast up and running. It's called Cybersecurity Standup. You can find it on Spotify, Apple. So I'm going to help her and say, hey, go to check it out.

I was a guest on there several weeks ago. She has some very unique guests. But it's really focusing on those who want to get into the cybersecurity world who either never been exposed to it, or have very entry-level experience in cybersecurity.

So it's a very good podcast to get validation on which direction a person should go if they really wanna get more involved in cybersecurity.

Host: Okay, thank you. And I really like the name Cybersecurity Standup, which sort of gives an impression that it's not a lengthy like two hour recording, rather like short, small bites, right? Which you can consume. And the segment that she's doing also, like for folks who want to get into cybersecurity space, it's an avenue to learn.

So yeah, we are at the end of the episode. Thank you so much, Andre, for joining us and sharing your learning and insights with us.

Andre Rall: To be honoured and thanks for having me.

Host: Absolutely and thank you to our audience as well. Thank you for watching and see you in our next episode. Thank you.