Eric Evans is a Founder and Chief Technology Officer at HanaByte, a cloud security consultancy focused on compliance automation.
He has led and supported security engagements for various customers, ranging from startups to Fortune 10 companies, with a speciality in financial services, healthcare, and government.
Connect with Eric on LinkedIn and X and follow HanaByte on Facebook.
What You’ll Learn in This Episode
- Founding a security consultancy
- Bridging the cybersecurity skills gap
- Cloud security
- Software supply chain attacks
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: [00:00:07] Broadcasting live from the Business RadioX studios in Sandy Springs, Georgia. It’s time for Sandy Springs Business Radio. Now, here’s your host.
Lee Kantor: [00:00:24] This episode of Sandy Springs Business Radio is brought to you by mere ability, providing unique IT solutions, leveraging cloud, AI and more to solve business problems. Here’s your host, Erik Boemanns.
Erik Boemanns: [00:00:38] All right. Thank you. Today we have a special guest with us. His name is Eric Evans and he is CTO of HanaByte, a cybersecurity company. So similar business to us, but more on the cybersecurity side than on the consulting. So maybe tell us a little bit about yourself.
Eric Evans: [00:00:52] Yeah, absolutely. So I’ve been in the IT world for about 15 years now. I traditionally started off in helpdesk support and did that for about a year, moved into software development and engineering. Kind of started doing DevOps before it was called DevOps. So the fact that I can deploy code pretty quickly into cloud environments and everything was kind of a starting point for that aspect of things, and then I became a full-time DevOps engineer here in the Atlanta area, helped start a couple of infrastructure and security programs for some local startups. So Experience LLC, which is now part of Cox Enterprises, Where to Go, which is a UPS company, are some of the examples of companies that I’ve helped with security before. And then I did consulting for three and a half years, and now I’ve started my own consultancy.
Erik Boemanns: [00:01:52] So very cool. So tell us more about HanaByte, then. Yeah.
Eric Evans: [00:01:56] So HanaByte is a boutique cybersecurity consultancy that specializes in cloud security, compliance automation. So what we do is we learn more about an organization’s environment. We do an assessment of where they’re at. We find out what their goals are and then we help them achieve those goals. We started peak pandemic around 2020 or so, as businesses were moving towards remote work. As they were doing cloud migrations, there was a very ripe opportunity to help with security, help with compliance whenever it comes to the cybersecurity field. And so we typically like to target industries that are very highly regulated, such as health care, government, financial services. That’s really where our sweet spot is, because these industries in the past have been very stringent with security requirements. It’s really difficult to get things done. And I co-founded the company with another employee. His name is Michael Greenlaw. He’s one of the DevOps engineers that I worked with here in the Atlanta area. And my wife, Cat Evans. And we always have a DevOps-first mindset. So we brought this into an area that desperately needs it. And doing that in cybersecurity, we’ve now unlocked a lot of possibilities. And especially with, you know, the AI and everything like that coming here, there’s a lot of opportunity. And I feel like we’re just getting started.
Erik Boemanns: [00:03:51] Yeah, absolutely. And you mentioned 2020. And just circle back to that real quick because I think work from home became a very big thing obviously that year, and that brought a whole new bundle of cybersecurity challenges to businesses. So maybe is that something that helped you spur the growth or the idea to form the company or...
Eric Evans: [00:04:12] Oh, absolutely. Yes. So businesses had some additional security requirements whenever you are now transitioning to a remote workspace. A lot of times your endpoints, that is, the laptops you’re working with, VPN connections, all these types of things need to be set up in a secure manner. But where we saw the most help was when we had businesses who are traditionally data center, have a lot of hardware in their data closets. Maybe they’re renting out co-location spaces and everything. And as they’re transitioning to remote work, they’re now moving a lot of their workloads into public cloud services like Amazon Web Services, Google Cloud Platform, Microsoft Azure. And I’ve had a lot of background in that with my DevOps and security consulting space and so on. So a lot of times it was, okay, well, let’s take a look at your workloads. What kind of workloads are you running and how can we adopt those to the cloud in a secure fashion? That’s an important part, is the security portion of that. Because health care, financial services, government, other nonprofits, those types of companies, all are highly regulated. And so they need special folks who have a security specialty that can help them out.
Erik Boemanns: [00:05:38] Do businesses misunderstand the cloud and think that it provides security for them or all the time?
Eric Evans: [00:05:43] Yes. So there’s a shared responsibility model. And that’s usually where we open up with our workshops, is making sure that they understand where the cloud provider security stops and what the customer is then responsible for, and how we can help them achieve that goal.
Erik Boemanns: [00:06:00] Yes, absolutely. And I think a lot of people have heard now the cloud is described as somebody else’s computer. Yeah. Does that make it inherently less secure, or what? What’s your take on cloud as a secure platform? Obviously they don’t do it for you, but are they less secure?
Eric Evans: [00:06:14] I actually believe they’re more secure. And the reason why is you have a lot of the inherited controls from the shared responsibility model. Now you have folks who are audited regularly, who have expertise in their fields and so on. These are all contractual obligations, especially with public cloud providers, that they have to adhere to certain standards. They must show specific certifications and all this, and having folks be able to do that for you gets rid of a lot of the undifferentiated heavy lifting of setting up servers and essentially causing misconfigurations within the environment, perhaps exposing your workloads to unnecessary risk. And you actually mitigate a lot of that just by using a public cloud provider. And the more you can offload to the public cloud provider, the more secure you can be. And I use that secure term with italics on purpose, because there’s still a lot of implications on data and networking and so on that also come into play with that. But again, at least you’re not starting from scratch.
Erik Boemanns: [00:07:29] Yeah, I think that’s a great point that the cloud provider is going to bring a lot of security options. Whether you choose to use them is something that you have to work through. And I think you can obviously work with a company like yourself to help figure out which of those you need to have. Absolutely. So the story began with 2020 and work from home, and a lot of the challenges that businesses probably rushed into then. Now, almost four years later, where are the challenges developing now? How are they cleaning up from the rush into the cloud, the rush into work from home? Or has that stabilized? What are today’s challenges compared to where you started?
Eric Evans: [00:08:03] So there’s this phrase that I learned while I was at re:Invent last year. It’s called MOM. You have modernize, optimize and then monetize. And what we’re seeing is a lot of the companies in 2020 modernized their workloads to leverage a lot of the capabilities of the cloud. And, you know, it wasn’t just 2020. I mean, you kick off at 2020, you know, these are ongoing engagements for 2021, 2022. And still moving on, right? I have customers that have been working for years that were still within the process of modernizing and optimizing their workloads. So secondly is once you get it to the cloud, a lot of times it’s a lift and shift because, you know, we’re in pandemic mode, we’re in panic mode. We have to get there quick. We have to rush to the cloud, so to speak. And in doing so, we don’t always do it as optimally as it can be. So optimizing infrastructure and so on, I would say is definitely in the middle here. Now I’m seeing a lot of companies make good use of their data, and especially with the proliferation of AI, gen AI, those types of technologies, we’re seeing new security threats that are specifically related to data poisoning, to large language models and so on that have been new to folks like myself who have always been cloud practitioners. We’ve never really encountered a lot of these items. So it’s staying on top of now the last part of that, the monetization part, where we are now helping businesses adopt these new technologies so that they can make brand new products and go out to business and everything. But we still need to kind of keep it in a secure fashion as well.
Erik Boemanns: [00:09:48] Yeah. And I think that you bring up optimization is a great point in the sense that a lot of people think that the cloud might be cheaper as well than the traditional infrastructure they used to have, and then they get their bill and they discover it is not at all cheaper. And a lot of that does come exactly where you said they may have lifted and shifted their traditional workloads straight to the cloud. Yeah. Now they’re running what used to be on computers they owned on someone else’s computer, so they’re paying basically double. And so that optimization I think is an important aspect that you brought up there. What else? So optimization for sure helps reduce that cost bill. Mhm. But then we bring in security, I think, opportunities there as well. So perhaps the bill doesn’t go down but the platform becomes more resilient, more secure. Yeah, it’s...
Eric Evans: [00:10:33] Interesting. So a big part of security is also availability and making sure that the business is viable. Right. Without being able to reduce those types of risks you still have, well, risk, essentially a residual risk. And we actually do FinOps at HanaByte. And one would be like, well, you know, you’re a security consultancy. What are you doing in FinOps? We find this to be important, one, for cloud adoption, because ultimately, if you’re adopting more of the cloud, you’re becoming more secure because you’re inheriting those controls. You’re exposing APIs, you’re increasing visibility. That’s all very good security things. And if we can help you save money in the process and optimize your workloads, that in itself achieves security goals or even opens up possibilities for new security goals. For example, if you’re running an on-prem system that is doing security monitoring, controls and so on, and we reduce your cost, the cloud cost, where then you can make or take advantage of serverless functions, event-driven architecture, those types of patterns, you actually get a more robust system that can react to threats in near real time versus having a SOC analyst team who must constantly monitor workloads and then kick off an incident response process and so on.
Eric Evans: [00:12:08] So having a lot of this automation actually helps a lot with security as well. So we do a lot of what a traditional cloud security consultancy or cloud consultancy would. But we definitely put a security spin on things. And then the second part to that is achieving a compliance goal. So a lot of times a business has to achieve a specific compliance in order to get more business. And that in itself we actually categorize as monetization. We actually separate out security and compliance within HanaByte. Not in the way that we staff them separately, because a lot of our security consultants also do compliance and so on. But in the way that we think about it, we see compliance as a demonstration that you’ve met specific controls within your environment and you’ve had an attestation, an audit, a certification to then achieve that compliance goal. But we can’t just automate compliance and expect security to be automated as well. One doesn’t always mean the other. And that’s something else that we’re also helping out with.
Erik Boemanns: [00:13:22] Makes sense. And I think it’s important. Yeah, because compliance is something that some companies will feel is check the box. Right, right. I have to do these ten things and now I’m compliant. Right. Those ten things may not be protecting them from all the risks, though, that are coming to their business. Right. And I like that you brought up risk, because I think that’s a key element of thinking about cybersecurity or thinking about cloud, because there’s risk to my business when I’m in the cloud. Right. It could be through threat actors who are trying to hack into my systems. Or it could just be a thunderstorm in Texas that drops the power to the data center that my servers are in. Either way, my business is down for a period of time. And so the resiliency plan that you’re going to help put in place, I think, is the same, whether it’s a cyber attack or a natural disaster.
Eric Evans: [00:14:06] Right? Yeah, absolutely. A lot of the security principles actually translate very well into the cloud. And a lot of the business continuity situations that you just mentioned are actually very much translatable into the cloud as well. And we always take that sort of approach of risk mitigation. You know, we again like to automate wherever possible. And the more you’re in the cloud and the more we can take advantage of these APIs, the more automation we can do to do a lot of the heavy lifting that has traditionally been done, you know, by security analysts and so on.
Erik Boemanns: [00:14:44] Gotcha. So automation, I’ve talked a lot about that. You mentioned DevOps. DevOps is, I think, the backbone of DevOps automation. That’s your background as well? What are some of the other advantages that automation is going to bring to you? You mentioned having fewer analysts. So maybe talk a little bit about what those analysts would be doing and how automation helps. Yeah, for...
Eric Evans: [00:15:04] Sure. So a lot of times, in addition to reduction of resources that you’ll have to invest within a company in order to achieve security, automation also improves time to market for your applications and everything. How this fits in a security context is actually more so within DevSecOps, where we integrate security into these pipelines. And again, that’s what I’ve been doing for almost, well, actually over a decade now. And in this faster time to market, you also want to ensure that your security scanning is occurring within pipelines, that you are doing validation and testing within the pipelines as well, that aren’t just a whole bunch of humans that are doing regression testing, but you have robust solutions in place that are performing tests that would usually take whole teams to do. This improves time to market. This improves security to market. This improves how you can demonstrate security by generating software builds and material provenance. A lot of the supply chain security things that have come up recently as well, or I should say skyrocketed. It’s always been there, but really the threat has been skyrocketing in the past few years. But all of these items within DevSecOps also help improve visibility, time to market. So you get a lot more than just reduction of resources and so on to that extent, or I should say optimization of resources. Because even though you may not have security SOC analysts watching Splunk all day as an example, right, they are now doing other items like maybe they’re performing code reviews on infrastructure as code. Perhaps they’re looking at workload reports from workloads, finding ways to optimize them. Perhaps there’s some security posture review that’s occurred, and they can perform some additional items there that are a lot more impactful, in my opinion.
You know, granted, if you don’t have anything in place, a good SOC analyst is very impactful. Right. But, you know, having those safeguards in place and so on at least helps kind of reduce the burden. Yeah.
Erik Boemanns: [00:17:20] So automate the routine, the boring, the things that people are kind of bad at to begin with because we get bored, and allow the people on the team to do the more elevated tasks. Absolutely. It requires the more creative thinking, if you will.
Eric Evans: [00:17:31] Yeah, yeah, toil away the menial tasks. SRE, for sure.
Erik Boemanns: [00:17:36] And so for those, I know those who are likely listening are familiar with a lot of what we talked about. But I just want to take a step back. We’ve talked about DevOps and DevSecOps, which if you’re in the software development business, you know what those are. But there’s probably a few people who aren’t as familiar with those terms. Do you want to spend just a few quick seconds making sure, yeah, that we’ve defined those for folks? For sure.
Eric Evans: [00:17:56] So classically, when building software, you would have a software team and you have an operations team. And I say classically, but a lot of enterprises still do this. And when a software team would finish their software, they would throw it over the wall, so to speak, to the operations team to run. The software team doesn’t know how to deploy software. They know how to make it and run it on their machines, so to speak. Right? Whereas the operations team, very good at deploying software, doesn’t really engineer it. So what DevOps does, it blends the two capabilities or bridges them in many ways. And you would introduce a system that would allow software developers to check in their code, automatically have it integrated into an environment, and then monitored from the operations team side of things. So that’s essentially what DevOps is doing, is again increasing that time to market and so on, kind of, you know, tying in a few of those things that I mentioned in the past. It ensures that there is a bridge between the classic development and operations teams. And then when we mention DevSecOps, in addition to that continuous integration, continuous deployment, sometimes it’s not always continuous, it’s a process that still occurs. With DevSecOps, the security team is also involved in bringing in static code analysis, dynamic code analysis, and doing security checks, rather than classically how it would go from development to operations, and then the security team would audit it. And then if you find something happening, you know, to the right of development, then a lot of times the software gets kicked back at you and that feedback loop is longer and now it takes longer for software to actually be in production. So that’s the way I like to explain DevOps and DevSecOps.
Erik Boemanns: [00:20:02] Yeah. No, great definitions. Thank you. And like I said, hopefully everybody is familiar with those. But just in case, it helps. And so if we’re thinking about DevSecOps, or if we’re just thinking about a company that’s in the cloud today trying to become more successful, trying to build their technology stack, right, they also want to do it securely. What are some of the things that they need to be looking at to measure success in the cybersecurity space in particular?
Eric Evans: [00:20:24] Yeah, this is a really good question. It’s important to have a conversation, have the CISO there as well, on what KPIs an organization should be looking for in a healthy cybersecurity program. The first obvious one, to me at least, is the number of security incidents: how many security incidents have occurred, what were the severity of those incidents? That is, how has it impacted the business? Was there monetary impact? Was it reputational impact? Some of those could be qualitative and quantitative, of course, but being able to at least document and then look back in retrospect at those security incidents is a very good first step in, well, formalizing a security program and getting some useful indicators of the success of that security program. Another thing is the mean time to recover, the mean time to actually find the threat as well. And those, again, are very conducive in the cloud when you have event-oriented architectures, when you have alerting and monitoring systems in place. And of course this happens on-prem as well. So those are also important indicators, because you wouldn’t want a threat actor staying within your environment any longer than they should be, and having some metrics to back up that threats do not occur within the environment for a very long period of time is a great key indicator of a security program as well.
Eric Evans: [00:21:55] And finally, and this is where I kind of blur the two lines between compliance and security, your compliance scores can a lot of times give you an indicator of how well your security program is going as well, as a whole, because the compliance frameworks do have lineage back to, well, research standards like NIST, which is the National Institute of Standards and Technology in the United States, and they have done a lot of research on how threats occur and what are some ways to mitigate these and so on. And so a lot of those standards come back and then get incorporated into larger standards. So I’m taking this as an example. But other frameworks as well, ISO 27K, PCI and so on, have similar types of lineages that will give a good score. But I would not rely on compliance scores for a security program. I would definitely take those other factors into consideration, the ones I mentioned before, first, and then from there kind of say, okay, from a compliance score perspective, how are we tracking and so on.
Erik Boemanns: [00:23:02] Sure. Because the compliance score is probably once a year, right, that you get that audit and that you get that report. And if it’s bad, that means it’s been bad for the last year as opposed to... So it’s a very lagging indicator, as opposed to helping you make any decisions about what’s happening today.
Eric Evans: [00:23:18] Yeah, that’s a very good point. There is this concept now of continuous compliance. There’s a lot of solutions out there that kind of help with that and constantly assess what the scores are in an environment. Those are also really good as well. Yeah.
Erik Boemanns: [00:23:33] So, kind of defining some of the KPIs, the key performance indicators for measuring success in your cybersecurity program. Let’s say you have a new client and you’ve gone through that process. What does an onboarding look like? What do you start with? How do you approach the program and get things kicked off? Yeah.
Eric Evans: [00:23:53] So at HanaByte we take a warm approach. We want to make sure that we meet the customer where they’re at, and we acknowledge there’s no one-size-fits-all solution for any type of organization. So starting off with an assessment, which essentially would be conversations around the security program, some of the things that we like to hit on first are: how are your security policies, are employees actually acknowledging these security policies? How about training? How about workshops, any kind of continuous improvement going on? And once we get those fundamentals down, then we start looking at how are you gathering metrics? How are those metrics feeding into KPIs? How are a lot of the incidents being handled? And then from there having further discussions. So we kind of start with that assessment and figure out from there where a company would best use our services, basically. So what would the remediation plan look like? And that’s typically what an onboarding process would look like for a customer.
Erik Boemanns: [00:25:03] Gotcha. All right. So let’s say a customer has gotten the ransom note that it’s in their inbox. It’s on their computer screen, whatever it is, or some sort of indication that something bad has happened. Who are they reaching out to first? Are they calling you or are they calling? Who are they calling first?
Eric Evans: [00:25:18] A lot of times they would call in companies that specialize in incident response, and then those companies that specialize in incident response will go ahead and do what they can to, you know, respond to the incident. Our company typically comes in after them to help with the remediations. So for example, if they weren’t taking regular backups, we would come in and help take regular backups for ransomware. That’s like the number one mitigation that you could do, is have a full backup of your environment. Maybe there’s some other holes that need to be filled in terms of risk and security and so on. We also come in and help out with that. But as far as incident response, we don’t have like a hotline you can call or anything like that. We’ll try our best for sure. But I don’t think we’ve had any customers actually reach out to us as soon as an incident happens.
Erik Boemanns: [00:26:10] Yeah, and it’s a great point. There’s companies that that’s their specialty, to deal with that immediate emergency. And yeah. And hopefully if they had called you beforehand, then they may already have done things to prevent the need for that call.
Eric Evans: [00:26:23] Oh, absolutely. Yeah. That’s what we always let folks know, is you don’t want to be the next headline in the newspaper for the wrong reasons. We definitely want your product, your company to succeed, but we definitely don’t want you to be there because of a security breach.
Erik Boemanns: [00:26:39] So what are some things that businesses or technology leaders either way, are often forgetting to consider as they’re thinking about their IT program, as they’re thinking about a new product? Whatever it is their plan is, what are they forgetting?
Eric Evans: [00:26:52] Yeah, well, it always comes down to people, process and technology, and in that order as well. So having the right people is a key factor. And that doesn’t mean you have to hire on full-time security teams for your three-person startup. It usually means maybe you have a security partner that kind of goes in and just gives a sanity check in your environment to make sure that you are following security best practices. You have the right seeds in place to grow a security program, or enterprises that have new products being launched and haven’t had those reviewed. Or maybe they’re having them reviewed, but it’s the same company they’ve been using for the past ten years, and they need new perspective. Those are items that I’ve seen customers actually struggle with a lot. It’s like, oh yeah, we’ve been using the same security company for ten, 15 years now. I’m like, have you ever audited them? Like, have you ever made sure that their work is okay? Have you gotten a second opinion? And like, no, no, we trust them. And a lot of times we would come in there and we would find new things. So that is another thing. So there’s the people part, the process part. So it’s easy enough as a CISO to kind of look at the security of an organization, say, okay, these controls have been followed. We’re mitigating risks by introducing a lot of this process, by introducing multiple different checks and so on.
Eric Evans: [00:28:22] But there also needs to be some consideration in how this can be optimized and so on. So that kind of leads back to the security and optimization discussion we were having. A lot of times a quote unquote secure process isn’t fully optimized. And businesses can last years without having that optimized security process. And that leads to slower time to market, more frustrated developers, a lot of things getting lost in the middle and a lot of inefficiencies. So that’s another thing that really comes out. And then this one I hear about a lot and I’ve witnessed a lot, is technology. Buying a new solution just for the sake of having another solution. There are so many times where I’ve gone to an organization and they give me a list pages long of all of the security services, products that they’re using that they’ve deployed within their environment. And I always wonder, why do you have three things that are doing the exact same thing on this agent or on this host? Why do you have several different firewalls that are, you know, blocking each other in many ways? And they’re like, well, you know, the salespeople kind of sold me on this, and they created that fear, uncertainty and doubt. And I am really wanting to make sure we don’t, you know, have a blind spot. They’re good intentions, but also a waste of resources. That’s some of the things that businesses have to keep in mind, for sure.
Erik Boemanns: [00:29:54] Absolutely. I was at an event recently, and some CSOs were sharing the number of security products their company had was measured in the hundreds, if not like close to 1000 products that are in their environment. And at the time, I was counting the ones that I was dealing with with a particular organization. And I think we were around 40, actually, which really surprised me too, because I kept adding in my own mind that that list. And so, yeah, you will quickly get to that, a number that doesn’t make a lot of sense no matter what size organization you are.
Eric Evans: [00:30:24] Yeah. For sure.
Erik Boemanns: [00:30:26] Um, so I think the other thing... So sorry, I had a thought and then it escaped me. So my apologies. That list of products just overwhelmed me. So maybe let’s just talk about: do you have a key message that you want to make sure people hear, if they’ve listened this long? What’s the message you want to kind of leave as a parting word?
Eric Evans: [00:30:56] Yeah, for sure. So I think it’s very important to have someone alongside you in the security journey along the way. And of course, you know, as I mentioned just a few minutes ago, don’t put all your eggs in one basket. But at the same time, not having a security partner is kind of not wise. And so what we’d recommend is just finding a good security journey partner. Someone who can take you end to end, or at least find the right people who can take you to the end. Who can help give more perspective to your security team? Who can bring in, or I should say optimize, a lot of the processes and technology that you’re using. And, yeah, I would say just find your good security partner. If you’ve listened this long, take everything we’ve put into consideration here, all the metrics we’ve laid out, the security versus compliance questions, all of that. And make sure you have someone who can kind of work through those with you. Yeah.
Erik Boemanns: [00:32:01] And I do want to just tail on to that. Even if you’re working with a managed service provider, a company that’s managing your IT, often they will appreciate having that third-party review as well. Yeah. So even though they might say that they offer security, they often like to hear what the third party will tell their client as well, because more often than not, it’s going to reinforce the message they’ve been giving their client, assuming that they’re a good MSP, and so they don’t actually mind. The first instinct might be, why, I’ve got this company, they’re going to get mad if I hire a security company to come look at what they’re doing. They probably aren’t. They’re probably going to actually appreciate having that second voice saying, no, you really do need to have better backups. You know, you really do need to have a better security program. Yeah, partly because it’s opportunity for them as well.
Eric Evans: [00:32:44] Yeah. That reminds me of a couple things. One, when we do engagements and then another security company comes to check our work, it’s always validation to make sure that we’re on the right track. So absolutely agree on that sentiment. But another thing is we help achieve compliance. But we’re not auditors. And we always love our auditor friends because they check our work. And then when we come back, you know, a few months later after a third party has audited it, you know, like, for example, in FedRAMP, a 3PAO organization comes in and, you know, then a bigger, much bigger company, like a Schellman or a Coalfire or something like that, comes in and validates: oh yeah, HanaByte actually implemented your controls, you know, and they’ve written the SSP and everything. That’s always really good validation. So yes. Additional security folks, auditors, we love them. Yeah.
Erik Boemanns: [00:33:39] More the merrier because we know we’re going to miss something. Right. And it’s just human nature. So yeah, it doesn’t hurt to have that.
Eric Evans: [00:33:45] Don’t go overboard. Don’t have the hundreds of service providers. No, but a few. Absolutely. Yep.
Erik Boemanns: [00:33:52] All right. So I think, yeah, thank you for joining us today. I appreciate the time, you coming down, and yeah, unless there’s anything else that you wanted to share, I think we are good for today.
Eric Evans: [00:34:02] Thank you very much. I really appreciate it.
About Your Host
Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development.
He combines this with a “second career” as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P).
His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.