Episode 6

Published on:

27th May 2025

Legislation Meets Reality in Cybersecurity

In this episode of "Security Tech Talk," cybersecurity expert Mike Gillespie delves into the intricate relationship between cybersecurity legislation and business practices. With over 35 years of experience, Mike provides a critical analysis of the gap between legislative intentions and their practical implementation in the business world. The episode explores key challenges such as the disconnect between lawmakers and businesses, the complexities of supply chain security, and the necessity for agile certification processes to keep pace with technological advancements. 

Steve and Mike discuss the pressing need for industries, particularly construction and infrastructure, to integrate cybersecurity considerations into their projects from the outset. Mike brings us his opinions on the potential of cybersecurity to transform networks into vital business assets rather than mere security tools and the importance of frameworks like the NIS2 directive and the Cyber Resilience Act in ensuring secure technologies and better data management. Through these insights, Steve and Mike encourage organizations to prioritize cybersecurity as a critical aspect of modern business operations.

About our guest:

Mike Gillespie is a seasoned security expert with over 35 years of experience. His career began in the British military, transitioning into a 25-year focus on cybersecurity. He is the founder of Advent IM and holds numerous leadership positions, including Director at the Security Institute and Vice President of the Center for Strategic Cyberspace and Security Science. Mike also led a steering group for the UK Surveillance Camera Commissioner, focusing on secure by design and secure by default certification. With his extensive background in both physical and electronic security, Mike is uniquely qualified to address today's cybersecurity challenges.

Connect with Mike on LinkedIn 


Chapters:

(00:06) Cybersecurity Challenges in Security Industry 

Mike Gillespie discusses the complexities of aligning cybersecurity legislation with practical business practices, emphasizing the need for informed legislation and the proactive involvement of businesses to go beyond minimal compliance efforts.

(12:55) Ensuring Security in Supply Chain 

This chapter delves into the intricacies of supply chain security in video surveillance systems, highlighting the challenges of adopting 'secure by default' standards and the critical role of transparency in preventing counterfeit components.

(21:10) Adapting to Evolving Security Standards 

Exploring the cybersecurity industry's struggle to keep up with rapid technological advancements, this chapter underscores the need for agile certification processes and the transformative potential of AI in enhancing cybersecurity practices.

(26:55) Importance of Cybersecurity in Industries 

The discussion reveals the alarming lack of cybersecurity considerations in construction and infrastructure projects, advocating for integrated cybersecurity strategies to enhance operational efficiency and data management across various sectors.


Resources:

Read more about Advent IM

More information on the NIS2 Directive

More information on the Cyber Resilience Act 

More information on the EU NIS2 and UK's Product Security and Telecommunications Infrastructure Act

Read the European Union’s AI Act


Meet your host Steve Kenny: Steve has spent 14 years in the security sector undertaking various roles that have seen him take responsibility for key elements of mission critical, high profile projects across a number of different vertical markets. For the last several years, Steve has focused his attention on how technologies can best complement day to day operations and specifically address operational issues by supporting the A&E consultant community across Northern Europe. Steve is a committee member for ASIS International focusing on Education for the security sector and the UK technology advisor for TINYg (Terrorist Information New York group).

Connect with Steve on LinkedIn

More about Axis Communications: Axis enables a smarter and safer world by creating solutions for improving security and business performance. As a network technology company and industry leader, Axis offers solutions in video surveillance, access control, intercom, and audio systems. They are enhanced by intelligent analytics applications and supported by high-quality training. Axis has around 4,000 dedicated employees in over 50 countries and collaborates with technology and system integration partners worldwide to deliver customer solutions. Axis was founded in 1984, and the headquarters are in Lund, Sweden.

Find out more about Axis Communications - Innovating for a smarter, safer world

https://www.axis.com/

Transcript

00:05 - Steve Kenny (Host)

Hi, and welcome to today's episode of Security Tech Talk, where I'm joined by Mike Gillespie. Mike has an extensive career spanning over 35 years in the security industry, where it all started back in the British military, back in the army, and then, for the past 25 years, he has focused his attention on cyber security. Mike later set up and is the founder of Advent IM, and he currently has, well, many roles. So we have the Security Institute, where you take a director's role. You're the Vice President of the Center for Strategic Cyberspace and Security Science, and Mike and I have personally had the privilege of working together for the UK Surveillance Camera Commissioner, where Mike led a steering group that was looking at the secure by design, secure by default certification, and there is no one better qualified today to look at the cybersecurity challenges that we see across the market and the industry as a whole, but specifically focused in terms of the physical and electronic security domain. So, Mike, welcome and thank you for joining today's episode of Security Tech Talk.

01:15 - Mike Gillespie (Guest)

It's a pleasure and thank you for aging me there, 35 years.

01:20 - Steve Kenny (Host)

The bio is extensive and I was trying to pin down all of the different roles that you've done and all of the different volunteer positions, and I thought to myself, when you take on volunteering roles there are so many, they're so time consuming, I just genuinely don't know where you find the time to fit it all in. It's the benefit of having chosen a hobby as a career: none of it ever feels like work.

01:47 - Mike Gillespie (Guest)

So you just find time to do all these things all of the time. And actually I'm just about to commence a new role as part of a brand new think tank that's being launched as a collaboration between government and industry, which is the Cyber Security and Business Resilience Think Tank, which is being chaired by an all-party parliamentary group and the idea there is for both government and industry to come together to shape future cyber policy and cyber legislation. So really exciting new venture there coming through.

02:22 - Steve Kenny (Host)

And is that going to be focused from a European? Or is that going to be local to sort of UK requirements?

02:28 - Mike Gillespie (Guest)

It's predominantly UK requirements and very much seeking to influence UK politicians and the legislation and regulation of the future, to make sure that we stay current and capable, but also to make sure that UK government don't do anything too silly or drastic with legislation.

02:47 - Steve Kenny (Host)

It's interesting that we talk around sort of legislation and the motivations of why we need to sort of legislate, build different standards, regulations, different directives in terms of what is required. On an earlier podcast we've even spoken around the likes of EU NIS2, the Cyber Resilience Act, the UK's Product Security and Telecommunications Infrastructure Act and things like that, and there has always been a balancing act on whether or not it's needed or whether or not it was sufficient. And, depending on who we speak to, we see some individuals, we see some organizations saying it's over the top, we see different businesses saying it's not enough. And what's your view on that?

03:30 - Mike Gillespie (Guest)

I think we have several challenges. The first is that sometimes the legislators aren't sufficiently well educated, don't have the expertise to produce legislation that is fit for purpose, and particularly when we're talking about things like security and cyber security, it's a very niche and specialist area, and if you don't have people contributing to that who have real specialisms, then you can end up with... The Online Safety Act is a perfect example of this. It's a piece of legislation that actually, in reality, is delivering nothing. It doesn't deliver online safety at all. It's an absolutely pointless piece of legislation.

04:12

Equally, at the launch of the CSBR, the comment was made by one of the founders, as part of their introduction, that the government was looking at changes to data protection legislation because currently GDPR/Data Protection Act doesn't work, and I made the point back that the Data Protection Act works perfectly fine if it's applied in a sensible way and in a way that understands the business.

04:39

So we have a combination of factors of legislators not always understanding the subject matter and not having enough subject matter experts involved, combined with those who try to implement it, not always implementing it in a way that understands the need to do it in a way that's business centric. So, we have a tendency in the UK historically that our approach to legislation is everything is permissible except that which is against the law. And that's the exact opposite way to the way that the EU works, which is very much based on the Napoleonic principles, which is, you're only allowed to do that which is enabled in law, which is why within the EU there is so much more legislation than there is here in the UK.

05:30 - Steve Kenny (Host)

So, if we understand that obviously there is legislation that's going to be driving business behaviour, do you think that businesses are doing enough? And had they been doing enough, would this piece of legislation have been required? Or is this a means of punishment to try and motivate businesses to do the right thing?

05:51 - Mike Gillespie (Guest)

I think that's a great question. I think again, if you look at data protection as a perfect example of this, actually, it is not difficult to do data protection well, and it is not difficult to respect the rights and freedoms of data subjects. So why have we had to have increasingly complex data protection legislation with escalating and punitive punishments for not doing it properly? Why wasn't half a million pounds as a maximum fine enough to convince organisations to do the right thing? No, I don't think organisations are doing enough. I think there is a consistent approach of doing the bare minimum, but I think that is mirrored across industry and government. If you think about Cyber Essentials, every supplier to the UK government has to have Cyber Essentials as a minimum, but no department, no government department has to have Cyber Essentials. So why aren't they expected to do the bare minimum?

06:53 - Steve Kenny (Host)

Yeah, it's an interesting point there. It's a sort of expecting your supply chain to provide the security and the processes and the policies that, in theory, you should be looking to adopt yourself.

07:06 - Mike Gillespie (Guest)

e through Computer Misuse Act:

07:29 - Steve Kenny (Host)

I remember I've seen you present at a conference where you were talking around the proliferation of different technologies and how they've been pushed out across the market.

07:39

And when you think about a piece of legislation that might have been written 26 years ago in order to try and legislate that technology, they are so different in terms of what they are, how they've been built, the technology that's inside them, how they're being used, what they're being used for.

07:55

So, yeah, I agree, it's almost impossible to try and use a piece of outdated legislation to govern what is being delivered across the market today. I want to investigate a little bit more, because I can imagine some 25 years ago, and apologies for bringing up how long you've had Advent IM. When you think about when you set that up, did you ever think that you would take a director's role in the Security Institute, that was looking at traditional physical and electronic type security environments, when you've come from cybersecurity? Because I know that you've been brought into this domain to try and add some level of subject matter expertise, because the market has fundamentally changed and the technology that people are looking at adopting and deploying today is no longer the same as it was five, well, certainly not 25 years ago. And how do you see that mapping out against where you were to where you are today?

08:54 - Mike Gillespie (Guest)

Oh, it's changed enormously. So when we first started talking cyber physical, when we first started talking convergence and when we first started talking converged threat, some people in the industry accused us of being hysterical and of scaremongering. When we first started talking about cyber threat to the built estate, we were told that we were being preposterous, and so there was a lot of resistance and lack of understanding, but we had an industry that had never had to worry about connectivity because everything was always offline. The biggest challenge that I see today is that in the physical security world, we're still trying to manage our security systems in the same segregated offline manner. So we air gap networks, and we believe that somehow keeps us safe from cyber threat, but it doesn't. In the last six months alone, an advanced persistent threat actor group linked to the Russian state has developed not one but two tool sets specifically designed to attack air gap networks and exfiltrate data from them.

10:11 - Steve Kenny (Host)

I'm really glad that you brought this up, because a couple of months ago I wrote an article around closed networks and why you can't assume, or even hide behind, a closed network with the assumption that it's secure. Because that was... I spoke at a conference and someone said, "I like all the stuff you've been speaking about, but that's irrelevant to me because my technology sits in a closed network." There was no sort of consideration around insider threats. There was no consideration of the true capabilities of organizations, and when I wrote this article, the amount of people who said, "Steve, we've moved on from this." You know, this is a conversation that is five plus years old, but we are having these conversations still.

10:55 - Mike Gillespie (Guest)

We are and we haven't moved on from it.

10:57

And only last week I was speaking at a conference exactly about this, and the show of hands I got when I asked who is currently managing a building management system or a physical security management system that is on an air gap network? It was the majority of people in the room, but that doesn't make it safe. And then actually what we then hear is, "I don't need to patch because I'm on an air gap network," which is folly. How do you get software updates into your systems? How do you get firmware updates into your systems? Half of these networks aren't even running anti-malware. So when malware is introduced into these systems because you're using an insecure USB stick to introduce a firmware update, which actually happened, I know, at a critical infrastructure site, where an engineer from a supplier turned up with a USB stick to install an update and infected it with malware.

12:00 - Steve Kenny (Host)

The question is, do we find that the technology vendors, so the Axis of this world, you know, is there room for improvement? And I speak on behalf of all the vendors. Is it an educational point of view from the systems integrators that are installing, commissioning, maintaining these systems? And is it an end user? Because there is obviously a lack of true understanding of the risk when people are making comments like this, that no, we're fine, we're secure. How do you find that from your discussion points? Because I know that there's one side of the business as well, you obviously do a lot of training for these organizations. So do you find that when you're training different organizations, some are quite at a mature level, or is the majority of the industry at "must do better" on the report card?

12:45 - Mike Gillespie (Guest)

Yes, there is a range of levels of maturity, but I would say we're still at the lower end of the maturity scale as an industry. Now you will recall that when we were engaged with the Surveillance Camera Commissioner, we started the process of developing secure by default for video surveillance systems. In the very early days of that, most manufacturers were kicking back at me saying security was an end user problem, even though some of them were making systems that were inherently insecure coming out of the box. But that only works so far. Having a system that's secure by default when you take it out of the box only works if the installer does the right thing, and it only continues to work if whoever's maintaining the system, whether that's the end user or system integrator or an FM maintenance contractor or whoever, is continuing to do the right things as well. So it has to be an end-to-end approach and we need to educate the whole community.

13:45

It was very disappointing to me that after Tony Porter left his post, the role of Surveillance Camera Commissioner didn't continue to see the driving of standards as being a priority, and so much of the infrastructure that Tony put together, the 14 work streams that were convened under him and produced such great work, were effectively dismantled and seen as having no further value. Again, as you know, the whole desire was to have secure by default that had standards that ran across from manufacturers to installers, to consultants, to end users. So we had an end-to-end approach to secure by default.

14:33 - Steve Kenny (Host)

Which I think, had that worked, could have been the gold standard for the industry. That could have been picked up and it could have been replicated in lots of different countries, because for the first time, there was cyber security best practice built into the video surveillance market. We see standards all over the world that influence how systems need to be designed in terms of pixel density, resolution, how many cameras you need, but there's nothing that actually truly embraces the importance of cyber security.

15:05 - Mike Gillespie (Guest)

And that's just one small facet of the security landscape. And if you take a really good quality and properly secured video surveillance system and integrate it with a wide-open access control perimeter, you've still got a vulnerable network. Or, you know, a perimeter protection system that hasn't been properly secured. Or you start putting access control systems on the edge of your secure perimeter, and you've actually got an interface that sits on the outside of your security. You've introduced vulnerabilities. So unless we start looking at this in its totality, and we can have assurance that every component that goes into our physical security system has got the same level of assurance, then we're always going to have weak points that we're going to have to manage.

15:53 - Steve Kenny (Host)

So how do you find then, understanding that we need to manage the weak points, how do you find the lack of transparency in terms of actually who's manufacturing equipment? If we look at an ODM or an OEM type model, where someone manufactures for someone else, they will put their branding on that box and on that device, and even the ultimate ownership of these companies. What level of risk is that? So if you've done your due diligence on company A and then you find out that when you've deployed tens of thousands of devices, actually, other than a logo on the box, it is someone else's technology, where do you see the challenges there?

16:36 - Mike Gillespie (Guest)

Yeah, it is a big challenge because there's so much grey importing that goes on, and having a genuine understanding, end-to-end, of where every component in your security system has come from has become increasingly challenging. And that transparency is incredibly lacking sometimes in the reseller community, because we typically operate in a channel market. That's where that opportunity for greyness comes from, because you don't have a relationship with the manufacturer, so you don't know who's made your kit. You maybe don't even have a relationship with the importer. Your relationship is three steps down the line with a system integrator who themselves might not know where the kit has originated from. And actually there's a massive challenge that we're facing at the moment in the world of counterfeiting, because there's a huge amount, you know, we're talking billions of pounds' worth of imports every year into the UK that are counterfeit. And if we're putting counterfeit chipsets and counterfeit electronics into our security systems and we're trusting those security systems to go into our critical infrastructure, well, where does most counterfeit electronics come from?

18:00 - Steve Kenny (Host)

I'll allow you to answer that, Mike.

18:03 - Mike Gillespie (Guest)

They come from countries like China where they're mass produced. So, on the one hand, we have had previously a government that were on an anti-China tirade and effectively saying you can't buy from this company or that company, and on the other hand, the market is being flooded by cheap Chinese counterfeits. So how do you control that? We've got to get more transparency into the supply chain.

18:31 - Steve Kenny (Host)

So the counterfeiting of the hardware is one thing, but actually the counterfeiting of the operating system and the software that sits in it, that's where you get things like signed firmware, things like that, that can do some form of authentication on the technology. And I think that's where actually governments might start to say no, you need to start adding these levels of security into the software, because that's the easiest way that we can actually validate that it is authentic. But also, when we, I think, as a leading question.

19:08

We've seen the UK government, we've seen governments around the world start to influence what technologies can and can't be bought, even outside of government contracts. And obviously in the US you've got the National Defense Authorization Act which, interestingly, specifically named certain technology companies that were on the list. But even more recently they've started to drill down to a semiconductor component level. Is that the right thing for governments to do in terms of influencing that? Because I'd assume that they've done that to protect critical infrastructure, they've done that to protect the data of their citizens. What are your views on that?

19:51 - Mike Gillespie (Guest)

I think that very much depends on who you're referring to when you use the term government. So I do think that we have to be very careful that we don't conflate the need for national security with political aspirations. And politicians do not always have the needs of the whole of the country at heart. They have at heart their ideology and their politics, and that drives their decision making. Now, if we're talking about government in terms of organisations like NPSA, NCSC, GCHQ, then yes, these are organisations who have a specific remit to advise and guide on security and best practice, and that's great. When we start having governments, and by that I mean politicians, interfering in subjects they don't truly understand, then we end up with decisions being made that are political, not necessarily the right decisions for the country.

21:09

I think we also have to be careful that, and we have seen this before, so I can remember back in the heady days when there used to be a scheme called the CESG Listed Advisor Scheme. These were consultants that had been vetted by CESG and were considered to be suitable for doing high-end government security, cyber security. Now, if you were operating in that world, you were also told that you should only use security products that had been through the CESG assured product scheme. At that point in time, CESG were not resourced or funded to be agile enough to be able to cope with the rapid evolution of security products. So you would be forced to install an out-of-date or end-of-life firewall because that was the assured product, rather than the most up-to-date and most secure product.

22:02 - Steve Kenny (Host)

Yeah, that's not unique, is it? We've seen that in lots of certification type organizations, and we've got to be mindful that they are there to make money. But you actually find exactly what you've just said, in that all of a sudden someone is installing a piece of out-of-date technology because their latest, which has been patched, bugs have been addressed, stability has been addressed, whatever vulnerabilities are there, that's not got the certification, because that might take six months to come. So people are installing out-of-date technologies in order to maintain the certification, get the compliance. Yet that's not best practice. There's a balancing act there, isn't there?

22:40 - Mike Gillespie (Guest)

And we're seeing that a little bit at the moment with the new CAPS scheme for things like high-end security access control systems, things like that. Now I do know, having spoken to people in the last few weeks, that the intention for the next iteration of this is to have more involvement from industry, so having testing labs using organisations like the British Standards Institute, creating more resilience, more agility and more bandwidth within the system to allow those products to be streamlined through that assurance process, so that we don't keep having that situation. If governments want to get involved beyond advice and setting guiding principles, then they have to be resourced and they have to have sufficient subject matter expertise to be able to soak up the demand from industry.

23:40 - Steve Kenny (Host)

It's an interesting one because, obviously, sat where I am, we've explored how we would, you know, work within that framework, and one of the things that we've obviously struggled with is, for an organisation like Axis, we've got several hundred different types of technologies and different devices, and they all have a very consistent operating system and firmware. But we find that actually, in order to go and get these approvals put in place, like CAPS, they would want to do a product range, and that product range might cover 5% of your portfolio. So if you want to go and get, you know, a handful of different products approved, they might be out of date within a year, two years, because we've brought out brand new ones, and it just becomes very, very expensive. So I think that is something that we would certainly benefit from, sort of streamlining that process and getting a bit of a consistent sort of framework in place that would support the compliance of that.

24:34 - Mike Gillespie (Guest)

Yeah, and assurance has to be agile enough to keep up with the rate of change. And if you think the acceleration of technological change from when I started 25 years ago to today, you know I could not have envisaged some of the things that we're talking about today. Things like large language models and AI and even machine learning were still very much experimental and almost a thing of science fiction, and yet today they've become mainstream.

25:08 - Steve Kenny (Host)

It is a very, very interesting discussion in terms of AI and cybersecurity, and we see people talking, you know, is it friend or is it foe? And how do we manage that? Because it is so new, and we've obviously seen the European Union come out with the new AI Act, and we're just seeing how that will start to sort of manifest into the marketplace, because actually, looking at it, I think there's a lot of rules and regulations for businesses to comply with, but I'm not even sure that it heavily focuses on the importance of cyber security, which I think is business critical, because that is probably one of the areas that will either benefit or will suffer the most from artificial intelligence.

25:48 - Mike Gillespie (Guest)

One of the things that I discussed at the launch of the CSBR a couple of weeks ago was exactly this, that we insist on developing specific legislation for cybersecurity instead of understanding that cybersecurity is everywhere and has to be an embedded part of every piece of legislation we introduce going forward. And cybersecurity has to be part of every discussion we have at every level, within every business, because it's no longer a niche thing that you can carve out and put over there on the shelf. It has to sit across every discussion we have, every standard we produce, every piece of legislation we produce should have some nod towards cybersecurity going forward.

26:33 - Steve Kenny (Host)

So, what is an interesting statistic? We did some work with a construction planning portal organization. So for every new construction infrastructure project that was released, obviously you've got to go through the planning applications, and before it goes out to the market, people will bid against that in order to actually work out, okay, how much is it going to cost to build this building? We invested in some research and development that actually would evaluate all of the different construction and infrastructure projects and what the specifications looked like and, in a very worrying way, only 11% of them had any form of cybersecurity written into that specification. So what about the other 89%? Is cyber security not important to them? Is it an afterthought? And that was quite worrying, and I think, as you said, it would be nice if it was in every single element of procurement, standards, regulation. It went right across the board.

27:28 - Mike Gillespie (Guest)

I was talking to somebody about this in relation to smart buildings and smart cities recently, and for me, when we have conversations about smart buildings, the conversation about cyber is the equivalent of having built a skyscraper and then, at the 11th hour, saying now put a lift in it. That's how late an afterthought cyber is at the moment when it comes to these buildings.

27:54 - Steve Kenny (Host)

And when you talk, I know you've been a big advocate and you've spoken around sort of convergence for a very, very long time. I guess that is the only logical way that we can actually increase and improve the profile and the importance of it, by getting all of these different stakeholders within an organisation to sort of sit down and have mature conversations.

28:14 - Mike Gillespie (Guest)

Well, I think also it goes beyond that, and it comes back to business efficiency and business capability, because actually, if we get cyber right, we can do so much more with these systems. The prevailing approach of air gapping networks that we've talked about actually means it's harder for us to get management intelligence out of these networks. It's harder for us to use these networks as anything more than just security tools, when they should be critical business tools. We should be getting management intelligence out of these systems that allows us to run our buildings in a more effective and efficient manner. We should be getting intelligence out of these systems that allows us to manage our people more efficiently and more effectively. But we can't, and so they're a cost centre because they're just security. When they actually run well, they can be health and safety, they could be marketing, they could be customer service, they could be a whole range of things. They can be a massive support tool for facilities management. If we get the cyber right, we can open these networks up and exploit that data to its maximum potential.

29:22 - Steve Kenny (Host)

But you cannot believe the journey that we've spoken about in terms of digital transformation and how we need the industry to stop speaking CCTV and truly benefit from the capabilities of technology, and the only way to do that is exactly what you've just said. We need to maintain and make sure that the technology can be used in the correct manner. The data can be collected, we can share that information, but it can only be done when people trust that the devices that are connected to networks are secure, and that's why we're here and we see a lot of discussions around sort of zero trust security models and things like that.

29:58 - Mike Gillespie (Guest)

This goes beyond just physical security, though, Steven, because in the last couple of weeks I must have read a dozen articles talking about lack of government efficiencies because of siloed data sets, because of segregation of networks, because of lack of joining up.

30:15

If you think about the government and you know that's an amorphous blob that you have to just sort of accept as the government. But think about the government. Think how many departments there are in the government and think how many of them hold exactly the same amount of data about each citizen and every one of them running servers to process the same piece of data, and think about the greening effect of that. Think about the lack of efficiency in that. Think about the time and effort that goes into maintaining all of those data sets rather than us having centralized databases. Now there's a whole trust thing here about do we trust government to have these massive centralized databases? That's a totally different discussion that I could spend another whole podcast talking about, but let's park that for a moment and assume that we can trust government with our data. Imagine the efficiencies that you could have if we had government departments collecting once, using it many times, and managing information from a centralized repository that had one golden nominal, and then multiply that up across the whole of the public sector.

31:30 - Steve Kenny (Host)

I live and breathe that here in the Middle East, so I get it. I understand both arguments. I understand the government efficiencies, the value it brings to individuals, and I also understand why people are worried about that, whereas I don't get to say it is what it is and you buy into that. I'd just like to get your final thoughts on.

31:53 - Mike Gillespie (Guest)

Just to finish that off, though, Steven, the reason why that's a really important subject and sooner or later it is going to have to be grasped and dealt with is because just in this last week, I've read stories that are saying patients are being hurt and in some cases dying whilst being treated by the NHS because of lack of joined up data, because of failures to share data, because of the data existing in multiple silos and not being accessible. Every single public inquiry that you can point to in the last 20 years where somebody has been let down, a major incident hasn't been prevented. Even looking at the latest report into the Manchester Arena bombing, they all say we have to get better at sharing data and making it accessible at the point of need. So we have to sooner or later grasp that, because actually, it's people like us, real people, who are getting let down by this segregation of networks and this failure to open up and manage data effectively. So it goes beyond just physical security systems. Actually, this is a mentality that's proliferated across all sorts of industries.

33:10 - Steve Kenny (Host)

So, understanding there are undoubtedly great opportunities in order to make these systems work more efficiently. Just as we're going to wrap up, I'd like to see, or get your views on, do you think the likes of the NIS2 directive and the Cyber Resilience Act, do you think that is going to support what we've just discussed in terms of we can guarantee that the software and hardware technologies are more secure? Do you think that will help and improve what we've just been discussing?

33:43 - Mike Gillespie (Guest)

If they're adopted and embraced in the spirit in which they're meant, then it can. I think there is a danger that by having NIS 2 for operators of critical infrastructure, for having DORA, for having this, for having that, that actually all we're doing is further fragmenting sectors down, and those sectors that aren't covered by that just sit back and go happy days, I don't have to do anything, when really what we need is a common approach to cyber security and then encouraging industry and organisations of all sizes to start doing the right thing. And maybe legislation and regulation isn't what's needed. Maybe what we need is a re-education of industry as to why, for organisations, for businesses and for people generally, this is the right thing to do.

34:36 - Steve Kenny (Host)

And I think if we're being optimistic, that is absolutely the best approach, but if I'm being pessimistic, we would have been there already, had people bought into that. So just to wrap up.

34:49 - Mike Gillespie (Guest)

After 35 years, I'm still a dreamer, Steven, what can I say?

34:51 - Steve Kenny (Host)

Well, someone has to be, Mike, someone has to be. So, just being mindful of our market, wrapping up, what would you give as a key takeaway for organizations that work within physical security and what they should really focus on over the short to long term in terms of their cybersecurity strategy, because it is something we all need to be better at?

35:12 - Mike Gillespie (Guest)

So convergence isn't something that is on the horizon, it isn't something that's happening, it's something that happened and we need to catch up with that. Every system you buy and implement into your organization now, whether it's access control or video surveillance or perimeter intrusion or even, dare I say it, rising bollards, has a connectivity somewhere and that makes it potentially vulnerable. And if you don't know how vulnerable you are, then that's the worst possible situation to be in. Not having evidence of having had a breach is not the same as evidence of a breach not having happened.

36:01 - Steve Kenny (Host)

Very true.

36:03 - Mike Gillespie (Guest)

The number of physical security managers who still do not regularly penetration test, IT penetration test their physical security systems, is phenomenal. If you're not pen testing your systems, if you're not having those IT health checks, then you do not know how vulnerable you are and you cannot therefore be managing them. And therefore don't be talking to me about risk management, because you're not doing risk management at all.

36:26 - Steve Kenny (Host)

That is a great final point, because when I talk around security risk management and we look at what is the greatest risk to businesses today and there's a load of evidence to suggest it's cyber security, why is it that cyber security is the point or the final area that people have missed out? So, Mike, thank you so much for taking the time to share your valuable experiences with us today. Apologies for reminding you how long you've been in the industry, but it is invaluable. And thank you so much, and I encourage our listeners today to take a look at Mike online and I'm sure there's some great articles and content that they would benefit from picking up on. Thank you, Mike.

37:04 - Mike Gillespie (Guest)

It's been a pleasure. Thank you, Steven.

37:10 - Steve Kenny (Host)

Thanks for tuning in to Security Tech Talk. If you've enjoyed today's episode, be sure to check out the other episodes for more insightful discussion and expert perspectives. Don't forget to subscribe so you never miss an episode. This podcast is brought to you by Axis Communications. Axis enables a smarter and safer world by creating solutions for improving security and business performance.


About the Podcast

Security Tech Talk
Conversations with security industry disruptors and innovators
We talk to security industry leaders, disruptors, and innovators with strong views and opinions on the future of topics like physical security, smart buildings, artificial intelligence, cybersecurity and more. We dig into the latest tech trends, explore how security is shaping the world, and delve into those tricky regulations (like NIS2, the Cyber Resilience Act, the EU Artificial Intelligence Act, the UK's Product Security, Telecommunications, Infrastructure Act and more) that keep everyone on their toes. We are here to talk about technology trends, explore the big issues facing the security industry, and provide valuable insights that will support you and your business. Join us as we uncover important information to help you come away feeling well-educated and prepared for the future. This podcast is brought to you by Axis Communications Inc. - innovating for a smarter, safer world.

About your host


Steven Kenny

Steven Kenny – Manager, Architecture & Engineering Program – EMEA, Axis Communications.
With two decades of experience in the security industry, Steven Kenny has played active roles in numerous high-profile projects, both domestically and internationally. Over the last eleven years, his focus has been on understanding how security technologies can best support business security strategies, all while advocating for the heightened importance of cybersecurity and compliance within the physical security field.

Currently leading a team of Architect and Engineering managers across the EMEA region, Steven remains committed to contributing positively to global security practices. He is actively involved in industry associations and international standards organizations, seeking to collaboratively shape the landscape of security.

In a more behind-the-scenes capacity, Steven has provided consultative support to a national steering group instrumental in establishing the Secure by Design, Secure by Default certification. His close collaboration with the UK Surveillance Camera Commissioner reflects his dedication to enhancing standards in the physical security sector. As a speaker at international security conferences, Steven has modestly shared insights that have contributed to the industry's development and the identification of key technology trends.

Beyond his professional commitments, Steven has volunteered his expertise, previously serving as Director of Systems, Information, and Cyber Security for ASIS International and the UK chapter, before being elected as a board director. He also serves on the EMEA Advisor Council as the emerging technology lead for TiNYg (Global Terrorism Information Network). Additionally, he contributes to various standards committees supporting IoT security and plays a role in the BSI Private Security Management and Services. Steven Kenny's humble dedication has made a meaningful impact on the global security landscape, positioning him as a valued contributor to the industry.