FILED Podcast

Director of Third-Party Risk Management at UpGuard Aaron Spiteri discusses the challenges organizations face managing their third-party risk and offers suggestions for organizations to ensure vendors are maintaining a high level of security. 

Topics discussed
  • The landscape of supply-chain risk 
  • What does a third-party risk assessment involve? 
  • The common mistakes third-parties are making 
  • The evolution in attitudes toward security and risk, especially for those in leadership positions. 
  • Advice for organizations who want to control their vendor risk. 

Creators & Guests

Host
Anthony Woodward
CEO and Founder of RecordPoint
Host
Kris Brown
VP of Product at RecordPoint

What is FILED Podcast?

A regular conversation with those at the convergence of data privacy, data security, data regulation, records, and governance.

Anthony Woodward: [00:00:00] Welcome to file a monthly conversation with those at the convergence of data, privacy, data, security, data regulations, records, and governance. I'm Anthony, the CEO of record point. And with me today is my cohost, Chris Brown, record points, VP of product. Hey, Chris, how are you? I'm very

Kris Brown: good mate. And as it just would be perfect timing, we've got everybody here today ready to go, but we've got some neighbors who have decided that chainsaws are things that they want to play with right this second.

So if you do hear that during the podcast today, no, Anthony and I aren't fighting in the background with chainsaws. It's just my wonderful neighbors. How's things? Yeah, good,

Anthony Woodward: good, good. Although that chainsaw fighting sounds like fun. We should organize that at some point.

Kris Brown: Maybe we should introduce our guests and see whether they would like to be in there as well.

Anthony Woodward: So today, everybody, we have Aaron [00:01:00] Spiteri from UpGuard.

Aaron Spiteri: Hey, how are you Aaron? Yeah, good. Thanks. Thanks so much for having me here today. I

Anthony Woodward: know it's really great to have you along. And part of what we do on this podcast is try and get a lot of different views from different parts of the industry. Like. We said at the intro, we really see the industry as a whole bunch of convergence occurring across a bunch of different problem sectors.

And it's great to have someone from UpGuard on it. Would you mind giving us a little bit of background on UpGuard and the problems you solve and the things you do every day?

Aaron Spiteri: Yeah, awesome. No worries. So UpGuard itself is an all in one third party risk and attack surface management software that our customers are consuming within that piece of software that we have.

You can essentially use the UpGuard Vendor Risk area of the product that does allow you to continuously monitor your vendors, automate security questionnaires, and reduce your third and fourth party risk. We do also have area of the product called Breach Site, which does also allow you to monitor your attack surface management, prevent data [00:02:00] breaches, discover leaked credentials, and protect your customer data.

The final piece that we do have is our Managed Service, which is the area that I'm working in. So I'll sort of just give the leeway into that, but the managed services piece is where we essentially work with customers where customers want to do assessments on their vendors and third parties and customers would essentially request from our team of analysts to go and do that work for them, whereby we would communicate with our vendors on their behalf, send out security questionnaires and obtain information back on those vendors to give those customers information on those vendors and how risky they are.

Thank you. So to give you a bit of an intro there on UpGuard itself. So, yeah, I've worked in IT for several years across multiple different roles, so I've worn quite a few different hats. And I suppose that's given me a lot of good experience and exposure in different areas. I got really interested in cyber a few years ago when I worked as an IT manager.[00:03:00]

For a financial planning company. And that's where it really became evident to me that yes, security was a really important, you know, piece of the puzzle, especially in making sure that customer data was safe. Fast forward a little bit. I've now been working at UpGuard for just over four years now, starting in their customer success team as a technical account manager.

So I was the first technical account manager here in Australia, in the company, and then helped grow out that team. Of staffing customer success and worked my way up to the director of customer success of which not that long ago, I moved on to another position, which was the director of third party risk management, which is what we're going to be talking a bit more about today.

But yeah, that's how you find me today.

Anthony Woodward: No, that's really cool. I know Chris is the same, you know, but particularly ask you work in records and data management for a long time. Your stuff sounds really exciting. And also the records and data management is exciting. It's exciting too, but we certainly get [00:04:00] excited around the all that sort of upstream management elements.

And I guess that brings us to the, you know, a few questions. One of the things that we've been writing about and talking to our customers about, you know, the regulations coming from APRA as a regulator here in Australia, or obviously the regulator in Canada or the sec is really that third party supply chain risk and managing.

The supply chain elements. How do you see that world today around supply chain risk? You know, after the, the move at hacks and after the hacks that we've seen in a number of vendors out there, what's that landscape look like for you?

Aaron Spiteri: Yeah. So for us, you know, we see it all the time because we're working with customers that are essentially going and, and essentially using our product to manage and monitor their third parties.

Right. So it is really big and it's really important. Customers are getting audited on this all the time. And customers have a lot of interest in this now as well, given that there's been so much media around, you know, things are leaking or breaching, you know, there's a lot of reputation on the [00:05:00] line now, and our customers are putting a lot of trust in their 3rd parties.

So as soon as you do put that trust in a 3rd party. And you're giving them some of your data. Essentially, any of the risks that they might have now become some of the risks that you might have because you're working with them. So that's why this has grown so large because there are so many vendors and customers that are all working together now.

And there's data all over the place. People are sharing all different types of data, depending upon what service they've got for you. So if anything does get leaked out, if there is a security issue, anything like that with one particular company, if you can imagine, they've got multiple customers now, all those customers then become affected as well, which is why this is becoming such a big thing, because there's so much reputational damage, irreversible damage as well.

Once the data is actually available. It's next to impossible to get rid of that data once it does leak on the dark web, for example, and [00:06:00] we just see it continuously getting copied and duplicated all over the place. So it is quite a big deal.

Kris Brown: You, once you see that genie come out of the bottle, right? Like it's, it's out there.

It's very, very difficult to stuff it back in. You can try. I've watched the Disney movies. They do try very hard. Interesting for me and maybe something for the audience too, Aaron, to explain a little bit more about that third party risk. So. In the managed services thing, we've sort of spoken previously, but what are the things that you're doing?

You know, how does that provide value to your customers? So maybe some examples where we could be a little more specific for the customers.

Aaron Spiteri: Yeah, for sure. So one of the things that we do for our customers is a customer would let us know that they want to do a third party assessment and essentially what we would help them do is.

Work out what T that vendor is. So it might be a critical high risk, medium, low risk. All vendors have got essentially different tiers, depending upon what they're doing for the customer. And that's if they're holding a lot of data or a little bit of data. [00:07:00] What type of data it is, it all just depends, but we help the customer through that piece.

We then have a look at whatever the tier is for that particular vendor to then determine what type of security questionnaire we need to send them. So, you know, if they've got a customer that's trying to adhere to, you know, APRA, CPS 234, or also work with ISO 27, 001. With their vendors, we can essentially from the UpGuard product, send a questionnaire that's tailored to ISO 27001, for example, and we can send that out to a vendor.

So a vendor would receive that. They then log into the UpGuard product. They then complete that security questionnaire in our product and provide it back to us to then provide that back to our customer. My team specifically would go a little bit further. And what we do for customers is we get the questionnaire back and then we liaise with the vendor to go and get some additional evidence.

So if you can imagine, I asked you to just complete a questionnaire. You [00:08:00] could put in whatever you want. But when we get that back, we need to then validate it. So by validating it, we need to go and get some additional information such as pen tests or SOC 2 reports, things like that, that can help us validate and confirm all the things that that vendor put in a questionnaire.

Is that valid? Is there anything else that we need to look for? And have we got that Any compensated controls essentially that they might have come up with so that we can have a look at that and provide that back with that customer. So there's a bit of added work we do. And then we piece together a whole risk assessment where we write up a risk assessment report and give that back to any of our customers that essentially using that managed service.

Kris Brown: And what are some of the common mistakes? I think we were talking about the pen test stuff earlier as well. But what are some of the common mistakes that the third party, you know, does it while they might attest to a certain level of things? It's like, I think you were mentioning things like, you know, the pen test might be old or, you know, what are the common mistakes organizations are making in answering these?

Aaron Spiteri: Yeah, [00:09:00] definitely. So that, yeah, what you were talking about just before with the pen test, we see that often where, yeah, it costs quite a bit of money to get a pen test. We see that sometimes it might be a small company. They can't afford to do it every single year. So they might do one pen test every few years.

We have to mark them against that because the pen test is obsolete essentially. So they should be. Done every year, but if we get one that's over a year old, we've got to flag that with our customers to let them know that we found one, you know, that's exceeded that year period of time. And we see a lot of other things like vulnerable unpatched technology.

So specifically with software open ports, you know, it's one that you might not think about. You know, you're working at a company and, you know, staff are doing what they're doing, opening ports. They might not think anyone else can see it, but there are people out there that can see all those open ports that are constantly scanning.

So we see that all the time. We also see HTTPS and HTTP. So a lot of websites still might be available using HTTP instead of having [00:10:00] HTTPS. So we flag that as well. That's another common one. A lot of untrusted web certificates as well that we see. User behavior is actually a really big one as well. So human error is a really big cause of a lot of loopholes that we do see as well.

When we're doing some of these assessments, things that people have done and, you know, failure with their IT policies is really big as well. And then your compromised systems, they might not know that they've actually got something that's compromised. That's sitting there just waiting. They're quite a few of the things that we do come across.

Anthony Woodward: Yeah. Beautiful. Super interesting space. What do you see, you know, something that we certainly say, and as we talk to the industry is the realization of boards and the realization of people in more executive roles of, of trying to better manage these risks. You know, I think with UpGuard, we share a number of large customers and the reality in our space is the boards have seen this is something that you do to the side as opposed to something that's core to the operation of their business.[00:11:00]

And as a result, They've not treated it that way, but there's a real transition going on of how do you manage risk, data risk, be it cyber risk, be it other risks in the business. And then what are the controls around that? Is that consistent with what you're seeing in UpGarden in your roles?

Aaron Spiteri: Yeah, I, look, I feel like in the past there was a lot of ignorance towards IT and security specifically from leadership and management.

That's not to say everyone was doing that, but I would say that there was a Big piece of that. And I know that cost was probably another big thing that influenced that as well. And just not knowing what was going on there. I do feel like that has changed significantly. I know that a lot of the people that we work with, a lot of the vendors that we work with, they've actually got staff members there that know exactly what they're doing.

They're focusing on accreditation. The business is putting money into it. And the business is also putting money in from a leadership point of view to then make sure that they educate all their staff as well [00:12:00] on what they need to be doing for cyber as well. So. You know, again, thinking about it back in the day, I feel like it was always it's problem and it is going to protect you against or any of your cyber risks.

Whereas now, you know, you would see it and hear it that a lot of businesses now putting so much time and energy into also educating this staff so that the staff know exactly what to do, what to look for. And they're essentially living and breathing the values of the company to make sure they're all collectively helping to protect themselves.

I think that is really positive and I do see a lot more of this, which is really good. As I said, I didn't feel like that was such a big thing years ago, whereas I feel like now it is really at the forefront.

Kris Brown: So you were sort of saying, you know, very much, you can see it changing inside the organizations, but is the who changing?

So you sort of mentioned that it was very much IT's problem, and now there's others in the organization. Who's the who in this scenario? Who's, [00:13:00] who are we really talking to? Who are we really seeing as responsible? Who is really engaging? Like, you know, roles, obviously don't want names of individuals, but yeah, roles and what's being created in organizations that drives the So I need to buy an UpGuard or I need to do that security class.

These are the parts of what we're doing.

Aaron Spiteri: Yeah. Look, we speak to a lot of different people, you know, from chief information security officers, chief technology officers, cyber risk teams, that's definitely growing. IT managers, security and governance personnel and procurement teams getting involved as well.

So really where I see it with the cyber risk teams, that's definitely growing a lot more. There's a lot more businesses I work with now where there is actually a team that is looking after cyber risk. Years and years ago, I felt like it was more just risk and compliance and they kind of had a bit of overarching.

You know, gray areas into it, but it wasn't really their bread and butter. [00:14:00] Whereas now there's like a full cyber risk team looking into that, that then essentially reports into the chief information security officers, which then provide that straight back into the business. Right. And procurement as well is now getting a lot more involved, especially with those cyber risk teams where they're doing a procurement piece.

They're trying to come on board with a new vendor. And now there's all these assessments that have got to be run to actually confirm that particular vendor opposed to just bringing them on board and then telling I. T. Hey, yep, we've got this new vendor. You've got to set it up. That to me is what it used to be like, whereas I feel like now there's a lot more hoops that you've got to go through to make sure that cyber is team is happy.

And they are working very closely with procurement from what I can see to make sure that they're reporting that back to the business with these reports that they've got to provide. So like a risk assessment that I'm talking about, so a full assessment that explains any risks involved in working with any of those [00:15:00] particular vendors is something that now needs to be provided, not just, you know, the cost of how much it's going to cost to come on board with that vendor and and what they're specifically providing as well.

So that's definitely changed a lot.

Kris Brown: Yeah, and look, I think it's interesting. I'm sure for the, what would be maybe the core listeners who normally listen to us from a records or an information governance world, there would have been the act of, I will supply the information that's regularly gathered. It's available here.

A good vendor will have that information regularly managed. I'd even suggest that, you know, maybe UpGuard should be looking at how are they managing those documents, even just the reports, the assessments and the other things. I'm sure there's lots of processes related to that. But if I'm an organization listening to the podcast and you think that there might be more that can be done.

Other than run off and invest in your product in UpGuard, what's some advice? What's the first step that, you know, organizations can do that you see regularly, that that would help with making [00:16:00] sure that they've got good control of their risk? And maybe if I add to that the other side, like as a vendor, if you're a supplier, what are the things that you can be doing to make these processes more streamlined for your potential customers?

Aaron Spiteri: Yeah, awesome. I'll try and just rattle off a few in no particular order that come to mind. So encrypting data and definitely creating backups is important. Obviously making sure that you do protect any of your data. I see a lot of data that still is not encrypted. So that's that's a really big one to make sure you're keeping your data safe.

Making sure that you are conducting that employee training. I spoke a little bit about that today and how it's really important to make sure that you've got your data. The whole business involved. So making sure you actually have employee training is important because you need to make sure those employees know what to look for.

Otherwise, if you don't help them, they could potentially click on anything, download things and do the wrong thing, right? So you need them on board, really important to keep your systems and software updated. I still come across [00:17:00] some companies where. They didn't know a piece of software was installed and it's obsolete.

You can't get updates for it anymore, but it is sitting there and it is risky. So make sure that you understand what software is installed where, make sure it is updated as well. Enforce the use of strong passwords. So still people can use passwords that are not super strong. Really important to make sure that you're using strong passwords, complex passwords, even Making sure that you do have multi factor authentication with those is a must.

So I'd really focus on that. Discourage any staff members from sharing passwords. They shouldn't be doing that anymore. I still do see that sometimes with legacy applications, they just share passwords should not be doing that. You should definitely assess and monitor your vendors. We spoke a bit about that as well already.

Have a look at how you can reduce your attack surface yourself as a business. So what are the different, you know, like entry points that you could have? It's [00:18:00] anything. So if you've got like IOT devices, software, web applications, systems, anything that's really facing the internet could be an attack surface for you.

So making sure you do a bit of an assessment to understand what are all the things that are available. For your company on the internet, because you want to make sure that all those different areas are reviewed for any risks that you do have also your physical security too. I know we're talking a lot about cyber security, but your physical security in an office.

If someone did walk in there and. You know, they took a computer, how easy would that be for them to do that? And is there data on the computer or is there, are you still storing data on external drives that someone could just take off your desk? You know, you need to make sure all of this is protected as well.

Making sure you've got firewalls set up. And probably the last thing I'd say is really making sure you've got a clear cybersecurity policy for your staff members. So I spoke about training. [00:19:00] But making sure you've got a policy in place so they understand what they need to follow and what they should do in case of anything that pops up in relation to that.

So that's probably what I'd suggest for anyone that was wanting to try and do some things themselves as for vendors specifically. For you to make it easier as well, anyone that you want to work with and do business with, they're going to essentially want to do an assessment. They're going to want to understand, you know, how you would hear the things.

What are your different types of certifications that you might have or policies and procedures? Because you're going to receive that in the form of a questionnaire. One benefit of the UpGuard product as well is we've got a shared profile, so any vendor could essentially log into the UpGuard product, create a shared profile, and they could answer any of those questionnaires and save them.

So once they've answered them once, they can then just get them ready and provide them to any customer that wants to of their [00:20:00] security information. I do also see a lot of vendors put security packs together, which is awesome. So that's where they've got like their SOC report, pen tests. They might have all their attestations.

Everything's in a pack so that when you want to do an assessment, it's already ready to go. You can obtain it and then review all the information at ease. So that is also another thing that you can do. Just get it all pre prepared, ready to go so that then when. You might have a prospect that wants to work with you.

You can provide that type of information to them.

Anthony Woodward: No, cool. It is a super interesting space and I think we could talk for hours on it. I'm super, I'd really like to understand more around, you know, the way that you can benchmark different vendors within the supply chain then. Because it's, you know, not everything is equal.

And so when you look at, you know, I think some of the things you talked about, you know, which are quite legacy overhangs in terms of not having some of the basic kind of passwording through to [00:21:00] more advanced kind of cloud

services,

how do your customers, or how do you see people going and benchmarking?

So those different types of risk and how they then make those decisions about it, because ultimately we've still got to do business. We've still got to go and do the work and risk is just part of that process. So how does that mix in?

Aaron Spiteri: So one thing we've built into our product that we use specifically when we send a questionnaire to any of our vendors, right?

Or if you use our product to do an assessment on any of your vendors to have a look at anything that's facing on the internet, right? If we're going to have a look at any of the risks there, like open ports or vulnerable software. We essentially have a rating that we've got. So a risk rating out of 950 and we categorize all the different risks from informational all the way to critical.

So we've pre done that for our customers so that our customers don't. For example, receive a questionnaire back and look at a response and if it might say, you know, do you back up your data? And then the vendor says no. For example, [00:22:00] is that a high risk? Is it a critical risk? Is it a low risk? A lot of customers we work with might not have the time to go through all of these as well to work that out.

So we tried to make that very easy for them by pre putting in I Risks according to what vendors select and we've done the same thing in the product according to any risks that we find when we scan vendors as well. So we've got a team of staff that have then gone through industry standards and best practices according to what's available right now and how risky things look and we've tried to make it as easy as possible for our customers so that they then.

Can have a look at that and they've got a bit of a, I suppose, standard of what they look for because it's the same risk that's categorized across multiple vendors. opposed to them having to manually come up with how risky is that particular risk that we've seen. No, that makes perfect

Anthony Woodward: sense and sounds very logical.

In light of what we've seen happen across the globe in the privacy [00:23:00] area and, you know, the extension of the key risks associated with, you know, me as an individual sharing my data with

Aaron Spiteri: other suppliers, how do I as a

Anthony Woodward: customer know on the other side of all of that process

Aaron Spiteri: What these

Anthony Woodward: processes are, and I know that's not necessarily part of the up guard story, but I'm really interested in Aaron's view on that extension.

You know, I know a lot of your customers are using the services you've been working with a while to. understand and know what the risk is in their supply chain. How do I understand that as a customer and make sure my data is safe with insert bank telco

Aaron Spiteri: company here? Yeah. Look, Anthony, I think something that doesn't exist, which I think would be really awesome in relation to, you know, consumers specifically, when you go to the supermarket and you purchase certain types of food, you get like a health star rating, right?

And it's usually five stars. I feel like that's not something that applies at all when you're working with specific companies in relation to the security that they have, and I don't think it is easy for consumers to [00:24:00] understand that information for someone that knows what they're looking for, they could go on that particular website and they could have a look for, you know, different types of security documentation that that particular vendor that you might be working with has, and you could make your own assumptions based on that.

But it would be really good as well for consumers specifically that might not even have that knowledge and understanding if there was some sort of, yeah, universal practice where you could go and have a look and understand, you know, what was that particular vendor rated, you know, like the health star rating that I'm talking about.

I'm very familiar with that, but it'd be great if, you know, that was something that was available to consumers where they could understand, yeah, how risky is this if I'm going to go and start working with that particular. Vendor, what are my risks look like? What have they got? And look,

Kris Brown: you're welcome now that UpGuard can go and build that product and product ties it and you know, you're going to be doing shaving ads shortly.

You're welcome. I think it's a great idea. And certainly I think it's an

Anthony Woodward: interesting [00:25:00] space because it's always the product guy that claims the CEO's idea as his own, right? Sorry, Aaron, that you had to see that happen out loud, but look, I mean,

Kris Brown: if we're not having that argument. Here, Anthony, at least I've got some proof that I was there and being involved.

I want my 10 cents. That's all I'm looking for. I don't need much more than that. But I mean, Aaron, for me, I think the, the, yeah, it's, look, it's interesting. Right. There's one of the key things about talking to, you know, again, people like yourselves and these is to hear. Now there's, there is another side and while companies are able to do this, you know, it would be very, I would expect it would be very, very difficult for me as a, you know, a bank customer, a Telco customer to sort of ring up and go, Hey, I'd really love to understand your attestation around SOC and my data and where it's going on.

However, and I think this is probably a little bit where Anthony was going, soon in Australia there are going to be much more interesting policies and legislation around it. Certainly globally, if you look at GDPR, I have the right effectively to ask [00:26:00] those questions, not necessarily, hey, what are you doing around SOC 2 or all those other things?

What are your vulnerabilities? You know, obviously I can jump on and scan the ports myself, but, you know, GDPR allows me to say, well, what have you got on me? What do you know? And what, and more importantly, that if I'm so inclined, I can check that against what I've sent. So I can be in a position to say, well, no, I sent you this and this in this regards to these products.

I don't see that. So now. How are you, you know, and this is probably where we play more, is it helping organizations to sort of say, well, not only did I have it, I collected it, I managed it, I maintained it, and then I got rid of it according to this legislation. That's why I don't have it now. Yeah, that's almost the flip side of privacy in this instance, where it's like, I asked that of GDPR.

A right to understand the information that you've got on me and having the organization be able to say, well, I had it, but I got rid of it and he's the reasons why. And that builds trust, right? So, but yeah, that next level of how are you [00:27:00] operating, which is effectively what you're asking these suppliers isn't something that's there right now.

But if I tie into that crystal ball, you've got your magic wand. You're able to change one thing about, you know, what's happening in that space. What's the one thing that you'd change that would make either a difference to UpGuard, a difference to your customers, a difference to consumers? What's the one big thing that if you could wave a wand, ignoring how hard it might be, what would you change?

Aaron Spiteri: Yeah, I'd probably change, or I'd probably implement some sort of way for you to understand where your data is. I feel like that is something that you just can't get right now. You know, I might have a register myself of any website that I've ever registered for, and, you know, understanding what I might've put on those websites, which is great.

You know, if I ordered something.

Just

Kris Brown: so we're clear, if you're that guy, you're the only one, right?

Aaron Spiteri: Yeah, so yeah, I have been pretty stringent in terms of if I have registered for certain websites and, you know, what was [00:28:00] on those websites, but yeah, making it clear to consumers as well to understand that because, you know, like, yeah, you go to all these different websites, you use it for a certain reason, if it's learning something, purchasing something, anything along those lines, but then, When you're finished with that website or what you've already done there or what you've learned or what information they've got and you move on, do people just forget about that completely?

And then what happens to the data that was there? You know, you going back and actually canceling that and more or less like unsubscribing saying, I don't need it anymore. Cancel the records that you've got that you had with me and move on. I'd love to make that a lot easier. For people, because I do feel like people just sign up for anything and everything.

And then they might not understand how those websites were either tracking something that they had or what permissions you gave. If for example, you used a Google account or an Apple account. You just did the auto sign up and then it [00:29:00] had access to your Google account, for example, and it was getting your address book, contacts, et cetera.

How often are people actually understanding that it's got that information and how many websites have they got? And do they know if any of them have been breached? We'd love to make that easier for people. I feel like that's a confusing thing. I think that

Kris Brown: last piece to that is the real, the real gotcha, right?

Like, I think we all want the first one, the first part of that. But I actually think, I still want to be able to sign up, but I want the information to understand my level of risk, if I want to take it back to where you are. Like, it would be really, really cool if there was a universal way. to calculate the risk of me giving you the data.

Because, you know, that creates behavior. If I'm a business that has high risk, I should reduce those risks to bring that down. And if all, reverse, I can always make it cheaper. As a vendor, I can always go, well, you know what? Yes, I might be risky. But I'm also very well priced. So you're now Mr. Customer. You can make a more informed decision about things.[00:30:00]

I think that tie.

Anthony Woodward: Isn't there a Black Mirror episode with this, with the number above? That's it,

Kris Brown: my number? Yeah, I was, I was about to go there, right? Like again, if you pop culture it for a moment, Black Mirror sometimes is a little bit too prophetic, but it's, we are in that place where. Had I known that Telco X did, had certain practices, would I have bought a device from them, or a phone from them, or a plan from them?

Had I... Signed up for Music Plan X on, you know, Service Y. Do I really know what that means? And I kind of think that's where you're going there, which is, yeah, I think that's super interesting. And again, the convergence element of this, the privacy legislation is going to be driving some of that behavior.

Upguard and I said that that product process of I have to understand my vendors at a commercial level is starting to drive that behavior information governance and making sure that you have the proof of those things and you can control that data and you understand how long you're keeping it for is driving that behavior and as always, we'll [00:31:00] see things dribble down through commercial down to consumer.

But I think that convergence of all those is really where we all and again, you did it. You just you wave the magic wand and you went there too well. Thank you. This is who makes that product and what do we pay for that, or what's the value that we see in that, or is it something that should be legislated?

I think those are really interesting conversations.

Anthony Woodward: Yeah, cool. Look, and Aaron, it's been a fantastic conversation. I know we've taken you to some darker places and different places that I think you expected, and I really appreciate you being coming on the journey with us and making some time. Extremely interesting and I suspect we could sit here and talk again for another set of hours.

There are so many issues societal and drivers behind, you know, what the regulators are doing in APRA and ASIC for the banking sector, but that doesn't actually apply to what's happening in the telcos the same way there is this. Equilibrium of how our data is being treated differently in different institutions that needs to be resolved.

And then that comes back to the standards that are being applied in [00:32:00] processes that you're auditing. So I really thank you for the time. And it's been a great conversation.

Aaron Spiteri: Yeah, no worries. Thanks so much for having me. I really appreciate it was really fun having a chat with you

Anthony Woodward: both. No, thank you. And thank you all the audience for listening.

I'm Anthony Woodward. And I'm

Kris Brown: Chris Brown. And we'll see you next time on file.

Anthony Woodward: Thanks everybody for listening. Don't forget to follow us on LinkedIn, Twitter, and you can catch us on Facebook. Catch you next time. Thank you.