Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
The Get Cyber Resilient Show Episode #30
This week Gar is joined by Joseph Carson, Thycotic’s Chief Security Scientist and Advisory CISO. He’s the architect behind some of the worlds largest cloud environments, has worked to digitally transform cyber security education to online delivery, and now based in Estonia he has been working in areas such as digital identity.
He’s won many awards and is driven by a desire to give back to the community. Joseph walks us through what cyber resilience looks like at a country level, including how Estonia has gone about building trust with their citizens. He speaks about education for cyber security, immigration policies, data resilience through data embassies, and Jospeh outlines the jaw dropping economic benefits that an advanced digital society can achieve through removing friction.
Connect with Joseph on LinkedIn:
Follow Joseph on Twitter:
Check out Jospehs books:
The Get Cyber Resilient Show Episode #30 Transcript
Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Garrett O'Hara, and this week I'm joined by Joseph Carson, [inaudible 00:00:13] [inaudible 00:00:13] chief security science and advisory CSSO. That's the kind of title I'd love to have on my business card one day. Joseph blends research, so ethical hacking, pen testing, what works to get access to systems at a technical level, and creates material and content to reduce the threats to podcasts like this, books, papers, webinars, and gets to deliver that content live also.
Then also works as a government advisor. He's architected some of the world's largest cloud environments, digitally transforming education to online, which is obviously timely, and based in Estonia, has worked on things like digital identity. He's won many awards, and ultimately is driven by a desire to give back, and to push his knowledge back to the community in a useful way.
For me, this was a ferocious conversation. Joseph walks us through what's cyber resilience looks like at a country level. Just let that sink in. We're gonna talk about what an entire country, that is a very advanced digital society, that as a result had to think about how to ensure cybersecurity, data resilience, repudiation, the stuff we talk about at an organization level, delivered cohesively at a national level. There is some amazing stuff in here: how Estonia has gone about building trust with its citizenry, and maybe there's some lessons for us. Education for cybersecurity, immigration policies, and data resilience through data embassies. You'll actually hear me pause at one point there as the light bulb goes off in my head at the economic outcomes an advanced digital society gets through removing friction. Joseph translates that to a UD, US GDP equivalent, and the number is a jaw dropper.
So this was a fascinating conversation for me. I really do hope you enjoy. Over to the interview.
Well everybody, to the Get Cyber Resilient podcast. Today I'm joined by Joseph Carson of Thycotic. How you going, Joseph, you well?
Joseph Carson: [00:02:08] I'm doing fantastic, thank you. It's a pleasure to be here, I'm looking forward to an exciting, uh, interesting conversation.
Garrett O'Hara: [00:02:13] So am I in our prep you, I have to say, you pulled a thread that I, uh, went in a rabbit hole over the last week of, uh, I'm not gonna steal your thunder of what we're gonna talk about, and, uh, I'm definitely looking forward to it. Um, you're, you're over in Estonia, right?
Joseph Carson: [00:02:27] That's correct, yes. Tallinn, Estonia. I've been here for I think it's [inaudible 00:02:32] 18 year, this will be going into my 18th year now in Estonia.
Garrett O'Hara: [00:02:34] Okay. That's a little hint for where we're gonna go, and, and we were both complaining about, well not complaining. I was complaining about the weather because it's actually hitting 29 degrees today, and I'm starting to melt, uh, where I'm recording. But, uh, such is life. Um, hey, Joseph, look, we normally start with a bit of an intro from the, the guest, and, um, and given your role in what you're doing, I thought it'd be great if you could just give us, you know, a couple of minutes of, uh, how you got to where you are today, and what you're doing.
Joseph Carson: [00:03:00] Sure, absolutely. So, so my, my job that I do today, is I'm a chief security scientist and advisor [inaudible 00:03:06] at Thycotic. And really, you know, what that means is when you kind of look at it, you know, from my day to day activity, is it's really about a third of my time is spent doing a lot of research. So really putting the hat on of hacker, of hacker out there. Doing e- ethical hacking, penetration testing, really getting to understand the techniques that work and are successful at being able to abuse people's trust and being able to get access to systems. So understanding the technical methods of attacks, and that's where I really spend a, a good amount of my time understanding, putting into process, um, and looking into how those techniques are done.
Then the other third part of my job is really then creating material and content that is actually really about reducing those threats, about whether it being digital or eBooks or whitepapers, or doing podcasts or webinars or digital events, and even sometimes speaking. So I create a lot of content that's using delivered a different kind of mechanisms of, of, of getting content in front of the people.
And then the third part is really then doing the traveling, and doing the interactions, and delivering it myself. So that's what kind of a lot, large bit of my time. And also in my role as well, and I'm advisor to several governments. Governments come to me for best practices or advice or architectural designs. Um, in my long career in the industry, I've been, you know, closely, over 25 years, getting close to 30, so I'm showing kind of a bit of my-
Garrett O'Hara: [00:04:26] [laughs]
Joseph Carson: [00:04:26] Uh, let's say retro side of things. Um, you know, but I've been in for, for a long time in industry, and I've been through a lot of different experiences. I've been architecting some of the world's largest cloud environments. I've done digital transformation in countries from education system being very traditional to doing online education., which has been very beneficial in today's world. And also being based in Estonia, um, Estonia's been very in the forefront of a digital society, with digital identity being one of the really core areas.
So you know, my kind of job has take me a lot of different places around the world. And a lot of different experiences, and multi award winner, as well as many different awards over the past couple of years, and, uh, can really, I- I- I like sharing my knowledge. I like giving back to the community as much as I can.
Garrett O'Hara: [00:05:14] Phenomenal. And, and that's what we're here for. So, uh, yeah, definitely looking forward to, to picking your brains on so many things. Um, when we were prepping for this, Estonia was the thing that came up. And, uh, obviously you're living there, and that was kind of the starting point, uh, for our conversation. And, uh, as I said, I- I kind of went down the rabbit hole based on, on some of the, the very kind of limited information that you gave me last week.
And I was kind of aware what Estonia was as a, you know, an advanced digital society. Um, ca- can you run us through where Estonia is today? You're living in a very, very interesting country.
Joseph Carson: [00:05:49] Absolutely, and one of the things, you know, we started the conversation is, I also do find very similarities between Estonia, Australia, New Zealand, and even Ireland. You know, we're both original from, from Ireland, me being from, from Belfast originally. And I also do find similarities between, uh, Estonia. Even though, you know, Australia, um, is, is an island in many regards. [laughs] Far away from, and, and has limited borders. With Estonia, we also, not an island, but we do basically, you know, have a proximity of very noisy neighbors.
Garrett O'Hara: [00:06:19] [laughs]
Joseph Carson: [00:06:20] Neighbors who-
Garrett O'Hara: [00:06:20] Yep.
Joseph Carson: [00:06:20] Who tend to be sometimes aggressive in a cyber perspective. So Estonia, you know, Estonia was part of, you know, former Soviet Union, back in, you know, most of the 19th century, or the 20th century as well. And what happened was, um, the breakup of the Soviet Union in 1991, 1990, I can't remember the exact year. But what happened was, it set forward Estonia to becoming, um, a really, at the time, they, uh, became independent, uh, what happened was it was the boom of the internet. So Estonia really kind of seen is that let's use this new medium in order to build a government and the services.
And at that time, it really wanted to go paperless. But one of the things that Estonia found was that when you're an occupied state or an occupied nation, you tend to lose a lot of your history, and a lot of your culture, and lot of your past. Whatever country's occupying you changes the textbooks, changes songs, controls the news and the medium. They have a very, very control over that, uh, kind of educational, um, content. And also what, what events happened in the past. We see that with a lot of countries that control the media and control education, that they really have the ability to, you know, manipulate, uh, history.
And Estonia, they said that as they were doing this paperless society, that they wanted to make sure that that could never happen again. Because one of the biggest problems in the early 90s was a lot of people were coming back to Estonia that had left, and that, you know, was its 50s, 60s, and 70s, you went off to even Australia, to Canada, to US, to UK. They started coming back. And as they came back, they found that their, you know, ancestors or history [inaudible 00:07:53] that they came to visit, all of a sudden they wanted to reclaim it back.
And now getting into, let's say the legal side of things where who owned what land became a major problem. And that ultimately then paved the way for making sure that in a digital world, they wanted to make sure that their history can never be erased. And this started basically Estonia's path to a digital society. And ultimately a lot of the innovations, they realized in order to do that, you needed to have a very strong digital [inaudible 00:08:19]. You needed to have the ability to do digital signatures. You needed to have the ability to do non-repudiation, which also got them into doing block chain innovation.
And in the early 2000s, when I came to Estonia, what happened was it was really that kind of starting point of this new society, of everything and services being delivered online from tax returns to banking to even, you know, voting in elections, all of that started to happen digitally online. And it wasn't, it's not the only method. There's other methods of doing it as well, but it was option you had. You had a choice of which way you wanted to, to interact with the government.
And this surely paved the way for Estonia's acceleration in a digital society. I mean, there's lessons to be learned over the years. Um, you know, so, you know in today's society, everything, you can open a business online within a, you know, couple of minutes. I can do my tax returns in about three or four minutes, depending on how much I need to fill in. Most cases, people just need to sign it. They look at it and say, "Yep, that's my tax returns," and sign it, and it's done.
Garrett O'Hara: [00:09:17] [laughs]
Joseph Carson: [00:09:17] There's very little, you know... And it's, and the purpose of this is it's an interaction, it's a both direction communication. It's not many mistakes in the past that other governments have tried when they do this digital society is it's a one way feed. It's, "We need all the information from the citizens." But we control it, we provide little transparency back. And it's important, what made it successful in Estonia is transparency. Its ability to provide that the citizen owns the data, we're just basically making services for you, and making it easy to interact with us, both directions where the government can provide proactive information to the citizen when they need to for example, renew license and so forth.
So today Estonia's very, very much in the forefront of the digital society, and the government has really evolved into what I refer to as, as a service provider to the citizens, and really making facilities easy for the citizens to interact with the government. To so much easier that, you know, doing online banking, got new, um, uh, [inaudible 00:10:13] ability for [inaudible 00:10:14] have, what we refer to e-residence. You can now become a citizen of Estonia electronically and use the services here.
So it's a really great place to be, um, but we also [inaudible 00:10:24] our location, that we do have a lot of noisy neighbors who do try to manipulate and target the society here.
Garrett O'Hara: [00:10:32] Yeah, absolutely. I was definitely, uh, thinking about the residency thing. I watched a few videos, and, uh, uh, read, read a bunch of stuff on Estonia, but, um, yeah, found it fascinating, that idea of attracting talents. Um, you know, I think the comments were made in, in many of the articles. It's, it's attracting the type of talent that probably makes sense in today's world. You know, growing, uh, internet companies, uh, we'll we'll probably get to this, but the number of unicorns over there is astonishing.
You know, the per capita, um, but one of the things I wanted to ask you about, and it kind of relates back to, uh, your comment on the kind of two way conversation between citizenry and the government. There's an implied level of trust there, and you're [inaudible 00:11:13] probably, uh, where things like the MyHealth records, uh, initiatives in Australia, uh, even the COVID safe app, you know, when, when that was pushed by the government here, uh, the sentiment was generally that there's a trust problem, for want of a better expression, and people pushed back, and opted out, and, um, you know, I've got mixed feelings about that as, uh, you know, as a citizen because I get the efficiencies, and you know, having read about Estonia now, I'm like, whoa, that, that just looks like an incredible way to live my life.
You know, and if it's five minutes [inaudible 00:11:41] tax, I'm on board. That's way better than, yeah, you know, 45 minutes sitting with somebody who doesn't care, um, doing the paperwork sort of thing. So, um, like it, it, it looks like utopia, but it feels like you can only get there when there's that trust built. Wha- what exactly was the road to get there?
Joseph Carson: [00:11:57] The road to get there, one of the things in the early years of Estonia's independence, um, throughout the 90s was that they realized, you know, they have a very diverse society. You know, just like many countries do right now is there's a very, almost a 50/50 split in different, um, let's say opinions, and, and whether you're left or right. So the real lie is that in Estonia there's also, there's a large Estonian, you know, uh, native population. There's also a large, um, Russian ethnic population still residing in Estonia in the post-Soviet era, and there's also larger kind of other ethnic groups, whether it be other European countries or expats like myself.
And what Estonia realized is that in order to provide stability, in order to provide you know, the, the government, to be a service provider, they need to basically make sure that they [inaudible 00:12:45] open and transparent to the citizens. That when they're doing an imitative, they have to make sure that the citizens is aware of basically what options you have and how it works. And ultimately that's one of the things that benefits the citizens, so when you get into really providing that digital society, let's take healthcare records for an example. Um, or we can, you know, even, even the COVID-19 apps that, you know, governments have been looking at methods of doing.
That Estonia kind of, and the leverage also kind of their innovations in block chain, which has also helped in this as well, which is all about, they're using it for the reason that it's actually was originally developed for, was about data integrity, non-repudiation of data, data authenticity. Um, um, and that's what Estonia kind of really innovated around which originally if you look back, it was the, um, miracle tree and hashing algorithms that make sure that files could transfer from one location to another without being corrupted. That was the ultimate reason that block, block chain and time stamping, uh, became really effective.
So in Estonia, what happened was if health records. I, basically, if I go to the doctor, or get a prescription, which you can do online today, that I own the data; the data's mine. And what happens is that I actually control who can see the data, and there's also transparency to when a doctor looks at my records. So for example, I can log into system, and actually self-audit the government of my own data, and I can see basically if a doctor, a nurse or you know, pharmacist looked at my records and actually gave me a prescription. I have that auditability. And that's what's really critical is that, you know, it's not, a- a- a- a- a kind of a black box where you don't know what's happening.
Garrett O'Hara: [00:14:19] Yeah.
Joseph Carson: [00:14:19] Your data goes in, [laughs] and you have no visibility. It's really important to provide that auditability to the citizen, so they can log in, and, and see what's happening. And also control. They can decide that, for example, when you're doing your tax returns, as another example. Rather than, I can go to the bank and say, "Transfer my, you know, financial details for the past year to the tax office," and make it easier for me to auto do the taxes. But I can also decide not to do that transfer, not the give the tax access to my bank account, and do it manually. So you've got options of doing it; you're in control of really basically who has access. You've got that auditability, uh, to the data as well.
And also you own the data. It's your data. It's not the government's data. So, and it gets into, and a lot of cases it's also a data rights management issue as well. Is that a- are governments going to- to profit from that data as well? By selling it on to, you know, let's say major pharmaceutical companies, uh, to, to leverage that. And getting into the COVID-19 as well, one of the things is, is that many governments took this initiative of collecting everything as much as possible from the phone, and then centralizing it, and not being transparent to the citizen about how long it's going to be used for, what are the purposes it's going to be used for, who has access to it, and also is that data going to be correlated with other data that has been collected through other means?
A lot of governments really went the centralized approach. And when I looked at it is that, that's basically, you know, it's a massive privacy issue, it's a massive data protection issue. It's a massive security issue if it, if it gets compromised. And I really liked, I liked when Google and Apple collaborated because when you get the massive tech vendors coming together, they really find a way in order to do this decentralized. And governments who are really promoting of the citizens and transparency, really leverage that Google/Apple approach that allowed you to decentralize that.
You know, an identifier can be collected. They're not collecting anything else other than basically who else you were with proximity with. And only basically, you know, when you, um, uh, either get verify that you've been infected, then you actually make a notify and other people can actually know that they were in proximity, not necessarily knowing who. And that really means that the data has been collected can only be used for one purpose, um-
Garrett O'Hara: [00:16:26] Yep.
Joseph Carson: [00:16:26] And also there's transparency with how long that data's been kept, what are the reasons it, you know, it can't be used for, and what it can be used for, and what it's been correlated with. So it all comes down to transparency, and you know, even, um, I think it's key, uh, for governments to be successful. 'Cause that's how you build trust. You know, building trust is about being transparent and honest to the citizens.
Garrett O'Hara: [00:16:47] Yup. And it, it takes some time as well, is probably my observation or comment. You know, you can't do the wrong thing, and the none day say, "Look, now you can trust us." Now, there, there has to be, maybe this is a question on, is there anything unique in Estonia around the citizenry where they're, they understand the, the questions to ask or the concepts in a way that allows them to be trusting, versus, uh, to use your words, even if it was explained, it's still a black box because as a, maybe as an average citizen, I actually don't understand what [inaudible 00:17:17] means or the implications of, you know, de-anonymization, or any of those things. So to me, it's just a scary thing because it's data, and it's, it's, it's away from me. Um, like, is there a level of understanding in Estonia that kind of allows for that trust?
Joseph Carson: [00:17:31] Um, I think you're absolutely right; it's not something that happens overnight. It's been built over time through different services. So you know, beginning off one of the earliest services that were done, uh, digitally, uh, was things like tax. And when you see the citizens benefiting from, uh, those services, and reducing the wasted time and be able to do things much more effectively and efficiently, that builds that trust over time. And then the government can add more services, you know, o- over the years that continually improve. And keeping that transparency, the auditability, which is key, that's what really crucial, is that you know that you have the ability to do the auditing side of things specific to your data.
And that's where really the trust is built. So it is providing it over time, and building that relationship with the government, but it's also by, you know, making a, uh, a mechanism available for you to go in and see how your data's been used.
Garrett O'Hara: [00:18:24] Yeah, no, I get you. And, and one of the videos I kind of watched, there was a guy who was quite fanatical about, uh, the, the, the safety of online data versus offline data. Um, and I say fanatical, that's probably a strong word, but you know, he made sense to me. But it was probably the opposite perspective that I'm, compared to what I'm used to hearing, which is, it's much safer for a piece of data to be sitting on a notepad in a filing cabinet.
And you know, his comment was, "Actually that's, that's really not true. You know, it's up to me. Then I can delete, I can change, modify, do all that stuff." Um, and then I kind of went on to read that there's actually a data embassy in Luxembourg, which is astonishing to me. Like, what an incredible thing.
Joseph Carson: [00:19:05] So I'll give you the history of that. That's an interesting, actually, there's an interesting background that all, how did that all happened. Um, so it goes back into, even this goes back into... The whole reason Estonia did this block chain initiative was to make sure data integrity. Just like you were saying, if it's on paper in a notepad, and somebody has access to it, have they can modify it, but if the problem is that the auditability of that mechanism is very difficult. Is that whoever has access to the room with the paper [laughs], and has access to, to be able to modify it, it's hard to do it on a mass scale.
So when you get into digital data, you've got ways in order to do auditability in digital data, that it can be much more effective. Of course, there's always risk associated with both, but it's understanding, it's understanding the risks, and you know, mitigating them where you possibly can. So Estonia realized this, and block chain was used for that, um, self, uh, kind of, I'd say auditability, and non-repudiation.
Some for example, in the voting system here, I can go and vote electronically or online. And then when my vote is- is- is, uh, signed by me, what happens is that signing is then going through basically a block chain, and then periodically that block chain, the root hash gets publicized, um, on the internet. And also it gets actually printed in the Financial Times each month. So after that date, government cannot change history.
Garrett O'Hara: [00:20:22] Right.
Joseph Carson: [00:20:22] They cannot go back and change digital data because now that root hash is publicly printed in the Financial Times. If the government wanted to change history, they would need to delete and burn all of those newspapers that was published on that day that including the root hash, which mathematically is very, very, you know, [laughs] unlikely and impossible.
Garrett O'Hara: [00:20:40] Starts to get tricky, yeah.
Joseph Carson: [00:20:41] So, so that was kind of, and, and things were working well, um, through the early 2000s. And then a major incident in 2007 happened, which was that Estonia became under a, a cyber attack from a nation state. And you know, when you get under a cyber attack, it's not just the government's that targeted, it's also the citizens that's get targeted, it's private businesses get targeted. We had things like government, uh, political parties were co- uh, targeted, you know, government offices, the, uh, banking system, the telecommunications, news agencies, all get targeted from these cyber attacks [inaudible 00:21:13] defacing the websites or [inaudible 00:21:15] attacks.
And what realized was, but during that time, um, a major kind of fear happened, 'cause, you know, one is that it was that the day that it was digitally safe. But what happened was, it was also a buildup of military exercises on the border of Estonia. And the threat and concern was, such as Georgia and Crimea that happened in the past. If there was ever a land invasion, that digital, uh, let's say, resilience that was set up in Estonia would not survive a land invasion attack. And that was the fear because that was what was considered a doomsday scenario, meaning that was it, if everything was in a block chain, that's great. But if your data centers were occupied and destroyed physically, then the block chain doesn't make any sense. The hashing of data doesn't make any sense, because the core data, the raw data that's associated to it can be destroyed through basically physical means if you have a land invasion.
So we looked up post, um, kind of 2007 scenario, Estonia set up the, uh, NATO Cyber Defense Center of Excellence in 2008. And there was a lot of discussions how we defend against, uh, let's say, the, you know, land invasion scenario. And what happened was, I was in a lot of those discussions, and we were looking at... I was in discussions around my experience in DDoS prevention, and I was saying that, you know, the best way to defend against DDoS attacks is for yourself to be centralized, that's one of the best mitigations, is there's no single place to attack, then it makes it more difficult for a DDoS to happen. Um, you end up having to target many different, you know, targets.
And ultimately that conversation then looked into well, okay, what about this land invasion scenario? The best way that Estonia can then defend against a, let's say, land invasion was to decentralizing the government's information systems and data repositories. And this got into the discussion, well, how can we do that? How we going to put data in data centers in other places around the world legally? And the problem was within the law, sovereign data was not possible to move beyond the land of a border of Estonia. It could, you couldn't put it in other countries.
So we looked at, well, let's set back and look beyond that. How can we kind of think outside the box? And this is one of the great things of Estonia, and that's why we got a lot of unicorns, is people think outside the box. People stand back, and they look at the bigger picture, and they understand it end to end. And that discussion then went from decentralized, to how we gonna get the data outside of Estonia? Well, the law says we can't. How can we get by that? And we end up saying, "Oh, well, data embassies. Let's, what about the embassies?" Embassies are still sovereign land of the country in other locations. What if we make the- the embassy a data center? And then decentralize the country in other, actually embassies in other countries?
And the optimum number at that time was five, uh, because that allowed it to do things like maintenance, full tolerance, and also need to have an odd number because of the way the voting system worked. When I talk about voting system, meaning the calculation of root hashing, um, you had to have an odd number. Because if you have an even number, you have a, a stalemate. So that was why three wasn't sufficient because you couldn't do maintenance. So five is the next optimum number in order to be able to have an odd number that also has scalability and, and maintenance capabilities.
So ultimately, Estonia then moved the data centers into embassies, which is then the concept of a data embassy. You've got your decentralized country, meaning that if there ever was a land invasion, your data is actually kept safe in other locations outside of your border. So it actually truly made Estonia the first cloud nation.
Garrett O'Hara: [00:24:43] Yeah.
Joseph Carson: [00:24:43] The first digital nation that really kind of moved into, uh, we refer, refer to it as eEstonia. Um, and that really meant that Estonia is no longer from a digital society dependent on the physical land itself. And, and [crosstalk 00:24:59]
Garrett O'Hara: [00:24:59] My mind has just been blown. [laughs]
Joseph Carson: [00:25:01] The Luxembourg piece is quite interesting, though. Originally it was meant to be UK. [laughs] That was the first choice, and then a little thing called Brexit happened, and that meant that it was a lot of what happens, you know, unknowns, because Estonia realized that the embassies themselves are not data centers. They're just places where they have connectivity, and therefore, didn't have a lot of the resiliency that data centers come with, and they knew that over time they would have to move these embassies, uh, data embassies into real data centers, um, in order to benefit from things like multiconnectivity, you know, higher resilience, DDoS, all of those additional things you get from a, a, a true data center.
So ultimately what end up happening was then, uh, they allocated a place within a, a data center in Luxembourg, as an embassy location of Estonia, and now the servers and, and racks are running from that embassy, uh, in a data center. That provides resiliency to the country, uh, so it really, truly brought Estonia into the clouds.
Garrett O'Hara: [00:25:57] And- and- and- it's an astonishing level of cyber resilience. You know, we talk about that on this podcast a lot, and it tends to be the- the sort of stuff that you're used to hearing. Like, you know, kind of resilience of, you know, backing up data from 0365, oops, somewhere else, and those kind of things. But an entire nation? Um, being as you say, cyber resilient and cloud based. It, it's astonishing me, uh, just a very, uh, yeah, my mind is literally, uh, blown. Um, I'm, I'm almost speechless, but, um, I'm sure we can find a way to keep going, [laughs] to keep on talking.
Um, one of the things you mentioned, uh, I think, hopefully when we recorded or maybe pre-recording was on the sort of e-residency side of things and some of those kind of, uh, initiatives from the, the government, a Nomad Visa was another one, um, where, you know, it's, it's being made much easier to go and, and first of all, start a business, um, in Estonia or to, to be there and working as a, you know, a working nomad. Has that affected, you know, Estonian culture in terms of, you know, the- the- the population, obviously, you know, we kind of mentioned already the unicorns per capitol, per capita, um, is I think it's the world number one, right, I'm, I'm right in that stat?
Joseph Carson: [00:27:03] It's around, I think it's number two or three regards to, per capita, it's up there. Um, you have countries like, uh, right now the sp- accelerating countries like Israel, uh, Sweden are also up there as well. And of course you still have US. Um, but in regards to- to- to the, the size of the country, um, it's definitely up there, uh, definitely in the top three. Um-
Garrett O'Hara: [00:27:32] Yep.
Joseph Carson: [00:27:32] And it's really kind of, you know, it's, because of that outside of the box thinking, it's also, Estonia, just from an education perspective is also one of the, you know, best educational, um, kind of, um, systems in, in the world as well. Very similar to that of the Finnish, um, which also benefits a country. Um, and, and, and, it does, you know, from that, leading digital society does attract a lot of top talent to come here and start a business, and, and to... It gets a lot of that attention, um, that, you know, it really, it's go- it's important for a country in order to, to develop digitally.
Garrett O'Hara: [00:27:56] Yeah, and there's a momentum there, right? I think talent attracts talent as well. So there is kind of an inertia that can sit up there.
Joseph Carson: [00:28:02] Absolutely. People want to, you know, at the end, it's not about, you know, uh, places, or, or, you know locations, and, and people like to work for great leaders. Great innovators. Um, you know, I, I've always followed people that I really enjoy working with. Um, and that's one of the key things, and Estonia's definitely one of those places that they have a lot of amazing leaders and innovations and talent, and it, it's working for those people, what attracts people that come to Estonia as well.
Um, and the benefit of not only, you know, coming to great leaders, but also having that digital society, that's important as well. And those leaders, you know, from the unicorns over the years developing, you know, major companies like, like Skype or, or TransferWise, um, even Pipedrive, and, and, uh, Verify. All of those coming and really, you know, showing the way. They also spend a lot of time putting back into the community as well. You know, giving events, and, and you know, also improving the systems and, and, uh, spending a lot of time in education as well. So they do see that, you know, they benefited from the society, and they do spend a lot of time giving back.
Garrett O'Hara: [00:29:06] Yeah, it's incredible. You mentioned Skype, and it's funny, I'm sort of pals with, um, some of the Kazaa, I don't know if you remember Kazaa from back in the day?
Joseph Carson: [00:29:13] Morpheus, [crosstalk 00:29:14] Morpheus was the, Morpheus was the, the original, um, so do you remember the, the, uh, file to file sharing, PDP, that's where it really, originally came from. Kazaa and Morpheus, Limewire, and all of those [crosstalk 00:29:26] based [inaudible 00:29:28].
Garrett O'Hara: [00:29:27] Which, which was used for, like, legitimate purposes, but I remember, uh, like I say, friends with a couple of those people. And, um, I believe they were, they were connected or sort of knew the Skype guys, the people who started Skype. And so we got a, myself and this other Irish guy, who was a, I was working as a developer at the time. We got this early preview of this thing called Skype. And we were blown away. We just could not believe you could actually do a voice call over the computer. It was just, uh, like, one of those moments where you think, "Oh, this, it's going to be different from now on. You know, this is a, this is going to be a big thing."
Joseph Carson: [00:30:00] Absolutely, so Stan, Stan, and those guys are, they're still really connected. I, I, I see them, we speak at events together often, so, um, and they really did innovate. They really did take it to the next phase, and, you know, Skype probably was, you know, that kind of leading Estonian unicorn that really also created a lot of the others. You know, a lot of these, these other co- the major companies. Um, that came out of that, really came out of, you know, the, the Skype, uh, kind of culture.
Garrett O'Hara: [00:30:28] Yeah. I'm going to wait till we stop recording, and so I don't dox anybody, but I might just, uh, tell you some names and see if your pals, uh, if, yeah, if they know each other. Um, you, look, we've mentioned, uh, education, or, uh, you, you've kind of mentioned it a couple of times, and one of the things I noticed was that, um, there is that focus, as you said. You know, the computers are in schools. That's kind of by default. Kids are coding, seven year olds are learning how to code, which is, I think amazing and incredibly useful thing to do, uh, today.
Um, but also this idea of educating the, the population, or at least a percentage of, and, um, seeing how that very strongly correlates to the adoption of internet usage. Um, astonishingly, like from, in 2029 percentage and usage rode up to 91% in 2016, and it's obviously, you know, we're four years later, so, I'm, I'm guessing that trajectory's continued?
Joseph Carson: [00:31:18] Yeah, it's, it's interesting, ev- because even the scale of things, Estonia does get a lot of negative things around, you know, in its, uh, um, [inaudible 00:31:27], I'd say landscape. We do get negative, uh, stats for things like having no, v- very few landlines. [laughs] So-
Garrett O'Hara: [00:31:35] Right.
Joseph Carson: [00:31:35] Which is an interesting, it's like, well we, we don't need them. [laughs] We've got 5G and 4G connectivity, and we've got, you know, in almost every areas of Estonia, even in the forest, and, and the swamps we have high connectivity. Why would you need a landline? Um, and that's kind of one of the things is that, you know, it's, is that sometimes we jump, and we, we leap forward.
And the weird thing is, you know, talking about education, Estonia's really also developing education system even beyond, is that we realize that in, in our kind of careers, you know, many people even, you know, my- my family, um, they tend to maybe have one or two or three jobs over the entire life, lifetime. They tend to focus on, on tho- those areas. And what we're seeing is, is that the new future generation will probably have changed jobs every five to 10 years. That because those jobs will become automated, and they have to re-skill.
And one of the things Estonia's realizing in the education side, and, and they're looking at this to the Finnish education as well, because they're also one of the leading in- innovators in the world in this, in this, in education as well. Is that they're looking at it from, not teaching the old industrial type of education, you know, just traditional science, maths, you know, was it, uh, geography, whatever it might be, and science. That what they really understand is that you need to teach people the relationship, the association, but also the important thing is also to teach them how to learn, what's the method of learning so that you can continually relearn and reteach yourself over time.
So doing this, what's called is, uh, project based learning, and immersive, uh, uh, also language learning as well. So they get taught in multiple languages. And they get taught in a project that actually associates all the curriculum into, um, a single kind of project that shows the association, and it also teaches them to continually learn over time. And that's amazing because it really is the, the way forward. [inaudible 00:33:20] children to really adapt quickly.
So when the pandemic happened here in Estonia, that one of the things is that Estonia was, we, our education continued. Kids came home, um, to, to, to, to work and do online schooling. And it was just getting the first two weeks to adopt, but after two weeks of online schooling, kids get up, and they naturally [inaudible 00:33:41] forward. They found different tools and different technologies that helped them accelerate it, um, and that's some of the things that we kind of benefited from, is that kids continued to learn, no matter whether they're in the classroom or at home. And we find ways also for them to socialize as well.
Garrett O'Hara: [00:33:55] Phenomenal. Yeah, it's definitely, um, yeah, impressive stuff. Do you think there's an element of agility, just given the size? We've sort of touched on this already, but you know, the size of Estonia maybe allows it to be more agile and, and nimble, in terms of change, than, and I'm specifically thinking of, well, Europe, if you wanted to see, yeah, or- or the US where there's states who are, everything is so different.
Joseph Carson: [00:34:19] Yeah, it's cultural, I- I believe, that it's, it's about the mindset. Um, um, and the willingness to change as well. I mean, there's, you know, there's some people in Estonia that don't like change, and there's many that do. So there's always that, you know, difference in, in, in being able to be agile and dynamic. Definitely, you know, I do see them as- as being very creative, and- and looking, not let, not kind of letting things be just as the way they are, um, they look to ways that, you know, to go beyond that, to break down the barriers.
And yes, Estonia being a small country, it allows them to do that at an accelerated rate. Um, it allows them to- to change quickly, and- and- and move forward. I think in other countries, you know, skill and, and also, you know if you look at the US, um, there's a difference between federal and state, and that's always some of the challenges, is that the states can do certain things, and federal can do certain things, and there's always that conflict of interest. I think that if they were to repeat this, something like in Australia or in, uh, the US, it might have to be starting at a state level. So a single state may have to take the initiative and say, "This is how we're gonna do it. Um, this is how we're gonna make success."
And you know, repeat something. I- I have a prediction, you know, if the US was to do something similar to a digital society, and as Estonia does. Estonia saves about six to seven days GDP per year, um, from basically its, using its digital society. Six to seven days GDP. That's [inaudible 00:35:42], you know, and if you put that into maths into the US. If they were actually able to reduce the wasted time, that may be one trillion dollar savings per year, if they got to the same stage that Estonia had for the entire country.
Um, so in looking at that, you know, there's a massive incentive to- to move forward. Um, but again, it's really important that you do it in such a way that it involves the citizen, that it actually shows them that this way is better, that this way is benefiting you, and it's a two way transparency and trust. It all starts with the trust side of things. So your scale and size is, is a factor, and also how you interact with citizens and how you verify identity, and is also crucial as well. Um, but there is ways you, you can find, there is mechanisms in other countries to make this successful.
It's a case of sitting down and understanding about how do you involve the citizen, how do you show them that, you know, doing it this way makes your life better, and will, will provide auditability to you.
Garrett O'Hara: [00:36:36] Yep. Uh, as you're talking through that, like, what my head goes to is the change management project that would be involved in, you know, discovering what data exists right now. I'm, I'm thinking of New South Wales, which is where I'm in Australia. Uh, where the data lives, uh, what format it's in, and I, I'm saying all that and wondering, are we too far along in some countries where, Estonia had the opportunity in a way almost to say, "Clean slate, awesome, and the internet exists, so we're gonna do it this way," whereas, you know, Australia's been federated for some time, and the US has been around for some time, so there's sort of a, call it technical debt, or you know, societal debt that's been built up because of how things have been done for so long?
Joseph Carson: [00:37:17] Well, if you keep going down that path, it just gets worse. [laughs]
Garrett O'Hara: [00:37:20] I totally agree with you, yeah, yeah.
Joseph Carson: [00:37:22] That's the, that's the challenge, is that you decide that-
Garrett O'Hara: [00:37:24] Yep.
Joseph Carson: [00:37:24] Oh, we're too far... You know, let's leave it, and you know, five, 10 years time, you're even further down. Um, sometimes you have to reset. And Estonia took a, took a approach, uh, a few years ago, which was, uh, around 2008, they made an approach saying that they have a life cycle of seven years, um, and they need to basically re- you know, refresh everything every seven years. And I consent to that mindset as well as that, let's not get into the legacy. Let's keep kind of pushing. Let's, let's move forward. Let's embrace the internet. Let's embrace the benefits of it.
Um, I think in- in- in places like New South Wales and Australia, some of [inaudible 00:37:57] need to really [inaudible 00:37:59] understand is the data risk itself. You need to do a data audit. That, I mean, that's, without a doubt, you need a data audit. You need to understand it, and also where your duplications are, and do those duplications need to exist, and can you cross reference by indexing? Simply just database, it's database maintenance, you know, i- in a kind of, a paper and digital world. It's, it's about understanding about, um, the health records might include my home address. Do they need to? They, my home address needs to be in the population registry. Can they create a linkage between the medical records and the population registry so that they can actually get a one time request on demand when need to, to get my address?
Uh, they don't need to store it, they just need to know where to find it. And this is where you really get into, you know, that de-duplication of data, the data becomes accurate, that it's all about transactional information, auditability of that data, so when you get into doing this data, let's say, analysis and data risk and understanding about where it's located, you also have to have the authorities that decided, this is the scheme, and this is the, um, let's say department in the government, or department in the private society, that is responsible for this data set. And it can't be duplicated anywhere else, and for the telephone company to get my address, they must be permitted the access to population registry.
For the bank to call me in my telephone, they must have to cooperate and get access to my telephone number in the telephone company. So you have all of these basically multiconnections, but it's all about de-duplicating of data, and making it facilitated that they're not allowed to store it or duplicate it, they're allowed to request it on demand in real time. Um, so this reduces this data collection challenge that many countries have, and also means it increases accuracy as well. Um, and it really kind of means more efficient, um, as well and better auditability.
Uh, so this is really key is, is the data audit is crucial to [inaudible 00:39:49] success, and then the finding a schema, uh, to make sure you can actually make it as- as- as- resilient and efficient going forward.
Garrett O'Hara: [00:39:57] And so in that schema, is there opportunity for private enterprise to access that, what really feels like government or citizenry data, and, and how do you kind of keep, keep a reign on that as well, so that you know, if they access it, you know they're not storing somewhere else. Like, what are the, what are the rails you can put around that?
Joseph Carson: [00:40:12] Yeah, it's probably, it's best to be part of the, uh, the auditability of what we refer to as [Axroad 00:40:16]. So Axroad is the, let's say the data exchange highway between all of those agencies, and, and they have to adhere to certain security standard in order to plug into it. So think about as plugging, you know, your power something into the wall, you agree that, um, you're gonna use so much, um, voltage or amps from it, and also supply so much back.
Um, so it's really getting into that agreement that when you plug into the, the, the network, that you'll have the security schema that permits you to request and you're agreeing not to store it. Um, and of course there's, you, there's cases where you can request, you know, the good thing is here we do have a framework of GDPR, [laughs] that requests, you know, that you have the ability to request access to data-
Garrett O'Hara: [00:40:57] Yep.
Joseph Carson: [00:40:57] And make sure they're not abusing it. So GDPR is also the legal framework that supports that as well. So it's really important that not only you do a data audit, but you also have a legal framework that supports, uh, the, you know, auditability and the regulation of the, of the data collection, and, and, and usage and processing.
Garrett O'Hara: [00:41:14] And, and is there Estonian national standards around that as well? Like, security standards, or you know, the equivalent of the Australian OSM, for example?
Joseph Carson: [00:41:22] There is Estonian specific laws around data retention. Um, and, and data usage, absolutely. Um, but those are typically related to things like tax or, you know, financial, uh, information, where it's really critical. Population registry, you can't erase yourself [laugh] from [crosstalk 00:41:38] what you can [crosstalk 00:41:39] yeah. So, um, there is laws around retention, and- and certain data types, um, that are specific to, for the government to- to maintain, uh, that, um, but, you know that's, that's basically where GDPR extends that to, to other types of data, data identifiers.
Garrett O'Hara: [00:42:02] Yeah, phenomenal. We're, I was thinking often in Australia when you rent a property, and sort of, you know, I've been through that, uh, I've been here 20 years. You end filling out the same form. I mean, there's so many things in life, but you know, rental is- is one of those ones that is particularly painful, um, because you know, if you see enough places, and there's enough demand, you end up literally writing the same stuff over and over and over again. But that shows up in so many places in the world, right? And, and it is, to your point, like, such an incredible waste of time when, you know, that information could just exist somewhere that you can access it, and, and yeah.
Joseph Carson: [00:42:26] Yeah, it's becoming data, data brokers is the future. It's really about where you... the, I mean, the idea of a data broker for me is that I can turn around, let's just take social media, for example, rather than me going to social media and signing up for an account, and saying, I then need my date of birth, I then need my home address, my telephone number, blah, blah, blah. You put all these things in social media. And then over time it becomes stale and inaccurate, and they keep pushing you to update it, and [inaudible 00:42:52] try to analyze it.
But wouldn't it be great that if you were able to say, "No, I'm not putting my data there. I'm giving you permission to access my data in a data broker." Which means that, what do you mean? My telephone number, it's here. My home address is here. My contacts are here. And therefore, they're allowed to read it but not store it.
Garrett O'Hara: [00:43:11] Yep.
Joseph Carson: [00:43:11] So it means the, you know, it gets into this data collection, data processing scenario, and it means you have better control over your data, and at some point in time, you can say, they're not allowed to read it anymore. So, and this really, data broker's the ability for you to have, let's say, transparency, and better visibility of, of all those places you've also actually made your data available to. And it allows you to keep it accurate. Maybe rather me going in across, you know, let's say 30, 40 different accounts on the internet, and saying, "I need to, I changed my telephone number. I need to update it in all these places."
Or you move address. I need to log into all these accounts and update it all these locations. Um, why don't you just update it in one location, being your data broker? We have password managers that does some of the things for passwords and accounts, why don't we do it for data as well? Um, and it allows you to be- better control and better visibility of, like, where do you supply different pieces of data for different accounts that you configure and set up?
Garrett O'Hara: [00:44:03] Yep. With the, with everything being digital, everything being online, you mentioned risks earlier on. Actually, I was writing the word risk as you- you mentioned this. You know, it obviously brings, uh, some risks and from a cybersecurity or cyber resilience perspective, with everything being online, everything stored digitally, how has Estonia kind of tackled that problem? Um, you know, it's a, it's a worldwide problem, but I'm guessing you're particularly sensitive to the, uh, the implications of a successful breech of a successful attack, especially at a, you know, kind of, uh, national level.
Joseph Carson: [00:44:34] The- there's a couple things that Estonia's done over the years. Definitely, you know, government and private sector work together to make the countries resilient. It's about collaboration. You know, going back to 2007, when, you know, it was under attack from, from, uh, uh, ne- basically a, a major DDoS and cyber attacks, it wasn't just the government targeted. It was private companies as well, and the realization that you could work together, and there was at that time, um, it was the kind of reintroduction or start of the cyber defense league here in Estonia, which is basically citizens now have a cyber defense league where they come together to protect the country, both government and private entities, from cyber attacks.
So the cyber defense league was really evolved from that time, and it provides additional kind of education, collaboration. So government and private company collaboration, both directions. [laughs] It shouldn't be just one way. Um, which I think some countries, I, I think, I was really happy to here in Australia that the update to the, I think the cyber strategy [inaudible 00:45:27] last year, reintroduced that collaboration between industry and, and government again. 'Cause it, it has to be a two way communication. You can't just rely on private companies to give you information for you to protect everyone. You have to work together, it's two directions.
Uh, so I, I was really even happy with the US, some of the new NSA and FBI reports actually making some of the attacks that's been happening in the last 12 months more visible, is actually great step forward, is also being transparent to those types of attacks. So it is that kind of industry, uh, both private and government cooperation, collaboration is key. [inaudible 00:46:00] is well, is, is understanding about the risk side. Is that one of the things is that looking at what is your risk?is it land invasion, is it cyber attacks? And then how do you de-risk it?
It's all about de-risking, and one of the benefits of having a digital society that Estonia did was as I mentioned, they actually don't duplicate data across multiple depositories. They de-risk that data repository, meaning that if and attacker is able to access, let's say, let's say a [Telco 00:46:25]. Well, they only have the Telco data schema. They don't have access to your financial details, your bank account details, you know, they don't have access to your, your home address. To don't have access to all of the other things that's kept in all the repositories.
So it means for an attacker, in order to be successful, they would have to attack all the repositories. Um, and that's much more difficult than it is in getting a single one. So it means that you're limiting the scope of an attack as well. And then giving it the block chain as well, that's [inaudible 00:46:53] making sure you don't have data poisoning efforts. You can actually go back and see when data's been modified and changed, so that also provides a non-repudiation.
And just becoming more aware as a society as well, in the society we're, we're, very, say vigilant, um, we can't always, it's always in the top of mind as well. So it's also that cultural and awareness, knowledge sharing. So it's, it's, it's a multiple things to become resilient. We know that, um, nothing's perfect, we know that there's always risks, and there's no 100% protection. So it's all about making sure that while you do become a target, that you can recover quickly and recover well.
Um, so that's one of the key things is that you know how to get back to operations as, as fast as possible, with as much efficiency as possible, much accuracy as possible, so resiliency is all about making sure that, you know, you will become a victim at some point in time. It's how do you continue after the point? And have your mechanisms put, been put in place in order to, to reduce that risk.
So just like in 2007, when they realized that if a land invasion did happen, how did we... You know, some countries could have said, "Let's put it in paper. Let's put it somewhere else. Let's go back the way it was because, you know, we can't find solutions for this." Estonia said, "No," we said, "Let's embrace it. Let's look for ways forward. Let's not go back to the old ways because the old, old ways actually had other risks and other challenges." Let's embrace the internet and find a way forward.
Garrett O'Hara: [00:48:19] Is there any version of, uh, what in Australia they're calling clean pipes? You know, the high level kind of sanitization of, you know, internet traffic? Is there any version of that?
Joseph Carson: [00:48:29] Not specifically here. Everything is, it's kind of like an open, uh, kind of mindset where, um, it's all about basically encrypting the data and putting the right measures in place, and letting it go through the pipes. So [inaudible 00:48:41]. So that's, that's like, getting into, you know, deciding on a good and bad internet. [laughs] It's a difficult thing to do. Um, and it, it provides collaboration. It ends up, you know, it's [inaudible 00:48:54].
I guess that's, you know, the difference between what we refer to as tour, [laughs] to, using encryption through existing pipes. I think that's the definite, the way forward, rather than building, uh, additional connections.
Garrett O'Hara: [00:49:07] Yep, I get you. Um, we're, we're very close to kind of closing out here. Just looking at the clock, um, I, I'm just wondering, is it Scotland or Wales that has the unicorn as their national emblem? I think it might be Scotland?
Joseph Carson: [00:49:19] [crosstalk 00:49:20] Scotland, yes, it is Scotland.
Garrett O'Hara: [00:49:21] Maybe it should be Estonia. I think you guys should steal that as, uh, as, as [laughs] your national emblem.
Joseph Carson: [00:49:26] I'm pretty sure we can find a way to, way to put it in somewhere. [laughs] So.
Garrett O'Hara: [00:49:30] Yeah. Kind of a, an Easter egg.
Joseph Carson: [00:49:33] Yeah, an ea- it is an in- interesting society for me even being here, you know, I- Ive become kind of one of the locals, I guess. You know, 'cause one of the longest places I've lived. Um, but I'm always impressed with the mindset, and, and the innovation and creativity. And looking at ways to embrace, and, and also you know, keeping an open mind as well. Um, I think that's what's crucial, you know, going forward.
And it, it, it's to, you know, ex- understand the risks and find ways to reduce them. That's ultimately what we're looking to do is when I look at my... My job and even being a security professional, is not to do security. That's just not to do it for the sake of security. It's not the full [inaudible 00:50:09] box, it's not... My job is to look at, you know, society, look at the risks, look at, you know, what things can do to reduce that risk.
So my job is to use my cybersecurity skills to help find a risk and reduce it where possible to an acceptable measure, and that's ultimately what our job in security is.
Garrett O'Hara: [00:50:27] Phenomenal. And, and with that mi- in mind, I think this is a good place to, to call it. And, but obviously you spent a lot of time doing webinars, you've got a lot of content that you put out there, um, you know, books and eBooks. It would be amazing, if you don't mind, just kind of running us through where we can find you, and you know, maybe connect with you if that's okay.
Joseph Carson: [00:50:44] Absolutely. So I mean, that, I'm always happy to share my, my content with as many people as possible. Um, educational wise. So the ways to find me, definitely the two predominantly places I'll spend a lot of my time sharing content is on LinkedIn. So you simply search for, you know, JO or Joseph Carson. You should see me there with a couple of pictures of my books. Um, and then also LinkedIn, Joe_Carson is my LinkedIn handle, so if you're interested in following my feeds, and thoughts, definitely look for me on Twitter as well.
Um, and also if you're interested in my content, for my books, which are free, you know, available to, to get and download, um, you can get at on thycotic.com and just, uh, look for under resources you'll find, um, I think I've got up to five books now I've authored. Um, all for different, uh, ranges of subjects, but, um, they have had you know, award winning books now, which has had, uh, amazing feedback from, from the audience.
Garrett O'Hara: [00:51:35] Phenomenal. We will, uh, include, uh links to those in the show notes also, and on the Get Cyber Resilient website, so, um, if anyone's listening, and, and I'm guessing many people will want to, to go check those out. We'll include those links. Uh, Joseph, really appreciate it. Um, phenomenally, uh, enjoyed this conversation. It's been excellent. Um, I know you've got a lot on, and you're probably maybe digitally fatigued, given how much time you spend on podcasts and, uh, webinars, and, and running, uh, um, shows and all that kind of stuff, so really appreciate it, and, yeah, very much, thank you.
Joseph Carson: [00:52:06] It's a pleasure being here. Thank you for having me on as a guest.
Garrett O'Hara: [00:52:13] Thanks again so much to Joseph for that conversation. I'll definitely be checking out his content, and, uh, webinars that he'll be delivering. In the show notes, you will find links to Joseph's online presence in Twitter, so it's, uh, joe_carson on Twitter, and then LinkedIn, the normal LinkedIn URL with Joseph Carson, but we'll, we'll add links to those in the show notes.
We'll also link to his books, Privilege, Access, Cloud Security for Dummies, and Cyber Security for Dummies. As always, thank you for listening to the Get Cyber Resilient podcast, the back catalog grows every week, so dip into those and subscribe, like, share, let your friends know, and let us know of people you want interviewed or topics you want us to cover. For now, keep safe, and I look forward to catching you on the next episode.