julio 10, 2024

EP 56 – Time as Attack Surface

In the latest episode of the Trust Issues podcast, the focus is on the criticality of time in organizational security. The conversation with host David Puner and guest Katherine Mowen, SVP of Information Security at Rate (formerly Guaranteed Rate), highlights the importance of swift decision-making and prompt threat response. They discuss the role of just-in-time (JIT) access and AI in accelerating response times, as well as the ever-evolving threat landscape that requires constant vigilance. The episode emphasizes the strategies and technologies shaping the future of cybersecurity, particularly at the intersection of time management and identity protection. 

Join us for a timely discussion that underscores the intersection of time management and identity protection.

David Puner: [00:00:00] You’re listening to the Trust Issues Podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security. So much, if not everything, comes down to time. Estimated time. In time. On time. Out of time. Hey, that was a good time. Any time. Okay, time out. We want to be mindful of your time. We realize you don’t have anything but time and we thank you for taking time out of your busy day or night to listen to this podcast.

The point of all this time stuff is that in our world, the criticality of time emerges in the context of prioritizing and addressing threats promptly to reduce risks and keep organizations secure. It also comes in the form of just-in-time access when organizations give human and non-human identities elevated and granular privileged access to an application or system to perform a necessary task in real-time.

We all think about time, at least unconsciously, almost every waking moment, but today’s guest is hyper-aware of it. She’s Katherine Mowen, SVP of Information Security at Rate, the big mortgage and finance company that was called Guaranteed Rate until just a few days ago. She and her team need to make critical decisions and respond fast. It comes down to time. Like many of you, Katherine’s in a role where she goes to bed every night with a real possibility that she may get an urgent call with news of an emerging threat, an attack, or some other critical scenario. A call that requires swift action. With the emergence of AI, response times are becoming even faster because, as Katherine discusses, AI can figure out how to exploit vulnerabilities much quicker and more efficiently than humans. So in many ways, the offensive-defensive AI arms race is grounded in speed or time amid a wildly expanding threat landscape. We talk about that and risk and identity governance and lots of other things. It’s time. Here’s my conversation with Katherine Mowen.

David Puner: [00:02:35] Katherine Mowen, SVP of Information Security at Guaranteed Rate. Welcome to Trust Issues.

Katherine Mowen: [00:02:41] Good to be here. Thank you for having me.

David Puner: [00:02:44] Yeah, thank you. I’m pleased that we were able to do this this week on a Friday right before the 4th of July week. Yes. So thank you for taking the time. Looks like you’ve been with Guaranteed Rate since March of 2020. Is that right?

Katherine Mowen: [00:02:57] Yeah, that’s true. I started at Guaranteed Rate one week before we all started working from home because of the pandemic.

David Puner: [00:03:04] Okay.

Katherine Mowen: [00:03:05] So it was an interesting time to start a new role for sure.

David Puner: [00:03:08] Yeah. What was the beginning like and how did it surprise you as a result of that sort of change in plans as it were?

Katherine Mowen: [00:03:16] You know, when I started, you do all the normal stuff, getting walked around, introduced to people face-to-face, shaking hands. I will say I got very quickly thrown into a project, which was such a good sign when joining a new organization that within the first week, it’s like, «Hey, here’s a high-profile thing that I need you to help me with.» I’m like, okay, cool. So I really started kind of learning the ropes at GR kind of like right out of the gate, but then all of a sudden, it’s we’re in the middle of a global pandemic and I had met some folks on site that first week, but not everybody, and I was just like, alright, how is this going to go? What’s going to happen with the mortgage market? Like we’re all now just kind of stuck at home, like, who knows what we’re going to be able to accomplish and what’s this going to be like? But what I found was that everybody I was interfacing with at GR didn’t seem to care that it was video conferences and phone calls and things like that. They were extraordinarily accepting. It was like, «Oh, you’re here to do a job? Great. Let’s do this together. Let’s work on this.» And that was fantastic. So one of the first things that I really set about doing was working with each of the three security teams to get our roadmaps kind of more formalized and documented, agreed to make sure they had strategic risk value to the organization and then go about building our scrum boards in alignment with that and working with the teams to kind of start tracking towards these high-level objectives, as well as the smaller sub-goals that would get us there. So that was kind of how I spent the first, I don’t know, like 90 or so days that I was with GR. So it was a really interesting time, but also a time where everybody just kind of got together and said, this is the new normal. We’re just going to kind of proceed, which is amazing.

David Puner: [00:05:17] The new normal. I haven’t heard that said in a while now. So I guess it’s the old normal now.

Katherine Mowen: [00:05:22] The old normal.

David Puner: [00:05:23] Yeah. So prior to Guaranteed Rate, obviously you were in a number of places and we’ll probably talk specifically about at least one of them in a moment, but what’s your career path been to SVP of Information Security at Guaranteed Rate? And Guaranteed Rate, I should say, of course, is the mortgage and finance company, a very big one, in fact. So, what was your career path to your current role, and then what does your role entail?

Katherine Mowen: [00:05:45] So my career path may be a little bit different for folks in information security, although I really genuinely hope for not too much longer, because I was just at a conference yesterday talking about this exact same topic. We need more people in information security. That is a known problem. And we need to be a little bit more flexible in our thinking about what those transferable skill sets are and who might be interested in information security, people like me, who may not come from maybe a traditional, quote-unquote, IT technical background, but have some really good skills that they could absolutely leverage to make information security a more inclusive and maybe more well-rounded place to be. But going back to your original question, which is my career path, I actually started my career in public accounting.

David Puner: [00:06:23] Okay.

Katherine Mowen: [00:06:24] For a while there, I was a registered CPA. I went into public accounting when I was getting out of college. It wasn’t the Great Recession, but it was a recession. I was like, oh my gosh, what am I going to do? And my mother, who, full transparency, is an accounting professor, said, you know what? Maybe you should consider accounting. And I was like, what’s no, like, why would I do that? And she was like, well, there’s a subset of accounting called forensic accounting and fraud investigation. And maybe that would be of interest. And I was like, well, that sounds cool. So I went and I got a master’s in accounting, started in the big four, spent a few years doing financial statement auditing and then moved over to fraud investigation. And I was just like, you know what? I get it. There’s a role for people doing this kind of work, but I didn’t feel like it really suited me. And so I went ahead and moved over to internal audit at the Federal Reserve Bank of Chicago. I spent nine years there and when I started, I was a financial and operational auditor, but I felt like the really interesting work was being done by the IT auditors. So I weaseled my way over to IT audit by saying like, I’ll do IT governance audits, I’ll do this other stuff. And people were like, you want to do that? Sure, go for it. Have at it.

David Puner: [00:07:38] Yeah, I saw somewhere in a bio of yours that you got bitten by the IT bug. Yes. I didn’t even know that there was an IT audit bug. What is the IT audit bug? Is that a thing?

Katherine Mowen: [00:07:48] Yeah, but that was really what it was. I was like, this is much cooler work than what I’m doing. So like, yeah, let me get over there. And I think part of that was just the nature of being at the Federal Reserve itself, even in the early 2010s, information security at the Federal Reserve was a very robust practice. It was something that was taken extraordinarily seriously, as well it should be, it’s the Federal Reserve System, right? So those teams, like the InfoSec teams at the Federal Reserve, were doing some really innovative work. And so as a result, the audit team was looking at that and doing project audits around it and was driving forward the audit program and things like that. And I was just like, oh, that’s interesting. Like that, I want to be a part of. So I very intentionally worked with my manager to say like I have an interest in IT audit, like what can I do? And so that’s where I started with doing like the IT governance reviews and things like that as an entry point to then moving fully over to the IT audit team. And I actually got to be the manager of that team for a while and it got to the point where I was just like, I don’t want to be on the outside looking in. I want to do this. As my primary reason for being, I want to be in it with the practitioners doing information security on a day-to-day basis as my job function. So, you know, I ended up moving to a different organization, Federal Home Loan Bank of Chicago, where I managed the identity and access management team there. And then after that, moved to Guaranteed Rate.

David Puner: [00:09:10] Great. So without diving deeply into each aspect of it, how did nine years in the Federal Reserve Bank of Chicago’s audit department help prepare you for your current role?

Katherine Mowen: [00:09:20] The questions that information security practitioners should ultimately be asking themselves are those of risk management. And it’s the same thing when you’re in audit. When you’re creating an audit plan, you should be doing it on a risk-based basis. You shouldn’t be worrying about, are we putting the same controls in place for things that we are low-value targets from a confidentiality, integrity, availability, perspective, low risk? Like why would we put our hours there when we could be looking at the higher risk stuff? And it’s the same thing from an information security perspective.

David Puner: [00:09:53] You need…

Katherine Mowen: [00:09:53] To be able to assess the risk of different components of your IT environment and say, okay, our threat profile, given what’s going on in the world and given the nature of our organization, where do we put our limited time, treasure, and talent to bear to get the biggest risk reduction bang for our buck? Right. So spending that time as an auditor, thinking through those risk decisions around like, what are we actually going to look at in these reviews, going out to the business and saying, hey, you know, I don’t do your job. On a day-to-day basis, but I’m going to review the way you do it and having those productive conversations and getting that trust from them to actually perform these reviews and to take the findings that we had seriously and be able to communicate those findings in a way that we can say, okay, there’s a real reason why we’re telling you this is a problem and that you need to fix it and we’ll work with you to figure out the time frame for that and what the fix is and all of that good stuff. If you do that well as an auditor, that’s highly transferable to information security because you’re doing the same thing. You’re going out to your systems administration team, your networking team, your cloud engineering team, you know, whoever it might be, and saying, hey, we’re seeing problems. We’re seeing misconfigurations. We’re seeing vulnerabilities. We’re seeing things that we need your teams to fix and we need you to prioritize fixing them and being able to have that productive partner conversation with them about that is going to pay so much more dividends than just going to them and saying, like, I’m going to throw a problem to you over the fence. Deal with it. That’s an order. It’s a totally different way of interacting. And it’s, you know, if you do the former as opposed to the latter, you’re ultimately going to get a lot farther in securing your organization.

David Puner: [00:11:29] To bring it back then to present day, what is the scope of your current role? What does it entail? What does your team look like?

Katherine Mowen: [00:11:37] My team is broken up into three main parts: our security product and engineering team, they bring in new security technology, stand it up across the organization. The second team is the identity and access management team. So all things authentication, all things identity governance, privilege access management, that falls under them. And then our security operations and incident response team. So they’re the ones dealing with security events on a day in, day out basis, responding to them as needed. They also run our vulnerability management program and our general security hygiene program for the organization.

David Puner: [00:12:09] How do you define the vision for cybersecurity and identity protection across mortgage financing and insurance options, and what’s particularly challenging or singular to the space?

Katherine Mowen: [00:12:19] You know, from a high-level perspective, we’re looking at what does the threat landscape look like? What do we think the biggest risks to our organization are and how do we address those in a way that is going to balance risk reduction with organizational risk appetite and managing costs from that perspective? Each one of the three teams that I described earlier has their own roadmap. We break things up into objectives and key results. So objectives are kind of those big, hairy, audacious goals, usually take about a year to get done. And the key results are smaller pieces of the puzzle, probably about three months to complete. And however many of them there are, two, three, four of those completed, you’ve achieved your objective. Especially in the identity space, we’re looking at it across four pillars. One is our customer identity and access management, which also includes non-person identity and access management focus on that borrower experience or customer experience member. I think actually experience when they’re coming into any one of the guaranteed rate companies to do business, making sure that that is a pleasant user experience, but also a secure user experience for them. And then looking at the non-person piece as well, and making sure that we have robust authentication mechanisms in place, both internally and crucially externally across our environment as well. The next piece is identity governance. So we’re working on making sure that we have that central source of truth for identity across the organization, that we’re running periodic attestations on access, that we are managing that user access lifecycle, that we’re getting role-based access control in place, separation of duties in place, automating as much as we can, which is interesting because there are a lot of third parties that we do business with. So the automation there is a little tougher. Privileged access management is the third piece. We want to make sure that those privileged accounts, both from a person perspective and a non-person perspective, are being managed in a secure way, while also making sure that the friction around the use of those privileged accounts is as low as possible. Again, the challenge with security is you want to have security in place, but you also want to make it not so arduous that people go around it, right? And so from a privileged access management perspective, in particular, user experience is something that we’ve been really cognizant of for our systems administrators and others who are checking out credentials and things of that nature. And then the last piece is frictionless access. So, for our workforce users, how can we continue to push out as much single sign-on as we can? I would say we fought 90 percent of that battle. It’s the new stuff and the one-offs that we’re trying to continue to grab where we can, potentially moving to passwordless as well. I think everybody’s recognized that passwords are a problem for a really long time. Again, that whole idea of you could be really secure, but people will go around the controls if they’re too difficult. We’re telling people different passwords for every single site that you use, make it complex, and no one can remember their passwords. I’m one of them, too. I feel like I’m resetting my password more often than I’m remembering it. And so wanting to get to that frictionless place for users where it’s like, I’d really rather rely on, um, you’re right. I mean, we’re getting there, you know, we’re getting there. We’re working on the process to get people to sign in.

David Puner: [00:16:00] So you had mentioned customer user experience, obviously, when it comes to the mortgage application process and then whatever other features members are going to tap into from a digital front, how do you balance strong security with a positive user experience? And how does identity factor into that equation?

Katherine Mowen: [00:16:17] The thing I really like about the people who are coming to Guaranteed Rate for any one of our products is that it really does seem like our customer base is starting to understand the importance of security, because we get these questions, and so we want to have a robust authentication mechanism in place, which we do. And we offer options for multifactor and we require multifactor for all of our members. And so they can choose their own adventure with it to a certain degree. Like there are certain factors that we require other factors that people can opt into if they choose. But, you know, we want to make sure that front door is really robust for people so that they can feel confident in their overall user experience, whether they’re getting a mortgage, whether they’re doing insurance, personal finance, whatever that might be.

David Puner: [00:17:06] Okay, so then on to emerging threats, which as we know, they’re always emerging continuously, which I guess would be redundant, always and continuously, but what emerging threats to identity security do you see as critical right now? And what innovative technologies or strategies are pivotal for financial entities?

Katherine Mowen: [00:17:24] So I think we’re all aware of the ALPHV/BlackCat group and how they’ve been very prolific over the course of the past nine months to a year. This is something that we’ve been tracking and they’re really going after identity. One of their tactics is to impersonate highly privileged users, call up a help desk and say, «Hey, I need to reset my password.» And if they can make that happen, then there’s so much they can do. Right. And so we’ve been really looking at those tactics and saying, okay, we have some things in place on our side that already make it difficult for those kinds of attacks to be perpetrated. But we also want to, first of all, make our user base aware, that these are the kinds of things that are happening. So we’ve been talking with our help desk and saying, «Hey, if you’ve got people suspiciously calling in asking for credential resets, tell us about it. We want to hear about it.» Upping the ante a little bit on authenticating users when they’re calling into the help desk and making sure that we’re not using validation mechanisms that are just a little too easy to find on the open internet. We’ve been spending a fair amount of time looking at those kinds of attacks and saying, okay, how can we take, you know, I think we were already in a pretty good position last fall, we’re in a much better position now from that perspective.

David Puner: [00:18:28] Bring AI into that whole equation. How do you see the role of AI shaping the future of identity security? And how does that impact the way that you’re looking at emerging threats?

Katherine Mowen: [00:18:39] Well, one of the things I think about with AI is that there are use cases for it on both sides, right? You’ve got your malicious actors who are utilizing it to very quickly write exploits for newly identified vulnerabilities. You’ve got malicious actors using it to craft really, really good phishing emails, getting people to click on things, credential harvesting, that kind of thing. And then on the other side of it, you have security companies that are starting to embed AI into their products to make things easier for security teams to do their jobs. So to the degree that I can go into any one of our security platforms and ask a natural language question and say, «Hey, when was the last time user XYZ logged in as privileged on this device?» and get an answer as opposed to spending however long querying logs and trying to figure that out. That’s going to be a game-changer on our side as well. So you’re really looking at almost like an AI arms race. You’ve got folks on both sides trying to leverage this new technology as quickly as they can to their own ends. I think it’s going to be really interesting to see how it plays out. There’s also exploits with AI that is used for business purposes. And so, to the degree that you have a chatbot widely available, maybe authenticated, maybe not to get to it. And you can ask it questions that will coerce it into divulging sensitive data. That’s an issue as well, that we need to make sure that we’re being really careful about because these non-person chatbots can end up over credentialed. So that’s something that we need to consider for any organization, that’s another door that we need to make sure that we’re watching.

David Puner: [00:20:11] So the AI arms race that you mentioned, obviously arms race being attackers and defenders. Do you look at it as keeping up with attackers or is it still staying a step ahead of attackers?

Katherine Mowen: [00:20:22] I think it’s going to ebb and flow because I think both sides have the ability to be really creative and maybe there are times when one is a step ahead of the other. So I guess I don’t know the answer to that question. I think it’s going to depend on the situation and it’s going to depend on how people evolve with the technology. But, I think that there’s been enough discussion and concern about AI. Since, really, within the past year or so, it’s become a huge topic of conversation and folks on the defender side aren’t sleeping on it, which is good, but it’s going to be interesting to see how, when you close one door pretty solidly, people are going to try and find a way around it. And it’s not even just the malicious actors, it’s your normal everyday workforce users as well, who are going to say, if it gets too difficult to do security, we’re going to find ways around it. And so, even watching the way that people creatively try to work controls intentionally or unintentionally is something that we need to keep watching and keep responding to.

David Puner: [00:21:28] How are AI and machine learning at this time impacting or evolving your identity security operations at Guaranteed Rate?

Katherine Mowen: [00:21:37] I think right now we’re pretty reliant on our vendors in this space to say, you embed that in your products as part of the overall value proposition of whatever it is that you are providing. And as we continue to evolve with those third parties we do business with and watch the evolution of their products. AI is definitely something we’re asking about, right? How are you leveraging that again to help our teams be more efficient and effective? And so I think for us really, it’s a combination of watching that third-party vendor space and saying, okay, how are they making their overall tool set better through the use of AI ML? And then also watching what our business is doing from that perspective and saying, okay, there are folks internally on our product teams who are interested in this. And how do we also go out to them and say, okay, this is great. And we’re excited that you’re interested in this technology, but how do we make sure it’s secure as well? And having those proactive conversations. So that’s something we’re trying to do on the backend. But from an identity management perspective for us specifically, we’re a little bit more on the like we’ll leverage what our vendors have to offer and keep an eye on the market for that as well.

David Puner: [00:22:41] And then how do you think AI will or how is it affecting decision-making processes and governance in cybersecurity?

Katherine Mowen: [00:22:49] So this is where I’m going to get on my soapbox a little bit.

David Puner: [00:22:52] All right.

Katherine Mowen: [00:22:53] If I haven’t already been. I think it’s going to cause us to need to be faster and to be able to execute that much more effectively. And what I mean by that is, and this is something that I’ve been thinking about for a really long time, is, no pun intended, is the idea of time as an attack surface.

David Puner: [00:23:07] Mm-hmm. Okay.

Katherine Mowen: [00:23:08] And what I mean by that is, the longer you have to do anything, the harder it is to sustain that, and the harder it is to protect it. So, as I think about the data that organizations retain, the longer you have to retain that data, the longer you have to protect that data, the more data there is to protect, piling up as it relates to data retention, kind of the bigger your attack surface. So some of the conversations I’ll have with the business around deleting data and things of that nature, people want to set their retention periods longer if they can, because they’re like, oh, maybe I’ll need it one day. And it’s just like, yeah, but that’s also overhead for us to protect and volume that could potentially be at risk, right? Same thing with the length of time that you may need access within a certain application. To the degree that we can say you are only going to have access for x period of time as opposed to x plus y period of time reduces your risk and your threat profile and AI is only going to make the game that much tighter on time. If you look at the length of time that it takes for a threat actor, once they get an initial foothold in your environment to break out and move laterally, that time has gone from days to minutes over the course of the past few years. So we’re looking at saying, okay, we don’t have 24 hours to respond to an alert. We have 10 minutes.

David Puner: [00:25:04] Right.

Katherine Mowen: [00:25:04] That’s something that we want to make sure that we’re doing consistently across the board. And AI is only going to make that timeframe tighten, as I mentioned earlier, a vulnerability drops and you can use AI to come up with an exploit for it incredibly rapidly and start to deploy that. Whereas previously you needed human beings to figure out how to exploit a vulnerability and that takes time. And so now all of a sudden you’re in a position of saying, okay, we need to be faster to drop patches, to be faster to implement those patches. We need to be faster to identify, triage, and respond to potential malicious activity in our environment. We have to be faster to make those key decisions too. You mentioned governance. Governance is, oh my gosh, that’s my sweet spot. We’re having to make a decision about whether we’re going to shut down our network or not. This is not something that we can wait until morning on. If I’m getting a call at three o’clock in the morning, I need to be picking up my phone. Same with our CISO. And we have mechanisms in place to make sure we’re getting woken up at that time.

David Puner: [00:26:08] Right.

Katherine Mowen: [00:26:08] Because if a decision needs to be made, it needs to be made now. I cannot wait until normal business hours. And so I think AI is a part of it. I think there’s other things driving all of that. But the time you take or don’t take to either respond or make a decision and then respond is potentially the difference between a minor security event and a major one.

David Puner: [00:26:36] Is what you’re talking about here. Is it just the need for speed, or is it also a change in approach to the way that the organization is handling these types of threats?

Katherine Mowen: [00:26:48] I mean, it’s probably both because ideally, at the end of the day, you don’t want to be in react-slash-response mode if you don’t have to be. The goal of information security is not to have a crisis every other week. The goal of information security is to keep things pretty boring to the degree that you can. And so from that perspective, that’s going back to the conversation we were having earlier around what are the best bang for our buck things that we can do to reduce the likelihood of having an event in the first place at all? Putting those appropriate protective controls in place, multifactor everywhere is the big obvious one, but there’s many others. And say, okay, to the degree that we can not have a bad day at all, let’s try to do that. But if we’re in that gray zone of like, ooh, this could be really bad, how quickly can we move to minimize that? That’s where the need for speed and accurate speed is critical. And so we’ve had these conversations internally to say, okay, how can we make sure that we can execute on this faster? How can we make sure we’ve empowered our teams to make these decisions? For some reason, our CISO is out climbing Mount Everest and I’m in a coma. Who’s next in line to make that decision so that we don’t end up in this place just waiting or being indecisive? We need to be decisive and we need people to be empowered to make those decisions and understand the implications of the decisions that they’re making. And maybe actually a mistake is less impactful than people think. If we take down our network, how long is it really going to take to bring it back up? Maybe not as long as people fear. And maybe the reprisal wouldn’t be as bad if we had a false positive situation where we did that. So I think there’s also a lot of fear around doing some of this stuff. And you need to be ready to make that call. And there’s type one, type two error, right? There’s underreacting and there’s overreacting. We’ve had these kinds of conversations internally. Around like, where do we want to like err, right? Do we want to err on the side of underreacting or do we want to err on the side of overreacting? And you know, the environment that we’re in now. Where again, there’s less time to get all the information to make a perfect decision. We’re going to err on the side of overreacting and we’re going to basically like ask forgiveness later if we have to.

David Puner: [00:29:00] So that obviously, or maybe not obviously, would seem to create a lot of potential stress. So when you go to turn off the light every night, knowing that there’s a potential that you could get awoken at 3 a.m. or whatever it may be, how do you deal with that? How is that something, if it’s ever-present, how have you adjusted to that? And how do you live with that as part of what you do for a living?

Katherine Mowen: [00:29:25] Part of it is, I chose this, right? I want to be here. I want to be doing this job. I want to be willing to make that decision. I am willing to make that decision. And I think about that not from the perspective of, like, that’s a lot of power and I’m excited about it, but who I’m making that decision on behalf of. Ultimately, it’s our members, right? Like, I’ve been through the mortgage process a couple times myself, prior to joining Guaranteed Rate.

David Puner: [00:29:48] Mm-hmm.

Katherine Mowen: [00:29:48] And I’ve had problems both times, from an information security perspective.

David Puner: [00:29:51] Mm-hmm.

Katherine Mowen: [00:29:52] The first mortgage that I did years ago, it was within a year, I want to say, of closing. I got notification that an insider had stolen my loan file.

David Puner: [00:30:00] Wow.

Katherine Mowen: [00:30:01] And it’s like, okay, not great. Get some credit monitoring, etc. The person was caught, obviously. And then the second time we got that email, «Hey, your wiring instructions have changed. Send your down payment here instead of there.» And if we had done that, our down payment would have been stolen.

David Puner: [00:31:07] Wow.

Katherine Mowen: [00:31:08] And at that time, things have evolved a lot from this perspective. It’s easier to get your money back if that happens to you. But, you know, especially, that must’ve been what? Seven years ago, you’re pretty much out of luck. There goes your down payment. You’re coming to the closing table going, «Oh, I made my down payment.» And everybody’s going, «No, you didn’t.» That’s not a good day to have as a borrower. And so I think about who I’m doing this for, and it’s those people who trust us so much, right? It’s the people who are giving us their financial lives so that they can make probably the biggest financial transaction of their lives in buying a house.

David Puner: [00:31:33] Right.

Katherine Mowen: [00:31:34] And I mean, that’s the stuff of the American dream, right? It’s homeownership. I’m not thinking about the idea of having a bad night’s sleep. I’m thinking about what does it take to protect these people who are putting a lot of faith and trust in us.

David Puner: [00:32:08] Well, this being said, it’s Friday. I hope that you get at least a couple of restful nights of sleep this weekend and really appreciate you coming onto the podcast. Katherine Mowen, thanks for coming on to Trust Issues.

Katherine Mowen: [00:32:18] Thank you, David. It was wonderful to be here.

David Puner: [00:32:21] Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And let’s see. Oh, oh yeah. Drop us a line if you feel so inclined. Questions, comments, suggestions. Which come to think of it are kind of like comments. Our email address is trustissues, all one word at cyberark.com. See you next time.