EP 59 – The Persistent Pursuit of Digital Transformation

David Puner [00:00:00]: You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security. The summer games just wrapped, and athletes from around the world are heading home. Regardless of nationality or event, each athlete’s journey culminated in the same place: competing for gold in Paris, where perennial events like steeplechase played out alongside newcomer breaking. That’s breakdancing for those of you who may not have been around for the electric boogaloo-infused 1980s.

As it turns out, enterprises and their employees are also on similar singular digital transformation journeys. Yes, we’re heading deeper into a digital world each moment while maintaining legacy infrastructure and creating new solutions to keep up with the speed of business. If you don’t keep up, you can’t compete, and it’s a never-ending journey.

That brings us to today’s episode, which is inherently grounded in digital transformation, considering our guest is Deb Singh, who’s global CIO at Persistent Systems, the India-headquartered IT company that specializes in software engineering and digital transformation solutions for enterprises. In his role, he’s got a front-row seat for many digital transformation journeys. And wherever organizations may be on their digital transformation journeys, they encounter the critical need to balance innovation with stringent security protocols and compliance measures. This delicate interplay is essential for ensuring that the transformative power of tech is harnessed safely and responsibly.

Because digital transformation increases the complexity and diversity of identities, expanding the attack surface, and potential for identity compromise. In our conversation, Deb shares insights on the importance of integrating identity security into the fabric of digital transformation. He also highlights how these factors ensure that compliance is seamlessly woven into the cybersecurity strategies that protect against the ever-evolving cyberthreat landscape. We also discuss organizational cyber awareness, AI, and many other things. Let this conversational journey begin, and let’s put the word “journey” away for a while. Okay, here’s my conversation with Deb Singh.

David Puner [00:03:00]: Deb Singh, welcome to Trust Issues. Thank you so much for coming onto the podcast.

Deb Singh [00:03:05]: Thank you, David. Thank you so much.

David Puner [00:03:07]: I know it must be pretty late in your day beaming to us here from India. What time is it over there?

Deb Singh [00:03:11]: Uh, it is going to be 9 p.m.

David Puner [00:03:14]: Wow.

Deb Singh [00:03:15]: Yeah, a little late, but that’s okay.

David Puner [00:03:17]: You look very lively and perky and a lot better than I would probably at 9 p.m. tonight, so thank you very much. To start things off, why don’t we just jump right in? A company that specializes in software product engineering and digital transformation. What’s a typical day look like for you?

Deb Singh [00:03:34]: All right. So let’s talk about what is the typical life of a CIO in today’s time, and particularly for the IT services industry. IT services provide technology services, engineering services to its customers. And while we can create solutions and create possibly those cutting-edge new tech solutions, those solutions need to be tried and tested before you really take it to a client and say, “Hey, this is what we have been trying. This is what the result that it is giving us. This is the kind of use case that we have tested, and we have solved it. And we think this will really add a lot of value to your domain, your industry, your problems,” and that is something which CIOs do today. Before you take a new solution, every single customer will ask, “Hey, how have you tested it? How have you tried? Tell me where it is working. Tell me what exactly the outcome that you see in real life.” It is being on whiteboard, being in a PPT. That’s all good. It sounds great, but in real life, how that is translating, and that translation happens inside the subfloor of CIO because the CIO controls that entire technology and, of course, a large customer base, which is nothing but your employee base spread across the globe.

If you have a new tech that you are able to make happen, make work for your own enterprise, you can create that story and take it to any customer and say, “Hey, look, customer, you have this problem, which exactly we have solved in our advisation. And if that is what it is, if it has worked for us, it will definitely work for you as well,” and that confidence and that use case creation of solutions, creation of business solutions for your customers or different business scenarios, happens inside the CIO software. And that is what I can say a typical day looks like, while the traditional support—handling users, handling security, handling enterprise applications, etc.—continues to be the way it was happening in the past, but this is the additional component, which is now coming primarily because of the rapid change in the technology landscape.

David Puner [00:06:00]: I know that you have almost 24,000 employees across 21 countries at Persistent Systems. So between that and the customers, I have to assume that you are a bit strapped for time.

Deb Singh [00:06:07]: Well, that is part of the game, right? I think that is what the transformation I see as being in the industry for so long. And if I compare my own work, maybe 10 years back to today, that is a huge change. That is a huge change, primarily driven by the latest changes in the tech standpoint. The reference I was making is you have the ability to try new technologies, create new solutions, solve those business problems in a completely different way. And that is what enables you to test it out in your environment, then take it to a customer, right? So that is the priority for CIOs in today’s world, but that is only one part. The new addition is the hat for the business enablement side of it, creating solution offering side of it. And that is the key part of it. And that is where the CIOs of the tech services companies are definitely doing a great job in terms of putting those solutions, taking them to the customer. So you spend a sizable amount of your time on this second part of the newest requirement compared to what was happening maybe 10 years back.

David Puner [00:07:00]: You’re coming at all of this with an engineering background. At what point did you know that you wanted to be a CIO, and what’s your career path been?

Deb Singh [00:07:05]: So I started my career as a support engineer. And when I started working for the last initial six, seven years, that is the time I realized I have a deep interest in building solutions. While support is fine, but creating solutions which will solve business problems, getting into the core architecture of it, design part of it, driving the entire technology landscape, rather than being focused on a smaller component or smaller portion of it. And that is what definitely interests me. And that is when I started switching, moving from customer support towards the enterprise side of it. And over the period, yes, here I am. So it is the core odds to drive core technologies, design, architecture, solution. And that is what defined my path for the role of CIO.

David Puner [00:08:00]: How large is your team? Is it huge or not huge enough?

Deb Singh [00:08:03]: It is.

David Puner [00:08:04]: Okay.

Deb Singh [00:08:05]: It is big.

David Puner [00:08:06]: All right.

Deb Singh [00:08:07]: If I put it this way, inside the organization, you have got multiple different teams: finance, human resources, administration, legal, and so on and so forth. So the IT team is the largest function. The biggest function is the technology function. No exception here. My team is the largest team at Persistent as well. I am the biggest enabling function of the organization.

David Puner [00:08:30]: All right. Can you say how many people are on your team?

Deb Singh [00:08:33]: It is in excess of 500 plus people.

David Puner [00:08:35]: Wow. Okay. So what are the challenges of managing a large team spread across different geographies, and how do you ensure effective communication and collaboration?

Deb Singh [00:08:43]: We definitely had a pandemic a few years back, and that is while a lot of difficult times people have gone through, the entire world has gone through, but it has definitely taught us something great, which is essentially enabling every single individual to work in a virtual environment. Platforms like Teams, Zoom, and so on and so forth have completely changed the way we work.

David Puner [00:09:00]: Right.

Deb Singh [00:09:01]: So in today’s time, working with a distributed team across the globe is not at all a challenge. What matters is bringing that common objective, common goal for the distributed team. So your communication bringing them together to work as a team is the key part. If the value is visible and everybody understands what they are contributing to, you get a buy-in. And once you have a buy-in, you work as a single shared vision with that objective that we will make it happen. And that is the key part of it.

David Puner [00:09:36]: Were there any particular aspects that you had difficulty getting buy-in at any point, or has it all been progressively smooth?

Deb Singh [00:09:40]: There are definitely challenges. Every day is not the same day, right? When you drive—let’s say compliance is a critical component for a CIO role. Compliance is treated differently in every part of the globe, primarily because of culture, because of the regulatory requirements, because of the different way the things are driven in those countries, those geographies. And you put a uniform approach across the globe. People try to get into a certain level of resistance to that because they don’t understand the larger picture. You have to take everyone together for driving large initiatives. And I believe as long as you are focused on solution, focused on the outcome and show the value, it takes some time, but people get aligned.

David Puner [00:10:00]: Well, I’m glad that you mentioned regulations and compliance because given the heavily regulated nature of sectors like banking, financial services, insurance, and healthcare, how do you ensure compliance with various regulatory requirements across different geographies?

Deb Singh [00:10:10]: Compliance has to be driven as a culture. You cannot have compliance for project A or project B. It’s a different company, right? So what we do is we have created a basic framework for our organization, which cuts across the best of the requirements across the geo and the verticals that we are solving—we are delivering services to. So combining those together, we have that as the best baseline for our framework, our compliance framework. So this ensures the privacy part of it, the information security part of it, and, of course, the business continuity part of it. All three put together, we have created our own framework, compliance framework. Because what happens as we move people from one customer to another customer, or one industry to another industry, depending on their skill set they bring, and if I have a particular compliance standard or a compliance requirement for customer A, and I move that individual to another project tomorrow, which has a different compliance standard, that individual will not be able to align to that. So it essentially means there will be gaps. So what we do is we create a common baseline, which cuts across different industries that we serve, and, of course, different geos that we have, we are delivering services to, so that essentially means our baseline takes care of it, takes care of all the compliance requirements for the different verticals that we are delivering services to, or even geo for that matter.

David Puner [00:12:00]: So moving on to security then, how do you balance the need for strong security measures with the need for operational efficiency and user convenience?

Deb Singh [00:12:05]: That is tricky. That is tricky.

David Puner [00:12:06]: Okay.

Deb Singh [00:12:07]: Security and experience or convenience, right? They don’t go together. We bring controls based on the different standards that are defined. But while we bring controls, we have to ensure that it does not stop our business. It doesn’t come in the way of delivering services that we are supposed to do. And if that is what needs to be done, while compliance is critically paramount for us, we can’t compromise on that. By that, what I mean is, while I’m making some changes because of a compliance requirement, I go on and communicate to all my stakeholders, including employees and so on, saying, “This is what the change is. You used to go from point A to point B in this particular way, and that is changing. Now you have to do it in a different way.” Maybe that is a control requirement, maybe that is something else driving it. We give the complete reason behind it, and we tell them, “This is how it has to be done.” And if we do this, how it is going to help us, how it is going to help our customers. And once you show that value, you get a buy-in from your customers and employees as well. I mean, I’ll just give you an example. About six to nine months back, when ChatGPT was the trend, it was coming up, and everyone in the organization wanted to use ChatGPT. Across the industry, many organizations, particularly in IT services, took a call to stop access to ChatGPT.

David Puner [00:14:30]: Okay.

Deb Singh [00:14:31]: That’s very easy. Stopping access is a decision you make, so nobody can access it. But that essentially means you’re stopping innovation.

David Puner [00:14:38]: Right. So how long did it take for you to realize that’s what was going on and you needed to reverse it?

Deb Singh [00:14:43]: So what we did is we said, “Fine, we’re making a communication today because we don’t have an alternate mechanism to access it. We’re stopping it today, but we will come back soon.” Within one week, within seven days, we went back with a mechanism to enable access to ChatGPT. We created something called browser isolation. You click on that, it isolates into a particular browser. It will not allow you to go out of it, but you can do whatever you want inside. It’s like a virtual environment. That kind of met our requirement, and at the same time, it protected customer data or any other PII data being used in the ChatGPT environment. So we could stop the actual risk but, at the same time, not hinder innovation.

David Puner [00:15:00]: The inclination, the natural inclination, would be to want to lock it down. But then as a result, the innovation is hampered. So you need to free it while securing it. And that’s kind of a fine line to dance.

Deb Singh [00:15:12]: Absolutely. So, sticking with ChatGPT and generative AI in general, generative AI is, of course, transforming industries, but it’s also posing security risks across the board, like more sophisticated deepfake attacks and ransomware. How are you addressing these risks, and what changes have you seen in the threat landscape due to AI and generative AI?

Deb Singh [00:15:30]: It is scary. I’ll tell you why it is scary, why I’m saying that. Generative AI, as we all know, is extremely powerful. It has the ability to scan through data at an extremely high speed and give you the outcome maybe in a couple of seconds. Think about inside the environment, you have somehow a threat actor who got into your environment and is able to run, scan through your entire environment to find out where you have got open vulnerabilities. And if a generative AI is running on that, possibly the person will get that answer in a few seconds.

David Puner [00:16:00]: Right.

Deb Singh [00:16:01]: And once I know where the problem is, where the door is open, to exploit that open door, I will possibly take a couple of minutes more to immediately exploit that. So that essentially means earlier, what was taking days to exploit, to find the actual gap, then to exploit, now it can happen in minutes. So that is scary. Having said that, there are two other things that enterprises are driving. If you look at investment in security, that has definitely increased. I can say to a sizable percentage, depending on the industry they are in. So enterprises are investing in multiple different technologies, in solutions, which create possibly bottlenecks or multiple steps of data flow hurdles, which probably will give the enterprise more time or the security operations centers more time to detect because the threat actor is not able to move freely within the environment. So you get the time to understand or detect that anomaly and then respond, and of course, mitigate that. So that’s one way to look at it.

Then the second part—if you look at, I was reading the other day, I think in Hong Kong, there was one deepfake incident that happened. One enterprise lost around $25 million. But if you look at that today, what is the probability or what is the possible frequency it might happen? Because the compute requirement to create such deepfake videos or content in real time is extremely high. So hence, you don’t see too many examples around. But my take is maybe a few [00:19:00] quarters, four to six quarters down the line, it might become more easily achievable for threat actors. So enterprises need to be more aware in terms of how to manage those parts. And again, in security incident or security language, we always say awareness is the best medicine to stop a compromise. If every single employee is aware of how to detect a threat, how to address or understand what is an anomaly and what is genuine, that is definitely going to give us the premium in terms of ensuring that the possibility of compromise drops down dramatically.

At the same time, there are different technologies that enterprises are investing in—be it data classification, be it access controls, be it identity controls, and so on and so forth—to ensure that any communication that happens, they all have the ability to detect whether it’s a genuine communication or not. And that is probably the combination of these two—technology solutions and user awareness—is the only way to handle the threat that we are talking about because it is huge.

David Puner [00:20:00]: The AI arms race between attackers and defenders, which we’ve talked about quite a bit here on this podcast. Do you look at it as an AI arms race?

Deb Singh [00:20:07]: So for the threat actor, they use AI to break your environment. As an enterprise, we use AI to detect those compromises, detect those anomalies so that we can immediately respond to that and then, of course, mitigate it. So that is a fight between AIs. That’s happening, and that’s visible. If you talk about new ways—SIEM and SOAR solutions—they’re all AI-enabled.

David Puner [00:20:30]: Yes.

Deb Singh [00:20:31]: Because the amount of transaction data that we’re talking about, it is impossible for a human to consume and analyze in near real time, right?

David Puner [00:20:37]: Right.

Deb Singh [00:20:38]: So it is AI that is definitely doing that. I can say, not a gap, but a situation for a threat actor—they collaborate extensively between themselves. When I say “themselves,” I’m talking about between threat actors because they are working together to compromise one single target—maybe an enterprise. So that is a huge amount of collaboration happening in that space. But for enterprises, are enterprises collaborating with other enterprises to share the threats? The answer is no. The collaboration is only between the OEMs who are the technology providers and the enterprise that is consuming the services. It is a fight between AI and AI, so time will tell who is going to win, but yes, there are enough and more plans in place and the focus goes back to your processes, to your plan, to your playbook, because in today’s time, getting compromised is a given. It will happen someday.

David Puner [00:21:30]: But if you take yourself back then to, let’s say, January 2023, when this was all taking off, do you remember what you felt like back then about all of this? And how do you feel in comparison now?

Deb Singh [00:21:41]: If you look at a year and a half back from now to today, as an enterprise, if I talk about ourselves, we are much better positioned to handle any kind of situation. We have a very clearly defined playbook, which kind of ensures that we have the processes defined. Every single function, every single person within that function knows what is to be done when an incident happens. Be it [00:23:00] incident response by our team, be it the finance team, be it the delivery team, be it the human resources team, be it the legal team, be it the technology team—everyone knows what is to be done. Our immediate response plan, we are using AI for that again, so create the response, handle the situation to limit it to the minimal area and then put a recovery plan in place. So all these things are stitched together. We have a very clear approach to handle any situation that might happen because of any unwanted incident or event.

David Puner [00:23:30]: So then, going back to organizational cyber awareness, which you were talking about a moment ago, how do you cultivate a culture of identity security awareness and responsibility among employees across the organization?

Deb Singh [00:23:38]: Let’s talk about a typical life of an individual in today’s world. It is no longer limited to the working environment or the enterprise environment. Every individual has their own identity, their own digital presence in their personal world, on the personal side. So when we create awareness programs, we stitch it together by making them understand how identity is critical, not only for the enterprise side of it, but even for the personal side of it. So we look at it end to end, showing them what are the possible controls they need to bring in and how those controls will ensure that data doesn’t get compromised or that they don’t get into the wrong hands. So, starting from the basics of encryption of data, multi-factor authentication, protecting your identity, and so on and so forth. That’s the way we look at it when we create awareness—bringing the larger picture, bringing every individual or persona into the communication plan, and making it employee-centric, making it people-centric.

Every individual has got [00:25:00] their personal emails and so on. We encourage people to go enable multi-factor authentication on those as well, because you don’t want your personal emails getting compromised. So while we do that at the enterprise level, we carry the same culture, the same awareness, for your personal side as well. If we build that larger identity-related awareness, then it stays with the individual, with the persona, forever. And that is the way we see it.

David Puner [00:25:30]: Shifting over then to business strategy, in what ways do you collaborate with other business units to integrate identity security into Persistent Systems’ overall business strategy?

Deb Singh [00:25:39]: We spoke about how Persistent delivers services to different industries like BFSI, healthcare, and so on—heavily regulated industries. For those industries, if you look at the way we access customer environments, the way we consume services from the customer, or the way we deliver services to the customers, they may be a little different. So for every single type, we create solutions around how the access is going to be controlled, how the identity is going to be controlled, and what is the possible way, the risk that we are carrying for each of these threats that we are talking about. As long as we create a larger awareness around that, things definitely happen. And as I said, our core framework, whatever we have created, cuts across as the baseline for every single business. That takes care of every single industry that we provide services to. Our awareness program is also stitched along with that framework. So whatever the awareness program that we run, we make people come together, bring them together, and ensure that they understand the impact, they understand what their responsibility is, and they participate in the initiatives or the controls that we are driving. And it is not just the CISO function’s role to make an organization secure. No, it is not. It cannot be. It has to be done by every single employee because the strength of the chain depends on that single link.

David Puner [00:27:00]: Absolutely. And then how do you communicate identity risks and identity security strategies to other C-level executives and maybe your board of directors?

Deb Singh [00:27:08]: There are two ways that we do it. Of course, we produce our stats and different metrics for every single board meeting that happens every quarter. At a monthly level, we share the different metrics with the leadership as well. For example, suppose my CEO has gone for a customer meeting in Europe. At that time, there is an attempt to connect to the CEO’s device or to his environment from the U.S. or from Asia. That immediately gets detected. Of course, it definitely gets mitigated as well. But these are the kinds of compromises we capture, the typical attempts, and we showcase them as well. So that itself makes this particular situation so critical for the C-level executives because they know if their identity gets compromised, what is the impact. That is one way of doing it.

The second way is we do a lot of typical drills that we conduct. So we send out communication, which is marked like the CEO sending something to someone else, be it in WhatsApp, be it in an email, and different ways to see who is getting into the trap. And we do specialized programs for them to make them understand, “Hey, this is how it was run, and this is where you possibly didn’t detect and possibly didn’t analyze, and hence you got into the trap.” So luckily, this was done in a locally engineered controlled environment. Otherwise, you would have created a huge impact. So that is the way we drive things that ensure that every single person at the senior level is aware of what the possible [00:29:00] impact is and what their role is to protect their identity.

David Puner [00:29:03]: I think that would segue nicely into what are some of the common practices that organizations can adopt to strengthen their security posture that are maybe overlooked.

Deb Singh [00:29:10]: Create a framework that cuts across all the controls that you may be exposed to. So bring the best of the breed in terms of different frameworks that are available. Then create a single framework for your entire organization. Do not create multiple different frameworks by business units or by different geographies. Make it uniform because it’s a culture. It is not specific to a particular team or a particular individual. From a technology perspective, bring zero trust. That essentially means the system doesn’t trust anyone, not the individual, until the time I prove by my identity or by the controls that I have that I am who I am and I am authorized to access this content. So bring zero trust. Then definitely put the right identity and access management solution. Identity and access management will definitely give you multi-factor and other components, but at the same time, it gives you protection from any kind of attack or any kind of compromise that happens from different regions, which is not, I mean, which the system can detect very easily, right? So that you don’t get compromised there. Suppose your multi-factor didn’t work or whatever else didn’t behave the way it’s supposed to. So you have another level of control.

Then, another big component, which we haven’t spoken about: any compromise that happens—the first thing a threat actor tries to do is get access to administrative rights. They always try to elevate themselves to an administrator so that they can do larger damage because having an impact on one individual versus having an impact on the entire enterprise—they have different meanings, right? So the target is always the administrative rights. So bring a PAM solution, a privileged access management solution, which ensures that your administrators, they are the privileged access resources within the enterprise. So their access is controlled at another level compared to the general access and identity management. This means if by any chance your identity is compromised, your PAM will ensure that the compromise is not spreading across, it is limited to one individual only.

David Puner [00:31:00]: Uh-huh.

Deb Singh [00:31:01]: By doing that, you have a robust mechanism with your security operations center and other tools and systems to detect that compromise and get the time to immediately remediate that. And of course, put the required controls and mitigation plans post that. As long as you do this part—of course, that is easier said than done—you need to look holistically at what kind of current systems and tools you have, what the additional requirements are on top of that, how you can complement the different technologies, how you ensure these technologies are talking to each other, they’re exchanging data so that the intelligence is shared and not remaining in silos. Putting all together, create your plan and drive it. And at the end, focus on awareness campaigns, focus on testing your overall plan that you have created for any kind of unwanted situations. The playbook, what we would have done, do regular testing of your playbook to validate that you have really tested the different steps that you’re supposed to do as a remediation, as a recovery plan in case a disaster happens. So as long as you do all these points, you are good to go.

David Puner [00:33:00]: So I guess to come to the end here, although I feel like we could keep going for a lot longer, how do you see the near future and the future shaping up here? How [00:33:00] do you envision the role of IAM evolving in the next few years? And what emerging trends in identity security do you find most promising? And how might you prepare to integrate them into your strategy?

Deb Singh [00:33:11]: You have asked two questions.

David Puner [00:33:12]: At least two, right there.

Deb Singh [00:33:14]: Identity and access management—how it is going to evolve in the near future. If you look at and analyze all the compromises that have happened in the last few years, you will realize there are two areas that are the weakest links: one, user awareness—that is primarily for the ransomware side of it—and two, identity control—be it your password, you don’t have multi-factor enabled, and so on and so forth. These are the two weakest links across multiple thousands of compromises that have happened in the last few years. If these two can be handled, the level of security, the level of preparedness for the enterprise will be at least a multifold increase. It will be in the range of 98–99 percent. So it is extremely critical from that perspective.

Now, coming to the core tech part of it. Today, if you look at typical identity and access management, they are driven with keys, certificate-based and so on and so forth. Will that continue? There is a lot of research happening on that, and people are moving towards API-driven architecture, which is going to ensure that your identities are not shared the way they are getting shared between applications today, but it is done through API calls only in the backend so that the access to the bad actors is limited. That is one way to look at it. Then you talk about the access governance framework. I think in our terms, we call it IGA, Identity Governance Framework. In that, what happens is you define different personas and put governance for that persona on how the access is going to be provided. A common gap, if you look at it, is not revisiting the requirement of access over time. Some organizations do it once a year, some do it once a month as well. What is best for your organization? You have to agree on it, you have to find that out, and put a framework in place that ensures that the different levels of access being given—whether it is required after a certain duration of time—because many times what happens, I need access, I put in a request, I get access, I use that access for whatever the reason I had, but after that, I don’t go back to my original access. So that means the privileged access that I have for some time, or access to a particular environment that I have for some time, continues even though I do not need it. And if I don’t need it, that is additional access which is staying with me. The possibility is that I don’t focus on that. I don’t pay attention to that. There may be a compromise that could happen. So you need to have a governance framework that ensures there is a periodic check on who needs access to what resources, what devices, and so on and so forth, and that needs to marry together.

Privileged access—we spoke about it—you need to have a privileged access management solution as well. So every administrator needs to have a defined approach to handle privileges. As long as you look at every single aspect of it, I believe things will definitely change, and that is the way that identity access management is going to change.

David Puner [00:36:00]: Deb, to wrap things up here, I think I’ll ask you one more question about the immediate future for you. What’s next? Do you have dinner coming up? Bed? What’s going on? It’s 10 p.m. now for you. What are you going to do?

Deb Singh [00:36:12]: Luckily, I finished my dinner.

David Puner [00:36:14]: All right.

Deb Singh [00:36:15]: So I’ll go back to the hotel and probably get some sleep. I have a meeting starting early tomorrow morning, so I have to be ready.

David Puner [00:36:20]: Okay, so yes, it is time for sleep at the moment.

Deb Singh [00:36:23]: Yes.

David Puner [00:36:24]: Well, thank you so much for giving us so much of your time this late at night, before an early morning. It’s really interesting to hear what you’re up to and your take on all of this identity and security and privilege-related stuff and much more to come, of course. Really appreciate your time, Deb. Thanks for coming on to Trust Issues.

Deb Singh [00:36:40]: Thank you, David. It was a pleasure talking to you, and thank you for having me.

David Puner [00:36:44]: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And let’s see… Oh yeah, drop us a line if you feel so inclined—questions, comments, suggestions, which, come to think of it, are kind of like comments. Our email address is trustissues, all one word, at cyberark.com. See you next time.