WEBVTT

00:00.031 --> 00:05.464
[SPEAKER_02]: a tough because I'm seeing people with, I'm talking about some street killers and they can't get a job right now.

00:05.645 --> 00:07.209
[SPEAKER_00]: Yeah, it's brutal.

00:07.229 --> 00:14.968
[SPEAKER_02]: And I don't know what's going on, I'm like, is it because of the industry or is it because, because like now it's not even a pile of pie for Joe, you've got to know somebody at this point.

00:15.117 --> 00:18.865
[SPEAKER_01]: Yeah, I mean, I'll say like, it's kind of like a tech bubble, right?

00:18.985 --> 00:22.151
[SPEAKER_01]: No, the housing crisis in 2008, it's a tech bubble.

00:22.793 --> 00:30.829
[SPEAKER_01]: You have AI coming in where the perspective at least is that the average worker can be replaced, but I don't think that's necessarily the case.

00:30.969 --> 00:32.873
[SPEAKER_01]: It's more so that

00:32.853 --> 00:35.018
[SPEAKER_01]: AI is an amplifier, right?

00:35.078 --> 00:45.341
[SPEAKER_01]: So if you have one or two high-performing people that really know the process and understand what they're doing, giving them a tool, an AI tool, can make it to where they can do the work of six to ten average people.

00:45.461 --> 00:50.132
[SPEAKER_01]: The technology and understanding the application and the meaning of the stuff comes into play.

00:50.272 --> 00:52.617
[SPEAKER_01]: That's where you can't be a checklist person.

00:54.014 --> 00:59.624
[SPEAKER_01]: Well, one, you have to understand that whenever there's a major change in an ATO, you have to be reassessed for another ATO.

01:00.285 --> 01:01.247
[SPEAKER_01]: That's issue number one.

01:01.547 --> 01:05.634
[SPEAKER_01]: So in the process of moving to the cloud, you have to redo the entire ATO assessment.

01:05.734 --> 01:06.115
[SPEAKER_03]: You do?

01:06.636 --> 01:06.876
[SPEAKER_01]: Yes.

01:07.738 --> 01:09.541
[SPEAKER_03]: Oh, man.

01:09.561 --> 01:16.393
[SPEAKER_01]: There may be exception cases, but the general rule is you're going to have to do a full ATO.

01:19.529 --> 01:22.733
[SPEAKER_02]: Look, you probably never security class, maybe even a security clearance.

01:22.753 --> 01:26.398
[SPEAKER_02]: And nobody taught you how to write POA&Ms, or how to test a security control.

01:26.659 --> 01:29.322
[SPEAKER_02]: For us to meet at ATO Package, I'm Chris Arcala.

01:29.443 --> 01:35.511
[SPEAKER_02]: After years ago, I was in your shoes, qualified on paper, but completely lost when it came to ARMA.

01:35.731 --> 01:43.602
[SPEAKER_02]: I had a degree, I had to search, I had to drive, but what somebody said, how to test the AT2 control, or doubt a day to step on it.

01:43.662 --> 01:45.705
[SPEAKER_02]: I had no clue what that actually looked like.

01:45.685 --> 01:53.537
[SPEAKER_02]: Fast 4 or 5 years, I work to call a DOD at federal agencies, late control assessments, brand ATO package, and pass orders.

01:53.918 --> 01:58.044
[SPEAKER_02]: That's why I built armed out the academy to teach you the real world execution.

01:58.425 --> 02:00.348
[SPEAKER_02]: They don't cover in certification books.

02:01.029 --> 02:03.012
[SPEAKER_02]: Inside, I'll show you how to write a POA&M.

02:03.313 --> 02:04.875
[SPEAKER_02]: And don't get fast back.

02:04.855 --> 02:06.617
[SPEAKER_02]: Test and validate security controls.

02:07.098 --> 02:08.861
[SPEAKER_02]: Translate tech jargon.

02:08.881 --> 02:10.243
[SPEAKER_02]: Navigating NIST 800-53.

02:11.624 --> 02:13.187
[SPEAKER_02]: Enharamfocconfidence.

02:13.207 --> 02:17.973
[SPEAKER_02]: If you're in IT support in the Garmin systems, or stuck on any of this obscurity, this is your way.

02:18.434 --> 02:21.158
[SPEAKER_02]: The people who go through my training don't just get hired.

02:21.218 --> 02:22.179
[SPEAKER_02]: They hit the ground running.

02:22.700 --> 02:25.023
[SPEAKER_02]: Because they practice the work before day one.

02:25.464 --> 02:28.568
[SPEAKER_02]: Go to haramfacademy.io and just hit the work.

02:28.582 --> 02:31.466
[SPEAKER_02]: Welcome everybody to another edition of the Tech World Podcast.

02:31.486 --> 02:35.933
[SPEAKER_02]: I'm your host Chris, the Information Systems Security Officer in the Govtech space.

02:36.474 --> 02:39.719
[SPEAKER_02]: And in today's podcast, we're going to have a very good podcast today.

02:39.759 --> 02:41.241
[SPEAKER_02]: This is close to home to me.

02:41.261 --> 02:42.784
[SPEAKER_02]: I work in the compliance space.

02:43.264 --> 02:48.492
[SPEAKER_02]: So in the compliance space, I know everybody, I always talk about ISSOs, information system security engineers.

02:48.913 --> 02:53.560
[SPEAKER_02]: But in this podcast, I'm very excited because we actually have an SCA-R.

02:53.540 --> 03:00.688
[SPEAKER_02]: Um, an SCA-R is one of the people that evaluates the ATO process and get your packages of proof and evaluate a lot of things going for.

03:00.748 --> 03:05.534
[SPEAKER_02]: So the person that we have on this podcast today is named as Dominique Richardson.

03:05.774 --> 03:07.556
[SPEAKER_02]: He went to Georgetown University.

03:07.897 --> 03:09.539
[SPEAKER_02]: He also has a CSSP.

03:10.280 --> 03:13.623
[SPEAKER_02]: He's also been working in this space for a very, very long time.

03:14.064 --> 03:16.987
[SPEAKER_02]: And, um, without further ado, hey Dominique, how you doing?

03:17.368 --> 03:17.969
[SPEAKER_01]: I'm good, man.

03:17.989 --> 03:18.349
[SPEAKER_01]: How are you?

03:18.329 --> 03:22.956
[SPEAKER_02]: I'm doing good, so I appreciate you coming on this podcast on the Saturday afternoon.

03:22.976 --> 03:31.888
[SPEAKER_02]: You can be part in, you can be doing all these stuff, but you're coming here to get back to the community, get back to these lovely people, so you know, love you, be on the podcast.

03:31.908 --> 03:41.822
[SPEAKER_01]: No, I appreciate you invite me, I mean, I feel like at this point of Matt, sometimes we have to remind ourselves to, you know, lift our head up and look around and say, okay.

03:41.802 --> 04:04.603
[SPEAKER_02]: What position am I in now am I in a giving position now and sometimes we fall short in that area and I'm just trying to find a way to give back now that I'm where man now because for those that don't know I'm a big fan of D on Sanders.

04:04.583 --> 04:08.507
[SPEAKER_02]: So, you know, we got to do this, and this is why we do, we do, you know, for sure.

04:09.127 --> 04:09.508
[SPEAKER_02]: Yeah.

04:09.528 --> 04:14.112
[SPEAKER_02]: So, you know, I love that you came on this podcast today, so we can talk about scars, what they do.

04:14.512 --> 04:22.540
[SPEAKER_02]: I have a lot of questions too, because even when I first talk to you, I was like, yeah, I feel like we got beef, you know, but we don't have beef, it's just we don't understand what each other does.

04:22.760 --> 04:23.761
[SPEAKER_02]: And you know what it is, so does.

04:23.881 --> 04:24.862
[SPEAKER_02]: I just don't know what y'all do.

04:25.282 --> 04:27.504
[SPEAKER_02]: So, now I'm glad you're coming on.

04:27.544 --> 04:33.730
[SPEAKER_02]: So, you know, just put an audience on this, that's not familiar,

04:33.980 --> 04:36.224
[SPEAKER_01]: All right, you know, my name is Dominique Richardson.

04:36.725 --> 04:40.651
[SPEAKER_01]: I went to Hampton University for my undergrad in physics.

04:41.373 --> 04:45.419
[SPEAKER_01]: At first I was part of the ROTC and I joined the army while I was there.

04:46.241 --> 04:50.468
[SPEAKER_01]: So then as I progressed and graduated, I kind of fell into engineering.

04:50.688 --> 04:53.373
[SPEAKER_01]: First I was doing networking stuff, project management stuff.

04:53.974 --> 04:58.722
[SPEAKER_01]: Then I gradually transitioned into, um, ISSO work, right?

04:58.702 --> 05:03.149
[SPEAKER_01]: So as I started getting more into this process, I started looking into other opportunities.

05:03.970 --> 05:12.082
[SPEAKER_01]: And I know I got invited to be an SCA-R, and I was like, okay, I would love to be on the other side, because I wanted to grow my experience and get better at what I do.

05:12.483 --> 05:16.649
[SPEAKER_01]: And I mean, career-wise, that's mainly been the progression.

05:18.131 --> 05:21.296
[SPEAKER_02]: So, so to the audience, can you explain what is an SCA-R?

05:21.656 --> 05:22.718
[SPEAKER_02]: What did they do?

05:22.799 --> 05:36.947
[SPEAKER_01]: All right, so an SCA-R is a security control assessor representative, basically with the contractors that work with the agency, and the agency will have one point of contact, which will be just the SCA, the security control assessor.

05:37.348 --> 05:38.310
[SPEAKER_01]: And we,

05:38.290 --> 05:43.702
[SPEAKER_01]: act on their behalf to do the assessment for all the packages and the changes going into a system.

05:43.862 --> 05:54.105
[SPEAKER_01]: So, for example, if there's a change request, if there's a POA&M, if you're pushing for a full ATO, we go through that process with you and tell you what needs to be changed and what needs to be modified.

05:54.457 --> 06:01.013
[SPEAKER_02]: So basically, what you're telling me, you're one of the people that review, validate, and just make sure us ISSOs know what we're doing.

06:01.033 --> 06:04.281
[SPEAKER_02]: And then we make sure everything's being processed through the programs correctly.

06:04.482 --> 06:05.685
[SPEAKER_01]: Now, that's one way to put it.

06:05.725 --> 06:05.966
[SPEAKER_01]: Yes.

06:06.387 --> 06:07.650
[SPEAKER_02]: Now, now I got you, I got you.

06:08.051 --> 06:11.419
[SPEAKER_02]: So, as being an SCA-R,

06:11.399 --> 06:18.598
[SPEAKER_02]: Can you kind of explain, like, you know, we use the seven-step RMF, um, what step do you usually focus on when being an SCA-R?

06:18.618 --> 06:26.117
[SPEAKER_02]: Because I know with ISSOs, we kind of do like all seven of them, but I know with SCA-Rs it's just probably like either one or two, but which primary one do you focus on?

06:26.283 --> 06:31.351
[SPEAKER_01]: Mainly we do 4-6, primarily we do validations.

06:31.872 --> 06:35.498
[SPEAKER_01]: So let's say there's a package that's coming up into eMASS.

06:35.538 --> 06:42.850
[SPEAKER_01]: We would look at it, we would assess it after the data is classified, and all those steps, zero through three, are done.

06:43.611 --> 06:48.679
[SPEAKER_01]: At that point, you have your self-assessment that the system owner has, right?

06:48.659 --> 07:02.137
[SPEAKER_01]: they assess themselves, they have their CCIs and their technical validation done, they have their scans uploaded, whether it's STIG or ACAS, they have their SCG with their saying, okay, these are the software that we have and they push it out into eMASS.

07:02.737 --> 07:10.988
[SPEAKER_01]: From there, there's a process to go through where you go from that self-assessment to being validated by us.

07:10.968 --> 07:16.843
[SPEAKER_01]: And then saying, okay, this is good to go to get pushed to an ATO because we understand the risk that's associated with it.

07:17.124 --> 07:17.926
[SPEAKER_01]: We validated it.

07:18.527 --> 07:18.728
[SPEAKER_01]: All right.

07:18.988 --> 07:20.893
[SPEAKER_01]: So that's primarily what I do.

07:21.329 --> 07:23.732
[SPEAKER_02]: Okay, so understood, so you're about it.

07:23.752 --> 07:33.346
[SPEAKER_02]: So when it goes to an ATO package, when you're going through an ATO package, everybody always talks about getting a two to three year ATO in our space is very good.

07:33.706 --> 07:41.177
[SPEAKER_02]: Yeah, but I always focus on the continuous monitoring portion, but how do you get a two to three year ATO with what goes into that?

07:41.613 --> 07:42.795
[SPEAKER_01]: That's a lot, right?

07:42.855 --> 07:47.040
[SPEAKER_01]: There are four main package assets that contribute to that.

07:47.401 --> 07:49.443
[SPEAKER_01]: There's an SSP, the system security plan.

07:49.904 --> 08:04.824
[SPEAKER_01]: There's the POA&Ms, which is basically saying the plan of action and milestones, where you're saying this is what you're going to do for this stuff that's not compliant, where the mitigations and the plans and how you actually are structuring it and how it's going to be checked.

08:05.304 --> 08:08.869
[SPEAKER_01]: Then there's the SAR, right?

08:08.849 --> 08:13.841
[SPEAKER_01]: where it's an assessment of the entire posture of the package, right?

08:14.943 --> 08:22.902
[SPEAKER_01]: And the fourth is the letter itself saying you have an ATO, or you don't, and that letter will also contain the conditions of the ATO.

08:23.524 --> 08:27.533
[SPEAKER_01]: So everything is really structured around getting those four artifacts.

08:27.935 --> 08:33.503
[SPEAKER_01]: And mainly what we focus on is a documentation review to make sure that the processes are in place.

08:34.123 --> 08:38.009
[SPEAKER_01]: We make sure the document is signed and current and up to date.

08:38.650 --> 08:43.076
[SPEAKER_01]: We also focus on the technical validation as well as the CCI validation.

08:43.556 --> 08:45.219
[SPEAKER_01]: For technical, we're looking at the scans.

08:45.519 --> 08:52.609
[SPEAKER_01]: We go through the actual system components and we say, when we look at each part saying, okay, this is in place, this is in place, this isn't in place, right?

08:53.210 --> 08:57.115
[SPEAKER_01]: So that would, that could be like network configurations.

08:57.095 --> 09:00.181
[SPEAKER_01]: actual switch or router to verify that.

09:00.762 --> 09:13.346
[SPEAKER_01]: For the CCI validation, that's the actual breakdown of the individual checks based on the NIST RMF and based on what classification of data it has, right?

09:13.466 --> 09:16.131
[SPEAKER_01]: That's this controls themselves at the lowest level.

09:17.334 --> 09:19.558
[SPEAKER_01]: So once we go through those two,

09:19.538 --> 09:24.105
[SPEAKER_01]: we get an understanding of the package itself by having a risk assessment based on all that.

09:24.666 --> 09:26.068
[SPEAKER_01]: And then we look at the risk assessment.

09:26.949 --> 09:35.181
[SPEAKER_01]: We look at how many how many findings are still open and we said, okay, based on this, this is the overall risk posture of the system.

09:35.702 --> 09:43.774
[SPEAKER_01]: And from there, we really just hand it to the SCA and the AO to decide after we give them that breakdown and we advise from that position.

09:44.159 --> 09:52.179
[SPEAKER_02]: Yeah, because, like, just to clarify to the audience, an SCA-R, a security control assessor representative, versus the, the SCA.

09:52.239 --> 09:56.630
[SPEAKER_02]: So usually a representative is just independent entity that kind of reviews.

09:56.750 --> 10:00.700
[SPEAKER_02]: And then you send it to the government official, the SCA, to review, is that correct?

10:00.680 --> 10:04.166
[SPEAKER_01]: Yeah, basically, the SCA is one person, right?

10:04.947 --> 10:10.798
[SPEAKER_01]: And usually when the SCA is one person, it's for a huge number of systems.

10:11.379 --> 10:14.865
[SPEAKER_01]: Up to a hundred, sometimes over a hundred for different agencies.

10:15.005 --> 10:15.566
[SPEAKER_03]: That's all right.

10:15.586 --> 10:16.227
[SPEAKER_03]: That tells it.

10:16.387 --> 10:17.229
[SPEAKER_01]: Yeah, exactly.

10:17.309 --> 10:18.571
[SPEAKER_01]: It can get very large.

10:18.611 --> 10:20.815
[SPEAKER_01]: So at that point,

10:20.795 --> 10:23.381
[SPEAKER_01]: We're basically his hands and ears, right?

10:23.742 --> 10:24.744
[SPEAKER_01]: We go into the system.

10:24.844 --> 10:26.548
[SPEAKER_01]: We work with the individual ISSOs.

10:26.588 --> 10:35.850
[SPEAKER_01]: We work with the ISSM to say, okay, this is where it needs to be to meet these requirements, and we advise based from there. So that's, that's really the role we fill.

10:36.151 --> 10:49.813
[SPEAKER_02]: Okay, so like, when you're doing this role, I know sometimes when somebody's sending a package up, they can either sometimes they fib a little bit about what the system is going on in this system, or maybe they just didn't have the correct information.

10:49.853 --> 10:54.480
[SPEAKER_02]: How would you resolve that with the programs?

10:54.460 --> 10:55.942
[SPEAKER_02]: It depends.

10:56.943 --> 11:00.106
[SPEAKER_01]: It depends what the description is, what the issue is.

11:00.166 --> 11:11.900
[SPEAKER_01]: For the most part, I personally prefer to try to reach out to the end up in the end directly and establish that relationship, but it can also get very political, right?

11:12.220 --> 11:18.047
[SPEAKER_01]: So you want to make sure that you're doing your due diligence to accurately communicate the information.

11:18.087 --> 11:19.388
[SPEAKER_01]: I'll say it like that.

11:19.368 --> 11:30.789
[SPEAKER_01]: So, but from there, I'll reach out and say, hey, look, these are issues I noticed and it can get to the point where it could be cross-training or it could be just explaining or pointing out.

11:31.791 --> 11:39.165
[SPEAKER_01]: And from there, we help them understand what the issue is so that they can come back with a better product.

11:39.652 --> 11:48.822
[SPEAKER_02]: Okay, so you kind of middle man, and when you're reaching out to these people, I know from a, for coming from your land, you have to have all your ducks in a row before you even go talk to them.

11:49.042 --> 11:51.510
[SPEAKER_02]: Yes, because I know you get challenged a lot by programs.

11:51.691 --> 11:53.256
[SPEAKER_01]: Exactly, yes, a lot.

11:53.506 --> 11:58.893
[SPEAKER_02]: So you got to make sure you got to females, the CY documents, you know?

11:59.073 --> 11:59.153
[SPEAKER_01]: CY.

11:59.193 --> 11:59.273
[SPEAKER_01]: Yes.

11:59.734 --> 12:02.878
[SPEAKER_01]: You got to be on point.

12:02.898 --> 12:04.100
[SPEAKER_01]: You have to be on point.

12:04.240 --> 12:05.882
[SPEAKER_01]: You got to be accurate with whatever you say.

12:05.902 --> 12:07.825
[SPEAKER_01]: You got to be consistent with what you say.

12:07.845 --> 12:09.807
[SPEAKER_01]: It has to be consistent with the past stuff.

12:10.328 --> 12:21.302
[SPEAKER_01]: For everything you say, you have to be able to point to documentation either from the agency or from the RMF knowledge site saying, this is why this is not good or this is why this is not good.

12:21.552 --> 12:33.756
[SPEAKER_02]: Yeah, because even as an ISSO, I had to deal with that too, because sometimes with compliance, they don't really care, they just like, we're just going to go do versus we had to have set rules because of these rules are not in place then.

12:34.192 --> 12:36.937
[SPEAKER_02]: We can't move forward, you know, and it's just that's the issue.

12:36.957 --> 12:38.419
[SPEAKER_02]: I've dealt with on RMF in general.

12:38.439 --> 12:40.343
[SPEAKER_02]: It's like, how do we do it?

12:40.403 --> 12:43.028
[SPEAKER_02]: And then, and not wish in the future, we go to like a continuous.

12:43.048 --> 12:46.854
[SPEAKER_02]: We're going to get further down on that on like a continuous for sure.

12:46.874 --> 12:48.277
[SPEAKER_02]: I'm, you know, package is something.

12:49.038 --> 12:53.867
[SPEAKER_02]: But working in working in this space, there's different types of ATO packages.

12:54.087 --> 12:55.690
[SPEAKER_02]: Can you kind of break those down?

12:55.810 --> 12:57.533
[SPEAKER_02]: Like, and what is the ATO package?

12:58.120 --> 13:00.502
[SPEAKER_01]: All right, well, ATO is authority to operate.

13:00.743 --> 13:05.647
[SPEAKER_01]: Basically, it's the permission slip for a system to work in a government space, right?

13:06.488 --> 13:12.874
[SPEAKER_01]: So there are different kinds based on what level or what you're trying to do with the system.

13:13.915 --> 13:16.077
[SPEAKER_01]: It mainly breaks down into three kinds, right?

13:16.217 --> 13:17.258
[SPEAKER_01]: There's the full ATO.

13:17.479 --> 13:24.185
[SPEAKER_01]: We have full authority to operate based on the data and the information level that that's approved, right?

13:24.826 --> 13:26.187
[SPEAKER_01]: There's the

13:27.297 --> 13:38.927
[SPEAKER_01]: there's the IATT, which is the interim authority to test, where you can't run live data, but you can stand up enough to actually test and it has like limited requirements to actually get it up to that point.

13:39.568 --> 13:39.789
[SPEAKER_01]: All right.

13:40.210 --> 13:43.298
[SPEAKER_01]: And then there's the ATOC or ATO with conditions.

13:43.548 --> 13:49.515
[SPEAKER_01]: And that's kind of a middle ground where a system can be live, but we acknowledge like these are the risks associated with it.

13:50.276 --> 13:54.100
[SPEAKER_01]: These are issues or conditions that have to be met for it to get a full ATO.

13:54.440 --> 13:58.845
[SPEAKER_01]: So it's like, okay, we can run this, but we know what the issues are with it.

13:59.466 --> 14:00.627
[SPEAKER_01]: I guess that's the best way to put it.

14:00.647 --> 14:04.732
[SPEAKER_02]: Yeah, because I think most packages are like a good condition.

14:04.792 --> 14:10.939
[SPEAKER_02]: So, you know, I was confused too, because I never seen a program get a full ATO.

14:11.020 --> 14:18.230
[SPEAKER_02]: is always like you have a conditions or or maybe I'm or extension or day to extension so that's what I was confused on that.

14:18.431 --> 14:22.777
[SPEAKER_01]: Well the extension can apply to the to the ATO or the ATOC.

14:23.318 --> 14:27.864
[SPEAKER_01]: It's not based on the information provided by a knowledge service site.

14:27.885 --> 14:30.789
[SPEAKER_01]: It's not supposed to extend to an IATT, right?

14:30.849 --> 14:35.796
[SPEAKER_01]: Because you're just testing, while you need an extension for a system that you're just testing at that point, right?

14:35.776 --> 14:39.625
[SPEAKER_01]: So, the extension can apply to both though, ATOC and ATO.

14:40.386 --> 14:55.540
[SPEAKER_01]: Now, from my perspective, at least the reason a lot of systems get an ATOC, as opposed to a full ATO, is that, you know, you want to have a working minimum viable product as soon as possible.

14:55.520 --> 15:01.472
[SPEAKER_01]: The easiest way to do that or the quickest way to do that, I should say, is to have an ATOC and then meet the conditions.

15:01.872 --> 15:05.900
[SPEAKER_01]: It's like a middle step between not having anything and having everything you need.

15:06.281 --> 15:06.562
[SPEAKER_01]: All right.

15:08.265 --> 15:10.930
[SPEAKER_01]: So yeah, that's the big difference between the two.

15:11.281 --> 15:13.083
[SPEAKER_02]: Okay, so I get what you're saying.

15:13.263 --> 15:14.625
[SPEAKER_02]: So that was a good breakdown.

15:15.326 --> 15:22.195
[SPEAKER_02]: So tell me about SCA-R, tell me about like how political, because you're, you're in a different situation where you have to approve systems.

15:22.655 --> 15:28.282
[SPEAKER_02]: We do notice some maybe a national security system that needs to get approved.

15:28.883 --> 15:32.708
[SPEAKER_02]: It doesn't get approved or doesn't because it doesn't have is not caught up to anything.

15:33.529 --> 15:34.470
[SPEAKER_02]: And.

15:34.450 --> 15:39.918
[SPEAKER_02]: And sometimes people want to put a program, we know, push things, and push things all, how do you deal with stuff like that?

15:40.018 --> 15:41.861
[SPEAKER_02]: Or are you dealing with certain government officials?

15:41.901 --> 15:43.103
[SPEAKER_02]: Like, how do you work around it?

15:44.745 --> 15:46.928
[SPEAKER_01]: It can get you navigating three things, right?

15:47.369 --> 15:54.660
[SPEAKER_01]: You're navigating the technical where you're looking at the system itself, and you're saying, okay, this is not or is compliant because of this.

15:55.301 --> 15:58.666
[SPEAKER_01]: You're navigating the audit process, right?

15:58.706 --> 16:03.613
[SPEAKER_01]: You have to understand how NIST RMF goes into it, and then you have to navigate the political.

16:03.593 --> 16:09.240
[SPEAKER_01]: Now, for all three, one, you have to understand you're an independent assessor.

16:09.620 --> 16:13.324
[SPEAKER_01]: Everything you do, your name goes on and you're responsible for.

16:14.246 --> 16:18.190
[SPEAKER_01]: So, you have to keep that in mind and you have to be accurate in everything that you do.

16:18.811 --> 16:25.659
[SPEAKER_01]: With that said, you also have to understand that the SCA and the AO are the ones to ultimately make the decision.

16:25.959 --> 16:27.621
[SPEAKER_01]: You're advising on it, right?

16:28.923 --> 16:31.626
[SPEAKER_01]: And another thing is you have to understand

16:32.939 --> 16:45.222
[SPEAKER_01]: I guess I'm not going to say the political climate, but you have to understand what it is you're navigating and what the stakeholders are really looking for or trying to do based on what's there, right?

16:45.583 --> 16:48.248
[SPEAKER_01]: So for example, for system is actually

16:49.510 --> 17:00.150
[SPEAKER_01]: If it's not compliant, but there's a reason it has to stay up, you have to understand what's going on there and you have to do your best to secure the system as much as possible.

17:00.191 --> 17:02.996
[SPEAKER_01]: Because at the end of the day, we're protecting our country, right?

17:03.697 --> 17:05.140
[SPEAKER_01]: But we have to make sure the country runs.

17:05.440 --> 17:06.181
[SPEAKER_02]: That's the name of the game.

17:06.462 --> 17:06.682
[SPEAKER_02]: Yeah.

17:06.702 --> 17:10.007
[SPEAKER_02]: You know, he got people actually fighting wars and they need certain systems.

17:10.488 --> 17:10.729
[SPEAKER_02]: Exactly.

17:10.749 --> 17:16.618
[SPEAKER_01]: So it's sometimes you've got to remind yourself, it's a national security system, like this is very important.

17:16.678 --> 17:18.902
[SPEAKER_02]: Yeah, very, very, very important.

17:19.523 --> 17:19.623
[SPEAKER_02]: Yeah.

17:19.643 --> 17:23.249
[SPEAKER_02]: If you get that title, that means that if it goes down, a lot of things go down.

17:23.650 --> 17:24.150
[SPEAKER_01]: Exactly.

17:24.271 --> 17:24.591
[SPEAKER_01]: Yeah.

17:25.172 --> 17:30.621
[SPEAKER_02]: So, so working as an SCA-R, wait, what are some other issues of working as an SCA-R that you dealt with?

17:31.765 --> 17:36.658
[SPEAKER_01]: I'd say the most difficult thing to navigate would be the politics, right?

17:36.698 --> 17:37.220
[SPEAKER_01]: It's policy.

17:37.481 --> 17:40.669
[SPEAKER_01]: Because you have to be, like I said, you have to be privy to everything that's going on.

17:41.471 --> 17:43.176
[SPEAKER_01]: And a lot of,

17:44.540 --> 17:50.627
[SPEAKER_01]: organizations and a lot of independent contractors can take a more adversarial approach, right?

17:51.088 --> 18:03.562
[SPEAKER_01]: So it's like, I used to call, um, the, in the government, there's government workers, and then there's contractors, contractors are often treated as like second class citizens in different situations and scenarios.

18:03.582 --> 18:09.990
[SPEAKER_02]: You do, you just, in less and less, you're like ahead of a, a contract in company, you're literally second class as men.

18:10.055 --> 18:17.829
[SPEAKER_01]: I mean, that, yeah, yeah, and that's a culture issue, but even outside of that, you just have to make sure your T's are crossed.

18:17.949 --> 18:18.510
[SPEAKER_01]: Your I's are dotted.

18:18.610 --> 18:25.082
[SPEAKER_01]: You got to have your ducks in a row, and you got to have leadership that represents and stands up for you very well, which fortunately I've been blessed to have.

18:25.563 --> 18:26.064
[SPEAKER_02]: Thank you very much.

18:26.324 --> 18:26.584
[SPEAKER_01]: Yeah.

18:27.085 --> 18:28.047
[SPEAKER_01]: Amen.

18:28.027 --> 18:32.696
[SPEAKER_02]: Yeah, so I'm going to move forward inside of it kind of like the cloud environment.

18:32.997 --> 18:48.448
[SPEAKER_02]: Okay, so like you kind of break down like, what's the difference between a regular ATO and kind of like more of a cloud ATO or P, a provisional ATO or or and if I'm saying they're all just breaking down better but kind of break the difference between those.

18:48.985 --> 18:56.134
[SPEAKER_01]: Okay, so one, with cloud systems, for the regular ATO, there's other things you have to worry about, right?

18:56.915 --> 19:02.842
[SPEAKER_01]: The biggest things in my experience at least have are the inheritance associated with it, right?

19:02.862 --> 19:07.268
[SPEAKER_01]: So you might have a cloud system nested in a cloud system nested in a cloud system.

19:07.949 --> 19:15.718
[SPEAKER_01]: You might have an enclave that sits in AWS GovCloud, and then in that enclave there are different systems that are within it, right?

19:15.899 --> 19:18.722
[SPEAKER_01]: And each one inherits this from the other.

19:20.002 --> 19:22.145
[SPEAKER_01]: like a nested egg kind of thing, right?

19:22.906 --> 19:36.683
[SPEAKER_01]: And that's where you get into IaaS, PaaS, and SaaS: infrastructure as a service, where it's just the baseline hardware; PaaS, platform as a service; and SaaS, where it's just the software itself, you're responsible for the data and what settings you have, right?

19:37.664 --> 19:42.330
[SPEAKER_01]: So for the regular ATO, that's where you have to worry about.

19:42.310 --> 19:47.242
[SPEAKER_01]: Now, the CC SRG is the ultimate highest reference for all that stuff.

19:48.084 --> 19:59.070
[SPEAKER_01]: So, from there, you have the P-ATO, which can be the FedRAMP PA, you have the DOD on PA, which has reciprocity with everything else.

20:00.113 --> 20:02.535
[SPEAKER_01]: and then you have the actual ATO, right?

20:03.076 --> 20:10.263
[SPEAKER_01]: So what happens for this FedRAMP process, it is something called the FedRAMP hand, but that you can look at to, that's, you know, out there.

20:10.463 --> 20:11.304
[SPEAKER_01]: That's all.

20:11.324 --> 20:20.212
[SPEAKER_01]: But you'll have a system where it's approved for, for to be only FedRAMP environment, right?

20:20.593 --> 20:25.197
[SPEAKER_01]: So there's a FedRAMP site where there's a cloud service offering and a cloud service provider.

20:25.738 --> 20:29.361
[SPEAKER_01]: The provider creates the offering.

20:29.341 --> 20:42.743
[SPEAKER_01]: Assessment organization with 3PAO and then from there it goes into the FedRAMP marketplace if it's sponsored by an agency, right, because the agency has to say there's a need for it first.

20:44.022 --> 20:48.614
[SPEAKER_01]: So from there, let's say there's a cloud service offering that's already sponsored.

20:49.035 --> 21:00.343
[SPEAKER_01]: You take that cloud service offering, you prove you use a business case to say, okay, this is why the agency needs it, and then the agency itself has to assess it as well.

21:00.323 --> 21:04.311
[SPEAKER_01]: So, for example, there's a JVT.

21:05.393 --> 21:06.736
[SPEAKER_01]: I know JVT, yeah.

21:06.756 --> 21:07.177
[SPEAKER_01]: Exactly.

21:07.237 --> 21:15.273
[SPEAKER_01]: Where you go through and you take the cloud service offering and you say, okay, now the agency has to verify that what the 3PAO said was accurate.

21:15.954 --> 21:20.323
[SPEAKER_01]: So, you assess that and then from there, you go to the process to get a full ATO.

21:20.455 --> 21:21.236
[SPEAKER_02]: So it's the same thing.

21:21.376 --> 21:22.899
[SPEAKER_02]: You get an eMASS instance also.

21:23.019 --> 21:24.642
[SPEAKER_01]: Yes, exactly.

21:24.762 --> 21:25.964
[SPEAKER_02]: I think you go through all that.

21:25.984 --> 21:27.947
[SPEAKER_02]: And then you have to get certain documentation, too.

21:29.049 --> 21:29.289
[SPEAKER_01]: Mm-hmm, yep.

21:29.309 --> 21:31.152
[SPEAKER_01]: It's a, that's just a high-level summary.

21:31.372 --> 21:33.796
[SPEAKER_01]: There's a lot of details with this as, it's a lot.

21:33.816 --> 21:34.037
[SPEAKER_01]: A lot.

21:34.197 --> 21:38.143
[SPEAKER_02]: But I ain't gonna lie, of all the people I had on, you broke it down the best.

21:38.410 --> 21:39.853
[SPEAKER_02]: That was that rip break down.

21:40.213 --> 21:40.614
[SPEAKER_01]: I try.

21:40.895 --> 21:41.776
[SPEAKER_01]: Yeah, it's complicated.

21:41.957 --> 21:45.063
[SPEAKER_02]: Yeah, for to be that complicated to break it down, man. That was good.

21:45.303 --> 21:45.784
[SPEAKER_02]: That wasn't good.

21:45.864 --> 21:48.429
[SPEAKER_02]: That took me a while just to understand that process.

21:48.689 --> 21:49.030
[SPEAKER_01]: Oh, yeah.

21:49.331 --> 21:54.360
[SPEAKER_01]: It's, it can be tedious. It can be difficult, but it can also be rewarding, right?

21:54.543 --> 21:55.784
[SPEAKER_02]: So, so what is your role in that?

21:55.804 --> 22:01.691
[SPEAKER_02]: You're just assessing those ATOs or yours are you I've done a bit all over the place.

22:02.092 --> 22:03.273
[SPEAKER_01]: I've been on JVTs.

22:03.794 --> 22:07.758
[SPEAKER_01]: I've assessed for full ATOs for cloud environments.

22:08.459 --> 22:15.027
[SPEAKER_01]: I've actually helped with sponsoring a cloud service offering and walked through that process as well.

22:15.267 --> 22:16.168
[SPEAKER_02]: Oh, you did all of that.

22:16.188 --> 22:18.311
[SPEAKER_01]: Yeah, so those are the main three I've done.

22:18.371 --> 22:20.033
[SPEAKER_01]: So, got a lot of experience.

22:20.053 --> 22:22.035
[SPEAKER_01]: So, a decent amount of experience, at least in that.

22:22.690 --> 22:29.273
[SPEAKER_02]: Because I feel like with the government space, everybody wants to go to the cloud, but it's like some programs don't need to go to the cloud.

22:29.293 --> 22:31.200
[SPEAKER_02]: I just think it's just a thing to everybody wants to do.

22:31.220 --> 22:32.785
[SPEAKER_02]: It costs a lot of money to even get it there.

22:33.558 --> 22:34.520
[SPEAKER_01]: I mean, it depends.

22:34.760 --> 22:36.523
[SPEAKER_01]: You have to have a good reason.

22:36.764 --> 22:37.125
[SPEAKER_01]: Of course.

22:37.345 --> 22:37.565
[SPEAKER_01]: Yes.

22:37.966 --> 22:47.344
[SPEAKER_01]: And there's some things where you're not going to be able to go to the cloud because I mean the the agency already has this has this environment where they say, okay, we can have it here.

22:47.905 --> 22:52.854
[SPEAKER_01]: There's no issue with keeping it here, but in a lot of instances going to the cloud can save a lot of money.

22:53.154 --> 22:53.575
[SPEAKER_01]: Right.

22:53.555 --> 22:55.537
[SPEAKER_01]: because you're offloading a lot of that responsibility.

22:56.018 --> 23:10.612
[SPEAKER_01]: Also, it's a good way to verify that things are secure, because what's easier to secure, a thousand little systems that are each their own thing, or a thousand systems that exist in an enclave, with that enclave you know it's secure.

23:10.713 --> 23:14.837
[SPEAKER_02]: Yeah, it's already, it's already secure, and it's already been vetted, so I'll trust that more.

23:15.077 --> 23:15.878
[SPEAKER_01]: Exactly, yeah.

23:16.218 --> 23:18.921
[SPEAKER_01]: And that's often the case with, you know, moving to the cloud.

23:19.373 --> 23:25.280
[SPEAKER_02]: What are some of the issues with moving to the cloud work with the ATO process?

23:26.642 --> 23:32.189
[SPEAKER_01]: Well, one, you have to understand that whenever there's a major change in an ATO, you have to be reassessed for another ATO.

23:32.850 --> 23:33.811
[SPEAKER_01]: That's issue number one.

23:34.112 --> 23:38.197
[SPEAKER_01]: So in the process of moving to the cloud, you have to redo the entire ATO assessment.

23:38.297 --> 23:38.677
[SPEAKER_03]: You do.

23:39.218 --> 23:39.438
[SPEAKER_01]: Yes.

23:40.299 --> 23:41.601
[SPEAKER_03]: Oh, man.

23:41.581 --> 23:48.912
[SPEAKER_01]: There may be exception cases, but the general rule is you're going to have to do a full ATO.

23:48.932 --> 24:02.172
[SPEAKER_02]: So like, say if you're in a process of getting into the cloud and you have to get an ATO from the agency, do you mean that if some changes within that, say if you already got a process and got an ATO, you've got to redo it if something changes.

24:02.607 --> 24:04.049
[SPEAKER_01]: Yes, but think about it like this.

24:05.011 --> 24:09.137
[SPEAKER_01]: How much is actually changing when you migrate from on-prem to the cloud, everything?

24:09.798 --> 24:10.259
[SPEAKER_01]: Exactly.

24:10.519 --> 24:12.342
[SPEAKER_01]: The entire infrastructure is changing.

24:12.763 --> 24:14.706
[SPEAKER_01]: You're moving into a whole new house.

24:15.367 --> 24:21.115
[SPEAKER_01]: So when you're making that much of a significant change, most of the time, you're going to need a full-on ATO.

24:21.496 --> 24:28.146
[SPEAKER_01]: Because even within the RMF Knowledge Service, it says if there's a significant change to the system, there are two processes you can take.

24:28.166 --> 24:30.690
[SPEAKER_01]: You can take the change requests for things that are relatively small.

24:30.670 --> 24:34.456
[SPEAKER_01]: or you have to do a full ATO if it's a major change.

24:34.476 --> 24:34.796
[SPEAKER_02]: Yeah.

24:35.377 --> 24:35.758
[SPEAKER_01]: So yeah.

24:36.218 --> 24:36.799
[SPEAKER_02]: It's not a grief.

24:36.859 --> 24:51.381
[SPEAKER_02]: It's like a net-out thing about your A, you change a diagrams, you got to get the SRG, you know those STIGs, you've got to get, you've got to create a document, documentation, it's a B, you've got to get the ISCP, most programmers have those, so yeah, you're changing everything.

24:51.401 --> 24:55.767
[SPEAKER_02]: So I get what you were saying, like, everything has to change, any other issues or that's the main word?

24:55.747 --> 24:58.371
[SPEAKER_01]: I mean, that's the main one.

24:58.391 --> 25:00.154
[SPEAKER_01]: Of course, you're going to have to redo the entire process.

25:00.674 --> 25:03.959
[SPEAKER_02]: And then I know with with with programs, they kind of come at you.

25:03.979 --> 25:05.942
[SPEAKER_02]: Hey, we need to hurry up and move as soon as possible.

25:06.143 --> 25:06.403
[SPEAKER_01]: Yes.

25:06.784 --> 25:08.246
[SPEAKER_02]: And you're like, I can't do nothing for you.

25:08.386 --> 25:15.176
[SPEAKER_01]: There's often a sense of urgency when the part what needs to be done beforehand is it done and from being honest.

25:15.537 --> 25:21.566
[SPEAKER_02]: Well, like in the ATO process, like testing controls and review controls, like there are some controls that can be more difficult.

25:21.987 --> 25:23.509
[SPEAKER_02]: Yes, can can be examples.

25:24.434 --> 25:32.763
[SPEAKER_01]: Okay, there are network architecture controls that really depend on the only network architecture, obviously.

25:33.564 --> 25:36.687
[SPEAKER_01]: There's somewhere you have to assess for something that's no longer there.

25:36.928 --> 25:38.750
[SPEAKER_01]: So you have to find the next best thing.

25:39.390 --> 25:47.799
[SPEAKER_01]: There are some controls where you have to have a very good understanding of how the software works within the application, or if it's containerization, how it's orchestrated.

25:47.900 --> 25:48.861
[SPEAKER_01]: Containers are a beast.

25:48.921 --> 25:52.905
[SPEAKER_01]: Yes, like any microservices, serverless architecture,

25:52.885 --> 25:56.775
[SPEAKER_01]: Depending on how it's done, there could be a lot you have to assess for.

25:57.517 --> 25:57.818
[SPEAKER_02]: Yeah.

25:57.898 --> 25:58.219
[SPEAKER_01]: So yeah.

25:58.961 --> 25:59.242
[SPEAKER_02]: Okay.

25:59.924 --> 26:02.591
[SPEAKER_02]: So we're going to move forward to kind of like the trends.

26:02.611 --> 26:05.478
[SPEAKER_02]: And actually, let me go back to, well, now I had a couple more questions.

26:05.679 --> 26:07.283
[SPEAKER_02]: So how would somebody become a scar?

26:08.545 --> 26:09.286
[SPEAKER_01]: being isle.

26:09.928 --> 26:11.190
[SPEAKER_01]: That's the easiest way.

26:11.992 --> 26:16.821
[SPEAKER_01]: If you have access to it, the Navy Qualifier validation certification path.

26:17.362 --> 26:27.803
[SPEAKER_01]: To do that, you have to be in the Navy and be working as either an isle or validator for a Navy or DOD agency.

26:27.783 --> 26:38.536
[SPEAKER_01]: certifications, you know, basically it mirrors the stuff of the iso, you just have to have a bit more experience, and also there are two certifications that are outside of that path.

26:38.556 --> 26:53.233
[SPEAKER_01]: The CISA certified information systems auditor and the CGRC, I think it's called it might have been updated since I last checked, but those are the two that I would think of that are specific to what we do.

26:53.821 --> 27:00.762
[SPEAKER_02]: And is it worth becoming a score because I think people become a score without being a so, but is it worth being a score or is it, do you think it's a good job?

27:01.163 --> 27:01.905
[SPEAKER_01]: I mean, I like it.

27:02.327 --> 27:03.971
[SPEAKER_01]: It's, it pays well.

27:04.192 --> 27:06.479
[SPEAKER_01]: You're, I'd rather be on this side than the other side.

27:06.519 --> 27:08.505
[SPEAKER_02]: Yeah, doing it.

27:08.671 --> 27:09.472
[SPEAKER_01]: You learn more.

27:09.693 --> 27:11.796
[SPEAKER_01]: Oh yeah, yeah, you learn about everything.

27:13.219 --> 27:23.998
[SPEAKER_01]: There's a certain thoroughness that you have to have, and there's a certain level of pride I take in protecting the interests of the country and make sure stuff is secure for us.

27:24.238 --> 27:24.739
[SPEAKER_01]: You know what I mean?

27:25.175 --> 27:27.480
[SPEAKER_02]: That's great to have.

27:28.122 --> 27:31.730
[SPEAKER_02]: A lot of people always ask me to want to get into cybersecurity and they want to work in the space.

27:32.712 --> 27:34.275
[SPEAKER_02]: Originally, I was just going to do it for the money.

27:34.977 --> 27:37.342
[SPEAKER_02]: But after a while, that can't be the only motivation.

27:37.522 --> 27:38.024
[SPEAKER_01]: Exactly.

27:38.485 --> 27:43.656
[SPEAKER_01]: I mean, there's a lot of, well, that's a couple of things that make

27:43.636 --> 27:47.421
[SPEAKER_01]: cybersecurity, great, and make it horrible at the same time.

27:47.902 --> 27:50.906
[SPEAKER_01]: The first is that everything you need to know is accessible.

27:52.428 --> 28:03.504
[SPEAKER_01]: You can't learn to be a bartender unless you're a bartender, but with cybersecurity, everything you need to know you can do yourself and build a reputation for it and become competent, all by yourself.

28:04.105 --> 28:04.305
[SPEAKER_01]: Right?

28:04.565 --> 28:04.986
[SPEAKER_01]: Yeah?

28:04.966 --> 28:09.670
[SPEAKER_01]: The second is that the industry changes so fast to change it, right?

28:09.890 --> 28:18.679
[SPEAKER_01]: Every, I'd say if you work eight hours a day, you're going to have to put an hour and a half to two hours aside every day to make sure you stay relevant.

28:18.939 --> 28:23.663
[SPEAKER_01]: And the higher up you get, the more time you have to put in outside of the job to make sure you stay relevant.

28:23.683 --> 28:32.391
[SPEAKER_01]: Whether that's certification, whether that's conferences, learning new technologies, whether that's brushing up on your coding, whether that's actually configuring different, um,

28:32.371 --> 28:34.295
[SPEAKER_01]: systems, right?

28:35.258 --> 28:37.282
[SPEAKER_01]: So that's point number two.

28:37.643 --> 28:42.054
[SPEAKER_01]: And point number three, I compared to like learn a language, right?

28:42.394 --> 28:46.424
[SPEAKER_01]: When you first learn Spanish, for the first two years, you're not going to be able to speak with nobody.

28:47.145 --> 28:47.807
[SPEAKER_01]: It's even here.

28:47.847 --> 28:48.829
[SPEAKER_01]: It's going to sound fast.

28:48.869 --> 28:50.413
[SPEAKER_01]: You're just going to struggle.

28:50.393 --> 28:54.841
[SPEAKER_01]: But once you get to a point where it's like the dots are finally connecting, you have it.

28:55.041 --> 28:56.103
[SPEAKER_01]: It's like riding a bike.

28:56.183 --> 29:00.992
[SPEAKER_01]: It's like you can always recall it and you can always understand it at its basis level.

29:02.294 --> 29:07.103
[SPEAKER_01]: So I think so, but they have to be willing to put in the time to get to that point.

29:07.370 --> 29:11.715
[SPEAKER_02]: Yeah, it's just the time, like, even me, I've worked eight hours a day.

29:11.915 --> 29:14.258
[SPEAKER_02]: You know, we got to deal with all that, learn all that knowledge.

29:14.579 --> 29:20.246
[SPEAKER_02]: Then I got to put in another three to four hours in the business, just understanding what people want to hear, technology.

29:20.606 --> 29:21.887
[SPEAKER_02]: And I got to do another joy.

29:21.968 --> 29:26.113
[SPEAKER_02]: I mean, another, sometimes I teach, you know, teach stuff on RMF.

29:26.193 --> 29:29.817
[SPEAKER_02]: And then that, so at some point, you can get burnt out to an end job, too, you know?

29:29.797 --> 29:43.885
[SPEAKER_01]: you can, you have to remind yourself of why you're doing it on a regular basis, whether it's daily or weekly, you have to thank God for giving you the grace to understand it and to keep going the way you do, right?

29:44.687 --> 29:50.218
[SPEAKER_01]: And you just have to be humble and find what you love about it, just like just like anything you do, right?

29:50.198 --> 30:05.709
[SPEAKER_02]: Yeah, yeah, 100%. Like, you just got to find some love, and that's why I do my, I take pride in just knowing that the system's secure, knowing that I'm taking a job seriously, and that's what makes me go to sleep at night. Yeah, so like with scar, like how much money can you make? Like what's the range?

30:06.150 --> 30:09.577
[SPEAKER_02]: Did I know like we get to that level that's kind of a high tier job at that point?

30:10.218 --> 30:11.661
[SPEAKER_02]: So what you can make doing that job?

30:11.881 --> 30:12.342
[SPEAKER_01]: I mean

30:13.925 --> 30:21.097
[SPEAKER_01]: From what I've seen, I think the range can be anywhere from about 120 to about 220.

30:21.117 --> 30:21.518
[SPEAKER_02]: Is that all right?

30:21.538 --> 30:22.760
[SPEAKER_02]: Let's about two, Simon.

30:22.780 --> 30:30.512
[SPEAKER_01]: Yeah, you can make it that high, especially once you get to from the individual contributor to officially established in a management role.

30:31.774 --> 30:35.781
[SPEAKER_01]: So that can make a, yeah, you can make a pretty good amount.

30:36.132 --> 30:57.212
[SPEAKER_01]: You mean you'd like CISSP to do that job, right? Well, just like with the ISO, right, you have to be either IAT or IAM certified, level 3, level 2, depending on the role, right? So CISSP is a good, is a good starting point to get to that higher level. It's not a starting point starting point, but yeah, it would definitely help, and in some cases you need it.

30:57.614 --> 31:01.721
[SPEAKER_02]: There you need it, just the management, you kind of imagine at that point.

31:02.222 --> 31:04.626
[SPEAKER_02]: So, on our close to it, something, yeah.

31:04.706 --> 31:07.411
[SPEAKER_02]: You don't have to deal with some people, so you gotta need those skills.

31:07.772 --> 31:09.214
[SPEAKER_01]: Exactly, yeah, for sure.

31:09.635 --> 31:11.939
[SPEAKER_01]: And also, it helps you put stuff in perspective, right?

31:12.500 --> 31:18.711
[SPEAKER_01]: Because when you go from an individual contributor and you're just doing the work, you're only responsible for yourself, and then you're leading people.

31:18.978 --> 31:23.063
[SPEAKER_01]: what you do doesn't really matter in a way, right?

31:23.323 --> 31:25.306
[SPEAKER_01]: Your individual contribution doesn't matter.

31:25.326 --> 31:26.507
[SPEAKER_02]: You don't matter, though.

31:26.527 --> 31:27.028
[SPEAKER_01]: Right.

31:27.048 --> 31:36.399
[SPEAKER_01]: So it's like transferring from that to motivating, inspiring, helping, supporting people, guiding them, pushing them when even they don't think they can do something.

31:37.600 --> 31:39.343
[SPEAKER_01]: It's once again, it's a blessing.

31:40.043 --> 31:42.106
[SPEAKER_01]: It's a burden and a blessing.

31:42.546 --> 31:44.749
[SPEAKER_01]: It's to be a leader in any avenue.

31:45.050 --> 31:47.913
[SPEAKER_02]: Yeah, the interleaders, not an easy job.

31:48.614 --> 31:48.914
[SPEAKER_01]: It's not.

31:49.115 --> 31:50.416
[SPEAKER_02]: It's not.

31:50.536 --> 31:57.044
[SPEAKER_02]: So we're going to sort of, the RMF trends now to kind of, keep people in mind was coming up.

31:57.524 --> 32:00.347
[SPEAKER_02]: So I know we talked about it briefly, like kind of like SBOMs.

32:00.367 --> 32:03.050
[SPEAKER_02]: You know, each eMASS is starting to take SBOMs now.

32:03.431 --> 32:06.835
[SPEAKER_02]: We're just kind of like the inventory tracker with software.

32:07.135 --> 32:07.736
[SPEAKER_01]: Yep.

32:07.756 --> 32:08.897
[SPEAKER_01]: Software bill of materials.

32:08.995 --> 32:10.537
[SPEAKER_02]: Do you think that's a new trend that's coming?

32:10.877 --> 32:15.663
[SPEAKER_02]: Yeah, or explain what you think is going to happen with that?

32:16.684 --> 32:22.351
[SPEAKER_01]: I think that the industry is going to be changing a lot over the next, I'd say about five years.

32:22.891 --> 32:23.472
[SPEAKER_02]: Probably, yeah.

32:23.732 --> 32:28.919
[SPEAKER_01]: I think mainly what I would be referencing for this is the SWFT initiative.

32:29.019 --> 32:29.920
[SPEAKER_02]: Yeah, I know about SWFT.

32:30.040 --> 32:30.801
[SPEAKER_02]: Go ahead and talk about that.

32:30.821 --> 32:31.462
[SPEAKER_02]: Go ahead.

32:31.482 --> 32:37.669
[SPEAKER_01]: It's S-W-F-T, Software Fast Track initiative,

32:37.970 --> 32:45.342
[SPEAKER_01]: But basically, it's a request for information with us saying, okay, we have four things that we're looking for.

32:45.603 --> 32:46.784
[SPEAKER_01]: We're trying to implement AI.

32:47.025 --> 32:48.688
[SPEAKER_01]: We're revamping the RMF process.

32:49.128 --> 32:52.334
[SPEAKER_01]: We are, those are two I can remember right now.

32:52.754 --> 32:58.343
[SPEAKER_02]: So it's just, it's kind of, SWFT is kind of like, like kind of like the software side.

32:58.404 --> 33:02.410
[SPEAKER_02]: It's more on the software fast track on the software to get it ATO compliance.

33:02.430 --> 33:04.213
[SPEAKER_01]: It's the software truth.

33:06.387 --> 33:12.453
[SPEAKER_01]: it's more so that it's a new process that's coming out to automate and make the RMF process more efficient.

33:13.354 --> 33:19.201
[SPEAKER_01]: And I think the new framework or the construct that came out, just came out, is also a sign of that.

33:19.621 --> 33:28.351
[SPEAKER_02]: Yeah, and this and what that happening, that means a lot of our jobs, I don't know about your job, but I know for it, so you can kind of take out our job of that.

33:28.691 --> 33:34.437
[SPEAKER_02]: I don't in a way, or monitor, you're going to learn how to to get all the get your picture

33:34.687 --> 33:37.890
[SPEAKER_01]: I'll say it like this, you're gonna have to be more technical.

33:38.631 --> 33:40.813
[SPEAKER_01]: I think that's the biggest impact of this, right?

33:41.193 --> 33:46.038
[SPEAKER_01]: Because in GRC, you can be a checklist guy, right?

33:46.158 --> 33:51.283
[SPEAKER_01]: You can look at the paperwork, you can do line by line and say, okay, this is compliant and this is not compliant.

33:51.604 --> 33:54.046
[SPEAKER_01]: You can solely do documentation, right?

33:54.667 --> 34:00.913
[SPEAKER_01]: But I think the movement from SWFT, which emphasizes AI automation,

34:00.893 --> 34:25.365
[SPEAKER_02]: and the new construct I think between the two of those it's going to be a lot of movement towards okay you got to be technical and GRC because a friend said a show AJ on I was sitting there I was reading his book about GRC engineering I kind of showed you something what a government is kind of moving towards that yeah you got to learn DevOps at this point you got to be a DevOps your GRC has become a DevOps position so

34:25.548 --> 34:40.705
[SPEAKER_01]: Yeah, for sure, because the way the SBOM goes, basically there's going to be software factories or software pathways that are being implemented as opposed to entire systems being built up, or at least I think that's the direction that's going in.

34:40.685 --> 34:42.247
[SPEAKER_01]: that's my interpretation of it.

34:42.968 --> 34:51.561
[SPEAKER_01]: And with that said, it's more so that the focus is going to be on continuous monitoring and making sure you're only using stuff from the SBOM.

34:52.343 --> 34:54.826
[SPEAKER_01]: So if you do that, what's left to do?

34:55.307 --> 35:08.447
[SPEAKER_01]: Well, you have to look at the actual software itself, you have to look at the actual processes for assessing the software, you have to look at the pipeline, and that goes in DevSecOps, and that kind of pairs very well with the movement to the cloud, right?

35:08.782 --> 35:13.949
[SPEAKER_02]: So what you're saying is if we do if you in the next five years, you know, government slowly be 10.

35:14.389 --> 35:18.395
[SPEAKER_02]: Oh, yeah If you don't learn these skills, you're basically going to be out of job.

35:20.017 --> 35:21.419
[SPEAKER_01]: What you saying?

35:21.559 --> 35:24.903
[SPEAKER_01]: Or, or the best way to stay competitive would be to learn those skills.

35:25.804 --> 35:26.525
[SPEAKER_01]: I'll say like that.

35:26.986 --> 35:34.536
[SPEAKER_01]: I'm hesitant to say anybody's going to be out of the job. I hope that's not the case. But I just try to prepare for reality, you know.

35:34.617 --> 35:54.567
[SPEAKER_02]: It's the reality, because even I was looking at an AJ on, I know I keep represented him and I hear this book out, and somebody actually got a job in GRC engineering recently, which is basically DevOps, and is like, as the new move, they're hiring for that, or you can already have people listen to cloud engineering, they'll take your job because they already know that they can all they gotta do is they're gonna play it, and it complies is not hard to learn.

35:55.053 --> 35:55.434
[SPEAKER_02]: Hmm.

35:55.454 --> 35:55.955
[SPEAKER_02]: You don't think so?

35:56.477 --> 35:57.119
[SPEAKER_01]: No, compliant.

35:57.339 --> 36:03.998
[SPEAKER_02]: I say it take at least a year to just learn compliance, like I, you know, I mean, I say really CC SRG.

36:04.339 --> 36:04.599
[SPEAKER_01]: Okay.

36:04.619 --> 36:07.888
[SPEAKER_01]: Try to learn that for six months and come back and just try to learn it on your own.

36:08.289 --> 36:10.716
[SPEAKER_01]: It can get very convoluted complex, right?

36:10.696 --> 36:28.924
[SPEAKER_01]: Like GRC is a business position, you're a business analyst at that point, because you're looking at the compliance requirements, and then at the next level, you're going to be looking at technical and you're going to be looking at, okay, how can I make this work under these specific scenarios and you have to apply it effectively?

36:29.505 --> 36:32.890
[SPEAKER_01]: That's actually a lot harder than I think people will be regretted for.

36:33.055 --> 36:54.270
[SPEAKER_01]: So let's say if you don't want to attack no will was another option we will go it kind of manager I mean even if you're a manager you have to understand the system that you manager I agree with some don't you know I mean some not wrong but I'd be that was advocate yeah you're not wrong some don't but I think between the direction that GRC is moving in

36:54.537 --> 36:59.341
[SPEAKER_01]: Even before this direction was being moved in, right?

36:59.682 --> 37:03.825
[SPEAKER_01]: If you don't understand the system that you're responsible for and you're managing, it's going to show.

37:04.806 --> 37:15.456
[SPEAKER_01]: That's not going to reflect well on you, the agency or organization you're working in, and also that can lead to mistakes that can cost money and security.

37:16.096 --> 37:17.738
[SPEAKER_01]: The security of our country.

37:18.258 --> 37:18.518
[SPEAKER_01]: Yeah.

37:18.759 --> 37:22.502
[SPEAKER_01]: So I think I don't think that's a good place to be.

37:23.444 --> 37:26.389
[SPEAKER_02]: Do you think the government space is a good space right now?

37:26.569 --> 37:29.493
[SPEAKER_02]: Based off on that, yeah, yeah, yeah, still a good space.

37:30.375 --> 37:31.737
[SPEAKER_01]: Relatively speaking, yes.

37:32.358 --> 37:35.603
[SPEAKER_01]: I think I've been blessed to be secure in the position that I'm in.

37:36.604 --> 37:44.236
[SPEAKER_01]: So, but I've also seen a lot of people more skilled, the more experienced than me, losing their roles and having a hard time getting a new job.

37:45.078 --> 37:48.523
[SPEAKER_01]: So, I can't, I have to say yes considering that.

37:49.111 --> 37:50.052
[SPEAKER_02]: That's smart answer.

37:50.333 --> 37:52.796
[SPEAKER_01]: That's a tech is a tough industry.

37:52.816 --> 37:58.484
[SPEAKER_02]: Yeah, it's a tough, because I've seen people with, I'm talking about some street killers, and they can't get a job right now.

37:58.664 --> 38:00.226
[SPEAKER_00]: Yeah, it's brutal.

38:00.246 --> 38:01.448
[SPEAKER_02]: And I don't know what's going on.

38:01.468 --> 38:03.391
[SPEAKER_02]: I'm like, is it because of the industry?

38:03.551 --> 38:07.997
[SPEAKER_02]: Or is it because, because like now it's not even a battle plan for Joe, you got to know somebody at this point.

38:08.129 --> 38:11.915
[SPEAKER_01]: Yeah, I mean, I'll say it like, it's kind of like a tech bubble, right?

38:12.015 --> 38:22.190
[SPEAKER_01]: No, the housing crisis in 2008, it's a tech bubble, you have AI coming in where the perspective at least is that the average worker can be replaced.

38:22.230 --> 38:23.872
[SPEAKER_01]: But I don't think that's necessarily the case.

38:23.993 --> 38:28.059
[SPEAKER_01]: It's more so that AI is an amplifier, right?

38:28.119 --> 38:33.647
[SPEAKER_01]: So if you have one or two high performing people that really know the process and understand what they're doing,

38:33.627 --> 38:42.137
[SPEAKER_01]: Giving them a tool an AI tool can make it to where they can do the work of six to ten average people So I think I get some more money though.

38:42.157 --> 38:45.440
[SPEAKER_02]: I'm don't take out the job Exactly, and that's the way you talk about scars.

38:45.480 --> 38:53.890
[SPEAKER_01]: I'll be working like what like ten 12 sometimes ten programs are the same to Yeah, I mean But we have a good a good program.

38:53.910 --> 38:59.196
[SPEAKER_01]: We'll have a support system to make sure you're good to go But yeah, it can be a lot for sure

38:59.176 --> 39:00.057
[SPEAKER_01]: But it's fun.

39:00.557 --> 39:15.714
[SPEAKER_02]: Honestly, what do you think about zero trust? Is that a new thing? Because, you know, zero trust's not really a thing. Like, it's obvious you're gonna put, you know, as much countermeasures. But it's not really a software, it's kind of like, it's a word. It's a word, to be honest with you.

39:16.094 --> 39:29.048
[SPEAKER_01]: I've been to so many conferences and they say zero trust and I'm like I think stuff can be a buzzword when The understanding across the board isn't there right zero trust is

39:29.770 --> 39:32.373
[SPEAKER_01]: My bad, you can't even come from here.

39:32.393 --> 39:35.817
[SPEAKER_01]: Yeah, no, I agree with you, but let's start the I agree with you.

39:36.217 --> 39:39.781
[SPEAKER_01]: But I'm saying a lot of people who are on these conferences just like blockchain.

39:40.341 --> 39:41.943
[SPEAKER_01]: Let's compare to blockchain, right?

39:42.043 --> 39:50.072
[SPEAKER_01]: When blockchain came out, the people that have a good solid understanding of cryptography looked at it and said, oh, we already know what this is.

39:50.472 --> 39:53.736
[SPEAKER_01]: It's just being implemented in a different environment in a new way.

39:54.205 --> 40:06.524
[SPEAKER_01]: right, so you have that baseline understanding, but for people in tech that that haven't haven't gotten that understanding of cryptography yet, that's literally blockchain is a new word.

40:07.326 --> 40:07.446
[SPEAKER_01]: Right.

40:08.087 --> 40:12.113
[SPEAKER_01]: So it's kind of the same way, with zero trust.

40:12.093 --> 40:18.085
[SPEAKER_01]: It really boils down to best practices that have already been established, but we kind of strayed away from my perspective.

40:18.185 --> 40:18.466
[SPEAKER_02]: Yeah.

40:19.027 --> 40:22.333
[SPEAKER_02]: This is basically a crystal clear target for you, and I did it in my master's program.

40:22.414 --> 40:27.604
[SPEAKER_02]: It's just encryption, you know, well, a little bit more than what you're going to say.

40:27.584 --> 40:29.346
[SPEAKER_01]: It's just a thought process.

40:29.386 --> 40:31.049
[SPEAKER_01]: It's a little bit of everything applied well.

40:31.549 --> 40:38.259
[SPEAKER_01]: It's a process thing where you make sure, okay, what processes do we have to ensure that we trust the individuals that we have?

40:38.739 --> 40:38.940
[SPEAKER_01]: Right?

40:40.462 --> 40:41.884
[SPEAKER_01]: It can be technology.

40:41.964 --> 40:44.828
[SPEAKER_01]: It can be like a T-point cryptography, right?

40:45.188 --> 40:48.433
[SPEAKER_01]: Okay, how often do we re-issue the keys?

40:48.533 --> 40:54.801
[SPEAKER_01]: Do re-issue keys after every 60 seconds to where that's the grill, zero trust, right?

40:54.882 --> 40:57.405
[SPEAKER_01]: Because 60 seconds is a very short time.

40:58.651 --> 41:00.443
[SPEAKER_01]: But you've got to think about the overhead.

41:00.463 --> 41:02.637
[SPEAKER_01]: I'm just using that as an example.

41:03.528 --> 41:07.534
[SPEAKER_01]: That's or it can be identity and access management.

41:07.834 --> 41:16.406
[SPEAKER_01]: You might be using an IdP, an identity provider, where you're saying, okay, this is a single sign-on, this third party is that managing, we're just going to let them do their thing.

41:16.747 --> 41:19.691
[SPEAKER_01]: We're going to tell them what requirements we want to meet and they're good to go.

41:20.452 --> 41:26.661
[SPEAKER_01]: So it really, zero trust is, a lot, is an inch deep in a lot of different areas.

41:27.182 --> 41:27.863
[SPEAKER_01]: I'll say like that.

41:27.903 --> 41:32.910
[SPEAKER_02]: Yeah, so just just hear about it, but it's not really,

41:33.430 --> 41:36.834
[SPEAKER_02]: learning technical skills is probably going to get you the best where you need to go.

41:36.854 --> 41:41.240
[SPEAKER_01]: Learning technical skills and knowing how to apply them.

41:41.961 --> 41:42.401
[SPEAKER_01]: Okay.

41:42.421 --> 41:44.304
[SPEAKER_01]: I think the application is what's important.

41:45.205 --> 41:56.179
[SPEAKER_01]: And then I think also people often get their head in the books so to speak to where even in their role they're just working within their individual scope.

41:56.780 --> 42:02.627
[SPEAKER_01]: You have to understand how to apply in the broad scheme of things, right?

42:02.607 --> 42:13.191
[SPEAKER_01]: But if that's not a major stopper or if that's it's identified as high risk, but the application of the system means that it's not a high risk you have to be able to identify that right.

42:13.778 --> 42:20.807
[SPEAKER_02]: Yeah, and just read, like I remember one time I was working on something and it was a, it was a category as a CAT II, but really it was a CAT I.

42:21.007 --> 42:23.351
[SPEAKER_02]: It was sent information to Microsoft.

42:23.371 --> 42:26.795
[SPEAKER_02]: I'm like, this is a CAT I, man, and just reading it as an exact.

42:27.176 --> 42:28.597
[SPEAKER_01]: That's straight up count point man.

42:28.838 --> 42:30.480
[SPEAKER_01]: That's something leaving your ATO bounds.

42:30.520 --> 42:34.205
[SPEAKER_01]: You got data that that's managed by the government going to a different organization.

42:34.365 --> 42:35.687
[SPEAKER_01]: You're not even privy to you.

42:35.707 --> 42:36.528
[SPEAKER_01]: How they manage it.

42:36.548 --> 42:37.850
[SPEAKER_01]: Did you hear what I said?

42:38.150 --> 42:38.250
[UNKNOWN]: Yeah.

42:38.838 --> 42:45.524
[SPEAKER_01]: So that, and that's where the understanding of the technology and understanding the application and the meaning of the stuff comes into play.

42:45.664 --> 42:48.046
[SPEAKER_01]: That's where you can't be, you can't be a checklist person.

42:49.387 --> 42:49.527
[SPEAKER_00]: Yeah.

42:49.547 --> 42:54.191
[SPEAKER_01]: That's one thing also that you cannot be a checklist person, you definitely will not survive over the next few years.

42:54.772 --> 42:55.232
[SPEAKER_02]: Yeah.

42:55.252 --> 42:55.973
[SPEAKER_02]: Keep that in mind.

42:55.993 --> 42:56.614
[SPEAKER_02]: Everybody.

42:57.034 --> 42:58.495
[SPEAKER_02]: GRC is not checklists.

42:59.116 --> 43:04.861
[SPEAKER_02]: Make sure you become more technical, whenever we view a technical, because, you know, even they say a scar is not technical, but really it is.

43:05.581 --> 43:08.524
[SPEAKER_02]: Is those, that's how they go.

43:10.833 --> 43:14.978
[SPEAKER_01]: I can see how an ISO doesn't require to be technical.

43:15.539 --> 43:17.141
[SPEAKER_01]: I think a better word is hands-on.

43:17.201 --> 43:18.142
[SPEAKER_01]: Hands-on.

43:18.162 --> 43:19.604
[SPEAKER_01]: I think a better word is hands-on.

43:19.784 --> 43:21.146
[SPEAKER_01]: You have to understand the technology.

43:21.166 --> 43:23.449
[SPEAKER_01]: You have to be able to call people out when stuff isn't configured, right?

43:24.070 --> 43:26.533
[SPEAKER_01]: But you don't have to be hands-on and configure it yourself.

43:26.853 --> 43:27.133
[SPEAKER_02]: Yeah.

43:27.955 --> 43:28.675
[SPEAKER_02]: That's a good word.

43:28.715 --> 43:29.236
[SPEAKER_02]: I'm a student.

43:29.476 --> 43:31.038
[SPEAKER_02]: Yeah.

43:31.058 --> 43:32.460
[SPEAKER_02]: So we're getting towards the end.

43:32.620 --> 43:35.524
[SPEAKER_02]: Just keep sure to be honest, where they can find you at.

43:36.297 --> 43:37.419
[SPEAKER_01]: Oh, I'm on LinkedIn.

43:37.699 --> 43:39.482
[SPEAKER_01]: Just look up my name, Dominic Richardson.

43:40.183 --> 43:42.987
[SPEAKER_01]: And yeah, I mean, I don't really have a personal brand.

43:43.007 --> 43:44.189
[SPEAKER_01]: I'm just looking to build a community.

43:44.329 --> 43:46.332
[SPEAKER_02]: Well, you got a brand, and you're starting here.

43:46.893 --> 43:47.474
[SPEAKER_01]: I love it.

43:47.514 --> 43:49.357
[SPEAKER_01]: Starting here, first podcast.

43:49.377 --> 43:49.798
[SPEAKER_02]: Yeah.

43:50.138 --> 43:53.483
[SPEAKER_02]: OK, so what is one thing you want to leave the audience with?

43:53.744 --> 43:56.768
[SPEAKER_02]: A statement, a quote, something that you want to leave the audience with, did I?

43:58.491 --> 43:59.572
[SPEAKER_02]: Something you want to, anything.

43:59.592 --> 44:01.275
[SPEAKER_02]: It can be anything.

44:03.128 --> 44:05.811
[SPEAKER_01]: If you do the work, success will come.

44:06.152 --> 44:07.454
[SPEAKER_01]: Opportunity looks like hard work.

44:07.474 --> 44:08.355
[SPEAKER_01]: Do the hard work.

44:08.895 --> 44:11.599
[SPEAKER_01]: Understand how you fit in and you will be successful.

44:12.300 --> 44:13.341
[SPEAKER_01]: But you got to do the work first.

44:14.903 --> 44:15.504
[SPEAKER_01]: It's all good it takes.

44:15.944 --> 44:20.230
[SPEAKER_02]: Yeah, sacrifice some, you know, like to get to that point.

44:20.310 --> 44:22.052
[SPEAKER_01]: Oh, and of course, leave it to God.

44:22.553 --> 44:23.214
[SPEAKER_01]: Yeah.

44:23.234 --> 44:24.015
[SPEAKER_01]: That's the biggest thing.

44:24.676 --> 44:26.338
[SPEAKER_02]: Leave it to God.

44:26.358 --> 44:27.199
[SPEAKER_02]: Yeah, that's a good one too.

44:28.340 --> 44:31.144
[SPEAKER_02]: Okay, and then what are your goals within the next five years?

44:33.740 --> 45:00.470
[SPEAKER_01]: I would say community building a community being more involved in the community making sure I give back Christianity, deepening my faith in God, it's something I've gotten back to and contentment because I mean, I've worked hard to get here, but I've realized a lot of my upbringing came from a bit of, came from a lot of struggle and I realized a lot of what I learned in that process.

45:00.530 --> 45:01.671
[SPEAKER_01]: I have to unlearn now.

45:01.651 --> 45:09.024
[SPEAKER_01]: And that's been very hard, like, for example, I took my first vacation in 10 years, like, what are you doing?

45:09.104 --> 45:11.067
[SPEAKER_02]: There you must be hard, damn lot of dough.

45:11.408 --> 45:12.530
[SPEAKER_01]: What do you know?

45:12.610 --> 45:14.072
[SPEAKER_01]: I went to Barbados.

45:14.433 --> 45:15.154
[SPEAKER_02]: Oh, okay, right.

45:15.174 --> 45:15.955
[SPEAKER_01]: That's what I want.

45:15.976 --> 45:19.842
[SPEAKER_01]: Went on a cruise, went to Bimini, went to, um, where else did we go.

45:20.483 --> 45:23.288
[SPEAKER_01]: Turks and Caicos, swam in the ocean, it was nice.

45:23.605 --> 45:24.286
[SPEAKER_02]: I ain't swimming.

45:24.747 --> 45:26.469
[SPEAKER_02]: Do you know what I'm playing, man?

45:26.489 --> 45:27.411
[SPEAKER_01]: I hate calling it.

45:27.431 --> 45:30.235
[SPEAKER_01]: Hey, I mean, it was, it was nice.

45:30.976 --> 45:32.298
[SPEAKER_01]: You got to, man, swimming is great.

45:32.838 --> 45:33.800
[SPEAKER_02]: We ought to swim.

45:33.820 --> 45:34.781
[SPEAKER_02]: I got to learn how to swim.

45:35.142 --> 45:35.502
[SPEAKER_01]: Oh, yeah.

45:35.522 --> 45:38.387
[SPEAKER_01]: Yeah, it's definitely learned, but it's, it's an experience, man.

45:38.867 --> 45:39.708
[SPEAKER_02]: I'm happy for you.

45:39.749 --> 45:40.770
[SPEAKER_02]: I'm glad to see you all.

45:41.172 --> 45:57.223
[SPEAKER_02]: That's, that's good, man, and I'm glad you can tell me because you know in our space, and I've been made aware that people that's like tech people like me is always like we got to get more, we got to get more. Sometimes you got to just sit back and just, this is what you do, this is what you, this is who you really are.

45:57.558 --> 45:59.300
[SPEAKER_01]: Yeah, and that's being honest.

45:59.320 --> 46:00.922
[SPEAKER_01]: That's something I've really struggled with, right?

46:01.163 --> 46:09.053
[SPEAKER_01]: Because when you come from so little, when you come from where you struggle to get what you have, all you know is that fight to get more.

46:09.834 --> 46:12.577
[SPEAKER_01]: And I think that's hindered me in a lot of ways.

46:13.619 --> 46:17.103
[SPEAKER_01]: I think that's prevented me from being able to give back to the community the way I want to.

46:17.684 --> 46:19.586
[SPEAKER_01]: And I think that's something I need to change about myself.

46:20.387 --> 46:22.570
[SPEAKER_01]: So that's what I'm working on for the next five years.

46:23.005 --> 46:33.811
[SPEAKER_02]: I appreciate you, you know, coming to give this knowledge to the people, giving back, and I appreciate you being vulnerable and explaining some of the things that you've been through and where you're going.

46:33.932 --> 46:34.774
[SPEAKER_02]: I'm happy for you.

46:34.794 --> 46:35.014
[SPEAKER_02]: Come on.

46:35.034 --> 46:35.616
[SPEAKER_02]: Thank you, Dominic.

46:35.636 --> 46:36.137
[SPEAKER_02]: We're coming on.

46:36.353 --> 46:39.558
[SPEAKER_01]: Sure, thank you for inviting me, no problem.

46:39.578 --> 46:48.931
[SPEAKER_02]: So, if anybody watching the podcast, remember like the video, share the video, comment down below, subscribe to the channel, go on to TechWorldPocans.com website.

46:49.693 --> 46:54.540
[SPEAKER_02]: Check out our mythicalcantamine.io and remember everybody, get 1% better every day.

46:54.980 --> 46:56.843
[SPEAKER_02]: Peace out, I'll see you on next one.

