Andy Ellis
Podcast Appearances
I think that being the default state of the world is a reasonable assumption to start from.
Because if the metric is good, you should be able to figure out why it says it's good.
Right.
This is one of the things I often tell CISOs when they're like, we try to go talk to the board and we don't know what they want to hear.
I'm like, only the CRO has metrics that anybody believes because at the end of the day, cash in bank is the only metric that matters.
Everything else is you're trying to tell a story.
And if you have the controls, you know, it's a good story.
If you don't have the controls, it's just a story.
So I just want to just point out that when passwords were first introduced, they were a great system because they were designed to let you get close enough to the Roman camp for the guards to spot you and figure out who you were.
That's all that passwords were meant for was to be like, you're coming up.
What do you mean the Roman camp?
A password was literally, like, the word that you would give out to your scouts and hunters.
Oh, right.
What you would say to them.
Yes.
And this is the word of the day.
So when they were coming back in, they'd be like, hey, the password is whatever.
And you didn't shoot them right away.
You, like, let them get close enough and then you would validate a little more.
So that was fine 2,000 years ago.