Andy Ellis
Podcast Appearances
Right.
And so we talk about some of the things that companies get wrong.
You have to be continual on your patching.
You have to be wholesome.
You can't have these scotomas and these dark areas that you just say, oh, those are the systems we don't patch.
Right.
Or those are the production systems we're scared of touching.
So.
Ross mentioned IAM hygiene, but it goes more than just the MFA and all the controls.
We talked about cleanup.
So is it worse?
You've got potentially tens of thousands of stale accounts.
You've got service accounts you don't know what they are.
You've got overprivileged accounts that you should be running BloodHound on.
These are all, to me, all the hygiene basics and things, especially as a CISO coming new into a company.
You need to be finding all these skeletons, all these end of life.
Where's the end of life?
And my favorite thing to do on that example, and I'm wondering if Andy has done this, find all of your end of life and your legacy and don't steal that budget.
Get the budget for IT for them to go replace those and upgrade those.
That is the best security budget you can spend is reducing risk when it's not part of your budget.