CMMC, HIPAA, Insurance, and the Future of Security Standards with Craig Petronella
Business of Tech: Daily 10-Minute IT Services InsightsOctober 06, 2024

Host Dave Sobel welcomes Craig Petronella, founder of Petronella Technology Group, to discuss the evolving landscape of technology compliance and cybersecurity. With a focus on the Cybersecurity Maturity Model Certification (CMMC), Craig highlights its significance for defense industrial base contractors and its potential to streamline compliance across various industries. He emphasizes that while regulations like HIPAA and FTC compliance exist, they often lack a consistent framework, leading to confusion and non-compliance among businesses.

Craig shares his insights on the current state of compliance, noting that many organizations, including those in healthcare, are not adequately meeting regulatory standards. He points out that the CMMC introduces a more rigorous approach, requiring third-party validation for compliance, which could help address the shortcomings of existing frameworks. This shift towards a proof-based model aims to ensure that businesses cannot simply check boxes to claim compliance but must provide evidence of their adherence to security controls.

The conversation also delves into the challenges of enforcement and accountability in compliance. Craig argues that without significant consequences for non-compliance, such as losing the ability to operate in certain sectors, many organizations will continue to neglect their security responsibilities. He draws parallels to the driving test analogy, suggesting that just as individuals must demonstrate their driving skills to obtain a license, businesses should be held to similar standards in cybersecurity.

Finally, Craig discusses the role of cybersecurity insurance in driving compliance. He explains how insurance companies are increasingly requiring businesses to implement basic security measures, such as multi-factor authentication, to qualify for coverage. This trend reflects a broader movement towards a "don't trust, verify" model, where organizations must take proactive steps to secure their systems. The episode concludes with Craig advocating for a future where AI and third-party validation play crucial roles in ensuring software security and compliance across industries.

Supported by: https://www.huntress.com/mspradio/

[00:00:02] [SPEAKER_01]: Well, we love use cases, but we love hearing from people in the field delivering solutions.

[00:00:07] [SPEAKER_01]: Craig Petronella has run Petronella Technology Group and focuses on technology compliance and

[00:00:14] [SPEAKER_01]: cybersecurity, positioning himself as an MSSP.

[00:00:18] [SPEAKER_01]: He joins me today on this bonus episode of the Business of Tech.

[00:00:23] [SPEAKER_01]: With as many breaches and security concerns as I report in this show, it should be obvious

[00:00:28] [SPEAKER_01]: that cybersecurity is not just about technology, but also the human expertise needed to interpret

[00:00:34] [SPEAKER_01]: and respond to complex threats.

[00:00:37] [SPEAKER_01]: Huntress is focused on elevating SMBs and MSPs around the world.

[00:00:42] [SPEAKER_01]: Huntress has a suite of fully managed cybersecurity solutions powered by a 24x7 human-led SOC,

[00:00:49] [SPEAKER_01]: dedicated to continuous monitoring, expert investigation, and rapid response.

[00:00:54] [SPEAKER_01]: And the proof is the execution.

[00:00:57] [SPEAKER_01]: Huntress is the number one rated EDR for SMBs on G2.

[00:01:02] [SPEAKER_01]: Want to know more about the platform?

[00:01:04] [SPEAKER_01]: Visit huntress.com slash MSP radio to learn more.

[00:01:10] [SPEAKER_01]: Well, Craig, thanks for joining me today.

[00:01:13] [SPEAKER_01]: Thank you for having me.

[00:01:14] [SPEAKER_01]: Now I was super excited to talk to you because you're out in the field working with customers

[00:01:19] [SPEAKER_01]: and helping them with compliance solutions, making sure that they are achieving regulatory

[00:01:24] [SPEAKER_01]: compliance.

[00:01:25] [SPEAKER_01]: Give me a sense of your view of the current kind of compliance landscape and we'll skew

[00:01:31] [SPEAKER_01]: US right now to limit that conversation a little bit.

[00:01:36] [SPEAKER_00]: Sure.

[00:01:37] [SPEAKER_00]: The latest compliance regulation is called the Cybersecurity Maturity Model Certification

[00:01:41] [SPEAKER_00]: or the CMMC.

[00:01:44] [SPEAKER_00]: And that's mainly for defense industrial base or DIB contractors.

[00:01:49] [SPEAKER_00]: Those that do business typically for a federal contract with the DOD or the government.

[00:01:55] [SPEAKER_00]: There are some other types of businesses that get kind of roped into that compliance, but

[00:02:00] [SPEAKER_00]: that's really our latest regulatory compliance standard.

[00:02:04] [SPEAKER_00]: Of course you've probably heard of HIPAA compliance for medical practices, which is

[00:02:08] [SPEAKER_00]: still a standard that was enacted in 1996 by Bill Clinton.

[00:02:13] [SPEAKER_00]: But it's dated.

[00:02:14] [SPEAKER_00]: 1996 is a long time, right?

[00:02:17] [SPEAKER_00]: A long time ago.

[00:02:18] [SPEAKER_00]: So CMMC is kind of the latest in compliance.

[00:02:21] [SPEAKER_00]: And then you've probably heard of FTC compliance, ADA compliance, fill in the blank.

[00:02:26] [SPEAKER_00]: But the problem in my opinion with a lot of these compliance regulatory frameworks

[00:02:31] [SPEAKER_00]: is there's no centralized or no consistent framework for everyone to follow.

[00:02:41] [SPEAKER_00]: So in my opinion it caused a lot of confusion.

[00:02:44] [SPEAKER_00]: So I think my prediction in the future is that CMMC will help with that and basically

[00:02:51] [SPEAKER_00]: make it so that businesses have a consistent framework to follow.

[00:02:57] [SPEAKER_01]: It's interesting you bring it up that way because my sort of follow on the way I've

[00:02:59] [SPEAKER_01]: been thinking about this is like, look, right now different industries do have specific

[00:03:03] [SPEAKER_01]: compliance requirements.

[00:03:06] [SPEAKER_01]: Is your thinking that the way this is going to go is CMMC will essentially just sort

[00:03:10] [SPEAKER_01]: of take over everywhere and will be the single standard across all industries?

[00:03:16] [SPEAKER_00]: I do.

[00:03:17] [SPEAKER_00]: Yeah, I think that that would actually be helpful for a lot of businesses to not only

[00:03:21] [SPEAKER_00]: make them more secure, get them more compliance and in alignment, but make things easier and

[00:03:27] [SPEAKER_00]: cheaper for most.

[00:03:29] [SPEAKER_01]: So are there particular signs you're seeing in the industry right now that you can

[00:03:33] [SPEAKER_01]: talk to that gives you indication of that happening or there?

[00:03:36] [SPEAKER_01]: I mean, right now I've only seen CMMC particularly the 2.0 rollout as it relates to

[00:03:41] [SPEAKER_01]: defense.

[00:03:42] [SPEAKER_01]: Now that's a pretty long reach.

[00:03:43] [SPEAKER_01]: Are you seeing conversations around health care or around financial services that would

[00:03:49] [SPEAKER_01]: look to be adopting that standard?

[00:03:52] [SPEAKER_00]: I do.

[00:03:53] [SPEAKER_00]: So kind of backing up a little bit.

[00:03:55] [SPEAKER_00]: So let's talk about HIPAA for a minute.

[00:03:57] [SPEAKER_00]: 1996. I think most people know: go to the doctor's office.

[00:04:01] [SPEAKER_00]: Here's a stack of paperwork.

[00:04:02] [SPEAKER_00]: You agree, you agree, sign your life away.

[00:04:04] [SPEAKER_00]: You get your medical care.

[00:04:05] [SPEAKER_00]: But the sad reality is that medical practice is most likely not compliant with HIPAA.

[00:04:13] [SPEAKER_00]: They may have whatever fill in the blank EMR system and the common number one myth

[00:04:19] [SPEAKER_00]: is, oh, it's their job.

[00:04:22] [SPEAKER_00]: They keep me secure, right?

[00:04:24] [SPEAKER_00]: Absolutely not.

[00:04:26] [SPEAKER_00]: There's what's called the shared responsibility matrix.

[00:04:28] [SPEAKER_00]: There's responsibilities that the practice and the people that work at the practice have

[00:04:33] [SPEAKER_00]: to abide to and train themselves on and test.

[00:04:38] [SPEAKER_00]: So the problem, in my opinion, with most regulatory compliance frameworks is there's

[00:04:43] [SPEAKER_00]: not enough teeth in it.

[00:04:45] [SPEAKER_00]: There are not enough audits.

[00:04:47] [SPEAKER_00]: And there's not a third party validator.

[00:04:51] [SPEAKER_00]: And that's the big differentiator with CMMC.

[00:04:54] [SPEAKER_00]: So the CMMC 2.0 has three different maturity levels.

[00:04:58] [SPEAKER_00]: There's the first level which you can self-attest to.

[00:05:02] [SPEAKER_00]: The second level is where you're actually dealing with controlled unclassified information

[00:05:06] [SPEAKER_00]: or CUI, sensitive stuff you don't want people to see in the public.

[00:05:10] [SPEAKER_00]: And then the third is the most robust, which is level three.

[00:05:14] [SPEAKER_00]: But on level two and level three, level two, you have to have a third party

[00:05:20] [SPEAKER_00]: check all of your stuff and make sure that you have two forms of evidence for all the controls.

[00:05:25] [SPEAKER_00]: All your staff is trained.

[00:05:27] [SPEAKER_00]: You have the proof.

[00:05:28] [SPEAKER_00]: So it's a proof model where you can't fake it and say, oh yeah, I'm going to check that box.

[00:05:33] [SPEAKER_00]: Yeah, I'm compliant, where most companies, including DIB companies, are checking that box

[00:05:38] [SPEAKER_00]: and saying, oh yeah, I'm compliant with NIST 800-171 and oh yeah, I'm compliant with 172.

[00:05:44] [SPEAKER_00]: That was just released to, you know, I'm compliant with that too.

[00:05:47] [SPEAKER_00]: And then they take the money and they get these grants from the government.

[00:05:51] [SPEAKER_00]: But if there were more audits, most would fail.

[00:05:54] [SPEAKER_00]: And the government knew this when they came out with DFARS 7019 and 7020.

[00:05:59] [SPEAKER_00]: They basically called the cards of speaking with Defense Industrial Base.

[00:06:04] [SPEAKER_00]: They called them and they're like, okay, we know that you guys are getting hacked.

[00:06:08] [SPEAKER_00]: We know that most of you are not doing what we asked you to do with DFARS and NIST.

[00:06:12] [SPEAKER_00]: So upload your score to what's called the SPRS system.

[00:06:18] [SPEAKER_00]: And you have a score range of negative 203 to positive 110.

[00:06:23] [SPEAKER_00]: Upload your score to the system if you've got any gaps and it makes your score less than 110.

[00:06:28] [SPEAKER_00]: You need to show why it's a gap and how you're going to fix it and when you're going to fix it.

[00:06:34] [SPEAKER_00]: And you upload all that including your system security plan to the portal.

[00:06:38] [SPEAKER_00]: And then we'll move on.

[00:06:39] [SPEAKER_00]: Well, by the way, if you don't have an SSP or a system security plan,

[00:06:42] [SPEAKER_00]: you immediately fail and you go to negative 203 score.

[00:06:47] [SPEAKER_00]: So anyway, that was like four years ago now that they mandated that.

[00:06:51] [SPEAKER_00]: But my point is that the reality is with all these other regulations, HIPAA, FTC, whatever,

[00:06:59] [SPEAKER_00]: fill in the blank, they don't have that.

[00:07:00] [SPEAKER_00]: So they're behind, they're dated.

[00:07:03] [SPEAKER_00]: It's all in a trust model of oh yeah, we're doing that.

[00:07:07] [SPEAKER_01]: So give me a little bit of your thinking then on the way this will get implemented in terms of having the teeth.

[00:07:16] [SPEAKER_01]: Because notoriously, Congress has been quite bad about passing things like privacy laws broadly for the consumers.

[00:07:24] [SPEAKER_01]: How do you see this playing out from an enforcement perspective to make sure that people really that there really are teeth to what's happening here?

[00:07:33] [SPEAKER_00]: Well, kind of starting with the CMMC.

[00:07:35] [SPEAKER_00]: So if you don't follow the process after it becomes law, you don't get the gold star.

[00:07:40] [SPEAKER_00]: You don't get the license.

[00:07:41] [SPEAKER_00]: You don't get the contract.

[00:07:43] [SPEAKER_00]: So if a HIPAA practice, for example, a medical practice wants to see patients, if this is enacted and let's fast forward five or 10 years and CMMC becomes standard for them, and they don't do it, then they're no longer allowed to see patients.

[00:08:00] [SPEAKER_00]: I think that would be a big teeth disruptor.

[00:08:03] [SPEAKER_00]: Oh no, I've panicked.

[00:08:06] [SPEAKER_00]: But that's kind of my point.

[00:08:08] [SPEAKER_00]: My point is that there needs to be more audits.

[00:08:10] [SPEAKER_00]: There needs to be more regulatory framework around look, we can't just trust that you're checking this box.

[00:08:17] [SPEAKER_00]: You need to be validated.

[00:08:18] [SPEAKER_00]: Kind of like PCI kind of led the way in this a little bit before CMMC 2.0, where at least PCI, like if you're Ticketmaster for example, and you're doing huge volume, you need to have a PCI auditor actually check your stuff.

[00:08:31] [SPEAKER_00]: So that's good in my opinion.

[00:08:33] [SPEAKER_00]: But obviously self attestation and checking the box just doesn't work.

[00:08:37] [SPEAKER_00]: I mean, just look at the headlines.

[00:08:39] [SPEAKER_00]: I mean, I completely agree.

[00:08:42] [SPEAKER_01]: What I'm just trying to understand is I'm trying to get to the point of understanding where we think the most effective teeth are going to be.

[00:08:48] [SPEAKER_01]: And so I want to make sure that I'm clear on your position.

[00:08:51] [SPEAKER_01]: You essentially just think that the best way to give this teeth is to deny people to the business if they are not at that level of standard.

[00:08:59] [SPEAKER_01]: Is that sort of a fair assessment?

[00:09:00] [SPEAKER_00]: I think that's fair.

[00:09:02] [SPEAKER_00]: And let's let's put it this way.

[00:09:04] [SPEAKER_00]: If we'll put it to draw what we use the analogy of driving, right?

[00:09:08] [SPEAKER_00]: If the state that you live in said, oh yeah, fill this out, take this online five minute thing.

[00:09:13] [SPEAKER_00]: Yeah, you can go drive.

[00:09:15] [SPEAKER_00]: They're not going to do that.

[00:09:16] [SPEAKER_00]: You actually need to be validated and tested with an instructor and then to go physically in there be proctored.

[00:09:22] [SPEAKER_00]: So you can't fake it anymore.

[00:09:23] [SPEAKER_00]: Right.

[00:09:24] [SPEAKER_00]: So if they have that system in the driver's analogy and it works to someone in most aspects, it works better than the other way.

[00:09:35] [SPEAKER_00]: Right.

[00:09:36] [SPEAKER_00]: I do think the put teeth in it would be good to kind of do that because here's the thing people don't take action unless they have to.

[00:09:45] [SPEAKER_00]: So I'll give you another segue.

[00:09:47] [SPEAKER_00]: Cyber security insurance.

[00:09:49] [SPEAKER_00]: I'm sure you've heard of cybersecurity insurance.

[00:09:51] [SPEAKER_00]: I was about to ask you about it.

[00:09:52] [SPEAKER_00]: So I'm glad you brought it up.

[00:09:54] [SPEAKER_00]: So ransomware, a lot of companies have enacted.

[00:09:59] [SPEAKER_00]: Hey, I mean, oh no, I got hacked.

[00:10:01] [SPEAKER_00]: I didn't do the right thing.

[00:10:02] [SPEAKER_00]: My employee clicked on the wrong email, whatever fill in the blank.

[00:10:06] [SPEAKER_00]: We got ransomware our systems are shut down.

[00:10:09] [SPEAKER_00]: What do we do?

[00:10:10] [SPEAKER_00]: First people they call us their insurance company.

[00:10:12] [SPEAKER_00]: We need to put in a claim. Well, the first reality check, if they didn't already have cybersecurity insurance, is they typically don't have coverage or enough coverage.

[00:10:20] [SPEAKER_00]: So they have usually a very small 10, 20, $50,000 maybe umbrella or something like that.

[00:10:26] [SPEAKER_00]: That, you know, will pay something.

[00:10:28] [SPEAKER_00]: But so at the beginning when these ransomware attacks were happening, a lot of these insurance companies were just losing their shirts because they were just bleeding out.

[00:10:37] [SPEAKER_00]: So then they got smarter and were like, all right, we need to put in some minimum safeguards: if you want to qualify for cybersecurity insurance, you need to do this.

[00:10:47] [SPEAKER_00]: And some of them are obvious, like MFA on your email, MFA everywhere on your systems, training.

[00:10:54] [SPEAKER_00]: And then you have to prove the evidence that you do these things.

[00:10:57] [SPEAKER_00]: And then when you submit a claim, if you have the proof, your odds of the payout are high or higher, right?

[00:11:05] [SPEAKER_00]: So since all that has kind of like revolutionized, a lot of insurance companies now are actually backing out and they don't even want to insure anymore.

[00:11:13] [SPEAKER_00]: And they're just getting out of that business model because they just can't figure it out.

[00:11:17] [SPEAKER_00]: But I think that that's where we're moving towards.

[00:11:19] [SPEAKER_00]: I think we're moving towards a, you know, don't trust, verify model.

[00:11:25] [SPEAKER_01]: So where are you seeing like in the field right now with compliance levels?

[00:11:30] [SPEAKER_01]: Like how compliant are most customers?

[00:11:33] [SPEAKER_01]: Where is the maturity of the market right now?

[00:11:37] [SPEAKER_00]: I would say that most are not compliant.

[00:11:40] [SPEAKER_00]: And that's also why we see the headlines that we see.

[00:11:44] [SPEAKER_00]: And I think even, I think the big myth is, oh, I'm a small company.

[00:11:50] [SPEAKER_00]: I don't need to be compliant or I don't need to do X.

[00:11:53] [SPEAKER_00]: Whereas with HIPAA, it doesn't discriminate whether you see one patient or 10,000 patients, you still have to follow the same rules.

[00:11:59] [SPEAKER_00]: And yeah, there's going to be what I call a foundational level of stuff that people have to do across people, process and technology just to get them up to a compliant level.

[00:12:12] [SPEAKER_00]: And yeah, that might be expensive for one person, you know, doing their practice and easier for a company of 100,000 or 10,000 to spread that cost.

[00:12:22] [SPEAKER_00]: But the reality is that's how the law is written and you have to still do the, you have to still comply or you're at risk.

[00:12:29] [SPEAKER_00]: So the broad stroke answer to your question is, in my opinion, most are not compliant.

[00:12:35] [SPEAKER_00]: I mean, the headlines don't lie.

[00:12:37] [SPEAKER_00]: And the ones that you would think are compliant, like, I won't name names, but big breaches, fill in the blank, that you've probably seen in the newspapers recently.

[00:12:50] [SPEAKER_00]: Even with those companies that are, I mean, you would be like, wow, this is a huge company.

[00:12:55] [SPEAKER_00]: They're doing all this stuff, right?

[00:12:57] [SPEAKER_00]: No.

[00:12:58] [SPEAKER_00]: They're not because if they were, I mean, in some of these breaches, it makes people, in my opinion, in my field, laugh because if they were just doing some of the stuff that we talk about every day, it would have saved that customer.

[00:13:12] [SPEAKER_00]: And I'll give you an example, you know, encryption.

[00:13:15] [SPEAKER_00]: If a lot of these big businesses were encrypting your data and my data, if a breach happened and the payload was encrypted, then the hackers can't like say, oh, I'm going to go post this on the dark web.

[00:13:29] [SPEAKER_00]: Who cares?

[00:13:30] [SPEAKER_00]: Right?

[00:13:30] [SPEAKER_00]: It's all scrambled.

[00:13:31] [SPEAKER_00]: It's encrypted.

[00:13:32] [SPEAKER_00]: But they're not even doing that stuff.

[00:13:35] [SPEAKER_00]: And that's like basic 101 stuff that's easy to do nowadays.

[00:13:39] [SPEAKER_00]: So that's my stance on it.

[00:13:41] [SPEAKER_00]: I would say most are not compliant.

[00:13:44] [SPEAKER_00]: Some try hard but are still not compliant.

[00:13:47] [SPEAKER_00]: But again, I believe in the trust,

[00:13:50] [SPEAKER_00]: don't trust, verify model.

[00:13:52] [SPEAKER_01]: I'm 100% with you.

[00:13:54] [SPEAKER_01]: So I want to get a little bit of your take then on where you think the responsibility and sort of liability of this ought to lie.

[00:14:00] [SPEAKER_01]: Like there's almost a public or private approach to this because there's a certain element of like, you are essentially, you know, completely incompetent at some level on the basics.

[00:14:12] [SPEAKER_01]: If you're not doing certain basic things, for example, forcing multi-factor authentication, basic encryption, not keeping your software up to date.

[00:14:21] [SPEAKER_01]: Give me a sense of where your cut where which approach you lean more toward and why of our do we think that this is a matter of like regulatory compliance that will solve it through sort of government and fine or do we solve it by approaching this from the insurance perspective and making it so, you know, you could

[00:14:39] [SPEAKER_01]: essentially get wiped out as a business and completely non comply like from an insurance perspective or is it a balance of both?

[00:14:45] [SPEAKER_01]: Like how would you approach this of making this more important for end customers?

[00:14:52] [SPEAKER_00]: I would leverage the power of AI.

[00:14:54] [SPEAKER_00]: So what I would do is we'll use Microsoft as an example.

[00:14:59] [SPEAKER_00]: Microsoft's a huge corporation.

[00:15:00] [SPEAKER_00]: They have a lot invested in AI.

[00:15:02] [SPEAKER_00]: I believe one day in the future, logging into Microsoft 365 portal, we will see a list of compliance regulatory frameworks.

[00:15:12] [SPEAKER_00]: Check all the ones that apply to you and Microsoft will do all the security controls that they can to abide and comply.

[00:15:21] [SPEAKER_00]: Right now, I'm not saying that that's everything you need to do.

[00:15:23] [SPEAKER_00]: I'm just saying that I foresee a future where maybe Congress or some regulatory framework forces big corporation like Microsoft to do something like that.

[00:15:37] [SPEAKER_00]: And then by default have some of that turned on when you log in or sign up as a new user and like make it so that if you have to opt out, like it's hard.

[00:15:48] [SPEAKER_00]: Like, no, no, no, I don't want to do that.

[00:15:50] [SPEAKER_00]: But make it like really hard to actually unwind it.

[00:15:53] [SPEAKER_00]: I think that will help.

[00:15:55] [SPEAKER_00]: I don't think it's the solution for everything because like I said, there is the shared responsibility model.

[00:16:00] [SPEAKER_00]: If most people, I think the common misconception and myth with Microsoft and a lot of other vendors is, oh, they're responsible for my security and backup.

[00:16:09] [SPEAKER_00]: And if you read their terms and conditions, they're actually not and they hold themselves harmless and they actually say, you have to back up your data.

[00:16:15] [SPEAKER_00]: Look, we just give you the knobs and the dials to turn.

[00:16:19] [SPEAKER_00]: But it's your responsibility for any security, any data, anything.

[00:16:24] [SPEAKER_00]: We just give you this stuff.

[00:16:25] [SPEAKER_00]: You need to know how to turn it.

[00:16:27] Right.

[00:16:28] [SPEAKER_00]: So I think that that in the future leveraging AI will help with that part of it.

[00:16:33] [SPEAKER_00]: But again, it goes back to the shared responsibility matrix.

[00:16:36] [SPEAKER_00]: You need to be trained.

[00:16:38] [SPEAKER_00]: Your staff needs to be trained.

[00:16:39] [SPEAKER_00]: You need to have evidence based compliance with various controls, things like that.

[00:16:45] [SPEAKER_00]: But I think that that will help in the future.

[00:16:48] [SPEAKER_01]: I mean, I want to get your sense then about, you know, Jen Easterly, who's with CISA, has come out recently and sort of thrown out the gauntlet saying that we don't have a security problem.

[00:16:57] [SPEAKER_01]: We actually have a software quality problem.

[00:16:59] [SPEAKER_01]: And, you know, and part of CISA's move right now, the secure by design, is to a kind of opt-in model of making manufacturers more responsible for that.

[00:17:09] [SPEAKER_01]: It sounds like you would be, you're very pro for that.

[00:17:11] [SPEAKER_01]: Like, where do you feel that the right limits of that responsibility for the software manufacturers are?

[00:17:18] [SPEAKER_00]: Well, I think that you've got obviously closed source and open source.

[00:17:23] [SPEAKER_00]: Right.

[00:17:23] [SPEAKER_00]: And I think that there's arguments on both sides, but I think the reality is open source.

[00:17:28] [SPEAKER_00]: I think since it's vetted in the public and it's all validated or can be validated by anyone at any time, I think could arguably be more secure of a model opposed to a closed source model.

[00:17:41] [SPEAKER_00]: So now you say, you know, the software needs to be more secure or maybe a framework of requiring certain security standards.

[00:17:51] [SPEAKER_00]: And then maybe there needs to be some kind of audit at that level.

[00:17:56] [SPEAKER_00]: You know what I mean?

[00:17:56] [SPEAKER_00]: Like so if Microsoft's programming in X, whatever fill in the blank language, then we need to get this third party to validate our code kind of thing.

[00:18:05] [SPEAKER_00]: So I feel like that checks and balance third party zero trust model is the future.

[00:18:12] [SPEAKER_01]: Craig Petronella is a security and compliance expert with over 30 years of experience, having helped thousands of businesses across industries like healthcare, defense and finance.

[00:18:22] [SPEAKER_01]: As the founder of the Petronella Technology Group, he's dedicated to guiding organizations through the complexity of IT compliance and protecting them from evolving cyber threats.

[00:18:30] [SPEAKER_01]: Craig, this has been a great conversation. Thanks for joining me today.

[00:18:32] [SPEAKER_01]: Thank you so much for having me.

[00:19:20] [SPEAKER_01]: The Business of Tech is written and produced by me, Dave Sobel, under Ethics Guidelines posted at businessof.tech.

[00:19:28] [SPEAKER_01]: If you like the content, please make sure to hit that like button and follow or subscribe.

[00:19:34] [SPEAKER_01]: It's free and easy and the best way to support the show and help us grow.

[00:19:39] [SPEAKER_01]: You can also check out our Patreon where you can join the business of tech community at patreon.com slash MSP radio or buy our Why Do We Care Merch at businessof.tech.

[00:19:51] [SPEAKER_01]: Finally, if you're interested in advertising on this show, visit MSPradio.com slash engage.

[00:19:58] [SPEAKER_01]: Once again, thanks for listening to me and I will talk to you again on our next episode of The Business of Tech.