On the 14th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Noah Davis, Vice President & Chief Information Security Officer at Ingersoll Rand. Ingersoll Rand is a Fortune 500 global industrial manufacturing company with over 18,000 employees and 7 billion dollars of annual revenue. For over 160 years, Ingersoll Rand has been a leader in innovative air, fluid, energy, and medical technologies, providing mission-critical solutions to increase industrial productivity. In this conversation, Noah shares his thoughts on navigating the human threats of AI in cybersecurity, the duality of AI for attackers and defenders, and how AI is shaping the in-demand skills for the next generation of cybersecurity professionals.
Quick hits from Noah:
On how threat actors are using AI in new attacks: "They're going to take advantage of cyber savviness, or lack thereof. There was the one incident that happened in Hong Kong where they actually did a video conference call and it was a 25 million payout because he thought he was on the phone with the CFO and there was a video of it. And it was really convincing."
On how enterprise defenses will evolve in response to AI: "What I have faith in is that the good guys will find ways to interject, to be able to identify [malicious threat attempts], determine the patterns if it seems scripted. And give you some percentage of confidence on, ‘we think this is fake,’ versus, ‘No, that's, that's definitely your CFO.’ You might even get a copilot to have you prompt like, ‘You should ask this question to see if this is a legitimate human.’"
On keeping talented security professionals engaged in their work: "It's by taking out the noise of having to respond to every little bit and automating out the high volume, low value stuff. And then what we're actually dealing with, we're laser focused on the highest risk. The highest risk is fun, because that's where you see the new stuff, [like] the polymorphic malware that makes it past a bunch of other defenses. That's what gets my team jazzed up to look at."
Recent Book Recommendations: The Obstacle is the Way by Ryan Holiday
Evan: Hi there, and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks.
In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real world examples of modern attacks, and the role AI can play in the future of cybersecurity. I’m Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I’m Mike Britton, the CISO of Abnormal Security. Today on the show, we’re bringing you a conversation with Noah Davis, Vice President and Chief Information Security Officer at Ingersoll Rand.
Ingersoll Rand is a Fortune 500 global industrial manufacturing company, with over 18,000 employees and 7 billion dollars of annual revenue. For over 160 years, Ingersoll Rand has been a leader in innovative air, fluid, energy, and medical technologies, providing mission-critical solutions to increase industrial productivity.
In this conversation, Noah shares his thoughts on navigating the human threats of AI in cybersecurity, the duality of AI for attackers and defenders, and how AI is shaping the in-demand skills for the next generation of cybersecurity professionals.
Evan: First of all, thank you so much for taking time to join us today. Maybe to start off, can you give our audience a bit of background about kind of your career, maybe your current role today?
Noah: Sure. Yeah. My name's Noah Davis. I'm the vice president and chief information security officer at Ingersoll Rand. And the best way to say what Ingersoll Rand does is we're a $7 billion company and we make things that help other people make things, which means we're in industrial manufacturing. So tools, hoists, winches, compressors, the big moving things. That's, that's kind of what we do.
How did I kind of get into the field, so way back in the day before the true kind of more connected internet, when you're talking kind of dial up modems, uh, my buddy's dad owned a local ISP. I built Pentium II computers. I helped network my AP physics class in high school. Learned nothing about physics, but got an A in the class. Uh, then when I took the entrance exam, kind of bombed it, got no credit in college, um, and then from there, I just kind of went through college and took, uh, started out in computer science. Um, started to do some machine language. It was like, whoa, that's way too intense. Backed it off and came out of school and degrees in finance, accounting, computer information systems, international business.
And then I started an audit, IT audit, cause I like to travel. See the world and it was a way I could see a lot of it and not really be responsible for it. Like audits. Awesome. Cause you can just look at things and go, Hey, you missed a spot, and then somebody else has to go fix it, but you learn a lot.
And then from audit, I had a, I had an old boss that asked me to move to Germany and kind of do IT operations, uh, kind of end user kind of computing environment that was mostly outsourced. So that was really, really, uh, good learnings, uh, came back and ran an IT audit shop, then moved into kind of your traditional cybersecurity areas of endpoint security, then network security, then data access, identity, then I did divestiture of a 4 billion business, got architecture. Then got SecOps and then became a CISO.
Evan: I know you're very passionate about what you do. That makes you a great leader. When did that kind of light bulb go off? When did you realize that, hey, cybersecurity is like a worthy thing or something that would kind of bring you energy or you wanted to, you know, spend, I mean, it's a hard job, right? There's easier jobs. When did that kind of click for you?
Noah: So I've always liked IT, right? When I got into IT, like I said, I was building Pentium IIs. Cybersecurity wasn't really a thing then. So it was more, I was like, Oh, I want to be a CIO. And I got the accounting and finance background. Cause I was like, ah. If you want to be successful at tech, you have to be able to talk the language of business and the language of business is numbers. And then it was actually when I was auditing at Tyco, I tend to like problems. So when I did my auditing course in college, I wrote a paper on Enron, WorldCom and Tyco and Tyco was the only one left standing. So I was like, Hey, I want to go work there. How does that happen?
So during that, they gave me some classes. One was Polish and we can get into that story, which is a fun one too. And the other one was ethical hacking. So, I used to go around to ADT facilities in North America and just try to tailgate people in, jack in, run PWDump3E, John the Ripper, and see what I could get.
That, doing that, was the most fun I had ever had. So that's when I was like, ooh, this security thing that isn't quite cyber security yet, because this is 2003 or 2004, that's what I want to do. So I just kept trying to move myself in ways that got me closer.
Mike: So what are some unique cybersecurity use cases at Ingersoll Rand that an outsider may not fully appreciate?
Noah: So I'll phrase this kind of differently. There are organizations that make money in cybersecurity, selling cybersecurity services. That's not our organization. So it's not so much that it's necessarily a new, unique cybersecurity challenge. It's a unique resource challenge, because people that want to be top of their game, like I'm going to have a hard time kind of retaining them. We're a smaller shop because we don't make money selling cyber or doing cyber. Right. So we have to find other strong partners to work with where you've kind of earned your bones other places. Cause there's not a lot to go. I mean, we're 20 to 25 people in total. When you look at the expanded kind of third parties that we're using too.
Um, so really that's more of my challenge is how do I keep a small team of highly compensated, really skilled people, how do I keep them challenged and how do I automate a lot of the noise and we'll call it high volume, kind of low value stuff that everybody in cyber has to do. How do I pass that off to either a third party or automate it out of our process so that we're kind of continually focused on the most challenging kind of aspects?
Mike: So when it comes to that, especially in the industrial space, are there some unique attacks that you see that others may not be exposed to?
Noah: Yeah, definitely around kind of the OT side, so the product cybersecurity side for us is big. We split product cyber into two pieces. There's digital, which is kind of the interfaces with our customer and the websites that they look at, they can tell the utilization of their compressors and other various different things. And then there's the embedded. So PLCs, logic controllers on those compressors. That source code. It's not Stuxnet, but it's still that same type of risk vein of those compressors have air really, really, really compressed. If you can get past some of those security controls on a PLC, you can make that compressor explode.
So there, those are more of the things that make me nervous at night, is how do you really secure some of those challenges? And, and the flip side of that is that those also tend to be in engineering departments where they are really capable of IT and they don't like IT and cyber guys kind of muscling into their space. So it's an influence and kind of govern, bring under everybody under an umbrella and keep everybody happy while you're trying to move a needle forward.
Evan: Well, Mike understands that. That's why at, um, at Abnormal Security, we made IT report into the CISO versus the other way around.
Noah: I actually think that's the way the industry is going to go. It may still be led by a CIO, but I think the CIOs of the future are all going to have to have that background as a CISO. Just because it's becoming so fundamental. And then effectively you get that net result of IT roles through security.
How else do you get secure by design in IT? How do you get there unless you do that?
Evan: If you go back to, you know, what was considered security risks, 20 years ago, the security landscape 20 years ago has changed. And probably in all of our first jobs. We sat down at a desktop computer in a building on a local network. And like, if you wanted to break into that organization, it was through the front door. Maybe through email, but probably not. Maybe you had a firewall, but probably not, but that was it. It was much different.
Today, we're in a crazy different world. Like, at our company, people don't have really a lot of desktop software. Maybe a web browser, maybe Zoom, maybe Slack, maybe Excel. That's probably it. And you think about a lot of the work that gets done, the systems of record, you know, the data stored, even the, the primary, the business applications are all in the cloud and people can access that anywhere in the world. Any device, any network, as long as they're kind of authenticated and authorized, you can get in.
It's crazy, right? Because like things outside the building, outside your device, outside your network can now affect your stuff. And that's both the feature of the cloud and also the, one of the biggest challenges. So how do you see like the threat landscape changing with this new kind of cloud based application environment compared to where you were 10 years ago.
Noah: Exponential growth. There is no perimeter. Everything's permeable and fluid now. Everybody talks about zero trust, and we keep kind of recreating these, these names for things that are just kind of reinventing the same thing and adding a little twist on it.
I always think of everything as kind of a security journey. Kind of like you're, you're headed towards zero trust. It's never a destination you get to. I think it's the same thing with SaaS, IaaS or, or on prem. It's what do you have? How do you look at it? Where do you find your weaknesses. Mitigate and patch those weaknesses as much as possible, to get within your risk appetite, because you can't fully eliminate it. You can't stop the human threat, and like 82 to 84 percent of all incidents come from the human threat.
So you've seen it and what we've done with IaaS, in the shared responsibility models, and everybody's kind of talking about risk and trying to shift it over there, take it over there, and the same thing with SaaS. There's some benefits that I talked to our executives about because our company has been around since 1886, so we aren't fully cloud, either IaaS, SaaS or PaaS by any means. We've still got a lot of on prem stuff. And the way I explain the benefits of moving there is, look, we do give away a little bit of control.
From a security aspect, definitely on a SaaS platform. You're giving away a lot of that security control. What you're getting back is if I did my job bad on an on prem environment, you lose every business capability when they get inside our data center. Now with SaaS, you lose like a singular business capability, so you can still move along at a faster pace. So it's, it's that kind of Russian roulette thing. It's, it's a single bullet taking it out, or you had a bomb that totally took out your entire organization. So it's diversification of some of your business capability risk is the way that I look at it.
You're just kind of constantly re evaluating it. I mean, there's new technology now, new security concerns. API security. That definitely wasn't a thing. It definitely is today. You just always have to be kind of open to learning and going and really admitting to yourself, I don't know what the hell that is. And I think I need to. Like, what book do I open or who do I talk to, to try to start to figure this out and at least get a fundamental concept of what it is so I can start to try to approach it.
The sad part is, with each of these new things, you can't forget the old ones. So still my number one key is be brilliant at the basics. Be brilliant at your identity management, your patching, your vulnerability management. Be brilliant at your basics and you're still going to be better than probably 85 percent of organizations out there. Then start worrying about your next level of kind of higher maturity things, and admit you're an idiot like me. You know you can figure it out. That's the one thing I know I'm good at is learning. I don't know everything, but I know I can learn.
Evan: You use this term human threat was hoping you can maybe explain what you meant by that. You know, mostly cybersecurity companies are protecting infrastructure, your networks, your devices. Say more about what you mean by human threat.
Noah: Well, there's intentional and unintentional. Everybody has dealt with a user that works in IT, and we all know that they run various, we'll call them letter grades of F as in incompetent with IT, kind of like my parents. To A's, right? Which are your cyber security teams or your infrastructure teams, your cloud teams, your Kubernetes teams. Those teams.
So the human threat kind of lies upon that scale of intelligence with it, like I'm going to kind of disregard the intentional aspects of it now, but anybody on any given day can make a mistake when they configure a cloud server and they spin it up and they don't take the tech mark to make sure that they didn't expose it to the internet, that they applied the latest patches. And there's some governance you can put in there too, to automate those things, but it's, that's really what I'm talking about.
The human threat is kind of that unintentional, they're moving too fast and the kids scream in the car and they click yes on the MFA token. They're eating their lunch and somebody hits them up with a question and they write something on their desk that shouldn't be there, or they misconfigure something because they're rushing through their standard work or their steps of what they're trying to do. And it creates a vulnerability that can effectively be exploited. That's mostly what I mean by the human threat.
Mike: So when you look at these human threats, we've got a lot of technology that's changed a lot just in the last couple of years with AI and ChatGPT 4. When you look at emerging threats from attackers, do you see some ways that maybe attackers are going to be leveraging this new technology to take advantage of these various, I guess, cyber skills or cyber savviness across the spectrum?
Noah: I think it's, they're going to take advantage of cyber savviness as, or lack thereof. I mean, you've seen it in a couple of them. There was the one that happened in Hong Kong where they did actually a video conference call and it was a 25 million payout because he thought he was on the phone with the CFO and there was a video of it. That is the definitive kind of, yeah, that was AI. And it, it was really convincing. And I don't even know that you could have that level of awareness. If I'm on my phone with my CFO, unless I'm cutting some jokes or doing some of you know, like the CIA type stuff where you're like, Who was your friend when you were 16 and what color car did you drive, so you could get some type of validation of the answer that it's not AI, like that's very hard to say. Oh, man, that's not real. So I think you're gonna see that, right?
And this gets down into this really kind of squirrely conversation. Uh, you know, the Terminator of, but I do think it kind of devolves down into, you know, blue teams and red teams. Your, your table stakes are gonna be AI for defense and AI for attack. I use a lot of commonality to the movie, I don't know if you've seen, it's a Disney one, have little kids. So I tend to watch more Disney movies, Hidden Figures, where they were talking about the moon landing and it used to be just straight up kind of hardcore grunt math in your head. And then, you know, they had, they had the super high end kind of mathematicians that they would pass some of the lower level calculations down. And then they introduced the mainframe and they realized the game has changed, and the people that were kind of doing the lower level grunt calculations realize they had to pivot to add value to how you execute on a mainframe because that job was going away. I think a lot of people in IT need to start thinking about that and making that shift, too.
There's still a lot of room for intelligent people in the IT space. AI isn't gonna take those jobs away. But it's how do you add value to what AI is doing? Or take it to that next level analysis, because the one thing AI isn't good at is innovation. It takes everything in its model has to have had something that happened before. I don't think AI is ever going to get to a point where it will make that disruptive technology, um, like the iPhone. There's nothing historically that would have, you know, indicated that that was a thing or that it would work. So that's still the human factor that has to go on top and add value to the additional amount of data that we're able to process and work through and connect now.
Evan: There's kind of a false narrative around like AI is going to take jobs like for all three of us, if all of a sudden every worker is twice as productive because they have AI, like, we want to hire more people, not fewer people, right?
Noah: Exactly. It's about how, how do you get to the outcomes you're looking at faster. It doesn't necessarily mean that the people are gone behind it. It's just, you're making them hyper efficient.
Evan: So you mentioned this example where the criminal used kind of like these generative AI videos to impersonate the CFO, to trick this person to wire transfer. So that would have been impossible five years ago.
Today it's, it's possible but it requires, it's a little hard, right? You got to get this, the training videos and you got to precompute these things and create these fake scripts, set up this fake Zoom call. It's not hard to imagine like five years in the future, maybe even one year in the future, if not today, this stuff gets even easier for the average criminal to do, and the level of sophistication would go up, and there's like more channels for how we communicate. It's not just Zoom. It's going to be WhatsApp and text, and like, you know, iMessage and FaceTime and whatever the next thing is. And these systems will be increasingly integrated, where once you're kind of tricked in one, you're intrigued in all of them.
So what's your prognosis here? We're at a time in civilization where we've never invested more in cybersecurity. There's also never been more negative impact from cybersecurity attacks than ever. The attackers are getting all these great tools. There's a shortage of, you know, cybersecurity talent. Where are we going? What's the trajectory here?
Noah: I'm not a negative guy. I think, you know, generative AI is very similar, and this is probably not the best example, but like nuclear power. You get really great aspects from nuclear power, but you also get the drawback of the atom bomb. You can't separate those two. It's the same thing with generative AI.
So I do think it goes down to that level of, yeah, the threat actor is going to keep innovating and they're going to templatize it, standard work it, make it easier to do. I mean, that's how you have ransomware as a service. They figured out how to do this and make a business model out of it. They will do the same thing leveraging generative AI to do these kind of business email compromises, but now I'm guessing you're going to call it like Teams or, or Zoom, Zoom video conferencing compromise. I'm not really sure what it's going to be called, right? Video compromise.
And they'll keep monetizing that as long as it makes money. But what I have faith in is that the good guys, well, it's a cat and mouse game and it's continual. They will find ways to interject that, be able to identify it, determine the patterns that it seems scripted and give you some percentage of confidence on, Hey, we think this is fake, versus no, that's, that's definitely your CFO. And who knows, you might even get copilot to have you prompt and be like, you should ask this question to see if this is a legit human.
It's going to be this continual kind of cat and mouse game going back and forth. But I think, for the cool and awesome power that is generative AI, it comes along with badness and you have to accept that, you know. For every force there's an equal and opposite force. That's just the way the world kind of works. And I know that's not a hugely specific answer, but I don't know how to answer it better that that's how I view it in my head too.
Evan: I'm with you. I think the nuclear energy example is, is, is very good. Any technology is a tool, tools can be used for good or evil. There's lots of great use for a screwdriver, some bad ones too. I think the only place that the analogy breaks down a little bit is that it's very difficult and time intensive and money intensive to build a uranium enrichment facility.
But like a year from now, like any criminal on the internet can go download the bad GPT mod on their laptop, so it's very accessible. And so, um, like if that tool is very powerful and it becomes more accessible and more broadly used, to what extent does that increase the importance of protecting against this human threat as these digital identities are easier to impersonate if not compromise.
Noah: I think it actually increases the importance of correlation of the existing data sets within your environment and how do you find those patterns within yours that help you apply defensive methods better.
So if we're going to stay with the video conferencing one, right, like I doubt that they checked the IP that that video conference was connected to. There's a lot of different pieces around commonality around like, does this person regularly call them? Is this from an IP that we've seen them coming from before? Are there tones or other things in the voice? Like, there's ways to get there but it's, you got to look at using the mountains of data that you have within your environment and making new kind of correlations and connections that, that give you better insight into the legitimacy of what you, unfortunately, the legitimacy of what you're seeing in front of your very own eyes.
Mike: Yeah, no, and you know, we've, we've had a pretty grim look at the future and we've talked about how AI is going to enable cyber criminals to operate at a higher scale. Let's talk about the other side for just a minute, and you were briefly touching on that. What should give us optimism? What role do you think AI will play in helping defenders, not just stop attacks, but ideally get further ahead of the criminals?
Noah: Yeah, so like one of the things that we're kind of working on in our area is we call it operationalized threat intelligence. So using your recorded features your I think digital risk protection from other offerings, you know, there's a bunch of them, around 10 thousand services, and then kind of taking that and automating use cases and playbooks.
So right now we're automated across our, our brands to look for exposed credentials, and then taking those credentials and without human intervention going, does that match our complexity? Does that match our time and day for reset? Is that a potential bad one. Is that, you know, potentially a valid one.
And then automating the, kind of the reset of the password of the tokens, potentially even disabling the account. And then passing that to a threat hunting team that goes back and then looks for 30, 60, 90 days across all your data sets to see if anything, um, untoward or anomalous kind of happened with that account. That's one use case, but it's really in, in creating a common platform to bring all of this data into to look at it from multiple different ways.
We're working with our third party MDR firm, um, and Abnormal, and we take those accounts in and they also do a phishing analyzer piece, so it's, it's not that everybody is going to bat a hundred percent all the time, but it's across multiple parties, can you get to that a hundred percent or at least get down to 99.99. If you can give me the two nines in cyber, I'm actually pretty happy. Availability, it's a different conversation, but you give me two nines in cyber, I'm thrilled. Um, so I really think that's it, and I think it's starting to happen kind of organically.
We also found a great success when we actually created a centralized security operations or leverage, um, a centralized security operations platform and then started creating automated playbooks. Again, that's, how do I keep my very talented staff to work with me engaged? It's by taking out the noise of having to respond to every little itty bitty bit and automating out, you know, the high volume, low value stuff. And when you bring everything into a common platform, what we saw was that our MTTR decreased by 90%, like we went from 17 and a half days, almost a year ago, and we're down to about two days now for MTTR.
And then. And then what we're actually dealing with. We're laser focused on the highest risk, which the highest risk is the fun stuff, cause that's where you see the new stuff. That's where you see the polymorphic malware, that makes it past a bunch of other tricks, and that's what gets my team jazzed up to look at too.
They don't want to look at the Nigerian email scam or this extortion email. That made it through the security email gateway. Not mentioning names there. But that made it through a bunch of them. They were tired of looking at those, but polymorphic malware? Oh, I see why it made it through. Let's analyze this so we can report it and make it better. Um, and that's kind of the, that gets back to the fun nerdy stuff of cyber.
Evan: You know, you're almost implying that people didn't join Cybersecurity to like hunt through terabytes of log files.
Noah: Yeah. Yeah. No, no. I don't know about the reverse malware engineer guys, maybe those guys, like they're a little different breed. I love them. Their brain thinks differently, but they like to get in the hardcore, do the analysis. I love talking to them. I would lose my mind doing it though.
Evan: There's certainly, uh, some work that a lot of, I think, security analysts, you know, are forced to do today that machines are much better at doing and it frees them up to do things that they are more intellectually stimulating and things that humans are better at doing than computers.
Noah: Yeah, absolutely.
Mike: I guess one follow up too with, with AI, you know, using AI in security and in your practice, do you think that's going to also enable you to look for some different talent that you may not have necessarily either needed or wanted in the past?
Noah: It does. So I take a different tact on talent too, right? You can see it by my shirt, powered by ADHD, like on the back of it, it says normalized neurodivergency. Like if you look across cyber, you're going to find a really high preponderance of kind of, um, neurodivergent people, because they see different things. So I look for a lot of transferable skills like pattern identification. I don't care that you work eight continuous hours. I care about outputs, and that's really a different kind of change in leadership too, is the outputs.
Like I have some extremely talented people. Some days they're just off. You need a mental day. And then they'll come back the next day or they'll get online at 2 a.m. and work till 6 a.m. And in those four hours, they've done the equivalent of 12 hours worth of work of somebody else that I'd pick off the street. So for me, it's really about, I think there will be opportunities there, but you got to look towards non traditional means too.
The other thing I've done in my workplaces. I said, look, when it comes to cyber, I don't care if they have a degree, because sometimes that thought process actually constricts creativity and I think you need an abundance of creativity to solve the problems that are coming at us. So you need to be able to think about it differently. If you have some type of experience, within cyber, within number matching, if you can solve a Rubik's cube in under two minutes, like I want to talk to you. Those are my things that I kind of look for. It's the transferable skills. Attitude and aptitude. You give me that we can move mountains, but that's really kind of how I focus.
Evan: Hey, we're short on time. So we're gonna switch over to our, our lightning round. So these are questions that are impossible to answer quickly, but that's part of the challenge. So, looking for, kind of like, the one tweet version and I'll let Mike go first.
Mike: So do you have any advice to a security leader who stepped into their first CISO job about what they may overestimate or underestimate about the job?
Noah: Yes, they have overestimated their importance and how technical they are and that that got them in the room, and they have underestimated the need to speak cyber and the language of their CEO, CFO, and general counsel.
Evan: What's the best way for CISOs to stay up to date on, you know, new security challenges, especially related to AI?
Noah: Create a network, man. You got to have a network of friends and people that you're close to. Like Mike, we were talking about Steve Johnson. I still have lunch with him like every other month. We're kind of in different fields. I participate in a group of about 50 of them, and we just kind of wing questions back and forth.
And then the third one is like, Find a podcast that gives you the news within five minutes every day. The cyber news within five minutes. There's a bunch of them out there like, find that and listen to it relatively religiously.
Mike: So on a more personal side, what's a book that you've read that had a big impact on you and why?
Noah: Essentialism by Greg McKeown. There's actually, well, there's four. Uh, so probably going over my time here. Essentialism by Greg McKeown, which is do less but better. His next one, Effortless. So once you've gotten down to the essential, how do you make it effortless. It's the same thing I was talking about finding those people that they'll do it and grind it once to figure out the model and then make that model just work.
We did that with our M&A. For us to assess M&A now, it takes less than 10 minutes for every M&A we do. We give them a risk posture that tells them exactly what they need to do. Uh, the third book is one called, um, The Obstacle is the Way. It's kind of modern stoicism. That one's pretty rock on too, cause sometimes you just gotta do the hard s–t. And you gotta power through it.
And then the fourth one is Extreme, Extreme Ownership by Jocko, and the one chapter, like if you talk to Sherry, she'd say chapter seven, prioritize and execute, that's it. Those are my great books that will help you be good at cyber leadership and focus, um, pretty consistently.
Evan: What do you believe is going to be true about AI's future impact on cybersecurity that most people would consider science fiction? So looking for kind of like your contrarian take.
Noah: I think it's going to kill a lot of technologies. We're starting to see it now. And there's one thing that I say, and a lot of people disagree with me, but I think the secure email gateway is in its death spiral, right?
What AI does is the known bad, the hashes, the things that we used to use in the past that would protect us, they're gone, because you can do so much single serving that it, that's what I mean it's going to devolve into AI blue team, AI red team, that's really where I think it goes.
Mike: Alright, last question. Any advice you'd share to inspire the next generation of security leaders?
Noah: Yeah, the skills that got you there aren't the skills that are going to make you succeed. So never be afraid of reinventing yourself. Never be afraid of looking like one of the least intelligent people in the room. Ask the questions, because most people are too afraid to ask the questions. And then once you've figured that out, as you start to move up the ranks.
I will tell you what one mentor told me and it changed my whole approach. He said, play by the rules of BBG. I was like, what's BBG? Be brief, be bright and be gone. When you're in the room with the CEO, the CFO, don't talk unless you're going to add value. Don't talk just cause you're there. But if you say something, make it short. He told me it was a half a flick of a thumb on a mobile device was as long as my emails could be. Because they're always traveling, they're always moving. If they got a double flick, you're done. So be brief, be bright, be gone, make a statement, show up and then shut up.
Evan: Okay. I got like so many more questions. Now I want to talk to you about so many things, but we are out of time. Unfortunately. Great to see you as always really enjoyed the conversation. Wish we had a lot more time and looking forward to chatting again soon.
Noah: Yeah, absolutely. Thanks guys. Thanks for having me on. I really enjoyed it. It's always fun to kind of kick around ideas.
Mike: That was Noah Davis, Vice President and Chief Information Security Officer at Ingersoll Rand. Thanks for listening to the Enterprise Software Defenders podcast. I'm Mike Britton, the CISO of Abnormal Security.
Evan: And I'm Evan Reiser, the CEO and founder of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprise software.blog.
Mike: This show is produced by Josh Meer. See you next time.