From reading a book about cloud security after his deployment at a naval base in Naples to becoming the Senior Vice President and CISO for Oracle SaaS Cloud Security, our guest today, David Cross, unpacks traveling technology and how to best tackle compliance in 2023. 

He’s traveled 69 countries and intends to travel to many more; he relates it to compliance, understanding the world, and it’s different cultures, just like you need to understand what your organization needs, and how you need to adapt and navigate your business forward. 

When it comes to security compliance, he believes communication is critical, it’s the only way to create successful teams, and ensure your organization can stay compliant and secure. 

“The thing with security compliance and single source of truth is that music beat that people can align to, when there’s ambiguity, uncertainty and confusion, you always want to have a pillar in a source of truth” – David Cross

From running races to ensuring audit requirements are met, David Cross believes in ensuring you’re always ready to fight, you have your framework principles in place, and it’s not a last minute rush on the eve of the audit, because you’re preparing year round so when you actually have the audit, all things are covered.

Transcript:

Kyle Morris: 

Hello and welcome back to everyone, and thank you again for joining us for another episode of Comply or Die. I’m your host, Kyle Morris. And with me today is a very special guest. I know I tend to say this on all of our podcasts, but we really have been very privileged and fortunate to speak to some really, really well respected, industry leaders in the world of compliance.

Kyle Morris: More on our guest today, David Cross, is no exception to that. A quick introduction and background from my side. Currently, the senior Vice President and CISO for Oracle Cloud Security, which in itself, I mean, is a massive role, and I’d love to unpack that a bit of time to come. Some more background highlights, obviously as CISO, as I mentioned, cloud security engineering exec, focusing on the implementation and next generation cloud platform and solutions. 

A track record of leading security technologies, including encryption, authentication, and authorization, as well as being recognized for repeatedly building and leading world-class, high-performance engineering and product teams, the seasoned global development experts in optimizing talent and resources, and equally important an expert traveler. 

So David, thank you so much for being on the podcast. Apart from what I’ve just jumped into, and if there’s anything there you’d like to elaborate on, a look on a bit more, tell us a bit about yourself, please. 

David Cross: 

Thanks, Kyle, it’s, great to finally, uh, connect. I know we’ve been working on this for quite some time and very excited and certainly, you know, talking to my friends in South Africa, you know, after being a world traveler right, and visiting a number of years ago. 

It’s quite exciting to doing a joint podcast. So one of the things that I think that my current role I’d like to call out is that, you know, Oracle’s a very large company, but I’m really, I’m the CISO for the Oracle SaaS Cloud, right? 

Because we’re a very large company and that’s where my focus is being a world-class, you know, cloud application provider in the security around that.

Kyle Morris: 

Amazing. The travel one points I want to add, they’re not quite related to compliance, the world of technology that, I mean, we’ll unpack quite a bit today. Isn’t it a wonderful thing? You’re sitting, well, we are geographically separated by thousands of kilometers or miles, and yet we’re able to be on a podcast joint, like you said, and be on this together today.

So thank you for your time and tell me, let’s maybe look at your background. You began in the Navy, correct? 

David Cross:

Correct. 

Kyle Morris:

And now you’re in cloud security. Take us on a bit of a journey through that. 

David Cross: 

Sure, certainly. Uh, I was a US Navy, aviation, so I served in a couple of conflicts in the Persian Gulf also, you know, with NATO and Bosnia & Herzegovina, a number of years ago.

And interestingly enough, when I was returning to the United States, we stopped in Naples, Italy, and there’s what’s called a Naval Exchange building and where we can buy things at a discount, and I bought a book. 

It was the first edition of Bruce Schneider’s applied cryptography, and this was the book I was going to read on the way back across the Atlantic to the United States.

And as I read this book, I realized this is where I want my career to be in security. Right? And although I had the computer science or computer information systems degree, I realized that there’s something special about security, right? And with all my experience in the military electronic warfare, I realized that’s exactly where I wanted to jump in.

Kyle Morris: 

That’s, that’s so cool. Uh, I want to say we often, there are these stories with these industry leaders that we always seem to come across, and they’re those that you think about when it’s, what was your inspiring story, or what got you into this? And it’s never just, oh, I went, and I studied this and that happened. I mean, okay, yes, you had the technology background or basis for that, but I don’t wanna call it destiny, but who knows? 

Maybe, um, tell us a little bit, David, about your traveling and maybe even couple that with how you balance compliance or what you’ve seen around the world, what you’ve been exposed to in different compliance aspects?

David Cross: 

Great question. Certainly I, it’s always been my passion, you know, certainly as a child, certainly you, through high school, college, you know, certainly. And then in the military, being able to travel around the world, it just became my lifelong passion. My goal is to really have a visit at least 100 countries before I die. 

I’m like the 68, 69 in that range, right? And my own little personal travel blog called David Cross travels.com. But let’s come back to your point about compliance is sometimes compliance is not just, one locale, one region.

David Cross: 

It’s not just about the United States for all of us here, it’s about understanding the world, right, and compliance in regions and regulations. It’s important to understand the entire world, and when you’re a world traveler, you can understand it and embrace it much more, and that’s been kind of that combined passion.

Kyle Morris: 

And, and tell us a little bit about that, em, embracing it more obviously from your side, in your role with people from different geographical spaces. Have, have you found different trends, how people will adopt certain compliance and security, or just how it’s vastly different across the world? 

David Cross: Well, absolutely. I certainly, there are many things I’ll say the EU is a good example of that is really understanding that, is their fear, right? You know, with that of the US national government, you know, in having control over all data in the cloud, well, certainly for some in the EU that’s a very sensitive topic, and when you can meet and talk to people in person, you can understand it much better.

As you’re calling out, it’s great that we can have these virtual conversations, engagements, which wasn’t possible 20 years ago. But at the same time, there’s also an element of when you meet someone in person and really can feel their gestures, their emotions, while understanding them deeper, you can then understand what is really needed, you know, from their perspective that may be difficult to, understand in a virtual or electronic form.

Kyle Morris: 

Absolutely thinking about, I mean, bring, maybe bringing my own personal experience into exactly that, like you say, we live in this world that I suppose, COVID-19 just really sped up that process of remote working and, and changed the way we went about work on a daily basis, but exactly like you just mentioned, definitely and cons to there’s productivity gain.

Meet people from every single part of the world in, in one day and just service way more people that than previously you could, but like you say, you don’t get that personal touch, you can’t get that feeling of someone’s emotion. 

It’s very easy to, I don’t know, maybe have a hoodie on and be half visible in your camera, and to go about things that way. What, what do you prefer from maybe looking pre-COVID-19 to now? Do you enjoy the balance? Does one vastly outweigh the other for you? 

David Cross: 

Well, certainly I could say that, you know, I, for many years I thought, oh, I’ve never wanted to just work from home. And I think through COVID-19, I think we all learned a balance.

David Cross: And I think as we’re returning to the world now, the hybrid, it’s a balance of both, right. And understanding, because I think there’s an element in team meetings of where everyone is virtual. Can you really build that comm camaraderie, you know, that morale? 

 That energy versus in person, you know? So I think there’s another element is when there are some hard decisions to be made and there may be a little bit of conflict and friction when we kind of have like the, the one way of, you know, zoom or, or teams, you know, interaction virtually to work through a hard decision.

David Cross: It’s a little more difficult. So I think it’s now we’re finding the right balance in maybe trying to adjust or maybe to apply the right tools in venue. For the right, uh, for the right type of decision or, or engagement. 

Kyle Morris: 

Sure. And on that very important point of balance, looking at your role specifically and that of your colleagues, how, how have you been able to sort of keep that? I mean, if we focus just on the role of a CISO and the ever-changing world of cybersecurity and threats to IT and everything involved in that world from an IT perspective.

David Cross: 

Well, I think there’s one thing that, um, in talking about. You know, distributed, you know, organizations, distributed teams, distributed customers, distributed engagement. So one of the things that I’ve learned many, many years ago, certainly I had the opportunity to, to work not just in the mothership, you know, of a corporate.

I actually worked overseas as an expat, you know, in the Middle East as well. Um, so I learned that communication. Is mission critical. It’s the only way to have SU successful distributed teams. And so what I started writing, you know, I don’t know, more than 15 years ago, I used to try, I started writing a weekly mail called The Weekly Dossier, right?

And I called it the Dossier ’cause it’s not a newsletter, it’s not a status mail ’cause people just delete those. But then I started writing this weekly mail every week, so that people can understand. What are the decisions, you know, that have been made? You know, what’s important to understand? You know, where’s the information and then people get this natural musical rhythm beat.

Where can I find the information? How do I know what’s going on? What does, you know, what decision’s been made? I said, I always have one answer. Did you read the dossier? And if it’s also, if it’s not in the dossier, I said, you should hold me accountable. But this is a big way to, especially when security and compliance, right, is to always have that single source of truth, that music beat, that people can align to and always turn to that channel.

It helps them enormously. When there’s ambiguity, there’s uncertainty, there’s confusion. You always want to have a pillar and a source of truth. 

Kyle Morris: 

Deep, deep words and great insights there. Let’s, let’s tie all of that into, into maybe, or if we can, what is the one most important compliance aspects? Interpret it however you want.

Kyle Morris: 

Can you pinpoint one from another, maybe now? 

David Cross: 

Well, you know, I think there’s always an element is, you know, Some people say compliance is not security. Security doesn’t mean compliance. But I think that the thing I love about compliance and audits, or they say the one I love the most is really sometimes your internal audits, where it’s really, there’s no holds barred, right?

There’s the kimono is opened, right? There, everyone is safe, right? And how you can really understand, you know, uh, the truth at, at the granular level to really identify where is. Their risk, you know, where is the biggest challenge? And it kind of goes back to a little bit of like my military experience, whether it’s, um, the US Navy, let’s say aviation, is that mistakes can be made, right?

But the thing is, everyone is safe to reveal what was performed, what was done, what is, you know, what’s an accident or what is a, um, um, uh, something that could be better, right? And it’s very transparent and open, and everyone is safe to reveal that information. And that is how when you can have an audit, sometimes an internal audit, right, for compliance or the pre-audit, if you will, before the public one.

This is sometimes how you can make things the best and because most importantly, people are safe, and you reward the transparency. 

Kyle Morris: 

And maybe to, to translate that to compliance specific terms. When we are saying safe and being able to make mistakes. I would definitely interpret that as having controls in place to be able to mitigate whatever’s gone wrong, uh, that you would have security incidents.

You can’t necessarily prevent those, but you can have really industry leading response plans and management teams and testing drills and that sort of thing. Would, would you agree with that? 

David Cross: 

Oh, absolutely. And I think this is where security then comes into play in a big way, is an element, is the defense in depth, right? Is that for like an audit or compliance? You say there needs to be one control, but really the best security, right in compliance, is when you can have multiple controls so that there’s never a single point of failure. 

Kyle Morris: 

And talking compliance, and I’m going to put a small math equation in there. Well, not really, but does SOC to equal security?

David Cross: 

I believe that SOC two provides great practices. Right? And it is kind of, um, I go back to my military analogy is that sometimes is that you, you train like you need to fight, right? And sometimes like SOC two, right? Is an element, is that you want to have good practices in your training. You’re validating, you’re checking your work so that when the time comes that you know if an action needs to be performed or there’s a risk, right?

David Cross: You’re always being trained in operating, and you’re testing yourselves to be ready for the game. Or we could say, as you and I were talking earlier, before we joined the podcast, let’s talk about sports, right? The best athletes and the best teams are the ones that train and are ready and are tested before the big game comes on.

Kyle Morris: Yeah, absolutely. Great analogy. And talking about that training. If we look at. An important one. I mean, your, your people are your biggest risk in, in the organization, right? Mm-hmm. And if we look at controls around employee specific training, security awareness, just cyber hygiene, anything like that, so often, I’ve definitely come across it that it’s, it’s a checkbox exercise.

It’s something you need to be doing and there’s great value in it, but it’s something that could just be put there, an account on an annual basis. You need to do this training to maintain compliance. And that’s, taking the training one, and I mean, if, if we think about sportsman, yes, maybe some just have these exceptional talents, but they find ways to keep it exciting.

Kyle Morris: How can you, your role, or I think you can probably see where I’m going with this. How do you make that not mundane and repetitive and boring for people? 

David Cross: 

I think it’s two parts. And certainly, and I know it’s not easy. I think there’s one element is how you target the training specific to the role, right?

David Cross: Is so that security awareness, awareness training is very different for an executive assistant versus a developer versus someone that’s a content, you know, writer. And if you can sometimes have the training more specific to their roles and responsibilities, it’s much, it’s much more relevant. Right?

And it’s much more helpful ’cause then people will tune in because they understand. You know, the context of the training. Another element which I really like, and it’s hard, especially, but I’ll say in the, the, the technical world is interactive training, right? Where it’s more of like, I’m, I’m actually not just listening to something and doing a multiple choice chest, but I’m like, I’m actually performing a task, and I have to think about what I’m learning and applying it. I know this training’s a little more expensive and a little bit harder, but if you people can learn so much more when it’s interactive. Or we could say on the job, you know, training in a virtual way. 

Kyle Morris: 

Absolutely, and the value of that is huge.

Kyle Morris: 

And I think we as people, I’m definitely the same if I’m sitting, listening to a recorded video of myself talking for 45 minutes versus having something, like you said, interactive. It keeps you engaged, it’s stimulating, it’s thought-provoking. Let’s maybe tie that if, if we think in a large enterprise environment, it maybe makes, it makes sense, you’re going to have logically separated business units and departments.

Let’s talk about a startup. From the ground up, you’ve got a company of eight or 10 people. Obviously the same sort of process wouldn’t apply, but you’d need something as a basis. What would be your recommendation? How would you tie that all together in the most interactable meaningful way? I. 

David Cross: 

You know that, I think that’s a great example is that trying to build the training yourself, especially in the smaller companies, even whether you’re a startup or a small company, I mean, or medium companies, is that, is that what your skill set is?

Versus using some of the great third party providers and solution providers out there is a much, much better toy choice, right. Then to have a dedicated person performing that or trying to create that training. Right. I’ll even say some things like going to the cybersecurity space, like SOC, right?

It’s like should everybody have a 24 by seven, you know, security operations team? Like it doesn’t make sense, you know, economically. And from a skill set perspective versus using it as a managed service 

Kyle Morris: 

And talking about EX, exactly what you said, the outsourcing pod or third party providers. There are, there are huge pros to it. There are obviously a few considerations organizations perhaps need to take into account or think about before just enabling the next few services and, and pay more money. How have you seen that that change in, in your line of work? Let’s talk before SAS and the cloud was really a thing versus where we are now.

David Cross: 

Well, I just spoke at the R S A conference, you know, just a couple of weeks ago in San Francisco. And the element is, one of my first statements was to the audience and saying that it’s not a question of if you are moving to the cloud, the question of when you are finally moving to the cloud.

David Cross: 

Right? The world’s changed. We’re past that now. Right? And so now it’s an element is moving to the cloud in a way that is most productive, and you have the services that help you to be, to be secure and compliant with that. And sometimes you may not have the staff or the skills, uh, to perform that all yourself.

David Cross: 

And that’s where the third party providers, the SaaS providers, the third party, uh, uh, solution providers and managed service providers can help you with that. And so that, I’ll give you a simple example, right? So, hey, I’m running my own mail server and I have the skills of how to set up the operating system and manage that.

That’s a different skill set than having mail service systems in the cloud, and that’s okay. We have to move on, but that’s the future I. 

Kyle Morris: 

And the future. The future is now, like you’ve said, it’s, it’s not a case of are you going to, it’s, when are you going to do it and how are you going to do it most appropriately, and maybe two of the letters tied into this discussion with where technology is now, is AI.

How, how do you see this? And let’s focus on the good. Let’s be optimistic today. Helping the technological space, helping compliance. 

David Cross: 

This is a very exciting area and I think it’s, it’s exploding as we speak. Right. You know, and it’s going to continue to explode. And the world’s changed already because of it.

I think the productivity and capabilities, that, you know, came with like smartphones and came with the cloud, and now AI is making it, you know, exponential. And so I think of now of like generating code, generating content, right? It’s, you can save enormous amounts of time. However, we know it doesn’t have the polish.

It does not have the final touches. You know, for of perfection, right? And so first we see that we, we can really grow enormously, you know, from productivity, capabilities, production of content and information like never before. Yet at the same time it’s crystal clear, we still need humans to really take it to the final level and release it. 

The second thing is, which I think is being emerging, you know, I think in the, in the industry and especially from a security and compliance, is we’re going to need additional tools to say, oh, that code that was generated, is it secure? Right? Has it been tested and validated in the information that we submit and get and, and pull out? Are there any sensitivities in it? Is there sensitive data? Is there PII, right? Are we going to be compliant? And so I think we’re going to need tools and technology to help us with that. Because just like everything, we can name your favorite tool of, Hey children, let’s go out in the street with the bikes.

Like, well, you better, you know, wear some helmets. You, you need helmets and knee pads, right? Just don’t go out there with no protection whatsoever. 

Kyle Morris: I love how you tied that back to some proper old school safety. Thinking about it. From, I mean, I mean, there was, there were tons of things in there, and I’m probably gonna forget half of them in reflection and going through it now with you.

But the first one was, you can’t replace people. And I, I mean, I don’t think truer words will be said on this podcast ever. And it’s, it’s a really interesting space. Like you say, take into account AI, the productivity, the cost saving, all of that. People still want people. And at the end of the day, if you have a system telling you this is good, or you are face-to-face with a human that is telling you this is good.

Kyle Morris: 

I think inherently, how we are wired as human beings tells us to go with what the person’s saying. And maybe it’s a generational thing, maybe it’s changing as well. Do you see it differently to that? Do you, do you agree with it? 

David Cross: 

Well, I think just like if you go back to the auto industry, I don’t know how many years ago, 10, 20, you know, plus years ago, robots appeared in the auto industry and people say there’s no human workers anymore.

David Cross: 

That hasn’t changed. There are still humans, right? There’s still opportunities and I think there’s an element of the continued curation of, of everything that’s, that that’s performed, right. I think it. I think there’s an element where there’s lots of manual tedious re repetition. That’s where automation, whether it’s robots or ChatGPT, right?

They come into play, but we’re still human, and we need that kind of additional polish and that’s not changed and that I’ve seen in my lifetime. 

Kyle Morris: 

Absolutely. 

And it was a very key part I did want to add. But to jump into another element of, of the people side and AI, an example I actually came across in the past week is obviously, like we say in these added use cases for AI and what people are doing, and I came across a, I dunno if it was a study or maybe just a very gutsy deal that someone took on and a guy decided to outsource all of his finance to ChatGPT, and basically did, did you see this article? What are your, maybe before I jump into that, just for the, the audience listening, essentially what ended up happening was, like we said, he outsourced all of this to ChatGPT and said, where can you, where can I save money and cut back?

And it went, and it ran through all his financial records. It went and checked all his existing subscriptions, went to go and look at subscriptions that weren’t, uh, currently being used to go and cancel them. Went so far as something related to Wi-Fi on an airline. He got ChatGPT to draft up a legal document that got sent through to cancel a subscription or get a refund paid or something to that extent.

Kyle Morris: And I mean, I read this, and I just thought, firstly, I would not be prepared to be giving something that’s, you aren’t a hundred percent clear on access to all of this. But the other side of it is, well, it saved him money. So what are, what are your takes from that? 

David Cross: 

Well, I think in some ways this is like taking many things we’ve had in place to the next level.So if we go back, I don’t know how many 20 years ago, the first online bill pay, right? Having a bank. What, oh my gosh, we still have my checkbook. All those type of things, and very sensitive, careful watching everything nowadays, you’re like, oh, I’m changing banks. Set up bill pay. You don’t even think about it.

It’s become the defacto standard. You think about, the other automation of, well, now we have online, uh, or, uh, email systems, like we have spam filters and things like that. Well, I’m trusting them to find, you know, the bad males. We accept it, it’s, we’re well past that now. And so I have seen that we have other things that find unused subscription.

David Cross: It’s just taking things to the next level of more automation that makes sense. But it does take curation and polish over time to improve it. And I think that’s all we’re seeing now. 

Kyle Morris: 

I remembered what I wanted because you, you touched on it now, and I thank you for that. The polishing side from the human aspect, like you said advancements with AI and the use of it, like you said, to take repetitive tasks, repetitive, tedious tasks that people would typically be doing, tied back maybe to the training we spoke about, it’s boring. People don’t want to do it. It’s inaccurate. Outsource that to the machine, like we’ve said there. You get your accuracy, you save a ton of money because you don’t have someone whacking away at something repetitive and doing it wrong.

The other side of the technologies and, and you had explained an example with the different services and the safety and e even now, the, the spam filter example, I think maybe it’s so true. We have, there are points in times when something is new, and we resent it, and we reject it and that is not okay and then suddenly, A switch flicks, and we accept it, and that’s how we do things.

And I suppose that’s maybe a space we are moving into AI, but with technology specifically, like you said, there’s from a secure coding perspective, okay, you could get a bot, or you could get an AI to generate that code for you. And okay, you want a security perspective. So you could install a SaaS tool that will do code vulnerability scanning, for example.

Let’s go back to balance. Where do we keep a balance between AI, these SaaS tools, just clicking at things and actually saying, wait, okay, this is enough? 

David Cross: 

Well, I think that the thing that comes to the area that comes to mind is ultimately when you have to make decisions, right? And then the liability or the risk of those individual decisions, right?

I’ll give you a simple example, then we’ll go to one to more, you know, you know what we’re talking about an audit. So in life, is AI going to say, yes, you’re getting married to this person. We can joke about that with the TV shows, and I’m sure there’ll be some good ones, but ultimately you’re going to get married to someone, that’s a decision that only a human can make.

But now let’s talk about an audit, right? Is this a reasonable risk, you know, to accept, um, or let’s say for compliance, this is a reasonable risk to accept with the potential liabilities where we, you’ve maybe you’ve been able to quantify some elements, but not all of them. They’re very qualitative and so.

Make a decision, is that going to be AI or going to be a human? When there’s liabilities and responsibilities, humans are always going to come to play. Right? And so I think that’s where it’s going to continue, is that we can get, AI will help us quantify more and more, so we can make good decisions. But ultimately the, the accountability is not to the AI. It’s not the computer, it’s the human. 

Kyle Morris: 

Absolutely, That was actually where I wanted to go with the next part of this conversation. But you hit the proverbial nail right on the head there, and you can utilize that. I mean, I, asked you what the balance was. You’ve told the listeners exactly what that balance is.

Use it to make better informed, more educated decisions, but the person needs to be there on the other side to make that yes or no decision. I’m, uh, we discussed, uh, you can tie that directly into regulatory requirements. If we go back to the audit space, let’s talk then in terms of continuous compliance, obviously your audits as an organization, most people look at it, the audit is coming at this time of the year.

We make sure everything’s good, then we carry on living our lives, doing our job on a daily basis, and the year rolls around continuous compliance. It’s becoming more and more relevant, and it’s becoming more and more necessary. What are your thoughts on it? 

David Cross: 

Well, I love that. I’m a big fan of the continuous compliance because an element is, it’s kind of like we go back to sports, is that, hey, you have one competition, or you know, one, I’m, I’m a runner as myself, it’s like you’re going to do one marathon a year, and so that means only once per year you’re going to train and be ready for that, and you’re going to peak up. Well, actually, no, it’s best that you’re round, you, you have a rhythm and a diet and training so that you’re always in shape, for that marathon. 

In some ways, I’m finding now that, you know, from audits and compliance is that when you’re continually doing it, it’s not an element of everyone being in a fire drill and fighting to the end and trying to get things right.

And then you go dark, or you go, latent, or you get kind of tired, you know of it. Right. And, and therefore when it comes around the next year, right. It’s very, very difficult to get right, versus you’re building into a constant rhythm, you want to stay with a good diet, you want to stay with a good, you know, training plan. You want to save good fitness continuously, right, so that it’s easier when the time comes for your race or your competition, or your audit. 

Kyle Morris: 

For anyone listening that would think of the comparison where you are comparing continuous compliance with a lifestyle and a healthy lifestyle, I think would probably think we’re completely off our rockers, but it makes sense.

Kyle Morris: It makes it easier. It’s not a what, it becomes built into your daily tasks? It’s not a huge workload, it’s bite-sized pieces on a daily, weekly, monthly basis. And in your experience, David, managing this and being able to drive this continuous compliance, how do you two parts, one, deliver and get people to understand and see that value of doing it on a daily basis? What have you found to be really effective in how you’ve gone about this?

David Cross: Absolutely. Well, let’s come back and mention AI and automation again, right? I think when it’s an element of, it’s all manual, right? And a fire drill, and all the humans have to do all the work, you know, that is not their normal jobs, not their favorite functions.

You know, it’s very, very difficult versus the investment in the automation is that, that the controls are in place. You’re validating the controls, you’re collecting the evidence, right? You’re mapping everything. When that becomes an automated system, the humans don’t have a hard time making that part of their daily.

Routines and, and, and operations. And because you’ve taken away the, the more difficult manual things, and now they’re just focused on the most meaningful things that need their attention, needs, their innovation, uh, their, their direct, input on versus the manual tedious chores. And that’s what it’s all about. If you invest in the automation, and this is where AI and automation will continue to help us, then it’s actually not a problem to do on a daily basis anymore. 

Kyle Morris: 

Find the value and, and get that to make sense. It’s, it’s so simple. I don’t know why anyone struggles with compliance. You’ve broken it down so simply for everyone listening today for myself as well, um, David, I think that is a perfect place to actually wrap up today. I want to maybe take this opportunity firstly to thank you. Thank you for conversation.

Before we close out, is there anything you’d like to add? Anything at all in closing, 

David Cross: 

In closing, I think there’s an element is we’re all in the community together, right? And it’s about, we also have, uh, I’d say in the broader security space, not just compliance, right? We also have common enemies, right? And how as a community, we’re not just competitors with each other from a business perspective, but how we can have common defenses, how we can share information, how we can share threat intelligence, how we can share, you know, best practices, because I think when we’re all in a better state from an audit compliance and security standpoint, we are a great defense against, you know, the evil attackers in criminals. 

Kyle Morris: 

Safe, safe to say, unfortunately, there are more and more of those on a daily basis, and the attack mechanisms are just getting more and more advanced, and so hopefully the advancements of AI will help counter that just as quickly as they’re popping up.

David, thank you so much for your time, for taking time out of your very, very busy schedule to chat to us today. I really look forward to meeting up with you, hopefully in South Africa. That should be a great starting point. We can go and watch a Springbok game together or otherwise somewhere around the world as you, you get your 70 odd travel destinations closer to that a hundred.

David Cross: 

Yeah, thanks Kyle. Certainly it has been great to, you know, reconnect here with South Africa and I know should wear my green Springbok, you know hat, you know, but it didn’t match the tie in suit today. 

Kyle Morris: We’ll give you a pass for that one. David, thank you so much. 

David Cross: 

Thanks, Kyle.