The Nightmares Acquirers Often Miss

Behind the glossy surfaces of emerging tech and M&A deals lies a quiet but critical risk: compromised code, embedded threat actors, and the increasing industrialization of the cybercriminal ecosystem. In this episode, we’re diving into how tech built by startups, often developed with freelance labor and questionable security hygiene, is making its way into the infrastructure of critical industries through acquisition. We’ll talk about how cybercriminals are professionalizing—offering benefits packages and funding models that look suspiciously like venture capital—and how all of this combines with the rise of AI to create a much more dangerous threat landscape.


  1. All M&A Is Now a Security Issue
    • Whether you’re acquiring a software startup or a manufacturing firm, every M&A transaction should be treated like a security investigation.
    • The cost of neglecting cybersecurity in acquisitions shows up years later: the wave of breaches in 2021–2023 traces back in many cases to the 2019–2020 M&A boom.
  2. Ghosts in the Codebase Are Real
    • Organizations often inherit legacy code riddled with vulnerabilities or even malicious backdoors—sometimes placed intentionally with the hope that the startup gets acquired.
    • Acquisitions are becoming a strategic avenue for long-game threat actors to compromise larger infrastructures.
  3. The Professionalization of Cybercrime
    • Threat actors now operate like businesses—with venture-style funding, benefits packages, and scalable models like Ransomware-as-a-Service.
    • Acquiring a SaaS platform can mean inheriting breach risks not just for your own org but for every customer it serves.
  4. AI Startups Add a Dangerous Layer
    • Many AI-native companies are built with opaque, black-box models, often using freelancers who may have their own hidden agendas.
    • Lack of coding theory and overreliance on AI-generated code increase the risk of poorly documented and unreviewable systems.
  5. Dynamic Presentment: A New Attack Surface
    • AI-driven user experiences that dynamically assemble pages and data flows introduce security gaps, especially in APIs, payment flows, and encryption.
    • This threat vector is under-discussed and may become a major focus area in the coming years.
  6. Due Diligence Must Evolve
    • Traditional audits (e.g., SOC 2) don’t account for adversarial thinking or deeply embedded threats.
    • M&A teams must include security professionals early and fund post-acquisition cleanup as part of the deal.
    • External scanning tools (for example an insurer's scanner such as Coalition's) help surface open RDP, missing second-factor authentication and internet-exposed vulnerabilities, but they are external-only; deeper code review and adversarial threat modeling are essential.
  7. Advice for Investors and CISOs
    • Investors in early-stage startups should budget for infrastructure cleanup as part of the deal.
    • CISOs should demand earlier involvement in the acquisition process, and isolate new assets until proper assessments are complete.
    • Unbiased security advisors who aren’t incentivized by deal closure should be part of every acquisition team.
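
The "ghosts in the codebase" and due-diligence points above (plain backdoors, embedded payment and authentication keys, scans that narrow down what a human must read) are the kind of thing a first-pass triage script can surface before a reviewer opens the tree. The following is an added example written for this page, not ArmorText tooling and not anything the guests describe using: it scans source files for hardcoded key material, secret-looking assignments, and login checks that compare a username or password to a literal. The rule names, entropy threshold, skipped directories and the sample files are all this example's own assumptions; the sample "codebase" is constructed and every credential in it is a placeholder.

```python
# Pre-acquisition codebase triage: flag hardcoded secrets, key material and
# backdoor-style login checks so a reviewer knows where to read first.
# Added example for this page, not ArmorText tooling; rule names, thresholds,
# the skip list and the sample files are this example's own assumptions.
import math
import os
import re
import sys
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line rule excerpt")

# Deliberately narrow patterns so every hit is worth a human's time.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # A secret-looking name assigned a quoted literal of 8+ characters.
    ("assigned_secret", re.compile(
        r"(?i)(secret|api[_-]?key|token|passwd|password|merchant[_-]?key)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
    # Backdoor shape: an if-statement comparing a user/password/token to a literal.
    ("literal_credential_check", re.compile(
        r"(?i)\bif\b[^\n]*\b(user(?:name)?|password|token)\b\s*==\s*['\"][^'\"]+['\"]")),
]
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build"}


def shannon_entropy(s):
    """Bits per character; random key material sits well above dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text, min_entropy=3.5):
    """Apply every rule to every line; at most one finding per rule per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if rule == "assigned_secret" and shannon_entropy(m.group(2)) < min_entropy:
                rule = "weak_literal_secret"  # e.g. 'changeme': still reportable, triaged differently
            findings.append(Finding(path, lineno, rule, line.strip()[:120]))
    return findings


def scan_files(files):
    """Scan an in-memory {path: contents} mapping (used for the sample below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root):
    """Scan a checked-out tree, skipping vendored dirs and non-UTF-8 files."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    out.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except (UnicodeDecodeError, OSError):
                continue
    return out


# Constructed sample "codebase"; every credential below is a placeholder
# (the AKIA value is AWS's documented example key, not a live one).
SAMPLE_FILES = {
    "payments/gateway.py": (
        "import requests\n"
        "MERCHANT_KEY = 'mk_9fK2mZq8xT4vLp1nRw7yHb3cJd6g'\n"
        "def charge(amount):\n"
        "    return requests.post(URL, headers={'X-Key': MERCHANT_KEY}, json={'amount': amount})\n"
    ),
    "auth/login.py": (
        "def login(username, password):\n"
        "    # TODO remove before launch\n"
        "    if username == 'support_root' and password == 'letmein2019!':\n"
        "        return Session(admin=True)\n"
        "    return verify_against_db(username, password)\n"
    ),
    "config/settings.py": "DB_PASSWORD = 'changeme'\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Run `make test`.\n",
}

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}  [{f.rule}]  {f.excerpt}")
```

Run it with no arguments to see the five findings from the constructed sample, or pass the path of a checked-out target repository. The low-entropy split matters in practice: a high-entropy literal is probably a real key that needs rotating and removing from history, while a low-entropy one is usually a default or placeholder that is still worth asking the founders about. A script like this is a map, not a verdict; the literal-credential rule in particular only catches the crudest backdoor shape, and anything it flags in an authentication path still needs a human reading the surrounding code.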

Navroop Mitter:

[00.00.02.13–00.00.33.17] 

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, ArmorText.com, and listen to them on your favorite streaming channels. 

[00.00.33.20–00.00.34.00] 

And I’m delighted to welcome Amy Mushahwar to our program.

Amy Mushahwar:

[00.00.34.01–00.00.36.04] 

Thank you so much. Nice to be here.

Navroop:

[00.00.36.06–00.01.03.14] 

Amy Mushahwar is the kind of lawyer you rarely come across, one who’s also been a CISO. And while many attorneys advise on cybersecurity on the sidelines, Amy has actually lived it at the engineering level. She currently serves as Chair of the Privacy, Data Security, and Data Management Practice at Lowenstein Sandler, where she helps companies navigate everything from ransomware incidents impacting millions to aligning their technical infrastructure with complex regulatory requirements, especially in the age of AI.

[00.01.03.17–00.01.22.20] 

With nearly 20 years of experience as both a cyber attorney and a former technical consultant, Amy is the person companies call when privacy and security issues are deeply entangled in technology. She’s led hundreds of data incidents and continues to be the go-to advisor for startups and Fortune 500 companies alike. We’re really thrilled to have her with us today.

[00.01.23.01–00.01.45.00] 

So before we get started, I want to set the stage just a little bit. Behind the glossy surfaces of emerging tech and M&A deals lies a quiet but critical risk, and that’s compromised code, embedded threat actors, and the increasing industrialization of the cyber criminal ecosystem. In this episode, we’re diving into how tech built by startups, often developed with freelance labor and questionable security hygiene, is making its way into the infrastructure of critical industries through acquisition. 

[00.01.45.00–00.02.07.06] 

We’ll talk about how cyber criminals are professionalizing, offering benefits packages and funding models that look suspiciously like venture capital, and how all of this combines with the rise of AI to create a much more dangerous threat landscape. And so, with that said, Amy, before we get into the technical weeds, let’s zoom out. 

[00.02.07.07–00.02.13.13] 

What’s changed about the threat actor landscape that companies, and especially their M&A teams, aren’t accounting for yet?

Amy:

[00.02.13.17–00.02.42.13] 

Absolutely, Navroop. I think the first thing is that every single M&A, whether or not it’s a technical M&A, requires security due diligence, because you might be acquiring a manufacturing company, but now you’re worried about whether or not that sales floor can become inoperable by virtue of them not having security hygiene, and perhaps their machines brought to a standstill by ransomware.

[00.02.42.16–00.03.16.04] 

So all M&As now become a security investigation. But what’s much more interesting—as we have the technical targets, where you’re acquiring a computing infrastructure and you want to rely on, let’s say, a SaaS platform or coding components—what’s very interesting now is, in addition to the security vulnerabilities from that target, you’re now worried about the sum total of vulnerabilities of that entire integration.

[00.03.16.08–00.03.50.05] 

And we still have lawyers who aren’t as technically knowledgeable about the risks of an integration and an acquisition. To put this in a little bit more context, we had a banner year for acquisition in 2019 and 2020, and we also had a banner several years of data breach response in 2021, 2022, and 2023. What we’re seeing now is, unfortunately, the ghosts of acquisitions past.

[00.03.50.06–00.04.18.13] 

When you don’t check cybersecurity on the M&A side, you do so at your own peril. And that really is a difference for the M&A community that’s well known by the security community. And many are still angry without good BISOs, a BISO at the helm, who are watching M&A. But we compound that with the true security risks that are going on right now: that we have increased ransomware-as-a-service, professionalization of ransomware.

[00.04.18.18–00.04.50.12] 

Not just ransomware but also gateway VPNs and other bottleneck technologies that are creating breaches en masse, like the Cisco vulnerability that we’ve all been dealing with for roughly the past week. And then also the fact that if you are acquiring a SaaS platform as a gateway to the enterprises of hundreds of companies, you might even be acquiring a multi-business breach risk. 

[00.04.50.14–00.04.54.08] 

So, in a nutshell, right now the stakes are higher.

Navroop:

[00.04.54.12–00.05.36.20] 

To me, I mean that’s an interesting set of points, right. You’re right. As cybersecurity professionals, we’re a bit more aware that when we’re acquiring new technologies and integrating them in, we may be inheriting some of the pitfalls of their lack of cybersecurity hygiene and/or potentially the vulnerabilities that were introduced maliciously by others. When it comes to communicating that, though, to the M&A side of the house, right—the corp dev teams internally at an organization—how are you helping them connect the dots between the ghosts of acquisitions past to literally what’s taking place today in terms of breaches or new cyber vulnerabilities that are being discovered?

[00.05.36.22–00.06.00.00] 

How—are you—is there like a master mental model or a sort of master map somewhere that you’ve drawn out that says you acquired X on this day, or so-and-so company acquired Y on—oh, by the way, 18 months later, here’s this breach. And we can actually show that there’s a causal relationship between what was acquired and what is now causing this data breach, or this leak, or whatever else is taking place.

Amy:

[00.06.00.02–00.06.23.17] 

What’s really interesting is, I almost wish it was as fun as the murder crime maps where we saw tiny little breadcrumbs and then realized, oh, all of a sudden it’s an acquisition. It’s usually much easier than that. Someone’s coming off of an old website. Someone’s coming off of legacy infrastructure that’s acquired. 

[00.06.23.19–00.06.49.00] 

The tech is directly to an old domain. So, oftentimes, the attacker speaks volumes and we don’t have to say a word. But—and most often—we see it’s not the traditional company infrastructure that is breached. Usually, someone gets in through either legacy or newly acquired infrastructure that all of a sudden now has a trust relationship with your environment. 

[00.06.49.02–00.07.10.03] 

Or now you’ve inherited, for example, a new vendor relationship from an acquisition that isn’t treated in the same way that you’re treated. But usually, that direct linkage to the acquisition is often quite obvious, and you can see it through tangible systems, domains, customers, and brands.

Navroop:

[00.07.10.07–00.07.36.14] 

Given how obvious it is, one would hope, then, that M&A teams have taken some lessons, then, from the breaches of 21, 22, and 23 that stemmed from the acquisitions of 19 and 20 to start to update how they approach cybersecurity during the due diligence process during an M&A activity. But it sounds like that might actually still be a problem, despite how easy it is to establish a causal link between the two.

Amy:

[00.07.37.17–00.08.07.09] 

What is interesting is, it depends on the M&A team. So M&A teams who have embedded cybersecurity practices and experts definitely have a significant playbook when it comes to cybersecurity and also privacy. For those who do not have an established SNE team and don’t appropriately liaise with other practices with that knowledge, it really is at their own peril. 

[00.08.07.11–00.08.43.19] 

Because, unfortunately, what we see is the M&A team is very much incentivized to close the transaction, and security, when it’s—unfortunately, when it’s docked properly—can become a significant gating issue. So you need experience not just with someone who understands security, but someone who understands security and who understands how to appropriately reduce risk to a point where a company is salable.

[00.08.43.21–00.09.22.21] 

I’ll give you a very good example of this. Some companies are already, just as a matter of course, undertaking due diligence scans. That’s excellent. Usually, they’re external and not internal, so they’re limited. But I’ve seen some equity groups doing it with, for example, insurer scanning tools. And we saw a Coalition scanning tool being used to undertake external scans, looking for things that are typically creating a hole, like open vulnerabilities to the dirty web, open RDP, lack of second-factor authentication.

[00.09.22.22–00.09.53.17] 

And that is quite helpful. It’s a baby scan and by no means giving you a 100% picture of the acquisition that you’re buying, but at least it’s better than the traditional due diligence model that is interview only. What I also think is excellent is that usually the companies that are scanning are building in the cost of security improvements. 

[00.09.53.19–00.10.28.16] 

And the asset purchase agreement also comes with commitment and budget for CrowdStrike, licensing for EDR, for appropriately upgrading their firewall infrastructure, for ultimate migrations if they’re needed. There are some very helpful equity companies that have a playbook for security integration. And I think that’s an extremely smart move right now, coupled with sophisticated counsel in the M&A process that understands security and understands how to mitigate security risk.

Navroop:

[00.10.28.19–00.11.04.21] 

I think it would be tremendously helpful if such a playbook were to be distributed under Creative Commons license, kind of like we do all of the tabletop exercises that we open source every single year in conjunction with our law firm and other partners. Let’s—switching gears here for a second. So when we were doing our prep calls, the thing that stood out almost most to me was that it seemed like a lot of this was actually being driven by organizations of all sizes becoming more reliant on tech developed by startups and/or vertical specific tech companies.

[00.11.04.23–00.11.27.16] 

And so I’d love to learn a little bit more about where these risks are showing up in the legacy code or the outsourced development. What are the platforms that these startups, especially these vertical specific tech ones, are using, but also, is it simply just a matter of dirty hygiene, or is this intentionally malicious? 

[00.11.27.18–00.11.31.22] 

If—I’d love for you to share some of the war stories that we talked about during our prep session.

Amy:

[00.11.32.03–00.12.11.15] 

Absolutely. So we’ve all been hearing a little bit regarding artificial intelligence lately, and we had one client that unfortunately was acquired, received seed funding, was AI enabled, and had an employee who was a foreign developer who helped her build the agentic AI that powered what was a cooking website. So not a nation-state secret website. That founder unfortunately woke up on one January day. 

[00.12.11.16–00.12.55.14] 

Her employee was gone. She went to log in to her website, and she couldn’t. And worst of all, they were just a few weeks away from a national launch of the website. Her website was previously deployed in Texas only, and they were going to deploy nationwide, and they were anticipating a multiple-fold revenue increase. So the scary part is, we ultimately linked that founder’s departing employee to both taking custody of the various different SaaS tools that comprised her site and locking her out. 

[00.12.55.17–00.13.23.05] 

And then serving her a ransom for her site. Doing a bit more digging, we also found that that particular employee wasn’t just some young kid. He had a—he was a 19-year-old with a criminal enterprise behind him. And it’s fairly common in both foreign developer schemes and those that we’ve all heard in the security industry pretty regularly from Mandiant and other DFIR companies.

[00.13.23.07–00.14.01.05] 

I’m trying to indicate the foreign worker in the South Korean—North Korean worker issue. This was unique because, unlike the DPRK workers that are primarily going just to funnel employment wages back to the country, given sanctions, in this case, it was a direct threat actor group that was ransoming companies and also stealing company training and validation data—which, the data, for those of you who work in AI and who are listening, the data is king. 

[00.14.01.07–00.14.27.04] 

Because when you are feeding training data into your standard generative AI platform, it’s not the platform that has all the value. It’s the data that you’re using to train the generative AI models and to output reliable results, and to have that held back—10 to 15, maybe 20% of the data pool—in order to validate the results you’re receiving.

[00.14.27.06–00.14.53.11] 

So in this case, it was terrifying that we had this founder who was locked out of her website. We thought it might just be an employee dispute. And then, lo and behold, the employee was lying in wait for months to ransom her, steal her IP, and then hopefully make out with both a ransom and all the IP of the company. 

[00.14.53.12–00.15.34.14] 

Now, that didn’t happen. Thank goodness. We worked heavily with law enforcement, got all of her site back with no ransom, got all of her IP back. But wow, was that a really tense two months that she went through for us to engage law enforcement and get all of that content back. We certainly—this is just one example—but I think the issue that we’re seeing broadly is foreign developer groups, while they become necessary with startups, and they’re necessary within the ecosystem because you can’t afford New York or San Francisco developers straight out the gate as a young company. 

[00.15.34.14–00.15.57.12] 

But it allows a step away from identity and the ability to cloak identity—which, Navroop, coming from ArmorText, you’re all about identity. But having that one step away from physical presence and identity really can create havoc. And it creates a moment for the criminal enterprise to slip in.

[00.15.57.12–00.16.21.08] 

And that happened in this case. And we’ve seen other cases where startups are using employee labor. Maybe they’re not locked out of their website, but they might have IP theft, they might be overcharged and have disputes regarding labor and working that you find out maybe are a little bit more than the average of their employment dispute. 

[00.16.21.10–00.16.40.21] 

There’s all sorts of permutations, unfortunately, of gig developer fraud. And it’s a huge issue in the startup ecosystem. And it’s a huge issue for the startup ecosystem centers of San Francisco and New York and also my budding hub in Northern Virginia.

Navroop:

[00.16.40.23–00.17.18.08] 

So it’s currently October, and this is my favorite month of the year because I absolutely love Halloween—favorite holiday, has been since I was a young kid. So I actually want to pivot away from talking about the gig workers and the remote IT worker fraud, or from like the 19-year-olds backed by the criminal enterprise, to actually talk about some of the other war stories you shared when we were talking—when we first decided we should do a podcast episode on this, right. 

[00.17.18.13–00.17.31.11]

We—you talked about these ghosts in the codebase, things get baked in long before an acquired company ever gets involved, in the hopes that the company actually does get acquired so that then they can actually take action. And turn this unrealized risk into an actual issue, right. Can you walk us through an example of how that risk manifests in the wild?

Amy:

[00.17.31.12–00.18.06.14] 

Absolutely. My favorite thing—in quotes, my favorite painful thing—is quite often just backdoors, just plain old backdoors that aren’t going through a VPN, that are backdoors directly available from the codebase. And unfortunately, this is an issue that can happen because of maliciousness. It also can happen if you have a developer who just wanted easy access to their platform and never made correction before they locked the organization. 

[00.18.06.17–00.18.36.07] 

So access backdoors are a severe problem. Scans sometimes help, but it is an issue that you fight if you don’t have someone review the codebase. And ultimately, most acquired companies are in a position where often they are reviewing the codebase and often rewriting substantial portions of it, which is kind of one of the safest ways to mitigate.

[00.18.36.09–00.19.19.15] 

We also find a ghost in the codebase is often encryption keys—embedded encryption keys—to where if you have embedded payment encryption keys, if you have embedded authentication, they are easy ways to steal money and, in the case of authentication, gain access to the platform. But if we rise up and take a step back, when you’re going through M&A, if the code is king and you are buying a platform because it has a slick interface, it has excellent logic, it has a reactivity speed that you’re really excited about. 

[00.19.19.15–00.19.45.20]

And the code is quite efficient, it is incumbent upon you to have it reviewed because you don’t want to wake up one day and find out that someone else is processing your merchant IDs. You don’t want to wake up one day and find out that someone has the ability to access your programming, potentially alter it. You don’t want to find out one day that your Kubernetes clusters are being deleted instead of reconstituting. 

[00.19.45.21–00.20.11.15] 

There’s all sorts of permutations of issues that we have when code is king and it is not reviewed, and maybe you do not have the ability or time to review all of it. Often you don’t, but you do have an ability to get security scans to try to locate essential and primary areas of the code for review. 

[00.20.11.18–00.20.36.08] 

And if it means that much to you, hire a security company that can throw bodies at the problem—especially if you are spending multi-millions, spend the thousands to make sure that what you are purchasing is not a bump in the night. I love Halloween too, but I most certainly do not want razorblades in my candy. And if you don’t check the code, they can be there.

Navroop:

[00.20.36.12–00.20.56.08] 

Well, that’s certainly a throwback for all of us 80s kids who had their parents looking through their Reese’s peanut butter cups for razorblades or the apples. Shifting gears for a second, I imagine that a lot of this is actually further complicated by AI tools and AI-native startups. Can you tell us a little bit more about what you’ve seen there?

Amy:

[00.20.56.11–00.21.22.07] 

Oh yes, I’m coding. What’s coding anymore? We—I think the most interesting component is with the development of AI being able to assist with the writing of code. We used to just have the problem—the developers didn’t really understand infrastructure, and the infrastructure people were always screaming at the developers. But the developers at least understood how to read and write their own code. 

[00.21.22.10–00.21.51.11] 

With some of the startups, we have people using AI prompts to piece together code sections and just try to make it work—with people drafting code without any coding theory—which is a little scary to me, that we have both the lack of infrastructure knowledge and the lack of true coding knowledge in some of the developers who are the technical developers of the platform.

Navroop:

[00.21.51.14–00.22.07.02] 

I mean, you just gotta love vibe coding, right? It’s a vibe. And with that corny joke aside, putting your CISO hat on, what would you most be worried about in an AI-native acquisition? What kind of due diligence practices need to evolve for that new reality?

Amy:

[00.22.07.06–00.22.34.09] 

Absolutely. I’m not just going to give the standard lawyer answer of ensuring appropriate auditing—input and output auditing. That’s a given. But it’s a given that’s very difficult ‘cause the legal community is still figuring out what does a proper audit look like for both validating the technology and validating that adverse action and discrimination doesn’t exist?

[00.22.34.11–00.23.13.00] 

So let’s put aside the problem that everyone’s having—and we’re still trying to solve as an industry—as much as vendors try to market to you that they’ve got that problem solved. They don’t. What I am extremely concerned about in native applications is that we have more opportunities for presentment of secure APIs. So if—let’s take the standard e-commerce website. If I have a shopping cart, that shopping cart usually is tokenized and integrated within—with a payment gateway or a payment processor or an e-commerce platform.

[00.23.13.02–00.23.46.02]

So I, as the less-than-knowledgeable e-commerce company, can have that functionality performed by someone who is PCI DSS level one certified. If I am now selling my wares through an in-AI bot that is performing what will become a concierge service to explain to you the things in which you desire, and then present to you the shopping cart experience—that is a dynamically presented gateway to payment processing.

[00.23.46.05–00.24.14.14] 

And it’s not just payments. Payments is one example, but dynamic presentment of a secure gateway—be it payments, be it government contracts portals, be it healthcare information—offers many more ways for encryption mistakes and secure tunnel mistakes to occur. And I think that’s only one issue, encryption and secure presentment.

[00.24.14.15–00.24.55.04] 

But we also have AI integrations, like the issue that Salesloft is having with its Drift platform, that happened three and a half weeks ago. Four weeks ago—forgetting days. But where just the plain old API had vulnerabilities within it. Bubbling all of this up—secure tokenization, but also secure APIs—are far more at risk in an environment where they have to be dynamically created from code that is not static, in links that will not be static.

[00.24.55.06–00.25.18.01] 

And I think, just myself as a security professional, I’m still wrapping my head around the permutations in which secure presentment will be an issue. And I’m actually—when I’m walking around at conferences, I’m seeing if people are talking about this issue, and I’m not seeing dynamic presentment being an issue that folks are talking about.

[00.25.18.03–00.25.43.09] 

But I think, in the coming years, it will be because we’re going to be moving from a static shopping cart, from a static healthcare experience, to more of a concierge care, concierge sales experience with agentic AI. And we just might be in another kind of golden moment of security vulnerability shift.

Navroop:

[00.25.43.11–00.26.06.17] 

I believe you’re right. I mean, as I’m walking around security conference one after the other for the last couple months, I’ve actually heard a lot about the virtues of dynamic presentment. But you’re right. I haven’t seen many people focused on discussion on the vulnerabilities associated, or the risks associated, with dynamic presentment. 

[00.26.06.18–00.26.25.14] 

So absolutely, I think you’re right. This is probably a topic that’s being underexplored at the moment mainly because everyone’s caught up in the hype cycle of how great the AI is, and how great agents are, and everything they can do for us. And this probably—I want to say an intentional—but you’re right, there’s probably some downplaying of what those risks and all of these are. 

[00.26.25.14–00.26.28.19] 

And we’re going to have to have that conversation sooner rather than later.

Amy:

[00.26.29.00–00.26.54.19] 

Or we could have the 2005 to 2015 epic years of payment card breaches. We don’t want to be back there—or the current season that we’re in, where we still have an awful lot of healthcare breaches. It is just, I hope we learned this lesson without the pain. And if there’s no lesson at all, and folks already have it handled, I want to make sure that we’re sharing that openly and honestly. 

[00.26.54.21–00.27.17.12] 

But I think the conversation is one that needs to be had because you’re definitely right. Dynamic constitution of encryption keys and things can be a benefit because everything will be uniquely created and less susceptible to guessing. But dynamic reconstitution of the user experience and of the code on top of it—I just think is a new element that we just haven’t really fully explored yet.

Navroop:

[00.27.17.17–00.27.43.12] 

So, coming back to something you mentioned earlier about some of these equity groups having well-established playbooks that draw upon the cross-functional expertise of other parts of the team. I’m wondering about—well, if you were staring down a portfolio of new acquisitions, what would you be asking for both from your legal peers as well as the board to make sure those deals weren’t importing additional risk or unnecessary risk? 

[00.27.43.12–00.27.55.20] 

And for the CISOs listening, on the flip side of that, how can they make sure they’re actually brought in earlier when these deals are still forming, rather than being tasked with dealing with the issue once it’s been realized?

Amy:

[00.27.55.22–00.28.24.12] 

So I’m going to answer this a bit differently depending on where you are in the funding ecosystem and where you are in venture and equity. When you’re dealing with Series Seed and Series A—so those usually low-digit millions to maybe two-figure millions if it’s an amazing idea—you are importing risk. The best thing that you—these are companies that are at the garage level, and you are buying a company without any, usually, security of the structure.

[00.28.24.14–00.28.50.02] 

And the only reason why you’re getting the investment as cheap as you’re getting it is because you are asked to help with professionalizing the infrastructure. So if you are a Series Seed or a Series A funder, the way that you protect yourself is having an integration playbook, is noting to your founders that some of my investment is going to go to security, some of my investment is going to go to inspection. 

[00.28.50.04–00.29.17.05] 

Professionalization of your infrastructure, movement to the cloud, adding in defense-in-depth security. If you are investing in a—in an established company, you will, of course, be doing the due diligence and hopefully technical scanning. But we have seen three-digit millions, and sometimes investments with Bs in front of it, that had a less-than-stellar security review or less-than-rigorous security review.

[00.29.17.05–00.29.51.01] 

We’d never want to see that. But sometimes the investment opportunity is so great that folks have to clean it up at the end. I think for CISOs, it’s read the room. If you know that this investment is happening regardless of your input, and you can’t stop it, then you work on that TSA end, and you keep the systems isolated from being—to use a Star Trek term—borg’d into your infrastructure until you’re ready to do so.

[00.29.51.03–00.30.18.07] 

And I think that if, usually, CISOs themselves don’t have the time to do that, it’s—if you’re big enough to have a BISO community and have one designated to your accelerator venture team and your M&A, excellent. If you’re not, hire the resources that do—that are not connected to the deal and are not incentivized by the deal’s closure.

[00.30.18.09–00.30.41.03] 

You want to have someone in the room who’s helping you with that TSA, who is not paid upon closure of the transaction. So if you’re a little investor, and not a little investor but making a little investment in a Seed or Series A, best thing that you can do is clean up. Because post-acquisition risk will occur.

[00.30.41.04–00.31.10.06] 

That is the nature of Seed and Series A funding. If you’re getting a mid-level or significant investment, it’s really understanding what’s the business interest at play, what sectors is this target geared towards for its customers? Is security a pre-acquisition risk, or do I have to make this a transition services agreement, a transition and post-acquisition risk. 

[00.31.10.08–00.31.26.19] 

You have the luxury of at least reading the room and seeing if there’s a pre-acquisition play for those bigger investments. Sometimes you don’t have the luxury of the execution on those. And the best thing that you can do is influence the environment integration post-transition.

Navroop:

[00.31.26.23–00.31.47.17] 

So I’ve be—and absolutely loving the range, from ghost in the codebase to razorblades in the candy, and now to integration into the Borg references from Star Trek. But we are actually coming up on our time here. So, if you’ve got a moment, I’d love to ask one more final interesting kind of question—in which we tend to end our episodes on.

Amy:

[00.31.47.17–00.31.53.16] 

Happy to. And also, all I can really offer are 80s references and early 90s.

Navroop:

[00.31.53.21–00.32.12.11] 

I love it. 80s and 90s. This is a throwback for all of us that are similarly aged. So let’s say you just helped a company unravel a long tail of compromise that had been quietly lurking since a pre-acquisition codebase integration. What are you pouring to mark that kind of win?

Amy:

[00.32.12.16–00.32.15.18] 

I’m going to have you say that again. What am I pouring to mark that kind of win?

Navroop:

[00.32.15.19–00.32.24.23] 

It is The Lock & Key Lounge. So we often ask what kind of libation do folks celebrate—you just had that win, you just helped them unravel that long tail compromise. What do you—

Amy:

[00.32.25.04–00.32.27.20] 

Oh. This is an alcohol question. Excellent.

Navroop:

[00.32.27.21–00.32.39.11] 

Oh, 100%. It is The Lock & Key Lounge. If we were on video, I would have already sent you a bottle of whatever your answer is going to be. So we’d toast on the air, but sadly, we’re audio only still.

Amy:

[00.32.39.13–00.33.05.02] 

Yeah, yeah. It’s the security community. If we can’t have a pour, we actually can’t live through what we have to live through. I would say a good bottle of wine. And I happen to really love any really excellent, crisp California chardonnay, but I can actually link this to a breach, which was really fun. 

[00.33.05.05–00.33.32.04] 

I actually dealt with a payment processor that was a payment processor to the California winery industry. And, funny enough, my best wine recommendations happened to be from that particular breach. Because this guy knew all of these private, membership-only California wineries. So, I actually get to link the two today.

Navroop:

[00.33.32.08–00.33.50.14]

Now that is pretty cool. I would love to get the little cheat sheet on what I should be ordering. As someone who’s a neophyte when it comes to wine, that would be quite helpful. Thankfully, my knowledge of whiskey and gin is far better. And with that, I’d like to thank all of our listeners for joining us on this episode of The Lock & Key Lounge. 

[00.33.50.16–00.33.57.22] 

Remember, next time you’re sipping due diligence over a startup acquisition, check the codebase for ghosts before you check the closing documents.

Amy:

[00.33.57.23–00.34.15.13]

Thank you so much for having me, Navroop. This was a—this is a fun opportunity to, hopefully, it’ll let your hair down but also understand that ghosts lurk at every single corner in the acquisition process. And if you don’t defend yourself, you’re destined to have a post-acquisition headache.

Navroop:

[00.34.15.17–00.34.24.18] 

I am with you on all that minus letting the hair down. As a Sikh, mine is still wrapped up in my nice, neat turban, but I really loved having you on this episode, so thank you for joining us.

Amy:

[00.34.24.21–00.34.26.04] 

Thank you.

Matt Calligan:

[00.34.26.06–00.34.58.19] 

We really hope you enjoyed this episode of The Lock & Key Lounge. If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website, armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.
