Caffeinated Risk

Cybercrime, Intelligence and Impact with Richard LaTulip

McCreight & Leece Season 6 Episode 4

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 34:53

Richard LaTulip joins Caffeinated Risk for a candid conversation connecting cybercrime investigations, threat intelligence, and practical business risk. Richard is a Field CISO with Recorded Future, a former United States Secret Service special agent, and both the author and real-life main character behind the true crime story Operation Carder Kaos.

The discussion starts with Richard’s experience investigating organized cybercrime and quickly moves beyond the “kid in a hoodie” myth toward the reality of structured criminal ecosystems, specialized roles, and professionalized operations. From there, the conversation turns to what threat intelligence should actually do for security teams: be timely, relevant, and actionable.

Tim, Doug, and Richard explore how organizations can use actionable intelligence to assess vulnerabilities based on actual business impact, not just severity scores or compliance checkboxes. That risk-based approach is a core ESRM touchstone and is becoming even more important as AI-assisted cyber attacks increase the speed, scale, and adaptability of adversaries.

Richard LaTulip

An auditor will come into your environment and ask you the simple question of whether or not you have intelligence. And you show him an email from the FBI that's related to cyber, or you show him an email that's related from CISA that's also related to cyber, they're gonna go, oh, you get intelligence. And you will pass that control and flying colors. The reality is that's not intelligence. This is a feed that you're getting. An analogy that I like to use, and it kind of brings together feeds and outsides. But if you think about the operation or the business, you know the Titanic and you know what happened to the Titanic, right? The Titanic, we look at it and we start breaking it down by comparing it to an organization. When they launched on their main voyage and they started heading across, they were getting, in theory, intelligence. But what I would argue is the intelligence that they were getting was not timely, it was not relevant, and it was not actionable. Meaning that if they had the right intelligence at the right time, they would have been able to move the ship left or right, depending on the scenario, and avoid the iceberg. Using intelligence effectively is the difference between making it from port A to port B or ending up at the bottom of the ocean.

Announcer

This is Caffeinated Risk, the podcast for security professionals by security professionals. Here are your two self-proclaimed grumpy security guys, Tim McCreet and Doug Lease.

Tim McCreight

Welcome, folks, to season six of Caffeinated Risk. Our next podcast guest is Richard Latop, field CISO at Recorded Future, and a former United States Secret Service Special Agent, spending years conducting undercover cybercrime investigations targeting international criminal networks. Drawing on decades of investigative and cybersecurity leadership experience, Richard provides thought leadership and public speaking on cyber threat intelligence, social engineering, and strategies to strengthen cyber resilience. He holds a Master of Science in Cybersecurity Policy and Governance from Boston College and maintains the CISSP and CISM certifications. Richard is also the author of the true crime book Operation Carter Chaos: How One Agent Penetrated the Underground Economy. And now let's check out our latest podcast with Richard Latuda. Hi, Richard. Welcome to the show. Thanks so much for taking some time and being part of Caffeinated Risk. We really appreciate it.

Richard LaTulip

No, absolutely. I appreciate you guys taking the time to invite me onto your show and look forward to the conversation.

Tim McCreight

I kind of want to talk a little bit about the stories and how you actually got to where you were in your career and where you are today. Because I think that's what our listeners are really going to find intriguing is the path you took to get into the Secret Service and then how you move from there. I think that would be super cool.

Richard LaTulip

What you're talking about in terms of the stories, you know, the stories are phenomenally great, I think. Everyone, when you read the reviews on Amazon or you look at, you know, other persons who've had the opportunity to read the book and you talk to them one-on-one, you'll find, you know, very positive reviews, uh a lot of excitement, you'll find a lot of intrigue. You know, it's it's the reach, right? And being able to reach to get to people is is the largest challenge. And you know, clearly coming on podcasts like yours and others, and being able to just go out into the community and have conversations and you know, share the stories, connect them to the real world, you know, show how a lot of the things that I experienced are still relevant today. You know, you see a lot of the uh the tricks and the tradecraft being utilized in say the mid-2000s, still applicable today. Um, there's still a lot of human error, there's still a lot of room for social engineering, and and so uh the bad guys are leveraging this, but I would echo that.

Doug Leece

A lot of my day job, I'm doing incident response on the other end of set events, and I've been doing this a long, long time, and you know, crime is still crime at the end of the day. I've been associated with law enforcement groups for quite a while. And when I go attend their trainings and things like that, it's a very different world, but I'm sensing that most of the criminal element isn't like the high-flying folks we see on television and everything. These are troubled or desperate people as well, right?

Richard LaTulip

When we talk about criminals, or we talk about people who are operating on the dark web.

Doug Leece

Cyber criminal, yeah.

Richard LaTulip

Yeah, cyber criminals. There are there are levels, at least the way that I would determine it.

Doug Leece

Okay.

Richard LaTulip

When I was, say, at the Secret Service, just starting junior agents, and of course, you get just you catch all sorts of cases. And at times the police would call, and I would remember some of the bigger cases that we would get called on, and these were really actually quite small. But the point being is the the majority of the calls that came in, it was an individual that was in a hotel room that was down on their lock that had an all-in-one printer that was making counterfeit currency, and they were using that all-in-one printer from that. And you would also find drugs in those rooms, you would find people, like I said, down on their lock. They were trying to make ends meet, and their their solution was not getting off the drug per se, but making counterfeit currency, right? That was the solution. And so we would get those phone calls, and so that that would be where I would say you get the the tiers. And it in the dark web or on those carting forums, carters is a general term that encapsulates everybody, but generally speaking, it's the person that goes to the streets that grabs the credit card that was obtained via network construction and uses that as a storefront. The sophistication, okay, yeah, you have to have some sophistication to be able to get that. But usually what I found out is there's one guy orchestrating many that he's sending out onto the street, so to speak. Then you have your tier above that, which now you get into certain types of vendors. And those vendors are the people who sell maybe the plastic that you're using to put the cards and code them on. And then you also have the tools that are for the trade that are being sold. And then you have the vendors who sold sell that intellectual property, that actual credit card data, the track one, track two data that goes on to those credit cards. You're rising up levels of tiers. And then, of course, you have your people that provide the infrastructure, you have your people that provide the means of facilitating money transfers or money laundering, and then you have your hackers, right? And so that's how that rises. And of course, in between all of that, at certain levels, depending on the popularity of the forum, your administrators will be very popular of that particular forum, and they will have a but they will rise on those ranks. What we have found over the course of time is these things are highly organized and they are not disjointed, they're not just randomly put together. And a lot of times, it's a core group of friends who who know each other in real life and have you know come up with this opportunity to generate income for themselves. Wow.

Doug Leece

Yeah, and we talk about organized crime, but I think you laid it out very well that there's different different cogs in the wheel. And I think that really just puts that whole kid in the basement in a hoodie myth to rest. When we're up against criminal gangs, they have a plan, they're organized, they have a way of operating. And if you fall victim to their behavior, it's gonna work for them because they're professionals at this. This isn't their first time.

Richard LaTulip

Well, uh, one thing I'll also uh you know highlight, or or I like to highlight because your reference of you know a kid in a hoodie in a basement of his mom's place. When you get to the world of hackers, there are hackers and tiers of hackers, right? Yep. This culture within the organization, you know, I would classify myself as a script kitty. Uh yes, I can take a program and I can give it commands and I can check all the boxes and I can hit run and I may ex I may experience success where I penetrate a network and I will exfiltrate data. Does that make me a hacker? In the world of hackers, theoretically, yes. But when you look at the hacker who can code from basically the ground up, that creates custom strips, that creates their own opportunities, those individuals who have that level of expertise that have the organizational uh aspects behind them, these are the individuals who uh rise to that top. I would even say that one time when I was doing a lot of this work at our headquarters unit or even in the field, there was probably I'd say the top five, maybe 10% of the hackers of the world were disrupting 80 to 90 percent of the networks.

Tim McCreight

That's pretty impressive from a statistics perspective, that you get that kind of skill set at that upper echelon. And it it just feels to me this this sounds horrible to say, but it feels very structured like an organization, like a company, like the worlds that Doug and I live in and protect. It feels that that same structure, they just seem to have gotten it better, if that makes sense. They've they've gotten better at operating within the environment than we are on the other side of the web.

Richard LaTulip

So uh one thing that doesn't slow them down is our our policies.

Tim McCreight

Yeah.

Richard LaTulip

Okay. We have committees, we make decisions, we have you know the nuances of just working together. They they don't operate like that. I mean, there's no now there are ransomware as a service organizations that at the height of when you would say they were combining a lot of different talents together. They had a little bit of an HR system, they had a recruitment system. Seriously, they had an onboarding system, they had a, you know, uh, say you had to go get your total of, say, I don't know, 10 or or 10 different accesses to businesses during that time. So they had quotas, if you will, and they were judged on their performance. And if they were not performing, they were let go from those organizations. And so there were, but now we see that on a rarer side, but nonetheless, my biggest struggle when I work with the U.S. Secret Service, and again, this is time frames, things have changed. You've seen Lockbit the takedown recently in the news, where that was highly organized between multiple international law enforcement agencies, and it worked out very well. And they used the modern tools, but roll back to say 2005, 6, 7, and 8 and 9, and a little bit beyond that as well. The infrastructure of communication between law enforcement agencies, especially international law enforcement agencies, was not very streamlined. Okay. You know, so going through my internal policies to then going to another agency, say like the Office of International Affairs or the Foreign Asset Control, right? That office as well. Now you're dealing with a new subset of not just culture, but policies. And then, of course, now translate that to transmitting a document overseas to name the country in the world, asking them to do something without having an established relationship. You're following the policy and the procedures, but the urgency maybe or the importance of it is not necessarily flowing along with it as it goes from agency to agency to agency, then back to you. That can be sometimes months, and in some rare cases, a year or longer. Bad guys, especially at that time, was pick up the phone, call, ask, done.

Doug Leece

Yeah.

Richard LaTulip

Think about this when we talk about vulnerability management, service level agreements, and we're we're asking another department within our own organizations to do something. Hey, patch it because there's this critical vulnerability that could be exposed that allows remote code execution, you know, and do this very quickly. And they're like, well, okay. Sometimes we're very lucky and they work very quickly, but other times you get, well, the SLA says 15 days, and you know.

Doug Leece

Yeah, and I guess this is where the risk management gets a little knock on the head that we're trying to use risk management to balance these things out. Yeah, you can't have a whole department running on chaos, and that's the whole point of SLAs. But the reality is that they can turn this around in a few hours sometimes. The barrier should be do you know the impact if that thing got popped? And most of the time we don't know that. We know how to fill out a form, but we don't really understand the ramifications of that particular thing being taken out to discern whether that's urgent enough to drop what you're doing. Sure. Have you seen anybody have success? Because I you're also a field CISO, I believe, right? So you you talk with a lot of business leaders as well. Have you seen organizations have success figuring out where they should, when they should jump? Because there's always going to be a fire, but is that one that's relevant to you? Is a really hard question to ask day in and day out.

Richard LaTulip

Look, uh, I I hear I hear that that question often about where, when, and how.

Tim McCreight

Yeah.

Richard LaTulip

When an organization appreciates, understands, and values their security team and doesn't just look at them as a cost center, you have way better results. I believe that the security team and the information management as a whole, right? You know, part of what I, when I do have the opportunity to speak at conferences, the things that I try to say is expressing the value of the organization. And you do that by collaborating with your peers, understanding where the risks are, understanding the impact of whatever it is in that department, if compromise would cause to the organization. And then from there, understanding next how to create a strategy that secures that environment. Obviously, mostly coupled, you know, you have the tools, you couple that with intelligence and being able to say, to your point, you know, we understand if a critical service within our organization was to go down, the impact is X, but then the opportunity, right? We need to have that full equation. And then this is where intelligence comes in as a valuable component to be able to say, you know, all of these being equal and now being executed on the bad guy, here is your total risk and business impact of the organization. So now you can put it into a big formula that this critical vulnerability is in our environment that is connected to this critical vulnerability or critical service within the business line. And this adversary is leveraging it in real time. And now you have a vision that I think most businesses can understand. I need to jump for this.

Tim McCreight

I like that because that's one of the things that I think we've seen struggles over the you know the last 10, 15 years is drawing in the data and understanding what the risk is from that business lens, that perspective. But I really like that you brought in and overlay. Now I'm bringing in threat intelligence. Now I'm bringing in something that they may not have had access to before and to highlight it to the executives so they see what the what-if scenario. And I think that was that was key for me over the years. Uh, it's great to hear that you're doing this as well, that you're letting people see the what if. And I think that's important. But can I ask though, Richard, when you're when you're working with organizations that are new to this or they're coming into this, they're looking at it from that different lens, they're trying to focus on the human element. Are companies seeing the value of what Intel can bring? Are they seeing how what you know a reliable intelligence can actually help reduce the risk that's facing the organization? And where have you seen the ability to bring that into different organizations in your current role?

Richard LaTulip

The more mature organizations, obviously, they're easier to have these conversations with. And then also just how do you understand, how do you translate, say, intelligence into something that's very understandable to say individuals who haven't really been exposed to it, or their version of intelligence really comes from a book they read or a movie they read, and the CIA, the NSA was in it, and they're like, ooh, intelligence, right? Or military operations. The key is, and this is some things that I try to talk to organizations about, is how is it you look at intelligence? If you're going along a framework, say it's an ISO or a NIST, or it doesn't make a difference, you should pick your framework. But the point being is an auditor will come into your environment and ask you the simple question of whether or not you have intelligence. And you show him an email from the FBI that's related to cyber, or you show him an email that's related from CISA that's also related to cyber, they're gonna go, oh, you get intelligence. And you will pass that control and flying colors. The reality is that's not intelligence, this is a feed that you're getting. An analogy that I like to use, and it kind of brings together feeds and outsides. But if you think about the operation of the business, you know the Titanic and you know what happened to the Titanic, right? Yeah. The Titanic, we look at it and we start breaking it down by comparing it to an organization. So it was an idea that was created by some people who thought, oh, you know what, I got a great idea. They went to people who were investors, and these people thought, oh, this is a great luxury liner, unsyncable, latest technology, transit the the Atlantic, move people safely from uh point A to point B in a luxury perfect, we love it, they invest. Now that's your organization, that's your startup. Now you start going, you got wheels on the uh on the on the car, so to speak, or the bus. And now you start building this. Now, what you need you need the technology, the propulsion, the navigation, you need you need all of those components. And so these are your controls that you're starting to put into your business to make sure that you're enabling business and you're allowing it to succeed. You need people, right? So you start hiring the people to be able to manage and to put into place all the different things that you need within your organization. Now that you have it built, and now that you have your people in place, you need to market this. And so your other aspects, your sales teams come in, your marketing teams come in, and now before you know it, you have a huge line of people willing to buy tickets because why? They believe in the idea. It's unsinkable. I have safety, right? You have luxury in in different classes, right? So I can transit the Atlantic in style, so to speak. When they launched on their maiden voyage and they started heading across, they were getting, in theory, intelligence. But what I would argue is the intelligence that they were getting was not timely, it was not relevant, and it was not actionable. Meaning that if they had the right intelligence at the right time, they would have been able to move the ship left or right, depending on the scenario, and avoid the iceberg. Using intelligence effectively is the difference between making it from port A to port B or ending up at the bottom of the ocean.

Doug Leece

That is amazing. Yeah. I have listened to a lot of talks about threat intelligence, and that is the very first time I've ever heard it broken down exactly at the business level, and the value of why I need to know it when I need to know it. And it needs to be relevant. I really don't care about rain, but icebergs are a big deal. I guess that was one of my original displeasures with the whole threat intel was we seem to get a lot of very consumable low-on the pyramid of pain kind of stuff like IPs and hashes, and you'd mostly be swatting at flies. But I've been on the hunt lately for a deeper thing, like where we're trying to get into how the adversaries do what they do. And it was funny, I was talking with a policeman a couple of days ago, and he said, Oh, you mean like their MO. That's what we call it in our business. And I go, Yeah, that's what I've been calling it too. But everybody was kind of looking at me like I was weird. And it seems like threat intelligence is the one place where we're dealing with force and uh intelligence, uh investigation, all that at physical crime, and then this whole digital thing, that's the one place where they seem to meet. It's a fascinating field. To Tim's point earlier, I don't think a lot of companies have really caught on to you really need this and you need to do it well. Yeah. Why do you think that is? Like we got fooled with the hashes and IPs, but that was a long time ago, and the products have come a long way since then. But I don't know that our appetite for consuming them differently has.

Richard LaTulip

Yeah, I mean I think there's a couple of, you know, if you again going back to your auditors and we'll turn back the clocks of time. And you remember the first time an auditor would come through and he would go, Do you have a firewall?

Tim McCreight

Yeah.

Richard LaTulip

And you'd be like, here it is. And then they would go, check, you're good to go. Uh, thumbs up. Did they go inside your firewall and say, uh, what are the settings? Oh, it's any, any, any, any allow. So you have no security. And so and then, of course, now I know the auditors. Do you have an XDR solution? Do you have a SIM? As I mentioned earlier, do you have intelligence? If you give them that email from SISA, they're gonna pass you on that, say, control. They're gonna let you let you fly by. It's just like the firewall that's not set. It's a it's an open, ambiguous piece of information that may not even be relevant to your organization, that may not even be distributed as it should. So, real intelligence, when I talk to organizations, it needs to be timely, it needs to be actionable, and it needs to be relevant. If you're not having at least those three things, you don't really have intelligence because quite frankly, now you get the issue of alert fatigue. Nothing's improving my situation and lowering my risk and changing the business impact if something bad was to happen. So the messaging is really key, but also I would say the follow-through of understanding what intelligence really is if used if used professionally. If it's not used professionally, even the best intelligence organizations will provide you zero intelligence. Because if if again, if you set it and forget it and never look at it, then it doesn't matter that you have all these alerts. So you almost need to say, and and I try to say this too when I when I've when I've consulted for new businesses, is we can't just go get, say, for example, Zscaler, we just can't go get a SIM. We can't just go get an XDR solution without having the people to manage it. Because again, if you do that, there's a cost that associates with it. Whatever the tools cost is, plus the manpower that you need, and then you also can't just throw in 18 tools at once because the culture of an organization will revolt immediately, and you, as an organization, in terms of information security management, will lose traction within that organization. So it almost needs to be a strategic plan of identifying, again, working with your business, what is it that's most critical to our success, and start knocking down the big chunks. And then you start coming down, say, okay, I've got the sim, I've got the XDR, I've got, say, a CASB or whatever it is that you need. And then now what's the final peak puzzle? It's not that it wasn't important, but you're knocking down the big chunks. Now you start fine-tuning everything, you add intelligence to it. So now you're strategic. So now your team is really a force multiplier based on the fact that you're only responding to the things that will cause the most impact in a negative way towards your organization.

Tim McCreight

I think that's a perfect approach. And I wanted to ask too, how you know, with the work that you've done in your past and and where you are today and looking ahead, you you've talked about culture, and you know, we we talk about that a lot here on the show as well, is changing the perception and the value that security has from a culture perspective. But how how do you help organizations see that there's culturally there's a value in the security program and that the people on the other side of the screen with their hands on the keyboard can eventually become an asset, not a liability inside an organization? How do you get to that messaging with the company, with the executive team?

Richard LaTulip

Yeah, it'll always be like with anything else, top-down approach, right? If your CEO does not care about security, no one else in the organization will care about scope security. So, from that perspective, and you can even argue it starts from the board, right? Because the board, if the board is looking at your organization from at least a lens to some degree, not just of all business, but just some lens, just add a small, I often call it the kaleidoscope, right? So as you turn that kaleidoscope, you're turning it to fit what you need that's best for your organization. And so if that starts from the top and filters down, then the culture can slowly start to change. Because if you think most organizations, they start from that, obviously, startup where it's the wild, wild west. Security is not even uh on their radar in the very beginning, and quite frankly, it's only about bringing in revenue and revenue generation and product development. But moving to the the maturity as the corporation grows, now you have to start, you you have a responsibility to protect, obviously, with the the privacy laws, which are helping, by the way, GDPR, the CCPA, these things help because quite frankly, you know, uh if you didn't have that regulatory aspect, what what do we know? Most businesses wouldn't necessarily automatically do it. You know, they still may and they still did, but we're talking about scaling. We're talking about making sure that all businesses, when they get into, you know, areas in which they're touching PII or PHI, their their mindset or culture is to do the right thing. So from the leadership, it's the policies. From the policies, it's the training. I think also the training is not often enough. The annual training is not just like when we start thinking of continuous monitoring, you know, we should be we should be leveraging tools that are designed to continuously monitor our environments. And we should also be looking at not just an annual review from our employees, but keeping it top of mind, making sure that they understand what their role and how they play a vital role in providing security to organizations. Um, but I think it's a combination of things and it definitely has to start at the top.

Doug Leece

Yeah. Yeah. And I think until we can tie the lack of resilience or the lack of proper risk management into a financial outcome, they don't get there. And I I like what you said about the intelligence ensures that you're making the best use of your investment of your security team. They're working on the things that are gonna hurt the most.

Richard LaTulip

Oh, yeah. I mean, look, the other question that sometimes I'll get and I'm sorry I'm asking you guys is. No, no, this is all good. This is all good. But the return on return on investment for intelligent, like how do you how do you talk about that ROI? And this is where I start talking about well, you you start, you can start with the low hanging fruit, basically say, because it's always in the news. Well, an average ransomware attack costs an organization, say it's a half a million dollars. It may be more than that, but let's just say it's a half a million dollars. And then and then they go, okay, well, that's a half a million dollars. Well, what's the tool cost? And then they say, well, you know, and then you can start saying, well, what's the average time that it takes over the course of whatever X and you come up with your equation and say that your incident might be a point, you know, uh, let's say every five years, you have a 50% chance of that happening. So every 10 years it'll happen. And so they say, Well, it's probably not worth it because we can we can go. But you've missed a line, a large portion, if you will, of what it is an incident will cause to the organization. Now, brand is arguably interesting because there are corporations out there who, amazingly enough, have had multiple cybersecurity incidents, yet their stock prices have risen regardless. So brand is a part one, but still it turns consumers off and you get the attention. So you have to talk about brand, uh the reputation of your brand and the diminishing of it, right? So it's still in part of the equation, but how much is arguable in terms of cost? Because everyone can look at the stock tickers and see that companies that have experienced bad things have gone up, right? And so uh beyond that, you want to start looking at depending on your line of business. Now, if you're in manufacturing, you have great examples of being able to convince the business of the damages. Just look at uh Jaguar Land Rover. Yeah, initial estimates was at 1.8 billion, but now it's well over two, uh two plus maybe even three billion dollars worth of damages. So the half a million dollar ransomware payment can go now into this of billions very quickly, depending on your line of business, right? Beyond that, you would even say further is all businesses, and even though if you were to say, hey, well, we don't collect PII, well, I would question that because you have employees that you use services that they have data. You also have private data that's intellectual property to your organization. So you you still really can get into, depending on what you're operating, is are you in California? Does CCPA apply? Well, your employees are just as much as your clients in terms of the value and what you're supposed to be protecting. So you still have that as a potential compromise. Why do I even bring that up? Because at the very tail end of this, it becomes the regulatory agencies that are going to come in and say, based on the data that's lost, there's a there is a number that can be equated. You want to say when I was working in the Secret Service, it was $500 a credit card that the court accepted as a loss for every credit card, right? Whether you can say it was a $10,000 loss or a $1,000 loss, if you had nothing else, they would say, on average, we agree that's $500 per credit card. So you can come out with a loss. You can even say, you know, theoretically, that they, the regulators, will come in and potentially fine you uh based on the loss. Now, if you're working in EU, it's a percentage of your revenue, right? So uh that's a different equation. Now, ultimately, I will tell you this: once everything is said and done, I guarantee you, as soon as you walk out the door, there's 10 lawyers with a class action lawsuit ready to hand it to you. You can Google it and you can look at like change healthcare, if I'm not mistaken. The last I read, they were at 22 class action lawsuits that were being leveraged against their organization. So when we talk about business impact, it's not just the ransomware events and the time consumption of your people and the brand uh recognition loss. It is the totality of what is your downtown, what is what is the regulators, and what is the potential for the class actions.

Tim McCreight

Well, thank you, sir. This was awesome. Thank you so much for spending time with us today. We really appreciate it. This was great getting on the show. So thank you for that. I appreciate it.

Richard LaTulip

Absolutely. No, I thank you. Thank you very much. And anyone that has the opportunity, please. I I know that you can search Amazon, get Operation Carter Chaos, read the book. You know, it's a great historical where cybercrime originated, where it's going to, the play that it does in the in the world that we live in today, and to see how things really, the gaps that existed then, a lot of places still exist today. And we need to be focused on those and we need to understand that so that we can do better at protecting our infrastructure from compromise.

Doug Leece

I agree. Thank you again. Awesome. Thank you, sir.

Tim McCreight

Thanks for listening to the latest podcast from Caffeinated Risk. Make sure you visit our website, caffeinatedrisk.com, to stay up to date on what we've been working on. Our website has bios of our podcast guests, posts about topics we're passionate about, and even a library reference material we find valuable in the work we do every day. And don't forget to subscribe to Caffeinated Risk on your favorite podcast service. This way you'll be notified when we release our next podcast. And you can listen to our previous guests just in case you missed them. Thanks so much for listening to Caffeinated Risk.