Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Patrick Ross joins us today. He is owner and advisor at InfoSecurity Blueprint. Patrick, thank you so much for joining us today.
Patrick: Oh, it’s my pleasure, Greg. Thanks for having me.
Greg: I like to start as we always start here because I always love hearing people’s stories and their journeys, everything. Tell me why and how you got involved into this whole technology space and just bring us to your career to where you’re at today as an entrepreneur.
Patrick: Yeah, absolutely. So I’ll try to give you the short version so I don’t go on forever about it, but it really goes back to, um, all the way to when I was a kid and in high school, I just always was into computers, had a computer when I was in middle school and, you know, played games primarily as a kid, right? But that bled over into high school and I went into the Vo-Tech program at my local high school. So I spent half the day my junior year and half the day my senior year out of my home district and working just on technology. And from there I went to a New York State school, College of Technology, for a bachelor degree in network administration and just really furthered my knowledge and my love for technology there.
And while I was there, they added some courses that focused around information security and they added enough that that became their fourth minor offered. And I thought that made sense. It was a good alignment, right? I’m in network administration, let’s get some security knowledge under my belt. And that was really my first like peek into, hey, we should secure this stuff that we’re doing.
So from there, I spent the first five years of my career working as a help desk technician, onsite technician, onsite system installer for a couple local managed service providers. So hopping from client to client, seeing different technologies, different ways of doing things, different industries. To me, that was a great exposure. Five years across three different companies, too, over that time worth of clients, just seeing so many different ways to do things.
From there, I moved to be an IT manager, system administrator, at a large nonprofit in the area. And that gave me the ability to oversee some staff, oversee multiple locations, expand our locations. We had, I believe it was twelve by the time I left, grew up from eight or nine. And it was a great experience just focusing in on, you know, this is the business that I’m growing and securing and all that.
And somewhere around that time is when the school that I went to actually added more courses where information security and assurance became their fourth major in the bachelor program. And to me, that was just another indication of this is its own industry with the technology. It’s not just a footnote of network administration.
So from there, I worked at an accounting firm for several years, working with clients primarily on the information security assessment side, which I then carried over in my own business a few years ago, helping small and medium businesses with compliance and just best practices and what do we do to stay secure.
Greg: We’ve got something in common. We have a few things in common. One of the things we have in common is that I also learned about IT stuff at a New York public school. Although it was a little different, I went to SUNY Buffalo, and it was a few years before you. In fact, they didn’t have twisted pair Ethernet at the time and they didn’t have courses on any of this stuff. I worked in the computing center there as a student assistant as my first job in IT. And it started there in, I guess it’s been thirty-six years ago now.
So, yeah, yeah, yeah. And certainly working help desk then and now, I mean, they were amazing. It helps out an awful lot. But I have to ask you, what was the impetus for you, though, to form your own business? What made you think like, “I need to do this”?
Patrick: So just like that minor in information security when I was in college was just kind of hanging out, waiting for the right time for me to career transition and focus on it. I’ve always wanted to have my own business and just do things the way that I learn, but take what I learned from a bunch of different places and do it my own way and do it in a way that I think is better, that I think I could provide a better service.
And I just—I’ve always wanted to do it. And it was the right time in my career where I’ve had that range of experiences I described. I spent several years working with clients directly doing information security assessments and helping them manage their risk that I felt I was ready to do it on my own. So I’ve been doing that the past couple of years.
Greg: So if you were to give one piece of advice to somebody who’s been in the field for a while and they’re thinking about going off on their own like you’ve done and like I’ve done, what’s that one piece of advice?
Patrick: The one thing I actually told a couple people this this week, I tell people a lot is if you have the ability to keep your full-time job, it’s not a conflict of interest, and you can start something on the side, I recommend doing that. Because like you alluded to early on, it takes a lot to build. Like you said, hang your shingle. People don’t just come to you. It takes a while to learn how to run a business.
In my position, it would have been a conflict of interest because I was already doing consulting. So I had to kind of make that hard stop and go out on my own, which if you have to do it that way, do it. Just make sure you’re ready to do it and do a little research on what it takes and the first steps you have to take and be ready to execute them on day one.
Greg: Do a personal risk assessment, right?
Patrick: Yeah, absolutely.
Greg: Yeah. Yeah. And I was able to start it while still working full time. There wasn’t a conflict of interest. And fortunately, I would add on a recommendation to that. I think that that’s spot on, but I would add on that—make sure that you get your buy-in from your employer, just to be sure. Dot I’s, cross T’s. You want to make, you don’t want to burn any bridges. You want to make sure everything’s happy, but that way you can have that little bit of runway. You can start building a client base a bit.
But to your point, if you know it’s the time and you’ve done the personal risk assessment, make the jump. So I agree.
Well, let’s talk a little bit about your clientele. You pretty much work with small and mid-sized businesses?
Patrick: Yep. So clients everywhere from sole entrepreneur, just concerned about how they’re handling their data to several hundred employees with internal IT person and maybe internal IT team looking for a little bit help with the security side or the compliance side.
Greg: So kind of like you play in the virtual CISO space in some ways, right?
Patrick: Yeah, so I don’t really advertise or market that way, but I think a lot of the services I have overlap with what you’d expect out of a virtual CISO. So I just—I don’t lead with it just because I don’t have the actual CISO experience or the industry experience, but to that level where I’ve done it internally somewhere. But I’m helping with risk management, I’m helping with compliance, I’m helping with the program governance, policy writing—all of the things that a CISO or virtual CISO would lead.
Greg: So how does your fractional advisor model differ from, let’s say, a traditional consulting engagement in the space? What is your niche?
Patrick: Yeah, so I really focus on simplifying as much as possible, taking that first step. So even down to the name of the business, InfoSecurity Blueprint, it’s about—you know, the blueprint is building out the plan of what you’re doing.
So I think businesses get overwhelmed and just don’t start. Anytime anyone’s overwhelmed with anything, you just—you make an excuse not to do it. So the analogy I always give is your dishes are gonna build up, right?
So you come home from work at the end of the day or maybe the end of the week and all of your dishes are dirty or the dishes you need to make dinner are dirty. You have a couple options. You can wash all the dishes and then make dinner. It’s gonna set you back on dinner. You could wash the ones you just need for dinner. Or you can outsource it and you can get takeout or delivery or something, right?
So there’s options. And the way that I try to help people is just wash that first dish and get dinner made and then worry about the rest of them tomorrow. It’s a tomorrow problem. And we can start to plan out how we’re going to achieve that and take that first step.
Greg: I think that you touched on something so important. Well, first of all, I like the dishwashing analogy. It actually calls to mind a story when I was in school in Buffalo. I was living with a few friends and we would sometimes not agree on like whose dishes were in the sink and all that. And sometimes, being men, we were kind of all hard-headed, and we would have the sink full of dishes and nobody would touch it.
At one point, Tom, I left a lengthy note about risk management with regards to, you know, “You’re doing a risk…” And this guy was in business. And he’s like, “By the time that Greg took to audit the actual situation, you could have actually solved the situation, Greg.”
And I just remember that getting that note back. It’s like one of those flashes of memories that probably I hadn’t thought of in like decades.
But talking about smaller businesses and other businesses too—and they kind of get this deer in the headlight look—they don’t know where to start. We try to tell them it’s like, just start.
I know that they have a lot of misconceptions about how to navigate some of the frameworks. We throw at them all these acronyms—CMMC, HIPAA, and so forth. What’s like one of the biggest misconceptions that you see from smaller organizations when they’re approaching like having to go through compliance for the first time of some framework?
Patrick: Yes, I think it’s two-part. It’s really that the framework or the requirement they have is entirely technical and it’s just something that IT handles. And the reality of it is there’s a lot more than just the technical aspect. Even HIPAA is a good example of—it’s been around for so long that in the body of text there, it breaks it to administrative, physical, and technical.
So take all of that in mind. And what are you doing for business risk management, not just your technical part?
And combined with that is that they believe that just performing those requirements is enough. So it’s something IT handles and they’re doing it, so we’re done.
And it’s more than that. It’s making sure that you have the policy procedures in place to continue doing it and that if you have a change in staff—whether it’s a permanent change or it’s someone that’s out on vacation filling in—that they are going to do it the same way and that you have that. That’s where the maturity comes in. When you talk about maturity models, it’s that we will continue to do it over and over.
Greg: I think that we do have a problem in the industry of people and businesses having this perception that it is just a technical issue.
And that’s one of the things that I like about the name of your company. I think it’s very well named, but you say InfoSecurity Blueprint—you don’t say Cybersecurity Blueprint. Because to me, I don’t know to you, I’m wondering if you agree or disagree, and if so, why—cybersecurity kind of gives like a purely technical connotation, whereas information security talks about things in more in business terms.
Patrick: Yeah, I agree with that. Yeah, I think to me, I made a very conscious decision not to be “Cybersecurity Blueprint” because I think when people hear “cyber,” they think the technical things that we need to do. And I want to talk to business owners about business risk.
I say “cybersecurity,” they’re going to think, “Oh, the computers, all the ransomware, it’s above my head, eyes are glossing over.” So, you know, InfoSecurity, I think I could write that very—a little bit more and say, “This is business risk. How are you addressing it? How’s it going to impact your business? Let’s have that conversation.”
I even have a slide in presentations where I say, “What are we trying to protect? You’re trying to protect your cyber—whatever that means. You’re trying to protect your information at the end of the day. That’s what you’re trying to protect.”
Greg: Right. So, I love it. I don’t know, you might’ve stolen that from me because a lot of times when I get—when I’ve given presentations, I’m like, “You know, cybersecurity—I don’t even know what that is. What is a cyber? I can’t tangibly like hold a cyber. I don’t know what a cyber is. I know what a computer is. I know what information is. I know what data is. I don’t know what a cyber is.”
And yet we as an industry have like fallen in love with everything being “cybersecurity.”
And I think it’s personally—now I’m on my soapbox—I think it’s personally done a disservice to the industry because of exactly what you said. It’s like people inherently think about that everything is just technical in this field.
And I am probably going to steal this from you—your line, this is one of the best lines I’ve heard on this program: “I want to talk to business owners about business risks.”
That’s exactly what we should be doing. And unfortunately, in our industry, we don’t do that well enough.
How can we do that better in our industry?
Patrick: That’s a good question. I think that’s going to take a little bit of time for business owners and leadership to realize that this is their problem and it’s not just IT’s problem.
So it’s the continual education of explaining what does this mean to you and how do we have that conversation?
I had a client engagement recently and we did a control assessment against the CIS Controls Implementation Group One. And part of when we were scoping out that project, I was talking to my IT manager and I said, “I’d like to do a risk assessment with this.”
So to me, a control assessment or a gap assessment or however you want to call it is different than what a risk assessment is. Because like I told him, “I want senior leadership in the room for that risk assessment. You and I and your team are going to do the control assessment. A lot of that’s technical. We will reach out to HR and payroll, different operations, different places when we need to, but we can lead that initiative. But that risk assessment—I want your CEO, I want your CFO, I want whoever’s head of operations. I want those people in that room.”
And we did that. And they actually asked the question leading up to scheduling, “Do we all need to be in this?” And he sent me that question. I’m like, “Yeah, you know, they do.”
And they did. And we had a very effective meeting. And during that meeting, I heard things like, “Oh, I never thought of it that way,” or “I didn’t think of that angle,” or “That this would impact that.” You can see that discovery happening when we’re talking.
And one of the chief officers walked up after people were leaving and said, “Dare I say, I had fun doing this.” Like—we discussed the risk to your business and you’re coming up and telling me you had fun? Like, I think that’s a good engagement, right?
Greg: Absolutely.
Patrick: So we need to get more executives on board like that, I think. And that’ll start to change the perspective of, “Okay, we can start to own this. It’s not just technical. We’re not afraid of it anymore.”
Greg: Well, I think one of the root causes of that, though, is something that you said, is that, you know, a control or a gap assessment is different from a risk assessment.
And unfortunately, in our industry, I think that you’re going to see a lot of folks that are going to disagree with that—or maybe better put, that they don’t understand that. And I completely agree with it.
It’s like you can do a gap against some sort of list or some sort of framework, but that’s not telling you anything to the business. It’s telling you you don’t have a particular control in place or you’re not meeting a particular requirement.
But why should I care as a business owner? I don’t care. It’s like, okay, we didn’t hit that mark. We got ninety percent. That’s cool, right? We passed the test, right?
But it’s not about that. It’s about risk. It’s about business risk.
And I really wish—to answer my own question—I wish that in our industry, we would understand that everything with information security is all about managing risk. And that’s not just in the corporate world; it’s in the personal world as well.
We can go off and tell people until we’re blue in the face, “Use MFA on everything.” But if they don’t understand the risk of not doing so, are they really going to adopt it?
Patrick: Yeah, right. And it’s not just where to use it, it’s what system to use it on and how do you do it and what type of MFA. There’s a lot of details to it. And I think sometimes we get lost in those details, but it’s evaluating: this is a very critical system, yeah, you need the best MFA.
And this isn’t a critical system. The exposure here may not have as big of an impact, so sure, your staff could use SMS.
And I think a lot of times as security professionals, we’re saying, “Oh, you always need to do the best. You always need to do the best.” It’s sometimes the most difficult, the most friction.
We don’t always have to do that. So that’s where we have to make sure we have our risk lenses on as well and say, “Oh, okay, maybe you don’t need the highest level. Maybe that isn’t a system you need MFA on.” Dare I say that out loud, right?
It’s—you evaluate where you need it and what level you need it to.
And that’s with every control. It’s how much do we need so we’re not getting in the way of the business at the same time as we’re helping the business.
Greg: And that’s one mistake that fundamentally a lot of information security consulting people and firms make is that they immediately jump into doing this gap and control analysis of sorts without trying to understand the business.
It’s like you can’t—you can’t get to the risk side without understanding the business first.
And so how do you, when you approach a
new client, how do you work that part of the engagement? How do you understand the business flow as quickly as possible?
Patrick: Yeah, and that’s a real challenge because that’s time you have to build in your assessment one way or another, and then that turns into—translates into fees, right? And you’re trying to keep it manageable, you’re trying to keep—but make sure you get the engagement that’s scoped and focused the way you want.
So kind of two ways. One, I make sure that all of my introduction meetings and all of my kickoff—not kickoff meetings but all my introduction meetings—are complimentary. I want to learn about you and your business and if I can help you and how I can help you before we even engage.
And then part of the kickoff meeting of the project, the first meeting, we’re going to talk about the business for a while. So tell me about—I’ll start with, if I’m working with a control assessment, like the recent example I gave with IT manager—tell me about your technology. Like break it out, talk me through your network diagram, talk me through your systems, your information flow.
And from there, break off into different questions and just start peeling it back.
And you have to ask questions and listen first.
And then as you go through that assessment, you’re not going to find it all out in that half hour, hour, or whatever you can dedicate in the kickoff.
So as you go through the assessment, stop and say, “Maybe I care a little bit less about where’s the MFA right now because I want to know what is this process.”
I actually went through something similar with a manufacturer that I was working with when we were talking about passwords. And it was, you know, CMMC assessment as well, so a higher bar.
And they had a production computer or computers on the production floor that they had the machinists would sign into to log time and look up parts and stuff like that. And they had a common password on them.
So we talked through, can you have it or not? What’s the screen timeout on there? Re-enter the password?
And when we’re talking through, I’m like, “Well, if you have it lock out after five minutes, then they have to type their password back in. That’s common logic, right?”
And my client goes, “They’re going to do that a hundred times a day. And even if it takes five seconds to type the password and multiply that out by the day and by the week. And how much time are we losing on our production a week by typing in passwords?”
Right. So, oh, okay, let’s rethink this. Let’s come up with a different solution then.
It’s not always our common path of thinking of what we have to do. Sometimes you have to figure out compensating controls and can we scope it different.
Back to the example I gave earlier. Is this something that needs that control to that level or can we adjust it a little bit?
Greg: Yeah, it’s so important to understand the friction that you could be introducing with processes just because you want something a certain way without taking into account the whole business flow.
Because ultimately, the only reason why we’re there is to help the business continue to be a business.
I mean, there’s nothing else. I mean, that’s why businesses are in business.
And one of the things that I think it’s almost a requirement nowadays is like in any conversation with regards to—if there’s a vendor that’s trying to sell something or even on a podcast, I guess now it’s kind of a soft requirement—I’ve got to ask something about AI, otherwise I get kicked out of the club or something.
So I’m going to do that. It’s like, of course, AI is such the big buzzword. It seems like we have a new one every couple of years or something like that.
And so people are trying to understand the risks associated with it.
I’m curious, from your perspective, how do you see—or do you see—the smaller businesses addressing AI usage and AI governance? And so how? And if they’re not really addressing it, is it a cultural thing? Do they not feel it’s such a big risk? Or what are your thoughts on that?
Patrick: That’s a good question. I think a lot of businesses are eager to use it somehow because just the hype around it and the way that they see other businesses are using it to enable their business.
So I think they’re hopping into it pretty quick. And I’ve had a lot of businesses ask, like, “What’s the risk here? Like, can I use it? Should I not use it? Where’s my information going?” So they’re asking a lot of good questions.
And my answer to them is usually: use it like you’d use any other tool. The AI isn’t your business anymore. It’s a business-enabling tool—so use it that way.
And when it comes down to the risk of it, treat it like you treat an intern. You’re going to hire an intern. They’re going to be here for a short amount of time, and then they’re going to leave. Are you going to give them access to PII, to personal data, to your accounts? Are you going to tell them things you shouldn’t tell them? Probably not. You’re going to restrict how much you’re going to tell them.
And on the flip side, make sure you’re checking their work. Are you going to give the intern free access to post on your social media and to send reports to your clients? No. Are they going to draft one for you and bring it to you? And then you’re going to proofread it and give them some feedback and change it? Probably.
So do the same thing with AI—at least in the LLM usage of it—is don’t upload anything that you wouldn’t tell an intern and check the work like you would an intern.
Greg: Well, and when you first said “intern,” I was internally chuckling when you said, “Treat them like an intern.” I’m like, what is he going to say? It’s like pay him really bad stuff, put him in a desk in the machine room and blame everything on him. I mean, isn’t that what we do with interns?
I’m only kidding, everybody. Don’t haze the intern. Don’t haze the AI. They’re both going to remember—particularly the AI when they take over the world.
I always say please and thank you to GPT.
But the point, too, about, you know, be careful what you put in it. Don’t assume that the AI—like the free version of ChatGPT—it’ll take what you put in and it’ll learn from it.
Some of the other versions, you have a way to toggle that on and off. And depending upon, I guess, which level it is might be which is defaulted.
You need to understand that. You need to understand where—and this is true no matter where you put your data, but even more so with AI because it’s just so easy to do something so bad.
It’s like before you type anything anywhere or speak anything anywhere, understand where that anywhere is and where it can go.
And I think that if we can get people and businesses to understand that basic truth right there—think like a risk manager—instead of like just saying, “Don’t do something,” we’re going to get a lot more traction.
Patrick: Yeah, I agree. And I’ve told people before—and ChatGPT is an example—with the subscription, you could toggle that off.
But I always tell them, okay, A) there’s just another third-party vendor that you have to decide if you’re trusting your data to, right?
And if you do, do you trust that toggle? When you look at the way that all these models are created, do you trust it? I think there’s rightfully skepticism there.
So these models scooped up data and brought in data and there’s lawsuits of works that are being used for the different models and stuff like that. They’re in a race here and they’re trying to build their models and their data sets.
So maybe you trust them at their word, maybe you don’t. But if you really want to use AI in your workflow, you can set up local models.
So it’s a bigger lift, especially for a small business, but you can set it up either locally on a physical or you can host it in a cloud environment where you can keep all of that data you’re uploading within your system.
It’s not going back to them. You know it’s not, because if you set it up the right way, you know it’s not.
And it’ll have the same power that those LLMs have. So if you’re really looking to use it in your business, you know, put the resources to it and use it in your business.
If you’re just looking for a shortcut and you want to throw it in a web browser and upload it, that’s a different level of risk.
Greg: Yeah, it’s stressful no matter how you think about it, though—even just trying to keep up with the technology.
You know, that’s what makes our field so much fun and yet stressful.
And of course, being an entrepreneur has its own levels of stress.
We talked about, you know, it’s not exactly easy just going out and saying you’re going to do something, expect business to come to you.
I always encourage folks that they need to decompress from the stresses of the job and from being an entrepreneur, for those who are.
It does seem that more often than not now, I’m talking with people on this podcast who are solo business owners or small business owners.
And I don’t know if that’s just—there’s no strategy behind it—but I’ve realized that most recently that seems to be the case.
So I encourage folks that deal with the stress in a positive way. I think all of us, I can certainly say for myself, I have dealt with stress in a negative way, an unproductive way, an unhealthy way, and it’s not the way to go.
So I encourage folks to do this. And that’s why I ask this question. Plus, I always love hearing what different people do. What’s one of the things you do to decompress from the stress of everything in our field?
Patrick: Yes, I think from the entrepreneur side first is you always hear the sole entrepreneurs and business owners of the fifty, sixty, seventy—however high work weeks you want to get. You need to put the work in, and it’ll be more some weeks than others. You have busier weeks and you’re going to do a lot of upfront work.
But I do my best to keep that balance and keep it within the work week, within reasonable hours. That way, when I’m off, when I’m not working, I’m not looking at my phone and working still.
So really make that separation the best you can. I think it’s healthy with any business, but keeping—or any job—but keeping that true as a business owner, that way, you know, the weekends are mine unless I’m scheduling an event or something. They’re mine to do what I want and keep that disconnect so it doesn’t feel like I’m always doing it.
So with anything, especially a job, you need some difference, some separation. You’ve got to change your pace.
I think that’s the first thing.
In that free time, it’s spending time with my dogs here, getting outside with them.
In the summer, I play in a hockey league. I love playing hockey. It’s good just to go run around and sweat a little bit.
And then, you know, through the winter, it’s staying inside, playing video games, finding games that are not themselves stressful, because then you’re just transferring your stress to a different target.
But just find a way to get immersed in something, take your mind off of it.
And you know, that—video games could be anything, whatever hobby. Just have a hobby. Have something you do. And, you know, for me, that’s what I like doing.
Greg: So in my days when I lived up in the Buffalo-Amherst region, I remember—and I often tell people that they have two seasons there. It’s July and snow.
But you’re talking about—I mean, that’s obviously an exaggeration—but you talk about having hockey, playing hockey in the summertime. That’s a thing up there.
Patrick: Yeah, so it’s indoor ball hockey.
Greg: Well, I figured it would be indoor, yeah.
Patrick: So we actually play—it’s on an ice rink, but in the summer they don’t maintain the ice, so we play on the surface where the ice usually is.
So it has to be off-season for ice hockey.
Greg: So you’re hitting a ball around?
Patrick: Yeah, yep. Oh, yeah. On foot, using the ball. There’s roller leagues, there’s ice leagues, there’s different types. Even the ice leagues go year-round too, though. Some places do maintain ice and have year-round ice leagues.
Greg: Well, I could actually see the advantage of wanting to go spend some time in an ice rink, you know, in the middle of a hot summer.
But the one good thing about Buffalo that I remember weather-wise that—you know, you got those two big air conditioners, the cold lakes, Erie and Ontario.
And often the wind is from up there. It’s like—the weather in the middle of the summer in Buffalo is absolutely wonderful.
I’m in Tennessee now and been here for thirty years. And it’s, you know, it’s a little bit hotter in the summertime.
Patrick: Yeah, I live in a more rural area. So I’ll leave here to go to an event downtown. And when you’re downtown, the arena for a hockey game or a lacrosse game or something, it’s right on the waterfront. So it’s easily ten degrees cooler and windy there.
So I’ll dress one way, I’ll be like, “Oh, I should have dressed a different way.” So it catches me off guard all the time. But it’s beautiful down there.
Greg: They still have that single line rail that goes from the university straight into downtown?
Patrick: Yep, still running.
Greg: Awesome, awesome. Yeah, many times I was on that train.
But what are some future plans you got for either you or for InfoSecurity Blueprint or both?
Patrick: Yeah, so I guess for InfoSecurity Blueprint, it’s just—I’m almost two years in, so it’s constantly reevaluating what I’m offering, how I’m offering it, who I’m serving. And it’s really part of my mission to serve small businesses, micro businesses, small businesses, nonprofits—some of the types that don’t typically have the resource that I’m providing.
So my plan is to build out enough of a client base that I can, you know, turn my focus back to helping them and, you know, making things affordable for them and offering them services and keeping them secure.
Greg: Awesome. If somebody wanted to get a hold of you guys, what’s the best way to do it?
Patrick: So if you go to LinkedIn or Facebook, you can search for InfoSecurity Blueprint. You’ll find the pages there. You can email me directly at prost@InfoSecurityBlueprint.com.
Greg: Awesome. Well, Patrick, appreciate you spending time with us this morning. Good to hear a little bit about the Buffalo area. It’s been a while since I’ve been up there. I’m going to have to take a trip up there at some point in time.
But it’s great talking to you this morning. Thank you for sharing your wisdom.
Patrick: Yeah, it was great talking to you. Thanks for having me.
Greg: All right, everybody, stay secure.
Patrick: Thank you.