
...worked with quite a lot of vendors, Fortune 500 and other major folks out there in the industry. These are my contact details; they're just here, they're not at the end, so if anyone wants to reach out to me, please feel free to. I've created this email just for this event so that no one can phish me.

All right. Topic of the day: security architecture and adventure. So how many folks here work in security architecture and feel it's an adventure looking into the architecture every day? Hands up, anyone feel that way? Okay, great. Because I get fascinated when I go out and do the reviews or perform due diligence. I get fascinated by the things I see out there proposed by vendors, business, whoever, project teams, right? And I'm like, wow, okay. Example: everyone gets the admin role on this application because it's just five people who need to have this application, so everyone is now super admin on the application. This is something we find out a lot, and those admins can do whatever they want, right? So I'll start with this, but our cybersecurity team is always working on it. Those adventures: they love those adventures, they turn those adventures into opportunities.

So the idea of today's talk: I will not be just talking about adventures, there are so many of them, I could talk about them for days and days. What we'll talk about today: we're going to think and talk about building an enterprise security practice, the concept of security architecture and the security architecture framework, and most important, how we can come up with an assessment that can help us improve that framework.

Normally, in an organization, security architecture can be seen from two different views. One is that everything that falls into security comes into security architecture, be it SecOps, assurance, red teaming, blue teaming; all can fall under it. There is another version of it that I like, which I'm presenting here, which is that security architecture should be something that is standalone and is helping our folks in operations, on the assurance side, on the security GRC side, and building it all up to the security posture. So there's one security posture that we think we should achieve, and then all of these drill down; there's a tree that forms under that security posture, like: yes, we want to do threat hunting, we want to do pen testing, vulnerability management, we want to establish a good security architecture posture for applications and systems. And then there's our blue teaming and red teaming side, and then there's a GRC side who's doing the policies. Now it is possible that some organizations have small security teams, budgets and all, and they might be wearing multiple hats, and there are other organizations that would be like, yeah, okay, we have this bandwidth and manpower, we can do this, and some are doing that.

We'll see the role of security assessment as a shift-left approach. The presenter before me did a really good job at that, and yesterday on a panel I was listening to Tanya and others, where they were talking about shift left from a DevSecOps standpoint. We're going to think of shift left from the perspective of building a secure architecture and how an assessment can be implemented in that way. We'll understand where assessment can be applied, how it can be built, and we'll understand how to kick off the overall process. Now, the goal is to understand the overall strategy of it; it's not something that will be built in a day.

So okay, what is security architecture? The first thing that came into my mind: my best friend ChatGPT. I went to ChatGPT and I asked, what is security architecture? And ChatGPT gave a definition of the components, like security layers, network segmentation, there should be access control, monitoring and response, and compliance and risk management. There's a lot more to it, but that was the initial answer we got from ChatGPT.
Everyone is using ChatGPT, right? There's no one who is like, no, we don't use chatbots because they steal our information? No one thinks that? Okay, okay, I'm the only one. Okay.

So what is security architecture? Some of my findings that I've seen: security architecture means the strategic design of your security controls in the organization. It helps align cybersecurity with business goals. Very important: we want to align with the business goals, the business vision, the mission of our organization. It is unique, different for every business. It helps enable gap analysis, be it a threat risk assessment or whatever we are doing; when we are trying to build a strong security architecture, one of the initial things it gives us is a gap analysis of what gaps and risks exist in our environment today. And then the final product, what we want to be the final product out of this, is a framework, a framework that is supported through something we can call assessment, which helps us build it. It helps us build the framework, the assessment and the process, so that if we send something out to a business it's not a surprise for them. By business I mean anyone in technology who's doing a project, bringing a new application, a new vendor, standing up a new platform: it should not be a surprise for them. It should be a process that everyone understands; it should be familiar questions that go out every time, and they know that the security team, or the security architecture folks, are going to ask us these questions every time. It becomes more of a habit of bringing that into design. It's kind of a culture shift.

Okay, what concepts fall under security architecture? There are so many of them, so many. But zero trust: it was quite a thing a couple of years back, before AI. Everyone was marketing around zero trust: you can buy a product and it'll do zero trust in your environment, it'll just implement zero trust. Anyone did that? I did; it failed. No product does zero trust, no product. It's how you deploy it, how your culture or organization is. But there are other concepts that go into it, and some are here, enablers through some controls. There is more to it, there's more to it, but I can only take so much; it's just a vast, vast topic, and as I said, I can speak about it for days and days. So: zero trust, defense in depth, enabled by security through obscurity? Anyone? No? Okay. Network security, application security, cloud security, and so on. But I've highlighted two items here that I really want to talk about.

The first is security through obscurity. It is not really a concept that comes under security architecture, but it comes naturally. So what is security through obscurity? It's like: if an attacker or an outsider doesn't know my system, doesn't know what's in my system, they cannot hack it. It is protecting the secrecy of your systems, not really implementing security controls and best practices. It should not be the practice when we are practicing security, or when we are doing security through obscurity, because it's like, no one's going to know it, we can keep passwords as admin123 and no one's going to know, because it's just admin123, no one knows it outside. So that should not be there.

Another is balance: balance between usability and security. I don't want my users to click on an authenticator or OTP every five minutes (there have been known attacks around that now), but I don't want to make it so secure that it's difficult to use by my business folks or my IT teams out there. But I don't want to make it so simple that they can set up... I love passwords; admin123 is my favorite password, so I don't want folks to set passwords to admin123. So a control on it is we put complexity, password rotation, minimum characters, all that kind of stuff. So usability and security, sometimes it's said they go directly in proportion, in terms of physics, but that's not really what it is: it's about how you balance both things and they play hand in hand.

Okay, too much. We have talked so far about security architecture and the concepts that fall under it, but how about where to start with it? Now this is known knowledge out there, but how do we start with it? CIA, everyone knows it, the CIA triad: confidentiality, integrity, availability. Think about it, and then think about the systems, platforms, users, applications that fall under it,
right? What will be the impact? For example, if there's an HR system and everyone has access to that HR system, and someone changes the integrity of that system, what will be the impact on the business? The integrity has changed. Now, if there is a crown jewel, a very important application for your business, and it's down in business hours, it's not available, there's no redundancy, there's no backup, what will happen in those scenarios? These are hypothetical scenarios, they might not exist, but these are some scenarios that we think about. Think about sensitive data: where that data is stored, who has access to that data, third parties. Things like supply chain vectors are very important when it comes to sensitive data, because when a supply chain kind of attack happens... data is the most important key that we're trying to protect, along with our systems, people, everything else. And think about integrations: in our environments there's no standalone application that is working all on its own. There are a lot of integrations, APIs running at the back end, and these APIs are running in milliseconds, and there are thousands of these. Think about those. And very important, think about assume breach: what will happen if we are breached? What are the controls in place that are stopping an attacker from lateral movement? Do you have the right roles and permissions in place? Do you have network segmentation in place, or do you have a flat network? These are some of the questions that you would go and think about when you start thinking, okay, let's create an architecture practice.

All right, great idea, good idea, my cat says so. But: I don't know my full inventory. It's a legacy system, I have no idea about its integrations, it was there before I joined. How many people have heard this: it was here before I joined, so I have no idea? I don't have all my crown jewels listed. Some would say: we've done an assessment, an audit in 2016, that was a one-time audit requirement, and that's when we had crown jewels; we have no updates after that, and that's what exists today. These are things you find out when you go talk to BUs, talk to teams out there, to procurement teams and such: you will find out things that are missing. Things would not be up to date until you have a really fine-grained automated process that is working, and a huge security budget, millions of dollars. Think about APIs running at the back end, but who knows how many APIs, what system is running what APIs? I don't know. And then think about AI: everyone is adopting AI at the speed of light. I don't even know what security controls should go into it; there's so much security research going on in the field of AI, but everyone wants to adopt AI: chatbots, translators, all of these. And there are so many vendors out there and partners who are integrating these AI features into the applications as part of auto-updates or updates, which we see: oh, now I see on my social media there's a new AI chatbot that I can ask questions of, and surprise, it's training on your data. Recently, if you've heard the LinkedIn news or checked your LinkedIn settings, there's a toggle in your LinkedIn too for AI which is saying AI might be training on your data; if you don't want that, go and disable it. I like people training on my data; it's false data, so good.

So a broken API is an example where a user asks for a joke: why did the chicken cross the road? And the user is like, punch line, come on, it's time, punch line, punch line! You didn't create a fully established API; it doesn't have the punch line. And I won't even go into user training and all that, but this is a real-time example where it was practiced: the report phish button was actually embedded with a malicious URL, and it was an obvious malicious phishing email, so everyone, as soon as they saw it... it was 100% a phishing email because it was crafted that way; they went down to that report phish button and clicked it. That is the training given out, that's what folks are supposed to do: report it.

Okay, so coming back to building a strong architecture. I made a transcript because there's so much I might get confused, so ignore this. These are a few concepts on how to start with the process. As I said, think of it from a
high level. Start with creating a security architecture framework that supports your security posture: on top is the security posture, then comes the security architecture framework, and it should support it. And it should be custom to your organization's needs. There are standards out there that can help you with this: NIST, COBIT, ISO, CIS, MITRE. None of these will be off the shelf, fitting your environment or your organization's needs; for most scenarios it is mostly a hybrid approach. You read NIST best practices, maybe the Cybersecurity Framework, you go to ISO 27001 to read those, and then you come up with what actually should align with your organization, what should go with it. Based on that framework, build a security assessment to support it, and apply that assessment as a preventative control. Everyone's talking about shift left, and actually I'm loving it. So shift left: before you bring things on board, before you onboard it, you apply this assessment. You apply it as a preventative control that supports the defensive controls; it supports your blue team, red team, it supports the tools you have in your environment that are saying, okay, we are going to detect as soon as we see a ransom note. Before going to that stage, apply it, so that folks are not able to get to that stage. I'm not saying that's not important; everything here is a lifecycle, but shift left on this methodology.

Very important: make the business aware of the assessment framework and the process, because this can be seen as a hurdle sometimes. What you can do is provide training, provide examples to the business folks or the IT teams of what you're trying to achieve: actually you're trying to identify risks at a very early stage, and very important, you are trying to be in line with project timelines. You are not stopping a project on Thursday when it's going to go live on Friday; you are giving your security requirements at a very early stage of the project lifecycle, maybe the first, second, third week of the design. So train your management, train the users, to think of it as a process improvement and a culture improvement, rather than seeing it as something that can block or produce delays.

Okay, what can be in a security architecture assessment? Security boundaries, that's all you care about? Now, yes, okay. So, anything that connects the dots. When you think about creating a security architecture assessment, you can go at different levels. This part of it will be when you're talking about the vendors, when you're talking about any platform, internally built applications, internally built systems. In those scenarios, ask questions. The assessment starts with Q&A. Build this Q&A that applies to everyone in your environment, and send this Q&A to everyone every time, the same questionnaire, so, as I said earlier, folks become familiar with these questions and the practices we are trying to implement in the culture, in the environment. So these are every time the same kind of questions, and this is not just a one-time questionnaire; there'll be follow-ups back and forth, but start with it.

Ask questions around authentication: MFA, permissions, roles. Data security: what kind of encryption in transit, encryption at rest, where are the encryption keys being stored, what kind of tokens are used if it's system-to-system authentication? Nowadays, some recent things I've seen: refresh tokens being used a lot when system-to-system authentication is happening. There's an authentication token and then there's this refresh token, and the refresh token is not expiring; its lifetime is set to infinite. But actually no one is going out there to that depth, asking how the refresh is taking place, what the expiry of the refresh token is, what the refresh token is doing to the authentication token. So these are the kinds of questions that you go ahead and ask when you do this Q&A.

Logging and monitoring, a very important aspect. We see folks doing logging and monitoring all the time, but locally on a system, on a server, and when an attack or incident happens, the first thing, because it's locally on a system, is someone goes in there, tampers with them, changes them, deletes them. No point creating logs if they can be deleted, changed, tampered with. No point. Always, always, as a practice, as a very early practice, make sure that logs are being stored at a location or storage where they cannot be changed or altered. Public S3 buckets, best practice? No, I'm kidding; don't do public S3 buckets. Use Log Analytics workspaces, use this... there are ways out there. If you're using an S3 bucket, make sure you're securing it. There are SIEM solutions
that give these kinds of functionalities: to store your logs, who has access to the logs.

Application security. If there's an application, a SaaS application, that is part of your project, think about it, ask questions around validation. Take best practices from the OWASP Top 10; it's out there, you don't have to create anything from zero up. The practice is there; you have to go read through it and then think about what the right questions are that I should ask from these top 10, because OWASP has literally gone into each and every one of the top 10 they've given and explained it through: they have the tactics, they have examples, they have mitigation strategies, controls; they have built a complete format of it. Follow it.

Networks: ask about networks, firewalls. Ask about flat networks; if it's being implemented in a flat network, bring up things like micro-segmentation, macro-segmentation, zoning, at a very early stage. This is a strategy that, if we start bringing it up, sometimes you'll see some project standing it up if it's not there, or if it's there, getting it utilized in a very good way. All of this is shift left: when we're doing this at a very early stage of a project, when our application comes in, a configuration comes in, we are doing it at the first point. We're not doing it at the end when everything is built and now you're coming up with "these are the security risks" and coming up with a timeline, "we'll fix it in two years." That should not be the approach. The ideal approach is you give them requirements at a very early stage and say, let's plan it before we come into production if possible; if not, let's see what mitigating controls we can put in.

Okay, so this is from the perspective where we're thinking about internal applications, developed platforms, vendors brought in, those kinds of scenarios. But usually I see APIs. In the industry, the practice I've seen, having talked to various folks, is around APIs: what kind of questions are asked about APIs when we say there is integration at the back end? This should all fall under it. Here are some examples of this year's recent attacks or breaches that happened due to weak APIs. 400,000 Life360 users' phone numbers were leaked; it was an unsecured API, basically. If I go into more depth, it was an unauthenticated endpoint for an API: you didn't need authentication on that. I think it was because they thought phone numbers are not sensitive information. Hackers abused the API for millions of MFA phone numbers, and then they did a SIM swap attack to verify MFA. So they somehow had passwords, and now for the second factor they have phone numbers; with a SIM swap attack they were able to verify the second factor and get into the system. That's how this happened, actually.

So what are APIs? Think of APIs as roads, roads in the town. I recently came up with this example while discussing with one of my very close friends. These are roads. What do roads do? They interconnect the city; all the transportation happens on these roads. And what do we do to make roads secure? There are so many rules around it: anyone who drives on a road has to get a driver's license, there are signs, the speed limits, stuff like that. APIs are the same: they're taking your data, interconnecting your applications, enhancing your application's capabilities to fetch data, fetch functionality from other applications, dependencies. So why not secure them? Secure them; it's a similar thing. Here we are protecting people, there we're protecting data; both are very important. So at a very early stage, again, I would keep saying at a very early stage.

So the concept of secure by design, securing during the build process, is one of the best practices that I've seen so far that has helped the various organizations I have worked with. The OWASP API Security Project: they recently updated it, maybe two years back; they came up with these different categories. I track OWASP so much because they keep on updating it; it's a living document. They have best practices for application security, for APIs; they also have some stuff for AI, which we'll talk about later, but same concept: they have it there and they've explained it very well. Take best practices from that, ask questions around those best practices.

Documentation for developers: this doesn't just go for the APIs but the entire DevOps secure coding stuff, but documentation for developers for APIs, how they should build them, is very
important. Folks who are using templates: in some industries I've seen templates made by developers for their community; they can just download that API template and start coding on top of the template, and don't have to create everything from the base. So if someone is using those kinds of templates for automation, how they should start coding it as per the security best practices, and those can be taken from something like OWASP. And OWASP is not the only source there; NIST has published publications around API security, and one of the industry vendors is also doing a great job. I would like to call them out: APIsec University. I don't know if you guys have heard about them; Corey was here last year. They've done a very great job at explaining API security; they have free courses, they have certifications, all that kind of stuff. So if you guys want to see, just search "APIsec University" on Google and that'll be the first link you'll be seeing.

Okay, implement tools and checks around the design phase of it. I've come across this very good flow diagram which shows an infinite loop. The infinite loop is between the API development lifecycle and the API operation lifecycle, and the idea is: start from initiate. Initiate is when the idea is generated to create the API. Start from there: design, develop, test, document, and from document to configure, deploy, publish, operate. Make an infinite loop of it, integrate both these things, keep monitoring them, and this is the way I think most of this should be established, at least.

So again, coming back: what can go in the security assessment that is going to help our security framework, which is going to help our security posture? Okay, all right, again: security boundaries. API integrations: we ask at the time of assessment what kind of integrations are happening. If the answer is no, it is fine, good, great. But if the answer is yes, again we go back to the best practices, we ask those Q&As, we document API control standards, we send those standards to the development community at the very beginning when they're starting to develop it. Start implementing thorough monitoring on the APIs. And an API inventory, very important: when we are bringing in new APIs, make sure to add them into your inventory. If it's an automated process, great; if not, try to make it an automated process. There are tools out there which are available for free; free tools have their own perks, I would not go into that, but there are tools out there that will help you inventory your APIs, and this will really solve a lot of the puzzle when we're talking about architecture. All of these best practices I'm saying here should go into your Q&A for the assessment that you do due diligence on at the very beginning.

Okay, AI. So this is something I asked ChatGPT again; I've written something about it, actually. So I asked ChatGPT what AI is, and it came back, because ChatGPT is my best friend; I ask everything of ChatGPT, because if I start asking my friends these many questions they'll block me, so I just asked ChatGPT. So it said, okay, there's weak AI, narrow AI; it said there's strong AI, general AI; and then it said there's Terminator, a super-intelligent AI. I mean, right? When it said super-intelligent AI, it's hypothetically surpassing human intelligence. I'm like, I should not have asked; it's creating panic in me now. Losing jobs? No, no, it can never do that, I think. But overall, what AI's aim is, is to mix automation with intelligence and bring efficiency into the workplace. Cool. Are there any cybersecurity risks there? I don't see any. Anyone see? Okay, okay, you're getting my jokes, good; I'm bad at it though. Okay, I see cybersecurity everywhere, and I've been talking about shift left so much that even my animations will be shifting left. It's so much in me; you'll see they're going left, left, left.

So here are some examples we've seen recently in the industry. There was this example where a hundred instances of malicious AI/ML models were seen on a platform, on the Hugging Face platform; it's an artificial intelligence and LLM, or natural language, vendor that provides a community of collaboration for all AI models. More than 100 instances were seen that were carrying malicious backdoor threats into the models. Google AI search prompting phishing sites: it was giving phishing sites as output, where it was taking folks to unwanted Chrome extensions, such as iPhone giveaways. Who doesn't want a free iPhone,
right so iPhone giveaways browser spam subscriptions and other things X is facing a gdpr complaint recently because you don't know where the chatbot is going to take your data to train it so that is one concern gdpr if your if your organization has to be compliant with gdpr in any ways or forms and then Integrity issue huge AI is not just cyber security risk it's it it has risk ethically it has risk to integrity and then cyber security is on the top of it it's a cream so obviously um musician was charged with 10 million streaming royalties fraud using AI even the AI is helping to steal artists uh work here okay one thing that I recently came
across um in the last event that blackhead this year someone was presenting around around llms and how the the models llms and Rag and chat Bots based on them work and hallucination and prompt injections they go they go in the model it's how the model works you can change it they're controls on it they're mitigating controls on it but that's how the model work so here's an example this is me typing in it's kind of same example but I I typed it both in chat Copilot and chat gbt that's I think the most used chat Bots today and I was like I want to show of a reer with nothing but a goat and I've got a board I want to carry two
items how can I do that so you see the answer right co-pilot is awesome it's saying take your cabbage wolf again saying wolf I won't take a wolf with me on a boat I would die it would eat me but this is this is kind of things that you should one should be aware of when we relying on on chat GPT chat Bots for information right and nowadays even if you if using chat gbt more recently it's even giving a disclaimer at the very end the model might be using your information to tree to train right this is the disclaimer that chat GPT is giving now so just FYI how about securing it no need it's secur by Design
secure by default it's it's the co-pilot thing that Microsoft present I don't want to go into it co-pilot Studio but if someone wants to talk about about it please feel free to after the talk right I'm here um again we don't have to develop anything from zero up there are standards out there the so I've taken what what each of this does right the nest AI RMF it talks about security privacy ethical controls around AI theas top 10 llm provides good control on the llm based AI models chat Bots and very important MRA Mitre is a living knowledge base MRE at list is a living knowledge based of advisory tactics and techniques on against the AI embedded systems and this
is based on real world observations it's a living document it gets updated regularly right to take guidance from it if you're making a threat risk model against an AI so let's um you can apply this treat external data as input if the AI model knows the data it can leak the data and it would not um keep your tradition it would not keep your traditional U reack or permission model up to this limit so it it have access to everything if once it reads the data it can be it can leak the data and a chatbot can be controlled the output can be controlled to it right I can train it on a wrong data set for a targeted audience and I
can influence it through that design Downstream components as if they are internet facing right anything that is coming down from your AI model have some kind of check at that point always treat it as if it's coming from internet for all the other controls you're taking from internet you have some controls out there right folks have have implemented some sort of technology and not name any but how about AI this start one should start implementing these controls on AI as well and monitoring of AI applications and chatbots there a lot of New Market vendors coming up with this technology which is great and for they would they would provide you insights on what your users and what your applications on chat
using AI is doing what is going outside what is coming inside what kind of attacks that I've seen if it was injection tag jailbreak kind of scenarios it would give alert it is more of a sack op side that can take care of it but this is a part this is a part that you should ask when when you're doing this due diligence again coming back so security architecture assessment security framework security posture right coming back at the very low assessment what should it do and we should start asking questions around AI does your application platform have ai it have features on AI does it digest or integrates with my data right is it training on my data if
it's not training on my data, what is it doing with my data? How is someone claiming that this is only internal to your organization? One of the great myths is that the data is only internal to the organization. If the chatbot or your LLM is prone to injection attacks, or I would say jailbreak, nothing is internal at that point. Zero trust.

Actionable advice at the very end. Design and create a security architecture framework that fits your organization. Understand the new attack surfaces; it's not just the traditional way, that we'll implement RBAC or we'll take a tool from the industry that'll do defense in depth and zero trust by default. Build security assessments to support your framework, be it a manual assessment, using a tool, or using a threat risk assessment; before this talk we've heard about it. Adopt shift left. Add evaluations for multiple technologies; you don't have to create an assessment for every platform. If you're doing it, you can have one single assessment that would apply to all; it can be a smart assessment where people can go and say it is out of scope: are you using APIs? No, it's out of scope; it should not ask more questions. So there are ways to build these; if you want to talk more about it, we can discuss. There are existing frameworks and standards out there; again, I've said this multiple times, we don't have to build anything from the ground up unless we are researching on it; feel free to do so, and include me. But there are existing frameworks out there; use them. They're of great knowledge, they're living documents, they're being updated regularly.

Thank you. You're awesome, you've heard me for 30 minutes, so thank you so much. Ah, I have time for questions? Oh, okay. She's bringing the mic.

Hi. Thank you for the presentation. I want to ask about AI and corporate data. So if you have an AI being used in a corporate environment, it will have access to all the data that is being fed. What about the data that is sitting on storage in the corporate environment? Is it possible for AI to have access to that data?

It is, if there is an integration. So, for example, AIs are having a lot of out-of-the-box integrations with a lot of platforms. While you're building the chatbot (they call it the creator, the creator of a chatbot), if at the time of creation you're building it in a way that there's an integration but you're not utilizing the data, there's still an integration; it has access to the data as soon as you give the initial link. It has access to the data.

Yep. My name is Rise. You were able to keep me engaged throughout the presentation, because the scenarios that you described during the presentation, like the one about the legacy system, I've come across those questions at one point or another in my career, so the presentation was brilliant. Now coming to the question: you mentioned during the presentation that you implemented a security architecture framework at the place where you work. So my question is, how long did it take you to incorporate this process into your environment, and how were you able to convince your management? Because usually this security assessment delays the overall project delivery timeline.
right so um not just one organization I've seen this working in multiple organizations right the the idea behind this right is is training training the management training the management and bringing out value out of it right showing them at a very early stage that you've identified a risk that could have exploited right for example MFA being sent to SMS on SMS otps being sent to SMS which is provable to a Sim swab attack right so these kind of scenarios metrics you take to the management saying we are we are going to stop these kind of attacks at the very beginning of a project and explain that this will be a life cycle this will not output delays
this will be going along the life cycle of the project right timelines this is a culture change it takes time it is not a weeks months quarters job it is years right it takes you start something you get Buy in you create a process you train folks right say for the first year and you start doing this and slowly first of all at the very beginning you'll get push back 100% it's some de developer community folks or project management side would say no we're not going to do this this has never been happened before and all that but with time and with management support maybe depending on how your organization it's a multi-year project kind of thing but
at one point it will start supporting itself people will be aware of it and they will start start implementing it by themselves thank you uh just have one question and hello hi Tom um thank you great presentation um I want to ask a question on um you defined one of the challenges as uh lack of information people don't know it's a legacy system it was before us um another big one was striking the balance between usability and security how do you define that sweet spot where usability and security both have their say and it's it's a secure architecture great when my manager says good that's no no what I what I usually what I've seen is it's a lot of back and forth
with the users sometimes you would go with a control that when you start using yourself you'll feel no this is too much right I do that when I suggest a control before suggesting that control out to the folks I try that control on myself right I might say for example someone is using their BYOD I would say encrypt your disk right there your dis should be encrypt it and then I would come back to my system and say how I'm going to encrypt my disk right all those steps so first of all you apply it on yourself and then there's possibility you are a security guy or it person who understands it can deal with it have
someone tested in the business site take advice have have a have a group that you can go to and say can you look into it go to seit sometimes or or folks who are supporting seit right talk to them say these are the things we are going to implement you think we will get the Buy in do you think it's too much and that will really solve the problem and you'll not get the push back when you'll present it on a final day because you've spread it so much and you've talked about it so much to all the folks that the mindset is already there that yes this is bringing value and this is also
bringing balance along with it so yeah so would you suggest that governance would uh drive this process in terms of uh making sure that people are following the uh secure architecture uh you're implementing policies around it standards around it and procedures around it so would it be the governments would it be the driving force or uh the business it depends it really it really great question um it really depends what what what government wants to move towards with right there's a I see there's two segments right this private sector and this government sector both governance yeah okay sorry I missed governance absolutely so how are you going to do this right uh you have an
assessment you can just throw your assessment to people and they'll be like where is it written in the governance site that we have to follow it is it in your information security policy right or is it somewhere in your governance structure that we have to follow it you would you always you'll get this question where does it say in the documentation or in the policy that this has to be done so governance has to drive it right in the beginning of said governance we this process is going to support governance takes give support take support from governance sack Ops and the Assurance side of of this of the security no