
Not Your Mama's Risk Assessment by Seth Earby

BSides Tampa | 35:32 | 60 views | Published 2024-05

About this talk
How to adapt cyber risk assessments to the modern technology landscape.

Transcript [en]

[Music] all right we'll go ahead and get started here uh so there has been a change of schedule for those that are unaware uh we had a little bit of a last minute Dropout and by last minute I have less than 23 hours to develop this presentation uh so please forgive me if it's uh if it's bad if it's great I'm a hero uh so this one is going to be called not your mama's risk assessment and and what this is is really uh what I started as is kind of this grander idea of what I think we have wrong with risk Assessments in the cyber security community and how I think we can improve

on those um it ended up becoming a diatribe of why I don't like Risk assessments and so we're going to explore that a little bit so obviously disclaimer uh these are my opinions this is how I feel about risk assessments if anybody pays me to do a risk assessment I'll gladly do it but this is what uh I I wanted to come up to so who am I um I'm Seth Earby I'm a certified information security manager um currently I am a principal program manager in the GRC space I oversee a Healthcare company in private Equity um have a Consulting background uh did that for many years both in the IT space and security um spent time doing security

and Cloud work and then more formally doing uh risk management and you know GRC uh program development so when I first kind of came up with this uh this presentation you know one of the things that I've been thinking about is some of the problems that that we're faced with as a cybersecurity Community I think that's important which is why I wanted to bring this to everybody's attention is I think we're on the onset of a problem that's only going to increase within the IT industry right you know uh a lot of us have maybe been familiar with that security has been colloquially referred to as the department of no right we're the people that are

going in there telling people no you can't do that because XYZ unfortunately that's maybe sometimes well deserved uh the downside of that is that also presents us into a culture where with some of these organizations that we're seen as uh Inhibitors and not enablers you know and probably a lot of us uh can resonate with some of the on the bottom piece where 59% of us in the cyber security Community are understaffed you know so we don't really have uh colleagues and people in our rooms to really uh you know help us uh o oversee these these objectives and so we're already coming at to a disadvantage from our cyber security Staffing um and you know I think this is

really you know piece you know a big piece of the pie because this all comes together right I think modern IT tooling and the ability that uh DevOps DevSecOps and and people and and modern IT uh engineering organizations have way more tools and advantages when it comes to automation deploying things from infrastructure as code uh containerizing things they can spin up infrastructure and place data in places that we have never seen much faster than we can move before so when we're talking about risk assessments and how we're doing this we're already we're already coming to the game late and this is why I think we need to evaluate the solution so I I

think a lot of of this times uh you know we're we're kind of our own failure right you know and the the analogy here that I find is just super funny is pop sockets right you know we've as a as a society we wanted phones to be bigger better and faster and then at some point somebody had to invent something because now our phones were too big and now they were inconvenient for us to hold you know and I think that we've also kind of done that in in the in the same sense of security where we we know that there are problems that exist you know we know that we have to include governance on

some of these Solutions from engineering from IT from development Etc but the only way that we figured out to uh thwart those capabilities are by introducing these Legacy processes that ultimately end up becoming more of a paper pusher you know and these these assessments that we end up doing you know are already asking boilerplate language you know maybe we're using risk assessments from when we were still you know spinning up Server 2012 and doing kind of a more on premise deployment now we're moved to the cloud now now we're exploring Kubernetes and a couple other uh you know platforms of a service engine a lot of these risk assessments don't have the ability to stack up to

what these modern IT tools on So eventually we're we're left with a a lot of empty questions uh and ultimately you know even speaking to this as a as a practitioner you know a lot of times when we're doing these traditional risk assessments and and these information is getting passed on to us uh you know for the request we're not getting that same Telemetry from the people to understand why are we doing this risk assessment what what what is being asked for this what is the business case where we're doing this we're just being told to do security actions for you know sometimes what I would refer to as security theater right we we want to make sure

that security gives it its blessing but we're not really uh prepared to answer the questions and to really face this challenge head on you know and so a lot of times you know when when we're talking about risk assessments you know what I really want to illustrate now there is a risk assessment as you know some of us that have been carried over in last conversation um you know when we come to like CSS and you know very you know or even more just you know uh middling uh mature organizations there are risk assessments that actually do bring value to an organization you can do a proper risk assessment but a lot of times when I'm seeing risk

assessments is these little ad hoc uh processes when we're doing a risk assessment for a deployment uh maybe in the software uh development life cycle we have a risk assessment to evaluate certain Solutions right they're these you know uh microfocused siloed risk assessments that don't really have any interworking with into the the business you know and there're often these nebulous and uh questions you know where we're asking them is this secure you know is data encrypted well what do you mean by data encryption TLS or AES um you know and I think a lot of times that we we end up doing these risk assessments these are the ones that I'm I'm picking on it's

not necessarily this is a a diatribe of of why all risk assessments are bad but commonly when we Face these see these in the industries this is what you know I want us to address you know and again coming you know a great segue coming out of the the CSF 2.0 you know there is a a great um culture shift in how we're putting governance into our our practices when it comes to cyber security development you know when we're in the governance risk and compliance states that is our job is to identify risk and present you know uh controls and and and mitigating these threats within our organization and this is something that you know

we're tasked to do and sometimes risk assessments may be the best way or may not be the best way to do this but it's one of the easiest ways I I think you know a lot of times I attribute this is this is the C you know the answer C choice we don't really know what the answer is but we can start with the risk assessment right um what we're what we're hoping to get through is this is is understanding a way to pragmatically introduce and understand risk versus you know starting with a risk assessment and you know the other piece of it is with the risk assessments Pro there's not a a one-size-fits-all and there's so many

different specialization when it comes to risk assessments there's privacy there's data there's software there's engineering there's so many different risk assessments that we can do so a lot of times there's not uh a single one-size-fits-all solution so we combine a lot of things and we end up these Franken-assessments and that all all of a sudden the information that we have can't tell a clear story or doesn't give a clear answer of of what is actually going on you know and so whenever we get these risk assessments we're left with not much information right you know we end up with a pretty dumpster fire we end up coming up with a proposal and an

Excel spreadsheet and we're using fancy software and the executives get a p a nice PDF report but a lot of times it doesn't tell us an answer a clear picture of what risk are being presented with the organization we understand that encryption may not be done or you know there may be some uh you know poor uh uh control assignments when it comes to uh user access but it doesn't really give us an ultimate understanding of what this the risk are present with the organization and what we need to focus on for mitigation at a larger level you know and I think a lot of times that I I find this again you know speaking

from my own experience is that these are asynchronous products right so I'm doing a risk assessment on um you know a new development practice and so I take some time and I go in there and I do a you know closeted risk assessment and and and evaluate certain things but I'm not actually having a conversation with these teams if any of us were in the the uh risk management framework session earlier this morning you know that's one of the things that that Samantha talked about is you know the best way to eliminate risk is having conversations you want to have the most impact on organization go talk to people you know and I think when we get into a risk

assessment we're we're uh in a conflict of pushing paper and trying to deliver a product versus actually having a conversation about uh the results we can achieve so you know I kind of come up with my own framework of of how you know I think we need to re-evaluate these risk assessments so solve for X utilize standard risk management practices find ways to leverage governance that reduce these manual processes extract resources from available information and report back to stakeholders so if you're paying attention to that that means we suffer uh is is that's the main thing that I want us to you know focus on is is finding out ways that in each one of

these little elements of how we can uh create these risk Assessments in a practical way so solve for x what this is really going to go into and and what I wanted to illustrate with this right is uh I love this quote by Charles Kettering right you know and many of us have probably heard you know different forms of this but a problem well stated is half solved right you know is what are we actually looking to accomplish here are we doing a risk assessment to produce a risk assessment or are we doing a risk assessment to understand that the the risk that are are available in this service or this practice and how are we going to mitigate it right you

know those that are are uh of us that are experienced GRC practitioners you understand that there's really four things that we can do with with risk we can mitigate them we can accept them avoid or transfer whenever we're doing a risk assessment if they do not fall under one of those four categories to where we're not looking we can't figure a way that okay now faced with this information we can't accept it or mitigate it or whatever that maybe that risk assessment isn't the right answer and then you know under understanding that if we're you know we're truly solving for x that we're actually doing this to create uh uh a value add to the

organization that's going to help us uh you know keep out of these uh Legacy processes and making sure that you know evaluating our strategy when it comes to uh these reports you know and kind of the other half too and I think it's funny within math you know a lot of us probably all grew up that you know uh oh you have to learn algebra and you have to learn these multiplication because you're not always going to have a calculator on you right you know we now we live in a in a digital age where all this information is available to us and so when we're asked to find a problem hey find an issue or you know we need to

do a risk assessment on ChatGPT okay well if we sit all of us in a room and we all produce a separate result on ChatGPT we're all going to get different answers for each one so if the information has already been done can we find a trove of information where somebody's already done this work has already evaluated large language models have done risk assessments on these is there work that we can use from other people to help us solve these answers so we're not solving this problem alone you know and I think that's another piece of just you know utilizing standard risk management Frameworks you know like using the risk management framework from n not using the cyber

security framework using maturity models being able to establish things that people can use you know I think one of the things that's really interesting when we start talking about um risk management Frameworks is a the amount of uh risk management Frameworks that there are um but there are so many great resources that we can use without having to to pay for them right you know if any of us have ever gone through ISO 27001 or going through ISO audits that is a paid subscription we pay the privilege of being able to torture ourselves through that audit and you know I think what helps us as an organization and practitioners is that there's so many

great resources that we can use that can help us align our strategies without having to assimilate into a uh an expensive or you know very uh heavy lift you know and I think when we're understanding the risk within our organization that's going to give us a more clear definition you know when we're using using a formalized process we're going to consolidate information on our own we're we're going to be able to find the uh the real practical issues that happen within uh our processes and you know we'll be able to use work that somebody's already done the uh the mass Forest you know and I think the other piece of it is that there are

organizations that can establish a risk model right you know there is a maturity index you know those are there are three and four and five level organizations that are that have established an Enterprise risk framework that have established you know Enterprise risk tolerance but a lot of us you know again speaking my own experience aren't in organizations that have said okay we are willing to accept any cybersecurity loss between you know $10,000 and $55,000 within this you know system very many organizations do not have that well documented and so a lot of times whenever we're doing these things you know we're we're expecting things to work in a vacuum but the Practical implementation of of that doesn't work

so why we need a solve for these um established Frameworks is that they're going to help us overcome those challenges because they're going to see things that you know we may not see in our own organization finding ways to reduce the manual processes right you know like I said because I I think as an organization you know the the the technology landscape is growing the cyber security Workforce is is struggling right now with keep you know getting people to make you know keep up with demands to uh you know be able to staff appropriately budgets are getting cut and so whatever we can do to to automate ourselves really helps us you know be able to take our programs to the

next level you know and I I think that there's as much as what engineering has you know we can use a lot of that security engineering you know I've even heard people uh kind of working through processes in in the GRC space which you know a lot of us in in GRC don't have a very uh heavy engineering team but you know there are people that are working on trying to do GRC engineering and build things like scripts and and governance process and tools to help us to be able to do these you know uh on-the-fly risk assessments and and and risk quantification that wouldn't be able to normally do uh in our Legacy

processes you know and there's even tools and things out there um you know things like Wiz, Lacework um you know there's so many different uh you know different security engines that can help uh you know not even just GRC platforms but specialized interest you know if you're a cloud company and you have a lot of developers and you're moving you know spinning up VMs up and down and you know there's just way too much for you know one person to handle be able to use things like automation you know be able to use tools be able to use infrastructure as code and containers and and inst structures you know work with your engineering teams to sponsor

these types of Standards uh you know one of my favorite things I always say in meetings is Engineers don't read policies you know I don't know any of us that have worked with Engineers before but none of them can tell you what a single company policy is but as soon as you publish a standard you publish a framework they're Johnny on the spot each and every time and so that's where I think we need to shift from these organizations and not saying that we need to do these ad hoc risk assessments and process but we need to work with our our our leaders and our engineering team to build these standards to where we can

start automating some of that stuff the the resources you know I I think it's it's important because like I mentioned earlier you know can this answer be Googled right you know is there information where people have already done this you know there there's so many things you know nowadays that I think is uh really exciting to be within cyber security is that there's so much work that others have done that have more budget more people more time more expertise to find all the information you know and I I think a lot of times whenever we do this you know we're kind of like this dog here we're happy with the work we resed but as soon as we see

somebody else's one we we realize we missed a spot you know and I I think when we're asking these arbitrary questions and we're doing these qu you know these ad hoc qualifi risk assessments we're leaving a lot on the table right you know things like SOC 2, ISO 27001 if you're a HITRUST organization you've probably been way through much much more suffering and torture than I could ever throw at you you know and so being able to take some of these results and realize that uh the information that we already have or being produced by other people uh can have value and then you know com coming to events like this going to security

conferences looking at DEF CON looking at black you know other Black Hats there's so many times whenever we're faced with new technology that somebody that has way more time than what we can do and a lot more expertise can go in there and do these types of proof of Concepts and understand that these risks are out there you know I find a lot of times when working with engineering teams when you know whether it's a security product or a new way of of devel uh developing software or whatever uh a lot of them may be apprehensive about a new technology because they don't understand it right they they said oh we can't do that because it's not secure but they

have no ability of a to back that up and then and be the the reason why it's it's not it's unsecure is because it's unknown but there's so many people that do this work that can go out there and do these proof of Concepts and that can really you know uh provide tangible uh evidence in order to support these claims you know and I think reporting back to stakeholders is Big you know a lot of times when I've seen these risk assessments where you know the information ends up just getting we do this risk assessment uh you know we give them you know behind closed doors we kind of give an answer to one or two

people but that information never makes it back to larger teams to to take action right you know like I said Engineers don't read policies so if you're constantly doing risk assessments and you're constantly finding uh baselines are are not established you know machines aren't being patched TLS one you know uh 1.1 is so enabled you know think or or whatever it may be that if there's if you're finding routine problems and that never makes it back to stakeholders you're going to keep repeating that work each and every time and so that's where I feel like you know for us doing uh these tasks for risk assessments that's what we owe it back to these stakeholders to prove hey you

know not only are these little micro Assessments in there but on a macro level this is the things that we need to do better you know and then start creating this dialogue around the discovery you know I think that's another piece you know as uh Sam pointed out in the earlier conversation with the RMF is that you know I think the real risk mitigation uh comes from us having conversations with larger teams right this isn't when we're trying to uh reduce risk in data privacy or we're trying to reduce risk in engineering we have to have larger conversations that that transcend the security team rather that's at our leadership level or even at uh individual contributor level and

making sure that we're we're getting this information back to teams and it's not getting stuck on Excel spreadsheet or a PDF report and sitting on you know a SharePoint drive somewhere you know and I'm sure maybe some of us have seen it but you know even just qualifying information at arbitrary level can be somewhat nebulous right I've seen examples to where you know we kind of have that normal heat map right that little nine nine grid heat map where if it's low impact but uh or if it's low likelihood but high impact it's somewhere medium but if it's high you know likelihood and low impact it's also a medium and that can completely change the story or or where we need to focus

our controls and so that's where I think when we start having conversations and getting away from you know these ad hoc on paper risk assessments and actually start talking about risk mitigation strategies we can actually start un uncovering that and and know what it means uh when we start talking about impact to the organization so kind of you know coming up here uh why I think this matters is you know I think work is getting faster I mean I'm sure all of us have you know not been under a rock and have heard you know about the the upcoming trends from things like ChatGPT and and uh OpenAI and so many different Tech

platforms where we're only going to see more data we're only going to see uh work done faster engineering times deploy quicker uh Cy you know hackers and threats you know coming up uh more and more often and I I think that's going to be really important it's going to and change you know uh the like the the work lives for each and every one of us you know and these technological changes that we've you know gone through as you know security organizations is uh adopting you know AI, LLMs, platforms as a service right you know how many of us you know I've seen things like j u MongoDB uh fire JS you know a lot of

these different platforms uh you know produced by different providers you know have compromises or have you know weaknesses in their security and that impacts you know a massive part of our supply chain you know and then also being able to adopt strategies like BYOD and zero trust you know I think that's also a major thing that we've had to um you know work with as an organization so we're not staying stagnant we're not stay we're not entering a mode where we're going to play catchup we're going to be evolving as a security organization just like engineering and and and our our workforce is going to be changing as well and so you know being able to get into a process that is

more mature and more refined and that we're actually at eliminating risk and not creating more work for ourselves is really valuable you know these Technologies you know I I I think some of these technologies that we end up uh getting approached to by certain organizations you know bring much more value to certain people's eyes than what the security risk are my example for this would be um you know here recently we were evaluating a uh an AI dictation assistant for our clinicians and you know on paper when we start writing this down you know this was going to be a system that would be installed on a uh clinician's iPhone they would be able to

fire up this application they would have a visit with the patient it would record all the information of the visit with the doctor transcribe it upload it to their chart and recommend diagnosis yeah right shaking your hand no like we're not going to do any of that right and and absolutely a lot of us were at the table sitting like no there's no way in hell we can do this this is absolutely crazy but for each one of our clinicians if we award this out from enterprise-wide they assume that this is going to improve each clinician's efficiency at 30% if on the conservative amount it does meet that minimum qualification of improving each clinician's uh ability to

diagnose report charts accurately Bill information etc etc they're expecting an ROI of $30 million a year on this one software I am going to lose that fight each and every time when I'm approaching to leadership if I say no we can't do this because it's scary versus this is why you should turn down a a $30 million increase to the bottom line so when we're faced with decisions like that what are we going to be use we have to be start getting more comfortable with some of this ambiguity getting comfortable with the fact that I am not going to be able to answer everything that this technology does but is the risk of losing a $30 million payra uh

pay raise to the bottom line is that something you're willing to play ball with because there's there's going to be answers I can't give you and Leadership has to make that

decision yeah diis yeah million now a lot less than what you're going to pay because your extration right but we have to have that conversation right we have to have that conversation I I can't turn a paper report and say this this scares me so please go away uh you know we have to have a conversation of understanding what are the risk of yes this May net us $30 million but what are the consequences how how far can we make a proof of concept saying this is how we can you know the ends do not justify the means and you know we we stand to lose more than $30 million being tasked to prove that puts us in a position of of

Excellence versus uh a a period of apprehension because we're not sure what could be done my RO it's always a yes but right yeah but you're going have to add all these guards to do it yeah 100% you know that's what I mean having a conversation versus you turning over a piece of paper shooting an email saying this sucks because XYZ you know and I I I think when you know a lot of us are working with organizations that you you know IT and security are split out from the organization you know maybe there's some followup where you know there's a CISO that reports to a CIO or there's you know some sort of you know underpinning

there but I I think a lot of us you know we we're separated from IT and security but there shouldn't be a separation of our culture right I think that's where you know when I was talking about building these standards and building these um you know environments where we're actually having conversations with our engineering teams and figuring out what we can do better that's going to be a a piece of why you know we're kind of all Fighting the same battle and we have to kind of recruit people um you know outside of the security to help us with our agenda you know and so one of the ways that I want to kind of Rebrand this

is uh you know uh the department of so right you know is as in so what like what what are those things yes where are our yes buts in this type of conversation when we're talking with people and you know they said hey we want to explore you know using uh uh Azure DevOps to secure our our code or to do CI/CD you know what are we going to you know do about that is you know like I said solve for x you know start figuring out ways to where we can start putting variables in our processes saying no matter who comes to me or no matter who what brings to me this is our

process of understanding risk and it doesn't matter if this is uh PII, PHI, privacy risk uh engineering risk you know uh DLP risk you know anything in there you know try to create a framework uh an established framework where we say this is how we operationalize understanding Enterprise risk you know and then utilizing the Frameworks is going to be a major part in that right whenever we start using some of these Frameworks that uh you know have been long you know battle tested and and and tried and true you know we can actually start getting you know larger pieces to to flow kind of in the same direction you know and I think when we start you

know again kind of my whole cliche of Engineers don't read policies you know when we create standards you know it's kind of like putting the guard rails up in a in a bowling alley right uh when we add these guard rails you know no matter how much the ball bounces back and forth it's going to move into a linear Direction so as we're working from uh Enterprise GRC perspective start finding ways to where we're not just kind of shooting from a wide angle and start kind of narrowing our Focus you know and I I think a lot of times you know uh some of us you know in in leadership and and and other organizations whenever

there's a new thing in there you know I'm sure a lot of us have been part of the conversation you know where you're at a water cooler or something and you know an executive a marketing executive or somebody else says hey what do you think about ChatGPT or what do you think about AI you know you start getting asked these questions about you know uh what's going on kind of latest from you know the the latest spin on technology and you know I think as professionals and you know hopefully a lot of us here uh for this conference are taking time because we want to understand things better we want to we want to know more than what we know

today and I think that's a great way for us to get ahead is whenever we're faced with these uh you know new challenges in the world or we're faced with you know new ideas is that we figure out a way to support that and say so what let's figure out the the yeses and buts to the situation and find a way to enable it you know and I think a lot of that's going to steer from being being transparent you know I think a lot of security you know has this whole uh uh culture Zeitgeist of it of being transparency that you know the more that we can see under the hood and we can

understand uh the math to to coming up to these equations is is really important and I I I do think so and it's when we're working with these stakeholders and we're working with these Marketing Executives or uh sales directors and you know we're we're having conversations about improving the security is we need to start working with them and having uh conversations about how to improve processes and not just doing you know linear ad hoc exess uh experiments so that's it uh kind of a a quick rundown um want to you know be able to field any questions have you know if anybody wants to take anything offline with me I'm happy to do that um we can always meet

up and talk if you want to add me there um but we'll open the floor first row so lening to you I about us VOR assment you're

I'm Bas and I

about went and this is what we you know say if you you agree with us do it for like each one questions yeah would be a way to it I'll paint a scenario so I like if I have to do a a formal like vendor assessment I do like yes and no questions because it eliminates the gray right you know you if I ask if you're encrypting data or you know you're doing this there's a yes or no there shouldn't be like ah maybe sometimes you know like that doesn't count but in a scenario for organization if you asked Microsoft the same question and they didn't make an 80% would you guys kick Microsoft out

the door no actually if they yeah

okay attestation yeah yeah okay but I'm just saying us the IT department saying yes we approve or don't or no we don't approve yeah you know what if one of those questions that they fail is the reason why you problem later on yeah and we've approved it yeah well and again I I think there's that transparency right taking it back to the stakeholders is you know a lot of times I'm faced with doing vendor risk assessments and stuff as well and and working in the healthcare space you know a lot of times that those you know have PHI or PII and stuff as well and my first thing is is when I do a vendor risk

assessment you know irrespective of if they have SOC 2 or not when I'm evaluating the solution the first person I go back to is the person that brought it to me you know and so if this is one of our our chief medical officer or you know our marketing director or sales director if they brought forth an app to me and they say hey you know we want to start doing business with them the first person I call when I I have those results is likely them and and I start having a discussion with them saying hey they hit 75 we're looking for an 80 this is where we're at do you think you know

is is this worth pursuing a relationship and us having a larger conversation to see how we can get to that next level or maybe they they pass with flying colors we need to have a discussion saying hey they did really really well and we're going to hold them to the standard to be able to you know keep you know delivering that same excellence so that answer your question so I don't work theate requ C folks be appointed in certain position so in a case similar to yours we really wouldn't go back to the person us user offici risk yeah could Beal influence control ownership of that escalate to our c that senior level person either senior

exective service person or a one two three or fourar general they're the ones that have the authority to balance submission to Cy security r

right find another to do they want or the CIO orever Oran will we got five other things that we've already approved trust that does the exact same thing this person is doing this person so we have a hierarchy of approvals and end user is the last person

yeah industry those are dollars see it all the time in the news right yeah

million yep yeah yeah yeah six of one half dozen other kind of thing you mention you private right yeah soate one of the I have risk

comp

yeah no I I think that's great so I mean I would be I I would have to distinguish the difference between legal and business governance versus IT governance right and so you know really where I'm I'm focus on on on these risk assessments are on the IT governance piece because I think there's so many different nuances that comes to it rather you know if you're working in private equity and you're in healthcare there's only you know only a few degrees of separation between legal legal in compliance or not but when we're talking about risk assessments you know there's so many different things that interplay between IT systems that are are often nebulous and rabbit holy in order to figure it

out and so typically whenever I'm faced with risk assessments that is a that is a separate delineation for our services where uh legal and compliance and those in the M&A team do their kind of due diligence and then we have a due diligence to understand security assessments and uh you know data privacy risk and stuff before that so I I 100% believe those have to be two separate disconjoined activities but ultimately should play into the same decision within the private equity space and

Leadership yeah I I think there's again you know just because the way that like I feel that we have to have conversations I sometimes will elect to go out there and reach to them and copy their homework right you know I'm all for if somebody's you know done the the heavy lifting for me and they've had a you know peek under the hood you know I I'll use that to verify my own information so yeah I think you know establishing a conduit between you know maybe two you know two parties that wouldn't normally interface because I think there is a lot of value right what they see under the hood and the transactions if people are telling you

that you know we're not storing any PII or PHI on site and then you know the compliance team is saying yeah we've got you know such and such records you know on store you know somebody somebody's math needs to be checked out and that's where I think you know having that interplay and establishing that conduit with you know parallel departments even though you're not totally conjoined there can be a lot of value add with that and there awesome well thank you all [Music]
