
Okay. All right, everyone. Um, next up we have Jeff. Oh, sorry. Um, talking about risk management in cyber security. Can you hear me? All right. Who here in this room is a cyber security professional? Put put up your hands. A lot of you. Is there anyone here that is not a cyber security professional? Okay, a couple. Those that had your hand up first, I'm going to pick on you today, but don't throw tomatoes and eggs yet. I'm about to tell a story about our profession. I'm going to tell a story about how our profession sees itself. If we asked everyone in this room what cyber security, we would get a done a many different answers. Um,
I want to give you my answer and I'm going to I'm going to tell you a story as to why I've come to that conclusion. And that story is going to have good guys and it's going to have bad guys. And the stage for this story is corporations, organizations, and governments, including apparently satellite uh satellite companies um around the world. So um I'm not going to introduce my experience or any of my credentials until after the talk because I want you to think about the story and not the storyteller. So I think we all agree cyber security has a critical uh role and we've seen daily what the consequences of neglecting risk management are. Here we have uh discs
hardware sure shuts down its email locks employees accounts out after cyber attack. These are fairly standard and I'm not doing these to scare you. This is kind of traditional to start a cyber security talk with the scary stuff. BlackSuit ransomware stole data of uh just about a million from a software vendor. Toyota confirms third-party data breach impacting customers. This is a supply chain management issue. Park and Fly notifies 1 million customers of data breach. You've seen this. So this is not new to anyone. Now shifting gears for a minute. What's the consequences of this? This is CFO magazine who analyzed small and medium business failures in North America. And they came to the conclusion
that the vast majority of small and medium-sized businesses that fail, 82% of them fail due to poor cash flow issues. What's that got to do with cyber security? 60% of small companies close within six months of being hacked. What's that got to do with cash flow? The average cost of a data breach to Canadian firms um is 7 million. This was in 2022, it was an IBM study. The real cost of a data breach in 2024 in the US is up to uh 4.88 million. Here are the largest data breaches in history. Yahoo at 470 million, Veterans Affairs at half a billion dollars, Equifax was 1.4 billion, Epsilon was 4 billion, and uh NotPetya and ExPetr were
vulnerabilities, but they affected so many companies that it's estimated the cost of those data breaches was $10 billion. Now, if that's not loud enough for you, there it is again. Okay, so there's a relationship between cash flow and cyber security. We can see the importance of what it is we do. And of course, we always hear um we don't have the budget for good cyber security. Well, if you can't afford cyber security, you can't afford a data breach. So, where am I going with this? Well, I want to tell you about uh an economist. This guy Fred uh Fritz Machlup was doing some investigations in 1962 and he looked at the largest economy in the world which was then and
is still today the American economy. And what he noticed was that as the American economy grew from the beginning of the century especially from 1960 on it started to diverge from the proportion of the economy that was due to the creation the sales and the trade of tangible goods. So why is the economy growing faster than America's ability to produce, sell, and trade tangible goods? Hm. He found a problem and he wanted an answer to it. Well, coincidentally, he had been doing previous research on the growth of knowledge workers in the US. He uh he went to a bunch of companies and he asked them on an annual basis for a bunch of years, how many
filing cabinets do you have? and he noticed that the growth of knowledge workers increased from 1900 to 1962. He also noticed that the number of patents that were registered in the US correlated to the gap in the GDP. So here's that one you just saw. Notice the the knowledge portion of it which had not previously been measured by accountants and whatnot exactly explains the growth in the US economy. So he discovered what's called the knowledge economy. And if you take the tangible economy and the knowledge economy, that explains the economy. And what this is telling us is that information is currency. Technology is the medium of value creation and information is a form of capital. So when we look at those
largest data breaches in history and we say why does the loss of information result in such big bills, it's because information is a form of capital. Now I would ask you as cyber security professionals, has this insight occurred to you? Hold that thought. Information is capital. The market value of a company exceeds the book value of a company um because its tangible assets only show part of the picture and organizations rely on intangible assets far more than tangible ones. So if you think that um a company that spends four like a take take a university that's that might have a a police force that spends $4 million a year on traditional brick-and-mortar policing and ask yourself is that the
whole picture in terms of security? What's it spending on cyber security given that universities or data-rich businesses um their their intangible assets are worth more than their tangible assets. So let's talk risk management in cyber security and I want to compare ineffective and effective approaches because this is going to speak directly to the question about what is cyber security. So where do you find these controls? Just read the list and shout out where you think they come from. Asset performance monitoring, secure transfer and custody, asset management, evaluation, segregation of duties. Where do these words come from? Anyone? GPT. ChatGPT. No, they're related to a profession. Yeah. Physical security, financial control. All of these are financial controls. This is
how we safeguard our money, our capital. We have things like performance monitoring, secure transfer and custody of capital, um fraud detection and monitoring, audit reconciliation, segregation of duties. Why does that seem familiar to this audience? Because cyber security has exactly the same controls. So if you never saw yourself as a a financial officer, maybe you should because your approach to cyber security should be or should look exactly like how accountants and financial analysts safeguard money. Financial analysts know where all of their assets are. We have seven accounts. Here's who has access to those accounts. I I go into companies on a regular basis on behalf of GlassHouse and I look at companies' cyber security
programs and I ask the the security teams do you know where your critical data sets are and I and more often than not I get the word the answer no. So the question is if an accountant doesn't know what accounts he has how good of an accountant is he? If a cyber security analyst doesn't know where their critical data is, dot dot dot. So let's now look at cyber security definitions and the curriculum that um our profession um I'm not picking on you because we have to critique ourselves in order to improve. So let's look at what we actually learn. I asked 75 cyber security professionals what's their definition of cyber security. Here are some of the responses. It's stopping
hackers, attackers, intruders. It's the practice of protecting internet connected systems. These are all great answers. I do a first cycle encoding, which is a fancy academic way of saying I do a theme analysis. And here's the themes that come out of those answers. And when you boil it down, these are the answers that I got into seven quick pithy statements. We protect systems and data from threats. We prevent malicious attacks and intrusions. We ensure confidentiality, integrity and availability. We implement security measures and controls. We secure specific technology domains. We teach humans and best practices. We safeguard infrastructure and system. Now, these are good answers. But in all of this, something struck me as missing. So maybe I shouldn't be asking
cyber security professionals. Maybe I should be asking the experts. So I went to Oxford dictionary and according to them it's the practice of defending computer systems, networks and data against theft, damage and blah blah blah blah blah. I I looked at US CIR definition. It's the protection of internet connected systems from digital threats blah blah blah blah blah and so on and so forth. They all gave similar answers. Still there's something missing. Can anyone guess what is missing from all of those definitions? managing risk. Is there a relationship between what we do and cyber security? It's risk management. So, here's a new definition. I propose this. I want you to think about it this way, and you can reject
this if you'd like, but cyber security is the practice of identifying, assessing, and managing risks associated with use of technology to handle information. If at the heart of our profession is protecting a new form of capital, I think this is a better definition and I'm going to show you why. Harvard Law School forum on corporate governance wrote this nice paper. It's a bit of thick reading, but it has two things that we can learn from it. Most corporate boards fail to understand how reliant they are on technology for the creation of value. I'll say that again. Most modern businesses fail to understand how reliant on technology they are to create value. I'll point out that in the last
100 years, if you looked at the world's top 30 most successful businesses, more than half of them were in natural resources, oil and gas. In the last 25 years, the only companies that have broken into that very elite list are information companies, Microsoft and Amazon. Information-rich, information-centric companies. So if a company in the 21st century doesn't understand that it relies on technology for the creation of value, it's missing the boat. Second thing this paper says is that the vast majority of boards don't understand cyber security as a technical risk. And I know this to be true on behalf of GlassHouse Systems. I go into companies and I ask questions of boards such as who manages financial
risk? The board does. Who manages reputational risk? The board does. Who manages legal risk? The board does. Who manages technical risk? Our cyber security team. Oh, they're strategic risk managers. Do they know that? And I know the answer to that is also no. If I go in and talk to a cyber security team, I ask them, do you know that your board thinks your job is to manage strategic risk? No. We don't do that. We we we worry about controls. We look for vulnerabilities. We patch systems. Do you see a problem here? I see a problem here. The overlooked element of risk management. So, let's look on cyber security uh education in the gap. I look
I went to NIST's um NICE site which is uh a registry of certification courses. It includes things like um CISSP um ISA all of these cyber security certification courses. They're all there. Um, I looked at almost 2400 of them, 2397 to be precise, and I looked at the curriculums. 44 of them out of 2400 focus on risk. That's 1.83%. 113 of them focus on hacking, how to be a better hacker. So, you got four times as much chance of learning how to hack than you do in how to risk manage. Now, think about that. If I'm at a bank and I want to hire a security guard, is it better to hire someone that understands how to look for signs of
entry or someone that can pick locks? I think the logic is is a little skewed. When you look at their skills that um these certification courses require, their skills and abilities, they say this is what you need to know and this is what you need to be able to do. Out of 445 knowledge statements, 49 were related to risk. That's a little better. That's 6.3%. So the word is in our vocabulary slightly. But when you look at the ability statements, what are you able to do as a as a cyber security professional, six were risk-related. That's 1.34%, and zero were hacking related. So the professionals who say this is what you need to learn and this is what you
need to know and be able to do, they don't think you need to know how to hack. They do think marginally that you need to to learn how to risk manage. What professions currently learn risk management? Financial analysts, accountants, project managers, insurance professionals, engineers, safety officers and some health care professions. Um, cyber security should be at the very top of that list in my opinion. So, what are the broader implications um of this education gap? What's the impact on our profession? What's the impact on organizations that employ us? In order to answer that question, we first need to understand what I mean when I say risk. So, we're going to do some thought exercises. If I ask you to
walk across one of these two roads. The first is a country road and the second is is the 401 going into Toronto. And I'm going to put a blindfold on you. Which of those two are you going to choose? The country road. Why? Because the chances of something, the likelihood, let's use that word, the likelihood of something bad happening to you is less. Right? So likelihood and risk are somehow related. If I asked you to walk across uh like an area where traffic occurs, the country road and I said this country road only has skateboards and this country road has trucks. Which of those roads would you choose? The skateboard. Because some somehow impact and risk are
related. This is the only math equation. So, if you're math phobic, I apologize. I won't go I I won't go past this. At the end of the day, risk is a fancy word we use, but it really means the likelihood of something bad happening and the impact of something bad happening. And risk is actually something you can calculate. If you can estimate qualitatively what the likelihood is, I think it's probable. I don't think it's probable. And the impact is is it would destroy the whole whole organization or would only impact five noisy users. then you can calculate risk and that suggests that there are different kinds of risk. There are low probability high impact risks. If this
guy falls into the pit, it's going to have a high impact. But the probability is low because it's only a narrow little thing. There's high probability high impact risks. There's low probability, low impact risks. And then there's high probability low impact risks. And the question I would ask is how often are we as cyber security professionals coming into contact with this kind of thinking. From that you can create a risk matrix. A risk matrix can take qualitative assessments such as rare, unlikely, possible, likely to almost certain and insignificant, minor, moderate, major, and critical. And you can actually create risk scores. Now, when you say that there's a risk as a cyber security professional and the
business unit ignores you, why are they ignoring you? Because you haven't demonstrated how you've come to that conclusion. If you can show them that this is possible and the impact would be critical and you say this is a high risk, you can demonstrate your calculation, are they going to ignore you? No. Because you're not speaking a technology language, you're speaking a risk-management language. Now, one thing to note about impact. Impact is relative to the organization. I worked I was CISO at the University of Western Ontario um for eight years and um when you when I I stopped talking the language of technology and I started talking the language of risk um I I got a lot more
attention the impact was always relative to the entire organization. So the universities for example have um uh strategic missions to teach and to educate. They don't care about ancillary things such as the ability to host uh like a a classroom website or bus schedule. They're there to teach and to and to educate. And so impact is relative to that. I once got a an a risk assessment from a faculty that said something was a high risk. And when I reported it to the university, I reported it as a moderate risk. And the facult the dean jumped all over me and said, "I reported it to you as a high risk." and I said yes relative to the
faculty, you're correct, it is a high risk, it will impact your faculty. Relative to the university, it's a moderate risk because it won't impact the whole university. So impact is relative to the whole organization and likelihood is a function of things like vulnerabilities, exposures, threats, mitigating controls. Words you've heard. Why have you heard them? Are you using them in a risk calculation? So let me ask this and I do want feedback. What is cyber security's goal, what's its goal? Mitigate risk. Mitigate risk is right. But its goal is specifically to reduce the impact potential impact of a risk event to reduce probability. But if you don't think in terms of probability, impact, which is the elements of risk, then you
you you you don't really have a goal. Cyber security is very simple. It has two goals. Reduce the likelihood, reduce the impact. And you have in your toolbox risk acceptance, risk avoidance, transferring risk, reducing risk, hedging risks. When was the last time someone in our profession said to their boss, you can accept this risk? How do you know when to accept risk? When to avoid risk? Again, if you're not doing a risk calculation, you can't make those decisions. If it's a low probability and a low impact event, you can accept risk. If it's a low probability, high impact event, you transfer it. If it's a high probability, low uh impact event, you can reduce it. And then if it's high
probability, high impact, you avoid it. So those tools in your toolbox have to be used based on your ability to understand risk. And this came from a journal on risk management. It's they call it, you know, the risk management process. Do we perceive risk? Do we assess risk? Do we communicate risk? And then do we manage risk? You'll notice that this works equally well to our profession. Do we perceive the vulnerabilities, the threats in our environment? Do we assess them? Do we communicate them? And then do we manage them? So you can see that if I'm wrong that our profession is not about technical risk management, this alignment should not hold so nicely. Some case studies. So cloud
security has kind of a uh it it's got two problems associated with it. First, people think that when they move to the cloud, all of the risk management is owned by the cloud service provider. A that's wrong. Two, if they recognize that they own some portion of the risk management, it's often difficult to explain what portion of that risk management do we own. So you've seen these cloud service models where you have on premises infrastructure as a service, platform as a service, and software as a service. And on on prem all of the risk management belongs to us just because all of the technology stack belongs to us. When you start to get into some of the cloud models where you
have infrastructure as a service, the risk management accompanies that. So not only do you have a relationship on the left hand side between the service provider's responsibility over the technology and then the client's responsibility over the technology stack, you also have a split responsibility when it comes to risk management. And the same is true of platform as a service and the same is true of software as a service. So understanding risk management in these terms actually makes something that seems difficult a lot easier to understand. Case study two. I did a review on a company that had a very good software architecture review process as part of their change management. Before technology could go from development
into production, the security team had to do a technical security review. Great. I was really happy to see this. That was very advanced thinking on part of the company. Except that the company wanted to deploy uh a wealth management system and in the wealth management system there was a component that shared system status from one uh component to another and it was using TLS version 1.2, and the security team was holding up business enablement of this wealth management system, the bread and butter of the company. Now, if we look at this from a risk-management perspective, TLS version 1.2, it's true, it should be 1.3, but what is the likelihood that this is actually a problem considering
it's in confined space and it's between two um systems that talk to each other about system status? Well, the likelihood is although uh compromises of TLS 1.2 have been seen in the wild that the chances are really, really, really low. There's a lot bigger fish to fry up there. And secondly, this was contained and there were other compensating controls. So the question I would ask is if the cyber security team that was doing this architecture review understood risk management, they wouldn't hold up business enablement because of this vulnerability. This is a risk that we can accept. Vulnerability management with equal critical vulnerabilities. Another team. They had two equal boxes. They were Dells with running some version of
Linux and they came up in a vulnerability scan with 61 critical vulnerabilities. One system was an HR system and the other system was something meaningless like bus schedules. And I asked the team which of these two is greater risk and they looked at the the the Tenable and they said they're both equal. They both have 62 critical vulnerabilities. Is that a true statement? Because if you understand that um that our job is really technical risk management and we do our simple risk calculation in our head. The impact of losing bus schedules is low. The impact of losing HR data is high even if the likelihood is the same. They both have 62. You worry about the HR system and
not the bus schedule system. And this is just a simple risk calculation. This one comes from SIEM data. This data came from a SIEM. I have added some columns here. This is that this is exactly the data that a a SOC looked at and they looked at the the the uh the row highlighted in in yellow. And you'll notice that they labeled it as high. That label was assigned by human cyber security professionals, some of whom have a great deal of experience. And what is it? It's an unusual amount of external inbound email from an IP address known to be a malicious IP. What is that? We call it spam, right? They said this is high. But I also want you
to notice the multiple login failures that was listed as low. When you actually do a risk calculation and the SIEM gives us that it gives us a magnitude number based on the criticality of the asset and it gives us a prediction probability. This is SIEM voodoo but they actually give you the two things you need to calculate risk. I added the risk calculation and when you order by risk you'll notice that the multiple login failures is the highest risk in that list which was categorized as low and the detection of unusual amount spam happens all the time so it's got a high probability but it's it's it's uh impact was only two when you actually calculate a risk a score
you get like 18% versus 50%. This was a successful attack on many credentials outside the company that went missed simply because the security analyst looking at this data didn't ask the question what's the likelihood times the probability and you'll notice that in the uh the list of kind of the worst attack types these likelihood and impacts I've estimated on other data so don't take that as gospel but let's assume it's reasonably good this is your attacks ordered by risk failed login attempts is top 15 whereas spam is further down much further down like 32 or something. So, how can we assess our profession as teaching us to be effective risk managers? If I'm right, what are what you should see if
I'm right that we're missing the boat as a profession? Um, this is the kind of things you'll see. And I want this I want you to think about this. Is any of this true? If none of this is true, I've wasted your time and we'll go to lunch. If any of this is true, I want you to to to think to take away the message. Are technical solutions prioritized over risk-management strategies? Is there a lack of communication between your cyber security professionals and your business leaders? Are we focused on defending against specific threats instead of overall risks? Is risk management ineffective due to an unclear understanding of the business objectives? Do we fail to prioritize
ongoing monitoring assessments of risks and vulnerabilities? Like are any of these resonating with any of you? And the list goes on. There's a lot of maladies that you can see when our profession ignores the core of its purpose. So let's get to the conclusion, the question and the answer and summarize the key points. Key insights. What can we take away from this talk? We can take away that cyber security is technical risk management. The profession needs to practice risk-based decision-making. Cyber security controls focus on protecting IT assets that process information. Cyber security professionals need to adopt the language of risk, not the language of technology and the profession needs to learn how to balance business objectives with
protection efforts. So what are our call to actions? I I I if I've convinced you that my view of cyber security is correct, what can we do about it? First to employers, three things. Have cross-functional risk management training. Have your cyber security professionals learn how to understand risk. Create collaborative risk committees. Include your cyber security professionals with your auditors and other people who do under in your and your and your project managers who understand risk. Integrate risk management into cyber security job descriptions and key performance indicators. What can we do if we're actually engaged in training our juniors? Develop business aligned risk management modules. Emphasize risk communication and training. Don't talk to your boss about technology. Talk to
them about risk. They'll listen to you. Incorporate emerging threats in adaptive risk management. So use risk equals likelihood times impact to actually understand emerging threats. And then if you have any influence over the industry, and this is really why I created this talk, I I do want to influence the industry. Promote industry-wide risk management standards such as NIST. Uh, create cyber security leadership development programs and establish risk-management apprenticeships and mentorships. Accountability for what we do, protecting probably our most valuable asset, cannot be outsourced. And I want to thank Memorial University for naming uh a center after me. Uh questions and answer. By the way, my my credentials um I've been in cyber security for 30 years. I've been a CISO
um twice. CISO stands for career is soon over because you're expected to be a change advocate in often change resistant organizations and uh and my CISO experience is is more than a decade. So, do you guys have any comments or questions or anything you want to discuss? Because I know probably nobody has has put it so succinctly in this way, but I I really do want your feedback. Yeah. I thought it was a great presentation. I I really like the putting these things in in perspective in terms of the the impact especially just a comment on training the other way around and risk managers uh as a an IT manager for a small group of
companies getting an insurance policy cyber coverage from these risk-management companies. Uh, I found their questionnaires were absolutely dismal and I guess it was from the underwriters or something, but I'd like to see something like this go towards like the other places to I mean there was dumb questions like number of records and this kinds of things. So just I'll tell you why because their actuarialists understand risk but when they write up these cyber security questionnaires they don't ask the actuarialist to do it. They ask the cyber security team in the insurance company to do it and then some and then some project team who's come in to try to sell the policy. Yeah. And they have no idea. So nobody knows how
to answer them. Yeah. But I've just showed you like there is a way to quantify risk. Even if your instinct isn't to put a number to it, if you can qualitatively assess it, remember I showed you likely to unlikely and I showed you probable to improbable. if you can and and and this is my experience. It's true. While I'm bashing the profession and and I do that because I love my profession. I grew up I was a a Unix administrator, a system architect. If it if the operating system ends in X I've touched it. I built high performance computers, Beowulf computers, clusters. I built dic pack systems for healthcare institutions. And when I hit risk
management, when I hit cyber security, I had a lot of technical background. But nobody took me by the hand and said, "Your boss isn't listening to you because of this, and this is how you prioritize this over this." Like, nobody did that. And so I I look at somebody that's got 30 years in this in this profession, and I say, "What can I do for the next generation?" And I'm telling you, this is the this is what I've learned is learn how to risk manage and start thinking differently about what you do. And if you can do that, you're going to be impactful. Yeah, I agree. uh often I've seen it multiple times where impact or
likelihood get mixed up and then something that should have been higher priority just gets lost in the mix. Right. Thank you. Thank you for your comments. Yes. Yeah. Thanks for your talk. Um and very much appreciate the the considerations of impact and thinking through those things and prioritizing etc. Um, but what do you do with the fact that for an awful lot of things in security, the probability of attack is zero and it's zero and it's zero and then one day it's one and you can't predict which of those things are going to go from zero to one. Not everything is like that, but some things are. So, how do those fit into the kind of that risk matrix approach
that you're talking about? So, I've mulled over probability quite a a lot. Um, I don't think the probability is zero. I think that we don't have enough data because organizations that get breached don't publish their data. If I go back to that list of all of the things um if I go back to this list, do we know that ransomware is happening? Yes. Do we know that DoSes are happening? Brute force attacks, SQL injections, and we're not even talking the human things like social engineering. Is are is the probability of any of these things zero? No, it's just that we're not measuring it. So the next question is if we're not measuring it, what's the next best thing we can
do? And the best next best thing we can do is use our judgment. If I connect a computer to the internet and I don't connect it to the internet, how does that impact probability? Well, the internet is connected to the world and a standalone system not connected to the world or behind a firewall is not connected to the world. So we can make educated professional judgments on what that probability is. But I don't I don't think that and I'm not saying you're suggesting this, but I don't think we should be using the difficulty in estimating probability to stop us from using this general approach. Does that make sense? Sure. Um but when it comes to some
specific things like um the discovery of previously unanticipated classes of vulnerabilities, that kind of thing. Um, is there a place for uncertainty of saying here's a whole range of I have absolutely no idea how likely this thing is. It might be super likely in 10 years. Right now I feel like it's not very likely but really I have no idea. Is there a place for that kind of yeah there is epistemic humility? I guess if you get into so this equation I've showed you I've said that this is a cyber security equation. Do you know what its origin is? expected. You're right. Good for you. The very first paper on this was done by the Department of Commerce in the US
back in 1959 and um it was an economist that in his prior life was asked what's the value of an investment if I don't have 100% uh return rate on that investment. And so the value of an investment is equal to the likelihood times its return. So, say for example, I I I I buy a I buy a lottery ticket and I've got a 60% chance of winning $100. The value of that that that return is actually $60, right? 60% times the its overall value, its impact. However, when he got into when he got asked by the department of commerce to estimate cyber security risk, he said, "Well, if we can estimate the value of a
of an investment with improbable with with imperfect information, we can also estimate its opposite, the risk, one minus that value." And that's where this comes from. It is an expected value calculation that came from the world of economics that we that we we we use. And to your point, if you actually look at expected value calculations, it's it's more than this. There are things um that you can there are factors that you can factor in for error for imperfect information like this. I I make it look like this because I'm trying to convince a cyber security audience that we should be using it. But if you actually look at an expected value um calculation, there's more math that you can do. And
kudos to you. That person should get a prize cuz that's the first time anybody's ever answered that correctly. Anybody else? I'm standing between a crowd and your lunch. Thank you. You've been a very Oh, one more. One last question.
always balancing your risk based on that. Well, remember I said that can I interrupt one second? Can you repeat that question for the people on So the question is um risk managing risk is often a function of funding. Is that did I capture that correctly? So remember I said that there's a gap between how the board perceives who manages risk and how cyber security professionals see themselves. We first have to remedy that problem. It's not up to us to determine which risks to manage ultimately. It's up to the people that control the budgets. But we need to be able to talk meaningfully to them about the risks. We should spend this amount of money to
solve this problem. Loses credibility when that problem actually isn't a risk. we we lose credibility. But if we can show them why it's a high risk and convince them that it's a high risk, you are going to get the funding support. That's been my experience. But I had to learn to talk to them differently. Okay. Thank you all for your time and your attention. Have a great lunch.