
From What to How in Cybersecurity: Self Care, Culture, and Strategy

BSides RDU · 2021 · 39:04 · 2.3K views · Published 2021-10 · Watch on YouTube
Speaker: Jason Chan
Tags: Category: Career · Difficulty: Intro · Style: Keynote
About this talk
Jason Chan, who led information security at Netflix for over a decade, reflects on navigating the challenges of cybersecurity work through three lenses: personal resilience and self-care, organizational culture, and long-term strategic thinking. Drawing on concepts from leadership theory and business strategy, he argues that security is an infinite game requiring sustained effort and compromise rather than short-term victories, and that effective security programs must align with organizational culture rather than impose top-down control.
Original YouTube description

Morning Keynote. Starts: 9:00, 40 mins, in Fletcher Hall.

From What to How in Cybersecurity: Self Care, Culture, and Strategy
Presented by: Jason Chan

Security is a challenging field - controls fail, incidents happen, and our adversaries adapt. On top of that, it can be difficult to drive change and progress when organizations have so many competing priorities. Drawing on a career in cybersecurity and his most recent experience building and leading the security team at Netflix for over a decade, Jason will provide some insight and advice on preparing yourself for the ups and downs of the industry, going with the flow, and doing meaningful and impactful security work.

Jason Chan
Jason recently retired after having spent most of his 20+ year career in cybersecurity. His last role was leading information security at Netflix, where he helped the company navigate explosive growth securely since 2011. At Netflix, his team became known for its contributions to the community, including over 30 open source security projects and dozens of conference presentations. Prior to Netflix, he led the security team at VMware. He began his career in security at the Space and Naval Warfare Center and spent most of his early career in security consulting. https://bsidesrdu.org/morning-keynote

Transcript (English)

Hey, morning everybody. Appreciate the patience. It's great to be with folks again, to see people again, and thank you, it's a beautiful facility, so thank you to the organizers and thank you to the volunteers for making it all happen and getting us all back together safely. Before I get started I did want to share a little bit of a personal story of my own connection to the Raleigh-Durham area. I did live here briefly about 20 years ago, but it goes back a bit before that. So my dad's family migrated to the U.S. from China and from Hong Kong in the late '60s and early '70s, and they settled in the Northeast,

and my mom's family was from upstate New York, and that's where my parents met. They met in 1972; I think they were both right out of high school. And I don't know if you've ever been to upstate New York in the wintertime. It's different than this. It's cold, and I think the winter of '72-'73 was worse than normal. So they got to the spring of '73 and were like, yeah, that's it, we're heading south. Their plan was to drive to Florida and live in Florida, and they were right out of high school, they didn't have a lot of money, so they got in the car,

went, and then they ran out of money. When they ran out of money they happened to be here in the Raleigh-Durham area, so this is where they set up their lives and their family, and my sister was born here. Both, actually all three of my dad's sisters moved down from the Northeast. They all went to NC State, so I don't know if there's any Wolfpack folks here. They all met their husbands here and started their families. So it's a really special place for me and my family; I'm sure for the folks who are locals it's special for you as well. And it's great to be back here, especially for BSides. I mean, BSides, as

Ashley mentioned, it's an amazing event, it's an amazing community. I'm from the Bay Area. I've been to BSides SF a bunch, I've been to the Las Vegas one, and now RDU, and I'm sure this is going to be the best one. I'm really looking forward to the day. I love that it's by the community, it's for the community, and it's really explicit that it's trying to take different perspectives and different views on our field. And that's what I want to try to do today, is maybe give a little bit of a different take on your normal information security conference. So that's what we'll do, so we'll get started. With any kind of complex

topic like cybersecurity, I always think it's helpful to think about analogies and comparisons and metaphors that maybe help us think about it a different way. And for the purpose, at least to get us kicked off here, I wanted to talk about this idea of a healthy lifestyle, or personal health and well-being. I don't think there's any real ambiguity about what the recommendations are, right? We're supposed to get eight hours of sleep. I don't know how many of you all do that. I think it's drink like eight glasses of water, eat decently, don't smoke, don't drink too much, get some exercise. We generally know

what to do, but it's hard, right? For many reasons. Like, it's hard to wake up early and go for a run. For me, I love pizza; it's hard to say no to an extra slice of pizza or another glass of wine. And those are simpler examples, but if you look at what the Department of Health and Human Services says, they actually have this concept, what they call the social determinants of health, and there's all kinds of structural and systemic barriers to being healthy, everything from access to health insurance to income instability. And it's pretty easy to see how this fits together, right? You can imagine maybe

you're a single parent, you've got to work a couple of jobs to make ends meet, you've got tons of stress in your life, you don't have health insurance, you don't have time to exercise, you don't have time to make healthy meals. There's a lot of barriers. So it's not enough to know what to do. Clearly we need some help to get to the how. And I would say we're pretty much in the same boat in security. There's no shortage of guidance out there, right? This is just a random sampling: you've got the NIST Cybersecurity Framework, you've got the Center for Internet Security, PCI if you're into compliance. And one thing,

speaking of recommendations, so I know security folks are really opinionated, but my guess is, and I would wager on this, if I were to ask everybody in this audience to tell me the top five recommendations you have to improve security for individuals and even for organizations, my guess would be there would be two of them that would be on almost every list, and those are two-factor authentication and patching. And I just think, anecdotally, those are just good things. They've been around forever, they're kind of unambiguously good. And actually, even if you look at the data, so if you're familiar with Verizon's DBIR, the Data Breach Investigations Report, they basically look at all incidents that happen in a year,

and in 2015 they looked and they said, for all the incidents that happened, what were the controls that would have addressed the most issues? And the top two were two-factor authentication and patching, about 24% each. So we've got the data, we all anecdotally know that these are good things to do, they've been around forever, right? So how do you think we're doing? Are we doing great in these areas? Yeah, kind of a grumpy audience. Let's see, let's dive in. Let's look at two-factor authentication first. So this is from Twitter's account transparency report they just published, and I'm not banging on Twitter at all. They've got

2.3% adoption, 2.3% adoption in their user base. They've been around for 15 years, they've got 200 million users, and they have 2.3 percent of their users using two-factor authentication. And I know you're thinking, well, it's a consumer service, it's social media, people don't care about their credentials, I'm sure enterprise is way better. It actually is. It is way better. But way better is all relative. This is from a really good talk at RSA last year by the identity team at Microsoft, and they basically said, this isn't like Microsoft employees, but this is in their enterprise environment, right?

This is a huge environment. They have a billion monthly users, they see 30 billion authentication events a day, 11% use MFA. That's the state of enterprise. This is on YouTube, really great talk, go check it out. So yeah, we're doing between four and five times better in the enterprise than consumer, but it's hard to get excited about eleven percent. Patching, though, right? I know we've nailed patching, so let's dig in a little bit. Actually, we haven't. This is from CISA, the Cybersecurity and Infrastructure Security Agency. They published this earlier this summer. They basically did an analysis of the most frequently exploited bugs in 2020.

Most of them are years old. The number seven vulnerability most exploited last year was from 2017. Apologies, my little animation is off there. But so these are years old, right? And even if we go even more recent, this is actually just a couple weeks ago, there was some neat research published by, I think it was Palo Alto Networks, and they have one of these, it's always great when you have a named vulnerability, when you have a funny name, this thing called Azurescape, which is a cross-account container takeover in a Microsoft Azure service called Azure Container Instances. It turns out ACI, or Azure Container Instances, was

running a runC, which is part of the container runtime, from 2016 that had multiple well-known container escape vulnerabilities. And the thing that is troubling to me is this service only went GA in 2018. So even when it went live it was already vulnerable, and there we were three years later. And again, I'm not trying to beat up on Microsoft, but if there's any organization in the entire world that knows the importance of patching and vulnerability management, it's Microsoft. And let's take a little trip down memory lane. Does anybody use Windows 98? They had Windows Update since Windows 98. So this is probably an operating system that's

probably older than some people in this room, and they had automatic updates. Windows actually had automatic updates as a core part of the operating system since 2000, so that's two-plus decades. They've actually had Patch Tuesday since 2003. Again, not trying to beat up on Microsoft, but they clearly know what they're doing, but they still have problems. And at this point you're probably saying, wow, this is a really depressing talk, Jason. This is a keynote, we're supposed to be positive, right? We're supposed to get excited. And I really just kind of use that as an example. It's one

thing to know what to do; it's a different thing to get it done, and that's really what I want to talk about. But I don't want to talk about changing the industry. Frankly, I'm not that ambitious, and I tend to be more practical. But I do want to talk about changing ourselves, changing the people in this room and the people watching this talk, how we approach our careers in this industry, because I really do think that by some adjustments we can actually have more fun at work, and we can actually have better outcomes for the organizations that we work for.

And as mentioned, with BSides it's all about learning and sharing. So I had a bunch of jobs in my career, and I spent the most time at Netflix. I was there a little bit over 10 years. I started at Netflix as an engineer, and Netflix was one of the first big companies to go into the public cloud. This is around, I started in 2011, so I really started to help them use AWS securely, and I kind of grew the team from there and I led the team, and by the time I left a few months ago the team was about 150 folks. And you

know, so the company had grown a lot, and it's seen all kinds of change. We did everything from going to the public cloud to becoming a global service to creating our own entertainment studio, which is not really something you get a lot of chances to do in your career. And I learned a bunch from my co-workers at Netflix and just from steering through everything. So that's kind of what I want to share. I won't get super specific or super technical, but just share some of the learnings I've found, and hopefully folks can abstract that away and apply that to your

day-to-day. And I want to start, just to summarize what we'll look at, really three areas. So self: we'll start with ourselves and how we approach things, how we approach our own lives, how we approach the field. Then we'll go to culture, which is the culture of the organizations that we work in. And then we'll talk about strategy, like how do we actually develop strategy and apply that and make sure everyone's aligned. Starting with self and taking care of ourselves, you may say, well, why is self-care important for cybersecurity? Isn't it a really low-stress field? But it's really

not. But one of my favorite metaphors generally: if you've ever been on an airplane in the United States you've heard the safety briefing, right? They say, in the event of loss of cabin pressure, and I've heard this so many times, put on your own mask first. And really what they mean is, if you're going to help people, whether it's your family, your friends or your coworkers, you've got to be taking care of yourself, right? If you're having issues or you're not able to bring your full self to work, then you're not going to be able to contribute as much. Let's start there,

and I want to start first with managing life. We've talked about work-life balance for a decade, forever, but these last 18 months or so with COVID have been extreme. I don't know about y'all, but there is no work-life balance. I mean, I was fortunate enough to be able to work from home, but you're working from your dining room table, you've got to do Zoom with friends; there's no end, there's no separation. And I would get this message every week, this is the Apple Screen Time, and be like, yeah, I know, Apple, I know I'm

using this phone a lot. We're all plugged in. It was too much. And I would say, as much benefit as the internet has, and social media, it can also be damaging, right? So if I think about social media, you log into LinkedIn and you see everybody, oh, this person got promoted or this person's having great success, and then you log into Facebook and so-and-so's daughter just got into Harvard or something, and you go into Instagram and people are doing workouts and their vacation and they're cooking all kinds of interesting stuff. And I think it's just natural to think, well, hey, I want that. I want to

have a great career, I want to be healthy, I want to be taking great vacations. And I think there's nothing wrong with that, but I would say where we start to run into issues is we're trying to do it all at once. And one of the most influential things I ever read in my whole career, my entire life, was this article here from Eric Sinoway. It was in the Harvard Business Review about 10 years ago, and it's entitled "No, You Can't Have It All." You could probably guess from the title what that means. And what Sinoway says is, instead of just work-life,

he actually has seven different dimensions of your life: hobbies, spirituality, physical health, work, family. And you really have to be explicit about who you want to be in each of these dimensions at any given time. Over the course of life you can probably do great things in all these things, but at any given time, there's only 24 hours in a day. So just as an example, imagine you're maybe a young married couple, you've got children, and you're both working, and that's a lot already, right? You've got kids, you've got two careers. And then maybe one of

the partners says, hey, I want to get further in my career, so I'm going to do an executive MBA program at night. So then you've got kids, you've got career, you've got night school. You're starting to get a lot of balls in the air. It's probably not a great time to try to learn Italian, or train for a marathon, or start volunteering for your church group as a treasurer, or something like that. There's a limited amount of time, and we sort of fool ourselves if we think we can be excellent in everything all the time. So what Sinoway does, he has this

really nice set of questions around your priorities, like what do you want to emphasize. I would say, as humans, we don't really like to say no, right? We want to try to do it all. But it's really about understanding what the costs are, what the trade-offs are, and then making sure that you can let go. A lot of it is about learning to let go, learning to say no. So that's how you think about your overall priorities. And I would say also, with that framework, you want to revisit that, right? Five years from now is going to be different than now. And you also want, if

you're in a relationship, to be talking about that with your partner as well. And so the second element here around self is about keeping perspective. In security, what is our goal? Can you win? Is there a finish line? There's not really a finish line, is there? What does success look like? I always think a lot of what we're trying to do is prevent bad things from happening, so what does success look like when that's what you're trying to do? And if something bad does happen, we're trying to help our organizations

return to some normalcy, because really, the places that we work, they're not in business to not get hacked, right? They're in business to stream movies or sell shoes or whatever it is, and security's part of that; we're supporting it. And a framework that I really like to do the mental shift to get into this mode is what's called the infinite game. You may be familiar with this. Simon Sinek wrote a book about it just a couple years ago called The Infinite Game, and it's an extension of an earlier book, I think from the '80s, from James Carse. And if you're not familiar, just

from a definitions perspective: finite games, we're used to playing these, this is what we all play. Think basketball. In a finite game you've got consistent rules, you know who's playing, and there's a defined result, right? In basketball it's five on five, whoever's got the most points at the end wins, done, go on with your life. In an infinite game, though, there are no rules, and players come and go, and you may not even know who's playing, and the goal is to keep playing. The goal is to continue. There is no finish line. So what is an infinite game? Well, I would say life is the ultimate infinite game. Business is an infinite game,

right? There's no winning in business; you want to stay in business. Politics is an infinite game. Within politics you have discrete finite games, so an individual election cycle is a finite game: you have known candidates, you have a set of rules, you've got a winner. But politics over the long term, if you look at the U.S. system, the multi-party system, each one of those parties has a long-term agenda that they're trying to bend things towards, right? It's an infinite game, it never ends. And I would say absolutely security completely falls into this concept of an infinite game. And for me, as you think about this model, one of the most

dangerous things to me is if you are going into security, which I would say is an infinite game, with the mindset that it's a finite game. So I'll tick off some characteristics here of a finite mindset, and you can gauge for yourself whether you've ever worked with folks like this. They're thinking near term, right? Like, what do we do today? And they think everything is high stakes. You've got to win at all costs. We've got to get this patch installed, we have to say no to using this thing. There's a lot of that no, because everything is

urgent. And you want to be right, you want to get your way. It's very transactional, because you're not thinking long term, you're thinking about short-term wins. The infinite mindset, I would say, when applied to security, is going to be quite different. You're thinking long term, and when you think long term it's a sustained effort. If you are sprinting every day when you work in security, you're going to get burned out really quick. It's a long game, so you have to think about it that way. It's about reaching compromise and it's about making progress. That's really what I think about security: you're trying to leave things

better than when you got in, because there is no finish line, there's no winning. We're just trying to make things better. And it's about building relationships. So it's that shift. I would almost guarantee everybody here has worked with somebody in that left-hand column, where everything's urgent, everything's anxious. And when you think about security, and this is the third part of this talk about the self, it's managing stressful situations. It's very tied to that idea of finite versus infinite, and like we talked about earlier, there's a lot of stressful situations in security. Incidents, vulnerabilities, they happen, they don't go away. And in stressful situations, the

model that I really like to think about, especially in security, is this idea of what's called a step-down transformer. In electricity, a step-down transformer takes a high-voltage signal and turns it to low voltage. That's not exactly what we're talking about in security, but this is a concept from a field of leadership study called resilient leadership. Here's a book here; there's also a really interesting PDF. And a step-down transformer, when you're talking about it at work or even anytime in life, is you make things relatively less stressful, less anxious, less reactive. Have you ever walked into a room where there's an incident and people are

heated? Does it help to go in there and start yelling and screaming and pounding? Does that make things better? That never makes things better. If you go in there and you're relatively less, it doesn't mean you're a robot, but you're less anxious. And just to use a personal anecdote, a couple years ago there was an incident going on at Netflix. I think it was a vulnerability that came in through our bug bounty program, which happens all the time, right? That's the job in security. But that's not the job for the people who own those apps that are impacted. So I remember

the VP who ran that app, she called me one evening at like 8:30 or 9 at night and was very agitated, was very nervous, because she was worried that a vulnerability in her application was going to cause a big impact for Netflix. So I was just talking her through what the findings were, and how we were working with our team to remediate, and the mitigation timeline. And after a couple minutes she just said, "Jason, I'm freaking out. Why aren't you freaking out? Are you high?" And I was like, no, I mean, I'm not high. I mean,

this is a Wednesday when you work in security. But if I had brought anxiety and stress and reactivity to that conversation, that just makes things worse. By stepping things down, that's the way to handle it. And you may be saying, this is from leadership study, and you may say, well, I don't manage people, am I a leader? And I would say absolutely everybody has a chance and opportunities to be a leader. And I think this is a responsibility we all need to take seriously: when there's a crisis happening at work, in security, you're the expert,

right? You know relatively more than most of the people involved. You're going to have PR, you're going to have marketing, legal; you know more. And what are you going to do with that imbalance of knowledge? So what I would ask people to do is think about a case when you were in a crisis situation, there was an imbalance of expertise, but you were the one who knew less. So for me, the car breaks down. I don't know anything about cars, and I've got to go to the mechanic. I'm stressed out, the mechanic knows more than I do. How is that person going to handle that situation? Are they going to take advantage of me? Are they going to talk

down to me? Or even higher stakes, think about when you have a health issue. You've got to go to the doctor, you've got to get tests done, you don't know what's going on, you're nervous, you're highly stressed. The doctor went to medical school; I didn't go to medical school. How are they going to treat that? Think about bedside manner, right? How they handle that is tremendously impactful, especially when you think in that context of the infinite game and you think long term. So if there's a problem at work, a security issue, and you're the security person, and say something gets popped and you're like, oh gee, I told you that was

going to happen, and we told you to patch that. That doesn't help, right? It just makes things worse. So what I like to think about there, when you are the one with expertise and it's a crisis, think about this analogy of lowering a drawbridge. You want to lower your drawbridge, you want to create connection, because when people know less than you do and it's a stressful situation, they're vulnerable. And you want to have empathy. So you lower the drawbridge, you create connection. The alternative there is you raise the drawbridge and you create separation, and

that doesn't help. That's that short-term mindset. It's not thinking long term, it's not thinking about building relationships, because you've got to work with these folks from here on out. So that's taking care of yourself. We talked about priorities in our own life, we talked about the long game, we talked about reducing stress. And I want to talk about culture and strategy, and I'll talk about these at the same time because they're pretty related. For the purpose of what we'll talk about here, culture is really about how an organization works together: it's your shared set of values, your processes. And then strategy is how are you going

to achieve your goals, how are you going to allocate resources, what decisions are you going to make. And the most famous quote relating to these two words is from Peter Drucker many years ago. He said culture eats strategy for breakfast, and this is completely true. What he's saying is you could have a great strategy, but if it doesn't align with your organization's culture you're going to fail, because culture trumps strategy. And just to make this more real, I wanted to use this example. This is my former colleague Lorin. He's a really interesting person to follow on Twitter, I would suggest following him. A few months ago he was tweeting out

interview questions and seeing responses, and I really like this one. It's basically: you're a manager, you're building a tool, it's a pretty good tool, it works pretty well. It turns out somebody else at the organization has already built that, but yours is better, right? So you're in an interview situation. How would you handle that? Role-play that conversation. What Lorin is asking here is, what's your strategy? How are you going to handle that? This has never happened to me personally, but if I was the one being interviewed, I would say, okay, well, what are the past experiences I can draw on that are helpful?

So I would think, what's a time when I've had to have a difficult conversation with a co-worker? What's a time when I had to try to influence a peer? Maybe what's a time where I've had to do a side-by-side feature comparison amongst products? And I think those are the right bodies of knowledge, but the problem is, what you don't know is what's the culture of the organization. If you don't know that, you can't answer it correctly. And if you follow this thread, somebody chimes in with a really great response. It was somebody who had worked at both Amazon and Microsoft, and that person said, it depends.

At Amazon they have a really well-known principle that says it's better to have two of something than zero, right? So at Amazon they explicitly say duplication is okay. So if you know that's the culture, you can't escalate this. You'll be like, oh, this thing's not going to go anywhere. You're going to fail, and you're going to be frustrated, because you think you're doing the right thing, but it's against the culture. Whereas at Microsoft they would handle it differently. They would want to step back, they might want to talk about strategic focus, they might do some re-orging. So you would handle it differently.

Looking at it in other enterprise contexts, I would have failed because I wasn't taking into account the cultural context. And there's a couple of other elements that are really important in the Netflix culture. One of them is freedom, what we call freedom and responsibility: you can make your own decisions, you're responsible for the outcomes. If you really want to go a different path, you're free to do it, but you're going to be on the hook for the responsibility. And then context, not control. This is kind of like the anti-micromanaging. You want to make sure your teams and everybody understand the context of the company: what's important, where is the strategic alignment. Because

if everyone has context, then you can make really good independent decisions. So if you think about the implications for security, and this is just a highlight here, if we know the culture, the number one thing on there is encourage independent decision-making. If you know that's the culture, would you have a bunch of centralized approvals and a top-down approach? It's not a place where you ask permission, right? So if you're trying to put together structures that emphasize that, which a lot of traditional security programs do, it's not going to work. Then there's also share information openly. Well, if you know the company and the culture wants to share information

openly, you probably don't want to go to a default-deny, lock-everything-down approach, because people value access to information. And then avoiding rules: if I know the company wants to avoid rules, I'm going to be careful about policy. So the cultural lesson there, really, abstractly, is you want to understand how the organization works: what is the risk tolerance, how do you make decisions. And then you want to combine that with your own past experience, because that's why you got the job, your past experience. And then it really comes together when you look at it through the lens of the culture of the organization you're

working in. So then strategy is the final piece we'll talk about here. There's so many books on strategy, and you could read forever about it if you'd like to. I really like this quote to summarize strategy in a nutshell. This is from Reed, the Netflix co-founder and CEO, and he says here, strategy is pain. It has to be difficult because it's about what you don't do. Remember when we were talking about self-care and deciding what you want to prioritize, it's hard to say no. And I would say, in some theoretical perfect world where you've got infinite resources and

infinite time i don't think does anybody have infinite budget and like you don't so you if you know you have constraints let's work within the constraints what how do you say no and the way that netflix articulates strategy is through a model called strategic bets and strategic bets are very explicit and transparent choices but they're choices between multiple reasonable approaches right because you know if you think about it like you're trying to climb if you want to get to the top of the mountain there's probably more than one way up there you got to pick one and they create focus and they also we talked about context not control it provides context so if you're

strategically aligned if you understand the bet then you can make good decisions and these are some examples from the these are available on the netflix investor relations site from the long-term view you can see it there it says netflix is a focused passion brand it's not a do everything brand starbucks not 711 southwest not united right and then below that we don't offer pay-per-view or free ad-supported content those are fine business models right so that's an acknowledgement like yeah you can there are other ways to do it we're not gonna do that we're gonna do this and by being explicit being transparent being consistent right because that's that's on on the public internet so then clearly

the external world knows how netflix is moving so that creates tremendous amount of strategic alignment internally there's no confusion about are we doing ads no i mean it's right there i mean so this provides a lot of consistency and a lot of context for folks to work in and if you're interested in the way like a little bit more detail about how strategy bets work my former colleague john may he's he leads the platform security team at netflix wrote a really really nice article summarizing that called place your bets and i wanted to talk about some specific security strategy bets that we created you know as we built the team and and these were all in the context of the

culture and so i want to kind of do a bit of a deep dive into one of them and then kind of you know we'll give a few other examples just so you have a sense of how strategy bets work and the first one i was actually telling some folks at dinner last night so the the last social event i went to pre-kobits i guess probably like february of 2020 was a security meet-up um like happy hour in san francisco and you know there's a bunch of folks from other tech companies and i was having a conversation with somebody from another really well-known uh tech brand uh on their security team and she was telling me

that their cto wants all engineers to think security first and i said that's great i think that's a great strategic position and i'm sure like we like that would be a nice place to work because like think about what falls out of your cto saying that right it's it's really a nice rallying cry because everybody's like yes security first right a lot of us have been have been trying to reach for that for many years it also demonstrates your commitment and it makes clear like how you're going to prioritize right i said that's that's amazing i would say netflix has a dramatically different approach i said at netflix we want engineers to focus on what they were hired to do

these are just different approaches they're not one of them's not right and wrong you got to choose one that aligns with your culture so when you say that you want engineers to focus here's really what that means is i want i want my folks to focus i want them to have less cognitive load right you'll know like it's hard to develop software like you got to keep a lot of stuff in your brain like ci and testing and source code management deployment and observability performance i don't want you know folks worrying about security it also recognizes specialization right and scarcity are good engineers easy to hire are they cheap right if we hire a great

algorithms engineer i want them thinking about algorithms i don't want them thinking about security to me i believe that that gives the best position for the company like that's the best use of their resources but it also drives excellence it demands excellence from the security team because if that's your approach basically the security team needs to build products and tools that are simple and easy for engineers to use to solve their security problems like if you're not willing to do that if you're not going to demand excellence out of your security team then you can't take that approach so this is kind of an example of like a strategic bet and these are both completely fine ways

to go about it but you can't do both you got to choose right you want to we we talked about that like we got a narrow we got to focus we don't have unlimited resources and if we think about a few more examples that we created in the security team over the years one was we said we want to publicly share information we don't want to keep it private right so what did that mean for us well that meant we did a lot of open source you know we we i think we open sourced like 30-something projects when i was there did lots of peer-to-peer collaboration you know like we did a lot of conference presentations and i think

i thought that that was useful that's why we created that bet there's nothing wrong with being private about your security program like it's certainly easier to create software and not make it open source like that i guarantee you that's a simpler way to do it but we just thought we thought it would be a net benefit for us as we built a team and by doing that by being explicit like we have that we would have this written in a document then folks understand okay here's our position on conference on information sharing they don't need to ask their manager it's right there the next one and we had i don't know i think we have maybe 20 of these the next

one i'll just talk about briefly was you know we wanted to do targeted security training not broad and compulsory training there's nothing wrong with like having every employee do like a bunch of mandatory security awareness training nothing wrong with that we just thought it'd be a more effective use of our resources to do targeted training for the audiences that we thought were most impacted so an application team that a bug bounty finding maybe your finance team because you're worried about business email compromise and the last one i'll talk about is we had a we had a saying that we would say guard rails not gates right we want automated controls we want minimal human interaction and we want

we're not going to try to prevent every every bug from happening instead we want to focus on our ability to deploy software really quickly we wanted to we want to focus on detection and response versus trying to prevent everything from happening and you can see how the investments would fall out from there right but when we say that if i if we say that then we know we're not going to put a bunch of investment in these sort of mandatory gates that people have to pass through so just wrapping things up so we really talked about three main areas right we talked about the self and i think the real the main takeaway there is like you

got to cultivate ways to remove stress from the overall system so whether it's making priorities in your personal life so to give yourself more breathing room whether it's thinking long term at work or we talked about that idea of being a step down transformer talk about culture right you definitely don't want to push up hill you want to understand like how does the organization work and then that's how you want to apply your expertise and then finally with strategy right there's usually multiple correct or appropriate ways but you got to choose you and you want to be explicit with your choices so that people are strategically aligned and of course you want to fit that direction to your

culture that is it and i appreciate your time
