
Swimming Upstream: Regulation vs Security

BSidesSF 2017 · 44:43 · Published 2017-03
Category: Policy
Style: Talk

About this talk
Companies that operate in heavily regulated industries oftentimes run into conflicting directives around tactical decisions that need to be made, potentially hindering overall security posture in order to meet regulatory requirements. This talk will explore strategies that security teams and leaders can use to navigate the murky waters of bureaucracy, compliance, and politics to achieve the security goals they're striving for. Throughout this talk I will pull from examples in my own career that span some of the largest industries in the US.

Transcript

It's going to be my honor to introduce our next speaker. We have Robert Wood. He runs the security and compliance team at Nuna, whose core directive is to protect one of the nation's largest collective health care data sets. Previously he was a principal consultant at Cigital, where he founded and led the red team assessment practice and worked with strategic clients across the United States in an advisory capacity. Here we go.

Maybe... there we go, computers work. All right, good morning everybody, let's get to it. So this morning we're going to talk about the age-old battle between regulation and compliance and security, where most of us likely fall, and some of the challenges that come into that battle when those things are at odds with one another, even though regulation and compliance were brought into being with the best of intentions. Things like NIST and ISO and all of these frameworks out there were introduced to try to make us all better and give us some structure. So I want to share some personal stories about how we've handled some of the at-odds craziness that comes up when juggling security, best practices around security, and some of those regulatory requirements.

To really touch on this: I run the security and compliance teams at Nuna. We're a healthcare analytics company based down the road here in SoMa, and we work with very large employers, health plans, government agencies, etc. to help them deliver better, faster, cheaper health care services through a variety of analytics products. Probably the most important thing down here is that I'm a massive Batman fan. My wife calls me a fanatic; I teeter-totter; anyone on my team will tell you it's probably the latter.

So first things first, I want to cover what the actual problem is and what some of the symptoms of this bigger compliance-versus-security issue are. I think it boils down to three main things. The first is that there are a zillion frameworks out there. You've probably all seen the xkcd about making the one framework to rule them all and just ending up introducing another framework on top of the n that already exist; you end up with an n+1 problem. So we're drowning in this complexity that is compliance, which comes from government regulations and customers and maybe internal organizational policy, and it's just a lot of stuff to manage for already overburdened security teams. Then we've probably all heard the story of compliance as security theater: we see compliant companies end up on the front page of the Times or the Wall Street Journal after they've suffered some kind of breach, and we have to ask ourselves what's going on there, why is that, how is that possible. And then there's something I'll refer to as the "gotta catch 'em all," or Pokémon, syndrome in compliance. So let's dig into each of these a little bit more.

To give you a snapshot: Nuna is a relatively smaller, newer player in the health care scene, but since we're dealing in the health care data space we're pretty much automatically subject to HIPAA, the security and privacy rules, as you might imagine. Beyond that, based on the customers we end up engaging with, we've already put ourselves in a position where we have to track over eight different standards, which ends up leading us to track over 300 unique controls across all of them. On top of that we deal with customer-specific audits, which can come at any time but mostly happen annually; we have the possibility of random OCR audits; and then of course we have to conduct our own internal assessments and audits to satisfy all of these other requirements, which, if you're familiar with going through that process, is a lot of overhead for any security team. What ends up happening is I end up looking like this, in the straitjacket. It leads into this tension where the customer, or somebody, shows up on site, or calls up, or sends an email and says "we need you to jump through this hoop for us," and many security teams end up rushing to the door to show them these massive spreadsheets. If anyone's familiar with dealing with compliance in the government space, they used to track all of this stuff in big massive binders and would just hand auditors trapper keepers of compliance controls. This is why our government employees resemble this, and it's not pretty.

The next thing: security, or compliance, as security theater. A few reasons why I think this ends up being the case, with compliant companies, consider your Targets and your Home Depots, falling victim to breaches. Any time you're going through any kind of assessment or audit you're of course going to put your best foot forward, so teams are going to spin things in the right way, really polish things up, clean up. It's like cleaning up before company comes over: you want to make sure everything's in its right place, you vacuum, you put everything away, you don't have your laundry lying out everywhere. This is what's happening any time we go through assessments, so that we can achieve that business objective, which is that the company needs to get compliant to not get fined, to enable business development, things to that effect. Beyond that, because compliance oftentimes maps directly to some kind of business objective, i.e. not getting fined or enabling business development, what I've seen in many, many cases is that budgets only go so far as enabling compliance. You're only going to get enough money to handle or implement the processes, the controls, etc. that are covered by whatever frameworks you're subject to, whether it's PCI or HIPAA or ISO or NIST, whatever. And beyond that, I'm sure you're all familiar that control frameworks don't cover everything. For instance, in all of the frameworks that we're covering, the words phishing or social engineering, or anything pertaining to social engineering attacks or human-based attacks, isn't mentioned or referenced anywhere. The only thing that's mentioned or referenced is that we do an annual 15-minute PowerPoint security awareness training, which, if any of you have gone through those, is not really a sufficient thing to enable and empower people to guard themselves against arguably the most prevalent attack vector leading to a lot of these breaches today. So why is that?

Third, we're going to talk about the "gotta catch 'em all" syndrome. This is where people become so enamored... this is why I call it a Pokémon syndrome. Any Pokémon Go players in here? Show of hands, or friends who have? There we go, friends who have played Pokémon Go. I've watched people walk into ladders and do all sorts of crazy things playing their games, or just being on their phones. What this ends up looking like is people become so enamored tracking these controls that they forget about everything else around them. They forget about best practices, they forget about making sure that the controls are implemented. (This guy doesn't die, don't worry, he comes close.) We end up forgetting about the things that are right around us, or making sure that the controls and the processes we're implementing are actually effective. We'll do one more. This is, yeah, that's akin to what I ended up witnessing. So we end up in this situation where we don't really care whether the things we're implementing are effective, and that's a big problem, because if something's not effective, if it doesn't cover the entire scope of what it should be covering, but you've just checked your box and moved on, then you're going to end up with a big problem down the road.

This is an issue that I've run into a few different times: cases like this, where you end up with regulatory policy over here and organizational policy over here. If you can read the text in here, these are summarized or memorized versions of the controls that were covered, and if you notice, the organizational policy is kind of gnarly; it's not something that you would actually want to do. They're basically saying network traffic to databases, from applications to applications, whatever, must be unencrypted so that we can effectively monitor it. Well, that's not cool. Anyone who is familiar with the pen testing landscape, or with configuring and actually guarding these systems, knows that's not cool, that's not kosher. But that is something that an organization I've worked with actually enforced upon system owners across the organization, while at the same time they had all of these other regulatory policies to satisfy, such as "encrypted network services must be used wherever possible," and all of these other things. What this ended up looking like is they ended up shrinking down the scope, or kind of dumbing down, all of these other controls that were arguably best practices, or things they should have been doing in some form or fashion, just so they could satisfy, and catch 'em all, "network traffic must be unencrypted." There were a lot of excuses, and once you started shaving the yak it just never seemed to end. It was excuse after excuse and exception after exception, and it was really gnarly.

So from all of that, we have to ask ourselves: that's where we are today, or that's where we have been, so how do we start to change that? Some things that have been effective for us at Nuna: first, figure out the people or entities that can help you drive change, or those that actually care about change, whether they just care about compliance or whether they care about the bigger picture of security, actual security. Figure out what's important to them. Are

they worried about business development? Are they worried about making sure that customers trust them? Are they worried about marketing image, things like that? The more stakeholders you can identify around your company that actually care about what some of the fallout might be from any kind of breach or compliance issue, find those people and figure out what's important to them, figure out what language they speak, so that you can use their jargon when you're aligning and partnering with them. And then, right off the bat, start to make your efforts visible. We in this industry have a gnarly habit of operating in this behind-the-Iron-Curtain fashion where we don't want everyone to see how the sausage is made. But if you can show people how the sausage is made and what's behind the curtain, then people can start to see just how much work there is to do and how little compliance actually ends up scratching the surface.

So one thing that's helped us is to think about actually having this global list of things to talk about. In many organizations, or, focusing just on Nuna with the products that we manage, of those eight different standards, some of those standards or requirements come from specific customers on specific products. If we were to start trying to manage this mapping, customer A only cares about this standard relative to this product, but customer B cares about two different standards relative to two different products, it just becomes a giant mess. The Cloud Security Alliance has published this fantastic mapping that covers a lot of the things that you're probably dealing with, or will have to deal with at some point, in terms of compliance standards. You can take that as a starting point and figure out what the industry-relevant standards are that you have to adhere to: is it because of the space that you're playing in, whether financial services or health care, energy, telecommunications, whatever? Are you working in the public or private sector? Are you planning on building something that might be sold to the government in some form or fashion? Because if so, that opens you up to a whole new bucket of fun. And then, are you running everything on premise in some way, or are you starting to outsource things to cloud vendors of some form or fashion? Because that will dictate or influence what kinds of things you start to look at and the scope of the control sets that you have to manage. What I mean by that is you may be able to cleave off a lot of requirements that you have around availability, or the way that virtualization or hypervisor-layer controls are managed, just to use an example. Then, within that global framework, you can start to funnel in other things that need to happen. We did this at Nuna: we started to throw in other best practices, other capabilities, things like threat modeling, things like static analysis, and running manual penetration tests instead of just regular Nessus scans, things like that, into this massive framework. That way, when we're being transparent and showing people just how much work there is, and how much of it we're doing on a regular basis, that can start to influence budget decisions and budget discussions.

Past that, as I mentioned, we end up getting a lot of customer requirements, as I'm sure some of you folks in the audience do as well, and you have to start to tease out what the specific asks are that come from your customers that can inform the direction you want to take your security program. You have to either figure out how to map those asks to something that you're already tracking or plan to track, or you just add that in as another security control. Some examples of things that we ended up getting from particular customers during an RFP or bidding process were: you need to have some kind of data loss prevention policy or capability in place; you need to have controls to restrict the use of USB drives on your laptops; something like that, stuff that's not covered in a normal compliance framework. What you end up with when you have this funnel, this global controls matrix, is you can present this document, when it's pulled together, to a customer. You don't have to worry about going through all of the specific hoops and jumping through all of those things to pass a customer audit. If you're dealing in the enterprise space, that is, selling to enterprise customers in a B2B fashion, you're going to end up going through a lot of these things because they have their own very robust vendor governance programs and they will audit you and test you and make sure that you're up to their standards. So if you can show them the standards that you're at and then let them deal with the work, that will save you a lot of time, and in our world time is everything.

The next thing I want to talk about is reframing the risk narrative. What I mean by that is we need to get away from just labeling things as high, medium and low risk. The CIA did a study back in the '90s, and some folks here may have read it; it was on the psychology of intelligence analysis. What they did is they took about 20 to 25 national-security-relevant events and they ranked them high, medium, low, just high, medium and low, and they varied who they were delivering

these results to, who delivered them, the time of day, and the order in which they delivered these results. What they found through doing this is that people's interpretation of what high, medium and low meant varied very drastically depending on the order, depending on who presented them, things to that effect. If we think about that in our world: if you don't have somebody very compelling giving this decision maker the risk breakout, the risk landscape if you will, within your organization and telling them what "high" actually means, then you're likely to end up with a lot of different opinions across your decision makers' minds. So I would urge you to start to think about measuring things in terms of numbers. You don't have to be perfect; we don't need very complete data; you don't need to go and engage a vendor to do this who has done big data analytics and machine learning on risk numbers, to throw a few buzzwords in there. You can do it as simply as saying: within the next year, this event, within a ninety percent confidence interval, could happen anywhere from 5 times to 15 times, depending on the threats that we deal with and expect; and from an impact perspective this thing might cost us anywhere from a hundred dollars, if it happens, to ten thousand dollars, which would be a pretty nominal mishap, versus something like, let's say, a SQL injection issue on your flagship app that could extract and expose all of your customer data, which could cost you much, much more, on the order of hundreds of thousands to millions of dollars. So it'll help you prioritize by numbers, and this is the way a lot of finance teams do it, because finance teams of course dictate our budget: how much risk you're actually at, and they can start to model these things and think about them in a little bit more sane manner. It's much harder to argue with numbers than it is with high, medium and low, because everyone's going to have their own interpretation of that.

Past that, we can start to align capabilities with strategic objectives. So all of those people that you found in the beginning of this, who actually care about compliance, care about security in your organization: start to build a mental model. This does not have to be a big formal mapping; you don't have to script anything. But start to build stories around the various capabilities that you're developing and fostering and building and maintaining in your organization, things like incident response, things like disaster recovery and business continuity, and vulnerability management, stuff like that, those big broad categories that all of these controls roll up into. You don't need a specific breakdown of everything that funnels up into a capability, but you should have stories around how these capabilities map to, and help achieve or support, those business objectives. What we found is, when we start to have those kinds of discussions, when you map it to an OKR (objective and key result) or a KPI (key performance indicator) within your organization, executives can start to see that, hey, this objective over here, whatever measurement tool they use to guide their strategic decision making, this thing that I care about over here, is going to be directly impacted based on the performance of this particular capability. And if that's a really big one for them, then maybe that's a reason to funnel more resources into it.

So moving into more of an implementation perspective. One of the early things you have to figure out is what you're actually working with: what platforms and tools and cloud service providers are you building on top of, what vendors are you using, and you have to figure out what your shared responsibility looks like. Think about the shared responsibility model of AWS: in terms of AWS, we handle these things at the underlying layers, and then you're responsible for everything that happens on top of it. It looks very similar from a compliance and security perspective. You can't end up bringing in a bunch of vendors to handle and process and store and compute on your sensitive data, or your most valued assets, who are not up to the same standards that you are. I'll use an example from a vendor that we recently evaluated, or are in the process of evaluating. We have a vendor governance process, so we send out questionnaires to folks, and we ended up getting the response "LOL" to one question we asked, like "do you do this particular security thing?", and their response was "LOL," right. So if an auditor were to come in and we were to give them all of this stuff, their response would more likely be "WTF," not "LOL." They would not find it as funny as this particular vendor did. So figure out what your shared responsibility model looks like with regards to all of the things that you're building on or using, or the people you're engaging with, and that'll help you figure out what controls actually matter to you and which ones don't. They'll all ultimately matter, but which ones do you have to actually track, or which ones can you just say, "we're using vendor A," drop a link into

their compliance page and say you know we're done with it you know we trust them to handle this particular area of our organization and one idea that we've been experimenting with lately is this idea of adopting test-driven development to test driven compliance and so writing tests or starting with a condition that fails on a particular control so is x encrypted is x resource encrypted is this networking is this network connection encrypted things to that effect and this won't you won't be able to do this across your entire portfolio but the more things that you can adopt and build automated tests for in a similar fashion that we would any kind of quality function you know you can

start to you can start to track these things as part of your CI CD pipeline you can start to deliver results or bugs to the developers that are potentially turning things off or or writing something new that doesn't conform to the standards that you're rolling out of your organization and you can put the responsibility back on them to fix a bug and not necessarily deal with compliance you know it's all about framing it just as it in the same way that we don't go to a developer and say or at least we're not anymore according to the trends that we're on you know we don't go to a developer and say you have n number of

vulnerabilities to deal with we say you know you have a number of bugs to deal with it's all bugs you know whether it's a quality bug or a security bug it's all issues that negatively impact the performance of the system that you're working on so please please address it you know and you can start to work with your your build or ops teams to you know fail builds based on certain things happening or certain conditions not being met and this again feeds into that idea of monitoring and reporting on the state of your compliance program and so then we start to think about you know if we're tracking all of these things we start to be able to generate metrics for

them which is great metrics are fantastic and you know if you're running these things on a case-by-case basis you know point in time audits then it becomes very difficult or you're not getting very timely metrics like doing a quarterly assessment as an example however if you're running a lot of your control stuff through a CI CD pipeline and you can start to track these things how they're how they're performing over time how quick are you to remediate a particular control gone wrong thinks that affect that provides a much more compelling story to auditors as well as to the decision makers within your organization and you also start to introduce this concept of transparent reporting and transparent reporting what

we found is is a very very effective tool for increasing social pressure on people so whether it's social pressure on an executive or social pressure on a developer if somebody introduced an issue and everybody knows about that issue being in place then they have more pressure on them to fix it and this works even in an executive circle so if you're doing roll up reports to to an executive team or to a board you know highlighting where all of the Stan we're all of all of these things stand from a you know from a coverage perspective from a you know where eighty percent of the way there and business continuity disaster recovery ninety percent on instant response etc and you

started you start to call out which director which executive is responsible for these things nobody likes to look foolish in front of their peers and this is not a necessarily a thing to a tool to make people look foolish but everyone wants to make sure that their stuff you know their house is nice and polished any time the company comes over and so this is a way to start to do that and what I want to what I want to highlight is this relationship right here between the strategic the strategic alignment with capabilities and the metrics so if you can start to build build metrics around the capabilities that you're tracking and want to track and that are

important to key stakeholders then you can start to tell really compelling stories to both auditors and 22 internal execs or people who are influencing or controlling budget and so you know moving into you know how do we actually fight upstream what do we actually do when when these things are at odds with one another so I think there are there are six main big takeaways the first is making sure that we reframe the narrative around around compliance reframe the narrative around risk and start to think more about how we can how we can report towards people's intrinsic motivation so you know if they're motivated by you know by again business development or making sure that their

customers trust them when they walk into a sales meeting or something to that effect then talking to them in the in the language or in the in the narratives that they have is going to be a much more powerful story then this next one so that way you don't end up in the straitjacket condition of the Pokemon syndrome you need to identify why you actually need to be compliant and to what you need to be compliance to so not everyone needs to be fed ramp compliant for instance only vendors who are building software to sell to a government agency of some form or fashion need to be FedRAMP compliant and you know you don't want to be taking on

something as massive and meaty as Fed if you don't have to it's not necessarily impressive if you're FedRAMP compliant not settling to the government however if you need to or plan to if your business wants to go down that road finding those things out early so that way you can structure things accordingly is going to be a really really important thing and then this is where we start to think about the point three and four start to think about the be social pressure in the transparency element so we need to make our reporting personal to those who would actually matter so this is you know very very closely related to the intrinsic motivations but you know we need to make sure that we're

that we're communicating in the same native tongue as the people who are you know to who this matters because compliance enables us to do business in some way compliance isn't necessarily bad but it can be it's like a necessary evil in the organizations that we work and then this was not mentioned mentioned in the past but you know and this probably comes to no surprise but make sure that you have some element of deadlines and directly responsible individuals or accountability when it comes to remediation of these things you don't want to be on the hook in your organization for actually handling all of the remediation work that might come from you know any kind of audit or

assessment there's probably going to be a lot of it and so if you can start to pinpoint the team's the project managers the business owners etc who are actually going to be responsible for from managing all of these things then it's going to it's going to benefit you in the long run you're not going to have to do as much work to maintain it to do the work initially etc because you probably got your own massive bucket of work to handle on your plate and then of course if you can start to you know this end this ties back to the to the risk narrative you know using numbers to drive how we talk about risk if you're

not just saying hey mister mister or missus developer you've got a high-risk vulnerability you know when nobody are actually know what that knows what that means and so if you're talking about you know if this thing has a you know with a ninety percent confidence interval has a chance of happening you know 50 times this year and it's going to cost us 50 million dollars which we know is going to put us under because that way out does our reliability insurance and blah blah blah then you know you can start to you can start to work with people and come up with much more sane deadlines you know maybe you don't have or maybe you do in

your organization's a set deadline based on risk for things to be remediated in my consulting experience I've seen that go both very well and extremely poorly in the sense that some issues are just way too big to to remediate in a in a set amount of time and so you know having these these hard and fast rules that kind of blanket everything can sometimes be very difficult and then of course in the compliance space and this is one of those things that that is counterintuitive to most is you know we need to embrace automation much like we are in the rest of the security space so you know compliance is kind of a subset a sub function of this broader

generalized thing that is information security at our organizations and the more that we can embrace automation to to implement to maintain to to course-correct all of these different controls the better position we're going to be in and then of course as you're automating things that allows you to to start taking measurements on things and if you can measure things you can manage things and once you once you can start met managing things you can set your own objectives that then roll up into the bigger KPIs or you know again whatever objective objective tracking tool that your executive teams are using and so with that I will stop blabbering for a little bit and wrap up and does anyone

have any questions? Thanks.

Oh, oh yeah, look back.

Sure, so the question was, and correct me if I paraphrase incorrectly, for new people that are coming into the organization, how do you continually make sure that your compliance initiatives, or control implementation initiatives, are accurately maintained and things don't go off the rails as time goes on? Because we'll build something, and controls and compliance and all of that are right on top of the business and everything's aligned perfectly, but very much like when you build a network and design everything appropriately, the business and compliance start to come out of sync with the rest of the

original technical vision. All right, so that's really where I think the automation comes into play. The more things that you can implement via automation, it's just there; it becomes a part of people's normal workflows, the normal testing frameworks that end up being used and run against the codebase that you're maintaining. This of course gets a little bit more complex the more products that you have, but if you're writing good tests, and you really commit yourself to writing good tests, as any good quality function in an organization does, then

it kind of self-maintains. And then for those controls that can't necessarily be automated, one thing that we found really effective is identifying business owners, basically mapping business owners to a particular capability. So, business continuity is a great example. If we think about business continuity from a revenue perspective, an operations perspective, and a technical operations perspective, we may highlight two people, maybe one person in operations and one person in engineering, who are responsible for basically making sure that if things go off the rails, they're going to be the ones on the hook,

and then we just have ongoing conversations with those individuals, and we put the pressure back on them to maintain these capabilities. And so we'll do things like tabletop exercises, where we're not measuring the effectiveness of a bunch of specific controls, but rather we'll just pick a scenario out of a hat and go talk to those individuals who are responsible, set up a tabletop exercise, and drop this scenario on them and everyone in their team, make it a cross-functional thing, make it fun and engaging and all of that, and we'll talk through

how they would actually respond to the scenario. So, an availability zone goes down, or somebody compromises their social media accounts and starts spewing a bunch of crap: what do you actually do? Have you thought about all of these things? And if their answers are not very good or compelling, or if they just have no idea what to do, then that shows that they're not actually taking this thing seriously, and then we can start to work with them to create project plans. Because ultimately, if you make it real for them, in the sense that something that they're responsible for

is going to completely fall over because they haven't maintained this responsibility, then they're going to be the ones that look like the fools, not you necessarily. HR is another really good example, because there are so many HR-related controls starting to be injected into NIST and ISO and these other frameworks. Thanks. Any other questions?

Yeah, so the question was, just to repeat, when there are a lot of different platforms and tools and technologies at play, how do you manage all of that under one roof? Is that okay? So, one thing that we've found effective... we've got a few different platforms, so to speak, across the business lines that we're maintaining. One way is to try to just push people to consolidate. That's not actually an easy thing to do, and it's probably not actually very likely to happen. But one thing we've had to adapt to, and this introduces a little bit of complexity, is capturing somewhat of a scope, if you

will, per control. So something as simple as encryption at rest of data sources: we would extrapolate that to a particular product and then an owning team. And so we have each of our controls mapped to somebody, or a team, who is going to own it, and the product that it relates to; it's an additional mapping. A lot of controls, if you go through these frameworks like SOC 2 or ISO or NIST, are more organizationally focused, or at least there's a subset of controls within them that are organizationally focused, and those are the easy ones to handle. But

from a product-to-product perspective, oftentimes we just will not really worry about the technology necessarily, from a compliance management perspective. We'll just figure out what team owns it, what product it relates to, and then the specifics around managing technologies and all of that is more of a nuance that we'll deal with outside of this particular compliance tracking, because then it just becomes way too cumbersome, at least from our perspective or our experience. Yes?

So I'll paraphrase, and let me know if I got it right: do you ever look at, with regards to personal information or other high-value assets, how much of it is going into or out of a particular part of a system, and then how do you prioritize? Is that okay? So that's where I think talking numbers around risk really comes in handy. If we just use the ordinal risk scale to talk about everything as high, medium, and low risk, it's all very much relative to the thing that you're talking about. For instance, if you engage a pen test team and you have them come

in and test, let's say you have some organizational or regulatory mandate that says thou shalt have everything in your application portfolio manually pen tested by a third party. All right, great. That team is going to look at the scope of the thing that they're testing, and they're going to risk-rank things in that high, medium, low, or whatever fashion relative to the thing that they're looking at. And so if you were to just sit back and look at high, medium, low, critical, whatever-risk issues across the entire set of reports that you end up getting, you're not really going to get much useful information, because you're

going to have high-risk, critical-risk issues in a bunch of very, very low-risk applications. Let's say you're juggling 100, 200, 300 applications. I found this very frequently when I was working with banks at Cigital: they would have these marketing sites or other temporary advertising sites that went through almost no testing whatsoever, and they would just be subject to a manual test once every two years or something to that effect, and so of course they're littered with issues, but they don't really care because they're throwaway sites that aren't really connected to anything. And so that's where I think starting to talk

about numbers when it comes to risk helps: if something were to happen relative to this particular scope, it's going to cost the business this much, and even if it has a really, really high likelihood of happening, it might happen 300 times in a year or whatever kind of time cadence you set or use, if the impact is so nominal that it doesn't really matter, then you can wait, deprioritize those things. Does that make sense? Any other questions?

That's a good question. So the particular question was: how do you deal with issues where, let's say, something goes down, and that thing going down does not itself introduce a business risk in terms of financial loss or something to that effect, versus something that is directly impacting the business, like a SQL injection or, something that I've heard, data loss of some sort? So in that case, and that's actually a really good question, you could probably chain them together, in the sense that if this thing happens... you would probably marry the two things together and look at them as one joined risk. So you

know, if your intrusion detection system goes down, you're much more likely to fly blind, and if you don't see a risk, or somebody poking around your network, then you're in for trouble in some way, shape, or form. So I would probably just write that risk out as one thing, such as: you're not able to see somebody stealing data or somebody accessing a particular system, and I would probably rank it at the greatest, the thing that would be most impacted. And so let's say it's somebody accessing some high-value server and you want to be able to see that, and the IDS going down

is what's going to enable you to do that, and if it's out then you're flying blind. Then I would focus on: you're not able to see somebody accessing, or somebody accesses, the high-value server; that's X likely to happen because of the fact that this thing is maybe unstable, something to that effect, and therefore it could cost you this amount of money. So I'd probably just rewrite the risk. It doesn't necessarily have to be, in my opinion, and everyone else will probably have their own, it doesn't have to be a very specific instance in all cases. Any other questions?

All right, well, thank you very much everybody, and like Reid said, please rate for coffee and have breakfast and be merry. So, thanks. [Applause]
