Event Recording

The Changing Face of Resilience



Resilience has been changing over the last 15-20 years, and we now accept and acknowledge the various types of resilience an organisation should be responding to. This session will explore how security has moved from a focus on protection alone to faster detection and response. It will also explore what fast-moving technologies mean for the other types of resilience that organisations will be faced with in the coming years, and what they can do about it.

Yeah, so thanks very much to both of our speakers, because they set the scene up really well. I wrote these slides a while ago and I tried to cut them down. I didn't really finish cutting them down, so there are many more slides. But having heard what's been said by the last two speakers, I'm going to move swiftly through some of those, because I don't think I need to cover as much as I would have covered otherwise. Resilience in terms of change, the changes that have been taking place over the last few years: I found it very interesting, looking at examples, and it's really good that politics was used as an example, or a political situation, in the way that we deal with events and things, because my background was economics and politics. I actually did study that at some point, as well as the previous presidents that got nearly shot or whatever.
And it does play into the way that governments deal with crises, and some of the things that the governments do, they do very well. Unfortunately, we haven't taken some of those lessons on. However, moving on, what I'm going to try and cover very quickly in this is, first of all, basically where this research originated from. And it was basically from challenges that I saw as a CSO, speaking to other CSOs about some of the wireless technologies around and some of the things that, I would say, were not being predicted early enough. And that's really what, in my mind, the focus of what I want to talk about is: that prediction and that aspect of it. Because if we don't predict correctly, we don't predict the right things, we don't understand the elements involved in prediction, then we are going to get things wrong.
No matter how well we try, we are going to end up, even if we are resilient, dealing with things at the last minute rather than preparing for them and being able to prepare for them. And that prediction is really what I want to focus on. So early on this year, I did some work around wireless. There are lots and lots of different types of wireless technologies around: Wi-Fi, Wi-Fi Direct, Bluetooth, near-field communication, many different types. And there are all different combinations. And if any one device at any one time connects to two, or uses two different means of these types of communication, effectively it's what we used to call, once upon a time, if you've been involved in networking, a dual-homed network or dual-homed device, and it basically creates a bridge between the two networks. It's a bit like having a network where you're connected to the DMZ and you're connected within your own network.
So effectively that's what happened. And the implications of this are quite important, because if you are sitting there and you are connected, wired, on one network, and half an hour ago maybe you were in Starbucks and you were connected to Starbucks, or you were at home, and you put your laptop away, came to the office, then plugged into your docking station and started to work from there: effectively, if your wireless network is still on and it's connecting automatically, all an attacker needs to do is open it up and perhaps connect and start to find out what's going on. So the origin of really trying to understand this, and speaking with other CSOs, was how many CSOs actually look at that as one of the vectors around attack. And it was interesting that at the moment there aren't many technologies.
What most technologies work on is giving you every connection that's already connected, but not all the other connections that are open within your environment. So I went around and spoke to CSOs and I said, look, do you have any visibility? Are you looking for visibility? Because the work I was doing was with a vendor that provides that visibility. And the interesting thing I found was that there weren't enough current models around for people to think that they need to look at this as an issue. However, in some of the environments that the vendor was working in, we found in hospitals where you'd have medical devices like MRI scanners, which you could connect to in about four or five different ways that were open. And all an attacker needed to do was connect to any one of those, and they were into the patient record system as well as the admin system, because these things connected directly into them.
Then we looked at a whole range of other types of, again, these sorts of connections. And we found that within client sites we saw, and there was one instance that one of the companies that we were working with had found in the UK, within a healthcare environment, where an attacker had managed to take out of the healthcare environment 450 gigabytes of data, and an investigator, this was our contact, managed to investigate. And what he found was not how they got in, but how they got out. And how they got out was they'd stored all this data on a device that was part of the infrastructure, but they attacked three smart TVs in the boardroom. What they did was, the TVs were connected wired, wirelessly and Wi-Fi Direct. And from what I've just said earlier on, you're creating three bridges there, effectively.
And what the attackers managed to do was connect, and of the three technologies, the easiest one to break into is Wi-Fi Direct. Because Wi-Fi Direct, for those not familiar with the standard, although it's a secure standard, many of the vendors build on top of that standard because the standard itself is quite limited. And because it's limited, all the extras that they build on are the bits where the vulnerabilities are. And we've found issues not just with Wi-Fi Direct within that example I've said, but within HP Wi-Fi Direct and lots of other Wi-Fi Direct. So this original research was around detection and our ability to detect, and actually looking at, if we're trying to predict what's going to happen in the future and trying to prepare for it, how are we actually looking at the visibility part of what's going on, and how are we making sure we've got the technology to be able to pick up all those things that we need to pick up?
Because it's a bit like trying to understand your network without having a firewall. If you didn't have a firewall which enabled you to look at some of those things, you wouldn't be able to say; equally, this is the same sort of thing. So then I expanded from there, and effectively this is called geo-connectivity or Wi-Fi Direct and so on. So I started to look from there. So we've had, over a period of time, converged communications, where devices are down to a basic common set of technologies, and we've had this ongoing invasion of IoT devices, and it's going really well. And it's been predicted by every other vendor out there. Cisco predicted 20 billion devices by 2022, and I'm sure we've gone beyond that. So many of the services that come with a lot of these IoT devices are using several, not one; in the old days our laptops used to come with a wired network card and then with wireless as well, but now with several wireless communication technologies.
And what this means is, effectively, we're in a situation where, once upon a time, the visibility that we would have had with our firewalls is not applying to wireless and the range of devices that are out there. And that's one of the things that I think needs to be looked at. What this means is that, you know, there are obvious vulnerabilities; when we are looking at resilience, we look at vulnerabilities, we look at exploits, we look at bugs. All of these are obvious things that we know we need to look at. We understand that there are lots of external events that are going on out there and we need to take into account what's happening out there. And many of these give us enough information, which gives us one move ahead. And what we were starting to look at with some of the CSOs I was speaking to was: what we need to be thinking is two, three, four, five steps ahead, and are we able to do that?
And although communication and wireless was an example where the discussion started from, it's not the end point, and we think we need to be going further. So in terms of where we think we need to be, we start to think about the intelligence that we need to start looking at moving forward with all this. And we need to start exploring, if something is going to happen, what needs to take place, with a whole range of different events, for X to happen. And the example our last speaker gave, in terms of all the things that were known: there were many things that were known, and all of those things that were known could have been predicted well in advance. And what we were thinking about with the CSOs that we were speaking to was, how do you get beyond that?
How do you get beyond that basic first couple of steps? Because that's the position we need to be in, because if we're in that sort of position, we're in a position where we're not going to be making poor decisions. I mean, we've been through organizations where we've seen critical systems running on operating systems that are no longer supported, developed using programming languages where the skill pool is very narrow. Seen this in lots of banking environments, building infrastructures. On that third point, I saw a fantastic image in LinkedIn the other day where there's a building, and the building is rock solid on one side and everything else on the other side is on small stones. And all you have to do is pull out a stone, and this fantastic infrastructure that everything's on is on these two pillars.
And effectively that's the sort of thing that we have been doing in terms of some of the work that we have been doing over the last few years. And I've seen this in many organizations, working as a consultant. And there are many examples that we can look at where the prediction aspect of the business has gone wrong. And these are just some of them, other things that we have done where we've seen failure. It's the failure to account for the impact of changing external factors, and really trying to spot the obvious. And that obvious, although it may be slightly less security related, there are similar challenges. And tomorrow I'm doing a presentation around frameworks. This is a slide of the area. Now, why I'm using this for this presentation here is basically that many of the frameworks that we have have been letting us down, because what we are doing when we're looking at resilience is quite often we look at these areas here, and the last speaker looked at these as well, mentioned these, and then if you break them down into the different asset groups, you can look at those and where the controls are.
So if you put controls in each of these, the presentation I'm doing tomorrow is looking at where the concentration is and why it's there, using eight different frameworks. Effectively, spoiler alert here, everything comes into this area here, which is that green area here. And the question is, how can we do better detection? How can we be more resilient in terms of detecting, responding, recovering? If our identify leads us to basically put loads of controls in protect, if we haven't got the visibility, if we're not detecting, how can we respond effectively? And that's that. Basically our standards, and the way that our standards have been working for quite some time, have been letting us down because we've entirely focused on these. Although I know at every event I go to we understand and we say, you know, there are two types of organizations: those that know that they've been breached and those that don't, and there are lots of variations of that as well.
And effectively why we used to say that is because this was correct. Now, I know all of us say that we need to be responding. We can't focus all of our efforts in protection; it needs to be in detect, respond and so on. But at the moment, the standards that we've got have been letting us down. And in terms of what we know we've missed in terms of current approaches: the Mirai botnet we had a couple of years ago. It was coming and we've been talking about it, and I'll say we, I know I've talked about possible impacts and possible attacks using CCTV systems. The first time I spoke about CCTV systems was around 2004, when I'd researched into vulnerabilities in network CCTV systems. And that was so easy to break into, to actually end up at this point where we can say, do you know what, this is going to happen.
It wasn't a surprise. We should have been prepared for it. And it impacted, you know, the infrastructure. EternalBlue, this was some malware we know about. It was the take to take down Iran, and it's been around in the wild; it's still impacting in many ways. And what we are not doing is looking at how we can respond to that. WannaCry, Petya, that's been around, it's still going around, and we're still not responding effectively to it. And really I think what you said towards the end, we should all be able to afford it. We will have a right. And the thing is, many organizations out there do not have the resources to be able to protect themselves, even with some of the simple things that we need to do.
So, the extent of what's been missing, do we really know? There's been lots and lots, and there was this thing 10 years ago called Red October, and this was a piece of malware that for five years, in all the government buildings and departments and so on, had been sitting there collecting lots and lots of data. It was only in government buildings that they detected it the most. Sitting there collecting lots and lots of data, but it hadn't done anything other than that. It hadn't sent it anywhere, not done anything. So what I'm trying to raise is there are things that, I believe, at the moment our resilience models are not giving us, that we are missing. And some of the bleeding obvious things that we've got are the pandemic, the Ukraine war, some of the tactics around influencing elections: those tactics that we in the West use are being used right now, using social media, on democracy.
The truth is no longer undeniable, and that shouldn't come as a surprise to us, because the technologies to do what's happening have been around for some time, and we shouldn't really be surprised by that. And the deepfakes are getting better. Criminals and attackers are benefiting from lots of different technologies, and the DT there is digital transformation. And in terms of what digital transformation does enable, that we need to be thinking of and looking at predicting for the future, really is a whole range of things. And at the moment we're not really doing that. So I'm going to try and move very quickly. I've got lots of slides, but I'm going to try and move quickly to what I think, with the colleagues that I've been speaking to, and where I'm moving towards, what sort of things we need to be looking at.
So in terms of that, we do need to look at: we've had de-perimeterization, we've had the onion-layer approach, and we've had what we're now calling zero trust, which really helped us formalize and look at things in a very different way than we had in the past. And I think what we need is a common improved framework that we haven't had, which is more descriptive of the language to understand the multi-connected, multi-impacting dimensions of the technologies that we've got. And I think that's what our current models and our current thinking have been lacking. We need to also enable the use of what-if scenarios in far better ways than we currently have, that enable us to look three, four, five years ahead rather than look at right now. And many CSOs we speak to, there's a report, I don't know if anyone has seen it, a report called Market for Lemons.
It's a very interesting report. What it looks at is how the current market for security vendors, and the products that are being produced, in quality and efficacy in some respects is going down. And the report was compiled speaking to a hundred-plus CISOs about what was going on, how they chose their vendors, how they chose solutions, how they chose what to look at and what not to look at. So basically, in terms of the scenarios, that's what they missed. The CSOs were saying that they buy a lot of things looking at and speaking to other CSOs. When the question came to, well, okay, so you are speaking to other CSOs, do you look at and do you test things? What they found was, out of a hundred, one CSO would normally do proper testing and compare products in the right ways, then you'd get five that would rely on that one, and others that would rely on those.
So in terms of creating what-if scenarios using technologies, it's only going to happen in a very restricted way. Obviously we need better dialogue with vendors, because I do think that if we understand and predict more, and predict more effectively, we're in a better position to have a dialogue about the tools that we think we are going to be needing in the future, and the types of things that we need, rather than lone entrepreneurs trying to guess at things and then trying to sell something for whatever they've worked out. We need, you know, a type of war or attack sort of preparedness around resilience, and really try and look at how we can be better prepared around resilience, in the same way that wars and political situations have that sort of political analysis that we've seen in the White House, in government and so on.
And there are lots of parallels that have been used within defense that at the moment we don't take on board in predicting in the same way when it comes to resilience, and I think that's something that really does need to change. So there is a lot of work that's going on at the moment. We are holding some workshops next year. At the moment this is very early stages of trying to understand what it is that we need to be going towards, what we need to do about it, what we want as CSOs trying to cope with resilience. We don't want to be in a position where we're trying to make decisions in ways where we are relying on information that's six months old, a year old and nothing more than that. There needs to be better intelligence. That's really where we're coming from. Okay, I think that's about it. I'll hand back to you.
Yeah. Well, thanks very much, Sal. We're in the happy circumstance of having both you and our previous speakers still in the room, and the unhappy circumstance of not having our next speaker in the room. So we can take a couple of questions. Just a reminder to everyone who's joining us online: if you've got any questions for Sal or Andre, please send those through and I can ask them. In the meantime, we'll just carry on talking to you. Sal, would you say that technology change is one of the most significant things that organizations are having to face today?
Yeah, absolutely.
Just grab the mic.
Yeah, absolutely. I think the thing is that each year technology is moving on faster and faster. It's impacting in many different ways. And I think that's really, in the conversations we've had with CISOs, what we've been finding: that things that they thought weren't going to impact actually did, and did in different ways than they thought they would. Yes, it is possible to make predictions, but it is just so fast moving now. But there are many things that we could have seen; I mean, social media for one, Wi-Fi, and I think many things that we're talking about, yes they are fast moving, but at the same time we've seen them in organizations. The first time we came across things like Dropbox, it was like wildfire within the environment, in the enterprise, as people cottoned on, and all enterprises were talking about it. So one day there weren't, and a couple of weeks later lots and lots of people were talking about it, and it does move very fast. Yeah.
So now,
And it's the adoption part that is just as fast as the development side. Yes.
So it's two sides of the coin. Yeah. Through Sal's presentation, Andre, I saw you nodding away at a couple of things. I mean, are there any points that you'd like to tag on? I've got a mic. Okay. Mic for both of you. You'd like to tag on to what Sal's been saying from your presentation too, which, you know, looked at the political situation and the parallels between that and cybersecurity.
I think, based on just what you were saying, the critical thing is we're facing three sort of waves of accelerating change. The first is, undeniably, and we've not talked about it a huge amount, a relentless and dynamic adversary landscape: groups of industrialized, organized criminals who are using brutal innovation to target and expose. The second wave of accelerating change is the one you're talking about, which is rampant adoption of new technology. And I use those words deliberately, because this is not controlled progress and adoption in a safe and secure manner. This is rampant, society-wide adoption of new technology before it's proven. And I think, as you talked about, those unproven technologies that now find themselves in every facet of our homes, our lives, are then butting right up against this sort of third wave of change, which we heard about earlier on today, which is, I think, aggressive, punitive and delayed regulation.
So the only controls that we are operating and trying to put in place, or the only control we're trying to exert at a macro level, is regulation. By its own definition, it's at least five to seven years out of date by the time it's widely adopted. The use and adoption of those regulations and standards is being driven increasingly by punitive fines and measures, which creates a very negative space, and also disenfranchises people who aren't able to understand those technical standards and measures and regulations, and who aren't able to then pay the fines. So if you place those three at the heart of any given situation, I defy anybody who isn't a massive global organization with huge deep pockets to actually figure their way through that. So what we're asking organizations to do is continually make really difficult choices and compromises, not based on budget or risk, but based on the fact that they can't keep up with those three cycles, and they're all slamming together right now. And that's why I was nodding, because I think every time we talk about any of these threads, you can expose it in any of those dimensions.
Totally agree. I mean, on the legislative side, we've seen the regulation, depending on where you are, come in regarding IoT devices. And it's interesting: way back in 2013, the committee, I think it's committee or working group 26 of GDPR, looking at GDPR, produced a paper on IoT, and they said quite straightforwardly, the advice that we are giving here is all around personal use of IoT, because we know it's not around smart homes, it's not around smart buildings or anything like that, because we understand all of that hasn't played out yet. And that was very wise of them, to actually make it clear that they were only talking about that. And having moved forward from there, if we look at things today, some of the work that's going on around the world: I'm involved in the code of practice that's being used for CCTV installers.
Now, CCTV installers, many of them have been around for 20, 30, 35, 40 years. When they got into the technology that they worked on, compared to today, it was totally different. Now, if overnight by regulation you are going to say that, because you are installing security devices, we want you to be able to secure it to the right network levels, you are going to have no one left in the industry who understands network CCTV. The whole industry is completely wiped out. So when we're talking about predicting and looking at these, this was known a while ago; it wasn't something new, but even the legislation is having an impact. And it's not just CCTV; I also do some work with the fire industry and they're having the same issue, the lighting industry, same issue, and regulation is impacting them, even though on the side we might argue, and we're saying, do you know what, these three controls that are being talked about within the legislation, basically they're too low level. We need to include all 13 elements of the ETSI standard, not just three of them, because they're too basic. The industry is struggling to cope with three of them; how is it going to cope with the other 13? And again, predicting that has been known. And, you know, the first wave, second wave, we had disagreements about what we thought was a first and second wave, so I didn't get into that, but I totally agree with you, and it is right, and we are having to cope with it. Legislation is very punitive.
And I don't think we've really learned the lessons of what works well. So even if I go back and think about, you know, to drive and own a car, you have to be able to afford it. You have to have a personal certificate that proves your ability to operate that vehicle. The manufacturer has to conform to certain safety standards and have those accredited. Then you as an individual have to make sure every year that that vehicle is in a safe and proper state. And then you have to have a license so that vehicle is registered, and even then you can't drive it around, because you also have to have liability insurance, which covers anything that may happen. Now, nobody leaves their home in the morning thinking they're going to have a crash and need all of those things.
But we recognize that accidents happen every single day. In a cyber context, almost none of those conditions exist, and none of them are integrated. It's unbelievable that we can't take that lesson and say, right, this is a vital piece of equipment that moves people from A to B; this is vital infrastructure that moves data from A to B. Why can't we say you have to have a certain level of skills to operate this stuff? You have to have insurance to cover anything that you may inadvertently cause, or anything that may happen to you. We need to standardize and place safety controls. You have a burden of trust to make sure that the brakes on your digital infrastructure are as good as the brakes on your car. And I'm always reminded, you ask somebody why the brakes on the car exist and they say, what, to stop you.
Well, actually, yes, but we're sort of smiling, because actually the brakes allow you to go faster. If I said, here you go, get in this car, it's beautiful, it's new, it's shiny, everything's looked after, but before you get in, the brakes are not the best, how you would operate that vehicle would be completely different. You'd be cautiously looking, you'd be really nervous, you'd test them a few times to see if you got inside. If I said, look, this is amazing, this car's great, everything's there, you know what, best brakes in the entire world, you'd feel relaxed, you'd drive faster, you'd still maybe test them once or twice, but you would operate in a completely different way. You'd be less nervous, less timid, and a huge amount faster. And we don't think about security in that way.
Yeah, I agree. I love the automotive analogies, because I remember reading a book by Roald Dahl. He says his family was one of the earliest families in their area to get a car, and his sister had a small collision and the windscreen glass shattered and cut her to ribbons. But today we don't have that issue because cars come with windscreen glass. Now, I like the brakes analogy too, because that speaks to another one of your favorite topics, Andre: security as an enabler. You didn't talk about it this morning. You were talking about, you know, the role of the CISO and this new idea of being in lobbying and so on. I mean, seeing we have time, can you perhaps explore that thought around security as an enabler? Because as an IT journalist for many years, this was something that we were always hearing, but when I challenged people, they were like, what do you mean? Give me an example. They weren't that forthcoming. So, you know, maybe just tell me a bit about, from your experience, what that really means and how it can work.
Yeah, thank you. We've always said security is there to both protect and enable their users and, and data within an organization. When a user can access, transform, or create data value is then created. And they use that in a number of different ways, right? When a user's ability to access that data to create value is delayed or destroyed inadvertently or deliberately, right? The whole thing starts to stop. So for me that's the, that's the fundamental part of an enabling, an enabling, you know, equation, right? Yes, I can put controls in place to try and make it all safer, right? Yes, I can, I can try and educate every single user so that they are not the weakest, you know, weakest link in the chain, but they are actually a first line of defense. But the value that has to be created, that has to be enabled and you have to allow people to do that, right?
So security in the nicest sense, security has to create a space. We are not policemen and women, right? We should not be standards agents, we should not be compliance checkers, right? At the very least, at the very best we should be like this sort of dormant on a, on a nightclub, right? We want our users to feel safe, your name, check you dressed appropriately in you go right now, play, create, interact in a safe space and hopefully nobody will take photos of you while you're doing whatever you're do in a nightclub. And then when you leave again, right? You've had a really positive experience, we've gotta be able to do that. Now, that's a, that's a somewhat innate analogy, but for so much of what we do and present and those, those stages are beautiful in their simplicity and their widespread adoption, but they start with identifying identify, so often starts with identifying vulnerabilities and systems and things like that. I much prefer we would start with a question that says, how do I assess my organization and how would I enable my organization to move faster? Right? We don't do it very often. You're absolutely right.
But essentially though, what you have been describing both of you though, is a tension between security and business that's always existed where, you know, the business wants to move faster. They want to, to, to use the new bright shiny toys to be productive, to cost cuts, cuts, cut costs and, and you know, sort of be, be get ahead, get at a business advantage, but they're not really considering, well, you know, who, who puts the brakes on them and says, well whoa, you know. So is that, that part of the C role that you were discussing, this only is kind of just working between the technology guys and, and, and the, you know,
I think it genuinely is and I think it will, it will happen, right? So, and I'll across a second, if you think about what's happening, right from an external business perspective, organizations now are understanding and identifying that there is a climate crisis going on and taking discrete actions and steps across every part of their business, right? How can we be more aware of that climate crisis? I think we're about to face the same thing into a trust crisis, which relates to how we operate and how data is shared and what truth is and all those kind of things. And I, I think we'll see that flow down through organizations, right? That's not about operationally being secure. That is about how is my organization a trustworthy organization in terms of the data I use, the information I give, the customers I look after and all those components, in the same way that organizations want to be, you know, respectful of climate change and the climate crisis we're facing and take appropriate actions right across every part, right? So I think that will be a trigger to change us from being, you know, sort of a back, a backroom technology focused sort of control organization to one that actually can add value, and the organizations that can understand a trust crisis and a climate crisis and that people are at the heart of that I think are the ones that are gonna do really well, the ones that don't won't.
So, no. So I know over the years that this is also a question that you've looked at. I mean, what, what has been your experience?
Last week I was involved in a panel on looking at hybrid working and that trust aspect came up in terms of how, you know, one minute before the lockdown and the pandemic, we had loads and loads of controls in our offices a week later, everyone working from home, no controls. And, and, and that trust element was we were now in a position where there were no controls for in some enterprises and in the home environment, how can they trust their employees? How can they create that trust? And that trust goes two ways. So, so the first thing I would say to you is it's important that the environment, you know, our customers, our suppliers and our employees trust us, but we need to be trusting them as well. And that trust is quite important. So, so coming back to then to, to what they're looking for on the employee side, we looked at trust and we were saying that, and this is a big bag of mine.
That, and it, for me, it is a key thing about trust in the environment we're in at the moment, this economic climate and it's gonna get worse. We are trying to do more in less time. We are trying to find techniques and skills that would enable us to do more in less time. And one of those things is skimming emails very, very quickly. However, security people insist on sending phishing emails once they've identified a new way of being phished, they want to test it on the whole of the employee population and tell them in the nicest possible way, because we're nice people, that they're doing it wrong. Now, if they stop doing that, if they know what this phish is, why not just bloody well block it at the border and, and, and save everyone a whole load of time. Now this is what I mean about trust.
So that trust needs to be created and that trust where we're trying to work fast and yet security are practicing these phishing techniques to find out who's doing what and how they're doing it. Who can fall for this sort of technique? I think we're slowing people down, we're slowing the business down. We're spending money on tech and resources, on technologies that are slowing the business down. What we need to look at is how we can improve and make the business work faster and the employees will tell us, that's why we had Dropbox, that's why we had mobile phones coming in. That's why we had social networks coming into the enterprise. That's why we had wifi. All of these things were employees telling us we want this. It wasn't IT and security coming along and saying, what do you fancy doing about this? Would you like some more tools around that? It's the, you know, the staff telling, saying this is what we want and we need to trust them and say, Look, what can we help you get that will help you do more in less time? Let us go away and explore it. We'll come back with some options. You can look at those options. Doesn't work like that. It's the other way around. Sorry, I'll stop but get off my hobby horse.
It's, it is a great concept. Is there anything you wanted to add to that, Andre, or, I mean has that been your experience where, you know, if you work with the, the user population and, and sort of try and find a way of doing things securely rather than just telling 'em they're doing it wrong?
Yeah, nobody likes being told they're doing something wrong, right? That that's the kind of, that's the kind of powerful in the moment. Feedback we all love at home, isn't it? Right. You're doing that wrong. What does it make you wanna do? Do it again. But the thing I would, the only final thing I will come back to, and I will, I will keep sort of exposing this for me is the, the fundamental critical imbalance between large organizations who are funded, who understand the complexities of technology and have deep experience over many years of rolling out security programs and controls and the other 95% of the entire workforce who don't, who don't understand security, who don't understand risk, who are just trying to get by after two years of a global pandemic with almost no financial reserves, with no security expertise, and yet are now on the front line of being targeted every single day by, you know, very, very, very, very motivated and nuanced cyber criminals. For me that is the biggest asymmetry, imbalance we've gotta face into as an industry. It's not about how do we protect the best things the best and how do we continue to get better, which of course we've got to, right? But how do we help the largest single most at risk attack surface, which is pretty much the vast majority of employees in small and medium businesses. And I think that's something where our language needs to change, our behaviors need to change, and our processes and technologies and controls need to change.
Gentlemen, thank you very much indeed for those insights and for filling the time so profitably, I think, for all our audience, both here and online. Thank you very much indeed. Thank you.
