Welcome to the Telecom Exchange CEO Round Tables, both for our guests here at Telecom Exchange NYC and for our viewers joining us on RCR TV and JSA TV. Our second panel today is on network security, both in 2017 and beyond. And we're very honored to have my friend, Evan Kirstel, social media business strategist and advisor for UCstrategies.com, but really the number one social media influencer in our industry. So it's truly in, and I'm not just saying it, there's actually folks who survey these things and tell us as well. So it is our honor. He brings 20 plus years of sales, alliances and biz dev experience in the communications and infrastructure applications. And if you're like me, you're one of his over 126,000 Twitter followers of Evan's, if last count is right; he's probably grown that since I checked it a couple of days ago. He's a top Twitter and LinkedIn influencer in our space and if you're also like me, you're retweeting all of his amazing research and social content, particularly on network security, which makes him a perfect moderator for our esteemed panelists. So please go ahead and welcome social influencer, my friend, Mr. Evan Kirstel.
Wow, what an introduction. I've never been introduced that way before. That's awesome. Thank you. When I tell people what I do for a living as a social media influencer, I get very strange and quizzical looks. And so it requires some clarification maybe afterwards exactly what I do. But I was once called the George Takei of the telecom world. So I wasn't sure if that was an insult or a compliment, but I'll take it, whatever, a little odd maybe, but interesting nonetheless I hope.
So today's panel are really a really esteemed group of individuals and really timely because security and cybersecurity are top of mind as individuals, as consumers, as business people, and there isn't a day that goes by that there isn't a top of the fold headline around a data breach or a DDoS attack or some other cybersecurity incident. It's permeated every aspect of our life, including things like politics now. So this panel is really a high profile and an excellent group of individuals to talk about a few points of view in the industry. So we'll start on my left. It'd be great to introduce yourself, but I'd like to understand what keeps you up at night in terms of a professional in this space around cybersecurity and security topics. What are you worried about? What do you fear the most? And if we could start maybe with a brief introduction and go from there.
Sure. Hi. I'm Nazar Ahmad. Part of the network team at Facebook, essentially we worry about the production network that Facebook runs to support Facebook, WhatsApp, Instagram, Oculus, things like that. There's a number of services under that. And also focus on a little bit of the more in the R&D side of building technologies to have broadband widely available across the globe as well. So there's a lot of work we're doing on the access side for technology development. In terms of what keeps me up at night, it's kind of interesting that we're on the security panel. I'll give you a quick short story. A long time ago we did a red team exercise. We invited a bunch of people to try to hack in. And the key takeaway out of that for me was you're never secure, you're always only a little far or further away from being hacked. So it's something that is really unnerving that you'll never be done in terms of feeling secure. And you just need to make sure that we're continuing to invest in security, infrastructure, security technologies, especially detection and mitigation. You have to constantly invest in it.
You'll never feel secure. So that's a really unnerving feeling for somebody who runs an infrastructure for a site like Facebook which has a lot of data. You just never feel like you're done.
Great. That was really interesting. Leo?
Thank you. So I'm Leo Taddeo, the CISO for Cyxtera. Previous to my role at Cyxtera I was the special agent in charge of the FBI's New York Cyber Division. So I got to see the adversary from a couple of perspectives. So if you ask what keeps me up at night, it is building a security program that's focused on yesterday's vulnerabilities and yesterday's adversaries. It's very hard to anticipate what the next generation of attacks is going to look like and what our infrastructure will do when attacked. So we spend a lot of money fighting the last war and I wonder sometimes if it's totally wasted. And I'll give you an example. When you look at the Sony breach of 2014, Sony Pictures Entertainment was focused on protecting motion pictures that had not yet been distributed. And they thought those were their crown jewels and that's where the potential risk was. And what they failed to realize was that the real risk to the company was in the information in some sensitive emails. So you could, from Sony's point of view, make another movie and recover the losses if you lost the movie. But what you couldn't do very easily was recover relationships, for example with the artists that make the movies. So the attackers in that case understood better than the defenders what was really of value, and Sony, for all that's spent on security, because if you remember they were breached in 2011 and many times in between those breaches. So they had a very expensive and robust security apparatus but they were defending against the adversary and with a perspective that was out of date. So that's my fear, is that we don't truly understand what's coming.
Thanks. That was very helpful. George, as a telco you have a 24-7 service expectation.
So I know what keeps you up at night, but in particular relative to cyber security, cyber attacks on infrastructure, what are you most worried about?
First of all, just to introduce myself, I'm a CTO at YRIE and our company is a wholesale network operator. We focus on underserved markets, so we extend private secure networks into remote markets for our carrier customers. And what keeps me up at night with our own internal networks really is the people and the psychology of our people, our employees. We can put all kinds of technology, detection and prevention to try and block these intrusions from coming into our network, but at the end of the day people are people and they're going to get tricked into clicking on a link or, you know, posting something on a social media site that can be used to penetrate a network.
Yeah, social media is now the new battle zone for cyber security. Laurent, maybe an introduction and also what not only worries you but also your customers who are working with you in a collaborative way.
Thank you, very happy to be here. So my name is Laurent, I'm one of the founders of Zenedge, so we are a cyber security company, we provide protection against networks and applications. Here's a problem I have when you ask me this question: what keeps me up at night is never the same thing, and I think Leo said it very well and you did as well. As a vendor, as a provider of cyber security solutions, we have to play one step ahead, and it's really hard to play one step ahead when you are still trying to catch up on many subjects. So I'll just give you an example. We see a lot of attacks happening these days on APIs, and API security is probably one of the least well understood and well protected ways of communication between machine to machine, but it's also communication between your phone and your application and the back end server of the application you're trying to access to.
And we see a lot of very disturbing activities on the traffic on APIs or in general between bot versus human traffic, and we see a lot of different examples of this. I mean, we see bots that behave like humans. They're really hard to catch because they really look like a person behind the screen or behind the app, but in fact it's a machine you're fighting against. And then we also see humans that behave like bots, and that's a nightmare, because if you have a very solid bot protection you're able to identify, hey, this is not a real person because of this behavior, but it happened to be a real person, usually sitting in an emerging country, that, you know, from nine to five is going to a site and copying data and then trying to sell this data to someone else. So bot management, identifying bots with behaviors, is very hard to do, and it's even harder when there is no real expected person behind the screen, when you're talking of API security or machine to machine. And we have a lot of examples on this, but this is really what we see right now as something that is a bit scary. Application protection is well understood, there are a lot of providers that know how to prevent data breaches on applications. API security is much harder to do.
Thanks, that was helpful. I'd love to come back and talk about some specific examples, some terrifying ones from your team, around attacks that are directed towards things like e-commerce sites and airlines that are very specifically focused on disrupting revenue.
So we have one case, and it's a customer, it's an airline, and this is what happened to this customer. So they have about 1% of their revenue come from China, they are in Southeast Asia, but 60% of their cancellations come from China. This is really weird, right? So 60% of canceling a ticket is Chinese based and 1%, 1% of China is their revenue. Something is wrong. And so we looked at it and we looked at the behavior of these users and we find out, 24 hours a day, these are
people, we think, going to a site, booking a plane ticket, waiting 24 hours and canceling it. So what happened is what, the plane gets full as bots are booking the tickets, so the remaining seats are expensive, because that's how yield management works for airlines, and therefore during this time the low-cost airline, the competition, is selling tickets like crazy because they are cheaper, right? So security is not always about, hey, I'm gonna steal your information, I'm gonna steal your credit card numbers and your health care records. It's also about hurting your business by inappropriate use of a website. But we want people to buy tickets, right? So how do you make sure that, hey, no, this is not a real one? So we look at the behavior. We could catch them. They are all from Shenzhen, it's outside of Hong Kong, it's in mainland China, it's a few IP addresses. We know who they are, they know that we know who they are because they can't buy tickets anymore, and it's a game. Obviously this is a group that was hired by, we think, some competition. You know, they don't make money themselves, they make money by the consulting that they provide or the service they provide to buy tickets. And we could catch them because of their unusual way of behavior. These are the same person or same entity that is being repeated, repeated tasks all day long, changing IPs, changing everything all the time, but still repetitive, and that's how we could catch them. And sorry guys, you can't buy tickets anymore.
Yeah, it's funny you describe it as a game. A game, it's not so funny. So speaking of which, there's a man, Facebook, obviously the biggest social network in the world, you must be an extraordinary target of attacks. How has the evolution of these attacks taken place in the sophistication and the nature of the attacks? What have you seen from your perspective?
Well, one interesting fact, we're under attack right now. So we're attacked about 100% of the time, something is going on. It's
essentially you see the attacks on several different fronts and it's not one specific thing. I think the attacks on the network infrastructure itself actually have diminished, and I think it's not big returns for people, but it really depends on which actors you're dealing with, and we essentially see all of them. There's some that are just trying to prove something to get in, the others are trying to take over some machines or trying to get to data, or some are really trying to cause other infrastructure or denial of service type environment. So we see essentially the whole gamut of things, and as I said, the infrastructure ones are the sort of relatively easy ones because those scenarios are relatively well understood and there are good defenses against that. It's the things that Laurent was talking about, looking at the broader set of information that we have as an infrastructure, everything from APIs down to the network device that's carrying those bits, and having the ability to have detection across. And I think it's going to lead into more of a how we think about those things, because one of the fundamental things that we have been trying to change is, instead of the security being implemented by a platform or a device, we're really looking at security as a collection of a lot of data and a lot of analytics that we can do on top, and we're essentially looking for patterns. So when I say a lot of data, it's essentially picking data from any platform and any service and anything that we build, from APIs to hardware that we deploy on the network side or the servers, things like that. So getting the entire stack of network and systems involved and have that data set available, and then be able to do a lot of compute on it to detect patterns. So this is the advantage that we do have, is, you know, we have a lot of software engineers as well, so we can actually have machine learning type people work on building an analysis of what we're actually seeing and pick out
the little patterns. And the hardest ones are the one or two trickle that come in. Somebody that does a brute force attack, that's sort of usually easy, but the one or two or three things that happen quietly, those are the ones that we need to kind of pick out, and it could be at any level. And that sort of leads into how security is implemented and how we think about security.
Interesting. So Leo, you know, we heard the scale and the velocity of attacks are increasing. What about sophistication? Back from when you were in the FBI through the present day, what have you noticed about the sophistication of the attacks and even the attackers perhaps?
Yeah, there's no doubt that sophistication at every level is increasing. So down from the hobby hacker all the way to the nation state, it's certainly an increase in sophistication. And what we've seen even just recently with WannaCry and others is the adoption of what were nation state tools to criminal purposes, or perhaps nation state purposes, which is possible in that case. So there is a proliferation of tools and talent that is exploding. We have organizations today that are investing in research and development for their hacking talent. They are farming within criminal communities to find talent. So I'll give you an example. Recently in the Yahoo breach there was an indictment that accused two Russian intelligence officers of aiding criminal hackers in two areas. According to the indictment, one is in enriching themselves in a criminal sense, with a scheme to enrich themselves. The other was using the hackers to advance legitimate, well, authorized, regime sanctioned hacking activity. And so when you can meld the capabilities of a nation state with the criminal groups, you naturally will have an advance in the capabilities of the criminal groups, and it's a vicious cycle that is to the detriment of defenders. So I think the bottom line for us is we are no longer facing a spectrum of attackers,
we're pretty much focused on the high end of sophistication and capability at all times, and that's because criminal groups have adopted nation state tools and techniques and nation states have masked their own activity behind criminal group identities, and that's been borne out in a number of cases. So what does it mean for defenders? It means for defenders that we used to take a risk-based approach, where we looked at our adversaries, tried to determine the motives, tried to determine what they were after, and spent our money wisely, meaning you spent more money on the things that were important and against the most sophisticated adversaries. But today most adversaries are sophisticated and most resources are very valuable. There's very little information that's not valuable. So it's very hard to take a risk-based approach to cyber defense. Everything's important and everybody's after it and they all have the best tools, so it's just bad news all around. It's almost throw your hands up and say what do we do next. But I think there are some ways for us to catch up, and one of the most important I think is in how we design and implement our infrastructure. Having secure infrastructure is really the key, and having consolidation of tools and not having to manage tools or manage vendors and reducing the complexity of those tools is really the future of security, and we have to start moving in that direction, and that's where I think our investments need to be.
That's exciting, and it's funny that technology may be our savior in the form of machine learning and artificial intelligence in the end, but we have a long way to go. George, what about you? From the telco perspective, we would, I used to worry about security, it was mainly DDoS attacks, and now we're seeing the intensity of those up by an order of magnitude. But, you know, what else is on your mind in terms of threats to your infrastructure?
Well, what we're seeing from our customers really is almost a movement
back to private networks. You know, we're all talking about the internet and opening up the internet, but if you have mission critical operations and sensitive data like government and financial, you know, unless you're really comfortable that that data is going to be protected, you know, we're seeing a pushback for private. And private, you know, can come in different flavors. When we talk about private we're talking about traffic that does not pass over the internet at all. We have some customers actually that put it in their contracts that their traffic shall not pass through the internet, not even our management traffic. As a network operator we can't connect to our remote locations through the internet, so, you know, that's a challenge definitely. Then when we're talking about access to the network, access to the physical sites, there's a whole another layer that you need to put on when you're dealing with security. It's not just access to the data, it's, you know, who's actually going to be touching that data, who's going to be touching that box, who's going to go into that government office to put in a router. And so there's a whole layer of security in terms of clearances, what kind of back checks do you need to do on the employees, and how do you maintain, you know, that it's current, that you're not sending somebody in there that has a criminal background. Or, you know, they even do credit checks for some that are dealing with financial institutions, because, you know, if you're in financial difficulty you may be more tempted to skim a little bit into your pocket. So that's what we're seeing in terms of private networks, and, you know, you can't go private everywhere, but, you know, some of these mission critical operations that need to make sure that there's not going to be a security breach are willing to pay a little bit extra to get that level of security.
Yeah, sort of back to the future. All right, you must see
a lot in terms of all the customers you work with. You know, what's your view of this, your customers, in terms of how they're being threatened and attacked, and this new level of sophistication?
So we see this private network quite often in fact, especially financial institutions, stock exchanges is a good example. Universities as well have private networks that connect universities to each other. The problem here, in the education side at least, is, well, the attacks come from within. So it's a private network that actually contains the attack into the private network, but they are actually attacking other participants that belong to the same private network. So we've seen this one a few times. One of the, I think, the defenses that we see works quite well, or at least the area of research we're spending a lot of time on, is machine to machine protection using artificial intelligence and pattern analysis, as you mentioned. Very often when the attack is very sophisticated you actually don't fight someone, you fight another artificial intelligence that is changing its pattern and its behavior on the fly, and the only way you can protect this is to have the same tools. And so we spend a lot of time in pattern behavior, you know, behavioral analysis using pattern recognition, machine learning techniques that are changing themselves based on the change of the attack surface or the attack behavior or the attack strategy on the other side. And in fact, you may not know this, but most of the things that happen today are not, it's not someone, it's, the most sophisticated ones at least, we are already in the machine to machine defense. And the analyst, the human analysis, is very important to make these are going to evolve, but in many ways they evolve by themselves. We don't even know, we don't even understand how they do it, how the our are going to change in front of the other side's change. This is why we call this artificial intelligence obviously. But these are the area
of research that we spend a lot of time on, is making the defense move at the same time as we see the attack move, in every respect, to the point where we let the machine do its own thing and trust in a way, which is weird to say, but trust in a way the artificial intelligence is able to change as fast as the other guy.
That's helpful. So to jump, how do we build a platform that allows a sort of layered defense? There's no cookie cutter for every customer, every network, but do you have a notion of a model or technology spectrum that will work?
There are a number of things you have to do to build a defense model that is sustainable and learning over time. One of the things that we found was that no single platform or solution that you could buy from the industry would scale or be able to span the horizon that we cover or we wanted to cover, so we ended up building a lot of our systems internally. And the key principle there is that we're building security capabilities across the board, in pretty much the entire layer of the infrastructure stack and all the way up to the application itself. But not just that, the other thing that we really focus on is that security is part of the entire fabric of Facebook, rather than security being a layer that a team implements in certain ways. So, very simple human example: the first day you come into Facebook and you join as an employee, this will be really rolled into you, and even simple things like, hey, if you don't have any need to touch user data, do not go near the user data. If you touch user data and you didn't need to, you'll be walked out before your feet even touch the ground. This is a first day of orientation with a new employee coming in and getting that message. It's pretty shocking for people, saying, oh my, I just joined the company, instead of saying welcome they say do not go near the data, otherwise you'll be walked out in a minute. But that just sort of gets the message across in terms of how we think about security. It shouldn't be
that security came in, said, hey, this is our policy, implement that. Everybody's involved. So every software system we're building, we're building capabilities in that, that we're having detection capabilities to be able to collect data and essentially be able to analyze it. We'll do simple things like, we're talking about what that employee might click on, so we run these campaigns called Hacktobers, and there's a team that just comes up with very creative phishing lures to get you to click on stuff, and employees sort of compete on who can identify the most Hacktobers. When you get an email from Mark saying, hey, I am, or Mark's admin saying, hey, we're doing this new series about running lunch with Mark, so you're invited, click here to sign up, would you click? Now this is your CEO saying, hey, I'm running a new group call to have lunch with employees. Most people would be like, yeah, click, let's do this. Oops. So there are things that you have to do that are just not obvious. It may not be technology, but it's making security as part of your normal everyday routine. So every system you're building starts out with the security architecture that makes sense, rather than you built a system and then you're going and saying, okay, how do I secure this thing? That invariably ends up in the wrong space. So I can sort of go on to the list of things that we ended up doing. The trouble that we do have with this model is that we find it hard to find solutions from the industry that we can buy. They tend to be very narrow, very specific, and doesn't scale. The other thing that for us, in terms of response of a security incident, is that we want to be able to detect and mitigate very quickly, and when I say very quickly we're talking within seconds, and anything you want to do in seconds you can't have a human involved. So you have to figure out how you detect in software and be able to mitigate it, and at times mitigation requires you're taking devices offline, quarantine
them, so you have to build platforms or ability to actually detect in software and mitigate and take a platform completely offline without a human getting involved, right? And so for that you end up essentially building your own systems that know the infrastructure really, really well.
Yeah, it's an interesting time, and Leo, the days of going to your favorite vendor, Cisco or HP, as one-stop shop and just buying a security solution are over. What are your thoughts on that, the architecture that's needed and building a layered defense, you know, building a platform versus, you know, buying boxes that quote-unquote secure the network?
Yeah, I think that's a great point. It's getting very expensive to buy all these tools and manage them and maintain the headcount necessary to keep them running. So I think it's useful to look at what the adversary requires to do their job, and two of the things that you see common in every attack, and I haven't found one that doesn't have these two components, is the abuse of user credentials and what we call lateral movement, that is, moving from a lesser protected segment of the network to a sensitive part of the network. And when you think about those two components of an attack, denying those is transferring complexity and difficulty and expense to the adversary and better protecting yourself. So we are very focused on software-defined perimeter as a way to prevent those two steps. In the first part, software-defined perimeter as a specification, as an architecture, requires very robust authentication of the user, meaning not just username and password, not just even multi-factor, but context. And I think you're going to see more context being used to determine who is on the other end of the communication. It's not just packets that tell us whether that person under has the username and the password, but where that person is, what type of device that person is using, the time of day, and all the things that should make a user more
credible when presenting themselves to be privileged to a part of your network. So first part of software-defined perimeter, I think, in authenticating the user is very, very important. The second part is the ability to create micro segments, and that is a trend that we really have to focus on. It's sort of going back to the basics: you only give someone access to a part of the network that they need access to. And what we have in the present architecture is, on a VLAN, once I have access to one resource on the VLAN, I theoretically and in most cases can send packets to everything else on that segment, and as a result I can explore other resources for vulnerabilities and eventually find one and escalate. So the ability to micro segment, the ability to authenticate users robustly, and to do that with policy-driven automated engines rather than with traditional human managed firewall rules, I think is really the way forward. We've focused on software defined perimeter, we think that's a way to go as an architecture. We are deploying software defined perimeter in our own environment, which has reduced some cost and complexity on our side, and we think that in terms of investment going forward, by reducing headcount, we're not only getting security benefit on the front end by making our network invisible, but we're also reducing the number of people it takes to manage this network. So there are some platforms out there, but I think, like you said, it's a basic change in how we architect, instead of trying to use firewalls, VPNs, NACs and other hard to manage legacy technologies. If you think about it, the stateful firewall was introduced in 1994. Forward almost 20 years, we're still trying to contort this tool to do what we needed to do in cloud and hybrid environment. So we need some native cloud tools and changes in architecture, and I think software defined perimeter, for us anyway, in terms of deploying it internally, is a platform that we find very promising.
Thanks, that was helpful. George,
what technologies are you applying to the security challenge in your network or at the application level?
Yeah, the network that we deliver to our customers is managed ethernet, it's generally a layer two, so it's private to a point. The thing is that generally we're going through multiple network providers, so that's the challenge there, is you really need to know how your data is getting from point A to point B, because the weakest link is going to be, you know, one device may be in a little remote community telco that is, you know, part of your path. So you really need to, you know, ask those questions. You know, we talked a lot about trust, trust your partners. I think you need to earn that trust. So until you truly understand, you know, the technology behind the services that we're buying as part of our solution and the practices are secure, you know, you really have to ask those tough questions. And a lot of it does come down to practices and processes as well, it's not just the technology. I mean, technology is changing so quickly, the devices that are out there in the network, you know, there's constant updates and patches, and it's very easy to deploy a solution and forget about it for a while until there's a problem. Then you go back and say, oh yeah, well, that software's, you know, two years old. So it's really important that you have really tight processes on managing your infrastructure and keeping them up to date.
Great, thank you. Laurent, I look at the cybersecurity market maps, I think you've seen the same, and there are thousands of vendors, and you're looking at that chart, you're wondering how do all these pieces fit together. What's your perspective on the landscape, or the vendor landscape, and where you fit, but how, you know, how does someone rationalize all these different applications and solutions and talk about gateways and VPNs and firewalls to put together a complete picture?
Well, they don't, that's the problem. And so, one thing, I know I'm on the
other side, but do not trust your supplier, right? Do not trust your vendor, because he's gonna say, oh, we take care of everything, don't worry about it, and then you find out, about the perimeter, is actually not what I thought it would be, and it's a nightmare when it happens, and we see this sometimes. Do not trust your vendor. Understand what they do and the perimeter of what they do. Another thing, and my colleagues say that very well, software defined or networks or even in username and password: use what I call orthogonal defense. Orthogonal means that they are independent from one to the other. So it's very good example with a username and password. Well, the context of what this user is doing has nothing to do with the knowledge of the password of that person, and so if you have a context analysis or behavior analysis that is independent from the knowledge of, this guy has a right password, therefore he should be able to do anything he wants, then these orthogonalities or these independence between layers is what I think works, because it's very hard to crack. You crack one layer, you will not crack the other one, because the other one has nothing to do with the previous. So orthogonalities of defense: behavior based analytic has nothing to do with an attack payload. You may have an attack payload, then you will detect it there, it's kind of the antivirus but for applications and networks, more sophisticated I guess, but the behavior to get there is also what matters, and you'll catch him, or you catch the guy, whether there is an attack payload or whether there is a behavior, or by this combination of these two things that is really weird, this behavior I have never seen from this user, even though I know who this user is very well. One example we have is a very large bank in North America, and they have usernames in public, they have customers looking at the accounts, and they have these two factor authentications. They know this user has been a customer for 10
years, therefore he should access his account, no problem. But then you find out, oh, well, his desktop was compromised, and it's not him moving the mouse, it's actually someone else. And how do you identify this? Well, a very orthogonal way of doing it is: is his port open? You know, are there other ports than port 80 and 443 open on his machine? And if that's the case, then there is a higher degree of probability that he may be compromised, therefore I will increase my risk awareness for these users, even though I know him for 10 years. It's because of this orthogonal, independent layer that you add on top of each other. Now, nobody has a clear way, and I'll stop here, nobody has a clear way also, yeah, but am I protecting all my parameters, and is there anything else open? Why, we don't know. That's why you cannot trust your vendor. You have to do this exercise yourself. But adding independent layers on top of each other is usually a good practice. That's very helpful. So we only have a few minutes left, but I would like to talk about, I think, what one of the biggest problems is in the industry, which is complacency. It's amazing to think that despite being in the newspaper headlines, in the news headlines every day, breaches and attacks, there seems to be this almost acceptance of it as the new norm, particularly within the executive suite or the boardroom. You don't really see many CEOs being fired for a data breach, despite, you know, massive implications. You know, what's your thought about engaging leadership, management, the board, the CEO in these discussions, and how to really get them more aware and involved to the side of the business, typically something they know, you know, fairly little about? I'll take an easy shot. Mark Zuckerberg not included. Yeah, like, that is very much into security. But to me, the easy way, especially for people who run security, is go hire a red team and have them attack your infrastructure, try to hack in, and when they do, show the data to your
CEO, and if it doesn't freak them out, then you've got a problem. But most of the time, that's all it takes to get people to really get the message: look, I've got all your user data here on a server outside your infrastructure. And that's all it takes. So you really need that wake-up call. Leo, what does it take, as an advisor working for CEOs, to really get them informed, educated, sort of on the right track as far as, you know, cybersecurity goes? Yes, so it's hard to get CEOs and boards focused, because security is not a core part of their business. It doesn't generate revenue in most cases; it is a cost factor. If not implemented properly, it can impact operations negatively. So it's not something people want to do a lot of, naturally. What I think is changing is that boards and CEOs are responding to the consumer. Whether they are business to business or business to consumer, more customers are becoming security aware and demanding security. So if you look at something like Department of Financial Services cyber regulations that are issued, it's all about who you're doing business with should have certain security measures in place. And until the market in effect demands this type of quality in the service, meaning a security component, there's always going to be an eye towards making cuts and minimizing security. So I think what's changing, and it's a positive thing, is that both individual consumers and businesses are demanding of their vendors more security in the products, and security is becoming more of a differentiator for some vendors, for most vendors. And as a result, CEOs and boards will naturally, from a business case, focus on security. So as a security professional, you can talk till you're blue in the face and demand security, and eventually wear out your welcome and be walked out the door. There's nothing more powerful than having the customer demand security. And I think that's the mindset that's changing, and that's what's going to change the attitude
in the boardroom and in the C-suites. George, obviously comes down company to company, but what does your company think in terms of the importance of security in your... Yeah, I mean, definitely. I know our CEO is really big on security. It's a differentiator for our solution, and so we practice that internally as well. And I think the key really is to understand at the senior levels that security is not just an IT issue, it's an organizational issue that the whole organization has to rally behind. They have to understand the impact of a breach to the whole organization: not just lost data, but lost revenue, lost customers, you know, brand damage. You know, for every dollar that you put into being proactive, you spend $14 in, you know, being reactive and trying to fix the problem. So that's the challenge. But at the end of the day, you know, it always comes down to, you've got your IT budget, and it's always a certain percentage of your revenue, and it's a challenge. It's a challenge. But like you said, until there's a wake-up call, you know, things don't change. But I know within our organization, we take it very seriously. Good, it's good to hear. We get the support, yeah. Laurent, what about you? I mean, you're obviously selling to the CSO, to the CIO, but do you have conversations with executive leaders as... We do have this kind of conversation. Usually the chief security officer is a good contact for us. Some companies don't have one. Yeah, this is weird. Okay, so there's two kinds of customers. There's the one I call the security by design, so that's a Facebook of the world, and my colleagues as well, where they understand anything they do has to be secured, and it's built in when they are doing it, right? And then there are all the others. And for all the others, our best friend is the Wall Street Journal, really, is the news. Well, you know, guess what happened to Target. Yeah, it could happen to you guys. What do you think about it? And then, and the last point I have
is, security does not have to be expensive. It's really funny how people think about this. It doesn't have to cost money that much. It's a few percent on your IT budget. It doesn't need to be more than this. We are building, we see trends of building product, not just us, where security products are actually simple to use. It used to be that security, you know, we just sell complexity: oh, because it's a complex problem, it's an important problem, therefore it's so complex you have to do all of these things that are very, very expensive. It's not the case anymore. Security, you know, we sell, we simplify the function. We sell to companies who do not have a security practice. They have a CISO, they have the culture, but they don't have the 200-people team that Bank of America has. Security doesn't have to be expensive. And again, the Wall Street Journal is a best friend. Well, thanks, thanks so much, panel. Really great panel. It's really rare to get so much experience right here on one stage. So thanks again.