Welcome to the GATT, the podcast for enterprise leaders delivering timely insights for today's global economy and tomorrow's competitive advantage. I'm Chris Caine, president of the Center for Global Enterprise. And this week, we will be re-releasing key episodes from 2023 that we believe are very topical and on the minds of you, our listeners, given the challenges confronting business leaders around the world.

Welcome to the GATT, the podcast for enterprise leaders delivering timely insights for today's global economy and tomorrow's competitive advantage. I'm your host, Chris Caine, president of the Center for Global Enterprise. And today, we will be discussing the pluses and minuses of President Biden's recently released National Cybersecurity Strategy with Sam Palmisano, chairman of the Center for Global Enterprise and former vice chair of President Obama's Commission on Enhancing National Cybersecurity, and Karen Evans, managing director of the Cyber Readiness Institute and former CIO of the U.S. Department of Homeland Security, as well as a number of other cybersecurity leadership roles in the U.S. government. Sam and Karen, thank you for being with us today.

In March, President Biden released his administration's new national cybersecurity strategy. This followed a number of executive orders and other actions that he has taken and that other governments have taken around the world. It is the latest in a series of movements in the regulatory and legal responsibilities for companies to take proactive steps to defend against cybersecurity incidents. While the Biden plan may be the most ambitious we've seen thus far, other governments are also advancing new regulatory requirements. For example, the EU has proposed new regulations that would require any device connected to the internet to have security features built in.
So, after years of relying mostly on voluntary efforts to encourage companies to shore up their cyber defenses, these government and regulatory developments seem to be examples of how regulators are deploying new tools and incentives to mitigate cybersecurity risks. Should the Biden plan become policy, companies can expect to face new regulations, and perhaps lawsuits, if they fail to make secure products or do not enact basic cybersecurity measures. It seems that business leaders must prepare themselves now to operate in a global economic environment with increased cybersecurity requirements and liability.

So, Karen, perhaps we can start with you. What are the pluses and minuses of the President's plan if the goal is to get companies to implement new cybersecurity capabilities and to increase their state of cyber readiness?

Well, I think what the Biden plan outlines is a real change in the paradigm. There's a lot of things, as you said in your opening comments, Chris, that we've been trying for, gosh, over 20 years. And so it's like what's old is new again, but it is trying to shift some of the responsibility away from the specific consumer onto product developers, onto software developers, so that they're more responsible in the ecosystem as they go forward.

Sam, your thoughts on pluses and minuses from the President's new strategy?

Yeah, I would agree with Karen, Chris. I mean, back to the Obama commission, one of the things we talked about heavily was designing security in from day one versus making it an afterthought. And of course, the debate is that it slows down innovation and therefore costs more if you do it this way. And we argued, though, not necessarily, not if you design it in from day one.
So to her point, put more onus or emphasis on the products themselves in the future, and then therefore have the stick, I guess, in a way, because if you don't comply with the regulations that the government potentially could impose (as you know, they haven't; this is just the strategy paper at this point in time), then there would be financial risk associated with lack of compliance.

So the plan has five pillars to it. And the third pillar really is what I think I'd like to focus on today, because it probably is of most interest to the business leaders in our audience. And it's about shaping market forces to drive security and resilience. And Sam, to your point, one of the fundamental elements of Pillar 3 is shifting liability for software products and services to promote secure development practices. It's an interesting model, i.e. a stick model, though perhaps you could argue it's probably both a carrot and a stick to get market forces to act in a different way. Karen, I wanted to ask you something about the CRI and its mission and how it relates to Pillar 3. Part of the plan that the President has proposed embodies the following statement: "Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments and infrastructure operators have limited resources and competing priorities. Yet these actors' choices can have significant impact on our national cybersecurity." And this is the quote that I find most intriguing and especially relevant to the Cyber Readiness Institute's mission and approach: "Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens." Do you agree with that statement?
Well, I do agree with the statement, and I'm glad you asked me about that, because when the strategy came out, I actually wrote a blog post about it, because I would be excited if we did shift the paradigm so that, as Sam said, we shift some of the responsibilities away to the software developers. So I would be happy if CRI's Core 4 became the Core 3. One of our Core 4 issues is automatic updates, because this is part of what a small business has to do. They don't necessarily understand all the updates that come out from software vendors, but we do tell them, hey, you need to apply them. In this particular case, if it's really done from the beginning, the thought would be that these automatic updates would actually cut back, that you wouldn't need to do it every week. There are certain vendors that we all know release patches every week because of what they're doing. They don't have the resources to be able to test the impact of what these patches are going to be. So we err on the side of saying, hey, you should do the automatic updates. I would be happy if I had to come up with a new fourth area, or we cut down to three areas and have them focused on those three areas that they can do, which are related to human behavior, because there's enough happening around email, and trying to use phishing emails to exploit and do a whole bunch of social engineering, that if we could just be focused on that, that would help unto itself if the rest of industry does their part.

So Sam, when you were Vice Chair of President Obama's Cybersecurity Commission, there was a large focus on the federal government and what the federal government could do to protect itself and build resilience. But you also had a focus on business, and especially small and medium businesses.
In this context, from what you've learned through the Obama Commission and what you see in the President's new national cybersecurity plan, what are some of the lessons learned coming out of the Obama experience that could help make the Biden administration's initiative here achieve greater results? Or what are some of the areas that concern you about gaps in execution?

Well, Chris, a couple of different things. First of all, I think we need to simplify what we can expect. Let's start with the small business, where Karen was, and she mentioned a lot of the expectations from those organizations, because they are most vulnerable and they have no resources to really implement complex solutions. So in many, many ways, we need to take the lens, I'd say, of the smallest, most vulnerable in the technology areas of these companies and then work to the bigger companies. The bigger companies have the resources and the expertise and money, and they'll do the best that they can do, in my opinion. However, it's the other area that we need to focus on. That's why we created CRI, and Karen is running that for us. But that was the whole point of that. The other thing is I really do believe that you need a combination of marketplace incentives as well as government oversight and regulation. Both are required, by the way. So I'm not demeaning this approach, which is more leaning towards the government approach, through inspection or procurement and those sorts of things, versus the other. But we always believed in the Obama commission that if you had a way that there was a positive gain to invest in cyber, i.e. insurance as a mechanism so you could get insured, and therefore cover some of your risk and your liability, that would help drive adoption faster than strictly a government regulatory mechanism to get the necessary investment made to prevent these going into the future.
So one of the things that's in Pillar 3 of the President's plan touches exactly on the cyber insurance area, Sam. And I'd like to ask both you and Karen about your thoughts about, one, the concept that the administration is proposing here, which is to create a "federal cyber insurance backstop," in their words. And it goes on to articulate the fact that the administration will assess the need for, and possible structures of, a federal insurance response to catastrophic cyber events that would support the existing cyber insurance market. In developing this assessment, the administration will seek input and counsel with Congress, state regulators and industry stakeholders. Karen, maybe we could start with you, from the work of the CRI. What is your assessment of where the cyber insurance marketplace is today, and will an initiative like this from the federal government accelerate the development and the robustness of the cyber insurance marketplace, or will it return?

Well, the cyber insurance market, cyber insurance itself, is really evolving. And I think, if you really take a look at this, some of the bigger insurance companies, you know, are starting to back away from some of this. This is why the administration has this in there, because if you can attribute or do attribution for an attack to a nation state, then the insurance companies are saying, hey, we shouldn't have to pay for that, that the federal government should actually help defend, as Sam was saying, the most vulnerable. And a lot of times the most vulnerable, they're in a supply chain, or they're somewhere in the distribution or the ecosystem for larger companies, which then becomes the opening into those larger companies. So everybody is really interconnected. I think as this moves forward, and I know Congress is looking at it, and there's a couple of ways to look at this problem, they're looking at legislation in order to be able to incentivize it, to be able to put some tools in place.
I personally think it should be part (this is Karen Evans, and this is part of the work that we're doing in CRI) of the business insurance. I'm a small business myself. And so it should be part of business insurance, and maybe this whole evolution of cyber insurance, because companies see that gap and they're going into it, is actually going to cause even more confusion for small and mid-sized businesses, thinking that, okay, my business insurance, I use technology in my business, and my business insurance should cover this, how much should it cover? And I think that's part of what Sam is talking about too, because no business doesn't use technology today. It's the way that you use the technology and how you go forward. And this is why CRI, again, you know, I really love the mission space, is to be able to help small and mid-sized businesses really understand what some of these business issues are. But as we've been talking all along here, it becomes a choice of where they are going to apply their resources. And to get an additional insurance policy, when you don't really understand the landscape overall, you're going to opt to the side of accepting the risk, because you don't understand it, and you're going to think it's covered by your business insurance.

Sam, thoughts about the insurance marketplace? It seems like it has been slow to develop in the cyber space. But on the other hand, Karen's point about, well, maybe it shouldn't be a category in and of itself. Maybe it ought to be a subcategory of business insurance generally.

I actually think it's a pretty good suggestion that Karen brought up, because the problem is, if you have a unique policy, then you have to come up with the guidelines or risk factors associated with the unique policy. And then, therefore, I'd say the mechanisms to audit whether the company has put those mechanisms in place.
If you make it part of your standard risk practices, from a company perspective, you should view this as just another element of risk that you'd have in your business. And therefore, that should be covered as well. Now, there's a lot of hesitancy, and I do understand that, as far as the insurance companies are concerned, because they don't have the mechanisms to actually assess risk and damages. In property insurance, Chris, it's easy to assess damage. Your house got knocked down by a storm or a hurricane or what have you. If your brand is damaged because you've lost some data, how do you assess that damage? And although we would all say subjectively, yes, of course your brand is damaged because you can't be trusted, how do you financially quantify that? And that's part of the challenge, I think, to defend the insurance industry, that they have: how do they actually put together a policy that has assessed risk and can therefore cover the associated damages in that event?

So do either of you see movement on the ability for the insurance industry to figure out the model that makes assessing the risk more immediate and more practical? Karen, have you seen any movement?

I think that there is movement with some of the companies that are actually moving forward trying to do the assessment of risk, right? And so there are certain companies like RiskRecon, like BitSight, and there's like three or four others, that if you use that in conjunction with some other services, you can get a more holistic approach of how people see them, right? And there are a lot of companies that are also emerging as it relates to supply chain, because as Sam said, it's one of many risks that you have to look at with your trading partner.
The other point that I wanted to bring up, which is in that national strategy of what you read, Chris, is that people are hesitant to establish some kind of backstop in this particular area, because it's like, oh, are we going to end up incentivizing the wrong behavior? And are we going to say, oh, okay, if cyber insurance develops as a separate instrument unto itself, okay, well, I'm not going to buy, because if there's a catastrophic issue and it's related to a nation state, and I haven't really done my part, but I'm part of that overall landscape, well, then I can tap into this pool. And so I don't have to invest my own resources. And so this is part of that balance that I think Sam was talking about: how do you really go forward and construct it in a way? And we've done it. There are other models that we can look at more in depth. For example, and I think they talk about this a little bit, but I know we've all talked about it in the past when we're looking at this, is flood insurance. A regular insurance company isn't going to insure you if you live in a flood plain, but we want to develop flood plains, so the government becomes a backstop if you're living in a flood plain. And so that one's pretty easy. But as Sam points out, it's really hard in an automated technology area to assess the risk, and what is the damage?

Sam, any movement that you're sensing? And I guess the question I'd add on for you is, is there a role for technology here? Are you seeing technologies come forward that will help the insurance industry automate the risk assessment?

Yeah, a couple of different things. Well, one of the things that we recommended in the Obama commission has actually been implemented, which you might argue is much to our surprise, given there are two different administrations after President Obama. But fundamentally, a lot has been done and a lot of progress has been made. Insurance has been the slowest, in my opinion.
And we've worked, we've met with a bunch of different companies myself, and folks from Homeland Security and CISA met with a bunch of the leaders of those companies and the like. And yes, it is a difficult problem. But I also think at the end of the day, there's an economic consideration going on, although no one ever admits that. And they just can't see the economic value of having this type of unique plan. And maybe if it's embedded in their normal business insurance practices, there would be economic value as far as their charging mechanisms; that's my point when I say economic value. Now, I mean, I'm cynical, so I'm assuming there must be something, because you'd imagine some of the big insurance companies perhaps would have done something significant by now, and they really haven't, in my observation. So the other thing I thought that I'd add, which is create a competitor, which always works, somebody they have to chase, and maybe, like in the early days of credit, it's established in the Commerce Department or Treasury or someplace like that. And it's a temporary mechanism, where all of a sudden there's an alternative to them. And then perhaps they will respond, because competition is the marketplace. I find that a lot of these large institutions don't move quickly when it's just government pushing them to do so.

We've broken this episode into two parts. In part two, the discussion is around data stewardship and responsibility, software security and liability, and cybersecurity market forces versus regulation, with Sam Palmisano, Chairman of the Center for Global Enterprise and former Vice Chair of President Obama's Commission on Enhancing National Cybersecurity, and Karen Evans, Managing Director of the Cyber Readiness Institute and former CIO of the U.S. Department of Homeland Security, as well as a number of other cybersecurity leadership roles in the U.S. government.
There are two other elements of Pillar 3 that I think are worthy to talk about before we move on to some more general questions. One would be, Sam in particular, there's a section in here about holding the stewards of our data accountable. It talks about how, when organizations that have data on individuals fail to act as responsible stewards for this data, they externalize the cost onto everyday Americans. I know that you have been leading an organization of leading companies, and it's called the Data & Trust Alliance. We've actually had episodes on this before, but it seems to me that the President's cybersecurity plan has validated the mission and the motivation for starting the D&TA. Could you talk a little bit about what you see the companies in the D&TA and the marketplace doing along these lines of being more accountable stewards?

Chris, it's an excellent point. Since we started the initiative, they've addressed multiple areas around data issues, especially from the point of view of bias within the data, and there are 25 extremely large companies. If you add them up, there's over 7 million employees, so they're very large companies. The CEOs participate, to build a little bit on your point. But having said all that, they came up with a whole set of processes that affect HR and procurement and how they operate, dealing with the transparency of the data there, for the bias in the data, so that you don't have bias reflected, whether it's in hiring, promotion, pay, all the associated practices around human resources. They've also done more work around mergers and acquisitions to have a data practice, so you analyze data as an asset component to that, to ensure that you are avoiding a lot of the risk that could occur if you buy companies that have not had, I'll call it, appropriate protections of that data. The last one that they're working on today, quite honestly, is the provenance of the data itself. Where is the source of the data?
The importance of that, Chris, is because the issue with the sourcing is the transparency, so that regardless of how you apply it and how it's used, you talk about where it came from and how it's being used, and therefore how your business benefits as a result of that. I mean, it gets down to one word, which is trust, and more and more, if you look at these generative AI solutions and technologies that are out there, it's going to get down to trust at the end of the day. I think business has a role to lead in that environment versus rely on government regulation to figure out how to actually do this.

Karen, as the former CIO of the Department of Homeland Security, do you have any thoughts on the accountability of data stewardship?

I have a lot of thoughts in this area, and I appreciate everything that Sam was saying, but I can tell you, in my former role, I had the opportunity to actually handle our incident response as it relates to SolarWinds. And one of the big questions from our oversight committees was, how come DHS couldn't detect it prior to private industry seeing it, right? And the challenge is that our data stores aren't as vast as private industry data stores are. We just don't have them. And if you follow a lot of this process, what ends up happening is all the companies, and I believe in market forces myself, are saying, sure, we'll give you access to that data for a price. And everybody's arguing back, saying it's my data in the first place, so I should be able to have access to my data. And so that's part of the data stewardship here. If you're going to hold a federal agency accountable to really manage the risk and manage those services and keep them running, regardless of what is happening, then I have to have visibility into my own data.
I'm not saying give me access into everybody else's data, but I am saying you have to give me visibility into the services that you're providing for me, because I can't do it all myself, right? So this is a partnership with industry, but I have to be able to analyze my own data. And the other part that they're talking about with this, which I also think, if we get all the way back to our original discussions, is when the credit bureaus were all hacked, and then they passed on the cost of remediation of everything they did onto either the users of that data, which is every company, anybody who does anything with credit, and the actual users themselves. And then me as a user is responsible for cleaning up my own data, which they end up reselling, and they jacked up the cost because they had to do remediation on their infrastructure in the first place. So that's got to stop. And I don't know, without working directly with industry, what is the best way to move forward to make sure that the data, to Sam's point, you can trust in it, but that it's being protected appropriately.

Okay, so before we move on to more general questions, there is one last section of Pillar 3 that I would like to go a little bit deeper on. We touched on it very quickly, which is shifting the liability for insecure software products and services. And for our listeners who happen to be in the IT services and software business, this is particularly important. Sam, let's start with you. How do you envision business models and business operations changing in the software and IT services sector if this liability is now shifted over to them? And if the administration, in its own statements, is successful at working with Congress and the private sector to develop legislation establishing liability for software products and services?

Well, Chris, I'll start with the first thing, which is, how do you define liability? And the problem is, as you know, it's a combination of the provider and the user.
So is liability only on the provider of the technology or the services company offering the technology, or is it how people use the technology? I mean, for example, people that misuse technology in multiple different ways in society, you tend not to penalize the provider of that particular kind of technology, whatever it happens to be, because they use it multiple different ways, and you just really can't limit its usage. So my point is, though it sounds like a very good thing to do, you know, right? Because, therefore, it would stimulate, quite honestly, this idea of designing security in from day one, designing it in on day one, which is really the goal. I mean, if you had security designed in from day one, it would just make it more difficult for people to hack into these systems. Look, it doesn't mean it's going to go away, it just makes it more difficult and therefore more sophisticated, more expensive. So a lot of these small things that occur probably won't occur. Having said all that, with the definition of liability, you could just create a whole series of litigation, which the trial lawyers would probably love, by the way, you know, right, where no one can conclude whether it was the product itself or the use of the product itself. So it's really a hard thing to do. I think, quite honestly, where I would start on this is not worrying about imposing liability. I would encourage a standard around what it means to design software from day one, create the bill of materials for software so you can see where the vulnerabilities are, and then the companies that do that well should be rewarded and the ones that don't should be penalized. I mean, I'd come at it that way versus create a whole new segment of the legal industry, so the only ones benefiting are the trial lawyers.
Yeah, hopefully we can use a model and create incentives for a race to the top, as opposed to the race to the bottom, which is trying to mitigate and eliminate risk and liability exposure on behalf of a company. Karen, any thoughts on the software industry and what kind of models and operating changes we're going to see if this goes through?

Well, this is one of the ones where what is old is new again. And at a high level, everybody agrees with everything Sam says. At a high level, everybody agrees with secure by design. And a lot of these fit on a bumper sticker, like "secure to market versus first to market." The challenge is in the definition; they'll get one level further down and talk about due diligence. And, you know, if you can define the due diligence and separate out the issues of what Sam is saying, like, did the developer, the software provider, do due diligence, and then was it used by a criminal element because there was something in there that they hadn't thought about and it wasn't exploited? And that has always been the rub moving forward. One of the biggest things that came out when that strategy was actually released is there is a part in there, and it talks about harmonization of regulations. And so the industry folks are actually asking, are you going to harmonize regulations first and then issue new ones where you seek out? Or are you going to issue new ones and harmonize later? Because if you issue new ones and harmonize later, that's going to increase the cost. Now we're full circle back to the other questions that you're asking, which is, you know, I'm going to have to pass on that cost to the consumer in order to be able to take it to market. And can I actually get these principles built into the culture of my organization in order to be able to develop it in a way that, you know, I've done everything I can that's humanly possible to secure this, so that a small business can implement it and not necessarily have to think about it?
Seems like it's a huge challenge, but one that's so structurally important that we have to do something around it. It won't be easy, because think about all the discussions on data privacy and antitrust, how long they've gone on. That'll be a short cycle relative to this. Yeah, this is probably a little bit more pervasive. Everybody in the world, as Karen says, has a point of view relative to this. Trying to put that into legislation is going to be pretty hard to do.

Let's talk a little bit about some market-oriented or general things. The U.S. actions in cybersecurity, like the President's new strategy, as well as those actions from other nations around the world, seem to be telling us that there's little appetite for allowing companies to voluntarily opt in when it comes to cybersecurity, and that after years of increasing cyber incidents, the likelihood is that they're only going to become more voluminous, not less. Do you think we've come to the point where market forces are no longer enough to encourage organizations to take the appropriate steps to protect their own businesses? So will we have more of a command-and-control approach to regulation than we've had thus far? It seems, based upon our conversation, that you see that happening, but just relative to government actions, do you see this trend not only moving forward but being locked in? Karen, how about if we start with you?

So I'm going to go to the carrot-and-stick approach here. I do think the whole idea of voluntary participation or voluntary opt-in, I just don't see that working, because we've been trying it for the last 25 years. And so some people do it well, some people don't. I do think, as you continue to go forward, that some type of regulation is going to happen. So you can either be part of the solution and get ahead of it.
And I think some of the incentives of what the federal government in the United States can do, and I think other governments are looking at this to see how the United States implements it, is the incentive of the federal marketplace itself. It's a big chunk of change as it relates to acquisitions, over $70 billion in the federal market. And Congress has given it several different tools to be able to implement secure products. So the piece then gets back to, okay, if I have the money, because there's a modernization fund now that has like billions of dollars in it, and I have different bodies that allow me to take intelligence information, mix it in with acquisition information, and then give guidance out, now how do you incentivize businesses to actually then deliver the solutions that the federal government needs? And that's through the competition. So if you know you can win a contract, and it's not mandatory, so it's optional. You don't have to participate in the federal market. But a lot of companies do, and they want to have that business. I think that's where you can get some of the incentives and drive some of the products, because they're going to have to develop them for the federal government. You're not going to maintain two different development cycles. You're going to try to gain as much efficiency as you can. And I think the way the federal government's going to move forward is, okay, we'll put our money where our mouth is, and we're going to only buy these types of products.

Yeah, that will be an important milestone. The federal government and its purchasing power has always been a major factor in economic and societal change in many respects, and the ability for it to act as an incentive or a catalyst for marketplace response will be very interesting to see, how quickly that can materialize. Sam, any thoughts about the marketplace and opt-in forces versus conscripted requirements?

No, I'm more curious.
Let's take the administrative side of a government, because you have to separate out the defense and intelligence side. But let's take the civilian side of government, .gov, not .mil. Actually, within the procurement guidelines, they also could become a standard for corporations as well. I mean, assuming that it works and it doesn't impede innovation, then I think you could see the adoption rate move from the government into... I'll give you an example from the PC industry. When the government started purchasing directly, that actually lifted Dell. I mean, their first user base was the government, right? Now everybody just buys everything electronically. It started in PCs, but it's gone everywhere, needless to say. But you can see the effect of a large consumer out there weighing in that drove a lot of that change. So that's the analogy I'd make here. So I sort of agree with Karen; now you have to separate out intelligence and defense and all the rest of that here. Let's just take commercial environments. I think she's right. And I think that could lead to more of a commercial adoption. But that's the carrot again versus the stick, because you can decide you don't want to sell to governments. And that's fine. You can decide you don't want to sell to large companies. I mean, nobody's making you do that, right? You could define your market as something else and then be very happy there. Now put ourselves in the seat of that CEO or business leader who has this opportunity ahead of them to either follow a carrot strategy or a stick strategy. What questions, Sam, if you were a CEO, would you be asking your board and your senior leadership team today about cybersecurity and how your company is going to be positioned, both in the marketplace as well as in the regulatory compliance environment? And then Karen, maybe we can come to you. Yeah, I'll start. 
I mean, basically, CEO or the board, whatever perspective you want to take on this, Chris, fundamentally it's risk. It's no different than all the other factors of your enterprise risk. And all large companies and mid-sized companies have enterprise risk models today that are broader than just strictly financial risk. They're much broader today as a result of some of the other areas we've had problems with in the past. This is just part of that. So part of that process in the corporation, it goes through the audits of all the other areas of risk. It's rolled up to come up with an enterprise-level model. A lot of that came out of the '08 financial crisis, because they lost control of the risk factors in the banking system. And we're seeing that again, by the way. But nonetheless, fundamentally, that's how you should think about it, as enterprise risk. There's audit, there's controls, there's the board-level function, there's committees of the board. You know, all that stuff already exists. So I would just include that as part of that. Now the other thing I would do, quite honestly, is I think you need people on the board who can ask the right questions when they come into the board, or on the audit committee when they come in. And so therefore the skillset of the, it could be a CEO with a technology background. It doesn't have to be a deep technologist per se, but at least they understand the issues and can ask the right questions to make sure that there's a check and balance in the process. Karen, some of your members in the Cyber Readiness Institute are among the largest corporations in the world, and certainly some of the most revered brands. What questions should their CEOs be asking of their board or their senior leadership team to make sure they're positioned properly? And not just the CRI members, but of course any corporation? Well, I think it's the same question over and over again. And this goes back in my history. You alluded to this. 
I think, you know, my government experience just never goes away. I had the opportunity, Chris, to handle the very first hacking incident in the federal government in 1996. And it's what happens in the immediate aftermath. And so when you ask, like, I love serving on audit committees and people think I'm nuts, but that's usually, you know, like the question I ask, it's not what's going to happen 30 days later. Everybody's really good at the 30 days later. It's like, what happens? Do you even know that you've been compromised? What happens within the first 24 hours of an incident occurring? And most companies have a hard time answering that question, like who's in charge? You know, what's the communications plan? How are we going to respond? Like everybody kind of goes off and does their thing, but the CEO is the one who has to answer. In my case, it's always the secretary of, you know, of the department or agency that has to go out and talk publicly to the President of the United States and to the American people. And it gets back into the trust. So what happens within, you know, the first 24 hours, and nine times out of ten companies can answer that question of who's in charge and who's leading in the first 24 hours. Yeah. And Chris, what I would do is, once you establish it, you have to rehearse it. You know, you have to practice this. A terrible thing was 9/11, but at IBM, we had disaster recovery as part of the process. Who to convene? Who led? Who knew? Who called? So immediately when that plane hit the tower, the system just kicks in. And we got the people, all the stuff that goes on, including getting all the people out of the city, right, has to happen. So, I mean, it's no different with that, to me, to Karen's point. All those processes need to be established, and then they have to kick in immediately, where the management team knows exactly what to do when that occurs. 
So Karen, if a company wanted to establish that playbook and then also do those rehearsals, are those the kinds of things that the Cyber Readiness Institute can help with? Or do you know of other parties that could help? Well, absolutely, especially, you know, we're very focused on small and mid-sized businesses, but I do know large companies that have talked to me about using our materials, because our materials are offered for free. We do put together a playbook. And the way I describe it is, when you finish the CRI program, just around these four core areas, which are automatic updating, phishing, multi-factor authentication, and securing removable media, you end up with a business continuity plan. And so a small business or a large business, I mean some of the large businesses that I've talked to, they use it for their annual training, to Sam's point. And then they exercise it out to see if people really know, you know, okay, if it's a small one, how does it continue to escalate? How do you handle this? And then, you know, we have sample communications, emails, things like that, that you send out. And the reason why I'm really excited about it is because it's not the dollar commitment for small and mid-sized businesses, it's actually the time commitment to understand, because then you're creating a culture. So as you continue to grow, because we want all small businesses to grow to be medium and then large, you've already established this culture. So it's just, you've got the core pieces and you keep building the pieces, like Sam said, more and more onto it, so that all the risks associated with the enterprise then can be addressed in your business continuity plan. So you want to build cybersecurity muscle memory? Yes, I do. All right, well Sam and Karen, thank you for being with us today. But before we leave, we always like to ask our guests to give our listeners one strategic insight to consider. And we call it our emerging critical issues moment. 
And in one word or one phrase, tell us what issue you see on the horizon. It doesn't necessarily have to be about cybersecurity, but since we've been talking about it, feel free to go there. What issue do you see on the horizon that business leaders need to put on the radar that they may not be doing so today? Karen, why don't we start with you? So mine isn't necessarily going to be about cybersecurity, but it is going to be about an issue that we covered, which is the reliance on or the use of machine learning and artificial intelligence. I would answer the question and say why answer the question. I've been at a lot of these large CEO events and they ask me about cyber. I say you should assume that somebody's already penetrated your systems. So what do you do about it when you leave here tonight? How do you build that muscle memory of rehearsal? I just believe some foreign entity of some kind is already in there, especially if you're doing anything in technology or biologics or pharma or finance and critical industries. You just have to assume they're there whether you know it or not. Okay, great. Thank you very much. We'll come back to these insights in future shows, but I want to thank you very much for taking the time to be with us today. You've been listening to The GATT, sponsored by the Center for Global Enterprise, celebrating 10 years of convening global enterprise leaders around the most important business transformation issues.