Thank you very much, Kathy. That was very gracious of you, and long, and I'll dispense with any other introductory remarks. I'm really honored to be asked to give a keynote in front of this many people on a topic that is so central to what you're going to do for the rest of the conference. And in honor of that keynote thing, I'm not gonna give you the normal PowerPoints with five hundred slot, you know, bullet points and a recitation of what's going on, because I think you'll get that at the rest of the conference.

What I want to start with is really to give you the benefit of about 20 years' worth of work in the intersection, and this is going to be the theme: at the intersection of privacy, cyber security, data security, law, policy, processes, business stuff, all that stuff. I've lived that. The way to sum up what I've done in the last 20-plus years is I've lived at the intersection. And that's, I don't want to give you some lessons from living at the intersection, because I think what you all are doing as security professionals in the education industry, sector, profession, discipline is really, your success is going to be dependent on how well you thrive at that intersection and how you manage the intersection between what you do and what your other colleagues are doing within your organization or institution and outside. So that's what I'm basically going to do.

Hello, people on the web. This is, I guess, very interactive, so you can submit questions and somebody will represent your questions. And anybody in the audience, if you feel like raising a hand and asking something, please do that. I'm very happy to stop and pause there, too. So the technology is working, which is really good.

And the theme really is collaboration, living at the intersection, and what it takes to do that is really team, building a team. And so before I get started into the lessons,
I want to talk a little bit about why the landscape is so hard, and I'm not going to recite Mandiant statistics. Yay. I'm not going to recite Verizon report statistics. I'm not going to do that. You know all of those. But what I will say is, I don't know how many of you get to go in front of boards of directors or testify in front of Congress or talk to CEOs. So that's kind of what I do. That's my shtick, right? And I've frequently been called upon to be a representative of a team or the translator for those who need some kind of simplification of concepts that come so easily to those who are trained in areas and really expert in them. And I want to give you that perspective and tell you why where we're living today is, frankly, terrifying, concerning, you know, pick an adjective. I don't want to get too flamboyant about it, but it is very serious.

And an example of the seriousness of it that's not coming out of one of the vendor reports is, I was at the, I don't, at a ceremony in February at the White House. It's all drop names. I was at the White House on them in February for the release of the NIST Cybersecurity Framework. How many of you have looked at the framework? Everybody in the room, everybody on the web,
I'm sure. So this is a pretty, you can argue about what it really means and how effective it will be, but I happen to think it's a very consequential document, and I'll tell you a little bit more why later. But I was at the ceremony and this thing was announced, and, you know, there were several CEOs, there were several cabinet secretaries, and the chief of staff for the White House gets up and gives the introduction. And he said, you know, there's one thing we can all agree on from the White House perspective, from the administration, is that cyber security is one of the only systemic risks facing the United States. One of the only systemic risks facing the United States. And I thought that was very telling, that the declarations have been coming in a very blunt way about how significant these issues are that we're all addressing in our own institutions. There are only a few others that are systemic, maybe global warming, maybe a few others. But this one is systemic, and the realization, the public discussion that's been had the last several years about what to do about post-breach Target, that Target is the Target reference, Target has terrified boards of directors, your bosses, your management, your administrations, to say: Are we doing enough? Are the people on my team up to the task? What do we need to do, and how do I explain what we're doing?
That is absolutely part of the landscape now, in a way that even five years ago, three years ago, was, but not quite as much as it is. And it really makes people kind of betwixt and between, because on the one hand you do have the Targets and the University of Maryland incident and others that affect individuals, individual records that might have been or were reasonably supposed to have been compromised. And so you get to go public with those because of the laws in the United States that require disclosure, which I assume everyone here is familiar with. But, you know, if you have a penetration and you have a reason to believe that records about individuals that involve credit card numbers or financial data are compromised, you have to go public. A very unique invention of the American legal system, by the way. We started it; other countries are now taking that in and saying, well, that makes sense, I'll do that too. So that's on the one hand. You get that interplay and you get people coming to investigate and maybe sue you. There's a plaintiff's bar now, again an American invention, plaintiff's bar, that's saying that's interesting.

But on the other side of the kind of thought process, and frankly on the other side of Capitol Hill, are those who are really focused on nation-states. They're really focused on geopolitical issues and they're focused on China, other geographies. They're focused on controversies. For example, the Ukraine tensions have had a cyber element to them. And they're really focused on what do you do to incent and support behavior by the private sector, including education, to protect intellectual assets, and how do you incent
collaboration and make everyone feel like they got to do their best and not be penalized by coming forward and saying, we've got issues, we've got a vulnerability, we've got Heartbleed and we're remediating, and we've got some issues. And you kind of get a landscape, in the United States in particular, where you're caught between those who are looking at identity theft and really want to reinforce the fact that everyone's got to have good security, and we got to go deal with breaches in a fairly significant, punishing sort of way, and the rest of the issues, which are, let's all collaborate and get better at security. And it's a very, very challenging place, and those who are sitting in positions of having to allocate resources and make decisions are struggling to figure out how do you do the right things. How do you do what their security folks are telling them to do, their privacy folks are telling them to do, but keep in mind this landscape. So that's a backdrop.

And the reason I guess I'm asked to do these kinds of talks is that I've been around for a while and I've lived in this intersection. And so my background is, I was an engineer, went to law school, did a little bit of law, but then kind of backed into the privacy space when I was asked to figure out what to do about privacy back in the mid-90s, when the web emerged as a medium of business. And that's how I got into security, because I backed into it, because once you got, I've got to be appointed a privacy officer. I think I'm the first in business, I guess Fortune 1,000 at least. And what does it mean to be a privacy officer? How many of your institutions have somebody doing privacy? About 30 percent. How many of you do the privacy work? Almost as many. So I think frequently it lands with IT security, information security, and that's fine, but sometimes it's not. And you could tell sometimes, as organizations mature,
they actually start splitting them apart, because they're actually kind of different. And that's what I discovered over time, is that they're very different. But at the same time, if you're gonna need somebody to pull it together, you know, you end up gravitating and putting the two together sometimes, and that's what happened to me. So I was doing privacy as a privacy officer, and then I started getting calls around 2005, right about when the first data breach notification law was enacted in California. It said, you know what, we seem to have an issue here, an incident. Can you help us? I thought, well, you know, I guess so. That's data security, and then eventually cyber security.

And so my first lesson is, a lot of us do this together, but there's actually a big difference between and amongst these concepts, and it's useful to have a sense of what the differences are and what the terms are. So just for purposes of our discussion, I'm gonna just kind of give you my definition, and I would source the definitions from useful, authoritative places. And I start with, right now, the NIST framework has great definitions. The NIST framework draws from White House documents that I think are pretty good because they reflect a lot of stakeholders. Useful to start there. But cyber: basically the policies, every technique you do to secure IT systems, digital systems that have data and that are used to undergird our society. Data security: protection of the information on those systems. Privacy: policy decisions, mainly policy decisions, and actions you take to deal with information about individuals. And more broadly, when you're not talking about data privacy, you get into the broader concept of privacy, which I won't get into here. But basically there are differences, and one way to think about it is that you can't really have data privacy unless you have data security and cyber security. You can't really have data security unless you have a reasonable degree of cyber
security, because the data isn't gonna be safe unless you secure the systems on which it's, it's resident and on which it flows, right? But you can have cyber security without having either of the others. But then why bother? Why bother with it? Because then you're not securing assets that matter and you're not maybe protecting values that have come to matter to us is in society. So that's a way of thinking about the relationships among the three concepts.

The other, though, lesson two: over time I kind of figured it out that there are lots of places with people with very deep expertise and opinion, lots of situations where you end up spending a lot of time debating what these terms mean. I don't know how many of you have been in these discussions, but I have a friend who's involved in them. She's a federal regulator. She can't really tell me the details, but she tells me that she's in charge of an interagency task force trying to come up with standards, new cyber security related standards that will be influential. But she's telling me about these interagency meetings, and they are spending, she said, a lot of time debating the meanings of words like cyber security, privacy, in other words that have been defined many, many times by the administration that is responsible for this work. That's an example. How many of you've been in standards efforts where you spent a lot of time doing this? And I've been inside organizations, I've advised organizations, where you could see that there's a lot of delay in trying to get a team together and go work on an answer, work on a solution, because you're spending a lot of time saying, you know what, I got my definition. I've got, you know, information governance. Let's not get off on a detailed discussion about what does that mean?
Information governance, and everyone has their view. And everyone said that in order to put a team together, you've got to settle on some common ways of, rough cuts of what you're working on, what the terms mean, what the ideas are. But don't spend too much time, or else you're gonna eat up the time, and those who are waiting for answers will come back and say, what's taking so long? So that's one thing. And then if you're gonna put a team together that's gonna do data governance or data security or security, part of the other issue is, you know, boundaries. If you've spent a lot of time figuring out who's doing what and kind of guard them, it's gonna add time. So really the answer to some of the big challenges facing us are not to spend too much time on this, but then, you know, not to ignore them either.

Why did the folks at EDUCAUSE ask me to talk about team, building a team? I think the theme for the conference is mind tricks and other strategies. So I think this falls into the context of other strategies. I know that education is unique. I know that the kinds of organizations that you all are in lend themselves to decentralized actors, right? But at the same time you've got responsibilities that cut across. They cut across departments, have got across institutions, maybe even campuses that are very large. And part of the only answer really is to build a team. And I'm not talking, I think I was talking at dinner last night with somebody from the audience, I'm not talking about building your team. I mean, yeah, that takes time, that takes skill, to identify the people who are going to really be part of your core team.
I'm talking about team across your institution and team across institutions, like in EDUCAUSE, you know, identifying those folks who you can work with to get something done. And collaboration like that is really useful. Sometimes it can be a total waste of time. So in the context of cyber and privacy, the trick is to know which one to use and when to use it. Sometimes, if you're going to deploy a particular technology, I get it. You need a project management plan and you got to go do it. But if you're going to be deploying something or doing something that's controversial, that has policy implications or privacy implications, pause and figure out who else needs to be part of that.

And there's a, in the education space, not in higher ed particularly, it's a new entrant, is an example of a privacy related issue that got an organization caught in a bind. I'm not, how many of you know the organization inBloom? If you've heard of inBloom: Gates Foundation, another foundation, invested a hundred and fifty million dollars in the creation of a company that was intended to create and offer middleware, cloud hosted middleware solution for storage and management of education records. The clients of inBloom were supposed to be school districts. And so, launched with a fanfare, going to revolutionize educational records, because you can put them in the cloud, school districts and schools, and you could track student performance and teacher performance longitudinally over time, which is a value proposition that is something many people find very valuable, very, very useful; others think not so much. And inBloom, after operating for a few years, just shut its doors. Go put why?
Several reasons. One of the reasons were, from the outside looking at the situation, backlash and a concern about privacy. And it really became evident that they had not built enough of a team outside of their organization that said, you know what, here's the second station is doing something good, and they have some protections in place, and we know about what they're doing, we help them do it, et cetera, et cetera. That kind of collaboration, if you're going to embark on an initiative, was not quite there, and it got to them. So collaboration is a really important point, but knowing when to do it, when to build the ecosystem.

Now, I mentioned inBloom because I was trying to figure out what are the examples here that absolutely are resonant and unique to education as a sector, privacy or security, and inBloom is definitely one of them. The other is, you know, some of the recent breaches. There's a, if you ever need ammunition or ever need information about what's going on in education in terms of breaches, I don't know how many of you know the Privacy Rights Clearinghouse site or PogoWasRight website. It is kind of a funnest name, but these sites actually, you know, I don't see any better for identifying, where you can find information about publicly disclosed data security events, breaches. You can actually sort or go through those for incidents involving institutions of whatever sector, right? So it's educational institutions, and you go through them and you kind of pick up patterns. And education is kind of unique. I mean, the threat actors that go after you all most frequently are your own folks, right? So you get a lot of careless behavior that can lead to breaches. That's for sure.
That's why awareness is so important, and so, you know, user engineering. You might get insiders. Insiders, as I understand, now I am going to kind of go to the Mandiant and vendor reports, but, you know, and from my own experience, the insider issue, because of what you've gotten in your institutions, is a very serious issue. You're not unique in that. A lot of other sectors that have valuable data are definitely targets of that. But your institutions are pretty special, and your institutions also are ones where you're likely to be able to isolate and find the crown jewels a little bit more easily, maybe, than companies, which are more diffuse and have multiple instances of some of these pieces of data. So that insider vector is definitely something that's very significant for your sector.

And then whatever else, in terms of outside actors coming in, what people are really trying to get at with your sector in terms of security, you know it better than I do, but you've got some, you know, the intellectual assets that you have are really key, and then, you know, student identities or personnel identities. You've got a lot of people. Educational institutions are all about people, and you've got those assets. And the sector is known, unfortunately, as being one of the easier targets. So while you're not a bank, you're not some of the companies I work with that are maybe more significant targets, you certainly have the right profile to continue being a target and continue being a victim of these breaches. So that's one aspect on the security side. What makes you unique in the education arena? It's probably more interesting,
I think, because there's gonna be a fair amount of attention on education, I think, in the next five years, and there are a lot of forces that drive that. inBloom is an example of an organization getting caught in an interesting combination of factors. First is that education, like medicine, like other areas which are a little bit slower to pick up and adopt new technologies or to do it in a way that's kind of maybe more vetted, education is ripe. You're seeing your institutions adopt cloud platforms. You're getting social platforms introduced into your environments, potentially without you're getting too much control over who's using what. So you're getting more consumer type platforms coming into your institutions. You've got some regulation that covers data privacy or privacy in education, some, but there's a fair amount of momentum building in Washington in particular, but also at the state level, that whatever exists is not enough to protect student privacy and it's not enough to protect the security of information that you all have, you all, your institutions have, to which you have access and for which you have management responsibilities. There's a very significant amount of concern that's built up over the last five years. There have been briefings where a couple of senators, senator carries others, have talked about this. They've focused on K through 12.
They talked about higher education. The breaches involving respect institutions haven't helped matters. And so you're sitting in a situation where you have now that concern front and center, driven by data security breaches, but also by this notion that there's new technologies and that institutions aren't spending as much time in oversight, deciding whether or not to vendor certain solutions, certain data, and then, once they do, keeping a handle on it. That's, I think, palpable, and so that's what will drive changes in law and then changes and standards that might come out from those who fund. As a result of the NIST framework and other activities going on in government, a lot of the funding that will come out of the federal arena will have new conditions tied to it, I believe, that will talk about, you know, show us your security plan, demonstrate that you have put in place the elements of recent education department guidance on using outside vendors for, you know, cloud services, that sort of thing. And I think that is inevitable, and that's what makes the sector, not unique, but you'll see change happening in this sector as it's happened in others. So I think that that's coming.

But in the main, actually, the, or not here, and what is not unique is that what's happening to other sectors too. It's not unique to education. But the fact that you've got so many stakeholders, and that you've got decision-making processes in your institutions that are pretty diffuse, means that you have to have a lot of collaboration, a lot of consensus building, as you figure out how to deal with them. What's your position on legislation? What's your position on these standards? How do you take standards that are supposed to be imposed and then socialize them and get support for them? All of that points to the need to build consensus.

And I've talked about proposals, I've talked about other missed the NIST framework, incidents. The other tried and true techniques, a trick.
It's not a mind trick, but it's another strategy, is, you know, I don't know how many of you scan the social media or the press on your phone or every day. You know, I think the folks I'm working with, I may with CSOs, lawyers and, you know, risk managers, that's who I work with these days, client base. And what's been very successful, I find, is you kind of wake up in the morning, early morning, see what's happening out there. It's a new breach. It's a new lawsuit. It's a new proposal, something. Something happened. Maybe the Securities and Exchange Commission, for those companies that are publicly held, what the SEC says, it's really important. So whoever is announcing something or saying something, is to take that and plug it right back to the company management. I don't know how many of you do that or make a habit of it. You don't want to overdo it, but really good trick, the strategy is to say that's happened there, right? So if you're not using the University of Maryland incident or other things in your sector and say, look at what happened, or, I've been to EDUCAUSE, here's what this peer group has said, or, here's what I learned about this. Using that judiciously is very effective. It's very effective to attract resource, to justify resource, to justify and inform what your story is going to be. You know, a story is worth a thousand words. I'll get a, one picture's worth a thousand words, a story is worth two thousand words, because an example will get some, you know, get your folks, get your leadership, wondering and thinking that that's something they might do too. It's not always going to work, but it's for sure useful.

And in terms of looking for guidance and other external developments, I think the NIST framework, I'll come back to now and spend a little bit time on this, because I actually do think it's a very useful tool even if you're not considered to be part of the critical infrastructure. And I'm actually curious to
think, to ask you, I mean, do you all think that the institutions of which you're a part are part of the critical infrastructure? How many of you think you are part of the CI? And it's a weird question, I know, because you can have different parts of the institution. So about 15% of you sort of raised your hands, and that's about the state of the definition of critical infrastructure right there. It's a little like pornography: you know, when you see it, they kind of know it, to paraphrase a famous Supreme Court justice in case. And that's really kind of why the NIST framework is actually a useful tool.

So in February, when the Obama administration released out of NIST, the National Institute of Standards and Technology, the framework, it did so after a year, exactly a year, of a stakeholder process that involved about 3,000 people, and I don't know if any of you were part of the workshops that were held. The framework is intended, by word, by black and white, to apply and be used by the critical infrastructure, those industries that are a part of the critical infrastructure. So the framework resulted out of an executive order the president signed back in 2012. It said basically that, the politics around that executive order were, for the first term of the Obama administration, the administration was building its position on cyber security. It was thinking about, do we need legislation? It came up with a position, said we need law, and there's a kind of a write-up of what the law should be. But at some point in 2011, early 2012, the administration concluded, no, we're not going to push legislation. We're not going to do it.
And so the political play was, in the State of the Union address in 2012, Obama, the president, talked about cyber security and said basically, I signed an executive order, we're gonna do as an administration what we're going to do, and then we're going to now wait for Congress to do more. So the strategy that the administration is on is basically doing what can be done under current law, within its power, within the agencies, and waiting for any other laws for Congress. That's basically the posture that you can expect for the rest of this term, this administration. See what next, when next might bring. That should tell you something about, don't wait, don't expect too many new laws. Actually, don't expect any new laws in privacy or security unless something really consequential happens, at which point then we're talking about a kind of a 9/11 kind of a situation. So that's the landscape.

The executive order that was signed in 2012 said, okay, here are all these things we're going to do, six or seven different areas, one of which was, let's get a new framework out there. And we're gonna mobilize and use NIST, which is a very respected agency, to mobilize and take a framework that will be voluntary, but that could apply to any critical infrastructure sector and anyone else who wants to use it. 3,000 people get consulted, stakeholder things and stakeholder sessions, and you take all of the ISO, NIST, other security standards and you boil them down to what is a document that can be used by board of directors, by management, by the CIO, the CISO and anybody else in the organization who wants to kind of track and say, how are we doing on managing cyber security risk? And that document that was issued a year later, right on schedule, is like 45, 50 pages and is actually pretty, pretty good. I can read it.
I actually help, you know, input to it. So if, you know, you can have lots of different type of people looking at it and using it, it becomes a Rosetta Stone, so you can use it to translate. Lots of people can look at it and say, oh, I get what that means. And so the simple words that are used to describe the basic activities, I go back to the point about let's not argue about definitions. They could have used different words. They could have used a lot better words, probably, I think so. They have these, like, one word descriptions. The first thing you do in managing cyber security risk is identify. Identify, what the hell does that mean, identify? I only kind of dig into it. So what they mean is identify the risks, and then identify, because I had to keep, we're using the word identify, identify all of the assets that you have, the information assets you have in your domain and in your organization, which is really hard. Nobody really knows exactly what they have, but they say, you know, make an attempt there. And they keep going and identify things, and then detect and defend and recover, and those are the words, the one word descriptions of the basic things you need to do.

Why is that powerful for you all? It's silly, right? You know much better what the elements of a security program need to be. You can go to much more sophisticated tools. But you know what, sit inside a board of directors, or sit and answer your provost or your chancellor's question, if you've ever been in the situation. They say, well, tell me, how are we doing in our security program? And explain to me, because I'm not very technical, explain to me, what are the ingredients that go into a good security program? I don't, many of you have ever gotten that question.
I have gotten that a lot of times recently. I mean, I've been consulting more, on the consultant side, the last couple of years. I'd never got it inside a company, because we already kind of knew that. But on the outside I've been consulting and talking to a lot of senior people. The first time I ever got that question, I froze, because I was so deep into what I knew and thinking, and somebody asked me the simple question, and I kind of looked at them and I thought, you know, how do I answer that? Do I start talking about the law? Do I start talking about the elements of the ISO's, you know, 27,000 framework? Do I start talking about COBIT? Do I use this, that? And I realized, if I had opened my mouth and, if I'd gone down that road, I'd have lost them within a second, and they would not have understood what I was saying, and they would say, okay, well, that's nice, but I got to go figure out now what I can understand enough and then to go figure out how to make decisions about and make funding decisions particularly about.

And what this Rosetta Stone, what the NIST framework does for all of us as a community is, it helps us not have to come up with definitions and words on our own and then worry about them and all that. We just, I think, suspending the desire to make your own for a second. If I were appointed, newly appointed, a CISO or an IT security person, which I won't be, but if I were, or if I was counseling one, which actually more likely happens, and they said, well, you know, how do I explain what I want to do? I said, well, you know, take these words, take this kind of checklisty thing, which is kind of a guide.
It doesn't, you have to do all of it, and say, you know, here's this authoritative summary of what the world, in the United States at least, what the United States currently expects to be in a security program. And look at it and say, you know, we're gonna be expected to have identified our risk and identified our information on our assets and have done certain things. We are expected to detect attacks and be able to defend against them, and if we are hit, we are expected to have certain mechanisms in there to recover, et cetera, et cetera. And that's what we're expected. Those are the ingredients of a successful security program. That is plain English, makes sense, and it's tied to an external standard that, it's not mandatory, but it's actually eventually, because of the landscape here and the challenges, it's likely to be, something like it is coming. Maybe not in the next couple years, but eventually there'll be something there that says, you know what, there is a standard of care to which organizations will be held in the critical infrastructure, or anybody who even gets close to being considered to be important.

And that's why I think this is, you know, not legal advice, but practical, is like, look for something you can hang your hat on, and maybe EDUCAUSE has other guidance to use, but this is something that is sufficiently general and high level that you can hang your hat on. And whether or not, you know, some aspects, some elements of your institutions likely will be considered to be vital, critical. And when the administration released the framework, they actually snuck in there kind of a definition of critical infrastructure that was even more expansive, and mind-blowingly so, than other similar pronouncements.
So it's basically anything that anybody thinks is important or relies upon, it's critical infrastructure. So if in your community your organization somehow plays that kind of role, somebody's going to say, well, you really are important. So, you know, when clients ask me, are we critical infrastructure or not, you know, I've actually just, several months ago, produced a memo that traced the history of that term, and it's kind of interesting to see the history. We don't have time to go into it here. But, you know, there is a definition. It doesn't, there's nothing magical that happens if you think about yourself or talk about yourself as critical infrastructure. You might get regulation coming down the pike that sweeps in those who might be part of, you know, what the Department of Homeland Security considers critical, but at this time, for practical purposes, you know, the definition is pretty loose.
So I have two more. Any questions or any comments, please get ready or pop up a hand if you'd like. I don't know if we're going to use, are we going to use mics? We're going to use mics, so get ready if you want to do it.
Lesson seven: FUD. I assume this is a technology crowd, so FUD is a term you know: fear, uncertainty and doubt. Don't let fear, uncertainty and doubt about law, particularly privacy laws, get in the way of doing what you need to do. And here I'm really thinking about information sharing, the kind of information sharing that is commonly understood to be effective and useful in dealing with threat. And I actually was talking to the NCFTA yesterday, National Cyber-Forensics and Training Alliance, if you know them, in Pittsburgh, and they had asked me to come do a version of this discussion for them, because what they had seen is that
law enforcement, forensics folks and others involved in response were getting increasingly hampered by organizations: I can't share information because I got privacy concerns, I've got these issues. And it's been a barrier for a long time, but there's a lot more interest in information sharing now. There's a push to do it. It's in the NIST framework. There's a section that says, are you sharing information? There's legislation designed to try to encourage and alleviate the concerns here. People understand that's something useful to do. But then if you go and try to do it, you know, people like me in organizations will say, wait a minute, did you think about this? Did you think about that? What about privacy? And there can be some absolutely valid issues, totally valid. But what is useful here is really educating people what really is useful to share. I mean, most of the information you want to get out or get is not personal information, so there really is no privacy concern. It's much more technical and signature type stuff, right? So education is part of getting rid of the FUD.
Other techniques would be to, you know, get help to figure out, you know, is there really an issue? Because, you know, I don't know how many times this happened to you, but I have an elderly mom and I have authority, I have a power of attorney, able to get information about her health care. I'm completely authorized. It takes me, every time I go to a new provider or see somebody who doesn't know me, I either get one of two things. They kind of disregard and just give it to me without even asking to see my power of attorney, right, like that, which is one bad thing. But then most of the time what happens is, no, you can't have that, HIPAA tells me I can't give it to you. I said, well, here.
Here's this and this and that. I said HIPAA, HIPAA, HIPAA, and they just have the bureaucrat answer, which is, there's something, I don't know what it is, but I can't take a risk, because something here says I can't. But if you read a little bit, no, no, no, I can't. And that's really human nature. It's a time-saving risk mitigation strategy on an individual level, to say no, because there's this thing I've read about and there are penalties associated with it and I better say no. And that, I think, does help create an environment of FUD. You take that HIPAA example and make it applicable to others and you get this behavior in organizations. And really what my lesson has been, you know, that's where it helps to have, you know, a couple of allies here to help say, no, no, no, I understand what you're saying, but no, this is really not that, it's this. That kind of getting through and barreling through objections is really important to get stuff done.
And that's why I conclude with my last lesson. That's kind of, you know, maybe a little self-serving, but maybe a lot less so, sorry, but, you know, my best friend and ally when I was inside the company was my colleague the CISO, the chief information security officer, because you can't have privacy without security. So I couldn't do anything, frankly, without the benefit of and the collaboration of the IT and the IT security folks in particular. We were extremely close, both I as a counselor to them and kind of an uber risk manager, but they to me as colleagues who understood much more deeply than I ever will the process and the technology aspects that they were undertaking on behalf of an institution that's very large. And now what I see is organizations that do have experts and leaders within them that are collaborating. If you grab on to a lawyer, grab on to your internal colleagues who understand the policies and the legal aspects that you're not specialized in,
they can help you barrel through. I cannot tell you how many organizations I've gone to where it's the general counsel who is now sitting at these board meetings. General counsels go to almost all board meetings. They have a corporate secretary role, most of them. They sit in those board meetings, they listen to the discussion. CIOs typically are invited, but the general counsel are always there, and they hear about these issues. They take it back, and they're asked by the CFO or the CEO, could you go figure out if we're okay? Guess who they're gonna call? They're gonna call their friend, the inside lawyers. I think, I say, well, could you talk to these guys? Could you, like, figure out if they're on the up and up, are they okay? And then they come back and they put these issues on agendas, you get presentations going. They can be very influential in elevating the issues and selecting and framing. And if you make friends and allies of those folks, they will take you places that you need to go to get your case made and your agenda prosecuted. So that's why I think, you know, other than being a generally nice person and collaborating, that's why in institutions it's useful to have them as colleagues and friends.
Anybody have questions or observations? Maybe short ones, observations, questions, longer, that you want to raise, and they could be about legal issues, policy, other lessons, other observations, because I think we're almost at time. Anything from the web? Nothing from the web. Okay.
So what I've been trying to do, and it, okay, so what I've tried to do is give you a kind of a sense of context. I think the things to watch for, by the way, I have a, my team and I have a blog, if you're interested in more deep kind of analysis of legal issues in the security or cyber area as they come out. We propose something about once every couple of days.
It's called hldataprotection.com. What I think is coming in this area in terms of legal and policy issues that teams ought to be aware of are: watch data breach notification. I think we're gonna be coming and seeing a federal standard sometime soon. That is one of the pieces of law that will be likely to progress, if anything does. The other is, watch the Federal Trade Commission. To the extent there is a regulator in the United States that talks about or looks at data security and data privacy, it is the Federal Trade Commission. Their authority under the laws that govern them, it's been expanding, because they've been suing and getting recovery and consent decrees with a number of different kinds of companies. They are under challenge by a company called Wyndham Worldwide. It's a hotel company. Their authority is being challenged and they're now on appeal. The FTC won the first round. That is also, I think, pretty consequential.
Another area to watch, or even to participate in, is self-regulation. In the United States the Obama administration is on record as supporting, and they are supporting, initiatives to create standards and self-regulation in not just security but privacy in particular, around things like online standards and facial recognition, use of facial recognition technologies, which is not about your areas, but there are companies and organizations starting to use facial recognition as a way of authenticating for security purposes and for other purposes, you know, kind of physical security aspects. There is some very interesting self-regulation going on, sponsored by the U.S.
Department of Commerce. And then watch your agencies. Your agencies, the ones that you deal with, whether it's funding or standard setting, are going to be under pressure to do more in these areas, and they're going to be doing more, whether it's funding restrictions to wait for your programs or substantive restrictions or standards. That's coming too. And the only way to do it is to have a team to respond. So thank you very much for the morning, and have a great conference.