Tangent, he apparently is somewhere else. I happen to be walking by, and the illustrious group of, you know, representing, I guess, corporate America is what you guys represent, is that correct? Okay. CISOs. They told me they wanted me to go ahead and step up here. If Dark Tangent comes in, I'll be happy to hand over the process to him, but in the meantime, this is kind of a... I mean, I literally just walked by. I have no idea what the panel is about or anything, something along the lines of CISOs, and they're going to discuss a number of things. There's a few sample questions in the book in there. I think one of the sample questions was, how do the panelists feel about security research, its impact upon the economy, its impact upon the community, and I think that's especially timely when you consider what happened at Black Hat with Mike Lynn, the now former ISS employee being sued by a myriad of people, apparently. So why don't we have someone up here on the panel kind of jump in. You guys be thinking of questions too, to ask these people. Actually, first off, let's just go down the line. You guys go down the line and introduce yourselves, tell who you are, and then we'll get to the question. Does that sound okay? Just name, title, and IP address of your VPN. Yeah, qualifications too. I'm Justin Somaini from Verisign. Sorry, we're in information security. He's not qualified. Pamela Fusco, chief information security officer, Merck Pharmaceutical. I'm certifiable. I'm Scott Blake. I'm the CISO at Liberty Mutual Insurance Company. My background was as VP of Information Security at BindView Corporation; a couple of ex-BindView people around, I see. I founded the Razor security research team, and so I obviously have a bias very much in favor of information security research, particularly basic research around vulnerabilities.
I think it's essential to improving the technology that we have to work with as part of the businesses that we're trying to operate. So I'm all in favor. Hey, sorry I'm late. I've been distracted by other business. I've got these slides up here, but it doesn't work. So you got through the introductions? No, still going? Oh, okay. Thanks, Pam. Hi, I'm David Mortman. I'm the chief information security officer for Siebel Systems. Most of you have the pleasure of having your personal information in one of my systems at one of these people's companies. So that's why I'm here. I'm Ken Pfeil, CISO of Capital IQ, a division of Standard & Poor's. I'm Andre Gold, Director of Information Security for Continental Airlines. And I'm Paul Simmonds, CISO of ICI, and I sit on the board of the Jericho Forum. And I think people were asking about qualifications. The only qualification I hold is I'm a qualified whitewater canoe instructor. Okay, sorry I was late. Typically, when we've tried this in the past, I had all these really nice questions and tried to get them off on certain topics, and we didn't have a lot of time for questions and answers. So this time I'm going to try something different, which is a lot more audience participation. I have a couple of questions for them first, and then we're going to let them talk about it for a while. I only have two or three, and then we're going to open it up to the general audience. And then my job is just to make sure that if you ask, like, a 30-second question, I'm going to distill it down into, like, a four-second question. So keep that in mind. Okay, so, question. Would you hire hackers? How does the word "hacker" influence your hiring decision? And/or are you purely concerned about criminal backgrounds? I mean, if somebody comes to you like Hobbit and says, "I'm a self-described gray-bearded Unix hacker"... Whoever's got the most serious feelings about this?
Well, I've hired a lot of hackers in my time, so I am very much in favor of using hackers, and I use the term really in the old-school sense. I mean, we're talking about people who break things for the purpose of knowledge, who generate new knowledge about systems and software and what have you, and that's essential for doing security research. However, I would also add to that that I would not ever recommend hiring a criminal. Now, where the line gets drawn is sometimes a little bit fuzzy, but that may be a whole other discussion. I mean, would you do a Google search on their hacking handle and see if, you know, it pops up on some Chinese defacement team? I would definitely look at published research that somebody has done, and look at participation in discussion lists, where they've contributed positively to the community or not, and whether somebody has the respect of their peers and so forth. I would not intentionally dig deep into other activities beyond those positive contributions to the research community, other than a criminal background check. I've hired people who've gone bad, so they were good when they came and then they went to the dark, you know, the other side. And the other thing I would do... Was it because they're reading 2600 or something? Because I'm really tough, man. No, and the other thing is, I would do a Google search, but if they're good, I'm not going to find it anyway. So yeah, I don't hire hackers, I hire intelligent people, and if the two kind of correlate to each other, then so be it. So you think this whole debate about hiring hackers is a non-issue, pretty much? I've got a 13-year-old daughter, so, you know, I'm pretty much shell-shocked, yeah.
There's a media misconception, I think, that's out there that "hacker" correlates to "criminal," which I think most of us will hopefully agree is wrong. There may certainly be examples of correlation, but that doesn't necessarily prove the rule. So it's sort of like a plumber, right? You can have a plumber or you can have a criminal plumber, but they're still basically a plumber. So yeah, you can be a criminal hacker or you can be a... yeah. Over in the UK we have a thing called CHECK certification. I don't know if anyone here is CHECK certified. Basically, what it means is it's the only certification, as far as I know, in the world for hacking, and it's actually sponsored by the UK government, and it means that you're cleared to hack UK government systems, and that means they've done a background check and they're happy with you working on government systems. And personally, that's good enough for me: if you're CHECK certified, I'll hire you anytime. Anybody have any questions or comments on that? Yeah, are you in the red, please? So the question was, there's a presenter at Black Hat who was fired for giving his talk. He quit two hours before his talk, apparently, so he wasn't fired, but had he not quit he would have been fired, and the question was, would somebody like that have any hiring prospects at companies represented by these types? I'll answer that. Okay, yes, I would hire him, because I don't consider him to be a criminal. I consider him to be someone who has brought something to someone's attention, and he's gotten quite a bit of attention over it, but I think that we all learn from what has happened in the past, and I hope that we move forward. So I think that he's a qualified individual, and if I had a position and he passed the HR criminal blah blah blah, he would be gainfully employed. Anybody else?
I'll just second it, insofar as, you know, if there was a call for security research... I don't currently run a security research team, but if I did, then sure, with the same caveat. I think there's another question over here. Sir? What are your peers up to? Do you know, are they hiding from this issue, are they indifferent, or? I think it's our responsibility to bring security to their attention; that's what they pay me for. And I'm lucky in that respect: I get quite a bit of support from the executive staff, and I think that they would trust the opinion of what I'm bringing to the table. But I also trust it's not just me, it's my team, and I have about five people in this room that come with me to Black Hat and to DEF CON, and I trust them. And if they're going to be working with these people... I just sign the paperwork and pay the bills, right? So if they're in agreement that an individual such as that is welcome on the team, I'll be damned, then I'll take it to the highest level I need to to get the person hired. One more question, then we'll move on to a new one. Sir? I'm sorry, talk a bit louder, please. Well, that's a broader question than whether or not they're going to hire hackers. That's a privacy question. We could ask them about the Patriot Act later, that's not a problem, but is it a hiring-a-hacker-related type question? What's that? That has violated the Patriot Act? It's being done every five seconds. I mean, plenty of people are hacking every day, and they're not being busted on the Patriot Act. So okay, let's move on to the next... oh, do you have one more question, sir?
Right, right, and I think there was a question on this earlier. His question was, how do you rate private versus professional experience versus maybe academic security experience, and weigh that in a hiring-type decision? And it also kind of relates to what we talked about earlier, which is certification. You know, would you hire somebody with a CISSP or a security MCSE over somebody with nothing? So, perspective: actual work experience. The work experience actually means a lot when we get specific down into the skill sets of actually hacking or breaking applications, or breaking OSes or networks, etc. I agree there's not really a lot of corporate jobs that you can actually reference on a resume in order to prove those skill sets. A lot of that actually just comes out in the interview process: you break them down and be able to say, how would you do X, Y, and Z, or what is your mentality or thought process going through an actual attack, and making sure that it's mature and it's done in a well-defined manner, and it's not, you know, a script-kiddie kind of attack; it's actually very well thought out and very detailed. So just to expand on that a little bit: degrees, certifications, they hold their place, in a sense that you have concepts, and degrees within our organizations also allow for mobility up that corporate ladder, so to speak. But when I'm out there, like Pam said, looking to bring on people to augment my staff for respective duties and everything else, it's all about the experience. I mean, the degrees and those types of things, they're okay, but they're kind of like the last thing that I look at. It's like, okay, where's this guy or girl been, what have they done, and what can they bring to the organization? So half the people on my team don't actually have degrees of any sort; I think they have high school degrees, probably, but work experience is more
metric for getting the resumes onto my desk than for actually, as a hiring metric at that point. More important than actually even experience, for me and my team, is just getting it, getting the ideas. I can teach them the technical skills they need to have, I can teach them the project management skills they need, but if they just don't get it, they don't get the idea of security, they don't get the idea of risk management, it doesn't matter if they've been doing this for ten years or if they have a PhD in computer science. I don't care. Yeah, but getting this back to reality, the bottom line is, when you're faced with six or eight hundred CVs on your desk, or certainly going through a human resources department, you go degree, no degree, degree, no degree, degree, no degree. Ultimately, a relevant degree says that you are capable of a certain degree of learning, and yes, absolutely, you bring them into your business and you teach them and you put them on training courses and everything else, but the degree says at least they have the capability and the wherewithal to go out and learn new skills. And it might not be perfect, but it is generally a fact of life in the corporate world. The other qualification I'd tack on to that is publications. For someone who's going to be doing research or red team kinds of activities, I would want to see published new vulnerabilities or published papers on techniques, things like that, as part of the qualification. Seconding the other things that have been said, degrees do count, unfortunately. I think one thing being left out of the equation is attitude, also. You know, if you've got the worst attitude and you're the best hacker, I don't want you. If you can't play well with others, I don't want you. So, okay, so we'll have one last question, then we'll move on to a new topic. Well, I think, you know, you've got to let them devote a certain amount of their time. You can't have... I don't, I
don't have my folks doing a hundred percent of their focus time on one particular task. I let them work in different areas of security. We provide them with the training that they'd like to go to, within reason. So those are just a few of the things; we also do peer training, and sit-downs, lunches, outings, that sort of thing. So, okay. Send them to DEF CON. Thanks, Pam. Okay, the next topic is kind of near and dear to my heart, related to the whole Enron case, and that's data retention. You know, in the wake of Microsoft, how long do you keep data, and do you do it as a defensive measure against lawsuits, or is it just sheer log bloat? What's your overall thought on log retention, data retention? Anybody? So I'll jump in here. Log retention, or data retention more specifically, can actually be driven more by external legislation, be it credit card information, personal information, etc. So there's a lot of limitations on, and requirements on, how long we have to hold it and when we actually have to delete it. Outside of that, the perspective is basically on a yearly time frame; we go through most of the data. The main reason for keeping the data is not only providing a service from the application side, but it's also being able to go back in time for issues like litigation. Yes, so would you say what, a year, six months, ten years? I would say about a year. I mean, there's certain things that we have that definitely go beyond that, but about a year is pretty much the baseline. No, unfortunately, we delete data a lot sooner than that unless there are regulatory requirements around that data, but data has proven to be a liability to us as well, you know, within court, and so our legal department actually comes down and mandates that data over 60 days actually be removed and be expunged from the environment. Our data retention policy is about 80 pages
and it's driven by a wide variety of state and federal legislation for different types of information, and there are a lot of different things, and everything has its own rules for how it gets... so it's a total nightmare mess. I wouldn't call it a nightmare, but it's complex. Yeah, I mean, we're driven by legislation, and we've got places, because we're a chemical company, where we have to keep data on people, and particularly their state of health, for ten years after they die. So potentially that's up to a hundred years, which is a real issue, because of course media changes the whole time; media doesn't have a hundred-year life. I was going to say, you've got a lot of money in Mac store and Hitachi. We're going back to microfiche. Microfiche is about the only thing that actually works properly. Okay, sir? The question is, how many of you have signed policies dictating how long you'll keep the data? Yeah, signed, all. We keep data 100 years in the pharmaceutical industry, which is crazy, because when you store data a hundred years, the technology that we used in, like, 1801 doesn't exist in 2005. I'm sorry, who's speaking now? Speak, stand up, please. Oh, okay, the question is, how do you secure that data once it's archived? Do you put it in a big hole in the wall, or a hole in the ground? Salt mines. Salt mines are really good. Salt mines are really good. Sunglasses, right. Right. So now that you're storing data for a hundred years or whatever, does it ever come in handy? Have you ever actually used it for anything? Ten years, but we were founded in '95. I think the furthest we've had to go back is in the order of about 30 years; we were founded in 1928. What was the circumstance for that? It was a health claim against us, for a disease that they developed, and they blamed it on us. They didn't win it. I don't know what the exact number is for us, but the company was founded in 1912 and we sell life insurance, and have since then, so probably that
far back. General counsel, legal, pretty much everybody. Raise your hand if it's driven by legal. Yeah. If you could have your way, would you get rid of it? No. So you think that it is in the appropriate position? So that's totally the correct location for that. Okay, yeah, the data retention policies dictate not only how long to retain but also when to destroy, so a lot of our policies are written in terms of the maximum retention period, not only the minimum required retention, and when you reach those maximums you just purge. Yep, and hopefully that Stone Mountain place doesn't have your hands on their tapes, right? I probably lost it anyway. Do you think that the burden or the overhead imposed by performing these retention policies is a burden on the business function? Yeah, we at ICI corporate center in London, we have a 15-month deletion policy on email, and basically we force our employees, when it comes up to 15 months, to actually sort it, go through it. This is automated: it puts it into a bucket and says, you will sort this, and you're forced to go through and either delete it or put it into the archiving system, at which point you have to give it a title, a date, what it's about, and when it needs to be deleted automatically. But yeah, absolutely, that 15 months... I mean, you can work on projects for three years in some cases, so yeah, it's a real problem. There are certain issues where we have internal monitoring projects, where we monitor individual activity, and we actually have a very short retention for that data. Obviously there's a lot of personal stuff going through the network, and we do have investigations where we need to go back a year to really see what the full activity of a particular individual is, so that would be one of the cases where it would impede what we do. Personally, from a business standpoint, I mean, really, the federal requirements or the industry requirements on data retention that are applicable to us really kind of has changed the
business and how they perform the service, so not really, from a service standpoint. Okay, I've got one more question. Oh, sir? Other... yeah. So the question is, are there data privacy laws surrounding how you retain the data? Do you have to keep it encrypted? ROT13? You know, how do you keep it? In the paper files? Really? Well, that's its successor, yeah. Yeah, so you say microfiche, and then you physically have control of it, and then you put it somewhere and hope it doesn't burn down. So when you look at things like PCI, where Visa's and MasterCard's certification program actually requires the encryption of credit card data... Well, for the companies that do it... We all do, absolutely. Basically, going back to the point, I think the encryption of the actual data on the tapes before they're shipped out is very important. The encryption of the data within the database, even though they're running in production, like the credit card data, social security numbers, etc., I mean, it's absolutely imperative that we do that, because application security is getting a lot more dangerous nowadays, and without it, it's just a recipe for disaster. So from a data encryption perspective, it also depends on what the data is and where the data is going. So there's encryption regulations: data in transit needs to be encrypted, but in some cases data at rest does not. There's also, because we're international, different encryption laws; Paris is different than what we do in Germany. Location of the data: there's no offsite storage in Germany, and I may be wrong, it may have changed, but last I checked it wasn't. So we have to be very careful when we're talking about what we're doing with what parts of the data, and with what region specifically as well, and which algorithms. So Jeff's a little busy, sorry; yeah, there's some action going on around pool two right now that I needed to know about. I don't know if anyone remembers the quote, I don't know if first is here, but the quote was that if you think
encryption will solve your problem, you don't understand encryption and you don't understand your problem. Right, it's a great quote, and I think if we look carefully... I have to disagree with Justin a little bit. But if we look carefully at some of the issues, where we look at how things need to be encrypted or whether they should be encrypted, look at something like backup tapes, right? Backup tapes: it's a great idea to store them in an encrypted format until you need to actually restore from the tape, right? Then you have a problem, because you need to decrypt that information, and now, depending on where you are, I mean, if it was just a simple drive failure, then that's fine, but if your data center exploded and all your key material was there, you have a major problem. So where are you going to store the key material? Well, the safe place to store it is with the tape, so what's the point of that, right? You've got your key taped to the tape, so you can be sure that you'll be able to get the data back off of it. And the guy who designed the key system retired last year. Exactly, and 10, 20 years down the road, how are you going to do that? You look at some of the application things, especially encrypting data at rest in a database: something on that application server or database server knows how to decrypt that data, or it's completely useless, right? The problem then, for the folks in the room, becomes: find that piece of software and control it. Sitting in memory, the key is sitting in memory, so it could be anywhere. It could be sitting on a smart card that's plugged into the machine, but something knows how to get it, right? Some piece of code on that machine knows how to decrypt the information that's in that database, and somebody's going to be able to figure out how to get it off. Well, I guess the point of the encryption of the tapes is not
necessarily for protection... it's not necessarily... the encryption on the tapes is more so protecting it when that data is in someone else's hands. We don't put our keys on our tapes, you know, and it is a problem, there's no question about it, in regards to how you manage those keys. For us, we've had a little bit of experience in the keys, and so we actually have a distributed model in how we actually put it out. But yeah, I mean, to your point, there are some fundamental flaws, but you really have to understand your use case for encryption, and if you think encryption is going to protect you from everything, yeah, I absolutely agree, you don't understand encryption. Yeah, okay, this is the last one on this topic; we can revisit it when we go to general questions and answers. But how do you deal with... all right, so we talked about this briefly, but how do you deal with obsolescence? Are you constantly updating your backup technology and taking all your tapes from five years ago and updating to today's technology? And do you go through this rev cycle every, you know, five years? Do you decide it's time to re-upgrade everything? Anybody? I'll say it again: microfiche. Microfiche is where it's at, guys. We have seriously looked at it, because we've got this requirement for a hundred years plus storage; we have seriously looked at the problem, and absolutely it's... Do you do it in machine code? I mean, how is it machine readable? Is it in print? 3D barcode, or no? We print it. You print it onto foolscap paper, in our case, or letter paper in your case, and you put it up, you photograph it and put it on these... Right, in the printout, though, isn't it that it's encoded in a printed format? In what, a 3D barcode? A giant full-page 3D barcode? Is it ones and zeroes on the whole page? No, no, no, it's just their data. If they filled in a form, we print the form and we microfiche it. Oh, I see, I see, right. Yeah, well, I'm just wondering, what, like my Microsoft... So
you're saying it's definitely not Unicode, right? No, definitely not. Jeff, you'll be... So do you print it? Yeah, I'm just wondering how you print Microsoft Word binary, and it comes out squiggle, question mark, space, base, dash. No, we're talking the application, Microsoft Word, the application. Okay, okay, so it's in hex. It's in hex. Well, the only reason I'm wondering is because years ago some guys sold an application that would 3D encode your application, print it out on your Epson FX-80 printer, and then all you have to do is re-scan it in and you would have incredible data densities. Basically, each dot on the dot matrix printer was one or zero, and they were claiming this thousand-year thing: with a basic algorithm you could reconstruct the data whenever you wanted. It had built-in CRC checking and redundancy. But they would only have it on floppy, yeah, okay, sold it on floppy disk. But the business doesn't care about storing the application; they only care about the data, right? So the data gets printed out in a report, and it's paper or microfiche or whatever, and it's the data that gets stored. So, okay, I'm just concerned that you have the data but nothing to interpret it. You have people; it's in English. Okay, okay, right. You want to put back up... the minute the... I think we addressed this. A hundred years of data: we've just gone through, last year, a recall on a product that we had, and we had to find all the data. It's a problem, so we're not going to sit here and tell you that we have a cure. I mean, we have drug cures, but it's a problem. You have to understand, again, this whole data-at-rest issue is huge, because I don't think that folks realized how much data they were going to need, what purpose they would need to recover it for, and when they would need to recover it. So you're right, it's an issue. Right now for Merck we have a lot of data that's paper driven, because of wet signatures; we have a lot of data that's not. So it is an issue. You have
to... you have to figure out what it is you're going to do, and I think part of it is what data you need to make assumptions about. Miss Cleo's crystal ball, I say this all the time: what data may I need to go back and look at, a hundred years, 15, 25, two months, today, tomorrow, whatever, and how do I get to that, and what technology is going to be there? And that's when you really have to have your peering partners with your vendors and hope that they're cutting-edge solutions, because you work with them to migrate off of what's old and bring it to the new. You know, we try to do that with Microsoft, but anyway. So you really need to have peering partners with your vendors. Okay, new topic. So if you had to rate the danger from hackers, evil outside influences like bored college students, versus organized criminals, versus internal employees, how would you prioritize those three? Just what keeps you up at night? The inside employee. You, the Russian mafia, Oracle... Oracle, keep your way. No, Mary Ann's not here, it's okay, she won't kick my ass. No, seriously, I'm internal employees, industrial espionage, and then outside influences. For us it's the organized crime, the internal, and then the hacker. You guys? Yeah, for us it's the outside industrial espionage. Number one is... your number one would be the internal employee? So it's internal employee and industrial espionage are our top two, and the outside hacker is pretty much in the grass, one of them. Not to disrespect anyone. Yeah, I mean, I made the comment at Black Hat, and one of the reasons why it's the internal employee is because we don't necessarily have a culture that's conducive to actually permeating security within our fabric, our employee base and everything else like that. We've traditionally built applications predicated on, you know, three things, right: cheap, fast, or secure. You can build them cheap, fast, or secure; you can have any two of those, but it's real hard to have all three of those attainable in any project
application that you work on. And so we've traditionally done the cheap and the fast as a way to convince our business units that, hey, technology can add value. Now, in this day and age, going back and trying to get security development integrated into the SDLCs, and then just the methodology and mindset within the employees, it is somewhat of a challenge for us. So when security vendors are selling all the new blinky-blinky products that are all focused on protecting you from hackers, that's not terribly relevant to what you want to buy? You just call bullshit? Go with it. Well, you know what, I think that an internal individual that crosses the line is the external individual, and who's also to say, not to say that the internal employee, the trusted employee, not pegging on you or Dave, doesn't share that information with an external person on a chat board, right? So I think for me it's one and the same, but I just go to bed right now, because it'll be there in the morning. Okay, well, I mean, I'll kick off with that. We're a chemical company; at the end of the day, you can go out and buy our brand new product, and you put it into a gas chromatograph, and you can get a spectral analysis, and you can go out and copy it. It's very easy. What is going to keep paying my salary and my bonus going forwards is what we've got in the heads of our scientists and what's in our computers: what's coming next. It's how we steal a march on the competition. It's intellectual property, absolutely, and it is key to our business. So it might be totally trivial things, like paint that you paint on and it starts pink and dries white, which is one of our latest tricks. It might seem daft, but it's absolutely stealing a march for those people who want to over-paint their ceilings, and it's selling very well at the moment, and the competition will bring something out in the near future,
absolutely. So it's how you can get that edge on the competition, and that's all tied up in intellectual property, and ultimately that's what I'm there to protect. How you do it, of course, is the whole range, because you've got Trojans out there, you've got hackers out there, you do have industrial espionage, and we know we have a lot of that out there trying to steal those secrets, and of course you've got the mafia and the organized crime coming on, but they're sort of carpet-bombing you rather than trying to do anything targeted at the moment. When they get bored beating up the banks and the gambling sites, maybe they'll turn their attention to us. Who knows? For me, my main priority is protecting our customers' data, whether that's on our site or at our customer's site, so I'm spending most of my time these days beating up on product marketing and engineering, trying to get new features into the product. So I spend most of my time dealing with audit, which is, yeah, it's a bit of a problem, actually, with a lot of companies, where we actually find a lot of our attention being focused in areas that probably, maybe in our opinion, aren't necessarily where they should be focused. I mean, I'm a very big believer in audit, but some of the rules and requirements coming out of SOX are a little bit misguided. Audit for audit's sake is not exactly... I mean, there needs to be a purpose to it. So when we go through and we do an audit, I want to expect that we hit the source code, we go through the entire application, we actually review it for low true load testing, not just does everybody have a password, which is important too, but there's a lot bigger issues out there. But as far as the culture within the company, I think awareness campaigns kind of get a little bit of slack internally, but it's very important to really consistently beat that drum of what's important: do your job, these are the things not to do, etc., etc. So my job is actually not to protect the company
from information security threats my job is to understand the information security risks that the company faces which is in risk in combination is threats vulnerabilities and assets right putting those all together and educating our business leaders as to what those risks are how seriously they should take them and to facilitate them making a decision about what is the level of risk that they want to accept because ultimately at the end of the day it's a business decision exactly and we're insurance right we're in the risk management business we understand this at least we understand risk management in other areas anyway we would love to have better data which would enable us to do you know more management on that front but in the meantime it's a more art than science and that's where that's what my job is is to is to try to present a picture of what the situation is to our business people so that they can make a decision about what to do I want to go to this gentleman over here I work for a private company yes no I mean identity management for some sakes is pretty important I don't like to have people tell me what I should do when they don't understand our business or they don't understand our infrastructure or they don't understand technique you know a basic operating system I mean a lot of the audit organizations aren't necessarily very technical in nature therefore can't really understand what the actual risk is on your particular environment or actually how to do some of the artwork in regards to the multiple layers of mitigation that were implemented to protect you know your application or your OS or your network or whatever the identity management issue is I mean we need to be able to very clearly and concisely identify who has access to what and who they are and what they did and centrally it's important but it needs to be driven in the right way right and just to expand on that too I think you know identity management is another one of those you know vogue 
topics within you know information security and everything else and so the problem with identity management is that if you don't have role clarity within your organization meaning that I as undergo an employee of kind on the airlines gets access to X are in a resource and everything else doesn't matter you know what identity management technology solution that you have I mean there's business process and definitions that need to be fine be defined at the role level before you can even think about you know any sort of federated identity management or anything like that understanding the process understanding the roles understanding the application understanding you know what a maintenance worker needs access to versus a pilot you know for my particular you know organization under understanding those type of things gonna take a question from the guy in the back what what do you think the benefit is is there a benefit to your business or your company by being here for me it's a benefit to my profession what I do during the day is my day job that's why I earn my living this is my profession my company doesn't sell security products you guys help me protect my drugs that's why I'm here that's why I send my staff here no yes and I push her no but it's true I mean this is you know either way it's gonna happen whether we're here or not so why not be a part of it I mean we're sitting up here because we all understand and have bought into the fact security through obscurity it does not work the problem is there's a whole lot of business out there who haven't tweaked to that yet and there's a large router company I suspect is in that category to add to that a little bit I think you know hanging out with you guys for a few days I get just as much out of it you know if not more you know then then you guys do so gentlemen and glasses okay so the rephrase the question basically is is we hear about cyber espionage or espionage in general how how realistic is it does it actually 
occur in your industry is it something that's sort of just made up in the papers and have you seen them progress in sophistication over the years from maybe old techniques to new computerized techniques I'm guessing that maybe Pamela's industry is pretty competitive so clinical trials clinical trials well I ask her because she she's in charge of a 24 hour response team so I'm not real clear what the question is does it happen in your industry and if it does has it gotten better over the years in the pharmaceutical industry we are exceedingly competitive I don't want to say espionage doesn't happen and I'm certainly not going to say that it does because it's a very thin line so for instance when you're producing a drug it's exceedingly competitive it's very expensive it takes about seven to eight years to bring a drug to market that costs approximately eight million dollars however the bang for the buck is you're one you recoup about nine million after that it's profit so getting to market is the issue and there have been studies done where competitors have gotten to market with a very similar drug 30 days before us and we never reached the power curve we made great money on it excellent you know it helped humanity the community whatever but we it's the dollar value they just never made it there so it's time to market was it espionage you know hard to say a lot of speculation 800 million eight million develop 800 million return but you've got a like not every drug you make as a winner no that well that's a thing I mean but that's why it costs so much money but the other part of it is to we're not getting a drug talk here but the other part of it is for instance when you're developing a drug for instance you know what propitia is right it's for all those guys that want to grow hair originally it wasn't meant to be propitia it was a drug for colon cancer during clinical trials which is why we have to spend 800 million dollars to develop a drug it came out that this 
particular drug that we were developing for colon cancer helped men grow hair on their head hence therefore we got two drugs so you know a double whammy yet kind of like Vegas two four the insurance industry is actually a little bit strange in that respect in that we're required to file publicly much of our business information rates some degree of underwriting and so forth so a lot of our stuff is in the public domain already and the competitiveness has has a lot to do more with brand and reputation than anything else it seems to me as though the business people that I at our company always seem to know what everybody else is doing in the industry I don't understand exactly how they do that but it seems to be universal even at other companies in the industry so I don't know if they all you know get together on the weekends or what but I don't think there's a lot of industrial espionage taking place because of the sort of semi-public nature of some of the services that we provide so from from from a general perspective or an industry perspective the amount of of that particular crime going on is really stayed the same it's actually the methods that they're using in order to get the data out very typically it's the same old methods conversations walking out with knowledge however when you start seeing things like data being embedded in images technography it gets a very complicated in order to truly identify it while it's leaving your company but typically it's it's just walking out the door within somebody's head guy in a sense post shirt I recognize your fine fashion sense there does on a response belong in your organization or if it doesn't where does it belong in the hierarchy for us it does one of the things I own is it audit the reason that we actually put that there specifically is because we wanted the skill sets and the control belief system to really be embedded within the person who's doing it we didn't want it filtering out into kind of a business unit 
or application kind of mentality when looking at the controls within it so yes it's it's within our group now I've seen it a lot of different ways yeah they focus on finance the guy next next to what do you kill a bad app that was developed internally well I think you know well I I think you know it as a whole our mission is security so I mean you know that that's kind of one in the same you know in as far as you know getting security embedded into the application in the first place I think that that's probably one of the hardest challenges that companies are facing today and getting that mindset established and you know you've got the developers you know coming into the organization fresh out of school didn't really teach him proper coding techniques that sort of thing how do you get education into your how do you get that integrated into the whole development life cycle and how do you make that process repeatable okay well we're actually out of time so I think I'll take one more question and then these gentlemen and ladies will be around just and they'll be happy to answer your questions hang out buy my beer you know okay gentlemen right here in the corner yes at the end of the day your job is to inform the business decision makers so they can make an informed decision right so and you can't do that if you don't understand the business you have to know what I spend more time in my job learning about how insurance works than probably anything else okay let's give him a round of applause thank him for coming up here