- Welcome to The Cyber5, where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of NISOS, the Managed Intelligence Company. In this episode, I talk with chief information security officer of H&R Block, Josh Brown. We talk about building a security team that truly knows the business, and building intelligence to inform a proper risk strategy. We'll have a frank conversation about what the business of security means and how to develop a team that understands multiple business lines. So a security team is anchoring their security strategy to how the company is driving revenue. We'll talk through how to do this at scale within the intelligence discipline that touches many lines of risk, not just cybersecurity. Stay with us. Josh Brown, welcome to the show, sir. Would you mind sharing a little bit about your background for our listeners please? - Yeah, absolutely, yeah, I'm Josh Brown. I'm the Vice President and global Chief Information Security Officer for H&R Block, that's the present role. Before that I worked at several different entities within the Omnicom Group of Companies. Before that, we're going way back in the way back machine. I cut my teeth at The Motley Fool during the dot-com bubble of the early 2000s. So I've worked in every segment, I think except .gov over 25 plus years in the industry. Obviously my views and opinions have been shaped by the places I've worked, the type of work I've done. Just to be clear, these are my opinions, my views. They don't necessarily reflect any views of people, entities, businesses that I've worked with or for. - No, I appreciate you joining. 
And I've wanted to have this type of conversation for a while with a senior security personnel like yourself. And today we're gonna be talking about really the business of security and that's building a security team that really knows the business and can use intelligence to really inform proper risk strategy. So kind of starting out, I think we can all admit security engineers, security professionals are not professionals in whatever the business is, whether that be taxes, whether that be financial services, whether that be retail, manufacturing, but I think that's such an important part to really understand what the business does and how they make money and to adapt your security strategy and adapt to everything that you do in security, whether that be security architecture, whether that be networking, whether that be security operations, pen testing, really all the application security, the whole gamut, right? And so I guess from that perspective, what does the business of security mean to you? Understanding that security personnel are not business unit subject matter experts. How do you develop security personnel who genuinely know the details so they can form legitimate risk? - First of all, I love, love, love, love this topic. I think this is critical. There's not enough thought I think put into a lot of security programs in terms of answering that fundamental question about what is the business of security? I'd given a talk not too long ago that was focusing on this very topic, right? What's the role of security in a business as part of the business and how do you make sure that you're fulfilling that function? The business of security can be distilled down to something very simple, which is security is there to help the business make well-informed risk based decisions. You cannot do that except accidentally, unless you have a deep understanding of how the business functions and what its risks are. 
All of the things that we normally talk about about security capabilities and whether you're being proactive or reactive and how mature you are and all those things, you cannot separate that from what the business is there to deliver. Security is there to provide guardrails for the business. I mean, one of the phrases we use internally is we try to create safe spaces for the business to try dangerous things. And one of the stories I love telling, and I don't know if this story is true or not, but my mom said a long time ago when I was a kid, why spoil a great story for the sake of a few facts? So I'm gonna tell it anyway. When the first cars rolled off the assembly lines from the Ford plant, they didn't have brakes. Brakes weren't added until later because cars needed to go faster and it was dangerous. And so reframing the relationship of a security team to the rest of the business. And I think that's an important thing too, is to realize that it's not, we're gonna do what the business wants to do. It's you're part of the business. You're helping inform those decisions. We are there to provide some structure and yes, people talk a lot about the trade off between security and all the options that people want to do. All the things they wanna do and the way they wanna do 'em. Yes, we are going to constrain the set of all possible options. That doesn't mean that we're not ultimately there to help the business innovate, help it be more agile. We're trying to take away the options that really shouldn't be on the table because they pose unacceptable risks to the business. So onto the second part of your question about security personnel not being business unit SMEs. One of the things that I did as I was preparing for this role at H&R Block, I was brought in three years ago, as a director under a new CISO to help kind of reboot the program. 
I was obviously familiar with the company, just from the sense of there's H&R Block locations all over the U.S. Everybody knows the brand. It's a huge brand, it casts a big shadow. But I didn't know anything about how the internal business functioned, what the split of the revenue was, where the major cost centers were, other than the standard people, roof tops and technology. So one of the things I set out to do was get myself mentors outside of the IT group across the company. I got three or four different mentors from the product side of the house, from the legal side of the house, et cetera. And also looked for mentors from my past that could help me get ready for this role. I'm one person, right? So I knew what I had to do to get myself ready and get comfortable with the business. But the real question is what do you do about your security personnel? And I think that a big piece of this, that's actually pretty damn challenging right now is security personnel are in such high demand, with 500,000 unfilled security jobs in the U.S. alone. The experienced people are in extremely high demand, and there's a lot of churn across the industry. You can't magic up more security people. We have to make them, we have to people in careers. And I think part of that can be solved by a program that Block has put together recently called Accelerate. And the idea is let's open junior talent pipelines to local colleges and universities. It's essentially a paid internship program that brings in people at an associate level, it expects no expertise, no actual experience in the role and works them together as a cohort through several different positions in the company. 
And what you end up with on the other side is you have somebody who's got exposure to the business, not just understanding roughly how the business works, but now has personal contacts in different areas across the business, has a cohort of other associates at the same level that has had the same experience and then can sort of pick and choose where they apply their skills. We've done this for a while with our security operations center, we have a 10 to 12 week onboarding process. And by the end of that, the person knows not only how to do the role, we know if they're going to be successful or not at least at a high level. And we really are hiring for intelligence and people skills at this point, which means all the rest of it can be taught. Those are the things you can't teach. You can't teach somebody how not to be a sociopath. You can't teach somebody.. those soft skills are just a lot harder to pick up than technical skills. Business skills, I think, grow with a person over time. So is it important necessarily for a brand new starting SOC analyst to have deep understanding about how the business works? Well, no, but as that person stays on and works, they're gonna learn some of that just through osmosis, through their peers. But really those understanding need to shape the strategy, the department. And that's my role, that's my director's role. It's our top line manager's roles. Then there's the, how do you get a 360 view of risk? So let's say you understand the business well, you have to look at sources of intelligence. So some of these we create ourselves as we look across transactional data of our different lines of business. I have a fraud team that looks very closely at tax fraud. We use, of course, all the buzzwords, AI, machine learning, things like that to suss out anomalous activity on tax filing, just the same way you would do it with looking at anomalous activity on your user segment of the network for example. 
We also participate in several of the well known institutions or entities that help get you actionable intelligence. So I have kind of a mixed view of threat intelligence in general largely because even if you get to a vertical like financial services, right? There's a huge difference between what a bank does or an investment company does and what H&R Block does. Are there some similarities? Of course there are, right? But from a threat intelligence perspective, a threat actor group could be targeting a bank and it's gonna be irrelevant to us because that's just not what we do. Similarly, if a foreign national or a threat actor group was targeting a tax preparation company that wouldn't be as valuable information for a bank. So we participate in a local fusion center in Kansas City, with the public private interface there, with law enforcement. And we also were the non bank entity to be accepted into the FS-ISAC, financial services ISAC. So we have kind of a two-way flow of data with that group in terms of understanding what risks are out there and figuring out how to tailor those to our particular part of the FinTech and financial services segment. But I think overall, just to kind of wrap up the question, this is a huge problem in our industry, both the technical people understanding how the business operates, what the business cares about, what the business tolerance for risk is, helping the business actually understand what it means to accept a risk rather than mitigate it. And I think getting actionable intelligence rather than just buying a service and saying, well, we've got a threat intelligence service, we're done. Huge problems would have to be addressed. - Is this a leadership issue, or is this a cyber security issue? And what I mean by that is I think that the CISO level, we could all probably agree that the CISO level is really just that almost that politician that works across the business. Handshakes and kissing babies, yeah, absolutely. 
- Yeah, 100%. - You'd probably agree that even any leader, they have to almost work themselves out of a job in a lot of ways. They have to put in redundancies that ultimately are work their way down. Is this an overall leadership issue within the cyber security space? Or is this just more training almost and more process that needs to be put in place in the security team that they need to actually learn and work across the outside of security and work across and work with their business peers? Or is it a combination of both? - I do think it's both. It's definitely a leadership problem. Enough leaders are not making sure that their employees are well positioned for whatever role they're hoping to get in their career, whether it's at the same company or not. For people to advance, of course, there's differences between individual contributors and people leaders. I think in general, if people leaders want to continue to advance, they're going to have to develop some business acumen, whether that's financial aspects, learning how to forecast, how to make budgets, how to do cost benefit analyses, ROIs, all that sort of table stakes, but for the individual contributors, I think it's a little different. I think the key is that for the business to understand that security challenges are actual business challenges, not just technology challenges, this is a two way street. So as much as security people need to learn from and about the business, the business needs to learn from and about information security, it's everyone's problem. And it's not just, we put these people in the cubicles on the third floor, and sometimes we turn the lights on if they've been well behaved. It's not that kind of a thing. It's security getting seats at the boardroom, at the executive table. And to do that, you can't just be speaking tech speak. You can't just be speaking the way we, an infosec team would speak to each other. You have to speak the language of the business. 
You have to meet them where they are. And part of that, when you say is a leadership problem or not? I think it absolutely is a leadership problem. That's where it has to start. We have to set that example. And I hope that my team seeing me meet with legal, with HR, with product, with all different parts of the business, I'm very active encouraging participation in some of our cross-functional group committees, like a diversity inclusion and belonging committee, for example. We're trying to make sure that we have mentorships, both security people mentoring non-security people and other parts of the business mentoring security people. So I think it's certainly gonna be dependent on the business that you're in, your role within the business, but everybody needs to have at least a baseline understanding of how the business makes money and what its view is on risk. Otherwise you're screaming into the void, right? They're not gonna understand what you're trying to do to help them. And actually, you're not gonna understand what you're trying to do to help them because you don't know what they need. - Now, these are certainly important aspects of scale, right? Within any department I think that anybody that feels that their knowledge is just their IP is gonna struggle anytime in the private sector. That's just an aspect of working down to having everything that you know pushed down to your senior leaders so they can ultimately do what you do. And so when they meet with legal and compliance and meet with other business stakeholders, they can ultimately do the same thing. And that's where they wanna go. And I think that those are just important aspects that can scale any department or enterprise for any scalable business. Diving into the second part of your discussion there around intelligence. How do you use intelligence to focus on business line threats? Are there specific to business losing money, right? Not just overall specific industry trends. 
'Cause I think you touched on it, right? Yes, there's threats against the banks or a financial institution. I have to imagine those threats are not exactly helpful for very specific issues of tax fraud, right? Which are so specific, right? And so customer focused. - No, you're absolutely right. I mean that data, it's not that it's bad data, right? It's good to know that there's rumblings of an attack on financial services, right? But how do I make that actionable? What is it that my SOC analysts need to look for? And should we be looking on the dark web for evidence of compromised accounts? I mean, yes, all those things, right? But really when we look at the kind of intelligence that is going to help us avoid events that cause the business to lose money, so I'll give you a concrete example. Tax filing season just opened up. And like I said, we have a tax fraud team and we have switched SIEM providers in the last 18 months or so. Moved to a next generation SIEM platform, a security information and event management platform. And for the first time we started feeding our tax fraud data into that platform because my view is they're all threats, right? And we should be trying to develop the most holistic view of risk and threats that we can. Within the first couple of weeks, we were able to basically diffuse what is a big data problem. When you talk about millions and millions of tax returns being filed. We're much more able now to quickly pick up on patterns of anomalous behavior. And is this something that is human readable? I mean, in theory, yeah. But if you wanna look at a spreadsheet with several million lines in it, be my guest. It's way easier and more effective and efficient to say, okay, we know we've got 50 years of data on what tax filing looks like. So it's very easy having that data to benchmark what actionable intelligence would look like, right? We see this number of returns typically in the first week that filing is open. 
If you suddenly see 10 times that amount coming from an IP range in China, that's a problem. And so being able to flag those things and react extremely quickly to them is where the power of automation and machine learning, and some of that tooling comes into place. I think that's how you get past the general threats. At the same time, information sharing in general, I think is really starting to come into its own through the fusion centers, through the ISACs, through things like that. So if you look at indicators of compromise that get released publicly by law enforcement, sometimes by the federal government or NIST or whatever, or from the Internet Storm Center at SANS on breaches of shared service providers, for example. Once they've identified those IOCs and get them out there, then you can actually take those and make them relevant to you by feeding them into your SIEM, feeding them into your visibility platforms, whatever they are. But I think as private entities, we have to not just be on the receiving end of that data. We have to be sharing what we are seeing in our own instances back out to the community. I don't think anybody on the white hat side of things thinks we're winning. We've been getting beat down by the adversaries for years. I think the problem is, well, there's lots of problems. There's the fact that our adversaries only have to be right once and we have to be right all the time. There's the fact that we operate under constraints like time and money and people and the adversaries don't. But ultimately they can attack any of us. And if one of our competitors, or even just a business down the street that has no relation to our company is getting attacked by the same people, we have no idea. We need to get the threat intelligence feeds bidirectional. So that companies that have large enough mature enough security organizations can contribute back to that and make it better for all of us. 
- Do you think that information security technology is over marketed toward APT threats and those threats they're only really relevant to a certain amount of industries and realistically, a lot of the security technologies under engineered to actually threats that matter such as fraud, such as account takeovers, such as business email compromise, those types of things. - Well, I certainly think that a lot of the marketing is driven by fear. I wrote an article on this about a year ago about it's fear uncertainty in sales, right? Is how the pattern goes. - Yeah. - I think that's right. I mean, I think the amount of focus that gets put on say zero day mitigation. For most companies, like, the bad guys aren't gonna burn a 0-day on you, they just aren't. Those are expensive to develop. And once they're out, they're out. For the kind of companies that are critical infrastructure, critical services, large financial institutions, healthcare, I mean, Red Cross, right? Just had a cyber attack and had 500,000 records or something compromised. And that's a relief agency. So I think the answer to your question is both yes and no. There's certainly a danger in thinking, well, none of that applies to me, right? What do I have that would be valuable enough for somebody to attack it? On the other hand, I do think that we are oftentimes not realistic about what the threats are actually facing us and how likely they are. So, we're headquartered in Kansas City. Could there be a massive flood that took out our headquarters? I mean, anything's possible. It seems really unlikely. It's not being in the center of the country. And so it's things like that, right? That the likelihood of a loss event absolutely has to be figured in. And it's one thing to say that's highly unlikely, but it would also be hugely impactful so we need to have a plan in place. But for things like APTs, I mean, detection is still the key. 
It's been the key that that level of visibility that many places just don't ever get right is foundational to doing any kind of real security. From a detection perspective, if the adversary, I love seeing these stories after somebody's been breached and when it finally comes to light and they make a statement that almost everybody's like, it was a highly sophisticated and targeted attack. Like mm-mmh, was it though? I mean, that's a safe way to say like, well, there's nothing we could have done because it was so advanced. I mean, sure, there are attacks like that, but basic blocking and tackling many places still aren't doing that right. And so, yeah, if you can't detect a standard business email compromise, you're gonna struggle against a well funded, well motivated adversary. - Yeah, threats against the confidentiality, integrity, availability of data systems and networks, right? That's traditional cyber threats. I think what you've been talking but lot, and really is hammered is the other threats around fraud, physical security, even supply chain. Do you think about going outside the firewall to address these threats proactively, I guess, how have you built the system, the machine, the automation that can really handle those types of problems at scale? - I'm not gonna pretend that this is something that I've solved and I don't worry about it every single day. Any security leader with salt has trouble sleeping a lot. We have like over 10,000 retail locations. So physical attacks are obviously a concern. We've architected our information systems in such a way to mitigate the risk of any single location having any sort of a physical event. It doesn't mean I don't care about 'em, I absolutely do. But with 10,000 locations, everything from civil unrest that we've seen over the last few years, particularly to potentially targeted attacks. I mean, there's a wide variety of concerns there. Fraud is a constant problem. 
And of course, what we've seen just in the last 18 months, everything from Kronos most recently, right? Which was not a supply chain attack, except in the sense that so many companies relied on Kronos for their punch cards, right? And if that's a critical service to you being able to like pay your employees, now you've got a problem with your supply chain. SolarWinds obviously was the big wake-up call there. Our board is really concerned about supply chain and third party. We have a pretty robust supplier risk management program, but even until relatively recently, because of the number of suppliers that you're vetting, it's very difficult to build and staff a team where you could be auditing your most critical suppliers constantly. And I think frankly, those suppliers wouldn't put up with that. I mean, if you've ever gone to a big supplier like Microsoft or a Google or whatever and said, "Hey, could you fill out this security questionnaire for us?" They're gonna tell you to go pound sand. So what do we do there? Well, happily, this is an area where we have a process pretty locked down. We know the questions we ask based on the data or what kind of access you're getting. We have very specific criteria that you have to meet to be an approved supplier for us. But I think what's happening in the marketplace is a reaction to this realization of the importance of supply chain security and third party risk and products like Black Kite, for example, not to pick on them but they provide and everything from them to like the SecurityScorecards and BitSight and things like that, where they're trying to provide a continuous view of risk. And we implemented a platform like that in the last year, we loaded all of our tier one suppliers into it. 
And I can tell you when the Log4j thing happened recently, it was so helpful to be able to quickly go and run a report and say, all right, these are the tier one suppliers that are showing as having a Log4j outstanding as a vulnerability, let's go review all the contracts and see what kind of data they're touching, whether this is an actual concern for us or not. And then we can follow up in a targeted way. So instead of treating all your vendors the same, all your supply lines the same, you can actually target based on given threats, given risks. And that means you're being much more surgical in the way you do employ your resources. But as far as the CIA area, I mean, I think the shift for things happening and being important from a risk perspective outside the traditional firewall, that's really been growing over the last, at least the last decade. COVID accelerated that. The work from anywhere movement has accelerated the spread of where our people are and frankly where some of our data is. Cloud services exacerbate that problem as well. So my view for a while has been that we have to focus our controls as close to the data as we can. And what that means now is the perimeter's dissolved. We have micro perimeters, which are really just individuals. So the security barrier is really all the way down at the identity level. So we need to be tracking at the identity level what access looks like, what authorization looks like. It's taken a consolidated problem and made it a distributed problem. There are technologies that are emerging that help deal with this, but it really is a mind shift that was going on in the industry. And it's in the last 24 months, it's become much more real. - Why is supply chain risk so difficult and realistically, in your opinion, how do you solve that long term? I've talked to a lot of security leaders about this over the past six months. And it almost feels that there has to be some sort of democratization, maybe that's the wrong word. 
So, I mean, like, I think words are very important here, but in terms of the SDLC, the software development life cycle, there almost needs to be almost a democratization or tough transparency toward how things are actually going in the build process. And maybe Blockchains is a solution there for the future. What are your overall thoughts on how to solve that? - Well, I think, the one thing that we've learned, the industry has learned from the, like the Kronos outage. Again, that wasn't a supply chain attack, at least to the best of my knowledge, but it certainly affected companies as a key supplier of services. And as more and more services get outsourced, I think we have to think of supply chain as not just, oh, they have some of my customer data. They perform function acts on it. And if they got breached, that would be bad. Now it's really business interruption from a third party getting breached or getting ransomware or whatever, and how that affects your ability to run your business. We're really expanding our understanding of what supply chain attacks mean to us. I think that it's very easy to go down a rabbit hole there that has no bottom. So think back to the Target breach, right? Target got breached via a compromised HVAC contractor, what the hell? Like, how do you, we care about third party risks. So now we need to care about fourth party risk. Well, what about their suppliers? What about fifth party? Like how deep do you go, right? It's like the old, it's turtles all the way down, it's super worrisome. So think about us with 10,000 retail locations. If we do a national contract with a nationwide cleaning company that's gonna sterilize those offices every 24 hours during COVID, for example, now I've gotta worry about that company. I mean, we may vet them out and they may be great, what do they subcontract out to? What do those subcontractors subcontract out to? 
And so I think you're right, there is a democratization because insurance isn't going to help you here really. And we're definitely seeing that in the cyber risk insurance space. I think there is an obligation to vet and validate to a set of standards the people that you directly do business with and also require them to do that with their suppliers. So that's part of our vetting process is, show me what your supplier risk management process is? But that's no guarantee, right? And there are no guarantees in this space. So I think this is a tough problem, and I honestly, I don't know how it's gonna shake out. I think everybody tries to do the best they can here, but you're right, there needs to be either some sort of a global clearing house for this kind of information. I mean, think about we're operating in a country where there's not even a standard breach notification law. I know that's been talked about, I think it's a great idea, but on the opposite side of that is we need a way to be able to share threat intelligence, to share indicators of compromise, to share capabilities and knowledge across the board if we're going to collectively have a chance against our adversaries. - There's a lot of discussion around how best to integrate intelligence teams. Some people think that intelligence teams can't be under the security operations team 'cause they're just gonna care about CIA of data systems and networks. People think that needs to be broader, I guess, like I think you're probably in a very critical role to kind of really see this 'cause you have line of sight into a lot of different issues of where Intel can be valuable. Even just to the security, just the physical security of the offices and even into the fraud issue. I guess what pitfalls should be avoided when integrating intelligence teams with the rest of security and how do Intel teams really need to start thinking about their actual customers? 
From finally that intel sharing aspect, how do those feeds, those services, how do they push those bidirectionally? - In terms of integrating intelligence teams with the other functions, it's really an "it depends" question. I think it depends on the size of the team on what the team is trying to accomplish, the business market segment they're in. But in general, I think that I worry a little bit about threat intelligence becoming the only thing that matters and that coloring the results of what your analysts, what your SOC engineers are looking for if they're only using that intelligence to drive their hunts rather than hunting based on what they know. Because again, that threat intelligence is not indexed specifically to your business, right? This is back to where are understanding the business, understanding the largest business risk, how they operate. If you've got a new product launching that's in stealth mode, like threat intelligence is not going to be helpful for you there. So I think there does need to be some independence of that function just to make sure that you're not coloring your results with it. My view on intelligence is that we should be using intelligence to enrich everything else we're doing. It is the umami of our security stew. It's that extra bit that we can add to make what we're seeing make sense or bring it into sharper focus. I think people can get complacent with sources of intelligence. So the danger with that is I think it is a whole spectrum, but on one end it's we stop looking at it because none of it's ever relevant to us. And the other end of that spectrum is it's so relevant that that drives everything we do. And I think both of those extremes are unhealthy. Obviously your red team should be using it. Your blue team should be using it, but the real value is the intersection of those two teams and what they can do. As far as pushing data back, intelligence back to the community. 
I know there's some companies that are marketing this kind of thing, there's been some standards for years now around format of threat feeds for some levels of success there. I haven't seen the right answer yet. So I think this is still an area where there's a lot of opportunity in the marketplace to come up with a better solution. I participate in a local CISO group in Kansas City. We meet monthly and talk a lot about this stuff. Like I said, FS-ISAC is out there, lots of other ISACs, local fusion teams. I mean, I think all of those things are ingredients, but I don't think we have the master recipe correct yet. - So when you say the master recipe, are you really getting to just picking up the phone and calling somebody, or are you talking about a means of automation and a means of bidirectionality? - I think it has to be automated and bidirectional because if you think about a startup, right? That's 100 people, they are likely not gonna have a dedicated threat intel team. They're likely not gonna have their own red team. I mean, if you have a 100-person company, if you've got a security guy you're probably doing pretty well. It shouldn't only be the richest largest companies that are able to defend themselves, it needs to be everybody. And so that means that is there a shared service out there that people could contribute to in exchange for something? And that at certain sizes, companies could be able to buy into that or take up the service, that intel feeds, whatever. I think it sounds anti-capitalist, right? Because we've spent the money on our tooling and our people on our training and we wanna reap the benefits of that. But I think that's not a winning recipe overall. Like I said, I think what I read was that 2021 exceeded the number of reported breaches from 2020 by the time we got to the end of September. This problem is getting worse, not better.
And so if we keep treating ourselves as individual entities that cannot share information, we can't talk about breaches, we can't talk about threats, how are we expected to get better as an industry? A lot of companies talk about tearing down silos inside and not compartmentalizing data. We have to do this across the industry. We have to find a way to do it that doesn't threaten the confidentiality of businesses, won't be seen by the legal departments as some sort of a like, oh, no, you can't do that type of thing. It needs to be structured in a way that everybody can benefit from it. - So if you ask the current, and not just sit here and get political, but there's certainly a lot of frameworks, a lot of initiatives that come from the government, we can say this, some of them have been good. You look at the MITRE ATT&CK framework, you look at the Cyber Kill Chain, right? There's a lot of things that have come out of the public sector, but of course, coming out of the current administration there seems to be a lot more policies put in place where companies are supposed to come and report certain information and have a certain set of standards. Is that really plausible or does this have to be solved within automation, within the private sector? - And again, no wrong answer, I'm just kind of curious. - Yeah, no. - What's gonna be like the quickest aspect here. - I hesitate to say that this is a problem that government can solve. I think that if you look at our own government security scorecards, they're terrible. - True. - That said, the OMB and the executive orders around Zero Trust, what came out of the NIST framework around here's guidance on architecture for zero. Like that's all positive stuff, that's great. I think that there could be some guidance like that issued around threat intelligence and data sharing. If you think about some of the biggest managed service providers out there are in cloud providers, like, AWS and Microsoft, right?
They have massive amounts of signal intelligence from all their customers. And so if you're a Microsoft shop and you buy into like their E5, I forget what they're calling it now, ATP advanced threat protection stuff, right? You're getting the benefit of signals intelligence across all of their customers. That is, I think one way that the private sector is starting to tackle this problem. The problem is it's pay to play still. And I think we need something that either lowers the barrier of entry for smaller entities or there's some sort of open source, and maybe I'm just missing it here. Maybe there is an open source solution that plays into this. I mean, I know there's open source threat intelligence platforms and things like that. So maybe there is something there that's just not getting the kind of uptake that it would need to be successful. But I think from the policy side, if the government is gonna have a role here, I think there needs to be requirements around breach notification. We probably, well, we're well past the point where we need to have a national privacy law rather than 50 different privacy laws to deal with. And I think that putting a framework like that in place, then the market can respond and help fill those needs. - Josh, I can't thank you enough for your time today. This conversation has been certainly extremely nuanced and has been very helpful and is certainly hopefully helpful to many. Appreciate your time today, sir. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. 
A special thank you to all NISOS teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in day out, this podcast would not be possible. Thank you for listening.