Welcome everyone to our Flex Talk webinar, brought to you by Flexential and Fortra. Today we'll be talking about the NIST Cybersecurity Framework: how to protect your data, your applications, and your business. We'll also be talking about operational resiliency and data protection and how NIST plays into that. My name is Boo Verde. I'm the Cloud and Data Protection overlay. Joining us today is Will Bass, the VP of Cybersecurity Services at Flexential. We also have Antonio Sanchez, the Principal Security Evangelist at Fortra. The agenda for today: we're talking about the Cybersecurity Framework and the latest updates that were provided in the 2.0 release. The governance function that is part of the 2.0 release will also be covered. Then, how can the Cybersecurity Framework be beneficial to your organization? And lastly, we'll end with some tips on how you can use the framework in your organization. Then we'll follow up with some questions, so make sure you type your questions in the chat box.

Will, let's start with you. For those not familiar with what a framework is, what is a framework, and what are some of the benefits of adopting a framework?

Yeah. Thanks, Boo, and I appreciate you guys having me here. So there are a number of different frameworks out there. Some of the more common ones are ISO and SOC 2; you see those out there a lot. But there are also some that are more industry specific, like HIPAA when it comes to healthcare. And we also have the NIST Cybersecurity Framework, which is one that's put out by NIST, which is a standards organization. The nice thing about it is that it's public, it's free. You can just go to the website and download it.
So it's a great one, but really the benefit of frameworks is that they're a great way to accelerate your cybersecurity maturity and really help with adoption. It's a good way to understand, assess and prioritize what you should be doing from a cyber perspective to reduce the risk to the organization. It also helps align policy, business and technology approaches with each other when it comes to managing cybersecurity risk. And it's really good because it uses a common language that is easy to understand. So it's one that can go across the entire organization, but also one that can go to customers and to your internal staff as well, being able to have everyone understand what we're talking about when you're talking about the various policies and so forth. So it's a good way to accelerate that journey, use that common language so everyone can be on the same page when it comes to these things. And it really just helps you move faster than if you're trying to do this from scratch, without starting with this guidance. And like I said, the NIST Cybersecurity Framework is a great one because it's free. You can just go to the website, download it and start to use it today.

Yeah, and if I can add on to that, Will. By the way, Will, Boo, thanks for having me today. The thing about frameworks as well is that every organization is somewhere in the evolution of their security strategy. Nobody's security strategy should always be static: "This is what we're doing."
It's constantly evolving and constantly improving, and the framework allows you to add that structure, which Will was talking about. You're adding structure so you're able to track how you're doing, because at the end of the day, that's what the business leaders, that's what the board, that's what everybody wants to know: how are we doing, how are we improving, and how do we know that we're improving? And we're also helping to clarify and define roles and responsibilities for different folks across the organization, because security is a team sport; everybody is involved with it. So in order to be able to improve and evolve, you have to have structure. And by having structure, you can start tracking where you are and track your improvements over time as well.

Great. Thanks for that. I think you're absolutely correct. It's a teamwork project. So Antonio, let's actually dig into this. What are some of the differences between 1.1 and 2.0?

Yeah, absolutely. So Will touched on this a little bit. The original CSF was created in 2014. It was originally intended or targeted for critical infrastructure. So think of power plants, think of water treatment centers, think of things like hospitals: critical infrastructure that's required to keep the country moving. And it was made up of five functions: Identify, Protect, Detect, Respond and Recover. Well, that was in 2014. A lot has changed in the world, especially within cybersecurity, since 2014. So one of the things that they did with the new 2.0 framework is that they added a sixth function. And this is the Govern function that you see on the right-hand side of the screen. And we'll go into a little more detail on what exactly that means.
But the idea is that by adding the governance function, it allows you to define roles and responsibilities and accountability as well. And it also elevates the security conversation, or the security program, to the C-suite as well as to the board. The other big change that we see going from 1.1 to 2.0 is that there's additional clarity. Meaning, in the previous one there was a high-level statement of what needs to be done, but then it was a little vague in terms of what that actually means. So one of the things that 2.0 did is that they added some common language and simple language and some very specific examples of tactical execution, of what that means. I'll give you an example. Let's take Identify, which is the first function. It would say something like: make sure you have an inventory of all your systems. Well, in the new one it says make sure you have an inventory of all your systems, and there would be another section that says this includes IT systems, OT systems and IoT as well. And then it would go a step further by saying you have to have an inventory of what all these things are, and you also have to have a way that you're constantly looking at how this inventory is changing. This is what we call your IT estate; your IT, your OT and your IoT make up your entire IT estate. And it's always dynamic. There are always new things being spun up; there are always things coming down, depending on the organization. So it's putting a few extra layers of specific language and common language so that people know, "oh, I need to go ahead and do this," versus leaving some of that up to interpretation. Will, did I miss anything there?

Yeah, you covered quite a bit of it there. I think the other aspect to this is what they have with these new target profiles.
So really the idea behind these is that you understand, assess and prioritize what you need to do to reduce your risk to the organization. So what these are is, you need to understand, OK, where do you stand currently, and then where do you want to be? That's what these target profiles are, and they come in a couple of different forms. They can be industry specific; you mentioned the water industry earlier, so they'll have a specific one because they have some specific cybersecurity things that they need to worry about that maybe other types of organizations don't need to. So it could be like that, or they can be around specific things like, say, supply chain or ransomware, so that you can focus on: what are the threats, how do I reduce the risk for these specific things as quickly as possible? So take, for example, the ransomware one; that's certainly one of the biggest ones that's on everyone's mind out there. That's going to step through each of these different sections of the framework, all six of them, and pull out the critical aspects that need to be focused on for that. So for ransomware, for instance, that's going to be one that's going to really be focused on user training, because it's usually started with a social engineering attack, for instance. So that's going to be one piece, and it's going to give you those specific details, those specific examples of what you should be doing to help reduce that risk to the organization. But it's also going to touch on other things.
How can you protect it? You should have things like multi-factor authentication in place. You should have security on your email. So it's going to go into those specific areas for these different types of threats, and they have a whole bunch of different target profiles out there, with more coming online all the time. And I imagine that over time, as 2.0 catches on, we're going to see those for a lot of different industries, and there are a lot of different threats out there. Especially as new threats arise, I can see more target profiles coming up over time.

All right, thanks for that. Actually, why don't we dovetail on that conversation, Will, about ransomware, some of the new threats. How does the framework help deal with some of the new threats? I mean, the old framework was 2014, almost 10 years ago. There are a lot of new threats out there in the last 10 years. How does the framework help with some of that? Let me get into AI, ChatGPT, things of that nature.

Yeah, that's really where some of this governance function comes in, because it's understanding: OK, what are those new threats? How do you deal with those? What do you need to put in place to help deal with that? Because you mentioned AI; that's a great one. Obviously that's a really hot topic right now. What threat does that have towards cybersecurity? I think it's pretty clear at this point it's going to help with social engineering, both from a targeted attack perspective but also a more general attack: you're definitely going to see more well-crafted phishing emails, for example. But what are the threats? What are the ways they're going to do it?
That's one that we don't really know yet, but you can take that, understand that threat, bring it through this framework so the organization can evaluate it and understand what you should be doing to prepare for that. What should you be doing from a defense perspective? What should you be doing from a respond perspective when those types of things happen? Supply chain is another really good one: what updates to the policies? What should you be asking your vendors? What should those types of things be? So the nice thing about this is that it's one that's made to mature over time, to be able to bring these in. As target profiles get written for these different threats over time, that's also going to help organizations. But it's a nice evolving framework that's not meant to just be one and done. It's meant to evolve as the industry evolves, because like I said, this has been around for about a decade. Ransomware didn't exist, and certainly supply chain attacks were not on anyone's mind. So being able to have that improvement of the framework, where it's able to evolve as threats evolve for whatever's coming down the pipe six months, three years, five years from now, it's really able to deal with those and help an organization prepare as those new threats arise.

Well, so yeah, Antonio, I'll bring you into the conversation here for the governance piece. Was that specifically put in place for visibility to the board, upper management, private equity? Why was that piece introduced?

Yeah, it's for some accountability; that's why that was brought in.
And by the way, Will, you guys have touched on it: ransomware wasn't a thing in 2014; neither were supply chain attacks. The other one that I'll add that really wasn't a thing back then was platforms. I mean, there were hardly any organizations with platforms out there either. So what do you do with those? And the new 2.0 also provides guidance on all of those things: how to deal with those things, how to address those things. And it also says, you know what, not only that, but there needs to be some accountability, because in 2014 this was targeted for critical infrastructure. We talked about water treatment plants as an example, but it was one of those things where organizations saw so much value in it that they started adopting it as well. So in doing so, they had to ensure that there was some level of accountability, such that people at the board level looked at cyber risk as overall business risk, because essentially that's what it is. It's overall business risk. So by doing this, it requires a higher level of accountability from the C-level and also the board. And it was happening in pockets. I mean, we've all talked to some customers who had very involved C-level and board members as far as what the organization was doing from the cyber perspective. And we had others where that was very much shielded and the cyber teams were insulated. So this is also sort of a forcing function to have people understand and elevate the conversation: this isn't just cyber risk, this is business risk. Because at the end of the day, every organization is concerned about increasing business: it's increasing revenue, it's increasing market share, or it's increasing efficiency. And so anything that could potentially affect that is something that they need to know about, because all of that is basically business risk.
And now cyber risk is, as a result, a part of business risk. And again, it's an evolution as well. So they didn't intend all types of organizations from all industries to adopt it, but they did. So they had to figure out, well, how do we need to evolve this as well? What are the threats that we don't know about today that are going to be out there three years, five years from now? And do we have some flexibility and some guidelines to allow people to deal with those effectively? Because at the end of the day, they all want to be able to keep their business up and running, keep operations running, and get back to operations as quickly as possible in the event that something happens.

Yeah, I like that you started off with the accountability piece. Sorry, Will, I'll bring you back in here. We live in a data-driven world with metrics and everything. I feel like what you talked about with the accountability piece is what upper management is looking for. I don't know, Will, if you want to add on to that piece.

Yeah. You mentioned data. That's exactly where I was going with this. When you're talking about board-level stuff, they want to see data. They want to understand that they're making an investment in cybersecurity, and you want to make sure that they are getting the return on their investment there, which sometimes can be hard in cybersecurity because, if you're doing your job, nothing is happening, which can be difficult. It's like, well, why should we give you more money if nothing's happening? So really it's understanding and having the right metrics. So this governance function talks about KPIs and KRIs: key performance indicators, key risk indicators.
So it's really ways to help measure the effectiveness of the program, to show that that return on investment is happening, to show that, hey, you invested dollars with us last year and we turned around; here's what we did with it. And now here's the reduction in attacks that we're seeing, or here's the increase in the number of attacks that we've caught. Here's the reduction in risk to the organization because of that. Which is a huge, critical function when it comes to cybersecurity: making sure that you have those measurements in there so you can show the effectiveness of the program, show how it's maturing over time, so that you can continue to get that funding. Because cybersecurity really is a journey. As you mentioned, those threats evolve over time, so there's going to be something new that none of us have thought of that you're going to need to get funding for, either through a new tool, additional headcount, or just time for your people. And you need to be able to show that return, show what's happening and show how that investment is paying off for the business and helping reduce risk to the organization.

Yeah. So along the lines of this topic of risk mitigation, risk management, how does cybersecurity policy play into this? If you've got experience with that, I think it'd be beneficial to the audience.

Yeah. So policy is important because policy is really the driver for everything else. If you don't have it written down, how can you go in and enforce it? So that's really that starting level.
So you want to make sure you have a good set of policies that covers everything inside the organization, that accounts for: what are the business requirements? What are the regulatory requirements? What are those aspects there? Make sure that those are communicated to everyone inside of the organization, but also to third parties as well. We've definitely seen a lot more customers asking, what does your program look like? What are your policies? Actually having you send those to them so that they can take a look to make sure that you have a good, mature cybersecurity program. And that drives everything else from there. That's going to drive: what are your procedures to do things? What is the tooling that you're going to have so that you can actually meet what you're saying and writing in your policy? So really that's the key aspect with that, and it goes right along with the governance function. That's really where the policy sits. It's really that foundational aspect that can drive everything else inside the organization.

Yeah, that's great. And Antonio, maybe you've got some experience in this other aspect of policy, which is cybersecurity insurance. I'd love to get your take on that. I feel like that's changed dramatically since 2020 in what the carriers are doing.

Yeah, absolutely. I mean, it used to be, from an insurance perspective, the carriers would basically say, hey, we have some minimum set of standards, and if you have these, then we'll go ahead and insure you. And then all of a sudden they were paying out a whole bunch in ransomware payments.
And then they became more stringent in terms of, hey, we have a minimum set of policies, but that minimum set of policies is the absolute bare minimum; now we're raising those minimums a little bit. So you're required to have multi-factor authentication as a minimum, whereas before that was a nice-to-have. You're required to have some sort of EDR or EDR-like tool for your systems; before, that was more of an optional nice-to-have. Now it's a requirement. It's things like that. Even the insurance companies are requiring a certain level of hygiene just to make you insurable. And organizations are finding that out, in some cases the hard way, because they're seeing their premiums go up or they're seeing exclusions happening. Ransomware is one of them; that's excluded from a lot of policies, or might need a separate policy. But at the end of the day, it's everybody, not just the insurers, but also your business partners, both your current business partners as well as your potential business partners. They want to see some level of security posture that you're taking, and you have to demonstrate that. So Will talked about having that policy and ensuring that it's communicated. Well, he's right, because the partners are going to ask for that as well. It's like, hey, I know we've been doing business for 10 years, but we need to see this from you now, because we have to protect our organization; again, supply chain attacks weren't really a thing 10 years ago, back in 2014, and now they are. So it's becoming much more stringent. People want to know what you're doing. People want to know more about your policy, your security program. They want to know that you're taking steps to protect yourself.
They want to make sure that you have a certain level of security posture and security hygiene before continuing to do business with you, whether that's a partner or whether that's taking out cyber insurance.

Great. Thank you. Let's move on and talk about how organizations are benefiting from the framework. Antonio, you want to continue with your talk track?

Yeah. So we talked a little bit about accountability, which again is elevating it from not just the security team but to the C-level as well as to the boardroom. But the other thing is that since it provides some clarification, some clarity, and it defines the roles and responsibilities, it's able to leave less to interpretation. So people know exactly what they need to go do. It's able to provide expectations for who does what, when, which is especially critical in the event of an incident, where something makes it past your first line of defenses and they're actually inside the organization: who does what, when, and what you do. And again, the language is much more clear. It's been written such that it accounts for the unknowns, the next type of attack that we're not even thinking about right now, which I think we all on this call can agree is probably going to be something related to AI, whether it's the ChatGPT kind of thing or maybe some sort of voice cloning, or who knows what it's going to be. But it does take that into account as well. Because at the end of the day, we're all starting from somewhere. We're all someplace within our security journey, and we want to be able to get to the next level, because we as security professionals need to continue to support the business in their goals. And their goals are things like increasing revenue, increasing market share, increasing demand, increasing efficiency, all of those things.
And we need to be able to support those things, because there's not a single organization out there whose goal is to be the most secure organization in the world. Everybody wants to grow their business, but you also need to understand: where's that money going? Where are those resources going? Where is that effort going? What am I getting in return from that? And tell it to me in business speak, not in the tech jargon or the cyber jargon kind of language. Will, care to provide some additional thoughts here?

Yeah, absolutely. I think that's one of the nice things about this: it's simple, easy-to-understand language so you can communicate with the stakeholders out there. It really helps facilitate, helps get that buy-in from the rest of the organization. So this is one where we have a customer example of a customer that we worked with. They have lots of public-facing websites, and in this case we identified the need that they didn't have a SOC-type service involved. So they needed to basically collect all their logs, have them centrally located, but then also have that real-time 24x7 monitoring of it. So we worked with them. We actually got Alert Logic installed for them, to help protect them from potential attacks. So recently we were actually on a phone call working with them and got a phone call from the Alert Logic SOC that said, hey, we're detecting some Burp Suite activity on one of your websites. So it's one where we were able to jump in there.
We actually pulled in not only our incident response team, but also one of our pen testers, in real time, to help take a look at this. We were able to trace the attack and basically block the subnet that the attack was coming from to stop the attack itself. So that's the respond aspect of it: being able to stop the attack. And then we were able to take a look at it. We were able to determine that they didn't do anything to the server. They were basically just fingerprinting it. They were using Burp Suite to fingerprint it at this point. So they're trying to figure out, hey, is this server vulnerable? Is there something out there that they can potentially get into? So from there we took a look at the server to make sure it wasn't compromised. Luckily it was not compromised. We made sure there weren't any vulnerabilities on the system. So we did some additional vulnerability scanning, did a review of it; like I said, we had one of our pen testers actually take a look at it. The nice thing is we discovered that it wasn't vulnerable to that. So we didn't actually have to recover anything, because we were able to just keep the system up and available and doing what it was supposed to do. And the other aspect is we learned something from this. It's like, OK, hey, we identified a subnet from a country that should probably not have been accessing this system, and we went ahead and just permanently blocked that. We did that in the detect phase and the respond phase, but then we went ahead and kept that block in there to reduce the risk of a future attack.

Yeah, that's great.
I love the real-world examples. It really puts the framework into place. One of the topics I wanted to cover was operational resiliency. Do you have any examples there about a data protection or disaster recovery situation where the framework helps out?

Yeah, the framework goes really well with that, primarily because when it comes to a disaster-type event, it's more likely to be a cyber event than the more traditional DR event you might think of, like a natural disaster or a fire in a facility, those types of things. So it really goes hand in hand with that. So having a good DR plan, making sure that your security team and your DR team, if they're separate teams, are working together on these things, combining that incident response and disaster recovery aspect, having that overlap is really important when you're talking about recovering. Let's use ransomware, for example, because that's the most likely cyber event that's going to happen. So from that aspect, we've seen customers out there that have had to do this. It gets past their defenses, the ransomware has now been released inside of their organization, and now they're into that recover phase. So what we're seeing is that most organizations that have recovered from an attack like this have needed to use more than just their backups. That's been the traditional aspect when it comes to recovering from that type of attack. And so being able to use your DR, for instance, to be able to cover that.
So if you have a good, robust DRaaS-type solution, for example, you could recover your environment. We actually had one customer that did this. They got attacked. It was a bad attack; it got all throughout the organization, but they were able to recover all of their critical systems within four hours using their DRaaS solution. The nice thing is that you can then have that run in a separate environment. So, to back up a little bit there: once you understand, OK, here's the point of attack, here's where it started to happen, you can then recover from before that point. So they were able to get back up and running within four hours so that their production environment, their customer-facing environment, was up. That gave them the time and the breathing room to make sure that the bad actor was ejected from their environment. And then after that, it also gave them time to use backups to recover their other systems that weren't as critical; maybe these are some of your internal systems, your dev systems, those types of systems. So using that type of solution really helps, certainly from a respond and recover aspect, where you can recover from some sort of an event very quickly and make sure that the organization is able to keep functioning.

Great. Thanks for that. Let's go on to our takeaway slides. Where does an organization begin? Is there sort of a headcount or resources or dollars gap analysis that's performed? Where does someone begin in adopting this framework?

Yeah, I can start here. So really where you want to start is with that gap analysis.
So it is understanding, OK, where are you from a current cybersecurity perspective, and then determining where you want to be. You can use a target profile for this, for example, and understand what the gaps are and what you need to do to reduce them. One thing I will say is that for most organizations it's probably going to take at least 18 months to really mature the organization and get you to where you want to be as a first step, and there are a couple of reasons for that. It takes some time to do this, and a lot of the time the solutions require budgeting, so you usually have to go through a budget cycle to get some of those things. But the nice thing about doing it this way is that you don't have to wait for that to start reducing risk to the organization. You can take a look at those gaps and start to prioritize them, and that prioritization can be based not just on what the risk to the organization is, but on how much time and how many dollars it takes to actually do something about it. So the nice thing is you can say, hey, some of this is just that we need to write some policies, we need to do some user education; that's something that takes a little bit of time but doesn't necessarily take a lot of dollars. The key here, too, is to keep constantly reevaluating where you are. So you want to take a look and say, OK, we've done this, here's what we did over the last 12 months, for example. Let's go back and assess ourselves again and understand where we are.
It's also a good way, as we mentioned, to give that data and information to the board and show that progress: what did you do, show them actual data on how you did it, but then also identify what has changed. Maybe there's a new threat, maybe AI has evolved and we now know of a new attack vector that AI is going to help with. So bring those in as well, go through this, and understand where the gaps are and where we need to focus our time and resources to keep that maturity journey going, because it is a constant cycle. There are always new threats, always new challenges, always new things coming out. So continually go through that to make sure you're consistently reducing risk to the organization and evaluating where you are.

Yeah, and if I can add to that as well: always ensure that you're talking to the business leaders and understand the drivers and objectives, the long-term strategy of the business. As an example, if one of the long-term strategies of the business is to enter a new market, it's important that you know that, and important that you understand the potential risks or things we need to think about in entering this new market. What are the things we're going to have to demonstrate? What are the new partnerships we may have to forge to enter that market? And what are those requirements, especially if it's a highly regulated industry? That will also help inform the prioritization of the things you need to go do, and it will also help when you need to go and ask for resources to be able to meet that.
You say, hey, we want to enter this market, which is going to require us to do this, this and this, and in order to do that it's going to require this headcount, this budget, this tool, whatever the case may be. So always make sure you're talking to your business leaders and understand the vision and strategy of the business.

Two other quick things came to mind. One is that there's a great reference tool, the CSF Reference Tool, out there on the NIST website. It's a great one to take a look at; that's where a lot of the implementation examples are located, to help put the framework into the common language we've been talking about so you understand what it is. The other thing is, you don't need to do this alone. Our organization can help other organizations, and others can help too. So if you need help getting this moving, understanding where you are, and determining where you want to be, you can bring in outside experts to help accelerate your journey as well.

Great, thanks for that. Let's move on. As a reminder, please enter your questions into the chat box; we'll be getting them answered in a few seconds. I also wanted to highlight that we have a white paper out today, Accelerate Your Cybersecurity Maturity Journey. You should see a link in your chat to download it directly, or from our website. The other thing I wanted to mention is to make sure to download Cybersecurity Framework 2.0 from the NIST website. And lastly, make sure to reach out to our Flexential Professional Services team so they can give you a better understanding of how you can accelerate your cybersecurity maturity. All right, let's move on to the questions now. Let's talk about some of the questions we have here today.
The first question that typically gets asked is: will the session be recorded and sent out? Absolutely. We will send this out within the next 24 hours to everyone who registered. We've got a couple of questions that have come in; let me take a look at some of them right now. The first question is: I expect my management to ask me what precisely the benefits to the organization are if we redirect resources to implementing and managing this. Antonio, do you want to talk about some of the benefits of implementing such a security awareness program?

Yeah, sure. At the end of the day, as security professionals, we're all looking to improve the security posture of the organization, because a solid security program is going to reduce the risk that some sort of attack will cripple the organization, and that's something no organization wants. Your senior leadership and your board of directors are thinking in terms of things like business growth: increased revenue, increased demand, increased market share, improved or more efficient operations. You don't want to do anything that's going to potentially interrupt the business, but it's important to communicate to them in those terms. At the end of the day, you're trying to identify weaknesses, areas that could be compromised, and have protections in place for those particular attack vectors. And if you do get attacked, you want to be able to demonstrate that you can contain it, recover fully and quickly, and get back to normal business operations.

Great, thanks for that. The next question is: we've already looked at the NIST 1.0 framework and it was determined that it was too much effort. Is there anything in the 2.0 version that can reduce the lift, or any changes in it? Will, do you want to take that one? Yeah.
It's still going to be work. There's no way to implement a security framework without putting in some work, effort and resources. But they've definitely brought some improvements with 2.0 that should make it easier. One of the aspects is the profiles, which really let you do this in an incremental way. You can identify what some of the bigger risks to your organization are, attack those, and do it over a longer time frame, especially if you don't necessarily have all of the resources or people time you need to do the whole thing. It's like the saying, how do you eat an elephant? One bite at a time. So you can use aspects like that to help build it over time and improve it, and every time you make a step in that direction, you're reducing risk to the organization. And then also the reference tool; that's a great tool as well, especially with all the real-world examples. It breaks it down and puts it into plain English, which really helps it become a little more consumable. I think with 1.0 a lot of organizations struggled with, OK, I see this here, what does it mean, how do I do this? The reference tool is a really good one to help put it into terms people understand and give those examples, so that it's a little easier to understand and implement inside your organization.

Great, thanks. There are a couple of questions that I'll try to sum up in one. We're a small organization; we don't have the security personnel, the resources, the staff on hand. Where do we start? How do we go about this?
What's the initial phase of this? Antonio, do you want to take that?

Yeah, sure. It's something we hear a lot, particularly for organizations that might be in hyper-growth mode, or maybe they've just jumped from seed funding into the next round of funding. Somebody within the organization has some level of responsibility. I could argue that security is everybody's responsibility, but typically somebody is going to take the lead on something like that, and there are things they can do today to ensure that they're able to go through the steps and implement this. The best thing is that you can do it a little bit at a time, take it in small chunks. You don't have to do it all at once, because at the end of the day the goal is to be in a stronger security posture six months from now, a year from now, than you are today, and you want to be able to track toward that. So you're definitely going to get leadership buy-in for it. But you don't have to do it by yourself. There's a lot of expertise out there that can help, including Flexential. There are resources available to you, because at the end of the day, as security leaders, you're supporting the business with its growth objectives, which again ties back to increased revenue and increased margin. Get help where you need it.

Thanks, Antonio. I've got a couple of other questions; I'll see if I can summarize them into one. I've been in an organization where we're adopting a lot of these frameworks, and there's a challenge with the maintenance and management effort long term. Is there any reason to think this one will be any different?
There's obviously a lot of resources, time and energy put into maintaining some of these frameworks. Will, do you want to take that? You've got experience with it. Is 2.0 any different from some of the other frameworks you've implemented?

Yes. Some of the other ones have a 2.0 as well, but really with 2.0 here it's around the Govern function, which really helps with that from an executive standpoint. If you get the executive sponsors involved and bring them in as stakeholders, that really helps get them engaged with it, and you're more likely to have success if you have that engagement from the senior people inside the organization. That can help propel it over time, help with the improvements and with buy-in from the whole organization when it comes to funding, making sure that you're getting that funding over time. So really, that's the key, and that's the whole point of the Govern function: to educate the senior leaders in the org and make sure they have that buy-in and want to see this through and reduce risk to the organization.

Right. As a follow-up, one I've got here is: we've been doing this kind of ad hoc. Is there a way to come in and take a look at this programmatically, like where are the gaps we have? How do you recommend somebody goes about it when they've done pieces of it but are missing other pieces? How do we go about taking a look at that from a holistic approach? Yeah.
This is really where you want to do that gap analysis: come in and ask, what is our current profile? Take a look at that, sit down and determine where you want to be, what that future state looks like, and then do the gap analysis on where the holes are inside the organization. From there you can prioritize, and you can do that in a couple of different ways. It could be based on what the bigger risks to the organization are, which is going to vary some by industry. It could also be based on how much time or how many dollars it takes to do something, because if it can be helped by just writing a policy or pushing out a GPO, those things are fairly low from an effort and cost perspective. But if it means going out and procuring new security tools, those types of things might be a little lower on that scale or might have to go through a budget cycle. So do that gap analysis, understand where the gaps are, and then do the prioritization based on that information to figure out where the organization should start to reduce risk.

Great, thanks. I think we're about at the end of the webinar. Will and Antonio, I really appreciate your expertise and insights on this topic, especially during Cybersecurity Awareness Month. As mentioned, make sure to check out the links for the additional content we provided, and thank you for attending this FlexTalk. Thank you. Thanks.

Protect your data, applications, and business with the NIST Cybersecurity Framework 

With cyberattacks being so lucrative, there continue to be new and greater threats to organizations. While the direct costs of responding to and recovering from a breach can be expensive, the indirect costs of lost and stolen data and of downtime can create an existential crisis for a business.

"83% of breaches involved external actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches." (Verizon, 2023 Data Breach Investigations Report)

Organizations must continuously advance maturity in risk management, cybersecurity defenses, detection, response, and recovery capabilities to protect their data, operations, and their continued existence. But how?  

Organizations without an experienced, fully staffed cybersecurity team need guidance to build and maintain these capabilities, and a best-practice framework for organizing priorities and activities on an ongoing basis.

NIST first published its Cybersecurity Framework (CSF) for Critical Infrastructure in 2014. NIST has now published CSF version 2.0, which provides more implementation guidance and addresses organizations of all sizes.

Attend this FlexTalk to learn more about how the NIST CSF can support your cybersecurity program and the value of the new additions in CSF 2.0. We’ll cover: 

Who should attend: