Why Your Insider Risk Program Must Be Holistic: A conversation with Wendy Overton and James Turgal

James: Good afternoon, everybody.
And welcome. We're talking about insider risk and insider threat kind of insider risk management today. And it's really, it's really a constant that I think is as misunderstood by a number of different companies out there. I have a lot of experience from my FBI days actually doing that and, and building, building different programs. But our idea here is to have a conversation by really looking at what, what has worked in the past, certainly how Optiv looks at this and really helping to frame the conversation about, you know, enabling your company to identify, and then certainly mitigate those insider risks in a proactive nature and not just reacting to it. So again, James Turgal, I previous 22 years with the FBI was actually involved with building the FBI's insider threat program and insider risk program. And it was the second iteration of that because we, you know, early on was one of those, one of those situations and I think a number of companies face out there where you have different groups of an organization, different parts of an organization you've got chief security officer in one part of the organization. You then have the it folks in another, certainly in the FBI, we weren't, we were no different. We are an insider threat group that had their own tools and their own you know, methodology. We had the security division that was doing its own thing, and we had it on the other side. And those separate entities really is what, what causes these types of programs to fail. And so one of the things that I think is really important for companies to understand is this is a, this has to be a holistic part of your strategy. Insider risk insider threat is always, I think, mistaken for it's just an insider program. It's just an insider who's, who's threatening the, the organization. Totally not true. I mean, I've, I've worked a number of different cases in my FBI career where that insider was either an insider because they were either, they were intentionally wanting to cause damage to the organization or they unintentionally caused damage to organization. Or they were actually, you know, in one case where the individual became an actual, you know, intelligence officer for a nation state because there were a disgruntled employee and they were groomed by the by the Chinese, in order to, you know, steal data from the, from the organization. So you cannot look at this in isolation, insider can mean both that person who's inside. And it can also be someone who is absolutely placed into the organization by organized crime, by competitors and certainly by nation states. And I've worked a number of those cases. And it should encompass a lot of different aspects of your, of your organization, right? It's it, it's human resources. It is the security philosophy that should go with that. So Wendy, what are your thoughts on, you know, getting started on what companies should kind of think about when it comes to building their program?

Wendy: Yeah, thanks, Jim. So, you know, a little bit about my background, but just to share with everyone here. You know, I started my career at the national security agency as an intelligence analyst working in counter intelligence, counter terrorism and foreign policy have leveraged a lot of that experience throughout my consulting career as well, where I've helped clients think through how to design that holistic, proactive, insider risk program that you mentioned. So at Optiv the way that we try to help a lot of our clients is through that holistic lens. And that's really fundamentally you know, the wave of the future for insider risk or insider threat. There are a lot of companies that still think about it very much from a cyber centric point of view. And of course there's lots of different things from a cyber perspective that we can use to really help from a prevention detection, mitigation, recovery type activity, but there's so much more to it than just cyber and really getting our clients and others to understand that, you know, from the holistic perspective, there's physical, there's general other behavioral activities that you may not be seeing in that logical environment that you need to, you know, really bring into your program and your understanding of that holistic risk. That's really the critical piece in getting people to push their programs forward and become more mature. The second element that I'll share with that with you too about that is really just the from a proactive perspective, you can't be proactive without necessarily understanding the risks that you're looking for and how those behaviors can present those risks. Right? So again, that holistic perspective, if you're just looking at someone's, you know, login activity as an example you know, that doesn't necessarily tell you too much about maybe why they might be logging in it at weird hours, or downloading an inordinate amount of data or something like that. But if you see that, Hey, you know, they actually put in their two weeks notice the other day that might give you a little bit more context and understanding this person actually is doing something that could be considered out of the ordinary from their business as usual type activities. So that's one of the ways that really think about it, but at the end of the day, there's lots of tools and different other, you know, security solutions that you can look at that are very, very helpful. But if you're not sitting back and thinking about this strategically, how you want to incorporate the different elements of security that you already have in place into your insider risk program, and on top of that really understanding where you want to take it and what risks you're really seeking to mitigate. It's going to be hard to really leverage those tools effectively. You might end up with a very expensive tool that does a lot of really cool, fancy things, but it doesn't really help you to mitigate the risk overall. And most, most importantly, it doesn't help you to kind of get left on that spectrum of ideation to execution or action, and really getting more towards that ideation piece so that you're mitigating the risk proactively as quickly as possible. I know that you've had a lot of experience in doing that as well. Jim, I would really be interested in understanding some more about how you've leveraged tools effectively, but also looking at that more programmatic element.

James: No, thanks. And let me, so let's, let me go back just for a second about some of the stuff that you talked about, cause it's really important for everybody to understand the people part of this. You know, we, we talk about anybody who's been in, you know, in cyber, right? We talk about that. Cyber is really more of a I think is more of a people problem, a people issue than a technology issue, right. Right. I've, I've interviewed the Chinese and the Russians and the, and the bad, you know, organized crime threat actors out there, right. They're after, they're after, data they're after after your data to monetize it, right. They're they're the threat actors out there, but if there wasn't that human element, both inside the organization and outside the organization, right? You wouldn't, we wouldn't, we wouldn't have jobs, but we wouldn't be having this conversation because everything would be protected. And so it's, it's really important for any program out there. You have to have what I call buy-in from key stakeholders. You have to have the human relations folks there. And part of the, part of my experience with the FBI was when I was the chief human capital officer for the organization before I became the CIO and, and one position led to the other. And a lot of that was me understanding when we were building our insider risk program and insider threat program about the people aspect of it, right? There's a, there's certainly a technology and a governance piece that you talked about, Wendy, which was the Hey knowing that this individual employee is leaving in two weeks, right. There's a process for that, but it really a mature, insider risk program is really, should really be designed about what are those things that your employees are actually doing? How are they reacting, you know, are there social media aspects out? I've worked a number of different cases where you have individual employees who are disgruntled and they're out on social media and they're, they're bashing their, their employer. And guess what, the Chinese and the Russians and the north Koreans, they actually skim the internet and skin, social media networks for that type of data to see if they actually want to attack that, that company. And so this has to be a, not just a holistic IT program and its cyber program, but it has to be a people part as well because you, you absolutely need the people aspect of this, both inside the organization to understand and to get buy-in because there's a lot of, there are privacy issues. There are certainly culture issues which leads to a lot of different conversations between, you know, employees that feel that, you know, the company, the big brother is watching everything that they're doing and not, you know, not trusting them. And it's, and it's not about that. It's about the employees understanding, you know, this program is there to protect them. It's also there to protect the data, protect the company, protect their livelihoods. There has to be a people part of it. And I think sometimes that really gets lost with certain organizations.

Wendy: Yeah, I agree, Jim. And actually, if you don't mind, there's one key thing that you just mentioned there, which is that it's also meant to protect the people that, you know, we're potentially monitoring in the like. Right. I know that that's really hard to get across to employees as well. And that's where that communication training and awareness piece really and the cultural aspect especially really comes into play. But, you know, at the end of the day, there is a bit of a, kind of a honey vinegar type situation with us. Right. And there are a lot of things that companies can do that tend to be a little bit more positively viewed that can help to mitigate risk on insiders. Right. So I think that's a really important aspect. I just wanted to reiterate that there.

James: No, you're absolutely right. And culture, culture plays such an important role here, right? Because every, every organization, right, the FBI has a particular culture. You know, companies have a particular culture inside them. And, and I have seen a number of different programs, insider risk programs fail because they, they tried to put too many tools, monitoring tools onto their networks. You know, I certainly one of the, one of the, you know, examples and experiences I have as the, as the CIO of the FBI, you know, we were working in insider risk issue. And you know, this is before we had actually put together kind of this as a platform where there were different aspects, right? The, the insider risk guys are off doing what they're doing, and they're looking at particular activities or behaviors of the employees, right. I've got the security division who are employing tools out on my networks when I'm the CIO. Right. And, and you actually, I actually had a situation where we had so many monitoring tools sitting on one particular one particular office and one particular employee's desktop that the guy sitting next to him, right. It would take about 30 seconds, 45 seconds for the, the other guy to boot up his system. And the subject of this inquiry, you know, it took 15 minutes for his system to boot up and they're sitting next to each other right now that's a, that's a failure on, you know, both a strategy level. It's a failure of the tools because they employed so many tools and, and let's face it, right. The, the guy was looking at the guy next to him going, wow, why is your system so much faster? It's, it's lessons like that. It has to be right. It has to be coordinated. There needs to be a platform and, and I actually did, you know, actually design, you know, kind of a platform as a service where we had like a task force environment where you literally have all of the data from, you know, the it network guys that, that are understanding what's normal on your networks. You've got the HR folks who are not giving away any privacy secrets and not giving away, you know, privacy information about employees. But they're able to understand if that employee deal, if an employee's name comes up, they're able to go back, you know, work the issue from an HR standpoint, provide some context to the larger program as to how you know, why, why is this individual even being looked at? Is there any backstory, right? When did, to your point, is that person, did they give two weeks notice? Do they have a history of, you know, are they the, are they the employee, right. Who finds a, a thumb drive out in the parking lot and tries to plug it into the desktop? Right. We've, we've seen those as well. And so it's, it's, it's really having that context about the employee, which is so important to be able to give the tools right. To give the, you know, the actual platforms themselves you know, something to work on and actually actually makes sense, you know, w what are your thoughts?

Wendy: Yeah. I think that's really critical, right? Because if you don't set up the tools correctly, I mean, a lot of people worry more about integrations with data and, you know, all those different types of connections, which of course is, is very critical to the success of the tool, but there's lots of other kind of backend processes and, and thought that needs to go into it, to make those tools successful too, just in how you integrate it across the business. And it's not just looking at it, HR, legal ethics, also the business as well, because that, that culture aspects can be critical to what's business. As usual for one portion of the business may not be in another, they may also be business as usual for, you know, individuals with privileged access versus not with others. Right. And then, you know, another thing that we're seeing quite a bit that companies are struggling with at this point is not only privacy concerns, like you mentioned around global privacy laws that are recently coming into effect, or those that have been established for a little while, but also thinking through you know, working from home and lots of kind of hybrid work models or total work from home models that a lot of companies are having to deal with now and what is business as usual look like in that point? How do you actually protect your data while still enabling your workforce to do the jobs that they need to do? And now that they have to connect to a printer at their house, instead of one at the office, you know, it's simple things like that that are very difficult for you to really put the proper controls in place that you may have been able to restrict more easily before you know, without really hurting that user experience to make it, you know, kind of more IT-focused. So have you had any interaction with clients thinking through what that might look like from this kind of COVID and post COVID type workforce scenario, Jim?

James: Yeah, no, I, I have, and, and certainly, you know, my, my previous life prior to Optiv, I had a number of different engagements and, and certainly a few at Optiv since, since joining and, and one thing that really comes around and it's always been, it's always been an issue with from a cyber risk standpoint, right. Is the whole training and awareness. Right. We, we talk a lot about training a workforce and yes, we do phishing, you know, email training and there's, there's, you know, what we call the habitual clickers, right? Who are out there always clicking the link that they shouldn't. So imagine, imagine now you, you have a situation where all these employees who used to be in, in your brick and mortar building, right. Where you could, you could somewhat control the environment. Right. You could control the networks, right. You could control the ability, you know, of when they got the, the fishing training and you could you know, in some, some certainly mature companies would, would come in and utilize HR tools or, or bonuses or disciplinary action in order to try to stop the habitual clickers. Well, guess what, you know, now those individuals are sitting at their house. They are utilizing their home networks and, and, and home router. And I would, I would virtually bet money that the password on that home router right. Is the word password, and it's not capitalized. Right. and so is you have not only cyber risk issues there, you have this huge training gap. But also, you know, one of the things you and I have certainly worked on together before. But I want your thoughts on is the, the physical security side of this as well, because all too often, right. Again, companies get focused on, well, this is just just as just an insight or some bad employee inside our organization. And it's so much broader than that.

Wendy: It is. And, and with work from home, especially that potential physical element broadens even further, right. Unfortunately we've seen at the workplace still some situations where physical violence has taken place, whether by a current or former employee, just in recent months in the last year. And then of course too, there's potential, you know, now a domestic violence type situations that we have to worry about for people working from home, right. And how that extends, how companies support and, or potentially intervene if necessary is another thing that really gets into that cultural elements and understanding the holistic perspective of insider risk. Because as stated before, it's not just meant to protect the company's assets from a, you know, resources or IT type element, but really also to help the resources is so far as the people element as well. We've talked a lot too about leveraging social media with clients to help understand what is that, you know, outside of work perspective, look like, which nowadays can be a little tricky, especially because of privacy elements, but then also just making sure culturally that you're not setting yourself up to potentially instill further insider threats, because people feel that they're constantly being watched, not trusted all those types of things right. So there's lots of different balances there about not only the physical elements, as far as working from home, and then what we are seeing at, at workplaces that are still in person, but then also thinking through some additional home elements too. Right. but more with that, that physical element one of the key things that a lot of people aren't thinking about as well as, as much as, you know, we hope that this would never happen to any of us, but what are you leaving out? And your family members or visitors to your house, even if it's, you know, someone coming to work on your air conditioning because it's summertime and it always breaks in summertime you know, what are they potentially seeing or having access to as well, and making sure that just like in the office, that you're not necessarily leaving things out for people to see that they, shouldn't not giving people undo access to different areas of your house when, you know, they're coming to work on that air conditioning or something else. Right. thinking about your home office as the office, like you do it at the workplace is really important to you and to your point, making sure that your employees think about as well through training updates and training and, or just, you know, intermittent emails or other communications that help them to think from that perspective can also be really, really helpful as well.

James: Yeah, no, absolutely. And so I want to kind of turn this a little bit more to the, you know, the practical, how, how should they be thinking about this? Right. And so we talk a lot about roadmaps. We talk a lot about that whole concept of operations and it's, and it's a great way to build a strategy, but the insider threat piece needs to be thought of a little differently, because again, it can be an outsider who is trying to access an insider. It is, could be an insider again, both intentional or unintentional, right. It's, it's trying to figure out from your company's perspective, what are those risk indicators, right? What are the things cause, cause I can, I can certainly tell you from experience that, you know, the risk indicators that, that we looked at inside the FBI for our employees are going to be different than the risk indicators that at some private sector company. Right. So Wendy, what are your thoughts on the whole risk indicator piece?

Wendy: I think it's critical to really understand that. And through that also defining the company's risk tolerance as well. Right. another critical element there too is, as you think about that governance aspects is ensuring that you're coordinating with other elements of the company of the business to understand what those PRI potential risk indicators should look like, because you can kind of, you know, derive those from a cyber it perspective and a bit of a siloed manner. But again, is that really going to help you to understand the contextual risks and the, the other risks that could help you to really understand actually this individual should be increasingly elevated because of what else is going on? And what's that another key thing that you know, some of the tools that we've seen do pretty well, others, you know, might be lacking in, or yet still aren't able to do from a holistic perspective is correlating and aggregating that risk and helping you to give that holistic perspective again but really here, what I mean is, as an example, you can assign a certain level of risks, see a weighted risk to inserting a USB into your laptop. You can assign, you know, the same or a different level of risks to visiting some sort of you know sharing website. That's maybe not approved by the company, right. But the two together could show you that this person might be trying to exfiltrate data more so than you would typically anticipate would be, would be typical, right. And if you don't correlate those activities and understand the elevated risk and how they potentially aggregate and add on to each other, that's basically, you're just looking at the same type of stuff that you would be looking at it as SIM or some other logging monitoring type application. Right. So helping to build out in a way, kind of a risk management framework that does that for you and helps your analysts to understand that information more holistically is also critical as well. And something that we've seen a lot of people trying to do to mature their programs. And again, to your point earlier, taking that cultural perspective, a business perspective, my understanding that it's a person centric type issue and potential solution as well. I know you've talked with a lot of clients about that issue as well. Do you have anything else that you've seen that clients have been thinking about from a potential risk indicator perspective?

James: Yeah and, and it's, it's, you know, usually you have of the clients that I've spoken to, the ones that struggle with this, you know, insider, insider risk sometimes is one of those things it's just too hard, right? It's too big. They don't, they don't know where to start. And they certainly from a risk indicator, they don't, they don't necessarily have a mature enough human resource type of program. And there's no correlation between what HR is doing and what, you know, IT and cyber are doing at the same time. And there has to be, usually those are completely siloed organizations. And that's really where the rubber meets the road, right. Is being able to understand, you know, certainly the cyber folks can, can come up with, you know, types of activities and types of behavior on the systems, on the networks that if they then educate the HR folks about, Hey, here's, here's what you should be looking at for, you know, from an HR standpoint of those individuals that you could flag for us that might, you know, show those types of indicators and, and be able to pass information back and forth. And one of the ways I found this to be, to get past the fact that this is just too big to tackle or I too hard of an issue. And one of the things we did at the FBI was to create this pilot program to, to start one building, what are those indicators, right? What should we be looking at? What type of behavior taking a look at, you know, bringing the HR folks to the table and saying, okay, we're going to do this. And yes, our tools, and I've seen many, many tools, tools don't make a program, right. Tools are an added bonus. They provide you with data. But again, this is really like, we've talked about, this is a people centric problem. And, and I've worked just as many cases where you've got foreign nations, nation states who are taking the information from previous attacks like the OPM hack and a number of others and actually utilizing that data that's out in the wild to then target different individuals inside a company inside the government. And so again, inside, outside, right, it's still that threat, but being able to come up with what is that pilot program so that it's not too hard. And one of the key issues that I want to talk about now is, is how do you communicate that to, to an organization because this is, this will, this will either succeed or fail, right? Based upon your your company's ability, leadership's ability to communicate the necessary, you know, the needs of the program that, why do we need such a thing? What is, what is the, what are we trying to accomplish by doing it? What are your thoughts on the communications piece?

Wendy: Yeah, I mean, first and foremost, just understanding where actually your program's going to sit and who's going to be in charge of it. But through that, getting cross business buy-in as to that being the construct and how, you know, really the cross business is going to have governance and really what that governance model looks like is critical too. So to be Frank and a lot of the really successful programs that we've seen doing a lot of that backend strategy, vision, and kind of governance model definition as what really set them up for success and enabled them to then clearly articulate not only across the rest of the business, maybe potentially lower levels, but then especially to the workforce, what it is, why it's necessary and again, how it's meant to protect not only the company, but most importantly, its employees as well with that, to understanding how you you know, wherever the program sits, how you actually integrate all of those other elements and understanding what gaps you have as well, because you may have a spectacular physical security program and your cybersecurity program is really getting up and running and more mature understanding from an insider perspective, what gaps and risks might be present through some sort of assessment or otherwise can really be helpful as well, so that you then understand not only what you have to work with or don't have to work with, but then also you can really use that to influence the other areas that throughout the business, cyber, physical HR, et cetera, to help achieve those gaps or mitigate those gaps and really achieve success and it's not to say that, you know, the business or cyber or whomever might want to close those gaps, right? But then at that point, you understand where you might have elevated risks or, you know, a bigger kind of blinders compared to other areas and can work with that and really move your program around that. But if you don't have that holistic understanding upfront, and more importantly, that buy-in from the rest of the company, once you go out to really share that vision and understand what you have to work with to then move forward it can be really tough to be successful, especially too, if you're having to start out from a more siloed perspective and then grow a lot of times, that can be difficult as well, because you may also have that siloed perspective. It's not to say that you can't expand you can't be successful as you seek to really expand and mature your insider risk program, but it can be a little bit difficult so making sure that you're starting out on that right foot and incorporating that kind of cross business working group for insider risk and incorporating the right people from the start who are not only understanding of what you're trying to achieve, but able to make those key decisions for their area of the business as you're working through, this is critical as well. So to be, to be honest, there's a lot of strategy and governance type activities that people tend to kind of skip over because they do focus as we talked about before on those more technical solutions. And like you said, tools are tools, right. They can be used to support your program, but they're not going to be the thing that's truly going to help you mitigate the risk at the end of the day.

James: Right. And it's just, you know, just to kind of foot stomp, something you talked about earlier, this is about if we throw around words like, you know, employee, well guess what employees are, full-time employees, they're, part-time employees, they're contractors, right. And, and you mentioned earlier, what are the, what is the company's risk tolerance? Well, you should be, you should be having these types of conversations about risk tolerance with different types of employees, right? What are, what do we allow our as far as privileged access management or just data access management with employees, right. Versus contractors versus part-time employees. And now, you know, you've, you, you really need to define that in a very broad way now, because guess what, those people are sitting at home again with their personal routers. And you're, you're, you're not having the ability to control the environment even somewhat, right in a brick and mortar type of setting. And so your, your ability to be be very broad in that discussion and that definition of what an employee is, I think is something that is really helpful for companies, because you need to have different rules for different types of employees, right? When, when you and I we're, we're, you know, government employees, right. We had security clearances and based upon your security clearance, right. There's a different level of access. And I think companies should, should try to understand that it's not just open to everybody and doesn't necessarily mean that every employee, you know, access to everything. And so access management is a critical aspect of this, and certainly being able to understand those, those different rules with different types of employees and the access management piece is really, you know, part of that, that philosophy, part of that bigger picture that you're talking about earlier, as far as that holistic strategy, because you need to account for all of those different types of, of organizational positions and who should have access to what and, and, and why you know, and then, you know, I tend to, to, to bring this full circle, right we talked a lot about the, the people part, right. And the strategy and the holistic part. Right. But there's also, as you mentioned earlier, the, the cyber risk piece, right. Is it risk-based monitoring, is it critical assets, right. Is it, you know, what is the brand protection you know, give me your thoughts on how do how do we, how do we take everything that you and I have talked about thus far, right? The people, the potential tools, right? The strategy, how do you tie in the cyber?

Wendy: Sure. So I think one of the critical elements, there is an kind of in coordination with understanding that risk tolerance piece is understanding what are the critical assets, right? You mentioned asset management, if you don't know what you're really trying to protect, and what's most important to the business, then how do you really know what your risk tolerance is? Typically, a lot of times that ends up being something that sits in the it realm, whether it be some sort of database or a system or software, or maybe data itself. Right. So understanding that will be critical to then not only understanding the risk tolerance and being able to level set that. And then all of the other things we talked about for PRI's, but also where are you need to potentially implement additional controls or additional monitoring or whatever the case may be to help you to mitigate that risk and get it to the level that you feel is tolerable with that too there's lots of different things that, as you're thinking about that risk management framework, or how you roll out a proof of concept type activity that you can look at different, more cyber centric type contextual indicators or other activities to really understand what it is that you want to do from a cyber perspective. So here, what I mean is maybe for that initial rollout and proof of concept, you focus on privileged access users, right? So those individuals, you may think are riskier because of their privileged asset access. And then through that also you're able to then use those cyber tools in cybersecurity, know how to really understand, okay, is this a risk that we can mitigate, whether it be through additional monitoring or additional controls, or maybe even you know, something as simple as new policies or new kind of communication around those policies too, because if people don't know what's expected of them, then how can you expect them to achieve it? right. So there's lots of different elements there that you can look at. Of course, you know, we've talked about the tools aren't going to solve the problem, but they can definitely enable it. So looking at, from a tools, from a cyber perspective, the tools that you have to be able to achieve the risk tolerance for risk level, that you want to there's of course, different things from a controls perspective, a monitoring and logging perspective, and then other lots of other tools that you can use as well to help you get there. What do you already have in place? Have you considered what you have in place to be able to leverage that first, before going out and buying some something else, right? Because sometimes what you have, and maybe even capabilities within that tool that you're not currently using could help you to mitigate that risk to an achievable level, without incurring additional costs and that's not to say that everyone's going to be able to solve the problem with what they already have in place, but those are some really critical first steps from a cyber perspective. So we always try to help people think about, because it can be pretty daunting and it can be hard sometimes to, to get the funding you need when you can't prove that you're necessarily, you know, mitigating risks, because it's hard to prove a negative sometimes, right. But once it does happen, of course, you know, as we all know within security, the money starts to roll in, but at that point it's a little too little too late. So understanding all those different perspectives and the value that it can bring to the company through achieving that risk tolerance or risk mitigation is critical as well.

James: Yeah, absolutely. So as we wrap up here, Wendy, what are the like two, two good takeaways for everybody today, from your perspective, like how to think about this?

Wendy: I would say that the first key takeaway is around understanding the culture, right? So it's not just a cyber culture or culture of the business for, at large the holistic culture of the company and integrating all of those different things to understanding what really makes sense from a tools and people and a process aspects so that as you're implementing your program, whether it be from the starting stages all the way up to really optimizing your mature program, that you're building something that not only mitigates risk, but also ensures that you're not, you know, kind of inciting new insider threats in the process, because as much as it may be easier for us to really just implement tons of different things that make it restrictive and, and make it easy for you to be able to log and monitor that doesn't necessarily mean that it makes the people feel good about working at your company anymore. The other aspect that I would say there too, is really about thinking hard about the tools that you have and the different capabilities from a security perspective overall. And I say that specifically, not just for cyber, but for physical security as well, again, insider threat is, or insider risk is really like a concept, right? It's not necessarily the same type of domains that we might typically look at from a security perspective. And I say that because it, it really combines a lot of the different domains that we typically look at to help understand that holistic risk and a threat. So looking at your program, starting there and understanding culturally what you want to do, and then security wise, what you can do. And combining the two can really help your program get off on the right foot from the start.

James: No, that's really important. And, you know, from my perspective this is, you know, you and I have used this term in the past, right. Holistic and, and, and really, I just want to finalize what, what we really mean by that, right? This is, this is every aspect of the company, right? It's it, it's HR, it's legal, right? It's your general counsel's office needs to be involved in this. It's your ethics and compliance folks, right? It is, it is, the culture is what makes this company is what makes people want to work for your company? You need to highlight that and you need to celebrate that. And you need to communicate to your employees the fact that this program is there to protect them, it's to protect that culture. It is to protect, you know, their livelihood and, and, and to be able to utilize the tools, you know, not to spy, right but to, to make sure that you're secure in both data protection and, and or data loss, and certainly protecting those employees are there that communications piece by far is the most critical aspect of any kind of insider risk program. And being able to bring all of that to bear, right? The coordination of all those separate entities, but being able to communicate that to the employees and really, I mean, this has to be from the lowest level to the highest levels of the organization. Everybody has to have buy-in right from the mail room to the boardroom will boardroom to the mail room. This is really about it's about building trust, not, not destroying trust. So, yeah. So Wendy, thanks again for talk with me today about insider risk programs. And you know, I know we'll have many more opportunities to meet with clients after this to talk further.

Wendy: Yeah. Thanks so much for the time Jim.