Hello. Good morning, good afternoon. Good evening from wherever you are joining us and welcome once again to this talk on this, uh, rather early this week. It's a Tuesday. I know it might feel like Thursday, but it's actually a Tuesday for, uh, today. But we do have a great session, some wonderful panelists. We're going to be talking about cyber resilience, your last line of defense. Before we get there, uh, I must remind you all of the awards of a nice talk mug for the best question, the funniest question, the toughest question. The one that makes us laugh or cry the most. Uh, I'm once again traveling, so I don't have my nice talk to show you, but imagine it. It's a white mug. It says nice talk on it, and they are collector's items, I can tell you that right now. Uh, so please do use the chat function, which is around about there on your screen, to send a question to our panelists, and we will do our best to get to it as appropriate. So now let me, uh, welcome onto the stage, please, Heather, Raza, Sandra and Grant. Hello. Welcome, everyone. Hello. Heather. Hey, Tom. Pleasure to be here. Uh, be here again. I mean, you were only here last week. In fact, not even a week ago. Um, so. Welcome back. Raza. Welcome. I believe this is your first time on an actual nice talk during the week. Is that correct? No. I have been on one before. When you've been on ones in the conferences. Right. Conferences and one about three years ago. Oh sorry. That was before my time. It doesn't count. Uh, and. Sandra, welcome. Hello. Hi. Welcome back. Sandra. Lovely to see you. And to our sponsor, Grant. Hi there. Welcome, everybody. Thank you for inviting me, I guess. Yeah. Well, um, thank you for sponsoring and making us invite you. Uh, it's very much appreciated. Thank you for this week's tea and biscuits. Right. Um. God, someone's already started. Quick question. Can someone get Tom a razor? I mean, come on, it's not good, is it? It's not a great start, really, is it?
Uh, let's go right on to the news item. It's, uh, from the Cyber Magazine publication, and the headline reads "Inside the UK Government's Cyber Security and Resilience Bill." Now, I took a, you know, a look through this, obviously, in my preparation. And one thing that really stood out for me is it said that between 2015 and 2019, it's assumed a full four years, cyber threats cost the UK economy nearly £22 billion per year. Uh, so that's what, £88 billion over four years. Now, as the, uh, owner of the UK economy, it's taken until now, another five and a half years later, for the government to actually put a bill together. Is this, um, just the government being slow, or is it the government actually saying this is not our problem, it should be the individual companies' problem? Um, I think they started off thinking it should be the companies' and individuals' problem. Now they've realised that they need to bring a bill to put focus on it. Because, you know, companies have gone in lots of different directions. And I think actually there was a stat that the UK government published which said that last year, 2024, 70% of companies had a cyber attack and a lot of those were breached. So I think it's about time that the government started to put guidelines and a framework together, from my opinion anyway. Yeah, I think from a, um, you know, from a government perspective in terms of sort of regulation and bills and all of that type of thing. I mean, if you've got a market, you generally think from a resilience. So providing services to the citizen and you're generally better off having, you know, a buoyant market competing against each other to promote the investment in it. It's only really when that market begins to fail, whether you've got large monopolies or you've got stress concentrations, that you really need to start getting in the, you know, thinking about the regulation. And I think that's really where we've got to ourselves now with people moving to the cloud.
Going down to, you know, just a few of the large sort of hyperscalers, then, um, then we're starting to get to critical national infrastructure levels. Um, and so and I think that's really, um, you know, the point that we got to. Up until this point, the market was fine. It was working. People were investing. They were protecting themselves because they had to. And I think we just hit that turning point. You know, that point of inflection, um, where we need to, you know, reassess it as critical national infrastructure. I agree. It's really interesting. Go on, Heather. Sorry. I was just gonna say, I think it's really interesting when we think about the role of regulation and the government setting the standard for critical national infrastructure that drives action across the economy as well. That stat that you quoted, Tom, I think that's critical when we think about what we're doing as cybersecurity professionals and resilience professionals; it's really contributing significantly to the economic security and economic resilience of UK plc. And I think those figures are extremely impactful when we reflect on the cost of cyber attacks to the economy and the importance of the mission that we all have. And I think this particular bill is obviously focused on critical national infrastructure, but it will drive broader social action as well in the way that regulation often does. And so I think it's very welcome at this point in time. And it's a critical juncture for the cybersecurity industry and for resilience professionals. Yeah. Raza. Yeah. No, I was just going to say just agreeing with everything that Sandra and Heather just said. I think it's also a matter of timing. Going back to what Sandra's point was, if the government had reacted too early, it wouldn't have been as relevant.
And I think with the geopolitical situation that we're facing, it's becoming more and more relevant and interesting to make sure that companies are doing the right thing, because we are seeing that it's right in your face. So it needs to be relevant and therefore hence useful to have a regulation that actually helps people out as opposed to just putting a restriction on it. So I need. And I think that's the right balance that the government has done. So I totally agree. I mean, we're in good company. Oh, sorry. Do go on. I was going to say we are at that moment where we can, you know, we have got the tools and technologies that enable us to shift from reactive to more proactive approaches. So I agree entirely with the point that Raza is making about timing and the, you know, the best time is now. Yeah. But sorry, it is a bit of a double-edged sword now. I mean, I have to sit there and, you know, having worked for a company that did have data centers, to hear that data centers are now going to be part of the critical national infrastructure. Having also spent a very long time working for parts of the critical national infrastructure, once you have that label, you don't half feel as if you've got a target on your back. Yeah. Because you're advertising to the world, um, some of which might want to attack you, um, that, um, you know, you're critical to the nation, um, and, uh, you know, that really focuses the attention, I think. You know, when you're, uh, when you're trying to look after it. And sometimes not in an obvious manner either. It's not you're not water or power or something. You're a couple of lines down the chain as well, but you've just advertised how critical you are. Therefore. Um, but talking about timing, I was going to say we're in good company with CNI regulation in that the EU is just pushing out NIST two at the moment.
Obviously, that's on the heels of NIST, which came in, you know, a number of years ago, albeit this was, I wouldn't say not successful, but it's not exactly set the world alight, or rather the EU alight, with fines and actual action. I couldn't find any example of any organisation that was fined any kind of significant money under NIST, even though the regulations were breached on a number of occasions. Um, so, uh, but nonetheless, it seems like the EU is, uh, acting at around about the same time as the UK government in tightening up and broadening the scope of, uh, the CNI, uh, the scope of those in CNI and those who are covered by it. Yeah, this is an interesting one, because at least it starts to bring commonality of standards and reporting and things like this. And I think part of the problems we've had with cyber resilience and security before is a lack of requirement and standardization around reporting, because if we keep hiding what's been happening, nobody gains the benefit of that. And the threat actors just gain the positivity of it because they're making money out of that. So I think the kind of release of these, you know, of more guidelines around that, more on the reporting, I think makes a massive difference. And of course, it's a European thing. But let's face it, you know, most of the companies that I talked to have European entities as part of their, you know, their UK organisations, so they have to apply to it, you know, or sorry, adhere to it anyway. So I'm always glad to see these frameworks. And for some companies they don't have a big security department. They need help and guidelines to help them get through this as well. So it's, you know, it works kind of for both large companies all the way down to small ones as well. And I think moving beyond that compliance focus, we should all be thinking about how we can build resilience in our organisations.
And, you know, regulation can't keep up with evolving cyber threats. And so I think regulation is important. Frameworks are important. But we all need to be thinking anyway about the services that we provide, the processes that we support, and how we can respond and recover and learn from attacks and breaches when they inevitably occur. And I think it's the culture. Going back to your point, Heather, having that culture and organisation that, you know, raises their hand when something has happened. But it's not just when there's an attack. But generally there should be a muscle reflex that allows people to talk about other incidents that happened, but they should be an internal incident issue. Um, raising of the hand as well. So I'm just going to this question which is on the chat. Um, the difference between resilience and recovery. So my immediate reaction to that. Well, resilience is really how you plan it all out, where you identify your vulnerabilities, your vulnerable points and mapping of all those things and having a framework that actually works. Um, and then the recovery side of things, a lot of it is how do you play that out? What is your playbook? Do you have a playbook? Are you working to your playbook? Is that playbook addressed at least twice a year? So those are the kind of things that I would think of. I don't know what your thoughts are. I tend to look at it slightly differently. I tend to look at, you know, from a resilience at the organizational level. Tom, sort of like rolling his eyes, and he would think of it like crack on. So at the top level, I tend to think the organizational level, because resilience can exist at every level of the organization. The individual people are going to be resilient because they can deal with stress. Teams can be resilient because they can absorb and adapt, departments, business units, technology, blah, etc. And so I think it is all about that, anticipating that something bad could happen.
It's about putting measures in place to prevent stuff happening. It's about responding when those preventative measures fail. So we talk to, Heather talked about the defense and offense. Um, and then it's about adapting. And it's about learning. And that requires a whole, um, sort of organization. So, for me, resilience is the whole thing. And recovery is just, um, sort of that one part of it. And I think also, coming to playbooks, it works, I think, in a certain, if you have the, say, like technology resilience where there isn't. Well, we've got AI coming in, but there isn't a controlling mind there. Um, so you have to build in. It's done with things like redundancy, duplication, all of that. And therefore you have a normal response. But an organisation is a socio-economic thing that is, you know, powered by technology. And in that case you can think your way out of it. And so that's where you need that innovation and knowing. So it's not about just planning for things that, you know, it's being ready to be able to respond and adapt to things as they appear. Yeah, I would agree with that. I think that's such a critical point. So being able to grow and to learn through unexpected events, I think that's absolutely critical. And I really like your point where you were touching on the positive security culture that we need as well to support this. Often people are your first line of defence within an organisation. So having people, and, you know, raising concerns or speaking about events before rather than, you know, waiting for major attacks to occur, can be really helpful in helping to build that resilience within an organization. And I think, as Sandra says, it starts, you know, you've got, you can have resilience at multiple levels. You've got personal resilience, you've got leadership resilience, then building that organizational resilience. But it's not just about recovering from cyber attacks when they inevitably recur.
It's being able to withstand and adapt, continue to operate, learn and grow, and do that in a way that maintains trust, because it's, you know, for a lot of organizations, it's about continuing to foster trust with their stakeholders and with broader society as well, particularly where they're providing essential services as in critical national infrastructure cases. Mhm. Yeah, I kind of agree. And so the kind of point of cyber recovery, the last line of defense, the answer is yes and no. I think, you know, it's a component of it. But equally there's the challenge of when do you recover, how long before you can recover? And there's a whole time element from a technology perspective and from a business perspective that you have to focus on as well. Because today's protection mechanisms that I see, and I'm talking from a technology standpoint on recovery, they're still the backup that's done every night and the business recovers from that. Well, that's up to 24 hours' worth of lost data that the business then has to try and patch together and reestablish or rebuild. So detection, and accurate and fast detection, of an attack means you're in a better position to then have better recovery mechanisms. So, you know, the last line of defense is a combination of things. But you're right in the sense that technology is only one component of a strategy. You know, it's actually more than that. It's the people, it's the business. It's the SLAs that the business requires that have to flow through to everything that sits underneath. So there's a lot of components, and I don't think yet we see a good holistic set of guidelines and strategy. I think what the government announced helps, but I think there's still a lot more work to do in getting people to recognise that everybody within the business and, you know, is part of this kind of solution and answer, I guess. And I think, I think that's weird and sorry, I was just going to say that's where the security leadership. Sorry.
Just to say that's where security leadership and governance comes into play. So having a security strategy supporting the broader business strategy is critical. And I think if I were to summarise what this conversation means to me, it's shifting from a reactive to a proactive approach. So it's having that security strategy supporting your business strategy, and where security is really a partner and enabler to the business. Yeah, I was just going to pick up on the recovery bit because you're talking about recovery. Um, we often suggest that we're going to recover back to where we were. Um, but there's no point in recovering back to where we were just to get hit down back, you know, back again. You've got to have that learning there before that happens. Oh, yeah. I'm back. Somebody else has attacked me. It's burning up. And so we've all focused, you know, things like, um, you know, a real key pillar of resilience. It's just a pillar, but it's just, you know, along with the security and all of that. The business continuity has been historically about getting back to where you were. Whereas nowadays we have to get back to where we want to be, where we're more resilient. Um, and change management. Yeah. No, I agree. I think management. But I think the other point that Grant raised, I just want to go back to your point, Grant, is the components and supplier risk that we're not. We need to consider that. And I'm sure we all do. But that is a key component of the things that can go wrong. And we must have much better due diligence where suppliers are concerned. We must have a, especially where critical suppliers are concerned and the critical infrastructure. Yes, absolutely. But then we have critical suppliers within that infrastructure. And are we talking to one another in the most honest and transparent way, and where those challenges are, have we addressed those challenges in a nice professional way? So. And that's an area that we need to be mindful of.
So when you talk about substitutability we need to really think about, so what does that mean, and what will the cost be to the firm when you think about substituting one for another. And I don't know what your experiences are, to the panel. Just want to get, I think, everybody's views on that. If we were to think so, I think supply chain security and supply chain management is absolutely critical. I think if we think in broader terms, whether it's the cybersecurity framework or whatever framework we're using, respond is one function. And absolutely to Sandra's point, you know, we need to be able to grow and, um, you know, and really raise the bar through each adverse experience that we have. And supply chain management is absolutely critical when we think about, you know, building resilience from a security leadership perspective within an organization; it doesn't stop at the boundaries of the organization. So similar to zero trust architecture, when we talk about network security and, you know, the old inside and outside paradigms, um, being replaced, when we think about supply chain management, we've got to think about building resilience across the ecosystem. And that includes our suppliers as partners. So working with our suppliers as partners and helping to, you know, to build resilience across the entire ecosystem. And that can extend, particularly for critical national infrastructure, that can extend to regional resilience, to national resilience. Even so, you know, thinking responsibly about, um, all of our partnerships and connections, I think is really critical. And understanding our supply chain, Raza, as you say, is often where it starts. And that's often the challenge. Yeah. And I think your point, partnership, is absolutely the key term.
So, in the olden days when we had, um, you know, people supplying us on a supply chain and we were saying, how do you make your supply chain resilient, or we'll have multiple people doing that, and that really we've got to change that mindset. Um, because, um, you know, it could be us that's in trouble. And so and if we've just got that arm's length relationship with them, they'll drop us like a brick. Um, and so therefore, what we've got to start to do is to, is to start to build those and share the risks. Yeah, exactly. Heather's point, you know, we are now an ecosystem. Absolutely. And so we've got to be, to Raza's point, transparent. And Grant's point is to understand, uh, you know, the whole picture, uh, and work together, and that that's, um, that's a different, difficult cultural change. Um, you know. We were individuals and we were just contracting with somebody. And if they didn't do anything, then we, you know, penalized them. So interestingly, I mean, when GDPR came out as a regulation, they pushed that responsibility down through your supply chain so that it wasn't just your company. You had to meet GDPR. Your suppliers had to also meet those regulations and had to prove to you so that you could prove to your regulators that you could do that. Maybe we need something that actually pushes that same level of responsibility from a cyber security, cyber resilience capability, so that organizations have to prove to the ones they supply that they are meeting, you know, NIST, for example, if that's the framework that you do, but whatever it is, but we don't have that level of responsibility here. I think it'd be quite interesting to see that come out as something that would help build that, you know, that tower of responsibility. I suppose that's the word. But it's interesting that GDPR had to come out to drive the conversation around the supply chain, because prior to GDPR, and let's face it, it's been, you know, eight years ago now. Nine years ago.
Yeah. Um, prior to that, supply chain wasn't really a hot topic in our industry. And it took a piece, you know, I, yes, we would maybe look at the top, you know, our immediate suppliers, the ones who were connecting to us, but we didn't look at the chain at all. We didn't go any further. Really? Um, it was only when it became enshrined in legislation that we found ourselves driven to address the entire supply chain, or at least as much of it as we possibly could. So I think. That's true, Tom. But we also had major supply chain attacks that raised awareness. Yeah. And I think, you know, what we want to do here is to get ahead of the game, to be more proactive without needing those major examples. Yeah. I was going to say it makes me show how old I am. But for 30 years I always was, as part of business continuity and business analysis, we've always had to, being part of the financial services, we've always had to look at the critical suppliers, but also their own dependencies. And plus a lot of the banks that I worked for at the time were investing in some of these startups as well. So we wanted to make sure that they were fit and proper to deliver services because the regulators are not very forgiving to the financial services sector. So maybe. Yeah, it's a different and the same thing. What I want to just sort of elaborate on today, what I see is artificial intelligence that, um, that Sandra just mentioned. So we are fintech and we use AI quite significantly within our, in our offering. And what I love to see is the model governance side of things and how that's shaping up and how we're connecting with our data protection officer and doing data. The DP, um, you know, the DP assessments and so forth. So I think impact assessments, and I think those are really important to understand. How is data governed and how is data managed within these models.
And I think we need, that's the next sort of area of what we'd need to create more resilience around as well, so that when you're using these kind of, these tools, and they become more and more, they become more embedded within the culture of the organization. We need to understand that, and we need to unpick that and make sure that is properly addressed. So there's a question. There are often, sorry, there are often governance frameworks that already exist in organizations. So, you know, data governance, many organizations are already somewhere along that journey. And there are lessons that can be learned across sectors. So I like your point about the financial services sector. So highly regulated sector that has been having discussions about cyber resilience and operational resilience for a number of years now. So I think there's a lot to be gained from collaboration and learnings shared across sectors. Yeah. So there's a question that's come in from, uh, Chris Butler and, uh, before I jump on to it specifically, but it does raise the, um, a point that I caught quite early on between, uh, Heather and Sandra and how there were different definitions of what resilience and recovery is. And, you know, is resilience and recovery just a rebadged business continuity and disaster recovery program, or is it actually fundamentally different? Uh, because, uh, Chris has said here, uh, brings you back to business continuity and the good old fashioned BIA; this allows you to understand your business properly and therefore prioritize continuity, recovery and backup strategies. So what is, you know, what happened to the good old business continuity plan? Well, I think yeah. Uh, so business continuity means, it's a bit like resilience, it means different things to different people. You can. Yeah. So, in its widest sense when it first came out, because I was around before it first came out. Well, actually, before it was badged as such. Yeah.
And, um, you know, a lot of us understand it from those, you know, all of those years ago as being the big strategic thing it was. Can I still do business, i.e. can I still trade? So it was at the strategic and it was at the top level. And it was all about the, um, you know, anticipating the risk. So we had risk management in the umbrella. It had, you know, protection, prevention, security and the whole shebang. However, over the years, um, it went down into much more of an operational thing, and it's become very much, um, in recent years, um, you know, it's become very much about, um, just the operations and it's been very sort of tick boxy and down at the bottom level. But what I've seen now, and I think Chris is alluding to here, it's actually, it's naturally now coming back to how it was first seen, as something much bigger. Um, but Chris's comment here about the good old business impact analysis. It is. Absolutely. Yeah. You can't beat it for going, and what am I? You know, what am I, do, what do I deliver out? What are my products and services and which ones do I want to keep going? Um, if the balloon goes up, and then that tells you, deconstruct them to find out what you need and what you depend upon, and then put, you invest your money in that way. And then you can, you know, work it out. It's an old tool, but it works. It works. Yeah. Business continuity and disaster recovery is absolutely part of, you know, continues to be part of the landscape. Um, and it's really, as Sandra says, you know, we've moved to a point where we're now understanding cybersecurity as a driver of business resilience and business continuity planning as a driver at that strategic level, which is where the conversation needs to happen. And so I think that's the key shift that we're seeing here. And it's a mindset shift in terms of the conversations. I agree. Yeah. Just going back to your point, Heather.
If you look at the cyber assessment framework that's just been, that's, you know, come up. I love the way that those questions have been asked. It's very specific. And it talks about what are the kind of tick boxes, not what we're aiming at. It's a much wider conversation. Going back to what Sandra was saying, it's a much wider conversation. You need to understand what good looks like. And that assessment framework actually spells it out for you. It tells you what good looks like. What should the board be doing? Is the board having the, is the board having those discussions? Um, are there, is their responsibility maps, are those things? I mean, of course in financial services we must because we have the SMF and all those factors in there. But generally within the industry, across the board, without being, you know, financial services or others, that's a really good piece of work. In terms of the CAF, it's great, I think, because that's, you know, it's clear objectives, it's principles based. It's not telling people; it's principles. Yeah. It's not prescriptive. It's saying have you thought about it? Going back to your point, have you thought about this? Have you thought about that? I think that's very helpful. Yeah. Another resource that I really like is the board toolkit that we have as well. So I think having this conversation, back to Sandra's point, having this conversation at board level is critical because it's, you know, that's where it all comes from. And I think the CAF is a really powerful tool to help with that and a great framework. Yeah. Interestingly, and actually sitting across that, is Terry mentioned something about costs can be a big factor in how far organisations will go in protecting themselves and delivering, and I'm actually more interested in what the panel's views are. Do you think people just do the best they can afford?
Or do you think people really recognize the risk of not doing that and actually needing to spend money, find money from the organization? It's always interesting as to what the priorities are in a business sometimes, and whether they're prepared to pay for that ultimate resilience, if you like. I think it comes back again to the need for strategy and, you know, to understand, to prioritize and to, you know, to take that risk based approach. And the way that you do that is by having really strong strategic leadership and external advisors, if you need that. But, you know, a really clear view of how your security strategy supports the business and what your priorities are, and then your business case. It's always a cost benefit calculation. And it's, you know, security is there to support the business. Isn't it also dependent upon if it's before an event or after an event? That's what I was. Yeah, I wanted to pick up on that. We've done. That's where we want to move away. Yeah. So having a strategy. So yeah, you're shifting from that reactive approach where, you know, you get lots of money to spend, to being more proactive. So you're actually able to take more of a risk based approach if you've got a strategy in place. So it depends. Sorry, I was going to say just a quick point. Uh, Tom, just going back to Heather's point. So when did you have the event? Now, if you faced an event in your career history, it may not be with the firm, but you may have faced this event with somewhere else. So you understand what can go wrong. So that's why being part of a firm that has that vision is, and the type of people you bring on to your firm. They may not have faced it in this particular firm, but you faced it elsewhere in a similar environment. And I think you must draw on that experience to talk about certification, talk about ISO certification and all those things, which is really important, and cyber frameworks. But then you also get the response.
We'll make sure it doesn't happen in the first place then. Well, exactly. That's the point. We need to think proactive. We need to bring that experience and allow that experience to inform a company that is not as old and as new. I completely agree with that. I agree we have to be proactive, but the response would very often be, well, make sure it doesn't happen to us and then we won't have to spend all this money. That's what, you can't stop it happening. I think, Tom, you know, nowadays you can't stop it happening. I agree, I agree exactly. A lot on your side. I'm playing devil's advocate, but I've heard these arguments before. Right? Oh, I see what you mean. Right? No. Yeah. The board needs to be switched on. Absolutely. And that's why it's important for the security leadership or, you know, the executive leadership that has responsibility for security to be having those board level conversations. Absolutely helping with that mindset shift. It's awareness raising. It's, you know, it's conversations. It's, you know, speaking to your peers at board level. And often, you know, using the language of risk can help with that. But it's really, you know, it's a culture shift and a mindset shift. But what we've got to be ever so careful are, you know, that, um, you know, we, I think we are getting the realization, because security, and especially on the, on the information security, was very much about hardening. And I think the sudden realization that we are getting the realization, and we've all known it for years, but the realization, you know, larger, is the fact that, um, you know, it is going to, um, you know, it could happen. Um, and what we've got to make sure is that people don't just completely move the money away from prevent and straight into response. Yeah, it's got to be across balance. Well, absolutely. It's got to be a balance. And that's the very strategic. Yeah. The maturity of your exec team demonstrates that. So and that is, well, yeah.
Fortunately I've been part of some very good mature teams. But yeah, there have been a couple of instances going back a few years that weren't. But on the whole I think financial services there tends to be that level of good, organizations are mature and balanced. They've had to be. We cannot afford to be down for more than, you know, whatever. So it's really. Yeah, exactly. Minutes, seconds, whatever. So we need to have 99%, um, online real time. So I want to spend the last few minutes here. Atiq has just posted a question. How can an organization balance certifications and frameworks with real world experience to build? True. Oh, that's a great question. I love the way that question's been asked because it's not. But in itself, those certifications require you to build that muscle reflex. Going back to that point, we must continuously be living that, you know, the values of the certification. Does that make sense? It's not a one stop shop. It's not right. We've got this certificate. We can now move on. You have to. Live. Yes. Because you're audited. You even then. You can then flex that muscle a month before the audit and make sure. No again. Yeah. But then you're. Confident. I think it's confidence giving these things. I always think of these certifications and even the, you know, any of the standards and even the regulation, they're necessary, but they're not sufficient because resilience is about is you can't make resilience as a whole from the resilience of the parts. It's about the relationships and what you do with them. Exactly. But I think they give you the confidence because you've got so many moving parts. When you look at a whole organization and there's so many and it is complex, you know, proper complex problem. Um, but actually these are touch points in different areas to go. Yeah, I think I am doing that right. I am, I am going in the right direction over there. 
And if you've got all of these confident points, confidence points, that means that you can think about the whole better. And you don't have to think about that bit. So absolutely I think it's. Really important just on the point about compliance, um, that, you know, we need to avoid any kind of checkbox approaches to compliance. So that's generally a low maturity type approach. So really important to meet baseline standards. But to the question as to how you can build true resilience that comes back to positive culture within the organization and sharing, you know, collaborating, sharing learnings and having that, you know, that really strong culture within the organization. You can't get that through compliance checklists, important as they are. So I think, you know, focusing on culture, strong leadership where, you know, examples are being set by leaders within the organization and everyone's encouraged to share learnings and experience. I think is the answer to the question that's being asked. But also. The language you use, you shouldn't one shouldn't be using the compliance language or the risk language. It should be very intuitive. It should align. So you're trying to get the right outcomes, the focus on the outcomes. And if you need language that is a bit more, you know, friendly and a little bit less. So that is where you win people over and you're actually achieving those standards without the clunky language that a lot of this comes out to because you're focused on the outcomes, aren't you? Have you read the policy? Have you done that? Have you done training? Oh, but make that part of more part of the culture of the organization. Yes, I'm. Looking. To you. The best security implementation is the one where nobody talks about security because they just Absolutely. They just do it right. Exactly. It is absolutely. Weird. Isn't it, to be aware and secure themselves. Yeah, absolutely. And we're security adds value to the business. 
So I think that's another key point to focus on. So always looking for where um, you know, security can enable and can add value as well. And to your point on it, you know it's everyone's responsibility. Absolutely. So it's business risk that's being managed here. Yeah. 100%. So keep it simple. Keep it simple stupid. Yeah. Exactly. Uh, what's. Oh. Another terror. I tell you what, I think Terry might want a mug this week. Um, Terry hasn't. Shut up. Uh, the board typically doesn't have the same level of knowledge as, uh, as you do. And in some cases, they don't want to know that. I think that's sadly true, isn't it? Well, I don't agree, I don't. Agree. I don't agree. No, I think you know, the board have um, because we've got different you know, an organisation is a multidisciplinary. Everyone has their own little speciality. They understand operations, IT understand IT, you know, um, you know, I don't know understands lending or whatever and etcetera. Um, and actually an organisation by definition, uh, has got to be greater than the sum of its parts. Absolutely agree. With that. Have a different role. And if you are an expert within an organisation, the onus is on you to be able. To. Communicate your expertise in a language that they can understand. They're looking up here and they're guiding, you know, they're guiding the organisation. Don't come to the board with tiny little details about, oh, I've done this training Extreme force over here, or I need to invest in this little down here. As Raza says, it's the objectives and the objectives within the context of the organization. And then you will find I've not come across a board, um, that I haven't learned from and who have given really good advice when absolutely. It's your dashboard. You need to tell your dashboard, your board. This is the dashboard. This is how we're mitigating those risks. These are the controls. This is what we've done. You need to do a show and tell. 
And the board is usually, in most of my experience, is 100%, well, say 99% of the time they're much more switched on than we give them credit for. Number one. Number two, they're giving you time to demonstrate to them that you're doing a good job that you're doing. And I think that's really important. But isn't. The prerequisite. For. That to actually be invited to the table in the first place? Yes, absolutely. I think it's critical that security has a seat at the top level in all, and certainly in the organizations that we're talking about. Here. Absolutely. Yeah. And I think that's, you know, that's the that's part of the critical change that we need in this space. And that's why it's, you know, it's so welcome to see, um, you know, regulation and the broader conversations that are driving that change. I think going back to Sandra's point about, um, you know, it's a multidisciplinary team. So when you are in those board level conversations, you are part of a multidisciplinary team, and getting into operational level details wouldn't be appropriate. So you wouldn't expect colleagues to, you know, to have to know about the operational details in your area. But being able to have that conversation and to translate at that level is, um, is a key skill. And. Yeah. Tom. Absolutely. Security needs that seat at the table in order to be able to do that. I'm going to draw us to a close. Here we are at time. Uh, I'm going to give everybody a chance here to give some advice to our audience, which is the standard question: what should our audience do when they get to their desks tomorrow when it comes to resilience? Uh, I'm going to start with Heather, and I'm going to give you 20 seconds because we're, uh, nudging up against the time at the moment. So, Heather. So I think since we've spoken a lot about, uh, board level conversations, I would recommend going to read the CFC board toolkit and to share that with your boards if they haven't already had sight of it. 
Uh, it's a really good piece of practical advice there. Raza. I really like the cyber assessment framework. And I think what I would do is share that more widely, uh, and build that into all the work that we're doing with the ISO certifications and everything else. So, yeah, I really like that piece of work. Very good. Sandra. I'd go to the executive and I'd go to the board and I'd ask them what's important to them. What is it that they want? If something were to be disrupted, what do they. What is important? What is the essence of the organization that will then allow me to focus in on making sure that those risks around them are anticipated. We can put controls in place to prevent them, and then we can respond and adapt and learn as appropriate. Very good. And finally, Grant. Yeah. A slightly technology without talking about technology. Kind of for me, I think actually go back and look at what is it that the attacks are trying to get to, and ultimately they're trying to get to the data that's within your organization. That's the value, the money piece that they're trying to go through. So from my perspective, it's actually don't just look at protecting it and doing all of those things, but actually look at stopping and dealing with those attacks as they happen. At the very beginning. And that's a technology answer, and it's what NetApp do. But, you know, I think we look at it the wrong way round. We always look at it after the fact. What how do we do? What do we do after the attack? Well, let's actually look at it the other way around. Let's actually be much more proactive at the very beginning. And I think we're still not doing that properly yet. So excellent. Thank you. Heather, Raza, Sandra and Grant, thank you all so much for making my job so easy today. Uh, it's been a fabulous conversation, a non-stop conversation. Uh, so thank you very much. Uh, so, yeah, Heather, thank you. Pleasure to be here. Again. Raza. Thank you. Thank you so. Much, Tom. 
For having us. Sandra. Thank you. Thank you so much. Really enjoyed that. Absolutely. And Grant, our sponsor, a double thank you to you. You're welcome. And thank you for the conversation. It's been very enlightening. And all that's left to me is two things. Firstly, uh, don't forget we are back on. We're not here next week, but we're on the 24th of April. Um, I'm not sure if that's a Tuesday or Thursday. You might want to check your calendar. Uh, where we're going to be talking about DORA. A new law for a new dawn. Um, although I don't see a Dawn on the invite list yet. But nonetheless, we'll be talking about DORA. And as regards the mug, I'm going to give the mug to Terry Downing. But on two conditions. One, that Terry just doesn't ask any more questions, and two, that he take that they take back what they said about my beard. And if that's, uh, confirmed with Blandina, then, uh. Congratulations, Terry. I do hope you enjoy your mug. Uh, so all that's left for me is to say thank you to our audience. Thank you all so much. Thank you to our panelists. And, uh, in the meantime, don't forget to stay secure, my friends. Thank you.