Former TikTok CISO Shares 2024 Cyber Budget Priorities (where does AI fit?) - Ep 71

Show Notes

Former TikTok CISO Roland Clouthier emphasizes the imperative role of AI in staying competitive in the evolving business landscape: 
"If my business is going to compete and succeed, and everyone else is using AI to reduce their OpEx and drive new technology to make us better than the next guy, I better be doing it too." 
In this enlightening podcast episode, Clouthier explores crucial aspects of cybersecurity budgets in 2024, including cloud security, data protection, and personnel considerations. Uncover valuable insights as he shares his 'five key takeaways' for effective cyber budgets, stressing the significance of data protection: "A third of our job is going to be around how we protect data. You'll be able to engage and deliver things like AI if you can control your data." 
Gain strategic guidance on addressing the evolving skills landscape with Clouthier's advice: 
"Just look at your people. These are all new skills. These are all new areas. Make sure you're making the appropriate adjustments to your job families. You're migrating their skills through training, and then you're looking where you're getting your people from in the future." 
Stay ahead in cybersecurity by delving into this insightful discussion on the latest industry trends.

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

As featured on Million Podcasts' Best 100 Cybersecurity Podcast and Best 70
Chief Information Security Officer CISO Podcasts rankings.

Transcript

[00:00:00] Rob Aragao: Well, everyone, hello, Rob here from Reimagining Cyber and of course, joined every time by my co-host, Stan. Stan, really looking forward to our discussion today. We have Roland Cloutier joining us. I know you're going to get into the details on his background, but you know, we just had a conversation with Tim Rohrbaugh on the last podcast drop, and it was all about areas to start thinking about and applying different kind of mechanisms around your security budget.
[00:00:27] And as we go in with Roland, we're going to really cover those, those focus areas for next year. And, and one of the things we will absolutely jump into is. The AI topic, of course, but there's, you know, there's an interesting thing, obviously, that you're aware of with the Biden administration. You want to talk a little bit about that?
[00:00:42] Stan Wisseman: So the Biden administration is trying to get ahead of the curve and they issued this executive order on safe, secure, and trustworthy artificial intelligence. And they're trying to lay some of the, not guardrails at this point. It really is trying to get [00:01:00] some action going on how we need to be thinking about protecting these algorithms, ensuring that, you know, the, as this, this area evolves, that we are at least at this page on a voluntary basis trying to ensure that those providers of AI are putting in place the proper safeguards and ethical considerations.
[00:01:22] So I, I think that, you know, we all as, you know, most of us being users of artificial intelligence or will be users of AI, we, we are sort of at the whim of some of these that are providing this as a service. And we hope that they're doing the right thing, but the EO is sort of setting that mindset for the industry, as well as those in the federal government, the agencies, as far as their use of AI.
[00:01:49] And hopefully that is going to sway providers. 
[00:01:52] Rob Aragao: Well, I'm really looking forward to that conversation today. Why don't you get into exactly who it is we're speaking with? Very exciting guest today.
[00:01:58] Stan Wisseman:. Well, Rob, today we [00:02:00] have our guest Roland Clouthier. And Roland is currently a principal with the Business Protection Group, and he's held some significant SISO positions, including at TikTok, and he was a VP and Global Chief Security Officer at ADP, as well as the VP and CSO at EMC.
[00:02:18] Roland, it's delightful to have you with us today before we dive into the conversation. Anything else you'd like to add about your background? 
[00:02:24] Roland Clouthier: Absolutely not, Stan. That's just way too much as is. So, no, I'm good. Thank you. 
[00:02:30] Stan Wisseman: Well, hey, you know, as you know, having been in the seat many times for many years, autumn is sort of the budget planning timeframe, right?
[00:02:40] When people sort of get in the midst of their, their budget. For next year. And we're interested in hearing your insights as to what you think the key priorities are. And I have to tell you last month, I had the opportunity to not only attend our worldwide conference, the OpenText World in Las Vegas, but also Gartner, the [00:03:00] Gartner IT Summit and artificial intelligence is the buzzword du  jour, right?
[00:03:06] Roland Clouthier: It is, that's a, that's a thing/!
[00:03:09] Stan Wisseman: It's not a surprise, right? So I imagine that somewhere on your priority list, and I'm curious as to how you think information security programs should you know, integrate that into their planning, either where they're within their own controls or how they're going to help monitor what's happening as far as within the business.
[00:03:28] Roland Clouthier: 
[00:03:30] Yeah. So first of all, if you want to be a CISO next year or the year after you better figure it out, right? Like I, I, you know from a planning perspective, the use of AI or even the understanding of it within your environment is super important. Now, like a lot of the bigger organizations, they've been doing ML, AI.
[00:03:48] And, you know, until, you know, the, the ChatGPT, big LLM, you know, integrated with your own data asset capability came along over the last, you know, year or so a lot of that kind of [00:04:00] ran in the R and D space and the CTOs organization and CISOs didn't have direct management or control authority over it in any realistic way.
[00:04:08] And now, of course, everyone's looking at them. And I think, I think it's good for CISOs to look at it in two ways. The first is. If my business is going to compete and succeed in the industry we're in today, and everyone else is using AI to reduce their OpEx and adjust their margins and drive new technology to make us better than the next guy, well, I better be doing it too, and I better enable my organization to be able to do that.
[00:04:33] So I should have a focus capability on helping them accomplish that. The second is my job is to defend a business and ensure the sustainability of the operations, the resiliency of the company itself, and, you know, and the security of all the things that I'm, I'm supposed to be security. So I've got to do those things.
[00:04:51] And I, I don't think they're diametrically opposed. I think in our jobs, that's the problem with our job every day, right? I want to run to cloud. I want to [00:05:00] use 3rd, 4th and 5th party ecosystem in order to reduce my cost on processing. I want, we have to deal with these things every day. And AI is just a faster way of doing that.
[00:05:10] And there, I think there are key components we need to look at. So first of all, on the. On the how do I help my organization figure this out? Because a lot of them are turning to us and say, make us make us safe and let us use AI, right? Like, it's, it's not necessarily our jobs. It's a CPO. There's a CRO.
[00:05:26] There's an EIO involved across the entirety of the board, but helping it. Focus up you know, and I think the team like over at General Mills did a great job, right? Like they, they sat down, they created an oversight organization, had the right people in it, and then they created clear guidelines. Like, Thous may not do this.
[00:05:45] Thous can do that if you think it's cool and it fits into this category. Thous may do this if you go through a process, you know, with this type of information. So they established clear guidelines, not a hard and fast policy, but clear guidelines. And then they educated their [00:06:00] entire company, like their entire company.
[00:06:02] They went and said, here's how you can use AI. And so here are the guardrails, right
[00:06:06] Stan Wisseman: And then ensuring that everybody understands what those guardrails are and how that potentially jumpstart their processes from there. 
[00:06:16] Roland Clouthier: And if you don't understand it, call 1 800 HELP DESK for AI, and we'll help you figure it out.
[00:06:22] And I mean, that's a great thing, right? 
[00:06:25] Rob Aragao: Well, I think that was an important thing too, Roland, right, is that's one of the things that, you know, I've seen a lot of organizations at the very beginning of the year, because ChatGPT is what became it kind of consumerized at that point in time, right?
[00:06:36] The world was excited. They wanted to jump in and try to figure out different ways that they could kind of start learning this thing. And then, as you point out, you have to kind of hit the brakes a little bit, put the guardrails in and Stan mentioned to say, Hey, hold on, right. Especially for an organization that's, you know, potentially having access to consumer information, customer data.
[00:06:55] Be careful what you're using this stuff for. P. H. I. 
[00:06:57] Roland Clouthier: Financial information. Exactly. 
[00:06:59] Rob Aragao: Sensitive [00:07:00] data. Yeah. 
[00:07:01] Roland Clouthier: And by the way, it may not be regulated sensitive data, but it might be the IP of your organization that you lose patents on if that goes to market, right? Like there's real reasons, Rob, that, that we have to be thinking, how do we help them apply the brakes as a business and let the people think about it?
[00:07:17] And by the way, let them be accountable. Right. And in some way it's, it's helped them be accountable for themselves. And so I think that focus in getting that stood up, that education, that capability, and those processes to  fast pace people through the process when they need help is one way that CISOs can really help.
[00:07:38] And we're good at that. We're good at finding a problem area, getting them on to a, you know, an on ramp or an off ramp that's necessary and creating the education and excitement around it. I think a lot of great CISOs I know do that super well. Yeah. And the other, the other thing we do is protect infrastructure.
[00:07:57] And really, AI pipelines, guys. [00:08:00] It's just infrastructure and software. It's, it's a CICD on crack for AI and it's the infrastructure that goes along with it. Right. I mean, think about it's, it's infrastructure, data, network, transmission, data, storage. Access AAA in general the 20 percent is the weird stuff like insertion defense and scorecard management on the client side.
[00:08:23] Yeah, model defense, right? That's the 20%. And by the way, there's about five companies out there, four companies that are kind of doing that in the market today in any real way. And, and so people get wound up around the, what do I do for the 20%? Do you know where all your AI is? Do you know the infrastructure it's sitting on?
[00:08:43] Is it micro segmented from the rest of the environment? Do you know what data is in that data infrastructure? Have you done data analysis, data defense on it? Do you know what is connecting and going out of those data stores? Alright, do you know your API infrastructure that is [00:09:00] connected to, to that? And, and do you have the right controls and monitoring capability in place?
[00:09:03] You've got enough work for the next year or two to protect the divine segment and protect your AI environments that will get you 80 percent of the way of protecting it the rest of it, you know, there are great partners out there. So priorities for AI help your company be successful and embracing and understanding it.
[00:09:23] Second part of it's going to be go do our jobs on the, the infrastructure data and components that make up your AI environment. 
[00:09:33] Rob Aragao: . Great points. Excellent. You know, kind of calling out to take something that, you know, isn't the easiest topic and try to kind of simplify it in your approach. Right? So, so let's, let's get a little bit more because we knew I was going to start things off, but let's get a little bit more into your perspective on.
[00:09:46] The other things that are emerging, the other things that people really need to be considering as well, as they're going into, again, kind of that budget season right now. So what's the plan for 2024? What, what are some of those emerging trends and technologies that you would kind of say, Hey, you should really [00:10:00] be focusing and thinking about this as well.
[00:10:02] Stan Wisseman: One of them, Roland, obviously, you know, if you think about cloud security, right, I mean, that's something that everybody has been doing, migrating more quickly too, but what's new in cloud security in that context for 2024.
[00:10:14] Roland Clouthier: Cloud security, my favorite, the gift that keeps on giving you know, I think in many contexts, I think I call it something a little bit differently now.
[00:10:26] I call it like. Cloud platform, environmental defense, right? Like I got to call it a sexy name because you know, cloud just seems to have gone away. It's not like an analyst right now. You know that, right? I don't say that, man. Don't get me old, I guess. Listen, there's, there's probably four things. One of them is going to repetitive.
[00:10:47] I'll let you guess what it is in a minute. But there's, there's four things I think about in this space. One is If you haven't finished implementing your cloud controls, go finish them, right? Like automate [00:11:00] them, you know, automating the capabilities around those that we've, we've put a bunch of controls in.
[00:11:04] There's a lot of great cloud defense platforms that have come to light, you know the whizzes and the aquas of the world and, you know, all the companies doing great things out there. But you need, your companies have now integrated cloud as a component of how they build and develop their business at speed.
[00:11:20] Right. Like, so I'm going to start a new service that's going to start up in 12 seconds. Not two weeks, not two months, 12 seconds. 12 seconds. Right. So I'm, I'm, I'm growing astronomically and I have to keep the controls, the capabilities to protect, defend, monitor, and be able to respond to those environments.
[00:11:37] So to be able to integrate all of that stuff into my SOAR, into my SIM, into my business resiliency, you know, like. That has to happen with automation. So whether you do it yourself, bring in a partner, I don't care. Think about your head of dream is cloud environments and how you're providing your services at scale and speed.
[00:11:54] And so in 24. Clean up and automate I think is, is huge.[00:12:00] The second area that no one's talking about, and I'm shocked because I'm sure now that you called me an analyst, I think next year, the analyst will pick up on this, but microservice mesh environments. Right. So one thing I learned, well, massive growth there for me, technical when I was at TikTok and ByteChance.
[00:12:16] With the amount of microservices in the world, like, like, I think TikTok has  like 4, 500 microservices, something crazy like that, like to create the app. And so you think about your business and you go. Yeah, I heard them call it microservices, but isn't that just a container? No, it's not. It's like an entire environment.
[00:12:34] And so what, you know, so what, what, what was it such a learning opportunity for me was these mesh environments that make up the control plane infrastructure for microservices is like a new shadow it. It's how the microservices talk, it's how they move data, it's how they control, you know, connect between APIs and they don't necessarily have to go outside that service mesh to actually do things like authentication, logging, and all [00:13:00] of the other stuff.
[00:13:00] So all of a sudden you have this massive amount of compute infrastructure and data movement. In this mesh environment, and you're saying, yeah, the data goes here to here, and we're monitoring it, but it actually goes between the microservices in the mesh, and you never see it. How do you defend against that?
[00:13:16] Figure that out in your environment. Focus on micro microservices, not just containers. Compliance and insurance automation guys. We just got to get. And I don't, it's, I'm sorry to all my best friends who are compliance people in our field, but we've got to get rid of that. Like that CCM and CCA or continuing controls, assurance and monitoring has to happen.
[00:13:35] And so a bunch of great startups in that area start thinking about how I go out, validate that my controls are in place and working and automated that they're still doing their job. And the efficacy is good. I collect the evidence and I put it in a place that someone can just populate a document with and go do my 12 compliance activities.
[00:13:52] People shouldn't be doing that stuff anymore. And I think the, the, the last area in, in that [00:14:00] space that is important to me is APIs, like the API infrastructure, both in what we were talking about in AI and in this space, we, that, that should be insightful. People should be looking to see. What are my things connecting to?
[00:14:19] How are they authenticating? You know, what, what services are they connecting internally and externally? What does my digital landscape look like through my API environment? How do I catalog? And when was the last time they were validated from a security vulnerability standpoint? Like. We forget about APIs because we think of it as code, but they're not there.
[00:14:36] A thing. 
[00:14:39] Stan Wisseman: Yeah, I think organizations  are pretty much blind to their API exposure. Yeah, and whether it be in the context of cloud AI or applications, you know, it's one of those things where there's increasing awareness like, oh, crud, this is a, you know, exploding as an attack surface and we've got to get a handle on it.
[00:14:55] Roland Clouthier: 
[00:14:56] Yeah. So in cloud, that's kind of my, like, my, if you're going to focus [00:15:00] on stuff in 24. Finish your integration and automation. Think about microservices. Get out of the compliance game by, by automating the hell out of that and then go figure out your APIs. Those are the four. 
[00:15:12] Rob Aragao: That makes  sense. So let's talk about identities next, because everyone's talking about identities.
[00:15:16] Whether it's, hey, we're revisiting and trying to kind of get a handle on, you know, our program and different elements of it. How we're dealing with, you know, the not non human identities, right? IOT devices, these, these applications, APIs, Microsoft, they're, they're all a form of identities, right?
[00:15:33] Coming in what are you seeing in that area? What are your thoughts? Do you have a top four, top two, top three, top five? What do you got? 
[00:15:40] Roland Clouthier: I'm just. Freaking floored that I'm I'm not 29 anymore. And you look at it's thanks, babe. And it's a couple of years later from when I started in the first big project I did was around identity.
[00:15:54] And we're still talking about it because it's so mad and I get it. It's, I mean, it's massive to scale, [00:16:00] but you're right. It's, you know, first of all, this might be a newsflash, but if you haven't done centralized. Triple a and I did any assurance, maybe you should centralize, right? Like, you know, yeah, but you gotta go beyond that.
[00:16:14] So step one, centralize it to actually manage it, control it and validate it. And you know, what's going on. I think the second one came to me this year and not through my personal experience. Although I've had to do some stuff in the social side around inauthentic identity and, individual validation and verification, but this whole new world around identity verification to access validation, like the proofing of it, basically, yeah, I mean, like the whole issue that, you know, it happened out with our favorite folks in Las Vegas, you know, last month in a couple of those really well designed hacks gets back to identity validation.
[00:16:55] So some of the work we do online for verification. [00:17:00] Invalidation. We never really talk about what does that mean for our enterprise or platform access management. 
[00:17:06] Stan Wisseman: Well, I think, I think that a whole broader category of just identity governance, right? You know, and, and identity proofing being part of that.
[00:17:13] But, but, but, you know, having a handle on how you're governing your identities, not only for, again, carbon based life forms, but also the non-carbon based life forms in your environment. 
[00:17:25] Roland Clouthier: You know that, that's, that's key. So, so my suggestions to my peers for 24 is don't have to solve for it. Don't do your threat mapping, right?
[00:17:33] Like, figure out what identity verification means to you for your administration, administrative access, you know to your employ, to your, you know, general employees, to your executives to. What is, what does that mean? Money movement versus approvals versus cloud exit. Like, what does that mean? And, and how do you do that in a meaningful way where you have the most risk?
[00:17:54] So I think this year risk assessment around that super, super important. The other focus, and I'm a [00:18:00] big transparency guy, like I, let's go out and find it because if I can't see it, I can't protect it, right? Like I have to understand it to be able to do it. So what's the, beyond the human and, and really saying you were talking about that beyond the carbon based life forms, right?
[00:18:14] You know machine to machine access application, the application authentication token verification, validation, these 
[00:18:20] Stan Wisseman: service accounts that let's face it are abused left and right, because they're sort of under the radar 
[00:18:26] Roland Clouthier: who moves them, who has, who has access, how long does token verification work across how many platforms that is, can use it, right?
[00:18:33] If you have, if you have one token management you know, that is for a specific entire, let's say it's a go to market application you're using, And it's used across the entire chain. Is that good? Probably not. Is it good for 48 or 92 hours or 3 weeks? Probably not good, right? You know, you're going to have to start doing threat based analytics on this beyond human identity authentication authorization capability.
[00:18:59] And it starts with [00:19:00] cataloging it and understanding it and making sure you have a good handle on it. 
[00:19:05] Stan Wisseman: So in  the area of data, right? I mean... Data is like the new oil, people, you know, they're looking to mine the data to be able to take and monetize the data they've, they've, they've ingested into their enterprise.
[00:19:17] Right. And, and we still run across organizations that really don't still have a handle on where their sensitive data is, whether it be in structure or unstructured repositories. What do you think the priorities are in that context of again, knowing what you're trying to protect. And, and then in these different use cases in the organization, whether it be for analytics or other things, how then to ensure that in 2024, that data is protected appropriately.
[00:19:45] Roland Clouthier: 
[00:19:48] Yeah. This was a life lesson over the last three or four years. Like There's, I've been in critical infrastructure demands and big data type organizations since the MCADP for a decade, like they really, really sensitive data where your information is how [00:20:00] you're protecting consumer data, like table stakes, right?
[00:20:02] Silly discussion, but when you really start getting into the details of compliance and assurance. And validation across jurisdictional lines and the implication of privacy enforcement requirements and be able to operate in different jurisdictions, right? Like, this becomes super important. And, and you know, I used to get a lot of pushback when I talked about this, Stan, because.
[00:20:25] I mean, I think, you know, You're, you're rolling, you're a C sector big companies, you know, you're a multi countries, you know, that's super important. You know, we're a Republic of 50 states and they are all their own governments. Yeah, 
[00:20:37] Stan Wisseman: Elon has his own set of requirements now. 
[00:20:40] Roland Clouthier: Right. You know, if you're holding children.
[00:20:42] If you have kid, you know, children's data, like under the age of 16 in Illinois, it's very different than having it in Florida, right? Like in the States treated very differently. And so your, your accountability for managing and assuring the level of protection of the data within your care, custody and control.
[00:20:59] Is super [00:21:00] important. So data defense is now I've, I, I asked a lot of my peers, like, so what are you doing in data defense area? Well, we're going to implement X to go find it. That's great. I mean, from my perspective, as long as you do in the basic 4 things, where is it? What is it contextually, not just is it a social security number or a driver's license or a federal ID card?
[00:21:22] Who has access to it? And where did it come from and where did it go? So then you can apply, you know, all the things that you were talking about, Stan, like you know, am I supposed to use that data in certain context or not, right? Like if you can answer those four things, you're probably at, at the, at the top, you know, 10 percent of 5 percent of companies that can do that, but that is super hard.
[00:21:45] So organizations have to be able to find their information, apply controls. And, and do it in a reasonable time. We can't take four weeks to scan our data stores and come back and say, I know where my, my PCI [00:22:00] stuff is, and I know where my health care stuff is. 
[00:22:04] Stan Wisseman: Well, there's a legacy piles of data, right? I mean, that's one thing, but we're also the volume, just of these ingestion of new data, sort of like we need to get a handle on the new data as it's coming in and catalog it and protect it.
[00:22:16] But then you have the piles of data that are becoming, you know, toxic, potentially, in your environment, and you need to be able to act on that as well, including talking to the business unit about, let's get it out if we're not using it.
[00:22:29] Roland Clouthier: It hasn't been touched in six months. It's duplicative in 14 different areas.
[00:22:34] We're using up this much storage, which equates to this in dollars. You are 100 percent right. And you can't do that unless you instrument the totality of your environment to be able to see it. And know what it is. And, and if we keep going down this path is I'm going to scan for weeks, and I'm going to tell you where our driver's license is first name, last name, date of birth, like, contextually, that does not help your business.
[00:22:56] It helps compliance and compliance assurance [00:23:00] on a few issues and areas, but it does not help manage. Your data defense issues. So I think focusing on 24 is what is my multi year roadmap to get to transparency, AAA and I won't go down the kind of data legacy data, pathing stuff, cause that's a little complex now, but for next year, getting a basic infrastructure, where is it?
[00:23:23] Who, what is it? Who has access to it? And where did it come from? Where did it go? You're, you're got to be well on your way. 
[00:23:29] Rob Aragao: Good foundation to start on. Definitely. Definitely. So, so Roland, I think I'm going to do the five takeaways, right? These are the five areas that we've discussed that you were saying, Hey, listen, if I'm looking into next year and also building the plan over multiple years, of course, right?
[00:23:44] AI, we started off cause that's the hot topic. Everybody understands. Right. But it's getting, you know, kind of a better perspective of, as you said, if you can do certain things, you can get good headstart, you can probably cover about 80 percent kind of putting the right policy guardrails in place, helping you get augmented on that side of it going [00:24:00] forward.
[00:24:00] Then you talked about, Hey, listen, cloud, we've been talking about cloud for the past, what, four or five years now, and it's continuous in the conversation. Yeah. Continuing the conversation. Right. I kind of go back to the whole, like we're still trying to figure out. Really, what is the shared responsibility model?
[00:24:13] And it's like, come on, really, we're still dealing with that. But people are right. The third you talked about is around APIs, but also the microservices mesh as you described it, right? Again, a key area, I think as you explained, you know, your most previous role was an eye opener, if you will, right?
[00:24:31] With over 4, 500 microservices just, I mean, for one given application, granted, a massive application, but still. Like people aren't really wrapping their heads around that currently and they need to start thinking about that as you stated. The identity piece, yes, back from your early days of last year when you were 29, it's still a conversation today, right?
[00:24:49] And everyone's trying to figure out again, what's next? What are we doing? Identity proofing, identity governance, as we discussed a lot of great topics in that front. And then The data, because ultimately, if you think about it, [00:25:00] from the attacker perspective, what are they trying to ultimately get to? The data.
[00:25:03] So how do we actually have better understanding of what actually we have for sensitive, important data, whether it is something that's driven by privacy regulation, whether it is something that's our intellectual property, customer information, you name it. Like we need to better understand what type of data is important for our business, our particular functions in our business, get visibility into it, have ongoing basis of being able to understand where it resides.
[00:25:27] And as you said, build that foundation to then up level and say, okay, now we want to take certain actions, how we protect it and so on and so forth. So those are the five kind of over the top areas that you really called out as people should be paying attention to right now as they're planning for next year.
[00:25:42] Did I miss anything on that front? 
[00:25:44] Roland Clouthier: Dan, can I get an 
amen? 
[00:25:49] Roland Clouthier: That's perfect. Listen, guys, at the end of the day. A third of our job is going to be around how we protect data and it's infrastructure is everything, but you know, the requirements and the privacy [00:26:00] enforce all that's falling to us. That's going to be around the data. You know, you'll be great if you can go focus on that and you'll be able to engage and deliver things like AI if you can control your data.
[00:26:09] And then the only last thing I would say, guys, just look at your people. These are all new skills. These are all new areas. Make sure you're making the appropriate adjustments to your job families. You're, you're, you're migrating their skills through training, and then you're looking at, you know, where you're getting your people from in the future.
[00:26:25] Important point. Very important point. 
[00:26:28] Stan Wisseman: Thank you, Roland. Really appreciate your insights. Excellent 
[00:26:31] Roland Clouthier: conversation, Roland. Definitely. Thanks for your time, guys. It was awesome.