Cyber Resilience: Are Your Strategies Fit For Purpose? Ep 115

Show Notes

In the latest episode of Reimagining Cyber, Rob interviews Bindu Sundaresan, Director of Cybersecurity Solutions at Level Blue, about the evolution and significance of cyber resilience. Bindu, with over 20 years in cybersecurity, discusses how the field has shifted from a focus solely on prevention to a broader approach that includes resilience and recovery.

Key points from the conversation:

1.    Historical Focus: Traditionally, cybersecurity strategies concentrated on preventing attacks. However, the current threat landscape necessitates a shift towards resilience, acknowledging that breaches are inevitable.

2.    Modern Approach: Organizations are now integrating business continuity planning and disaster recovery with cybersecurity efforts. This holistic approach ensures that operations can continue and recover swiftly after an attack.

3.    Business Alignment: Bindu emphasizes that cybersecurity should be seen not just as a technical issue but as a business problem affecting overall operations. This shift in perspective helps align cybersecurity efforts with business outcomes and improves the strategic value of cybersecurity roles.

4.    CISO's Role: For Chief Information Security Officers (CISOs), successfully integrating resilience into their programs involves understanding and prioritizing risks based on business impact. This requires effective communication with other business units and aligning cybersecurity investments with broader business goals.

5.    Evolution of Cybersecurity: The conversation highlights the shift from compliance-driven approaches to risk-driven and resilience-focused strategies. This evolution is crucial for achieving digital resilience and 

6.    Identifying Sensitive Data: Organizations must first identify what constitutes sensitive data for their specific context, considering regulatory requirements, business use, and industry standards. Without this understanding, investments in data protection might be misallocated.

7.    Data Classification and Flow: It is crucial to classify sensitive data and map how it flows within and outside the organization. This helps in applying appropriate security controls and prevents unnecessary complexity and expense.

8.    Continuous Review: Data classification and protection are not one-time tasks. Organizations need to regularly update their data inventory and classification as their data environment evolves

9.    Incident Response and Resilience: Organizations should develop tiered recovery plans that prioritize critical business functions during incidents. Regularly updated tabletop exercises should simulate realistic and current scenarios to test response plans effectively.

10.Cross-Functional Involvement: Effective incident response involves cross-functional teams, including IT, legal, PR, and executive leadership. Establishing what constitutes minimum viable operations helps prioritize recovery efforts and resource allocation during an incident.

11.Evolving Practices: The goal is to continuously refine incident response and recovery practices to improve resilience over time. Embracing a lifecycle approach to security and resilience can turn digital resilience into a competitive advantage.

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Transcript

[00:00:00] Rob: Welcome everyone to another episode of Reimagining Cyber. Rob here and today's guest is Bindu Sundaresan, Director of Cybersecurity Solutions at Level Blue, a joint venture by AT& T. Bindu has over 20 years of experience having led cyber risk engagements for Fortune 500 clients from strategy to technology implementation to breach response.

[00:00:20] Prior to AT& T, Bindu was a senior manager with Versign and previously a senior consultant with KPMG. Welcome been do very excited to have you on. Is there any additional information on your background? You'd like to share with the audience. 

[00:00:33] Bindu: Thank you so much. And I'm so excited to be here. Um, they're all good.

[00:00:38] Rob: Excellent. Excellent. You and I actually had an opportunity to meet. I think it was roughly a year ago at a panel that we did up in, uh, in the state of New York and, um, One of the key connection points is all around cyber resiliency, which actually been do, I don't know if I share this with you previously, but that was the foundational kind of theme that the podcast actually started off was promoting and pushing out this need for us to kind of pivot our thinking from traditional cybersecurity into more of a resiliency mindset and approach and better ends, honestly, aligning with business outcomes.

[00:01:08] And I know you're. Very much a strong proponent of that as well. So we wanted to come back to that topic. It's been a little bit of a while where we've had an episode that actually really kind of hones in and focuses on it again. So more of a, what have you seen, how are things evolving kind of conversation saying?

[00:01:24] So again, what better person to have on than yourself? So that being said. Um, this shift that again happened several years ago has been pretty well adopted, I think, for most organizations, maybe some more of the traditional enterprise level, kind of more mature organizations in that that pivot point. But let me just get your thoughts, you know, kind of what's your take on what's happened over the past few years and getting more of that adoption to buy in the conversations that you kind of had in seeing this shift.

[00:01:52] Um, and again, you know, just that model overall and people evolving finally to that point in time of realizing the value behind of a cyber resiliency based approach. 

[00:02:02] Bindu:

[00:02:15] Typically, you know, I've started, uh, doing cybersecurity a little over 20 years ago, and traditionally cybersecurity strategies were heavily focused on prevention, right? It's about building strong defenses, keeping the threat outs. Uh, but then today, the reality of, you know, the threat landscape that we are seeing today, and we all know it's not a cliche anymore.

[00:02:35] It's not a matter of if, it's about when an organization faces a cyber incident. That realization over the years has led to the adoption of cyber resilience as the focus without, you know, sort of only focusing on prevention and protection, but also spending some time and focus on the ability to recover.

[00:02:57] I think that sort of, you know, gave birth to the idea of resilience, where you're going beyond just preventing attacks. It is really about ensuring the continuity in terms of, you know, your operations, because at the end of the day, any organization. We are in it, obviously, to the to improve the bottom line, make the money and continue to operate and provide the service.

[00:03:19] So how do we do all of that? When an attack happens to you? How do you do that? Why? Minimizing the impact of that attack? So that approach of resilience comes with that background off. First acknowledging that breaches can happen to any type of organization. So you not only need to be prepared to defend against those threats, but you have to simultaneously sustain business operations and recover swiftly.

[00:03:48] So in my experience with clients, when I work with organizations, The way they're anchoring their cyber programs today is definitely focused on that resilience based approach. Right? So that, uh, that mindset shift at that leadership level where they're thinking about cyber security, not just as a technical issue, but a business problem that is affecting that entire organization.

[00:04:12] That change in perspective has You know, really helped with several key actions. I would say in the resilient space, like, you know, I'll give you an example, you know, gone are the days where organizations are approaching BCP, which is the business continuity planning and the disaster recovery as separate from cyber security.

[00:04:32] Today, all of that is integrated, and that's a big step towards resilience, right? 

[00:04:37] Rob: So I think you hit on some of the very key kind of attributes in the four tenets or goals of cyber resiliency, um, which is basically again, you try to do the best you can to prepare for a cyber attack. You then obviously know that things will occur and you need to minimize, as you called out, the impact of those occurrences, those incidents and events, uh, and then as quickly as you can recover.

[00:04:59] And I think again, a very key in the fourth kind of core tenant is. evolve, take those lessons learned, right? Better the program, better your security controls, because you know, again, of course, these things will continue to happen. But one of the key elements that you just really, um, hit upon, which I think is the most critical, is that connection point back to the business, the business outcomes.

[00:05:21] One. Two, I think it's been adopted because of the type of verbiage that we're now using in discussing resiliency in general, right? And so I, I've actually just, you know, been like, I've actually evolved it from cyber to be more of like a digital resilience conversation because, right, the board, uh, the C suite, they understand operational resiliency.

[00:05:42] That language makes all the sense in the world. And so I think again, when we came about and said, Hey, let's start having these discussions. And it was really around COVID let's be honest, right? That kind of people just start realizing, Hey, we need to be much more resilient. And the similar context in our conversations aligned to an understanding at that board level.

[00:06:01] of resiliency. And you also called out the mindset shift. And it truly, in some cases, especially for like the cyber technology kind of aspect of an operation is a major cultural shift. So maybe there's an example you can share of, you know, a CISA that you've worked with in the past and kind of how you've helped them kind of see the value in aligning back to this approach around resilience.

[00:06:27] As it relates to their maturation of their program, but also, I think, most importantly, like, like, as a CISO pivoting from a technical oriented perspective. To be in much more business aligned and getting that credibility and that literally opportunity to have a seat at the table that we've always talked about the desire for.

[00:06:43] Bindu: Yeah. And you know, that's a great question, right? So I think, you know, over the years, what we have seen is, you know, we talk about, Hey, cybersecurity has to get a seat at the table, right? And finally we do have that seat at the table, but how are you as a CISO going Cyber risk without it being sort of drowned, you know, in the overall scheme of business risk, especially when you get into, let's say, the quantitative aspect of it, but you're not able to really tie it back to resilience, right?

[00:07:18] There is a disconnect. So if you think about resilience and you think about a holistic view of risk, you want to be able to combine your cyber risks. And tie it back to business impact. So let's just, you know, take a look at that. So, for example, if you're a CSO, how would you prioritize securing, let's say, a critical financial application that directly impacts revenue generation over a lower risk system?

[00:07:44] To be able to prioritize like that, you need to have a strong understanding of the business goals. So that you can manage that risk effectively. So let's say you had a hundred coins to spend and you need to now have that decision making based on data to be able to align it back to your risk management and say, you will spend, let's say 40 coins on prevention.

[00:08:08] You're going to spend, let's say 30 coins on detection. Then you'll spend the remaining 30 on response. How do you keep this balance? And does that balance change over time. So if you think about, you know, how organizations have evolved in terms of the security budget, you know, conversation, we used to be extremely compliance focused, you know, let's say about, uh, 20 years ago, it was all about meeting the compliance deadline, meeting, you know, the, uh, sort of rule of compliance, not being penalized for noncompliance.

[00:08:43] And then it became, Hey, You know, we do compliance, but then we go about it as. Okay, I need to achieve this compliance, but I'm not worried about sustaining it just yet year after year I'm achieving this compliance, but it's always a mad rush towards that compliance deadline Then we got about you know, we went about sort of securing that maturity and you know going on that journey We are not just being compliance driven.

[00:09:09] Now we evolved into being risk driven and then that was not enough, right? Because if you think about it, you are, your risks are ever changing, but if you have to, if you don't have a robust resilience plan in place and you don't have, you know, sort of your incident response aligned with your business continuity does not align with your disaster recovery and you're, you know, you brought up a good point about.

[00:09:34] Not just cyber resilience, digital resilience, the same conversation sort of extends towards digital trust, if you will, right? So if you the key outcome that you're enabling by cyber resilience is enhanced decision making and being able to really have that digital trust as an outcome, that is something that is You know, not just a technology or a technical metric or measure, right?

[00:10:01] So it really aligns back to your business operation. So when you are as a CISO communicating, let's say your cyber spend, your, you know, different projects that you have in place, or when you get asked, what are you doing so that this ransomware attack does not happen to us? Or why did you end up, you know, let's say picking a specific product or a service?

[00:10:22] How do you answer all of those as a CISO? If you don't tie it back to the resilience metric, if you're just going to talk about sort of mean time to detect, mean time to respond, number of phishing attempts prevented really from a business audience, you're losing them, right? So if we asked for a seat at the table as the security team, and we said the CISO function is a C level function that aligns itself well with the business outcomes, then I think it's key for us.

[00:10:51] Um, and I'm seeing quite a few CSOs that are, you know, trying to figure out how to use resilience, not just cyber resilience, digital resilience, as a way to be able to chalk out each of the initiatives that we are working on in an organization back to that outcome. And I'm seeing quite a few CSOs that are Really encouraging collaboration between cybersecurity teams and other business units, right?

[00:11:13] So what I'm seeing more and more of these days is legal operations, finance and the CSO are in it together. Any CSO that is successfully bringing together these cost functional teams. To help develop what I call the, you know, digital resilience strategy, no longer just like a cyber security road map, right?

[00:11:34] Really extending it beyond just a technology spend plan and thinking about how do you gain? Stakeholder confidence and trust. How do you build trust with your customers, partners, regulators, you have to be able to really go back to that digital resilience goal that you're going to slowly reach and yes, that goal post is going to change over time because your technology and innovations will change, but the goal should not be about meeting a compliance requirement or reducing your risk level to something that you think is Appropriate based on, let's say, a study or based on an analysis that you did that is very, um, you know, sort of short focused into it versus really being holistic from a business standpoint.

[00:12:25] Rob: Totally agree. You mentioned several things I want to kind of circle back on. One is the risk aspect and that connection point, I think, is critical because again, it's also well understood from the board, the C suite. Um, it does obviously become very dependent on the. Risk appetite for a given organization.

[00:12:43] So not every banking organization has the same risk appetite, obviously. Right. But again, you have to be very precise on that, but it's the right type of conversations to be having. It's also part of the evolution of maturing the CISO role to be much more business oriented, as you were discussing. I would go back to the aspect of using these kinds of traditional, uh, let's say kind of the, the comfort level conversations are, you know, at the level of the board that CISOs have traditionally have around, uh, the Our mean time to respond, our mean time to detect, again, over their head, they've already tuned you out.

[00:13:14] There's, there's been actually the issue, honestly, in my opinion, as to why they haven't historically had that seat at the table. So the pivot of having the right conversation points are critical. And the third piece that you called out was the compliance oriented, kind of, the point in time compliance audit that's happening.

[00:13:29] We have to be prepared for that. We do a pre assessment. We understand the gaps, we go close those gaps, we pass the audit, and then all of a sudden, ah, don't worry about that till next year. That doesn't work any longer. What I would say that is, obviously, where you can, within your program, align to compliance requirements, because you just have to, but most importantly, take the funding.

[00:13:50] That's going into the compliance programs to better support the growth of your cyber resiliency based program and approach. That's what you want to do. So let's go into the data discussion a little bit. Um, you do tons and tons of consulting. We talked about that in the introduction, very large organizations, a lot of years of experience doing that.

[00:14:10] Data sits at the core of what the attackers are after at the end of the day. Um, so in the principle of looking at it from an organization, getting a better understanding of what really is sensitive keyword being sensitive data for the organization, right? Um, what kind of guidance have you provided different clients you've worked with over the time?

[00:14:30] You know, can they get much more focused understanding that there's all these different solutions out there, different approaches to how you protect your data. If you don't even know what your sensitive data is in the first place, Then you're throwing money at potentially the wrong things at the end of the day.

[00:14:44] So what have you been discussing in that topic? 

[00:14:46] Bindu: Yeah, you know, it's definitely a critical focus area Um, you know because of you know storage being so cheap, right? We're all about You know, gathering as much data as we can and trying to use data in all forms. But every organization is unique, right? In terms of what comprises sensitive data and how most, most importantly, it's how it's flowing within that organization.

[00:15:11] And who has access to it outside of your organization? Only then you're able to really define what sensitive is. And then once you define that sensitive data that you think, is it sensitive because of the regulatory environment you're in? Is it sensitive because of your specific business use that you're using it for?

[00:15:33] Is it sensitive based on the industry that you're in, right? All these, you know, sort of, Really is the core of a security program that you should be looking at and, you know, going back to, you know, not all security controls need to be applied to all types of data because that could just make it, you know, overly complex and expensive for you to manage.

[00:15:54] So the 1st step that we do as part of any consulting engagement that we recommend is. You know, year after year, it is important for you to have a data inventory that you do and go through that classification again, right? So the key is you need to, you know, I know it sounds, uh, sort of, you know, archaic to say this again, but, you know, um, you would be surprised where you bring together four business units of your organization and have them whiteboard what they think is, you know, their set of, you know, Let's say sensitive data and you start asking questions like where does this data reside?

[00:16:35] Is it on premise? Is it in the cloud? Is it with your third party vendor and start mapping out how that data flows between systems? You would actually, it's, it's pretty revealing in terms of a task to be able to see the silos in which we all operate in, right? Because of that sort of functionality where we all have like our sort of enclaves or, you know, circles of data and we don't really map out the flows.

[00:17:02] So it's not only important for you to know what type of data, it is also very important to know How that data flows within your organization and externally so that you can apply the appropriate controls to it. Right? So engaging the different business units. I didn't have each of them identify their business critical data.

[00:17:23] But beyond that regulatory definitions, organizations have to make sure these business units collaborate. To identify the flows as well, right? Only when you're able to identify that flow and know your data, you'll understand that, you know, not all data needs to have the same level of protection. So when you do your risk assessment, now you're able to look at your critical data set and prioritize them.

[00:17:49] And then once you have analyzed that data based on, let's say, sensitivity, the value, uh, the volume of the data, and potentially if If this data gets breached, what sort of an impact would it have? Then you can get into really developing a data governance policy, right, or a framework..

[00:18:07] So, you know, many organizations, when you look at how they, you know, establish a data governance framework, um, You know, they, they're not able to enforce those data protection policies that align with their risk tolerance and business needs because they've missed that fundamental step of being able to identify what sensitive data is and how it flows, right?

[00:18:29] So the key is, you know, adopting that risk based approach to data protection, being able to implement that data governance framework. You know, you're, you can use your DLP solutions that you already have. All of that is effective. Only if you've done that first homework step, and that is not a one time effort.

[00:18:48] And I think where organizations tend to sort of take a misstep is they do it all right once, right? But none of these activities. is a one time task because your organization is evolving. Your applications are evolving. You're trying to innovate and you're trying to provide, you know, better and better service to your customers.

[00:19:09] So obviously the type of data you're using is changing. So All of this, you know, you really have to think about it as that consistent, continuous framework, right? So I think that's key, you know, if I were to say one thing about, you know, achieving resilience is to be able to say that your security measures that you are putting in.

[00:19:32] You really have to think about it as a life cycle approach. You need to make sure that these are things that you're doing on an ongoing basis. And it's it. I know it feels like is this ever going to be done? And the reality is no, it's not ever going to be done. It has to work as a life cycle. You have to work on your security program to be able to achieve the resiliency over time.

[00:19:56] The, the best way to approach this is think of using your digital resilience as a competitive advantage, right? So if you think about it from that angle, then you're going to do whatever it takes to maintain it. 

[00:20:09] Rob: Yeah, totally. And, uh, I like what you just said at the end, it is a competitive advantage if positioned properly.

[00:20:15] There's also a couple other things you mentioned that I think are rather important. You know, if you kind of connect back to, um, just the, the aspect of how Organizations have typically kind of gone after what they're supposed to protect for data. Again, they do have that major disconnection and you discussed it in a way that I've always positioned very strongly, which is you have to meet with the specific stakeholders.

[00:20:39] Like let's say it's an organization that has several lines of business. Each of those key stakeholders have an understanding of what the data is that's relevant for their particular, if it could be containing PI information, it may be intellectual property, whatever examples you listed off, but getting that initial buy in and I'm sure in your case, it's also providing guidance as to, let me give you examples of the type of data that you may be concerned yourself with that kind of opens up their mind to realizing, Oh, these are the different ones.

[00:21:07] And these are the right classifications of sensitivity for those data elements. But the key point is the continuous, because as you opened up and how you address the question is, we know data is consistently flowing in. There's a desire to leverage more and more data for different insights to look for different opportunities to drive new revenue streams.

[00:21:27] So it's never going to slow down. And the risk of sensitive data being put into these different locations, on premise cloud environments, wherever. Are always going to be there. So I think that was very, very important to call up as you, as you did with continuous, let's transition into the aspect as relates to kind of that second goal of resiliency, which is minimizing the impact, right?

[00:21:47] Cause we know things are going to happen as we said, but I'd love to hear from you an example of where you had an organization and we don't need to get into detail of who it was, what happened, but more about the realization that either from an type of incident that occurred or just the buy in they ended up getting.

[00:22:04] an understanding of the value to actually put resiliency in place that helps them minimize the impact that helps them continue to operate as best possible while then they're moving to the kind of next phase of recovering as quickly as possible. So focus on that aspect of minimizing impact and buy in that you receive from an organization, individual, whomever.

[00:22:24] Bindu: Yeah. So, you know, I'll tell you this, like, you know, um, incident response plans, right? So, um, you know, every organization has some form of it, right? So we all know that, but it's typically not always the case. sort of focused on that two critical areas, right? So the first thing is, do you have a tiered recovery plan?

[00:22:48] Like when I talk about that, incidents are going to be at different levels. You might have a minor disruption to a full scale breach, right? So these plans that you have should ensure that your most critical business functions. Or backup, but then you need to have a tiered recovery plan. So, for example, does your customer service come first or your financial operations come first?

[00:23:14] Does your financial operations come first or does your supply chain management come first? So how do you maintain operations and quickly restore if you have one incident response plan that you apply across different types of incidents and you don't really have Sort of that tiered model, right? So one of the things I would urge organizations to look at is implementing sort of a tiered recovery plan because gone are the days when you're, an incident is going to affect only certain part of your organization.

[00:23:52] Gone are the days where it's, it's going to be just one level, right? You're going to have, you're going to uncover Sort of the layered breach scenario. So you need to have plans that are sort of layered as well. Then the other thing I would say is, you know, we have seen organizations that keep repeating sort of their tabletop tests and they'll do these, you know, standard scenarios, right?

[00:24:16] Like check me for ransomware, check me for a phishing attack. And while that is great, right? You need to evolve those scenarios to something that is. Definitely more current and more nuanced, right? Like, for example, if you've, um, you know, invested in OT, for example, if you have new medical devices, if you have, let's say, a different channel through which you're retailing, if you have a different payment mechanism, make sure that your incident response tabletop scenarios.

[00:24:48] are reflecting how your business has changed, right? So one of the things that I often discuss is there is no point in us just rehearsing the same thing that we've rehearsed every six months and sort of having this feel good moment, right? Yeah. My, you know, incident response plan is working. My BCP is working.

[00:25:08] My DR plans are working. Have you really pushed Your tabletop scenarios to become more realistic. Have you really looked at when you are, you know, we all think about engaging stakeholders. Have you really involved cross functional teams, right? So one of the ways that you can minimize impact when sort of that crisis hits is You've really involved the cross functional team, and I'm not talking just the IT team, not just the doers, right?

[00:25:42] You have to really involve IT operations, legal, PR, executive leadership in these exercises. And you have to think about what is minimum viable operations for your organization. That means you need to keep these Five core functions running at a basic level during an incident. So, you know, we work with a lot of clients to help them establish that, right, because a knee jerk reaction is every single thing is important, right?

[00:26:13] I need to be back up fully, like how I was, while that is, you know, uh, a great goal at the end, it's not practical, right? You need to define what is minimum viable operations. For your organization, what is your essential business function? Like, for example, if you're a financial service firm, you might prioritize basic transaction processing and customer communication, um, and make sure those are the top two functions, let's say, let's has to come first, right?

[00:26:43] If you do not identify what I call your MBO, what happens is. You're not able to prioritize resource allocation and response efforts, then you will not be able to focus on getting those critical systems and data recovered first. And we really have to think about essential and non essential. Services within our organization, and I would encourage every organization to think of this and be realistic about that goal, right?

[00:27:13] You cannot really set up a goal where you want everything back online immediately. And then you're also going to be looking at things like, you know, Hey, this organization lacks segmentation, right? There's no way you can come back up, right? So some of those fundamentals, you need to go back and take a look at it.

[00:27:31] After you set this minimum viable operations and say, Okay. So these are the five things I want back up immediately when there is an incident. And so that is dependent on, you know, one, two, three factors, for example, availability of, you know, let's say a third party support that you might need availability of segmentation within your network.

[00:27:54] So you can contain that incident. Do you actually know, and have you rehearsed this so that you know what your Ideal response time is right. So these types of activities while until an incident happens does not feel critical as a concept. In reality, every organization that has planned this and rehearsed it and pushed the, the objective is not for your tabletop exercise to go smoothly every And you get a check.

[00:28:27] I would actually encourage to see, let's see how we can make you fail that tabletop so that when real situations occur, you're better prepared. Right? So don't sort of, you know, go into this sort of false aspect of saying, okay, you know, I'm just going to run through these scenarios and go through this with the same audience that knows this.

[00:28:47] Because in a real life scenario, it's never going to be that known audience that you rehearsed it with, with that limited sample. And it's never going to be exactly sort of that cookie cutter scenario with injection triggers, right? If that were the case, we should be recovering from every incident in minutes, right?

[00:29:04] And that's never the case. 

[00:29:05] Rob: Bindu, I think, you know, you gave great examples there, especially as it relates to the tabletop exercises and being a feel good moment. Hey, let's throw these wrinkles in there. Let's make these changes, uh, and, and, and really press upon what you have to be thinking about differently, continue to evolve those exercises.

[00:29:21] And I think there's a good example we had recently on a previous episode as it related to a wrinkle they threw in, which was the type of incident they were dealing with. Actually, if they communicated that out. To government officials could have actually really impacted them negatively as related to their response because two of their key team members may have been called into the National Guard response need.

[00:29:43] So it's just thinking differently. But another key aspect as you were conversing there on that minimize the impact is how you tied it back to again. The business side of it, everything you were discussing was the operational impact of particular parts of our business. And I think that's, what's really again.

[00:30:01] Made it come to fruition and the realization of value around digital resiliency. So Bindu, it's been a pleasure having you on. I'm really glad that we're able to have this conversation and show how it's actually really been further adopted. Um, a lot of great further opportunity in front of us all to really start shaping and re reaching or reshaping, I should say, the culture.

[00:30:21] And many organizations to take this approach. So thank you so much. 

[00:30:25] Bindu: Yep. Thank you. It was great having this conversation and, you know, little by little, we are going to get there to the digital resilience and digital trust. So thanks. 

[00:30:33] Rob: Absolutely. One step at a time. Thank you.