The paramount theme of this podcast episode revolves around the critical necessity of preparing for crises within cybersecurity frameworks. As we navigate an increasingly chaotic landscape, it becomes evident that security must be accessible and comprehensible for all stakeholders involved. We engage in an enlightening dialogue with our esteemed guest, Joe Sullivan, who elucidates his remarkable journey from a federal prosecutor to a prominent figure in security leadership across major tech enterprises. Throughout our conversation, we emphasize the importance of cultivating resilience in the face of potential adversities, advocating for a paradigm shift from mere prevention to proactive crisis management. This episode serves not only as an exploration of individual experiences but also as a clarion call for organizations to invest in robust preparedness strategies to mitigate the impacts of inevitable security incidents.
In this episode of the Security by Default podcast, host Joseph Carson interviews Joe Sullivan, a prominent figure in cybersecurity. They discuss Joe's journey from a federal prosecutor to the Chief Security Officer at Facebook, exploring the challenges and expectations in transitioning from government to private sector roles. The conversation delves into the evolving landscape of cybersecurity, the impact of ransomware, and the importance of crisis management and preparedness. Joe shares valuable lessons for aspiring security executives and highlights the significance of understanding technology in leadership roles. The episode concludes with Joe's current projects, including his nonprofit initiative, Ukraine Friends, which provides laptops to children affected by the war in Ukraine.
Takeaways
Sound bites
Chapters
Additional Resources:
https://www.joesullivansecurity.com/about
https://ukrainefriends.org/
https://www.linkedin.com/in/joesu11ivan/
https://en.wikipedia.org/wiki/Joe_Sullivan_(cybersecurity)
The discourse presented in this episode of the Security By Default podcast delves into the intricacies of cybersecurity through a rich narrative framed by the experiences of Joe Sullivan, a distinguished figure in the cybersecurity landscape. The conversation commences with a reflection on the current state of security in a world rife with chaos and challenges, emphasizing the necessity for clarity and preparedness in addressing security concerns. Sullivan recounts his unique journey into the realm of cybersecurity, marked by an initial aspiration to pursue law, which ultimately led him to blend his legal expertise with a burgeoning interest in technology. This intersection of law and technology is pivotal in understanding the evolution of cybersecurity practices, as Sullivan highlights the early days of his career at the Department of Justice, where he was thrust into the intricate dynamics of cybercrime prosecution. His narrative underscores the significant shifts in the cybersecurity landscape, illustrating how the role of cybersecurity professionals has evolved into one that requires not only technical prowess but also a profound understanding of business operations and risk management. As the discussion unfolds, listeners are introduced to the concept of operational resilience, a theme underscored by Sullivan's experiences at major corporations such as eBay, PayPal, and Facebook. He elucidates the necessity for security leaders to transition from a purely defensive posture to one that encompasses proactive crisis management and resilience building. Sullivan’s observations regarding the expectations placed upon security professionals in the private sector contrast sharply with his experiences in government service, where the pace and metrics of success differ markedly. This dichotomy serves to illuminate the complexities faced by modern security executives who must navigate not only the technical challenges of cybersecurity but also the imperative to align their strategies with broader business objectives. In conclusion, the episode encapsulates the essence of security as a multifaceted discipline that extends beyond mere technical solutions. Sullivan advocates for a paradigm shift in how organizations perceive and invest in security, urging a balanced allocation of resources towards both prevention and crisis preparedness. His insights serve as a clarion call for security professionals to engage more deeply with the business side of their organizations, fostering a culture where security is seen as an integral component of operational success rather than a mere compliance obligation. The conversation ultimately reinforces the notion that in the face of evolving threats, a proactive and well-prepared security posture is paramount for organizational resilience and success in an increasingly digital world.
Hi, everyone.
Speaker A:Welcome back to another episode of the Security By Default podcast.
Speaker A:It's all about making sure that security is possible for everyone.
Speaker A:And we live in a world of chaos and challenges, and sometimes it's hard to see the light.
Speaker A:And this podcast is all about bringing the clarity and, you know, to, you know, be able to see through that challenges and see the light at the end of the tunnel.
Speaker A:And I'm always looking for interesting guests and interesting topics in order to help educate the world and help make sure that security is possible for everyone.
Speaker A:And that also kind of gives some of the trends and what's happening in this, in.
Speaker A:In this.
Speaker A:And I'm really excited about having an awesome guest, somebody who I've seen speak a few times in the past, someone that I bump into the hallways at some of the major conferences around the world.
Speaker A:So welcome to the show.
Speaker A:Joe Sullivan.
Speaker A:It's an awesome and an honor to have you on the show today.
Speaker A:Do you want to give the guests a bit about your origin story?
Speaker A:Because I usually like to hear, you know, from guests here the first time in the episodes in the podcast about how they get into this crazy world of cybersecurity and what were some of the kind of the interesting journeys that you've had through the time.
Speaker B:Sure, yeah.
Speaker B:Thanks.
Speaker B:Thanks for having me on.
Speaker B:I would say, like a lot of people in security, I didn't especially, maybe in our generation, didn't go to school specifically because I wanted to do cybersecurity, because that really wasn't the.
Speaker B:Really wasn't a program back then.
Speaker B:It was more just like a passion for technology.
Speaker B:And that kind of led down that path.
Speaker B:The interesting thing for me is that I, I grew up always wanting to be a lawyer from the time I was a kid.
Speaker B:And I don't really know why, because I didn't actually know any lawyers, but I'd gotten in my head that being a lawyer might be cool.
Speaker B:And so I, I was just focused all the way on going to law school.
Speaker B:And so I did.
Speaker B:And I had in my head that I was going to go to law school and then I was going to go into government service.
Speaker B:And that's what I did right out of law school.
Speaker B:While I was still in law school, I applied for something called the U.S. department of Justice Honor Law Grad program, which was the only way you could get into the federal Department of Justice straight out of law school.
Speaker B:It's a high bar to work for the U.S. department of Justice.
Speaker B:And I was very lucky to be able to get into.
Speaker B:Get in that Program.
Speaker B: And so I started my career in: Speaker B: etting into technology was in: Speaker B:I moved.
Speaker B:I had originally been with the Department of Justice in Miami, where I went to school, and I moved to San Francisco.
Speaker B:All of a sudden I was in the middle of these political asylum cases where people were saying that they'd been facing persecution to the United States government.
Speaker B:And I was assigned to kind of look into a bunch of these cases.
Speaker B:And they were saying I faced persecution in this country for this political act or this religious act.
Speaker B:And it was people from all over the planet telling stories that I'd never heard about social disruptions and things.
Speaker B:I started going on the Internet.
Speaker B: I think originally in: Speaker B:We had like a Department of justice email system and things like that.
Speaker B:I think we used Wang wp.
Speaker B:We couldn't even email the outside world, but we could email with inside the Department of Justice.
Speaker B:So we had all this interesting old technology.
Speaker B:We were also.
Speaker B:I think that was back when in those years the Department justice took.
Speaker B:Had an antitrust suit against Microsoft.
Speaker B:So we weren't allowed to use any Microsoft products.
Speaker B:So we had all kinds of interesting tech.
Speaker A: ld be challenging back in the: Speaker A:At least, you know, desktop computing.
Speaker B:Yeah.
Speaker B:And so I. I could.
Speaker B:I started doing online research, and it helped me so much in the cases.
Speaker B:And so I asked the Department of Justice, let me have a direct Internet connection to my desk.
Speaker B:And they said, we do allow that.
Speaker B:And eventually I. I convinced them, but they.
Speaker B:They put all these special rules in.
Speaker B:So I was the only person who had direct Internet connection, but I wasn't allowed to connect my government computer to it.
Speaker B:And, you know, it.
Speaker B:Nobody really knew what they were doing, what they allowed me to do.
Speaker B:But so.
Speaker A:So you really started OSINT literally, you know, back in 19, and then 95 was OSINT, which is.
Speaker A:Is a kind of major area of expertise these days.
Speaker B:Yeah.
Speaker B:And it was.
Speaker B:Sometimes it was just simple things, like someone was seeking, as from, say, the Punjab region of India, and they wanted.
Speaker B:And they said that they were a member of the Sikh religion and that there had been this persecution and I'd be able to look up and understand what's the Sikh religion, what are the.
Speaker B: pened at the Golden Temple in: Speaker B:You know, like, I was.
Speaker B:I was able to do all this research and then could go into the courtroom, like with a, with a foundation that other people didn't have.
Speaker B:And so it just, I ended up doing research for myself.
Speaker B:I ended up doing research for the other attorneys.
Speaker B:And it just kind of went from there.
Speaker B: Before you knew it, in: Speaker B:So I moved down to Las Vegas to be a frontline federal prosecutor.
Speaker B:And within a month they said to me, oh, we're supposed to have one high tech prosecutor in the office and you're the only one who has a computer on their desk, so you're the high tech prosecutor.
Speaker B:And then they gave me all this awesome training and next level equipment and I started spending all my time with the FBI CART team and all the forensics people for Secret Service doing e crime stuff.
Speaker B:So I just got thrown into the deep end of technology crime.
Speaker B:In the late 90s, I think I prosecuted the first ever federal ebay fraud case.
Speaker B:Went after where sites where everyone was downloading the software from had to deal with some child exploitation cases.
Speaker B:Unfortunately, those cases existed back then too, and dealt with.
Speaker B:I think probably the biggest hacking case I dealt with was a hack of NASA's JPL, the Jet Propulsion lab in Pasadena.
Speaker B:And the attacker happened to be not too far from where I was.
Speaker B:So I worked with NASA's.
Speaker B:NASA actually has a little law enforcement agency inside them that had a cyber one investigator who I worked with on that case.
Speaker B: got recruited over to eBay in: Speaker B:And I was in this weird space where I was like, am I a lawyer?
Speaker B:Do I like doing the fraud stuff?
Speaker B:Because at ebay I had a bunch of different hats that I wore.
Speaker B:I oversaw our fraud investigations team.
Speaker B:I oversaw the team that decided the policies for what you could sell and not sell on ebay.
Speaker B:And then I also was doing some legal work.
Speaker B:Finally, you know, after bouncing back and forth and like, legal hat, security hat, what is it?
Speaker B:Facebook.
Speaker B: I joined Facebook in: Speaker B:They asked me to become a chief security officer.
Speaker B:So I just, I left the legal hat behind and went all in on building security teams.
Speaker B:And that's what I've been doing ever since.
Speaker A:Fantastic.
Speaker A:I mean, that's really, it's impressive.
Speaker A:I always find it, you know, really interesting when you're starting off on the legal side as well, from the government side.
Speaker A:How was it that transition from government to, you know, the private industry and you Know, and such a large company at the time at ebay.
Speaker A:How was that transition experience?
Speaker A:And then also moving more into the, you know, the security side of things.
Speaker A:What did you, you know, what was the skills that you learned that was important at the time?
Speaker B:Yeah, those are good questions.
Speaker B:I would say, first of all, like, for most, it was not a typical path for a federal prosecutor to go move into a tech company.
Speaker B:But there were a couple of people who'd done it, and there was one who I really looked up to, and he was, he had been a federal prosecutor.
Speaker B:He prosecuted Aldrich Ames, the spy and the CIA.
Speaker B:He'd done a lot of really high profile stuff himself, and he was running the trust and safety department at ebay.
Speaker B:And so he was kind of a mentor to me and he talked to me and helped me on the transition.
Speaker B:I will say it was a shock to the system to go into work in a corporation because I had figured out how to get by in the government.
Speaker B:You know, I was doing well.
Speaker B:I had as the first full time cybercrime prosecutor in the country.
Speaker B:I got to do all kinds of interesting cases, got to travel a lot.
Speaker B:I worked on the 911 investigation, got to speak at conferences.
Speaker B:It was a very exciting new world.
Speaker B:And then I went into a corporation and I had no idea how corporations worked.
Speaker B:I didn't know the difference between a marketing department, a sales department, a product team versus an engineering team versus.
Speaker B:I just didn't even know how you would like what the jobs were that people did inside corporations.
Speaker B:And so I had to learn it all on the fly as I, as I was kind of like navigating, doing a job there.
Speaker B:I joke with people that I got an MBA through osmosis after spending the last 25 years inside corporations working, you know, working for them.
Speaker B:I've worked for so many different excellent companies and now advise and consult with amazing companies.
Speaker B:And so I've seen now, like, I know how corporations work.
Speaker B:I know how CEOs think, I know what the role of a security function is.
Speaker B:I know what the role of marketing is, you know, and so on, just.
Speaker B:But it took a while.
Speaker B:And I would say the other thing that was a shock was expectations in terms of impact.
Speaker B:I hate to say it, but you know, in the, in the federal government, even in what I thought was like the elite federal prosecutor world, not everybody worked really hard, I'll say that, but people had balance in their life and the government pay wasn't like the expectations in the private sector.
Speaker B:But when I jumped into tech, the expectations were so High.
Speaker B:I remember my first performance review with my mentor and manager at ebay and he said, how do you think you did?
Speaker B:And I said, I worked harder than I've ever worked in my life.
Speaker B:I was, you know, I was in here at 7 every morning and I definitely never left before 7pm and he's like, Joe, I don't care how hard you work.
Speaker B:What did you get done?
Speaker A:Yeah, what, what, what was, what was the impact that you had from, from that time?
Speaker B:You know, but then that was such an eye opener for me.
Speaker B:It's like it doesn't matter how fast I, I run, it matters like what, what I accomplish.
Speaker B:And so that, that was, that was interesting.
Speaker B:And I just, I kept learning and growing from that.
Speaker B:And it's good, it's good to be around people that have high, high expectations because it definitely pushes you more.
Speaker A:Absolutely.
Speaker A:I always find that some of, some of my most valuable lessons throughout my career has all been about the people that I've worked alongside and the knowledge that they've shared and sometimes the feedback that they've given to me as well.
Speaker A:It really helps shape a lot of my path in this industry.
Speaker A:One question I've got for you is that, you know, in ebay, of course it's very clear with ebay we always find that in the security industry there's always, you know, the financial side of things.
Speaker A:So of course it's very clear into, in the ebay side is that you would be, you know, looking at potential frauds in the systems and, you know, you know, what, you know, products that you know, would be sold in the platform and so forth.
Speaker A:As you move from ebay into the likes of Facebook at the time, which is a very different type of platform, what was the transition?
Speaker A:What was kind of was the positions similar from ebay to Facebook or did they change significantly because, you know, the platforms do operate, you know, one's a marketing platform, you know, the ones, you know, a good platform, let's say, or a product platform.
Speaker A:What was the transition between those like?
Speaker A:And that was you were really moving away from being, you know, the legal and privacy and trust side of ebay into the security officer role.
Speaker A:Was that a big transition?
Speaker A:Was it also kind of a major shift in kind of in the industry as well?
Speaker B:It's funny, a lot of people who work in cybersecurity have spent most of their career in business to business or in companies that are focused on delivering products to other companies.
Speaker B:I, until I went to Cloudflare, my last CSO stop, I always worked in B2C.
Speaker B:So eBay was a platform where consumers were buying PayPal, consumers would use to pay for things and send money to each other.
Speaker B:Facebook obviously, is a social network, and Uber, you know, is also a platform that consumers use.
Speaker B:And I think it's.
Speaker B:It's a little clearer in the consumer world than the B2B world.
Speaker B:The importance and how privacy and security work together in terms of.
Speaker B:They add a lot to the like.
Speaker B:In the business world, we think a lot about frameworks and compliance and things like that.
Speaker B:And there's a lot less of that in B2C.
Speaker B:But what there is is a consumer expectation and the need for a company to invest in their brand around safety.
Speaker B:And so that was, I think, a really big part of what.
Speaker B:When I think about my years at eBay, PayPal, Facebook, Uber, being an advisor, DoorDash and Airbnb and other companies like that, they were all very consumer focused.
Speaker B:And so they were investing in thinking about privacy and security and safety kind of hand in hand in hand.
Speaker B:And it helped me a lot to think about fraud plus human risk.
Speaker B:Like when I was at ebay, we worried about bringing together people who'd never met each other, first virtually, but then later on when we owned a part of Craigslist and we had other classified sites across the planet.
Speaker B:And if you start bringing together people in the physical world, then a lot of interesting risks come up.
Speaker B:And so I was always thinking about physical world risks, fraud risk and traditional, what we call trust and safety risk, and then cyber risk.
Speaker B:So it was just like thinking about it from a few different angles at once was probably made for a steeper learning curve.
Speaker B:But a lot of lessons that in one discipline you can learn something that can help you on another discipline.
Speaker B:And that, that really for me was.
Speaker A:Was the fun part from the organizational structure was, was your role reporting into the executive team like the CEO, Was it reporting into the CIO or the board?
Speaker A:Did you have a role in the board side?
Speaker A:Because we've seen that over the years.
Speaker A:We've seen many companies redefine the CISO in different areas where, you know, might fall into the cio, might get, you know, if the company wants to accelerate it much quicker, they might put it directly into CEO.
Speaker A:Has yours.
Speaker A:Where has your role fallen in with the organizations?
Speaker A:From a structure.
Speaker A:And an question to that as well is what was your.
Speaker A:How did you measure success?
Speaker A:Because you said, you know, earlier it was really important to kind of, as you transition from government into the industry and private industry on the corporation side, that it wasn't about working harder and longer.
Speaker A:It was about how your results were impacted.
Speaker A:So what way did you measure?
Speaker A:What was some of the metrics you had?
Speaker B:Yeah, I learned a lot about measurement and getting things done from, from the earliest days at ebay.
Speaker B:When I started at ebay, the trust and safety department and the idea of the trust and safety department was, were all pretty new concepts.
Speaker B:We were figuring it out ahead of most companies because we were dealing with these new sets of risks with this new online world.
Speaker B:And when I started in trust and safety, I reported to the head of trust and safety and he reported to the general counsel.
Speaker B:And I think that was a legacy of the fact that he, he had come from being an attorney himself.
Speaker B:But then not too long after I was at ebay, they moved us under the coo and that was intentionally done to drive more discipline and accountability around metrics and getting things done.
Speaker B:So like our, our COO at, at, at ebay, I think of him really as, it's interesting, in a modern company he'd probably be the CTO because he was the technical leader.
Speaker B:But he, but for ebay, that was a lot of operations work and infrastructure work and front end work on the website and stuff like that.
Speaker B:And so, but he was a, he was a really good leader when it came to what are the operational metrics, how do we measure the impact of what we're doing and things like that.
Speaker B:And, and so from him, Maynard Webb, the COO back at eBay, we got a lot of discipline and accountability.
Speaker B:And one of the things I've seen over and over again is that different types of abuse have different mechanisms for capturing and measuring.
Speaker B:And for example, in the world of fraud, you have these things called chargebacks or reversals of payments because, you know, because of the fact that there is a third party evaluating the transaction outside of you.
Speaker B:And people have a way to go and, you know, file and say this was an unauthorized charge or it was an excessive charge.
Speaker B:And because of that, in the fraud world, we have very, very good measurement metrics.
Speaker B:We, we know what percentage of bad transactions go through because we pay dollars for, for each one that we, we fail to stop.
Speaker B:And so in, in the world of fraud, my dialogue with the CFO is a lot more fun than my dialogue with the CFO around cybersecurity risk.
Speaker B:Because in the context of fraud, I would say to the cfo, okay, for, for next year's budget, if you give me a million dollars, I'll reduce our fraud by this many basis points.
Speaker B:And they'd be like, wait, A minute you're saying if I give you a million dollars, you'll reduce fraud by 5 million?
Speaker B:And I'll be like, yes.
Speaker B:They're like, oh, that's a no brainer.
Speaker B:Why don't I, I'll give you 5 billion instead of 1.
Speaker B:The CFO is trying to give me more money to get me to sign up, to make more fraud go away.
Speaker B:They're literally pushing money at me.
Speaker B:Whereas over on the cybersecurity side, like, you know, we've got to tighten up these firewalls, we gotta clean up these endpoints, we gotta invest in our single sign on.
Speaker B:And they're like, well, quantify the risk for me.
Speaker B:If we don't invest this money, how much are we gonna lose?
Speaker B:And you're like, I don't know, it's like quantifying risk in cybersecurity.
Speaker B:Like, we do know what the downside risk is more than ever now in terms of like, there's so many concrete examples of companies that have had major cybersecurity impact in a negative way.
Speaker B:I mean, just think of Jaguar Land.
Speaker A:Rover in the last huge, in excess of a billion.
Speaker A:And that's not even including the supply chain impact as well.
Speaker A:Local vendors, suppliers, even the companies are providing meals to the, you know, the employees that would have been typically working the whole supply side.
Speaker A:And you know, it's, it's, it's always hard to watch those types of scenarios, you know, because you can only think about, you know, the employee and the mental health side of things because that also has a, you know, an impact to people's personal lives as well.
Speaker A:So it's, you know, and we do, but you're absolutely right, we can quantify the value and the risk to organizations because we've had many cases, you know, that we can use that as a learning or, you know, input into the probability and quantifiable risk.
Speaker A:Yeah.
Speaker B:And I think something changed fundamentally in the last five years.
Speaker B:Ransomware changed everything.
Speaker B:And so when we Talked about risk five to 10 years ago, when we were meeting with the CFO, we were talking about data leaving the building and it was actually pretty hard to quantify.
Speaker B:What's the list?
Speaker B:What's the risk if we lose our customer database with their, with their credit card information?
Speaker B:Most consumers just roll their eyes and move on after they get another consumer.
Speaker B:No data breach notification.
Speaker B:They're just like, what am I supposed to do?
Speaker B:My credit card's going to protect me, hopefully, and I'm just going to go on with my life.
Speaker B:And ideally there's no identity theft, whatever.
Speaker B:Like that.
Speaker B:That used to be the.
Speaker B:When we would meet with the cfo, that was the worst case scenario.
Speaker B:Ransomware changed everything because now it's about operational resilience.
Speaker B: ecurity has kinetic impact in: Speaker B:There might be a little harm to the company.
Speaker B:But mostly companies that had data breaches, there were data leakage.
Speaker B:The company just chugs right along and the impact fades over time.
Speaker B:Companies that had the operational impact of being forced to shut down for a period of time, if they recover at all, it's a hard journey and the cost is so much more.
Speaker B: at are a little bit easier in: Speaker A:Absolutely.
Speaker A:It's a financial loss to the company, and that's what you can really measure these days.
Speaker A:But there's those implications that it does have a financial impact of business.
Speaker A:When you can't serve your customers or your site's down or your services offline for a period of time, there is the value.
Speaker A:And I remember, you know, even 10 years ago, I remember having a conversation.
Speaker A:I always find that my conversations with the CFO were the most valuable over the years, is because they were the best at quantifying risk.
Speaker A:That's what they're.
Speaker A:They were looking at the numbers and they could actually really understand about if this service was offline for two days, they could tell you right away how much that would impact the business financially.
Speaker A:And that's what we always had to look at, is that, well, we're not doing security for the sake of security.
Speaker A:It's.
Speaker A:It's not, you know, security isn't the business by itself, but it is a business that basically supports the other lines of business.
Speaker A:And I always try to see it as a service.
Speaker A:It's a part of the service.
Speaker A:And therefore you look at, you know, what is the service basically supporting from a business revenue perspective or from a, you know, critical infrastructure perspective.
Speaker A:And that's where you start really getting the quantified quantification.
Speaker A:It's interesting.
Speaker A:One of the things you said earlier, you know, that you originally reported into the legal counsel.
Speaker A:I've seen actually, you know, more recent years, the CISO reporting what used to be CIO and CEO reporting now back into legal counsel.
Speaker A:A lot of, I kind of guess A lot of the reasons is those CISA roles are becoming more of a governance and compliance role in order to meet regulatory.
Speaker A:There's a lot of more regulations now it applies.
Speaker A:Is that something you're seeing again happening, you know, that, you know, where it does make sense, you know, to be from a risk perspective?
Speaker A:Is that something you're saying as a trending area and does it make sense for the organization?
Speaker B:Well, I, I think there are a couple of important trends happening here.
Speaker B:I'll tell you one of the trends that's happening is that especially in Silicon Valley tech companies, this, the CIO role is fading away and the security executive role is growing dramatically.
Speaker B:And talk about both of them, in many ways the CIO role is diminished because so much of what the CIO traditionally did has been, has moved to SaaS apps.
Speaker B:And so like I don't want to be demeaning of the CIO role, but in a lot of tech Companies now the CIO's responsibility is, you know, keeping the conference rooms working and the SaaS apps running and some backend infrastructure.
Speaker B:But so much of it is outsourced now and the role became less strategic.
Speaker B:I do a lot of projects where through my security consulting business, we help fast growing startups build out security.
Speaker B:And it sort of, I think engaged with three different companies now at different stages of that where we, we help them hire security.
Speaker B:It some help desk people, some security people with different skill sets and as we, as we build and so I think a lot about like at a, at 100 employees, do you, do you need a dedicated security person?
Speaker B:Do you need dedicated it person?
Speaker B:What do you need at 200 people, what do you need at 500 people?
Speaker B:And so on.
Speaker B:And you just don't get to that place where you're like, oh, we really need a cio.
Speaker B:But you do get to a place where I, I really need somebody who has good judgment around security within that first couple hundred people.
Speaker B:And so the big trend that I'm seeing is that the security leader is taking over it.
Speaker B: Cloudflare in the tail end of: Speaker B:And so I think I can think of four of them right now and I'm pretty sure all four of them have security.
Speaker A:And it, yep, it's almost like a security architect in many cases because it's all about, as you're mentioning that they're moving to SaaS, they're moving to cloud infrastructure, moving to edge computing, Everything's running in the cloud.
Speaker A:So therefore the real role is about how do you connect all those clouds together in a secure way.
Speaker A:So you know, thinking about it from a security perspective, but also from an architecture perspective, how's all the plumbing and workflows work, how's all the APIs and integrations work?
Speaker B: hat so many of our attacks in: Speaker B:And so a lot of security leaders have reached in and pulled identity out of it in the last decade of their own volition.
Speaker B:Just being like wait a minute, it is not investing enough in identity, I'm going to take it over.
Speaker B:Like when I was at Uber we had a software engineering team that was redoing authentication for all of our customer auth and we did that.
Speaker B:Like we stepped in and took it over because we needed stronger, you know, we wanted to have good multi factor authentication at every auth flow.
Speaker B:We wanted to be able to get the data from the authentication because we needed it for dealing with fraud safety and cybersecurity risk.
Speaker B:And so like I, I just went to our CTO and said like you good with us taking over identity?
Speaker B:And they're like, you're going to invest in it, great, I can focus on something else.
Speaker B:So that, so anyway, that, that trend of like security growing in importance as it has diminished in importance has been interesting.
Speaker B:Security is also growing in importance a lot because of the way risk has evolved.
Speaker B: already talked about like in: Speaker B:During COVID was a time when a lot of security leaders stepped up and helped their companies pivot the way the company worked.
Speaker B:That was well time to shine for a lot of security leaders and they have.
Speaker B:And then as we came out of COVID these new risks, like introducing AI into the enterprise were start.
Speaker B:There are just so many new complicated risks.
Speaker B:And what I see with CEOs is that they see that cybersecurity and just security in general is a exec level responsibility.
Speaker B:And so the other trend I'm seeing is that security leaders are moving closer and closer to reporting to the CEO.
Speaker B:At my last two companies, at Uber and at Cloudflare, I reported to the CEO and I felt like I was so much better able to do my job.
Speaker B:When I reported to the CEO because I was in the room, I got to hear the debates about new business opportunities and I got to be in the debate arguing for and against because when you get to that level, it's not just your job to point out the risk, it's part of be part of the business deciding team on what to do, not just what not to do.
Speaker A:Absolutely.
Speaker A:I think it's really important to have somebody with a security voice that can communicate to the board because not every organization has someone on the board that is security knowledgeable.
Speaker A:So sometimes it is important to be able to.
Speaker A:Sure.
Speaker A:And to advise and to consult in decisions because they're primary focus on a risk side.
Speaker A:And I think it's really important to have the cybersecurity voice, the risks from the technology perspective and.
Speaker A:Absolutely.
Speaker A:I've seen over the years where security all was set in the IT side.
Speaker A:It was always about technology.
Speaker A:Now technology is so much ingrained throughout the entire business.
Speaker A:It's not just about, you know, putting desktops in people's rooms and in homes, but it's now about every piece of service that runs through the business, from sales, marketing to engineering to production.
Speaker A:Now it depends on technology.
Speaker A:So the more ingrained it becomes across all those different parts of the business.
Speaker A:Absolutely.
Speaker A:It should be an executive responsibility and that's why it's important to have, have those voices in the room.
Speaker B:Yeah.
Speaker B:And I think it's the wrong path when people go down like, oh no, the role's becoming less technical and it's more about business judgment.
Speaker B:Look, every single executive in a company needs to understand technology needs to be strategic and go deep in their area of expertise, but is also expected to be a business leader.
Speaker B:It's not an either or, it's a both.
Speaker A:Yeah, absolutely.
Speaker A:So what's some of the, what's some of the lessons you've learned over the years?
Speaker A:For somebody who's coming into the scissor rules today, there's a lot of people I'm seeing that organizations are really establishing that is a core part of the function.
Speaker A:What, what lessons would you share?
Speaker A:What, what would be some of the, you know, the areas of things they should be learning about or focusing on or if they're a technical person, what should they be looking to to enhance their skills?
Speaker A:What would you advise CISOs from, from the lessons you've had over the years?
Speaker B:Yeah, I think a big challenge in our profession is often that you kind of, when you work in a security organization, the security organization sits off in a corner and works by itself and doesn't get enough exposure to the business side.
Speaker B:And even kind of like the strategic technology side, like why are we deploying a certain technology?
Speaker B:What's the benefit, how does it help us?
Speaker B:Why are we hiring hundreds of engineers building out a product?
Speaker B:The more we put our business hat on and understand what is the strategy of this company, what are we passionate about, the more that's gonna infuse your whole team.
Speaker B:So as part of my security consulting, I do get asked to mentor security executives.
Speaker B:And so I think I'm working with two security leaders at companies right now.
Speaker B:And I think the biggest challenge for them is often taking off their own hat and putting on the hat of the other executives to see where they're coming from and to understand why they're pushing something.
Speaker B:The business people aren't stupid when they do something that we think is stupid.
Speaker B:They're smart, they're thinking about some business angles.
Speaker B:They just didn't know about the negative angle because that's not where they spent all their time.
Speaker B:But they, they, they, they see three quarters of the pie and they need us to be a good partner and, and, and pull them in to the risk side.
Speaker B:We have a tendency to, in our, in our profession, like be an absolutist.
Speaker B:And the business, especially in technology and Silicon Valley, every single business that comes along, the only reason someone didn't do the business before wasn't because nobody thought of it.
Speaker B:It was because everybody who thought of it decided it was too risky, like there wasn't enough upside of revenue.
Speaker B:And then somebody new came along is like, hey, now that we have AI, we can actually build something that will do abc.
Speaker B:And you're just like, yeah, but the same risks still exist, so let's see if we can use the technology to reduce the risk too.
Speaker B:So like for, for a fast growing business, it's always about pushing into new areas of risk.
Speaker B:You're investing money in a new business line that is not likely to succeed.
Speaker B:And that's the nature of new business.
Speaker B:And we have to learn how to be a partner to that new business, not just the old business.
Speaker A:Absolutely.
Speaker A:I was, I always think of us, you know, in the security world as a very boolean.
Speaker A:Like, you know, it's either on or off.
Speaker A:We're very binary, yes or no.
Speaker A:But we always struggle with getting into having the conversation around what's your appetite for risk?
Speaker A:What's, what type of risk are you willing to allow and, or what do you want to mitigate or to at least offset?
Speaker A:And there's many different conversations around how to do that.
Speaker A:But we are very much, we were always the no, no, no, no, no.
Speaker A:We don't want to accept any risk.
Speaker B:Yeah.
Speaker A:And we have to learn how to adjust and find what's the balance so that the business can be at its most optimum to succeed.
Speaker B:Yeah, these don't always play out very publicly, but I think of an example from the news in the last couple of Weeks, you know, OpenAI launched a new browser and within 24 hours of them launching this AI enabled browser, their CISO had a big post publicly about how I read it.
Speaker B:And what I read was, we're sorry, we can't stop prompt injection attacks on our new browser.
Speaker B:And I'm like, wow, the conversations inside of OpenAI before they decided to launch a browser that they know is vulnerable.
Speaker B:Like, I would have loved to been a fly on the wall in those conversations because they decided to take some risk.
Speaker B:And then essentially a day after they launched it, you know, people were, were successful with prompt injection attacks and they had to come out and essentially apologize.
Speaker B:I mean, I don't know if they would characterize it an apology, but I don't like, clearly there they knew what they were doing when they launched it.
Speaker B:They knew that it was vulnerable, but they chose to do it anyway.
Speaker B:And because they wanted to get a product out there and have people iterate on it with them while they're solving, you know, the security issue.
Speaker A:Absolutely.
Speaker A:Sometimes it's not the whole great world of the secure by design, sometimes that's.
Speaker A:And which is a whole emphasis also, you know, by default as well.
Speaker A:It should always be the default.
Speaker A:It should always be on, everyone should have it.
Speaker A:That sometimes is still an afterthought for many products.
Speaker B:But, you know, at the same time, are we comfortable with companies putting out beta products that they label?
Speaker B:It's not like we're buying a car where, you know, if they sell us a car that doesn't have brakes, that's a real problem.
Speaker B:But if they put out beta software that is not 100% secure and they tell us it's not 100% secure, it's, you know, some of us still want to go play with that software and download it and see the possibilities and stretch it and poke at it.
Speaker B:And so what's the right balance and how do you message it and how do you communicate it?
Speaker B:A lot of the times this is what's happening behind the scenes in terms of new products being launched.
Speaker B:I just give up that example because it was very visible and obvious that there must have been something.
Speaker A:Absolutely.
Speaker A:I mean, we are in a race.
Speaker A:I think the whole emphasis from an AI perspective, it's who gets there first is going to dominate.
Speaker A:I think that's the perception that many of the organizations have and they want to be the first.
Speaker A:And I think this is what's pushing it.
Speaker A:I think they're, you know, just like OpenAI.
Speaker A:They're probably seeing others, you know, trying to, to get out there as well.
Speaker A:And it's, it is a race, you know, it's, it's the old going back to the VHS Betamax, you know, scenario is whoever gets there first, the HD versus Blu Ray.
Speaker A:We've seen this play out many, many, many times.
Speaker A:And now we're in the same, the same scenario doesn't mean one technology is better over the other, but does raise big concerns from a safety perspective.
Speaker B:Right.
Speaker A:You know, because if, if, if you get out there first with the car and you find that, you know, it is unsafe, then they end up having to have the massive, you know, cost of recalls.
Speaker A:In this case, it's, it's of course a patch.
Speaker A:Yeah, but interesting scenario.
Speaker B:Yeah, there, there's a lot of terminology in Silicon Valley for that, you know, getting out there first.
Speaker B:You know, we call it the, it's first mover advantage, you know, or that's the optimistic way to describe it.
Speaker B:And then the pessimistic is, we call it cookie licking.
Speaker B:You know, it's, I want to get out there first and mess things up so that nobody else can, you know, jump into our space, whatever.
Speaker B:I'm going to claim those cookies by licking them.
Speaker B:Not always pretty.
Speaker A:It's not always the best way, you know, and sometimes it can make or break decisions because, you know, I always remember back in the Betamax and the vh at times, you know, the Betamax was, I would say slightly better, but it just one had more, more customer base and that's kind of what you get to is.
Speaker A:And I think that's, again, we're back in that scenario is the more people you get using it, the more dominance you get, the more stickiness you might get.
Speaker A:Some people struggle with change.
Speaker A:So what things you're working on today?
Speaker A:I mean, you, you've, you're speaking a lot of events around the world.
Speaker A:You've done lots of speaking events recently.
Speaker A:Where can the audience find you in the, in the coming months and so forth?
Speaker A:Do you have any, any events that you're going to be speaking at coming up or any, any activities that you have coming on?
Speaker B:Yeah, right now I have a, I think three or four different ones.
Speaker B:I, I, yeah, I just got home from spending a couple weeks on the road more kind of like trying to recover from the past speaking and then thinking about the future.
Speaker B:But yeah, I have a. I really, I really enjoy my work these days because it's a mix of few things.
Speaker B:I spend.
Speaker B:I have my security consulting business, I have a team of a few people.
Speaker B:Sometimes I think I have eight different people who work with me and for me and we go, we do a lot of different projects with companies.
Speaker B:I work part time as a venture partner at a venture capital firm helping them on invest and then I do some advising of startups, founders, myself.
Speaker B:But then the public speaking is something that I set out to do intentionally.
Speaker B:A couple of years ago I was coming out of the Uber case and I wanted to get back on my feet and tell some of the lessons learned from that.
Speaker B:And then it's just kind of now that I spent a lot of time mentoring and working with security executives, you know, it's just constantly seeing new insights and get invited to share them in different contexts.
Speaker B:So this Friday, I'm flying to Australia.
Speaker B:Next week run, I'm doing what's called a masterclass.
Speaker B:We're going to get 20 CISOs in a room for four hours and we're just focused on building resilience to handle crisis.
Speaker A:Oh, fantastic.
Speaker B:A lot of our organizations get hit by crisis and we didn't invest enough upfront in managing the risk.
Speaker B:There are so many.
Speaker B:So we spent a lot of energy and a budget and security on prevention.
Speaker B:I'm a big believer that we need to anticipate crisis and prepare for crisis.
Speaker B:And if we do a good job preparing for crisis, we'll come out of it and our organization will come out of it.
Speaker B:And so for the masterclass, we're going to spend an hour talking about how you as an individual can be stronger when you face a crisis.
Speaker B:Then we're going to spend an hour on how do you build a security team that can be really strong and resilient during a crisis, prepared for a crisis with the tools and the equipment and the people who can jump in and put out the fires.
Speaker B:And then we're going to talk about how do you do it at a company level.
Speaker B:So it's a kind of whole progression of a day of thinking, not just like about reacting to crisis, but being intentional, like what are the people, processes, technology, training.
Speaker B:All of these things come together to make us strong in that moment of crisis.
Speaker B:So that's next week in Australia and then I come back home and finish the year.
Speaker B:I think there are a couple of little CISO events here in the Bay Area around kind of holiday parties and stuff.
Speaker B:Like that, that I'm talking at.
Speaker B:And then in January I'm going to go to, I'm keynoting a conference in Japan.
Speaker B:And now when we're talking about the risks around AI and I spent a lot of time, I've been advising, I've advised a couple of companies that were securing AI.
Speaker B:Le Cara and Pangea both got acquired last month.
Speaker B:I was an advisor to both.
Speaker B:So I spent a lot of time with both of those companies seeing, you know, how they were attacking prompt injection and the other types of risks that were still a challenge.
Speaker B:I've been asked to do some talks around how are security organizations thinking about all these different AI threats and how are we dealing with them and what are the controls we're putting in place, what's working so far, what's not, stuff like that.
Speaker A:Absolutely.
Speaker A:I do see AI as a massive regulatory compliance like a GDPR nightmare for many organizations because when you start letting your agents make decisions about what data they should have, you hope that they're going to be, you know, auditing and reporting themselves as a result of that type of access.
Speaker A:And you also, you reminded me of importance and apart as well, you messed about, you know, having, you know, preparing one of my roles in the past.
Speaker A:I used to work in ambulance service and for me that was always the case of, you know, you have, you know, and I, I operated the emergency phone line as well.
Speaker A:So ambulance service, emergency phone line.
Speaker A:And we also had, then had police and fire and you want to put your fire alarms in, you want to put your emergency, you know, phone lines in.
Speaker A:You want to make sure that one is, you can detect as quickly as possible.
Speaker A:That's fundamentally what you're, you've got your prevention tools and stuff.
Speaker A:But once the fire starts, you want to have basically the ability to quickly.
Speaker A:The quicker you respond and the same in an ambulance, if you basically contact the ambulance service, minutes matter and the quicker you respond, the less impact it has.
Speaker A:One is for the victim or for, you know, the property, whatever it might be that you're responding to and how you respond.
Speaker A:And that's where in those types of environments, emergency services, fire, ambulance, they train and prepare and do incident response and they simulate it as many, many possible possible scenarios as they can.
Speaker A:So that becomes by habit, it becomes part of their cultural DNA is response is something that they don't take time thinking about.
Speaker A:It's just that their body is and their mind is set to react in such a way that speed is essential.
Speaker A:And I think that's one of the things as you know, in IT and security and business side is that when we have to get into where it becomes habit is, we know immediately what to do, who to call, you know, how to respond, what's.
Speaker A:What's the flow.
Speaker A:And the more we get teams to operate like that, I would say that the impact of a lot of incidents will become less financially to the business or less to.
Speaker A:To.
Speaker A:To, you know, the operational side or the service side.
Speaker A:I think that's such an important, you know, training and role you're providing, because I think that's really where we need to invest is instances will happen.
Speaker B:Yeah, I make almost the exact same analogy.
Speaker B:I'll remind people, when you see a fire person run into a burning building, do they look like they're running into a burning building?
Speaker B:Do they look panicked?
Speaker B:How would you feel running into a burning building?
Speaker B:When I see a fire person running into a burning building, they look like, I'm just doing my job.
Speaker B:This is my job.
Speaker B:I'm prepared, I'm trained.
Speaker B:I have the right equipment.
Speaker B:I know, like, I know I've got people behind me, people in front of me.
Speaker B:I have the right tools.
Speaker B:Someone else's, like, we spent all light getting the truck ready.
Speaker B:I know where every piece of equipment is.
Speaker B:I know, like, they're calm because they're not.
Speaker B:They're not in a crisis.
Speaker B:They're just doing their job.
Speaker B:And that's like, we are going to have massive outages at our companies.
Speaker B:We are going to have massive attacks.
Speaker B:We have to be able to have that same calmness under pressure because.
Speaker B:But this is the frustrating part for me is that when I go and spend time with security, I look at their budget and I look at the team that they built.
Speaker B:They didn't build it for this crisis day, but at the end of the.
Speaker A:Day, they built it for prevention.
Speaker A:They don't want to have to deal with that.
Speaker A:And typically what happens, they don't have the resources of the training to deal with it.
Speaker A:You know, when the lights go off and the mess.
Speaker B:So the reason I do this training and why I've been doing keynotes and talking about crisis response is because I believe we all should go in knowing, like, no matter how big our prevention budget is, it's not big enough.
Speaker B:There are going to be compromises.
Speaker B:There's no company that's bulletproof to cyber attacks.
Speaker B:It doesn't matter where you are, how big your resources are, how smart your team is, whether you report to the CEO, you're going to have bad days, and you need to be able to Build an organization that's ready for bad days.
Speaker B:Too many organizations spend 95% of their budget on products and people who are good at prevention.
Speaker B:Like you walk the floors of the conferences, you don't see a bunch of people selling you products for dealing with crisis.
Speaker B:But we're, there are products and there are, there's a lot of ways that we can get ready for crisis and be intentional.
Speaker B:And we should be shifting more of our budget over to preparing for that.
Speaker A:Absolutely.
Speaker A:It reminds me of I recently did.
Speaker A:I'm a scuba diver and my kids started scuba diving recently as well.
Speaker A:So I went through the process of doing the rescue diving certification and again it was same thing is it's your, your training and preparing for the worst case scenarios that you can and to the point where you know all the possibilities.
Speaker A:When you see something, you know how to respond.
Speaker A:When equipment fails, you know how to respond and it should kind of, it goes through all of that and it gets so ingrained in your brain and then you get into the emergency first responder side as well.
Speaker A:So that's always about, you know, now you've, you've got a, I've got a victim or a patient how to deal with that.
Speaker A:And it was, when I was going through it, it had so many kind of similarities that I see in the day, the day to day world of security.
Speaker A:So for me it was a very valuable lesson to take something from a different field and to see though the overlaps that you have was always very, very interesting and educational for sure.
Speaker A:So tell me what's, what's for the audience, what's the best way for, you know, if they do have questions afterwards and they want to follow up and they want to learn more about.
Speaker A:You've got the Joe Sullivan Security company as well.
Speaker A:What's the best way for them to contact you or stay in touch and what's.
Speaker B:Well, yeah, technically you can get me through two different websites, Joe Sullivan Security, which is we use for the consulting business and some of the speaking stuff as well.
Speaker B:And then the only thing I didn't mention that I spend time on is I, I also run a nonprofit called Ukraine Friends.
Speaker B:Yes, we at Ukraine Friends we are all volunteers.
Speaker B:We take donations of, of laptop computers from corporations, used computers and we bring them over to Ukraine and we give them to kids who lost a parent in the war and are still doing remote schooling and things like that.
Speaker B:I went over to Ukraine, not too far into, into the.
Speaker B:After the full scale war started and was doing some volunteer work helping out and I immediately Saw that the kids, like, there were lots of medical equipment starting to flow into the country.
Speaker B:There's lots of military equipment starting to flow.
Speaker B:But the kids are still trying to do school.
Speaker B:They're still trying to, like, keep up with their education.
Speaker B:They're starting to stay connected with relatives and friends, even though it's not easy in a war zone.
Speaker B:And it's not like you can go online and go to apple.com and have a computer shipped to you and you know, in a war zone.
Speaker B:And so what we do is we ship these laptops over.
Speaker B:I think we have our biggest ever shipment going right now.
Speaker B:We call it our big, beautiful shipment.
Speaker B:Very big.
Speaker B:It's very beautiful.
Speaker B: nd so it's currently close to: Speaker B:We actually, when it's a smaller shipment of a couple hundred, sometimes we can fly them over to Poland and then drive them in.
Speaker B:When you're talking thousands of machines, we ship them over on a boat.
Speaker B:So I've learned a lot over the last few years about shipping lithium ion battery equipment across the planet and helping kids.
Speaker B:And that's.
Speaker B:So yeah.
Speaker B:UkraineFriends.org and Joseph.com and then, and then a lot of people message me on LinkedIn.
Speaker B:Still, I try and stay on top of that too.
Speaker A:Fantastic.
Speaker A:I'll make sure they actually include both.
Speaker A:You know, both will.
Speaker A:I'll.
Speaker A:I'll add it to the show notes as well so that at least people, if they want to learn more about the Ukrainian friends, if they want to contribute and help.
Speaker A:Because I know a lot of organizations, we go through life cycles of hardware and sometimes, you know, disposing them is sometimes one of the challenges and the doing it in a way that leads to a good cause and a great way because I completely, you know, lots of friends and peers look in different ways.
Speaker A:And me being based in Estonia, Estonia is a big area where, you know, supporting Ukraine in many different ways, I think it's a great thing.
Speaker A:And we definitely want to make sure that wherever possible to at least give the kids in a war zone a chance of a alternative future is something that we should all look to make that possible.
Speaker B:Yeah, I'll just say one word on this.
Speaker B:Like, it's been amazing.
Speaker B:Every single computer that we've shipped into Ukraine to give to kids came through some connection that I made through cybersecurity.
Speaker B:We build relationships with security executives at different companies and they step up, they look at the recycling practices of their company.
Speaker B:European companies like we, we've had Accenture in Europe donate laptops.
Speaker B:We've had Santander bank, we've had Suisse and now ubs.
Speaker B:We've had lots of US Banks.
Speaker B:Lots of tech companies in the United States have stepped up.
Speaker B:And in every instance, it's been someone who, you know, maybe they saw me talk at a conference and they're like, oh, I wonder what we do with our used laptops.
Speaker B:And you look and you're like, oh, we can peel off, you know, 50 laptops and ship them over.
Speaker B:And, you know, we make sure that the company has a good.
Speaker B:Most companies have pretty good recycling processes already in terms of making sure that nothing like the machines don't have data or something.
Speaker A:Absolutely.
Speaker A:I think it's really, you know, we think about it, you know, as one organizations, let's say waste can be somebody else's treasure and future.
Speaker A:So I think it's, it's a great cause.
Speaker A:So we'll definitely, I'll make sure to have that on the show notes so it's easy for the audience to go and find.
Speaker A:So, Joe, it's great catching up with you.
Speaker A:It's been what turned into an elevator ride a little about a year ago and a couple of conference bumped into throughout the year.
Speaker A:It's, it's fantastic knowing you, seeing you speaking and what you're doing to the industry and the world is, is definitely making the world a safer place and a better place at the same time.
Speaker A:So many thanks for everything you do, and it's a pleasure having you on the podcast and sharing your story with the audience.
Speaker A:I think it's, it's definitely going to make a lot of people think about their futures and also what they can do to make the world a safer place as well.
Speaker B:Yeah.
Speaker B:You know, security is an amazing profession.
Speaker B:It's full of people who got in it for the right reasons.
Speaker B:We didn't, we didn't get into security because we thought it would be the path to the CEO role.
Speaker B:We got into it because we get to use technology for good to help people reduce risk.
Speaker B:And so I love getting out and spending time with other security people because, like, we share the same passions.
Speaker B:It's awesome.
Speaker A:Absolutely.
Speaker A:And it's one of kind of my passions as well.
Speaker A:I had two choices in life.
Speaker A:It was tech, gadget or art.
Speaker A:And I do see, you know, I've chosen the tech side, but I do see it as a different form of art from what we can do.
Speaker A:And my goal is to make the world make security for everyone and the world a safer place at the same time.
Speaker A:So it's a pleasure, so for everyone.
Speaker A:Joe Sullivan, definitely go to the site, check out the stuff he's doing, and definitely go visit the Ukraine friends as well.
Speaker A:Tune into the Security By Default podcast every two weeks.
Speaker A:Bring different topics, different guests, great stories in order for you to learn about where your career might go and also some of the great things that's happening in the world.
Speaker A:Some things are security can be a good thing and a positive thing, so let's focus on bringing it and making it fun and making it a good thing for the world.
Speaker A:So everyone stay safe and take care until the next time.