The Entropy Podcast

Aligning Cybersecurity Strategies: Zero Trust with Fadi Daood

Francis Gorman Season 1 Episode 9

In this episode of the Entropy Podcast, host Francis Gorman speaks with Fadi Daood, Zero Trust Strategy Lead at Swift, about the evolving landscape of cybersecurity and the concept of Zero Trust. Fadi shares his journey into cybersecurity, emphasizing the importance of aligning security strategies with business needs and the misconceptions surrounding Zero Trust. The conversation delves into the role of change management, the necessity of embedding Zero Trust principles into organizational processes, and the impact of emerging technologies like generative AI on cybersecurity. During the conversation Francis also highlights the importance of human resilience and critical thinking in navigating the complexities of modern cyber threats.

Takeaways

  • Zero Trust is seen as an opportunity to do the right thing in cybersecurity.
  • Aligning cybersecurity with business needs is crucial for effective strategy.
  • Change management is essential for successful implementation of security measures.
  • Technology is only a small part of the cybersecurity equation; people and processes are key.
  • Zero Trust should be embedded in organizational processes for sustainability.
  • Generative AI is changing the landscape of cyber threats and defenses.
  • Understanding the 'why' behind security measures can foster better compliance.
  • Common sense approaches are often overlooked in cybersecurity practices.
  • Stakeholder engagement is vital for aligning security with business objectives.
  • Human resilience and critical thinking are necessary to combat evolving cyber threats.

Sound Bites

  • "Zero Trust is an opportunity."
  • "Never assume you know the business."
  • "Our job is to protect the business."
  • "Common sense is not so common."
  • "Technology is just 20% of the job."
  • "We need to show them the why."
  • "We are not here to make your job difficult."

Francis Gorman (00:01.588)
Hi everyone, I'm Francis Gorman, this is the Entropy Podcast, Episode 9. I'm delighted to be joined by Fadi Daood, Zero Trust Strategy Lead at Swift. Fadi, how are you today?

Fadi Daood (00:13.086)
Good, Francis.

Francis Gorman (00:20.966)
I'm really looking forward to delving into a, into a world of zero trust and all of the interesting facts that that will, will bring with it. You've had an incredible journey so far in your career from building PwC's global zero trust practice to now leading the strategy at Swift. What drew you into cybersecurity first?

Fadi Daood (00:43.694)
Great question. I mean, to be quite honest with you, my path into cyber security wasn't really a straight line, it kind of grew over time. So I started my career as a telecommunication engineer and one of my first big roles was within the UN system, United Nations, and so there I was focused on improving their wide area network, so really connecting their offices to headquarters and to the data center, and it was more about bandwidth optimization, quality of service and, of course, security. But security was just little part of the job. I have to admit that it was the most exciting part.

Anyway, four years later, I think I've done a good job, I was called for another agency to do exactly the same thing. But then there where I started to realize that really security was something I really enjoyed and I wanted to go deeper, I switched or shifted to the CSO office there and I took the role of program management. And then I was exposed, of course, to the whole domains, you know, from CM data classification, EDR, application development, so you name it. The area that really clicked, it was IAM, or Identity and Access Management. For me, it just made sense.

But to be quite honest with you, I mean, like many things we do in cybersecurity, especially back then, it was really, how do I say this? We were looking at it from operational perspective without any real strategy or alignment to the big picture. So people were managing access but not really thinking of why we're doing this or what is the why behind this. So I started digging into it, especially in identity and how can we connect to the broader security landscape. So I began exploring how policies could be mapped to user groups, how posture could influence access decisions. I wanted to really tie identity into everything. If it is EDR, if it is NAC, if it is VPNs. And it's funny that, you know, the more and more we went forward with it,

Fadi Daood (03:04.588)
the term Zero Trust came into the picture and Zero Trust people started talking about Zero Trust I was a little bit also involved with NIST there so without even knowing at the time that this is really the groundwork for Zero Trust so to be quite honest with you I'm curious from that perspective and think this is what really my mission is about

making security smarter, simpler and more connected, but also strategic and connected to the business at the end of the day.

Francis Gorman (03:42.654)
Yeah, I think the most interesting part when I, when I talked to cybersecurity professionals and my journey is similar. It's the, don't go straight into cybersecurity in most cases when you've got that season. Look, you start off somewhere else and your interest peaks on a topic and then you pivot and then it peaks again and you pivot, but it's an evolution. It's a, you get different flavors of different technologies and different approaches and then it kind of forms the, the professional that you become. And I think, I think Zero Trust, you know, ever since John Kindervag coined the term all those years ago at Forrester and you know, it's become a marketing tool very much so to sell product. But what does zero trust really mean in practice?

Fadi Daood (04:27.956)
I'll be completely honest with you here. For me, Zero Trust, I mean, of course, you're right. I mean, Zero Trust is a name that gets thrown around a lot these days. It's been some people call it strategy, others call it mindset, framework, architecture, buzzwords, you know, you name it. There's a lot of buzz around it. For me, of course, I don't say that all the time.

But for me, reality, what really drives me is Zero Trust is an opportunity. That's what I see it. That's how I see it. So I call it Zero Trust opportunity. What I mean by this, it's an opportunity to finally be able to do the right thing. So what do I mean by this? I think that cybersecurity as a field is relatively new. I mean, really, if you go back in history, I think it's around 1990. This is where the first time we had

the firewalls and internet security standards. And this is where all the product of cyber security start to go into the market and all of this. But at that time, the setup was quite simple. Users were employees of a certain company. Devices were really managed by that specific company. Applications were just sitting next door in the data center, which is the room next door to you.

But then, if you see the history and around the year 2000, everything changed. Users become customers, partners, suppliers, contractors, you name it. Devices scope also changed. Now bring your own device, mobile devices, tablets, whatever. Cloud, of course, start to become a big thing. So we start moving data to the cloud.

standard or the way of doing security, you know, it's hard to show its limitation, but I think us as security people, we just need to adapt. We just need, you know, we've been thrown to the reality and ask, fix it, do it. A few years after we have COVID and overnight we have to change the way we work. And again, last minute we brought our security professionals and do it, fix it.

Fadi Daood (06:52.77)
We needed to adapt to it. And then now, I mean, you what can I start? I mean, you know, you have geopolitics, have global instability, regulation, DORA, NIS 2, AI, you know. So you have all of these issues. And again, you know, we are, we need to adapt quickly, but often reactively, you know, in a reactive way. So I think what I'm trying to say is always we brought the last minute and we thought fix it.

But I don't think this is sustainable going forward. So I think for me, Zero Trust again, is an opportunity to do finally the right thing, meaning that change your approach into cybersecurity. Instead of being reactive, be proactive. And I think today we have a lot of documentation, a lot of framework that we can follow on how to do Zero Trust the right way. There is many methods. I mean, John Kindervag has the five steps method. There, CISA has the maturity model.

and so on, that how can we implement zero trust in the right way, which is really going to resolve the root cause of the issue on why we are always reactive instead of being reactive.

Francis Gorman (08:04.896)
And I think, think that's a really nice way of framing it, Fadi, especially in terms of opportunity. And it realigns it with business language as well. You know, we're looking at opportunities. Where can we improve? Where can we make things better? But the strategic aspect of that has to come to the fore as well. You know, you can't execute an opportunity without having a vision of where it is your goal and how it is you want to execute. So when, when you look at simplifying zero trust for organizations that are just starting their journey, how do you, how do you go about

bringing them on that journey that this is an opportunity, that this is something that can prevent the reactive nature that may be driven by income and regulation, by pandemics, by the geopolitical instability that surrounds us all every day at the moment. How do you frame that to them?

Fadi Daood (08:57.836)
Interesting point. I think you can apply the zero trust principles even here. So what do I mean by this?

Again, especially in my journey or through my career in PwC, I had to, of course, with a lot of and answer this kind of questions or help security professionals and C-level on how can we really build a strategy and how can we exactly do this, move with it. And I think that what I like to say here is never assume you know the business. Never assume

that you know I think security people we are always you know behind our masks and we always trying to do the right thing but I think the first thing and I think the most important thing is remove this mask and go to the business and ask simple question like really how do we make money what is the most important thing for you what is really what are the risks that keeping you awake at night you know this kind of question get closer to the business because

Never assume, verify, you know? Apply this principle here. Because I think we need to drop these walls that, you know, security are there in the back, they are slowing us down, you know, they are not aligned. So get aligned first. For me, it's interesting that once you ask this question, sometimes the answer is just like, wow, I never knew this. I never knew that.

you as C-level you are dealing with this specific partners that this is the first time I hear about but then you discover that these partners they come up with their own security issues with their own problems and maybe this is actually that time where the C-levels they are afraid because they hear their partner get compromised and they think that we are not doing fine so you see I think

Fadi Daood (11:07.222)
Sometimes it's just building these bridges and understand the business from their perspective, from the business perspective. What are the risks? And I think from there you can frame out how can you protect the business? How can you... And you start there. You start by protecting the business. That is our job, really. Our job is not to build the best EDR possible or best identity solution possible. It's really what problems I'm trying to resolve here from business perspective.

and this should be your vision, your target state. It's very common sense what I'm saying, but again, during my time in consultancy, I was surprised that this is not the case. It is common practice, but nobody does it.

Francis Gorman (11:52.299)
You know what to say about common sense. It's not so common. And I think that that is a reality. It's something I see the whole time myself and I'm a big believer in security as a business enabler. I quite like the SABSA model from that extent that you need to consider the business drivers, et cetera. I think you hit the nail on the head that the common sense aspect, a lot of these issues or programs or solutions get bundled into program delivery mode and they become a thing that was written on the page.

Fadi Daood (11:54.156)
Yeah, exactly.

Francis Gorman (12:21.738)
People get so focused on the thing that was written on the page that they don't actually look at the wider spectrum of the problem. Which kind of leads me to the other question. You've coached over 300 enterprise architects across your career. What's the most common misconception they have about zero trust? Or how do you help shift your mindset into that business driven enablement mode?

Fadi Daood (12:44.94)
Yeah, yeah, so from that perspective, I think the other misconception, so we talked about, of course, the business side and being aligned with the business, but the other misconception is actually about, still today, I must say that Zero Trust is seen as a technology issue. And you know, in all of...

You know, since I've been doing cyber strategy and zero trust and all of this, really, I think technology is like 20% of my job. It's really about... So the biggest part is really stakeholdering. And this is the people aspect. Because, you know, sometimes you need to, again, how do you align with the business and all of this? This is all about people perspective. Change management, that's a huge thing. Change management, I mean, you know, not like...

requesting for change, but you know, how do you do communication awareness and prepare the people for what's coming so you don't get pushback and all of this. The other area is of course the processes, you know, the technology is there to support or enable the processes, but sometimes the process is broken. So you want to, I don't know, for example, you have, you need to implement EDR.

But then you don't have a process in a place or a policy in a place saying if you don't have EDR then you cannot connect to the network anymore. So it's not about, you know, just deploying the solution, it's about coming back and see the policy behind it, the standard behind it, how do you enforce it, what are the exceptions there, and that's what I mean, technology is really just 20% of the thing.

Once you finish your process and once you do the due diligence and prepare your people and everything, then technology is just a matter of click and get deployed everywhere. I mean, it's not that easy, I'm exaggerating, but you get the sense of it, no? It's really about all the processes and people aspect. And I think that's where we spent most of our time.

Francis Gorman (14:54.112)
Yeah, I was just going to comment on that, Fadi, because it's a really key piece that you've touched on there. I'm just, I'm having flashbacks, having flashbacks over years of program delivery. And I think that's really key. You deliver, you deliver this core technology component and the program stands down and it goes into an operational environment. And there's a team there that manages and their job is

keep it alive. But what you're talking about is you've delivered a key component that can bolster security, but you haven't gone to the next level to say, that almost always have this component up to date active and in situ, or you cannot enter this network segment. You can't enter this application. You can't do these things. It's the policy enforcement aspect and the governance that ensures that

this piece is executed on properly and in situ that really makes it. It's the strategic and governance oversight. It's how do you leverage all of these technologies you have deployed to get the most out of them, to be effective in terms of what the user can access, what's their posture, what's their baseline security level, et cetera. If you don't tie all these things together, you can have lots of technologies.

but they may not be effective. And is that what you see in organizations that the process implementation, the next level of that, okay, we've got the thing in. Now, how do we milk the asset? How do we make sure that it does what it's supposed to do to give continuous security and to set some thresholds that if you don't abide by these rules, then you don't get on the field.

Fadi Daood (16:46.434)
Yeah, so I think that... So even, know, policy enforcement... So there is, of course, there is the whole operating model, no? So you do whatever project within Zero Trust that could be, again, anything. But then how do you ensure that that will continue even after the project, you know, finish or get completed? So this is where the...

operating model come into place and how can you ensure that really zero trust is embedded in your operating model? So you know next time someone from an ex-company go and want to procure a new solution how is zero trust principles embedded in the procurement processes? How is zero trust principles embedded within your application development and your enterprise architecture team for example?

So you ensure that whenever in the future you develop a new application, everything is already part of the checklist. But not only the checklist, but also from the policy enforcement perspective. For anyone who is not being... By the end of the day, Zero Trust is really about Never Trust, Always Verify. So you have this comply to connect policy, meaning that if you don't have that, you cannot connect.

But that's just a policy. Then how do you make it actually from a technology perspective? How can you enforce it from technology perspective? How can you ensure that also your technology supports this kind of processes? So to go more on practical side, your SSE solution, Secure Service Edge solution should not allow you to connect without having

123 as comply to connect prerequisites. Your PAM solution should do the same thing. Your conditional access policies, if you're using Azure in this case, should also check this kind of things. So any entry point, any enforcement point need to comply to these policies. So you ensure that there is no entry point that can, you know, will not...

Fadi Daood (19:11.81)
comply to this policy. So you do it from policy perspective but also from technology perspective that there is no other way you can connect unless you have these prerequisites and of course you always have exceptions but these are you need to manage them of course with more compensating controls. Does this answer your question?

Francis Gorman (19:30.784)
It does, it does, Fadi, indeed. And the exceptions piece, I suppose, is that, you know, we're always going to have that pocket of risk that needs to fall within your envelope of acceptable. And when I talk about security risk, I always think two things, business agility and innovation. And when people hear security and zero trust and, you know, we're going to, we're going to turn the dial right down on what you can do to very specific tasks.

you get resistance. Do you, how do you find that in some organizations when you come in that maybe led to someone that was always an administrator can now only have just in time access, for instance, as an example, how do you, how do you, how do you go about the culture change or the mindset of, especially in technical roles like development or, you know, people that like to be able to do lots of things.

and don't like hurdles in their way and, you know, security's blocking me, security's slowing me down. How do you approach that piece?

Fadi Daood (20:31.96)
Yeah, that's a very good point and that's what I meant by, you know, at the end of the day, you do a lot of stakeholder and change management perspective of communication awareness. So I think in my experience and all of my experience, I think all people are very, what is the right word, are really committed to their work. They really want to do the right thing, but sometimes they don't have all the information.

So once you start explaining the why and once you start explaining the, you know, facing the reality, showing them the news, you know, I mean, go back to without mentioning any name now, but you know, you've seen some threats in the past where just because of one specific employee who downloaded a wrong

or a malicious Chrome extension, the whole company went, you know, they had a compromise and that the leak and all of this. So I think, you know, these people, I'm talking about the company that they are resistant, the people that they're resistant to change, maybe they want to do the right thing, but they are not aware of these issues. They're not aware of these threats.

So, you know, we need to show them that, hey, you know what, if you get a root access every time you want to develop an application, that's not really good because one, two, three, four, five, six. And therefore that's why we are offering you, for example, the privilege session management tool, so you can do it through this way. Because that's more secure, that's why you don't need to have all of these privileges or standing privileges because

If anything happen and you get compromised and you're really handing all of these keys to the attacker that will use these privileges and then your name will be all over the news. Because thanks to this specific person, I get to get all of these data leaked from that specific organization. So do you want to have your name all over the news, you know, from this perspective? I'm here to help you. I can tell you that...

Fadi Daood (22:53.794)
In the past we did this change management session where at the end of the session people came to us and they started asking us how can I do this on my Gmail account? This specific feature because they were really fearing that finally they understood that we're not here to make your job difficult but today there's a lot of threats, there's a lot of attacks you need to be secure

And they ask us, how can I do this for my private stuff as well? So the mentality's changed completely.

Francis Gorman (23:26.656)
And I think, yeah, it does. And I think that's, that's always, I'm always conscious of the, you know, whipping up fear just to get an outcome. But I've had a couple of conversations on this podcast in the last couple of weeks, with some really clear examples of why we should actually have a level of fear and it's to do with the change in technology landscape. I'll give you two examples. Michael Freeman was on the last episode, episode eight actually. And he spoke about

the emergence of some attacks using large language models that once they exploited an organization, they sucked the data out of things like your Slack channel or your teams or your Outlook. And then he actually used that data to identify where individuals within the organization may have made decisions that could get them in hot water legally, let's say. So let's say you told your

CFO about something and they said leave it there. The bad actor is then going after the CFO to say, if you don't pay X, Y or Z in, you know, Bitcoin, or if you don't give me certain access or certain information, I'm gonna hand this information over to the relevant authorities and therefore you may suffer legal consequences. So there's, there's a level of blackmail happening using information that's available

from a breach within an organization, which is a bit of a sinister twist in terms of how we've used these things before. And I had also had Francesco Cipollone on a couple of weeks back, and he was talking about identifying vulnerabilities in the wild using large language models that they have now seen attacks within a number of minutes where they've identified a vulnerability in the perimeter and been able to target and exfiltrate a foothold on an environment using

large language models and generative AI techniques and approaches. So two examples that would both be minimized or mitigated by a proper strategic deployment of zero trust across your organization. So I do think the stories are going to start changing in 25 and 26 as these types of attack paths materialize and we start to see them in

Francis Gorman (25:52.722)
in more light, but it's definitely, it's definitely a lens of acceleration. We haven't seen in the last several years, you know, most, most attacks are slow, steady, you know, insider leaked information, credential breaches, et cetera. But now we have a whole new attack surface that has unlimited intelligence, depending on the compute power that's behind it to potentially identify.

loopholes or access points or nuances in your entire perimeter that you may not know yourself because of the ability to crunch so much data at a singular level and then bubble up those attack paths from it. I think Zero Trust, even though it's been around for a number of years, is going to start being a really key driver into a lot of cybersecurity strategies. And it's something we're all going to have to watch and

I suppose foster and mind as an industry to really get that message across. So off the back of that, what innovations or shifts in cyber threats are you watching closely in the financial sector at the moment or in the wider ecosystem?

Fadi Daood (27:08.558)
Yeah, I mean, I mean, so with the LLMs and generative AI in general, I think that a lot is happening there, but even, you know, I mean, it's getting smarter and smarter, because even simple things like even phishing is getting really smarter these days, thanks to, of course, generative AI. The other thing is really about post quantum

that is also gaining a lot of attention and how can we be ready for it? Especially with all the innovation happening there as well. So these are the two things. Now, is Zero Trust going to resolve this? I don't think of course, I mean, sometimes people see Zero Trust as the holy grail of security, but at the end of the day, I mean, we just need to remember that Zero Trust is just...

principles and how do you apply them? So it's not like a product or something that you're going to apply and it's going to resolve, or set of product you apply and it's going to resolve your problems. It's really principles that you need to adapt in your security strategy at the end of the day. So for example, if you go to the generative AI and all the attacks we're hearing about, I think that at the end of the day if we

If you just follow the zero trust model by, for example, from identity perspective, how can you ensure that all access is mapped to your specific identity? And from there, you get access to the required data that is mapped to your attributes. That is already a big achievement, I think, that you can do. Same things like how...

you know, different components within the LLMs can talk to each other. So how can you really use secret managements and to enhance that and enhance all the privileges assigned. So, you know, by following these best practices, I think from Zero Trust, I think we can get to, we can raise the bar to a higher place, but that will not be it. I mean, that's not only it. There's again a lot of processes and a lot of user awareness.

Fadi Daood (29:27.374)
that we need to include because, yeah, I mean, it's a very new field, the generative AI, and I think there's a lot of education that need to happen for people to how to use it the right way.

Francis Gorman (29:44.222)
I fully, I fully agree. I fully agree there, Fadi. And I think it's a double edged sword at the moment. I'm seeing conversations now on them. really thankful to see conversations happening around brain drain that we're, we're leveraging augmented intelligence and actually replacing our own intelligence. And what I mean by that is we're no longer taking pen to paper or working a problem. We're typing a prompt. How do I do such, how do I do this? How do I do another?

I think that's a dangerous trend, to be honest. I think there's a lot of value in working a problem and then approaching the augmented AI to refine on it. You know, I've identified these parameters against this type of a system. Can you help me mold a strategy to, you know, go against it and invalidate it, you know, but I think people are going quite the opposite. They're going, this is my problem, solve it for me. And it's doing the thought piece.

Fadi Daood (30:40.534)
Yeah.

Francis Gorman (30:44.242)
I will watch with interest what thought leadership and critical thinking looks like in five years from now, because it may be a very different, different playing field we're on, but it's, it's, it's, it's certainly a watch item for me. And it's something I think we need to be talking more about as an industry, especially around human resilience. If we remove our ability to think critically about a problem specifically in cybersecurity, what, what does that mean in terms of

emerging talent and how we, how we crack an issue. Because I think we talked to the start of the, of the podcast around most cybersecurity professions evolved through interest. You know, you, you, you found something you liked and you went down the rabbit hole. And when you got out the first side of the rabbit hole, there was some other thing that caught your attention and you pivoted over there. You know, I think that's a natural evolution of a lot of technology professionals. And I had Chris Dale on a couple of weeks ago and he said something really interesting.

He said he's a real problem with education at the moment in terms of how people are learning cybersecurity. You run a tool and you get root and you're delighted and you go, I've got root. And then he finished the whip. But why did you get root? Did you understand why you got it? How did you get there in the first place? And I think that why is a really important question that we need to bubble back up in the industry. Okay. You can execute that thing.

Do you know why you can execute that thing? What underpinned you getting that outcome? What underpinned the bad actor getting a foothold? What underpinned X, Y, or Z? If we don't understand the why, I think we're in real problem. So I am watching aspects of it with interests, particularly around human resilience. There's a lot of good there. Do a lot of really good things. We can definitely speed up process and remove some of the minutiae of...

the day to day, I would be cautious of where you apply certain levels of generative AI specifically into your end user estate.

Fadi Daood (32:50.478)
The thing, Francis, I think that, I mean, here's the thing. I think that, I mean, it reminds me, you know, with like, with the first time we had GPS's, you know, and I don't know, for example, taxi drivers will hate using it because they think that they are experts in the roads and I'm not going to use GPS. But now everybody use it, not because it just show you the road, but it show you traffic and show you everything. So it's definitely a fascinating tool. I think...

If you look at generative AI, it's just amazing. It just really does the job and does it really, really well. But you're right. It's like we are not realizing how much information we're giving also. I mean, especially now with ChatGPT, that it remembers the things you've said in the past in different chat and different conversation, and then it used that. It's just for me, it's really scary.

I mean, you've seen, I'm sure already, the Facebook issue we had with Cambridge Analytica and all of this years back. So what about now ChatGPT or Gen AI from this perspective? Can you see the risk there? All this information is there, lying there. And we are really, in this case, trusting

OpenAI or all the others about what are they going to do with this kind of information?

Francis Gorman (34:19.796)
Yeah, it's fascinating. I saw something the other day where someone really brought this to life for me. He says, you can lose your entire life's work in two clicks of a mouse. And his point was, if you upload the wrong file or folder to the wrong generative AI or large language model, it's then sucked in. It's then in the ether. It's in that system. It's there to be trained on, et cetera.

Fadi Daood (34:29.463)
Yeah.

Francis Gorman (34:48.572)
It's simple to use. It's powerful. It's fascinating. I use generative AI all the time. We just had a newborn. I loaded all of the medical guidance for babies into it and query it on a daily basis when something goes wrong and it gives me back cited and specific information. So it is very valuable in that regard.

Francis Gorman (00:00.793)
So yeah, look, I think, Fadi, as we said, I think generative AI is extremely powerful and really beneficial, but we also have to be conscious of the nuances and the other side of the coin. So for me, that's a real watch area. And one I will watch with interest, just before we finish up, you touched on post quantum and I agree with you that zero trust won't solve that one. That's got to do with crypto agility and a whole different strategy that's needed.

Based on your experience within the financial sector, what does the mobilization look like? you know of you? Have you seen quantum readiness programs starting to stand up or are people getting a little bit more conscious that they need to take action?

Fadi Daood (00:46.284)
A great question. I think it really depends of course on the specific, you know, not sector, how do I call it, it depends on the specific organizations at the end of the day. I know some organizations that are already partnering with universities in research and with vendors. So I see there is definitely

a lot of organizations are coming together again with universities, with vendors trying to of course to see how can we approach first this specific area. So a lot is happening from that perspective. Vendors starting to lay out their roadmap on how to do this but I think that it's not an... Here also you have a lot of change management perspective and aspect on how you're going to do this, how you're going to prepare the road for it and...

So yeah, I think a lot's happening. I unfortunately cannot give more details from Swift perspective. So, but yeah, I mean, I can say that, you know, specifically within organizations and again, even coming back to my time at PwC, I think that, it's people are looking into this and working heavily into this, and the specific aspect.

Francis Gorman (01:52.515)
I wouldn't expect it.

Francis Gorman (02:11.587)
Look, Fadi, it's been an absolute pleasure to have you on. I really enjoyed the conversation. I'm gonna go to bed tonight and dream about all of the different strategic elements of Zero Trust I can implement over the next year or so. So really, thank you for coming on, appreciate it.

Fadi Daood (02:27.458)
Thanks for having me, it was a pleasure.

Francis Gorman (02:29.562)
Thanks a million, thank you.



