Episode Transcript
[00:00:02] Richard: We've seen a lot of hot topics hit the radar in cybersecurity land over the last couple of years. Things like metaverse, things like quantum... And they're all valid, but they just haven't had the same here and now impact as what generative AI is having.
So it is real, it is here now. And I think understanding how generative AI will be adopted both in cyber attack, the threat that it creates, but in cyber defense, you know, should be a priority. And so I would urge organisations to immediately take a look at how they are performing cyber defense and understand the opportunity for AI to speed things up.
[00:00:46] Jen: Welcome to Decrypting the Future, the podcast from EY, designed to help you better understand and prepare for our cyber tomorrow. I'm your host, Jen Waugh, and along with our guests, I'll be exploring the current state of cyber, and the predictions and projections based on the work EY does every day. In this first episode, I'm joined by the cyber-guru himself, Richard Watson, EY's global consulting cybersecurity leader.
[00:01:13] So, without further fanfare or fuss, let's dive in. Richard, please let the audience know more about who you are, and more importantly, what you do.
[00:01:22] Richard: Yeah. Hi, Jen. Good to be with you here today. Yes. I'm Richard Watson, global cybersecurity leader at EY, based in Sydney. Looking forward to talking to you all today about some of the trends we're seeing in Australia, but also further afield when it comes to cybersecurity. So looking forward to the chat, Jen.
[00:01:40] Jen: Awesome. Awesome. And today the focus we're going to have is on our 2023 Global Cyber Security Leadership Insights Study, which I have thoroughly enjoyed reading. So really keen to get your insights, your views, and some of those stats across to our audience, Rich. Keen to kick off. I think one of the things that we want to kind of discuss is, is things going on in the market here in Australia.
[00:01:59] So we are witnessing an increase in number of organisations being impacted across various industries, including telco, finance, and supply chain. Becoming more and more common, the headlines are hitting us every single day as a topic of concern. I'm keen to kind of get your view on, on the sudden increase, the complexity and who it's affecting most.
[00:02:17] Richard: Yeah, I mean, I think cybersecurity continues to be a top two or three board level issue in Australia. I present to a lot of boards, very, very focused on ransomware and the resilience that their organisations have when it comes to ransomware. Very, very focused on their supply chains and the cyber risk they're exposed to in their supply chains.
[00:02:41] And obviously we've all seen the headlines over the last two years or so of some really major cybersecurity incidents in Australia. I think that's got everyone very worried. You know, why does it feel like it's getting worse? I think we're more and more dependent on digital connectivity. You know, the period of working from home over the last four years has really drilled home just how reliant we are on being able to communicate and use the internet just to do basic everyday tasks and now for organisations to run.
[00:03:11] So this whole concept of resilience, how do we make sure we're always online, always connected, always able to operate, has really raised the bar on the conversation about cybersecurity. It's not now just about protect my data and protect my customer's data. It's about, you know, can we continue to run this business if anything were to happen to our connectivity?
[00:03:34] Jen: It's not a unique conversation, right, and I think the topics the survey itself touched on are exceptionally relevant. I know we did the survey in 2023, but coming into 2024, a lot of those numbers are quite insightful. Some of the things that, that I think I do want to touch on is the concepts you raise around is that you're prone enterprises and secure creators.
[00:03:52] Richard: We've coined those two terms of prone enterprises and secure creators, but perhaps just to give a bit of context on the study. Worldwide, we looked at 500 different organisations across eight different sectors and really tried to understand from those organisations who is doing cyber security well, who isn't doing it so well.
[00:04:12] And for those companies that are doing it well, you know, what are they actually doing? And, and we did find some, you know, quite interesting statistics in the sense that companies we all know have been spending millions of dollars on cybersecurity now for a good number of years, but only one in five organisations in our study felt they are well positioned today against the cyber threat and also well positioned against the cyber threat of tomorrow.
[00:04:39] But there were a small group of companies, we called them 'secure creators', who are doing cyber security well. What does that mean? They're having fewer incidents. When they do have an incident, they're responding quickly and they've successfully found a way to position cybersecurity as a value creation narrative.
[00:04:58] It's not just a cost of doing business. So, you know, there are a group of companies that seem to have cracked the code. And we've called those secure creators. The other end of the spectrum, prone enterprises, you know, not doing so well, don't exhibit the same hallmarks as these companies that are thriving.
[00:05:16] Jen: Some interesting stats there, Richard. I think one of the stats as well that jumped out for me that I was particularly interested in was the actual compound annual rate of growth with the cyber budget as well. So it's kind of saying 16.6% growth in the current investment of 1.3 trillion. Is that where you expected it to be?
[00:05:33] Or did you see kind of, is it what you were anticipating it would be? And do you think the growth is on trend?
Richard: Yeah, I mean, I think, as you pointed out earlier, we did this study in the second half of 2023, we released it publicly in early November 2023, but even in that period of time, the whole attitude, I think, to cyber budgets has changed.
[00:05:55] We have seen a steady increase in the amount of money that has been spent in cybersecurity consistently over the last five years. And that obviously varies by industry with banking, capital markets have been the bigger spenders, you know, we're now starting to see other regulated industries. And particularly in Australia, the energy sector is increasing its spend to comply with the energy market operators, minimum requirements, and the security of critical infrastructure act.
[00:06:24] But what we're actually seeing, I think more generally now is a flatlining in cyber security budgets. I was with a group of CISOs, Australian CISOs, a couple of weeks ago, and we did a bit of a straw poll, you know, who is getting an increase in their budget in 2024, and basically none of them are, you know, yet, you know, the compliance burden is going up, the appetite for a cybersecurity incident from the board's perspective, you know, continues to remain very, very low.
[00:06:53] Uh, yet the technology landscapes that these companies operate is getting more and more complex and of course, we now have generative AI to contend with as well. So it's really become a question of how do you do more with less? How do you optimise the tooling and processes that you have on the ground to tee up budget, to enable compliance activities and to enable spend on reducing risk profile to meet with the board's appetite.
[00:07:20] Jen: There is a theme that I kind of got from the survey as I went through it, which around the consolidation piece of tech and really having an understanding. And, and I think I've done some architecture in the past and it is something that I know a lot of organisations do struggle with. Can you talk a bit around kind of what you have seen, um, through the survey as you've kind of gone out and kind of, is it something that you think is a realistic expectation as things start to move?
[00:07:45] Richard: Yeah. I mean, when we talk about secure creators and what do they do well, that very much is one of the, of the key points, but essentially secure creators do four things well. They adopt emerging technology quickly and specifically they adopt artificial intelligence, machine learning. They adopt automation, they adopt passwordless technologies when it comes to identity and access management.
[00:08:13] They focus on managing their attack surfaces across cloud ecosystem and supply chain. So they have a cyber strategy that spans those three different domains. They're not just focused on their own organisation or their own perimeter. They've got a deliberate strategy: integrate cyber across the enterprise.
[00:08:33] So getting line one operatives in the business accountable for cyber risk management. Obviously the cyber function itself often operating as a line two, a risk function, and then ensuring that internal audit has a focus on cybersecurity from a line three perspective as well. And then finally, they're embracing simplification, which I think is the theme you refer to there.
[00:08:57] They are trying to move away from the best of breed model around technology and moving towards one of the large cybersecurity integrated platforms that's driven both from a risk perspective, you know, the fewer technologies you have, the less integration there is, and therefore the less chance that attacks can kind of slip through the gaps between technologies, but also back to my earlier point from a finance perspective as well.
[00:09:25] It's obviously cheaper to get better economies of scale if I'm going to integrate it on a single platform, than you do from stitching together 50 plus technologies in the security technology landscape.
Jen: And for sure, I think some of the things that did pop out, there's, there's a lot of things in the study for me, but the scale piece, yes, exactly, that was one of them. But the second piece is around DevSecOps. So, something that is very close to my heart. I was actually quite surprised on the uptake of DevSecOps. I think the stats was at 34 versus 35%. So still quite low for secure creators. Is that something that surprised you considering the scale of speed at which organisations kind of need to, to not only develop, but release these new products to the market?
[00:10:05] Richard: Yes. I think DevSecOps is still a little bit of a mysterious concept for a lot of organisations. We're used to, you know, more waterfall delivery and I used introducing security, you know, towards the end of these, uh, large technology development programs, but, you know, as we all know, intuitively, the earlier that you engage security in technology build programs, the more effective security can be in terms of making the right design decisions and testing as we go.
[00:10:39] And of course, therefore the less expensive, the security aspects of projects can be. So I think DevSecOps is something you need to continue to embrace and educate people around, but it's easier said than done just because of the entrenched ways that many projects have delivered. Now, I think generative AI is going to change this storyline altogether because what you have with generative AI is essentially shadow IT on steroids.
[00:11:08] You have the ability for almost anyone in the business to spin up, pretty straightforward kind of technology, and getting cyber security into that conversation, I think will be really, really important. There's such a high risk of disclosing confidential information into public large language models with the use of generative AI that it's really more important than ever
[00:11:34] that security is baked into that first line, as I talked about earlier, the people that are actually building the generative AI queries. And essentially the kind of DevSecOps principles are extended to just the general businesses use of artificial intelligence.
Jen: Thanks, Rich. I'm really glad you mentioned AI.
[00:11:51] Jen: It was something that was a topic I certainly wanted to bring up and a topic you and I have discussed, and we're certainly talking to a lot of our clients on it at the moment. We have kind of seen already some piece, some companies who have made the mistakes of releasing sensitive information unintentionally through chatGPT and other areas.
[00:12:07] What are the things that you yourself are doing? What are the conversations you're having with clients on how they can secure themselves as they adapt into this new technology?
Richard: Yeah, I mean, we're really thinking about AI and cybersecurity in three dimensions. The first is really the threat that is created by AI, cybersecurity threat and the privacy threat.
[00:12:30] The cybersecurity threat being, you know, all of a sudden cyber criminals have the capacity and ability to generate malware much more quickly than they were able to before and a much greater bandwidth to attack organisations. So there's a sort of, and, you know, make more authentic attacks and think about phishing emails.
[00:12:49] You know, generally speaking, we've trained people to recognise phishing emails based on things like spelling mistakes or inappropriate grammar or punctuation. So, you know, generative AI can create much more authentic phishing emails that are more likely to succeed as an example. So there's the, the cyber threat from AI, privacy threat is the one you're referring to.
[00:13:10] You know, the fact that inadvertently sensitive information may be introduced into public large language models and therefore retrievable by organisations and people that aren't supposed to be looking at that data. So, making people aware of these new threats that have come on the scene, I think is one aspect of that.
[00:13:29] There's a whole another category as well around just how do you ensure the integrity of large language models? And there's particular threat factors like data pollution, you know, deliberately polluting large language models. So they give wrong information affecting operational decisions and so on.
[00:13:47] But really trying to raise awareness of that whole piece is one tranche of the cyber and AI story. The second piece is around, as the business uses AI, how do you ensure that they're doing that in a cyber secure way? And so again, we're looking at developing things like a confidence index. How do you score AI queries against a set of metrics, things like privacy, things like explainability of what the query is doing, but really helping people assess and understand what they are doing with the query.
[00:14:26] AI and essentially putting a cyber wrapper around that. And that requires a whole different approach to governance. It's a bit like the DevSecOps conversation we've just had. You've got to be there in real time, but really you've got to put the ability to manage this in the hands of the end users. And then the final bucket we're thinking about
[00:14:45] when it comes to AI, and we call it, uh, AI for cyber, is how do we leverage AI more effectively in, in cyber defense? You know, there's a few use cases that are really well suited to, to AI. So for example, you know, the creation of security policy documentation, the comparison of controls to frameworks that are out there to score maturity, the understanding of documentation to see
[00:15:14] how accurate it is and how it compares to frameworks, you know, AI is really useful in that space. There's great AI use cases around identity and access management in the sense of reconciliation of privileged users to accounts and so on. And then finally in threat intelligence as well, you know, that typically has been a very manual process, turning raw data into, you know, sector based intelligible. That's been a pretty manual process, but with generative AI, that can be really short circuit as well.
[00:15:46] So, you know, at EY we're exploring all of these things, you know, building our AI skills to essentially help speed up client's ability to comply and, and obviously, you know, deliver faster outcomes.
Jen: That's awesome. And I love that we're kind of getting ahead of the game, I think, in our thinking and really trying to take clients on that journey.
[00:16:07] Jen: I was listening to news the other day and one of the things I heard was around kind of a lot of the deep fake science of AI kind of hitting the general public. And then some of these cases are pretty sad. So, I know what we're doing kind of focuses in on organisations. So in order to, to help them, to help kind of end users is a big objective.
[00:16:24] But what we're trying to do, the whole world is changing very, very fast. You did mention earlier on around the C-suite side of things, and we touched on the cyber budget side, and I was really happy to kind of have read that cyber budget is not necessarily the number one problem, internal problem or challenge kind of faced by CISOs and cybersecurity leaders.
[00:16:41] I think it's currently ranked sixth, if I'm correct. One of the interesting points for me in the survey was that confidence level as well on, uh, show these kind of secure creators feel protected for that future side of things. I think only 54% of creators are confident in the advancing world and how well they're protected.
[00:16:59] So there's a 46% gap, a 'Captain Obvious' statement there. But 46% is a gap that kind of would keep me awake if I was a CISO. Is it something that you're seeing in the market?
Richard: Yeah, we've seen an interesting change in the wind here, if I'm honest with you, um, because we've been doing surveys of various types over many years.
[00:17:19] Richard: And what has been the trend in the past has been, you know, the CISO of an organisation is, is relatively confident that they have a program and they have the control bill or the controls in place to manage cyber risk. But the board has been, uh, very, very concerned and isn't satisfied that what the organisation is doing is enough.
[00:17:42] And, you know, there's been a number of reasons why there is that gap. You know, traditionally board members have not been as technology literate, as they have been, for example, financial statements literate. And so there was a lot of questions born from a, perhaps a lack of technology training and an understanding.
[00:18:01] There's also been a challenge on the other side of the fence where chief information security officers have not been able to articulate the value of what they are doing, you know, not being able to speak in the language of business risk and have been too operationally focused. So historically we've had CISOs who are struggling to get their opinion across the boards and we've had boards that are concerned.
[00:18:25] You know what our survey data is showing now is actually the tables have turned and boards are less worried in our survey and this was 500 organisations with a billion dollars plus of revenue worldwide are less worried in our survey than the CISOs are. So why is that? Perhaps it's because there's a degree of fatigue that's setting in, you know, board members are perhaps, say, well, look, we've been spending millions of dollars for years and years on cybersecurity and surely we've got a basic set of controls and some protection.
[00:18:59] Now it may, it may be that factor, or it may be that the CISO could see this avalanche of new technology that is coming downstream, you know, the new threats created by things like AI, the increasing complexity of the attack surface because of cloud and on prem and the whole hybrid situation there. And also the fact that a number of these attacks are now really beginning in the supply chain.
[00:19:25] You know, it's really hard to protect your organisation. You know, if you're trusting data or processes to an organisation that isn't spending the same money as you are on securing themselves, that doesn't have the same, you know, high bar around cybersecurity that, that you do. So, actually, it's very interesting that we've got such a low confidence level amongst security executives and, you know, only one in five feel that they are both well prepared today and well positioned for tomorrow to manage the cyber threat landscape.
Jen: You did mention supply chain. And it's something that, you know, when I started out in security, it was one of the areas I dabbled in first. And even at that time, you know, I remember getting in front of leaders, business leaders in particular, and really trying to get the message security was their problem, um, in a sense that we had to work collaboratively in order to, to secure the data and to kind of secure our services.
[00:20:22] Jen: So, I see in the survey, that kind of team is still there in relation to getting in front, engaging security areas. And, you know, the team as well on really trying to kind of push that continuous monitoring. Are you seeing any kind of shifts in there? Cause you know, I reckon it's been a decade of the conversation, but now I think we're starting to make headway.
[00:20:42] Richard: Yes. And where I'd say we've seen the most headway is in that, you know, we call it third party risk as a service, essentially. That whole process of testing organisations in the supply chain, that they have the right policy document in places, that they have the right procedures, assessing them on a kind of risk basis and advising them to take either remediatory action or in most extreme cases, you know, refusing to use organisations if their security protocols aren't up to scratch.
[00:21:16] So there has been progress in that space, but I would describe that as really testing the kind of organisational protocols of all of companies in the, in the supply chain. I think where a lot of the issues occur is in the software supply chain. You know, the software that we're consuming from these organisations, in other words, their products.
[00:21:37] And it's much harder to test those on an ongoing and, and real time basis than it is to do a, you know, what's your spot check of, you know, whether their security policies are ISO compliant and so on. So we're seeing progress, but it's a really hard mountain to climb that one. The good news is, you know, that is another great use case for generative AI in terms of being able to automatically scan and form opinion on the quality of code and so the expectation is that over the coming months and years, this assessment process around software that we are consuming that is third party software, you know, we'll be able to cover much more ground than we've been able to to date where it's been spot checking on the specific pieces of software. So, it probably still is the largest unaddressed that many organisations have. It links to that whole piece around patching, which I'm sure many of the listeners have heard on a number of occasions, but, you know, getting onto the latest code where vulnerabilities have been identified and resolved, you know, it's still one of the easiest ways to be compromised because it's so publicly broadcast what patch levels
[00:22:54] organisations are, you know, aware those vulnerabilities are in those patches. It's really like a map to say, here's how to enter my domain. And so yes, difficult, but maybe technology has some of the answers here.
Jen: I'd like to think it does. 10 years is a long time waiting and the dial has shifted. However, probably not shifted anywhere near where it needs to be.
[00:23:14] So, potentially that conversation does need to be raised on how to leverage AI within a space, especially where humans are quite dominant in these manual processes. So therefore they're quite prone to gaps and issues that sit there. There's also this big kind of point of trust that we have on our service providers, which don't necessarily think we shouldn't have, but we should be checking. If AI can help, bring on AI.
[00:23:37] The other thing, if I bring the conversation slightly back to the survey, the DevSecOps component we've touched on that, that did surprise me a little bit, but I was quite pleasantly surprised to see cloud orchestration at 52%. The movement to cloud, there's been a lot of kind of movement at pace we've touched on that cyber leaders are really kind of challenged with at the moment.
[00:23:57] And the survey does mention the pace of change with cloud and the adoption of cloud orchestration. Is that something that you see increasing further, or do you see a switch to kind of protection over AI? What, what are your kind of predictions?
Richard: Yeah, I think that the movement to cloud is past the point of no return.
[00:24:15] Richard: You know, it is so clearly beneficial to organisations from a business economics point of view that having data in the cloud will, will be a feature. Now, all business from this point forth, of course, you know, you can't use cloud all the time everywhere. And so you're going to end up in a hybrid situation.
[00:24:36] So it is really important to be able to orchestrate your security controls across both your cloud environment and your on prem environment. And then of course, we need to talk about operational technology as well. You know, many organisations have a high dependence on operational technology. In other words, the technology that supports factories, train signals, traffic lights, et cetera, et cetera. And therefore being able to run a consistent set of controls across all these different domains becomes really, really important. And unfortunately we still see a lot of segmentation of security where one person in an organisation is responsible for looking up to the IT set of security controls,
[00:25:23] and another person is looking after the operational technology security controls. The sooner we can, as I say, create a consistent set of controls across all different domains. I think the more secure organisations will be, and be less, the opportunity to kind of fall between those cracks or to get to a different level of maturity across different technology domains will, will fall away.
[00:25:50] Jen: So you, you just kind of mentioned around roles and responsibilities and role segregation. I do want to touch on, on the survey and kind of what, what you've found in relation to cyber professionals and the market, especially considering the economic climate, what's going on? I know the cyber, cyberspace is still a hot field to be working in.
[00:26:07] Richard: Yes. Although again, that has changed over the last 12 months, you know, during the sort of COVID era, it was nigh impossible to hire or retain a cyber professional. You know, the market has softened in that sense, but there is still a huge shortage of talent and there still is that challenge for each individual organisation to retain their own cyber cohort, if you like, on the books.
[00:26:34] As a result of that, many organisations are switching towards managed services and we've still seen a huge uptick in the number of organisations that are moving to a managed service consumption model when it comes to cyber security, it's the largest part of the cybersecurity services market and it is growing.
[00:26:54] So managed services, I think is a reaction to two things, resource scarcity in terms of people, but also just an inability to keep up with the technology evolution and a desire to want to outsource that responsibility to a third, a third party because the technology landscape in cybersecurity moves so quickly.
[00:27:16] It's better to have someone else responsible for keeping technology up to date and on latest versions, et cetera. So I think resourcing is a big challenge, but perhaps not the challenge it was two years ago. I think we're all looking as well to automation, generative AI to be a bit of a panacea here or a solution, studies vary on this.
[00:27:39] In our own assessment, you know, we think we can get anywhere from about 15 to 40% efficiencies through AI, you know, versus delivering services with people. But some market assessments, you know, particularly in the more repeatable domains of things that IT operations think we can get to 80 or 90% automation in those spaces. So again, it'll be interesting to see how automation affects the sort of cyber security job market, and whether we all stop talking about resource scarcity, you know, as we get a better understanding of how automation can help in, in cyber defense. The, the mood music at the moment is, is very much around automation, supporting the human and making better decisions and directing the human effort onto the right tasks rather than the wrong tasks.
[00:28:33] And therefore it's, it's an efficiency story, not a disintermediation of humans, but that in itself obviously means that each human can go further in terms of productivity, which, which will help this resource scarcity problem that we've been talking about, you know, ever since I entered this profession over 20, 25 years ago.
[00:28:52] Jen: And here was me thinking it was only this last decade we had the scarcity issue. Obviously wrong. It is something that, that does interest me. And again, we kind of come back to the hot topic of AI as a possible solution for this, which is exceptionally positive. And there are kind of some conversations I know I'm having, and I can see an increase on managed services, which is, is great.
[00:29:10] I know we kind of had a period where it was staff augmentation and things to support, but the other shift as well is it's very outcome based rather than throwing a body at it, it's give me a solution to this problem. And I think there's definitely a way in which, you know, humans are there, but they're supported by technology.
[00:29:26] So, uh, it's exactly kind of what you've touched on. And I think an awesome kind of way to, potentially wrap this particular session up, but I will kind of end with this. What are your predictions kind of when it comes to 2024, what do you believe should be the topmost concern occupying the minds of board members plus CISOs?
[00:29:44] Richard: Yeah, I think this whole generative AI piece has to be based into, you know, I think we've seen a lot of hot topics hit the radar in cybersecurity land over the last couple of years. Things like metaverse, things like quantum... And they're all valid, but they just haven't had the same here and now impact as what generative AI is having.
[00:30:07] So it is real, it is here now. And I think understanding how generative AI will be adopted both in cyber attack, the threat that it creates, but in cyber defense, you know, should be a priority. And so I would urge organisations to immediately take a look at how they are performing cyber defense and understand the opportunity for AI to speed things up and improve efficiency.
[00:30:32] So that would be one thing that I would focus on. You can't ignore regulation as almost like a threat. I mean, some organisations think of it as like a threat, but you know, we've seen in the US the new rules around SEC disclosures, which apply to listed companies and what the US has effectively done is put the same protocols that we in Australia have in place around critical infrastructure on all listed organisations. And so it really puts the emphasis on organisations to demonstrate that they have a cyber risk management plan, demonstrate that the board is engaged in that, and then crucially, to report within 72 hours when they've had a material incident and so complying with regulation.
[00:31:16] And we expect, you know, the SEC disclosures type regulation to, to move around the world in the next kind of three to five years. And as I said, some companies in the critical infrastructure sectors are already really subject to them now in Australia. But regulation, you know, is, is a good thing, I think, because it drives investment.
[00:31:35] Uh, the trick is to use that investment to do the right thing, not to take a minimum compliance approach. We talked about managed services. I think that will continue to thrive in 2024, but probably the last point will be back to this secure creators concept. And the reason we said creators is because the best organisations are creating value from their cybersecurity investments and they're using cyber as a growth strategy differentiator.
[00:32:04] Good examples of this might be having a competitive advantage in an acquisition scenario. You know, if you're more secure, you may be able to convince regulators or existing ownership that you're a better home for this business than perhaps a less secure organisation. You know, we've seen it in the financial services sector, you know, really marketing to the consumer around the quality of security as a differentiator for why you might want to bank this bank versus another bank.
[00:32:35] So, I think turning cybersecurity from just a pure cost of doing business and a risk management exercise into something that could be used as a platform, but differentiation will be another big theme for 2024. So still a lot of work to do. A lot of progress has been made, [and] some great new technology to take advantage of now as well.
[00:32:57] But, you know, at the end of the day, effective cybersecurity really is in the hands of the people, how they use technology, uh, what controls they put in place and how we think about the data that they're using from a day to day, will really make a difference between whether you have a big incident and how secure your customers feel dealing with you as an organisation.
[00:33:19] Jen: I could not agree more, especially on the regulator side. I think we see in Australia as well, a lot of kind of movement from the IOC on the back of recent data breaches. And it's really good to see that stance as it kind of gives companies a clear direction where they need to go. So, Rich Watson, thank you so much.
[00:33:34] That's awesome. Thank you for joining me. Thank you for your insights. And I encourage those who have not taken the time to take a look at our global insights survey, please take a look and feel free to reach out for any questions.
[00:33:46] Outro: This has been an EY Cybersecurity podcast, a KBI Media production.