Sign Alabama Banking Agreement Secure

Industry sign banking alabama agreement secure

the framework was originally too over the course of one year through a series of five meetings with probably in total a few thousand people between government and private sector it was heavily influenced by the private sector including folks from the financial services industry and elsewhere when it was released I was - I think a fair amount of fanfare because it was one of the first times that government in the US anyway in the private sector the broad swath of the private sector had actually come up with something that everybody thought was pretty good not perfect but pretty good and that's a lot better than some of the public private outputs that we see where private sector says government doesn't know what they're doing government says private sector don't know what they're doing so this was a pretty monumental effort I mean it was accomplished inside the space of one year which was pretty awesome so most recently version 1.1 of the framework has been released it incorporates among other things a lot of supply chain elements so if you're in a supply chain which almost everybody is there's a fair amount in there to help sort of guide your risk management practices there as well it's composed of three parts there's a core which I'll show you in a second there's implementation tiers which I'm not going to show you because what we're doing in financial services is a little different so I'm going to talk about what we're doing there with tearing and then the profiles which of course is the basis for what we've developed and then the core is a set of best practices you're gonna see a lot of things that you're very familiar with if you're working in cyber security mapped to us and international standards all right so this is the core probably a little hard to read there I apologize for that but the things I wanted your attention to in particular on this left-hand side the framework breaks things down into these five functions what these stand for is identify protect detect respond recover all right we could run day-long seminars on each one of those but we're not going to that's not what we're here for but what I want you understand is that there's five functions inside of that functions there's a bunch of different categories and if you work in IT if you work in information security these are all going to look really familiar asset management risk assessment detection processes analysis mitigation so on and so on right not reinventing any wheels pulling from what's already out there to try and build something comprehensive underneath all of that that I didn't display is over a hundred subcategories that fall into different categories then of course under different functions no sense in displaying those I've got a graph that'll give you an interesting thought initially of what that means so finally the part that matters I think most here today is this notion that the framework talks about profiles the idea was that in the original framework we had 98 sub categories right that's a fairly high number now it's a lot less than what you would find 800-53 controls right if you're familiar with NIST 853 but it's still a fair number of controls that your organization would need to look at to try and say uh which of these things do I need to do so what the pro the framework allows you to do is it can say whether it's for an organization or a sector even focused on a particular threat model like DDoS it can say of all of these 98 it's how actual 103 105 controls which are the ones that matter most to me what are the highest priority ones what are the areas that we want to focus on alright so originally the idea was an organization would make that decision they would go through their risk management process they would decide here of the 98 controls here's the seven we care about based on our risk those are the ones that we're going to build our program to and around but it was adopted by sectors as well including the energy sector and the financial services sector with the goal being we have enough in common in the financial services sector that we should all be building towards the same sort of standards around managing our risk so why would it matter so much that we need to build to a common standard in the financial services sector well this is part of the reason now you can't read this and amusingly the bottom the footnote that you also can't read says yeah this is pretty complicated but it's actually way worse right is what that footnote says what this is depicting is the US financial service regulatory landscape so if you're a bank if you are a credit card company anybody that sort of lives in that space you have an awful lot of government agencies including state local and federal and quasi governmental agencies that are always looking at what you're doing I have friends in the financial services sector who work at banks they have entire teams that spend 24/7 12 months a year dealing with compliance dealing with audits they can have as many as 12 audits going on at one time by outside organization because there are so many of them just across this top range alright so this is a pretty complex landscape so if you're responsible for meeting compliance responsible for being able to say yeah we're protecting our data or yeah we're protecting our systems you've got an awful lot that you have to prove and the challenge is that in many cases in fact most of them what these organizations are looking for is similar but defined differently so there's no common way of saying all of these agencies along the top are all looking for the exact same set of things notionally in many cases they are but at the specific level at the granular level it can be varied and that gets very expensive it gets very complicated for banks and others to be able to do this they're spending a lot of money to meet compliance in this space because of the complex regulatory environment so does this help I'm not sure right this is a different way of thinking about the challenge when we start thinking about the cybersecurity framework so what are we looking at so what we've done is we've taken all that stuff from the last slide and we try to map it down and compress it into something but here's what you end up with so over here here are some of our regulators right FFIEC EFT see others here you've got all the NIST subcategories I've talked about I can't decipher that I don't know this you know you need a microscope to be able to go in and say which one of these regulations maps to which then this should say categories I apologize that's a typo so now it gets to be a little bit more manageable and we get over to functions and we can see all right we can take all of these regulations that are out there everything that I've got to meet compliance for at my bank and now I can start to break it down in ways that maybe are a little bit more helpful so instead of dealing with 20 different compliance requests in 20 different documents from 20 different agencies or more now I can start to think about the problem a little bit more cohesively and a little bit more holistically because what I'm doing underneath all of this as you'll see is I'm mapping my own risk never mind what the agencies want me to tell them it's what am i doing to manage my own risk on behalf of my organization on behalf of my customers and it starts to pivot into this interestingly you'll notice that a lot of the regulations seem to fall under identify and protect we could probably spend the afternoon talking about why that is my personal opinion is that it has to do with a maturity level of the regulatory agencies right if you think about sort of the cyber hygiene model you can't manage what you don't know about so we need to have good asset management we need to have good vulnerability management those are things that fall under the identify function we need to put protection processes in place what are our firewalls our ids/ips so on and so forth and a lot of those fall under protect when you start to get to other places in the risk management there's a lot less regulation there so that in itself is interesting and oh so we could talk more about that but I'm gonna keep moving here oh we're doing good on time all this making sense so far this is a small group so if you got questions just raise your hand at any point help me know that somebody's listening anybody I know you had to like wander amazed to get over here but we all made it so yeah I'm happy to delve into anything deeper as we go through this all right so now let's kind of break it down into something even a little bit more digestible so we saw two slides that basically are impossible to parse unless you're a machine so now we start to think about well how can we take all of that and start to turn it into something that the organ not just my organization but in fact our entire sector can use so this is what the profile structure looks like and there's a couple things I'll draw your attention to one of the things that we did was we loved what NIST did with the five functions right so remember identify protect detect respond recover what we found was that there were some gaps in that that didn't quite align with how the financial services sector in particular a lot of the bigger banks were thinking about risk and so we added a couple new functions to it right and they overlap and they're very coherent with the rest of them but we added a couple we added governance function and we added a supply chain and dependency management function now since then NIST has done more on the supply chain side which is great but we're gonna hold on to this function because there's things that we've added in there that again are very specific to financial services so we didn't change anything in the core framework nothing that's all exactly the way that NIST has released it but we wanted to add some pieces in order to make this more useful for the financial services sector so categories just as it says here same paalam is in the NIST CSF some categories have been moved like I said into the other functions they haven't been changed and named they haven't been changed in definition but they've been moved Brown subcategories same thing we kept all of the ones that NIST had moved a couple around and we've added some right to build it out and then finally what we call diagnostic statements I'll show you an example of this but these are think of these as ways of helping you to start thinking about how do I measure the risk so it's great so you tell me I've got to do asset management that's fine okay so what how do I measure that what are some standardized ways that I can go and actually start measuring how well I'm doing Asset Management or vulnerability management so we have these things called diagnostic statements that are in there as guidance and bear in mind I should have started with this the Financial Services Roundtable is not a regulatory body right so this is not something that's coming out as a new regulation as a new requirement this is something that as I mentioned is designed to help deal with all of the regulation and requirements that are already out there so putting these diagnostic statements in is meant to be helpful it's meant to provide guidance for organizations that may need to better understand well how do I know if I'm doing what I'm supposed to be doing how do I know if I'm doing a job right I need to be able to measure that I need to be able to communicate it and then finally it goes back just as we've been talking about out into some of these financial services specific regulations clear as mud so far I got nods that's good so I'm not doing a very good job because you're saying it's clear as money I got it all right so what are the benefits of using this profile approach so this is sort of a summary of some of the things I've already talked about we reduced the cyber security administrative burdens right so go back to that first slide I showed you again think all of that regulation think all of these controls that are out there hundreds of them several hundred of them having a profile that the industry can agree to the financial services industry can agree to helps to scope that down right it starts to give everyone a common way and it doesn't matter whether you're a big bank a small bank or wherever you fit into that mix it starts to give you all a common way of saying okay I know what my target needs to be I know what sort of cybersecurity program I need to be building you're probably already building it or you already have it but now you have something that the industry is saying this is what we think we need to be doing and it then becomes a common voice out to the regulator's enhanced internal and external oversight so if you have a common way of talking about risk a common lexicon a common set of things that you're looking to do it makes it easier to communicate one of the places where the NIST framework has been helpful just overall has been with third-party management so if I am procuring services from you we've got a partnership whatever the case may be I care about what your cybersecurity risk profile looks like because if I'm giving you data if I'm giving you my customer data financial data whatever the case may be I'd like to know that you're doing good things to protect it and most contract language even still today basically says you know you agree to apply industry best practices bla bla bla bla bla right I said I'm not a lawyer but I work with a lot of them so I see a lot of these contract languages right that's not useful right if you don't have that industry best practice to point to then what does that really mean so if my partner lets me down and they've got a breach and they lose my data you know what really is my recourse if that's all my contract language says so one of the things that the framework is being used for is to be able to say you partner Bri to adhere to these elements of the NIST cybersecurity framework right and to measure these things and to report on them if that's part of what the deal requires but now we've got a common way of communicating it it's not your homegrown risk management framework against my homegrown risk management framework we have one common way of discussing it one common way of framing it and then communicating when things go wrong about what controls didn't you do how were you able to have a breach alright let's think about that let's think about what led to that breach what part of the framework do you need to build out in order to reduce the likelihood of that occurring so that third party management risk has actually been an area where the framework has been really helpful greater interest sector and cross sector international cybersecurity collaboration again same idea but now when you're looking across sector and obviously the financial services sector interacts with pretty much all other sectors right so if other sectors are using it again you've got that same sort of be able to go back and forth be able to start assessing or thinking about understanding assessing and managing risk in a more common way so it you have a better chance of avoiding that he said she said type arrangement enhanced collective understanding I've mentioned that improve the boardroom engagement and this is one that has been really interesting too you know when the framework came out originally it's not a deeply technical document but it does fall well below where most boards would be interested but what we discovered was that it started to fill a really interesting gap between the technologists and the people that they were reporting to and if you've had to do that in your career you know how challenging that can be as a technologist to be able to report up to a CEO or to a board that may just not have the expertise right or the understanding or the knowledge because of some of the press that the framework has received and because of the adoption by a lot of large organizations boards have a tendency to know what this is right they're likely to have heard NIST cybersecurity framework more so than they may have heard of COBIT or ISO 27001 or whatever the case may be those are all perfectly good risk management frameworks but they don't have that same level of attention at the board level that we've seen with the framework over the last couple of years and in part it's because of the way the framework was developed by a lot of big companies and small companies and the fact that it has been publicly discussed by a lot of these large organizations saying we're using the framework or here's how we're using the framework so we've started to see boards get a better understanding so if you're responsible to reporting up to a board using the NIST cybersecurity framework to help you frame that discussion of risk it's probably only going to be a positive right it's you certainly won't be any worse off if your board doesn't know anything about cyber greater innovation at technology companies including financial services startups so why is that well in part it's because we heard dr. Ross this morning talk about the importance of building security in and I'm sure that you've heard that time and time again we've got to build security into these devices and our applications well what does that mean if I'm a start-up and I've got some cool new app or some cool new you know cool new cloud service what does it mean for me to be able to say well I'm secure I'm doing the things that I'm supposed to be doing to secure this I've built in the right mechanisms having a profile like this for those companies gives them a target to look at they can say hey I get it I understand that the banks that I want to sell this software to this is what they care about right and very clearly understood terms I know that my application which fits in this piece of the supply chain or this part of the infrastructure needs to be able to meet these security requirements and I'm going to be building to the exact same controls that the bank that I'm selling to is building to right so it can be hugely valuable from that perspective and the inverse is true so if I'm a bank and I've got a startup saying hey I've got this cool new whiz-bang thing gonna save you a lot of money make things easier or whatever and my question is well how are you securing it now that startup has a common language to be able to say I have applied these things from the financial services sector profile and the bank goes ah I know exactly what you're talking about because we use that too so it has a lot of applicability as this thing continues to gain traction making sense so far everybody good yes sir clean different from the cat because the reason why I asked is that coming from financial services there's a lot of effort to even though it is so so it relates right so FFIEC like you said is one of the organizations that we had up there on that chart they've been involved in this effort and what's driving this primarily though has been the banks that need to try and meet FFIEC because what they're also saying is goes back to my earlier point is okay yeah I've got to do that but I've got to also do all these other things so this is specifically an effort to try and bring those pieces into alignment right it's not meant to be a replacement and the cat tool is very very useful there's some other tools related to this that you can also go and see and it's all mapped so let me where perfect so here's an example from the profile so let me show you some things here so that's these are sort of bringing together all of the pieces that I talked about so this is one example out of the the financial services sector profile so here's our functions over here we're gonna talk about governance remember that's one of the ones that the financial services added to this we've got a category it falls under policy organization established cyber security policy in support of its cyber risk management framework technology okay pretty straightforward the subcategory we're talking about the policy has been established has been approved by appropriate governance bodies again pretty straightforward that's only one of the actual subcategories under policy it's got a reference ID here's the diagnostic statement I talked about so for this one right now it's the organization maintains a documented cybersecurity policy or policies approved by appropriate senior officer appropriate governing authority that's actually pretty simple to measure right do you have the policy yes or no you might not be able to find it right away depending on the nature of your organization but you either have one or you don't did the appropriate authority sign off on it yes or no those are two binary questions doesn't mean they're not hard to figure out but they're binary questions which means from this statements perspective you can actually say yes we have a policy yes it was signed off on good you're doing it right you've met the static right Iria to be able to say we're doing this thing and here's some of the potential responses right not applicable I'm not sure why you would ever use that for a security policy don't do that you should have one yes yes it's risk based yes it uses compensating controls it's partial it's not No okay and these are just examples right this is a draft I meant these over fine over time but hopefully it's starting to make sense in terms of how you might be able to use something like this now coming back to the other point so this says here FFIEC one right so what we're basically saying is that within the way that the FFIEC talks about risk and controls everything that's in here is mapped to one of those things that the FFIEC has so if you're working in inverse order that is if you're working to get compliant with the FFIEC great do that come back to here and now you map in the opposite direction right what does that tell you so much i'm FFIEC complying across the board well guess what that also buys me NY DFS 500 zero three right I don't even know what that one is but it's in there there's a lot and then if you care about it outside of the financial services sector now you've got mappings and other things that says COBIT here's ISO 27001 here's NIST 853 and so on so to some extent it doesn't matter where your starting point is if you're building towards some compliance regime this profile helps you to as an entry point to bring what you've already done into it and expand that into other areas and that's ultimately what we hope the outcome will be is that you'll be able to go from your starting point and be able to start answering other regulators and other auditors much more quickly and with much less expense because you will have already excuse-me done it in part through this through this profile questions about this is this making sense does anybody see how this might be useful in their organization or is this just like hey this is cool but I don't really care that's great thank you I appreciate that and that's absolutely right it's a good way to phrase it right you know if there was a leader here in terms of what NIST and others did to build the framework in the original framework had financial services companies involved in its development right from the get-go so they like others the financial services that is have taken this and expanded it just as the federal government has taken it and expanded into things like D FAR's and so on and we're going to see more of the framework in government since the cybersecurity order so we'll start to see more of that as opposed to just talking about 853 and the 801 71s and all those pieces we're gonna start seeing more of the framework across government as well yeah that's right now none of us are gonna be out of work anytime soon I don't think I don't expect to be anyway okay so when you go and look at the profile right which you can find online you'll see that there's a whole bunch of these things right and it hopefully will start to paint a picture for you all right let's keep going I want to be conscientious of time here so the other part of this that matters is where you fall on the spectrum so I know not everybody here is in financial services but if you're in financial services or if you're in any sort of critical infrastructure sector this type of tearing is impactful because what we're talking about here is and so and it might be a little hard to read but there's basically broken into four levels right so this one level one you have a national or super national impact if you were to be compromised so if you are a bank and you fall into this category or rather you would fall into this category if the impact is T of a cyber security incident of some sort were deemed to have a national or super national impact to the system right and in fact financial services recently I'm sure you may be familiar with the FSI sack but they also recently stood up a new organization called FS arc which is specifically designed to look at systemic threats that is what is what are those threats that are out there that are could be potentially could bring the markets down could cause massive financial loss massive issues from a cyber security perspective organizations that fall into this category they know they're in this category right generally speaking you don't get to decide whether you're in this category or not it's already been decided for you you've got the section nine entities which anybody that's working government might be familiar with that it's a classified list of companies around the United States for whom it's believed that any sort of negative impact to them could cause catastrophic damage to the US so they got to be knighted you are section nine entity right and that comes with some additional government oversight and interaction and in fact some benefits as well but once you kind of get below that right there needs to be a system to to help your organization figure out where do I fit in the mix right you may be able to say I'm a big bank I'm a little bank I'm a regional bank whatever the case may be but we needed to build some rigor into that so that we could make that a little bit clearer and a little bit easier to manage so it sort of goes down from there and just you know quickly sub-national mission-critical services high number of services not designated as most critical provider of services down here under level 3 could be risk to an organization or to a region but wouldn't necessarily be systemic if a regional bank say here in Huntsville or somewhere were to be negatively impacted by a cybersecurity incident were taken offline that would be horrible for that Bank it would be horrible for the people of Huntsville Huntsville but on a national level it may not rise to that level of a threat to the United States all right so we need to be able to make those determinations and then finally localized impact right so that again it's important but not necessarily important to the safety and security of the nation as a whole so some of the ways that we break this down I've already talked about these there's North American government designations again that's section 9 there's some other designations that go into that as well where the government basically says yeah you're that big too big to fail I suppose would be one way of thinking about it I'm interconnectedness as the other piece right you may be a smaller organization but you may be at a critical juncture in terms of payment processing in terms of Clearing House in terms of whatever you may be doing that if you were to be negatively impacted the ripple effect across the entire system could be pretty significant all right so it's not just about the size of the organization because criticality has to do with what would the impact be if your organization were effective geographical and geopolitical factors for example where do you host your data right as your data hosted here in Alabama or do you have a big data center say somewhere in Syria that's probably a bad example but you get my point right probably not the safest place to host a data center so the point being is that you're looking at those factors and saying what is the risk that you have and then consumer impact right how many consumers are going to be impacted by something bad that happens to your particular institution and all of those things factored in so all that's well and good but we wanted to be able to create a more rigorous process by which organizations could sort of self assert that or self assess rather again outside of the tier one which in most cases those organizations and already know who they are so what we did was we've created a list of questions that are sort of cascading you sort of go through them and there's off ramps so when you hit a question where you say yes or no there's instructions that say okay this is your off ramp you are tier two or you've made it all the way to the end you are tier four all right so an example of that is this one so this is an example of an off ramp for tier one okay does your organization consistently clear or settle at least 5% of the value of tracks actions in a critical market check all that apply so you're looking across all these different markets if you say yes to any single one of those that is you're doing more than 5% of the total transactions for say federal funds or corporate equity securities tier one that's your off ramp you don't have to answer any more questions you're already designated as a Tier one and all of the things that come along with that but then there's lots of other questions underneath of that so you say no to all of them okay then you get to the next question right there's other questions I've got somewhere you can go and see these things so you can start to assess and say and then if you get all the way to the bottom and you haven't answered for any off ramp then the final off ramp is your tier four okay and then once determined that tier just generally stays the same right there's only a couple of conditions where it would change one would be as if the nature of the organization were to change right change an event maybe it grows to smaller banks merge into one big bank so you need to reassess and figure out are we now Tier one or have we gone from a Tier four to a Tier three as a result of that change that can happen could be other triggers but growth generally would be one or if you've entered into a new space right remember I said it's not just about the size of the organization if you introduce new services or new products that may introduce you into a different part of the the financial infrastructure that could change your criticality as well and then there's periodic controls assessments right to make sure that you're still doing what you need to be doing within the profile based upon your tears okay so I'm gonna leave just a few minutes hopefully for some questions otherwise I'll tell some stories or something next steps this is a little out of date we had workshops at NIST actually I was actually at the Department of Commerce in April where we had a bunch of folks come together talk about the current state of the the draft profile talk you know a lot of banks of some government and banks of all sizes right and I facilitated a number of the sessions and it was really interesting for me because you know we had sessions that were targeted for the smaller smaller banks so regional and local banks and it was great to see them engaged and great to see them thinking about it you know I work a lot with the big banks and they're always thinking about this problem right they're always thinking about cybersecurity but it was great to see that smaller institutions are now starting to think about it as well that's not to say that many haven't but there are many who are still a little bit behind the curve and they understand that and so they're getting engaged in efforts like this to be able to understand well what can I be doing where do I fit into the mix what's available to help me and so on end of this quarter we're going to incorporate the feedback from the workshop I guess that may have happened since the quarter I think is over overlay the impact hearing with the profiles we're gonna finalize a version 1.0 and we're just a little bit behind on that but that should be coming soon and then moving forward you know start we're gonna start to see its utilization across the entire sector so it will start to promulgate out as I mentioned a lot o the big banks I just met with JPMorgan Chase a couple weeks ago they're huge supporters of this so they've been tracking it they've been contributing to it they're gonna be looking at how do we utilize this across organizations how do we push it down to other organizations that we interact with promote domestically obviously that's where we want to start we want to start with national security first but certainly not limited to that the financial system obviously is an international system right it is not just a domestic system but we think about critical infrastructure domestically but we need to think much more broadly than that so we need to think about what does this mean internationally how do we socialize this with international regulators so that again it starts to bring that regulatory management down into something that can be done in as most efficient as possible which saves everybody time and money so I've got a few minutes left I know that was a lot I know that again not all of you are in the financial services sector but I'll remind you that even if you're not think about how a profile could help your organization so if you translate these ideas of okay I want to simplify my risk management I want to be able to communicate with my partners my supply chain in a way that is more consistent that is well-defined these are all things that almost any organization can use you can do it as a single organization or within whatever sector that you're in so let me stop there and I'll take a few more questions or comments or whatever yeah I think it yeah I know that but that's that's I mean so I worked at both NIST I worked at Microsoft as well in the Azure group and dealt with the standards I helped to develop but on the private sector side so I've lived both sides of that right so dealing with 871 and the D FAR's and so on from the Microsoft perspective so it really kind of boils down to the the thing you said which is there's a lot in the federal government obviously there's separation of authorities NIST has no authority right they can't dictate anything to anyone so they develop a standard of some sort whether it's an 853 which is really not even a standard it's just a huge catalog of controls okay it's up to other organizations to decide what compliance means right there is no there it I missed compliance is useful shorthand but there is no NIST compliance program this doesn't run a compliance program for 853 now you may have the DoD say you need to do these things from nest-like 871 or whatever the case may be but that's what you're complying to so where the help often has to come from is from whatever organization that you're trying to sell to again from own Azure perspective much like Amazon we had certifications out you know out the door because not just for locally whether it's FedRAMP or whatever but we were certifying to those things because that particular customer was saying here's what I want you to do now they're using NIST and they're gonna start using the NIST framework but it's gonna be those organizations that set the standard that said this does provide some types of guidance around how do you actually do risk management but they're not going to say you're doing a good job or a bad job at risk management right or they might say here's some great things for small businesses to think about right they releasing li released a small businesses guide but they're not going to say you're doing a good job or a bad job somebody else will make that determination and within government it could be DHS OMB could be Jie GSA or every individual agency or systems purity officer who decides this is what compliance looks like and what security looks like and so you have to build for that so what's different here is what we're seeing is that the the financial services sector is saying we're actually going to kind of step out in front and say here's what we think good means so that we're not all making it up as we go along I think the government is going to do the same thing they have to some extent if you go back to the cap goals and other things that have been in place for a long time but the government hasn't necessarily done a great job of coming together and saying here's what good really means in a standardized way and I think we're seeing that in some of these sectors and hopefully the government will be able to learn from that and pick up on some of these things and be able to start saying we can we can reach agreement so that it's not every agency who says I decide what's secure and what isn't because that's clearly not what happens every agency makes a lot of their own determinations other thoughts or questions I don't see anybody clamoring for the door yet so we probably have another minute or two go for it I love it yeah so I mean look I don't mind getting up on my former government soapbox a little bit because I lived this right with the National Security Council the issue isn't that people don't know what to do or that they haven't been given guidance on what's to do it's that there's little to no accountability right agencies get hit all the time the only time I know of anybody that ever lost their job as a result of a breach within the federal government was at OPM that wasn't the last time the government got breached by the way right and I'm not sure that anybody else has really lost their job as a result of that so in the absence of accountability it's not going to be I didn't know what to do so don't punish me it's you didn't know what to do and now you are going to be punished whether it's through appropriated funds whether it's through losing your job whether it's through other types of issues so I think the government's problem is an accountability problem and that's not to say that the government are the only ones that suffer from that private sector tends to have a little bit of an easier job of saying you were hired to do this job and we paid you a bunch of money to do it you've clearly failed to do it we're now going to replace you with someone else this doesn't happen in government that often for a whole host of reasons we could spend the day talking about but we're not going to see the change you're talking about until that attitude changes because OMB has the authority to do it they have the authority to say here's what you have to do and actually go and they measure it right we just saw a report come out well is that a week or two ago 29 agencies or something like that with failing grades okay now what right what's going to happen as a result of that and it's a complex problem because you don't want to take money away from agencies that perform critical public services but we've got to strike that right balance so I think efforts like this to try and drive common ways of thinking in a particular sector and of course public is its own sector I think will help no such thing as a silver bullet we all know that we're not going to solve all of the problems but this is a really really important step and I think the fact that we're seeing so many institutions in the financial services sectors who compete fiercely with each other fiercely are coming together and saying we need to put that aside for a second and come up with a way of solving this problem that we all face shared problem shared solution and it's true in other sectors and suckers done something similar to this government's trying to do something similar to this so that's the mentality that we need it's a ubiquitous challenge we all face it we need to come up with shared solutions so that we can get back to competing in ways that don't damage our national security or economic prosperity I'll take one more question nobody know the hook has not come out yet so or comment I'll survey the audience then was this at all useful be honest I've got a very thick skin so if you didn't like it that's okay two people liked it okay okay all right three people liked it eight people did up there's another one there people are being shy there's a couple more thank you whoo yeah I know well I had no idea sort of what the setup was going to be but I think these are available on the site so you can go and download those I forgot to put the link in here but if you just go online and put in FS our NIST profile you'll find this and you can go and download the whole thing I had I did have one other oh I took it out oh well I did have a slide in here oh here so this is in the slide deck as well it's after the thank you slide there's some links in here you can find so here's where you can find the profile itself in the risk tearing and there's a downloadable version the American Banking Association has actually developed an interactive cyber risk tool that uses a lot of those questions and stuff so you can go and grab that as well and again it's it's in the it's in the slide deck there for you all right well I guess if that's it I'll wrap it up thanks for winding your way over here I appreciate the time have a great rest of your day [Applause]