
This is software (AWS) generated transcription and it is not perfect.
Thank you. Yeah. So it's a long road to become a chief information security officer, as I am in banking. And I did not enter the world of cyber security on purpose. It was largely by accident. The industry is a lot more mature now. When I was a student, you couldn't study cybersecurity. It wasn't offered in colleges. Nobody in high school was even aware it really existed. There were one or two movies out about hackers, but we didn't really know anything about it. And I studied English and geology, so nothing relating to computer science or even technology. I went to work doing inside sales and contract negotiations for a very large company and along the way got lured into a job in an area where there were very few people being trained, which was technology. And I actually worked on the help desk supporting a group of external users. This was in the nineties, and very quickly I essentially learned on the job all of the technologies which were sort of coming out then. There wasn't a big Internet as we know it today. There was mainframe computing. There was dial-up. People could attach with modems to different things. And so I became part of a group that had to develop technologies for a bunch of remote users. And in doing so, I learned about, you know, the Internet, because it was cheaper than using 800 numbers for dial-up, learned about LDAP and access management because we had to figure out how to authenticate users. So I was in a company called Xerox at the time, which had about 100,000 people in it, and rapidly developed an understanding of various Web technologies, mainframe technologies, access management, various controls, and it sort of took me to a cyber career. So within just a couple of years, in those days, I was the global information security officer for Xerox. I'd only been in technology for four years, and I'd only been in security for about a year. So it was...
It was a very different time; it was very immature. Nowadays students can actually study and talk to people who have sort of made the journey through the industry. And so I went from that job to consulting. I was a consulting partner at IBM; I ran Security and Privacy consulting for the financial sector. A lot of information security and cyber as we know it today has been developed at banks, because banks have spent by far the most money since the eighties on this space, and so many of the good jobs... It's not true today, but again, many of the good jobs when I was coming up had to do with banking and financial services. And so there wasn't really a normal career path. You started out, you did some consulting, maybe, and then, if you took a corporate job in a bank, you were sure of having a long-term job with good pay. And eventually you might, you know, you might become an executive, a bank executive, which is what happened to me probably 15 years ago. And so since then, I've been a bank executive running really large cybersecurity programs. My current one is probably about 75 people. My last one was in a bank... Basically, to sum up, you know, I had a very strange career because of the time that I started, and so there wasn't a simple path to becoming anything in cybersecurity. Whereas today you can actually be interested in it, learn it and have a career path in it. But my world was very different because I started before the industry was very mature.
Yeah. So, if you're the chief information security officer, essentially your work tasks are really in three or four areas. The first is the one that everybody thinks of, which is you have a team of people who are running threat and incident. So that means they're looking at all the things going on in the world and all the different types of attacks, all the different techniques that exist. And they're looking at our environment and monitoring for different types of alerts and reacting to them to determine whether they're actually serious or not. So that's a portion of what I do. The second part of what I do is really the risk side of security, and that's understanding our footprint and what could go wrong. So by understanding the footprint, that means for the company that I work at, I have a team of people who have to evaluate: what are the things that could go wrong? And what are we most afraid of? Because at the end of the day, we want to spend our money and defend the parts that are really high risk, and we're less worried about things that are lower risk. So an example of that is doing risk assessments to find out where we have customer private data, or where we move money, or where we do financial reporting, which has to be accurate. Where we do those things, where if something goes wrong, either accidentally or by direct attack, we have a really big problem. And so those are the places where I'm gonna put the most controls, the most effort. So I have a whole team that does that. They essentially risk assess our environment all the time. The third thing really relates more to people, and it relates to: how do you influence a group of people to do intelligent things? What we've learned, and if you're watching the news at all on, let's say, ransomware attacks, which have been very common this year, it's generally speaking somebody clicking a link or giving up their credentials.
Somehow somebody doing something that's a simple mistake. And there's no amount of tooling or technology that I can put in place to actually stop somebody from doing something foolish, whether on their own devices or on a company laptop or whatever. And so training and awareness and influence of people is actually probably just as important, if not more important, than all the technical things that we do. And when you're in a more junior role, you're usually sort of doing one of those things. You're sort of working on risk assessment, or you're patching systems to make sure they're always up to date, or you're monitoring for threats, or you're reading alerts and trying to do forensics to figure out what happened. But the higher up you get, the more you have a mix of all those things, and you understand that you've got two kinds of influence. One is influencing people to make good decisions through training programs, through phishing exercises, through trying to lure them into, you know, safe honeypots, things like that, versus corporate influence, which is where I'm trying to make sure my company spends enough money on the different types of tooling we need, the different types of training we need, that we're really careful with our third parties and our vendors and people we do business with to make sure that they're operating safely. All of those things, it gets much more complicated as you sort of move up the ranks. When you start out you're generally in one area and you're sort of working on one set of things at a time, which makes it a little bit less complicated. I work kind of common hours for an executive, which means I work probably 9 to 10 hours a day, and I'm always alert on weekends.
So I'm one of those people that I feel more comfortable when my phone is turned on and I can see if anything's going wrong, and 99% of the time it's not. So in the, you know, 25 years I've been in this business, I've never had a serious breach at any of the firms I've been running the programs for, but I've had 1000 little things, you know, that woke me up in the middle of the night or made me aware of what was going on. Again, today, with better organized shops and a little bit more shift work and online, sort of on-call kind of scheduling, you know, those 10 and 12 hour days aren't really so common. Most people work sort of normal days on shifts or, you know, regular business hours, and then they have some kind of alerting going on. So for me, it's a little different because I'm a senior executive. For most people, in entry-level roles, it's now much better organized than it was when I started, when we were just sort of always online.
So I think that there are two kinds of challenges. One is just the sheer number of things that can go wrong, the number of different places that we have to defend ourselves. The larger the organization that you work for, the larger the number of pain points you have, because every person can be a weakness. Every system could be a weakness. Every application could be a weakness. Every time somebody who's a developer says, "Oh, I want to go pull down that open source tool," you know, or goes and grabs some code from GitHub or whatever, those things are all dangerous every single time, and it only takes one time for us to fail. So we have to be... The basic pain point of the job is it's an asymmetrical battlefield. That means we're not attacking anybody, but everybody can attack us. And it's against the law for us to fight back. I'll talk more about that in a second. I'll give you an example, but all we need is one person who's undisciplined or doesn't really understand what makes things dangerous to make a single mistake, and we can devastate the entire company. So I work for a $50 billion bank in terms of assets. We have about 5000 employees and contractors. It only takes one person in development deciding they want to download a piece of code which, in fact, has been written with, you know, some sort of Trojan in it. And so they think they're getting something for free that rapidly moves forward our development efforts, and in fact, you know, it may be a seed for somebody to exfiltrate all of our private data for our customers, which ends up being, you know, a 10 or $50 million event for us between the fines that we pay and buying privacy protection for all those customers. So one little dumb thing, which seemed like it was a good idea at the time, can take you down completely. The second thing that you face in cyber, and this is just something, it's just a fact of life in the US
and in most of the Western world, is the asymmetrical battlefield. That is, people can attack you, but you can't take them down even if you're capable of taking them down. So in 2012 there were widespread denial of service attacks, and they were targeted at banks. The team that was doing it overseas told the banks that they were going to do it every Tuesday morning. They took down the next five banks off of a long list. So we knew it was coming. And quite frankly, the bank I worked at at the time, which is Toronto Dominion or TD, we had massive resources and massive server power. And one of my biggest jobs during that was holding my guys back, not launching counterattacks on the country that was the origin of the attacks, because it wasn't Russia or China, a place with just massive infrastructure. It was a country with much smaller infrastructure. And so we could have probably taken down their state government sites and done a lot of things offensively. You would never do that: A, because it's illegal and you'd be arrested, but B, once you sort of balkanize, or once you start weaponizing the Internet unilaterally, then, you know, everything gets worse. Everybody's attacking everybody, and it just gets much worse. So you have to really stay on the side of defense and be really brilliant about how you're defending your own enterprise, how you hide your enterprise, how you morph what it looks like to the outside world. All of those things are within reason. But going on the attack never is. So psychologically, for people who are getting started, especially if you've seen movies about hackers and you've seen anything about warfare where, you know, you get attacked, you go on offense, this is very different. You have to be brilliantly defensive, but you don't really get to go after anybody.