CISO Series Podcast

All links and images for this episode can be found on CISO Series (https://cisoseries.com/three-years-experience-required-for-sub-entry-level-positions/) Our motto for hiring: We never give up on our unreasonable expectations. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brandon Traffanstedt, global director of systems engineering, CyberArk. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. Are we making the situation better or worse? On LinkedIn, Gabriel Friedlander of Wizer asked, "Should we be doing home risk assessments?" Could we create bigger problems if we do that? Gabriel's post generated a debate on what actions can significantly reduce risk. Is there value in a home risk assessment and if so, what's it going to reveal? It’s time for “Ask a CISO” On reddit, crossfire14 asks, "Why are helpdesk roles requiring 2-3 years experience? I thought they were entry level friendly? Im trying to start at lower positions to work my way into infosec yet I cant seem to qualify for any helpdesk roles because of exp?" I looked and actually these entry level positions are often asking for 3-5 years experience. Is this required? If not, what IS required for an entry level help desk role and what's the best way to show that? "What's Worse?!" Two horrible company debilitating options that have happened in real life. How would you survive either one? Please, Enough. No, More Our topic is Privileged Access Management, or PAM. What have Mike and Brandon heard enough about with PAM, and what would they like to hear a lot more? The great CISO challenge Outsider attacks, insider attacks, your assets, networks, people, and controls - what DOESN'T always change in security? If we assume that consistency is synonymous with simplicity, is it always an uphill battle to try to keep security simple especially if we're expanding into new services and cloud environments? Could this be why the foundations are still a struggle for everyone?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/look-freshmen-cisos-get-ready-to-pounce/) What could possibly be a better way to welcome newly hired CISOs to the security community than with a shiny new sales pitch? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Wayne Reynolds, CISO, Toyota Financial Savings Bank. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Why is everyone talking about this now? Our guest, Wayne Reynolds posted the good news about his new CISO role. While he got the expected kudos, he also got lots of sales emails. In the short conversation we had in preparation for this episode, six pitches came in. He counted 731 vendor pitches in just five days. Given the situation, we have all seen an uptick in pitches, across all industries, not just cybersecurity. Vendors want to make some type of connection. If they weren't pitching, what would be a more acceptable outreach? It’s time for “Ask a CISO” What can security startups do to prepare for and prove to prospects that their solution won't slow down operations? Thanks to John Prokap, CISO, HarperCollins for pointing me to this great article on CIO.com by Yoav Leitersdorf of YL Ventures on mistakes security startups make. One concern was on the issue of startups losing this specific focus. From the article, Peter Bodine, AllegisCyber Capital said, "I cannot stress how much of a difference productivity makes to the CISOs we consult with. So, as an investor, our attention is immediately piqued when we learn that a POC took fewer resources than a regular POC, because it often means that they developed their process early enough with a customer satisfaction person. We really don't see that very often, but when we have, we've written a check almost right on the spot, just because they take so much sand out of the gears and make it so much easier for a yes decision to occur.” "What's Worse?!" Do you want to be the one to reveal the cybersecurity incident or do you want somebody else to reveal it? What's a CISO to do? In the world of DevOps I'm constantly seeing the desire for developers to be security aware. But the point of DevOps is to be aggressively competitive. That's something I often don't see security people understanding or literally being aware of. Nicolas Valcarcel of NextRoll gave me heads up on a post by Mike Sherma of Square about having dev champions on the security team to advocate for the software engineering experience and design principles. Is this a good idea, and if so how would it be rolled out and what would be the benefits? How to become a CISO Prior to the unfortunate COVID-19 crisis we at the CISO Series were planning on hosting our very own one-day event to train security leaders. That event will happen eventually, but right now it's on hold. The whole idea is we were going to have a group of CISOs training a group of wannabe CISOs to be CISOs. Wayne is a strident mentor for wannabe CISO. At any time he's got 4 or 5 security professionals you're mentoring. We discuss the core skills security professionals are lacking to become CISOs, and what mentorship does to help you get those skills.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/cleaning-those-tough-to-reach-digital-identity-stains/) We're trying to erase our past and it's becoming harder and harder to clean that history. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Davi Ottenheimer (@daviottenheimer), vp of trust and digital ethics, Inrupt. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode Why is everybody talking about this now? On Quora, the question was asked, "What are some ways to protect identities on the Internet?" Mike and Davi offer their advice. It's time for "Ask a CISO" The Three As: Authentication, Authorization, and Auditing or Accounting. How do they interrelate? What's the order? And have we been doing it wrong? It's time to play, "What's Worse?!" How are you going to handle having a very well known exploit? Close your eyes, breathe in. It's time for a little security philosophy. On Quora, the question was asked, "What should I do to completely erase my digital identity for good?" It seems impossible, and probably is, but how what steps would one need to get rid of our online identities? It's time to play, "What Is It and Why Do I Care?" We're introducing a brand new game today called "What Is It and Why Do I Care?" Here's how the game is played. I have three pitches from three different vendors who are all in the same category, application security. I have asked the reps to first, in 25 words or less, just explain their category. So give me a simple explanation of application security. That's the "What Is It?" and then for the "Why Do I Care?" I asked them to explain what differentiates them or makes them unique also in 25 words or less. It is up to Mike and Davi to pick your favorite of each and explain why. I only reveal the winning contestants and their companies. If you would like to be a contestant for "What Is It and Why Do I Care?" just go here and fill out the simple SurveyMonkey form.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-just-dump-on-zooms-security-and-offer-no-solutions/) Sure, we're all in this together, but isn't it fun just to trash a popular product's really bad security? This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Brian Johnson, CEO and co-founder, DivvyCloud. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Why is everybody talking about this now? Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City a frequent and recent guest of the podcasts, had an incendiary post on LinkedIn where he challenged the long held belief in cybersecurity that "we're all in this together." Well that theory was put to the test with the outcries of Zoom's security and privacy flaws. Levi believes the security industry failed. Instead of trashing Zoom we should be offering suggestions of how they could fix a now universally used application. His challenge exploded online with over 200 comments. How could we/can we handle this situation better? Look at this, another company breached Oh Marriott. You blew it again. Two massive data breaches in two years. This one just gave too much access to too many customers from a branch office. Years ago this would be a front page story we'd be talking about for weeks if not months. Now they're just another breach and it doesn't seem that the affected users seem to care. How much damage are these breaches doing to companies if the customers have breach fatigue and can't see the damage immediately or even directly? And what percentage of these breaches do you believe are the result of poorly architected or implemented security programs? It's time to play "What's Worse?!" We get a chance to talk about Mike's favorite topic, toxic team members. Please, Enough. No, More. Today's topic is Identity Access Management or IAM. We discuss what we've heard enough about with IAM and what would we'd like to hear a lot more. It’s time for “Ask a CISO” We have a question from a listener, a college student. Here's her question: "I'm a college student interested in majoring in cybersecurity. However I'm more of a people person and I'm afraid cybersecurity is just dealing with computers and having no people interaction. I'm just wondering what I should expect if I continue to pursue a cybersecurity major."

All links and images for this episode can be found on CISO Series (https://cisoseries.com/weve-got-a-dozen-features-only-two-work/) If you don't focus too much on quality you'll really be impressed with the quantity of features our product has. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Yaron Levi (@0xL3v1), CISO, Blue Cross Blue Shield of Kansas City. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Hey, you’re a CISO. What’s your take on this? What's the value of a vendor-derived security meter? I sat down for a vendor presentation that was chock full of dashboards with meters. Some made sense and others appeared they were derived through some mysterious black box. When do you trust a vendor-derived meter? Can you? If not you, who are they for? Is it possible to ignore the absolute numbers in a vendor-derived formula and value only the changes over time? If you don't trust a vendor-derived meter, what meters do you create for yourself that you do trust? How do you go about discovering new security solutions? Tip of the hat to John Prokap, CISO, HarperCollins for forwarding me this excellent CIO.com article by Yoav Leitersdorf of YL Ventures. How feature rich should a startup product be? In the article, Richard Rushing, CISO, Motorola Mobility talks about the need to trust a startup and the quality of each feature. “It's not enough to just focus on three out of five. All five have to be spot on because I can't miss, which means you can't miss." How does a vendor avoid the classic case of trying to be everything to everybody and really you're serving no one? What's Worse? What's better for the business, compromised security occasionally, or unnecessary overhead that grows over time? Close your eyes and visualize the perfect engagement There's a well-known paradox in the healthcare industry when it comes to working with third party vendors. Because of HIPAA regulations there's a desire to keep information private, but at the same time, what about all these wonderful third party tools. Let them have access to our data. What's the advice for vendors eager to work with a healthcare organization? How should they demonstrate their awareness of this paradox (e.g., scope of responsibilities, efficacy of controls, attestation, accountability)? Why is everyone talking about this now? We recorded this episode on March 30th as we talk about this next topic and that is should companies challenge their employees with a COVID-19 phishing test? Tip of the hat to Louisa Vogelenzang of Kroll who pointed me to this active discussion started by Grant McKechnie, Telstra, who asked this very question. There was a lot of debate. We debate both sides and offer an ultimate recommendation.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/lets-ask-cisos-if-theyre-concerned-about-data-security/) I'm just learning about cybersecurity and I just realized that data security is really important. I don't know if everybody knows this. Do CISOs know? I should email all of them and ask. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss & Co. Thanks to this week's podcast sponsor, DivvyCloud. DivvyCloud provides continuous security and compliance across all CSPs and containers, including AWS, GCP, Azure, Ailibaba, and Kubernetes, providing a comprehensive view of what’s in your cloud, along with the tools and automation you need to manage it today, tomorrow, and into the future as your business grows and changes. On this week's episode Why is everyone talking about this now? On Quora, the question was asked, "What is the most common unaddressed cybersecurity risk at companies?" Looking through the list, we've talked about all of these issues: people (malicious and negligence), program maturity, data privacy, and just basic network. They're all important, but we discuss which one we believe is least addressed. There’s got to be a better way to handle this What happens when a cloud provider breaks a service level agreement or SLA? On a recent episode of Defense in Depth, Taylor Lehmann, CISO, athenahealth said that putting ultimatums in SLAs just doesn't work in reality. No one really pulls the plug just because a cloud provider fell short on providing a certain level of uptime. We walk through the steps of the SLA. What's needed? What's too much? What do you do when something is violated? How do you right the ship and maintain the relationship? What's Worse? What happens when there's a political motivation to select a vendor? What do you think of this pitch? and Why is this a bad pitch? We put a good one and a bad one back to back so you can hear the range of what comes in a CISO's inbox. Um… maybe you shouldn't have done that As a security vendor, how do you catch yourself if you're cybersplaining? Brian Haugli of Sidechannel Security offered the following definition: "When a salesperson or company representative explains in detail how a basic attack, ransomware, BEC, or other threat works to a CISO or current cybersecurity expert in order to push a sale." From what I see, it appears that cybersplaining is the norm mostly for those who are very green in cybersecurity. I'll also say I've seen the complete opposite where someone at a much higher level assumes you're already in their head and agree to the same assumptions they have about cybersecurity as well. This plays out that they'll state an issue in cybersecurity and conclude with "right?" not waiting for an answer but just assuming you're on the same page so that they can go on with their rant. What are ways to check yourself on both sides of the spectrum and what's the happy medium?

All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-dont-need-anymore-advice-on-how-to-work-remotely/) It appears everyone has tips on how to work remotely. And after the deluge the past two weeks, most people have hit their wall. We don't care. We're pushing through with even more advice, just for security professionals. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our sponsored guest is Brendan O'Connor, CEO, AppOmni. Thanks to this week's podcast sponsor, AppOmni. AppOmni is the leading provider of SaaS security and management platform for the enterprise. AppOmni provides unprecedented data access visibility, management and security of SaaS, enabling organizations to secure mission-critical and sensitive data. With AppOmni, organizations can automatically and continuously enforce rules for data access, data sharing and third-party applications. On this week's episode Why is everyone talking about this now? Adapting a line from Wendy Nather of Duo Security, what's the security poverty line for remote work? Gabriel Friedlander of Wizer started a thread of best advice for employees working at home. And then he compiled a list of the best tips. We talk about our favorite tips and add a few of our own. There’s got to be a better way to handle this Mike and our sponsored guest, Brendan, are both security leaders who have been thrust into managing their entire team virtually for an extended period of time. On top of that, their teams are going to have new pressures on them (e.g., kids at home) that are going to conflict with their ability to be efficient employees. We talk about what they're doing to adapt and their greatest concerns. What's Worse?! How are you dealing with patch management when you've got an all-remote workforce? Please, Enough. No, More. Our topic security cloud or specifically SaaS apps. What have we heard enough about on this topic and what would we like to hear a lot more? A serious confounding feature of public activities like elections and climate change discussions is the proliferation of actual fake news – stories created by bad actors and distributed by bots and which include deepfaked video and propaganda that lead audiences into a state of not knowing who to believe anymore. Security experts including the International Security Forum categorize this as a cyberthreat called Distortion, the loss of trust in the integrity of information. As threat actors continue to hammer away at the cyber defenses however they can, it is extremely likely that Distortion attacks will be yet one more way of bringing organizations to a point of extreme vulnerability, just like ransomware and siegeware. Though the Distortion content may be generated externally, it has the potential to be implanted in a company’s environment through phishing, MFA fraud and hacking, leading to media crises, drops in market valuation, destruction of public credibility and of internal stability. More from our sponsor, ExtraHop. Um… maybe you shouldn't have done that Some really well-intentioned people are responsible for some really bad data practices. When I was in Tel Aviv I ran into a number of companies offering discovery solutions to show you where your data is, identify the sensitive data, the PII, and who has access. We learn a lot about sensitive data after it's breached, but there are also plenty of bad data practices happening internally which lend themselves to misuse or greater damage when there is a breach.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/the-department-of-no-thank-you/) Just go to the front desk, sign in, and then the receptionist will say “no” in the most polite way possible. This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest is Nina Wyatt, CISO, Sunflower Bank. Thanks to this week's podcast sponsor, CyberArk. At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls. On this week's episode There’s got to be a better way to handle this The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility's huge number to mean companies are simply not prepared for how their staff may need to operate. What we’ve got here is failure to communicate What's the best way to say 'no' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn't want to be rude, but just saying no doesn't seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there? "What's Worse?!" A tough decision on a company built on acquisitions. Walk a mile in this CISO’s shoes For many CISOs, there is a "What's Next?" as they don't necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company. On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems. In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist, in situations where vulnerable devices remain buried in a legacy system or in cases where advanced calculation of expiry dates are needed, or like New York City, where the upgrade was apparently overlooked.  It serves as a reminder that data security must look to its past while it plans for the future. More from our sponsor ExtraHop. Hey, you're a CISO. What's your take on this? What's the impact of Europe's Right to Be Forgotten (RTFB)? It's been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google's anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with and do they have the capacity to meet these requests?  

All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-pick-the-best-security-awareness-programs-for-your-staff-to-ignore/) It doesn’t matter which security awareness training program you purchase. Your staff is going to do whatever they can to either tune out or get out of this annual compulsory exercise. This week’s episode of CISO/Security Vendor Relationship Podcast was recording in front of a live audience at athenahealth in Watertown, Massachusetts. The recording features me, David Spark (@dspark), producer of CISO Series, my guest co-host, Taylor Lehmann (@BostonCyberGuy), CISO, athenahealth, and guest Marnie Wilking, global head of security & technology risk management, Wayfair. David Spark, producer of CISO Series, Taylor Lehmann, CISO, athenahealth, Marnie Wilking, global head of security & technology risk management, Wayfair Check out all the photos from our recording. Thanks to this week's podcast sponsors, Check Point and Skybox Security. It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks. At Skybox, we remove complexities from cybersecurity management. By integrating data, delivering new insights and unifying processes, we help you control security without restricting business agility. Our comprehensive solution unites security perspectives into the big picture, minimizes risk and empowers security programs to move to the next level. On this week's episode Pay attention, it’s security awareness training time Jinan Budge of Forester finished a report on security awareness training programs. She found a trend that supported both the need for compliance and the need to actually train employees to be more security aware. We discuss what actually works to get people to be more aware of cybersecurity. What do you think of this vendor marketing tactic? At RSA, I talked to a vendor who told me about their new solution. It was so unique that Gartner was creating a new category for their product with yet another acronym. UGGH, another category for which you have to educate the market? And now you have to convince buyers to create a new line item for this category? And now what is that going to do to your marketing budget? It didn't take much convincing for me to point out that their product was just third-party risk management. Admittedly, cybersecurity professionals love the new and shiny, but where do we draw the line about learning something new in cybersecurity and adding confusion to the marketplace? It's time to play, "What's Worse?!" Two rounds, lots of debate. Where does a CISO begin? When we hear about digital transformation, it is being done for purposes of speed, accuracy, and business competitiveness. Scott McCool, former CIO at Polycom was on our show Defense in Depth, disputed the common notion that security serves the business. Instead, he believes that security IS the business. And if you deem that to be true, then security can no longer can take a consultative role. It must take the role of brand and value building. This is more than just a discussion of "shifting left." What are actions that security must take to make it clear that they are part of making the business fast, innovative, and competitive? Um... maybe you shouldn't have done that We tell talks of the worst proof of concept (POC) efforts. Audience question speed round We close out the show with a series of quick answers to audience questions.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/buy-our-product-we-have-no-idea-what-were-selling/) What do you think of our confusing non-descriptive ad copy? We think it’s brilliant. We’re patting ourselves on the back on the latest episode of CISO/Security Vendor Relationship Podcast. This episode was recorded in front of a live audience in NYC at the coworking space, Rise NYC. It's hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and JJ Agha, vp, head of information security at WeWork. Our guest is Mike Wilkes (@eclectiqus), CISO, ASCAP. David Spark, producer, CISO Series, JJ Agha, vp, head of information security, WeWork, and Mike Wilkes, CISO, ASCAP Thanks to this week's podcast sponsor, Check Point It's no secret that today's cyber attacks are targeted and sophisticated. Leaving even one point of entry vulnerable to a cyber attack endangers your entire organization. Check Point created the Secure Your Everything Resource Center to help you develop a comprehensive approach to prevent cyber attacks. On this week's episode There’s got to be a better way to handle this How well are you configuring your controls today and tomorrow? At RSA, I chatted with Adam Glick, CISO, Rocket Software. He said what he'd like is a tool to test the maturity of his deployed controls. How are his controls optimized over time? What does it looks like today vs. a year from now? How are we currently trying to solve that problem and what could be done to improve it? Hey, you're a CISO, what's your take on this? "Which cybersecurity certification should I get?" It's a question I see repeated often, especially on Quora and Peerlyst. Your best bet would probably be the one that most employers are looking for. And according to job board searches, conducted by Business News Daily, CISSP is the overwhelming favorite. Do our CISOs prefer certain certifications over others? Is it a requirement for hiring? And what does a security professional with certifications vs. experience tell us about that person? What’s Worse?! Split decisions on both and the audience plays along as well. Is this the best use of my money? "One of the common complaints I repeatedly hear is that cybersecurity vendors are not solving real problems. They're just looking to make money. I think that's a rather unfair blanket statement, but regardless, I hear it a lot. I think why I hear that so often is that we're all in the cybersecurity fight together and we need to help each other. Helping each other is often done by participating in the open source community. Why is it critical to contribute to the open source community? Um... What do they do? I read copy that appeared on various booths at RSA 2020. Most are confusing and non-descriptive and don’t appear to assume a pre-existing understanding of cybersecurity. The expo hall at RSA is filled with security professionals who are already security minded. I honestly don't know exactly the reaction they're looking to get or what type of information these vendors are trying to convey. Audience question speed round We close out the show with a series of quick answers to audience questions.