Episode 50 February 24, 2020

ERP050 - Selling Cybersecurity with Jennifer Bleam

34:08


Show Notes

Today on the podcast I'm speaking with Jennifer Bleam with MSP Sales Revolution. Selling Cybersecurity is critical for any IT service provider. After all, the impact of a cyber attack on your clients has an impact on you with recovery work and potential damage to reputation. So how do you sell cybersecurity to your clients? Is it appropriate to use fear as a sales tool? How do you counter the pushback that you get from some clients? Jennifer and I talk about these questions and much more, so please enjoy this topical and actionable conversation with Jennifer Bleam.

Read Transcript
Welcome to Evolved Radio where we explore the evolution of business and technology. Today on the podcast, I'm speaking with Jennifer Bleam with MSP Sales Revolution. Selling cyber security is critical for any IT service provider. After all, the impact of a cyber attack on your client has an impact to you for recovery time and also the potential damage to your reputation. So how do you sell cyber security to your clients? Is it appropriate to use fear as a sales tool? And how do you counter the pushback that you get from some clients? Jennifer and I talk about these questions and much more, so please enjoy this topical and actionable conversation with Jennifer Bleam. If you enjoy the show, be sure to subscribe on iTunes, Stitcher, or wherever you get your podcast from. Also, be sure to check out the webpage evolvedmgmt.com/podcast for show notes, links to my guests and to check out previous episodes. Now, let's get started.
Today on the podcast, I'm joined with Jennifer Bleam. Welcome, Jennifer.
Thank you so much for having me.
So we're going to be talking about everyone's favorite topic in IT lately, security. Um, I think a great place to start on this, we're going to touch on a couple of different areas around engaging your clients and talking about security, the need for security and how you can approach that conversation. Which is something that needs to happen a lot more given sort of the threat landscape that's out there. We'll also talk a bit about that internal security for the IT providers as well. And um, I the part of the reason I reached out to to have this conversation is is a good launching point. And I was wondering, is it possible and is it advisable to talk about this uh need for security with clients without using fear, uncertainty and doubt? The FUD model of just scaring the hell out of people and convincing that they need to spend more on security. Is that the appropriate way to approach this?
I feel like we shouldn't try and scare people around this topic. But uh in our quick conversation leading up to recording, maybe you've convinced me that the threat is large enough that we should scare them and maybe that is appropriate. So I'd love your thoughts on this.
Yeah, for sure. So it's interesting, every once in a while I will pose a question out on social media that to me is is a slam dunk easy no-brainer question. And I think in the back of my mind I always think I'm going to get 100% of the same answer and everyone's going to agree with me. And it's fascinating because this morning I literally just posted it out, um true or false or yes or no, it is always right to do what's in the best interest of the client. And I figured I would get 100% of people saying yes, yes, in in you know, unquestionably, it is always right to do what's what's in the best interest of the client. And I got very few yeses, actually I got, well, it depends and sometimes and no, and I got a couple of of, you know, very, very staunch yeses. But it very strongly leaned towards the no or the maybe. And so I guess that's part of where this discussion really comes from is if you don't believe that cyber security is in the best interest of the client, then you're not going to have the conversation. Or you're going to rely on fear, uncertainty and doubt. And and so to me, if security is a big deal and anytime MSPs start to really do research into what is happening, the threats that are out there, they realize security is not an option anymore. It's really a requirement. So then we get to the question, okay, how do you convince your clients that it's that it's required? And I think you have to rely on some level of fear. Now, relying on fear and relying on fearmongering are two different things. So I want to start there because fearmongering is helping wanting people to see something that is not super likely to happen.
And so a crazy example would be if I'm trying to sell someone a backup disaster recovery unit and I have somehow convinced them that there is going to be a dinosaur that runs in the front door and is going to eat their server and their data is now going to be gone. And I base my whole argument on you need a BDR on that, that's fearmongering. Because it's legitimately, there's probably a 0% chance that that's going to happen. But selling a BDR based on employee theft or employee error or fire, flood, electrical storm, those types of things. That is selling based on fear because it is the fear of what could happen. But what it really is is selling based on the implications or the impacts to the business, which is scary and it should be scary to the end user. And most IT companies are concerned by it, so they have an emotional state where they're concerned. It is important to pass that emotional state onto your clients and obviously prospects as well. Now, psychologically, the reason that you have to sell based on fear is that nobody ever makes a decision without emotion being involved. There are actually studies that that when your brain is is not wired correctly due to brain damage or something like that, if you cannot feel emotion, you cannot make a decision. Now, some of the things like habit, what am I going to wear to work, things like that, but you could make those types of decisions, but not anything that is truly critical, a major decision. And so if there's if there is not emotion, in the lack with with lack of emotion is lack of a sales decision. And so you have to use fear. Now, do you have to get them to the point where they're unreasonably fearful? Not necessarily. But is it reasonable to start to paint the picture that there are threats and that these threat actors are targeting small business owners and small business owners because they haven't invested in security are that proverbial low hanging fruit? 
And then painting the picture for the end user, for the CEO, for the CFO, here's what this could mean for you. It's the same conversation as the BDR conversation. And probably when BDRs first came out, five, seven, eight years ago and were really accessible for small businesses at that point, there was probably the same exact concern. I don't want to sell based on fear and it isn't fear so much, it is an awareness of how a business impact can impact the client and that is fear. That is a concern. So it's it's it's a business level conversation, but you have to pull on emotion.
Yeah, I think that those are really two points that I I wrote down that I think are are important is legitimacy of the discussion that you're trying to generate, right? So if if it is like you're just trying to get a sale and you're leveraging fear to do that and you know, maybe that the solution actually doesn't even address the problem that you're that you're raising, then sure, that that's sort of uh sort of underhanded uh approach. Um, so the legitimacy I think is very real and I I think just generating the conversation that needs to happen uh through some awareness and and fear, I think is is actually uh legitimate. The other point that you made around people making decisions on emotion, I think is a really important one to underline. Because a lot of people sort of looking at their own decision making will say, well, no, that don't that decision made sense to me. And and the studies that you're referring to, a lot of them suggest that people make a rationalization for the decision that they've already made emotionally. So I think the the necessity to use some level of fear in order to elevate the conversation is really important because you have to heighten the emotion in order to engage that person and have the conversation that you know is necessary.
So this also leads to kind of the the next step of this is uh especially in the SMB market, a lot of people, business owners, you know, they they the 10-person office, the 20-person office that are not particularly tech savvy. The the pushback that they often give to IT providers that are trying to have this conversation with them is, well, you know, I'm not a target. No one would would want to attack me. I'm just, you know, this lowly little shopkeeper or I run a professional services office, you know, who would want to break into this place and attack and and and attack us with some type of cyber attack. Uh and I think you and I and everyone in the IT industry know that that's not how it works. So what's the conversation that you should be having with those people that just resist the idea that cyber security is something that they need to be concerned about because they are a small business?
So, so that objection or that conversation with the end user where I'm not a target or it wouldn't impact me or those those types of conversations, that is that is the epitome of not being on the same page with the end user. And so, so I like to call that the gap. And so I'm I'm in the middle of reading Gap Selling, which is a phenomenal sales book. I was not familiar with it. Um and and it he talks about the fact that your when you know that there is a gap, which is where all of us are today, we know that there is a gap in security. We know that we need to somehow move our clients from where they are today to where they need to be. And and the interesting thing is they believe they are on the other side of this gap. They believe that they're safe. They believe that they're not going to be impacted. They believe that the threat actors are not targeting them. They believe that they're not going to be swept up into just a broad-based attack that happens to catch them. They believe that their employees are flawless and would never click on a link.
And so that is a gap, that is a a tremendous gap. I'm picturing in the Grand Canyon in my mind, they believe they're on one side of the Grand Canyon and we all know they're on the other side. So how do we get them to bridge that gap? Well, the first thing is you have to reveal it. You have to reveal to them that there's a gap. And so that's the first step is reveal that gap and that is through education, it's through conversations, it's through bringing to their awareness the fact that these breaches are happening and that they are impacting small businesses and then painting the picture of what those impacts look like. So that's the the revealing of the gap. Like there is a security issue, you are not safe, what you are paying me is for IT, it's not for security and those are two different things and so that's your educational conversation. And then once you've revealed the gap, even if they they mentally understand that they're on one side of the Grand Canyon and they want to they need to get to the other. Humans don't like change. Doesn't matter how great that change is going to be, there is still pain involved in change. And it could be a little bit of pain, it could be a lot of pain, it it you know, we can all paint it as being painless. But there is pain, you know, instituting multi-factor authentication, it's a pain. Like every time I have to pull my phone out and take it out of airplane mode and get the stupid code and put it in. Like it is a pain, but it has to happen. And so once you've revealed that pain, you have to um or once you've shown them that pain, you have to help them feel it. So you reveal the pain, then you heal the you help them feel the pain, reveal it, feel it, and then that's when you can have the sales conversation, which is about healing, healing that gap or healing that pain.
So what are some of the approaches that you've seen successful that we can kind of bat this around as as sort of lead ins to that that discussion?
Couple that come to mind, you you mentioned uh, you know, my staff are fine, they wouldn't click on these links, they're smart people. Um and immediately would jump to mind is run a phishing campaign internally and you'll have a very different story. It's it's incredible how sophisticated these things can be and how just uh, you know, absent-minded people can be with their link clicking. Uh even IT people, I see follow for fall for phishing campaigns all the time and they're the ones that are supposed to know about this stuff. So the average office employee is they're they're they're going to be desperately uh uh uh problematic in in that type of campaign. Uh the other one that I I I've seen used or leveraged in a sales model is the ID Agent and dark web monitoring where you can approach someone in a business meeting and say, you know, your CEO is so and so. Hey, have you used this password in the last year and a half? And you know, usually their face goes white and they're like, how do you know that, right? Uh so those are those types of models that I've seen used fairly effectively. Are there those that your feeling on those or any others that you've seen as as good starters for those conversations?
Yeah, those are definitely both good starters. Um and and the phishing campaigns you can even institute those yourself. As long as you've got the ability to to click have um to track whether or not a link is clicked or not. And you can certainly use a vendor to go through that, but a if I have time just to tell quick I think it's a funny story. I don't think the uh end user necessarily thought it was funny at the time. Uh but when I was over in Australia a few years ago, a company there had sent out a phishing campaign and it was the day that payroll was supposed to be processed and it was from the the CFO. So, you know, from the CFO to all of the employees, apologizing profusely, we submitted our payroll, something happened with the payroll company.
They never got uh all of the information and so they're not planning to pay you. However, I've already talked to the CEO, if you simply click here and put your bank routing number and all of the information, we will just transfer the money, we'll worry about all the taxes and things later. And it was like 80% of the company clicked on the link and then they called everyone into a meeting and they were like, guys. It was a small company, you know, 12 people, 15 people. They're like, guys, we would never do this. Like that was a classic phishing attempt and you fell for it. Well, all the employees got really angry and they're like, but this is our money. And they're like, sure it is, but don't you think the the bad guys know the types of emotional triggers to pull on, whether it's payroll or a coronavirus or you know, so and so wins the the, you know, hockey game and so now there's all kinds of sites or emails that come up. Click here to order your gear, get it before your neighbors. Like they're pulling on all these human emotional triggers and they're very good at it. They know what works. These are businesses that split test these types of emails and then they find a winner and now it's someone's job to beat that winner by testing it on all of us. So, um to circle back to your question, yeah, those are both really, really good um phishing campaigns, um I'd even seen broader employee awareness training. So specifically, um a training, like for an hour or a half a day where you go in and you do that training and now you've got your foot in the door and if you're there for an hour or a half a day, you know you're going to uncover other issues. Whether they're security focused or things that you can handle inside of your managed services agreement, but getting in the door is huge.
Yeah, that's uh really important points there. The one about the emotion being a trigger. And also that this stuff is a is a business. Right?
Like this is no longer the uh uh the threat landscape of the Nigerian Prince scams. Like this stuff is is uh you know, the same people that are trying to sell you toothpaste. And from a marketing standpoint are the people now coming up with creative uh cyber attack campaigns and phishing campaigns. The the level of sophistication is tenfold what it was even three years ago. So I think just that that risk alone is is massive. Um the other one, um the just providing some level of education and awareness. Obviously, there's some tools and some vendors that you can leverage for security awareness for people. But I think where people get stuck with this in a lot of cases is their own knowledge gets in the way of what they think would be valuable for the average person to understand. And I've seen this as well where I've done cyber security training for clients when I was running an MSP and, you know, what what was pretty rudimentary stuff was like mind-blowing for these people. And you have to step out of your own sort of knowledge space and say, I may think that these things are pretty rudimentary. This is not amazing insights or anything like that, but it's also not common knowledge. And I think that that's where people get stuck is thinking, what's the level of awareness that I need to teach people? Start a lot lower than you think, right? Like go right to the basics and when and providing that education. Even if you just put together a 30, 40 minute webinar or a lunch and learn session for your clients, there's high value in that stuff. And I think that's a great place for people to provide some additional value and and sort of raise the awareness and bring up the conversation.
Yes, it's also important from a mindset issue because I hear a lot of IT company business owners saying, I don't feel like an expert. And my response is typically, well, you may not feel like an expert, but you absolutely are an expert.
I did a webinar um or a online training with an MSP about two months ago and I mentioned in passing something about if you don't secure your computers properly, you're going to come into the office one day and find that all all of your data is going to be encrypted. And and and I said encryption is kind of like scrambled, so you're going to go to try to open up your documents and I was very proud of myself because I didn't assume they understood the word encrypted and so I'm describing ransomware in such a way that in my mind, any small business owner could absorb. And the the Zoom chat just filled up and said, wait, wait, wait, what was that? My data could be encrypted. What is that? Yeah, but I have a firewall. And I mean, the the level of questioning that I got was so eye opening because in my mind and and probably in most of your listeners' mind. Like ransomware was so five years ago. But your clients don't know about it. The small businesses in your area don't know what ransomware is. Now, that's a broad brush stroke, but it's probably 70% of the companies in your area don't know what ransomware is. And so just to circle back to the sales conversation, when you walk in and you say, I have this great tool that can keep you safe from ransomware, is it any surprise that they're not going to buy it when they don't even know what ransomware is? And so that was really eye opening to me because I'm in the space and I'm a sales leader and yet I made this assumption that this group of professionals who showed up to learn about securing your network, so they weren't like nobody lassoed them and forced them to come into the room, had no idea. They they really were uneducated. And so again, very eye opening and so you are an expert, especially compared to the very low level of knowledge that most of your clients have.
Yeah, 100% and you you nailed it with the expression of what the the pushback is as well. I have a firewall, I have antivirus, we're safe, right?
And it's like anyone in in modern IT will say, no, like it's way more complicated than that. But that's the base level of understanding of most of the businesses that you'll interact with that are clients and that's the important part is raising the level of awareness, making sure that they understand that um, you know, not having a door on your house means that it's not very secure. That's the equivalent of a firewall. But that doesn't protect you from someone that's going to smash a window and try and get in or, you know, someone that's going to send send you uh knock on the door and try and sell you an alarm system when they're really just casing your house. Like there's there's a level of sophistication that has to be uh brought up when you're dealing with those clients. And that that sort of leads us to um a stat that you shared with me. We're not clear on the source of this. I think you got this from from info from Continuum, but basically Continuum said something around 13% of MSPs have had a meaningful conversation with their clients about security. And we kind of wondered as we you shared that with me, we're like, is this number right? Like it seems really low. But then as we talked about it, I was like, you know what, this sounds right to me because if you underline meaningful conversation, in my line of work, the the MSPs and the IT service providers that I deal with, the number that are not even having technical business reviews and quarterly business reviews is pretty low to begin with. So the fact that they would be going a step further and having meaningful security discussions is questionable. I would say, you know, 15, 20% uh at a high note of the the conversations that are happening. I think that that's probably true. And that's obviously a problem because we're not even having these basic conversations about security with the client base.
Well, what's interesting is I I think what you just notated is is true is that a lot of the companies aren't even having quarterly business reviews, but I think the problem starts earlier than that. The vast majority of IT companies have not figured out how to adopt security. They haven't figured out what that ideal solution stack is, how do I go to market with it, how do I differentiate myself, do I absorb the cost or do I mark it up and if I mark it up, now we're back into the sales conversation, how do I prove the value without using FUD? And so, so the majority if you look at the the technology adoption life cycle, which is just fascinating to study, it's this beautiful bell curve and and basically it this this bell curve is what every technology follows as far as adoption. And so if you think about like a fax machine, you know, back in early 1980, nobody was buying fax machines because they didn't exist. And when they were initially invented, you had that really small portion of the market that were those bleeding edge consumers that were convinced if they adopted a fax machine, it would really change their business. It's usually, you know, five, five to 7% and then you have another five to 7% that aren't quite bleeding edge, but they're maybe we would call them cutting edge. Well, then you get this 30 this really large chunk, 35% that are somewhat early adopters. It's that early majority, they didn't quite get on at the beginning because like is this going to is the fax machine really going to take off? Is something else going to be better? And and then after that peak it it trails off and you now have the the laggards or the late adopters. Well, with cyber security, we are just getting to that 13 to 15% where we're about to see a large number of IT companies even decide that today is the right day to adopt cyber security.
And so when you don't even have the majority of the market today adopting security or buying into the need for cyber security, why would they ever have those conversations with the clients? So we all of a sudden we take the channel, I mean, the numbers are all over the map, but let's say it's 40,000 IT companies that make up the channel. That's a broad number, but let's just go with that number. And if we say 20% of those have adopted cyber security and I'm just going to 20. I don't think it's that high to be honest with you. Uh but let's go with 20% of that 40,000, that's what 8,000 companies. That that could even have a meaningful conversation with their clients about cyber security. And yet they haven't quite figured out their stack or their pricing or how to have the conversation and so and then they're not having quarterly business reviews or their business review philosophy is that it's not a sales conversation, it's a business building conversation and relationship building, which is which is fair. But then where in your process are you allowing for those sales conversations? So all of a sudden it be that 13% number does pass the sniff test just be when you start to put these various pieces together, you start to get a pretty clear picture of of why the adoption on the small business side is so low. When quite a few of those small business owners are using MSPs who haven't absorbed the fact that cyber security is a need because they don't know it's a risk and they haven't figured out the sales conversation, they haven't even picked their first vendor yet. So it's this it's it's really a self-fulfilling prophecy that small business owners are going to continue to get hit by cyber attacks until it changes at the very beginning of that of of that supply chain if you will.
Yeah, I I 100% agree. I think this does smell pass the the sniff test as you said.
I think we're past the point of MSPs in particular kind of getting to that MSP 2.0 model where they're they're they're stuck in that reactive phase. But if you look around at the industry, there's still so many companies that are still stuck in that 1.0 model where they're just reacting and trying to address issues as they come in and not acting in a truly proactive fashion. So if that is still, I would honestly say maybe the majority of the market still. So if you're looking at those companies that are stuck in that reactive model and not being able to be proactive, how could they really get to a point where they're amplifying the value that they create and having more strategic discussions because they can't really get past sort of the starting gate as it was around the value that they're producing for those clients. So I think that that's a huge risk and something you noted is uh how do you as an internal IT company, an MSP, how do you build that security muscle? And I see this question get asked a lot where people say, you know, my boss told me to start an uh a SOC or, you know, now we're doing the MSSP, the security managed service security provider. And those questions scare the hell out of me because if you're just sort of tactically going about this without any strategy, uh you don't have the sophistication to build this stuff internally and you're not looking to outsource to the experts for some type of security outsource center. Uh and and leveraging a partner to do that, I think there's a massive risk around them not building the appropriate systems internally to be able to properly defend their clients. Right? So kind of false walls and and you know, we'll just do this because this is what's going on in the market without really going about it the wrong way or the right way. So that that really scares me. Are you seeing a bit of that as well that people just kind of fall their way into that security model?
Yes, I I'm seeing a couple of different things. I'm seeing this this belief that I can become an MSSP in 90 days or less. Which that if you talk to almost any vendor, they will tell you that's a pipe dream. It's just it's it's not just a set of solutions, like you alluded to, it's really a shift in how you think and how you approach the network infrastructure and data. There's it's a very, very complex uh challenge.
And so I often describe it as as almost a completely different skill set. Like infrastructure is the traditional IT support, whereas security is a totally different skill set as far as your approach. You you deal with the same systems, but the the knowledge that's necessary and the approach is very, very different.
Yeah. Well, and and it's interesting because you mentioned expertise and I am a big believer in outsourcing areas that I am not an expert in. But the challenge is and and zero issues with that. Kudos to an MSP that says, I don't want to build a SOC because I don't have half an idea of how to do that and and you're you're probably right, you don't. But the danger is I am starting to see startup vendors, startup MSPs who are dynamite business owners, have built a really solid IT company, they see dollar signs and they say, I'm going to spin up a SOC and sell it to all my IT colleagues. And the danger there is that if that IT company has not become a security expert or invested in someone who is, then they're not an expert, but the MSP isn't an expert enough to even know what type of questions to ask that vendor. And and I am seeing with with several vendors in particular, a train wreck coming because they don't know what they're doing, but they're really good at selling and and that's a recipe for disaster.
Yeah, that's a big one.
So, um let's dig a little deeper on that because I think um one one part we touched on is that the building this as an internal model and make sure making sure that you look after your own house from a security standpoint. Uh is is more prevalent now, um but you you can't you can't sort of teach what you don't know yet. Um and focusing on the internal stack is is is said is is more prevalent now because the MSPs are becoming the target. I had um uh Kyle Hanslovan from Huntress on before and we talked about sort of the threat actors that are targeting MSPs, leveraging their platforms to encrypt all of the clients. So, you know, before you start talking to your clients about their security, making sure that at the base level, you've got 2FA on all of your control systems. Like that that those types of things. What are some other things that you're seeing or advising people that you're working with on, how do you build that internal muscle around security and your security posture in order to make sure that you secure your own house before you start selling cyber security services to your clients?
Yeah, so several things, what you just mentioned are any of the basics, you know, the the 2FA and not reusing passwords and not using admin credentials, not allowing your clients to have admin credentials if we're going to go outside of your own house. Um, but if you're focusing specifically on getting your own house in order, I always advocate that if there is a tool that you're planning to deploy to your entire client base, deploy it internally first. Because typically, you know your network very well. Now you can see what types of alerts come up, how does this integrate with your PSA, how do we roll this out? What kind of error messages did we get?
So it makes you a better a better sales person, it makes you a better troubleshooter, you understand those parts and pieces intimately, so you can now deploy them, but then the the benefit is now your house is protected as well. The other things that I would mention are are things like getting a vulnerability assessment or a risk assessment, potentially getting a pen test, even though we're talking about probably $10,000, probably not a bad option. If you don't want to to foot the $10,000 bill, then we could probably have a philosophical conversation about whether or not you're you're ready to start selling cyber security. But I'm not the one that's stroking that $10,000 check for your company. So, you know, if you're if you're launching a new division, which is really what this is.
Yeah, how committed are you though, right?
Yeah, right, right. So, you know, if you're if you're launching a new division, which is really what this is, you're going to have to pony up some money. So if you can't do the pen test, at least a vulnerability assessment or a risk assessment. And then the other thing that I would recommend is that you you hire a company to help you run through a tabletop exercise. Which is a a piece of incident response, think of it like a a fire drill, you know, just like you would probably do for for your BDRs, you know, you do that test restore. How quickly can we pull the data down, you know, that type of a thing, it's that same concept, but it is what happens if you the MSP are breached or one of your clients has an incident, how are you going to respond? And so that's all part of laying a really solid foundation so that you're ready to sell your solutions.
So what are some other models that you've seen that are applicable that people can use as an internal checklist? Uh certainly NIST framework tends to get a lot of attention.
I find it's a really decent playbook to kind of leaf through, work as a line by line item to do some internal verification and say, you know, we've got this, we don't have this. These are some things that we should shore up. Is that a good framework to start with or is there any other uh frameworks that you would or uh uh third parties that people could look at for verification and to improve their security posture?

So the NIST framework is actually actively working on a recommended framework for MSPs specifically. And so that's due out later this year. I don't I don't know that I have a date on that. But that is a really solid framework for for a couple of different reasons. Number one, there are some solid resources on the NIST framework online that you can take a a fairly quick look and I mean three, four hours to scan through the 80-page PDF and get a really solid understanding of how NIST is configured. It won't necessarily help you identify what solutions you need, but it will open up your eyes. I mean, it is a framework and so it walks you through what, how should you be thinking as a security professional? So, all right, you need to stop the threats before they get in, you know, you need to protect and then you need to detect and you need to defend and all of those layers. So it it does provide a very solid cyber security overview. The other reason I like NIST is that many of the channel vendors are aligning their solutions to those those five categories that are part of the NIST framework. So it will become very easy for you to say, okay, what solutions do we have in each of these five categories and you'll be heavy heavier in one one than the other. That's just normal, but but because it is becoming the standard that a lot of other frameworks are based upon, the NIST framework is a great place to start.

Yeah, excellent. Okay, well, we'll uh we'll look to wrap up here. Any um uh channels that people can follow you.
I know that you're you're fairly active with videos and things on LinkedIn. I say that that's a great place to connect with you and get more info. Any other places on social or websites that you would direct people to that I can link in the show notes?

Yeah, for sure. So cyber security roadmap, uh on that site, I actually give a 30-day roadmap for launching your cyber security division. Now, like I said, this is not MSSP in 30 days or less, but this is designed to get you headed in the right direction because as you can tell, this is this topic is it is a beast. And so there's no way to cover everything in 30 days, but I break it down into very simple steps to take to start to wrap your head around what does this whole project look like and it gives you a tremendous amount of a head start um as compared to trying to figure that out yourself. So that's cybersecurityroadmap.com and then as you mentioned, I'm active on LinkedIn and Facebook as well.

Awesome. Well, I appreciate your input, Jennifer, and this has been a really practical and helpful discussion around cyber security for IT. And uh really appreciate your time.

I appreciate you. Thanks for having me on.
