CarahCast: Podcasts on Technology in the Public Sector

CyberTalks with the CISO with Venafi

Episode Summary

Stream Venafi’s latest podcast to hear from former USPS CISO Greg Crabb as he presents his analysis and recommendations for Improving Your Federal Cybersecurity Practice in 2022. In this podcast, Greg Crabb will review the impacts of recent events and make recommendations for planning for 2022.

Episode Transcription

Corey Baumgartner 

On behalf of Venafi and Carahsoft, we would like to welcome you to today's podcast focused around CyberTalks with the CISO, where Greg Crabb, former USPS CISO, will discuss his analysis and recommendations for improving your federal cybersecurity practice in 2022.

Ben Boykin 

We here at Venafi are excited to have a former federal CISO join us today to share his perspectives. My name is Ben Boykin, I'm the VP of public sector for Venafi. Today, our guest is Greg Crabb. Today, Greg is a strategic adviser to Venafi and several other global organizations. He is here to support the growth and development of our federal community. Greg, would you please share your background with the audience?

Greg Crabb 

Thank you all for joining. Wonderful to be here. And it's a great opportunity. So, thank you. I was the former CISO for the US Postal Service in the last six years of my federal career. I retired from government service in March, after a very unusual journey into the field of being a chief information security officer. I was a federal law enforcement officer for 25 years, and I have my badges behind me that are a reminder of that time in my career. So, I bring a lot of experience to be able to help information security practitioners to be able to improve their cybersecurity practice.

Ben Boykin 

You know, we're excited to have you, Greg as a resource. And Greg's here to share his experiences and give back to our public sector community. So, Greg today, where are our federal CISOs and their teams in their cybersecurity journey?

Greg Crabb 

They're very busy and they're tired, is the short answer to that question. And back to the audience perspective, if you jot down where you're at in your journey, there's a couple of things that really are important for us to think about. And the first is if you just jot down the four or five things that you're working on today, I think you would find that you've got directives coming from DHS, you've got requirements coming out of the White House, you've got third parties wanting to know what's going on with your data, you've got so many external forces that are demanding your attention. And one of the things that I personally like to do is watch sports on television. Football's a big family favorite thing to do. And if you listen to any commentator before a game, they always say, this team, whether it's your favorite team, or the opposing team, has to play their game in order to win. And I find that cybersecurity professionals are so preoccupied with the other external demands that are being placed on them, they're not playing their own game. And I think one of the things that I really want to relay in today's discussion is how do you as a cybersecurity professional, play your own game? And I think that'll be a key theme as we talk through today's discussion. Right?

Ben Boykin 

Love football, Washington, great games this last weekend.

Greg Crabb 

And I'll bring that up in a little bit later, but a great foreshadowing then I'll talk about the importance of a scoreboard.

Ben Boykin 

Well, in May of 2021, the White House issued the Executive Order on improving the nation's cybersecurity. The US faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people's security and privacy. All these entities must improve their efforts to identify, deter, protect against, detect, and also respond to these actions and actors. The federal government must also carefully examine what occurred during these major cyber incidents, and apply lessons learned. Greg, can you please share your perspective on the status of agencies against this order?

Greg Crabb 

Absolutely. And I've been very grateful to have had the opportunity over the last nine months, since I retired from federal service, to support the Department of Homeland Security CISA organization, and more specifically, the cybersecurity division and their strategic planning, as well as helping them to drive what their operating plans would be for fiscal year 22. And currently support them in their journey. So, I've had a perspective inside the seat of, or I shouldn't say inside the seat, actually, alongside those people in CISA, that are driving a lot of these activities. One of our colleagues, we iterated back and forth on LinkedIn prior to this event, Kelvin Moore. He's the CISO at SBA, he asked a really good set of complex questions relative to the Executive Order, and what's coming out of that order, and how do I as a CISO prioritize all of those things. And so, I want to walk through five prioritized items that I think federal CISOs should be considering when it comes to the Executive Order. The first is their incident response capabilities and our threat intelligence sharing. We'll talk about that briefly. Then addressing vulnerabilities. Obviously, it's been one vulnerability after another kind of starting since SolarWinds. And third is Zero Trust, everybody's talking about Zero Trust, how many people have this scorecard that I'll talk about, that are really moving forward relative to Zero Trust. It's an important part of the Executive Order. Fourth, I want to talk about your third-party data. It's a component of the Executive Order where organizations, agencies, need to consider how, as a federal enterprise, we're going to address the protection of controlled unclassified information. And finally, how do we escalate the cyber risk discussion in organizations. And so, I'm really excited to talk about those five items. I encourage our attendees, if you have any questions along the way, I'd love to address them.
And I'll hop right in with a story. And so, this story started early in the election cycle in 2020. For the 2020 elections, there was a very public pronouncement of how the concern would be relative to the Postal Service delivering ballots for the American people. And I had the great honor of being able to protect the technology assets that were necessary in order to be able to move the election, from the Postal Service associate, I protected over 1.2 million devices, and was involved in trying to do whatever we could in order to understand what our threats would be and how to respond to those threats. And the first thing that I did was reach out to CISA. CISA, under the leadership at that time of Chris Krebs, had assigned Matt Hartman to be the head of the election task force within CISA. They accepted us with open arms. Of course, we were going to be moving, hindsight is now 2020, we moved 40 or 45% of the return ballots for the election, so over 70 million ballots. But as you can imagine, we faced a significant amount of threats prior to the election, everything from criminal actors wanting to impact the environment, to nation state actors to even the administration, as unusual as that was. And so having that seat at the table and looking at that from an incident capability perspective. So, I assigned my deputy chief information security officer and my manager of threat intelligence to the task force that CISA had stood up for the election. And they were really my preparation for being able to respond to anything that would come up. And so earlier this year, late last year, CISA came up with a new incident response playbook. That had been called for in the Executive Order. And this playbook really is a nice guide for agencies to consider. It's called Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.
And so, this resource really provides agencies with a great guide on what they should be doing through that lifecycle of an incident, from preparing for, detecting and responding to, containing, eradicating, and then looking at post incident activities, and how do you coordinate all of that, do post incident learning in order to be able to improve every year as a part of the discipline of information security in my organization. At the time at the Postal Service, I had an incident response team of about 80 professionals that were devoted to 24 by 7, 365. Over the practice, we would review the sufficiency of our incident response playbooks and our incident response manual. And I think this resource that CISA has published in November of 2021 was a great resource for you to leverage in order to be able to improve your incident playbooks. So, you know, that to me, is really an important component of some of the good that's come from the Executive Order. And, you know, just stop there and take any questions.

Ben Boykin 

Yep. So, we've got a question from the panel. So, Greg, where else have you applied a cybersecurity incident response at a major scale that you could share some learnings from within CISA's framework?

Greg Crabb 

Yeah, I'll go back to a major incident that occurred in 2014. For the Postal Service, it was the same time as the OPM breach. The Postal Service had worked very closely with, actually received notification from, CISA that there was some unusual activity on the perimeter of the Postal Service's network. And we did our due diligence in order to be able to identify what had happened, worked very closely with CISA. Chris Butera, who is currently the Technical Director of CISA's cybersecurity division, led the incident response at that time. And so, I worked hand in hand with Chris on that. And we were able to identify the source of the attack, do computer forensics. We worked very closely with the FBI, they were a great partner, as well. And so, I think one of the things that agencies should consider is making sure as soon as you identify even a suggestion of a challenge to get the FBI and CISA involved in order to be able to support response. And so, we were able to do computer forensics on over 100 servers, we were able to identify that the adversary had exfiltrated the HR data of the Postal Service, so the records on over 600,000 employees. And in doing so, I personally moved from leading the criminal investigation to becoming the Chief Information Security Officer as a result of that attack. But one of the most important things that I did, that's called for in the incident response playbooks, is post incident after action reporting. And I brought in Carnegie Mellon University at the time, and they wrote a detailed account of everything that occurred over the six weeks of the investigation, so that we could get to the source of being able to address those root causes and to improve our information security practice. And so, I can't understate the importance of having a solid set of playbooks and a discipline around constantly improving your incident response capability to improve your organization. Without any other questions.
I'll move on to kind of the next discussion set and that's around addressing vulnerabilities. Obviously, vulnerabilities are at the center of all of these attacks that we've seen. The Executive Order was really focused on how do we address the SolarWinds situation. It was released at the time of the Colonial Pipeline attack and shortly thereafter was the Kaseya ransomware attack. And, you know, we're today dealing with Log4j and the executive director, the emergency directive relative to the vulnerabilities that were identified early in fiscal year 22. Vulnerability analysis is extremely important. I learned this through a call that I received from, when it occurred, I would have called him a really good colleague, Brian Krebs, the different Krebs. Brian and I had done some work prior. But Brian called me one day and said, Greg, I've identified a vulnerability on your perimeter, it involves the exposure of your customer records. And I'm gonna go to press in the next 24 hours, what do you have to say about it. And that occurred in November of 2018. That is never a good call. And you'll learn a lot from those types of calls. And I learned the importance of being able to bring a team together in order to be able to address the situation. And fortunately, I had a great working relationship with the CIO at the Postal Service and brought her team together as well as the Corporate Communications organization and others in order to be able to really address the root cause of the issue. Fortunately, we were able to identify the source of the vulnerability and have that patched before Brian Krebs made the release to the public. I also had a very robust threat intelligence capability. And I think before the article, or shortly after the article hit the press, I had law enforcement officers knocking on the doors of the individual that identified the vulnerability to Brian Krebs and the researcher that confirmed the vulnerability for Krebs.
So, I knew with high certainty that we didn't have any other exposure than those two entities, and Brian, which allowed us to take a step back and do remediation activities. And I think that was also the importance of law enforcement as well, being able to have that relationship and act quickly. But that set me on a journey, that set me on a several year journey to really look at the perimeter of the Postal Service, identify the vulnerabilities in our applications, analyze those vulnerabilities against the OWASP framework, and determine where our exposures were from a root cause perspective, manage that exposure from a vulnerabilities set perspective, bring in a set of tools in order to be able to address those from an identification, changing the solutions development lifecycle, and making sure that all of the i's are dotted, t's are crossed before threats would get into our, before code would get into production that was unsafe, and then have a backstop and implement a robust bug bounty program that would even help us kick it up a notch. You know, in summary, we have a lot to do from a discipline perspective in the area of vulnerability management as it relates to information security. Organizations need to have a robust method to identify and analyze vulnerabilities, manage the exposure to those vulnerabilities and perform massive root cause analysis and really get back to the heart of the situation. That work helped me when it went into the 2020 election. Because adversaries were saying, well, there's a vulnerability on your website. Well, I could say with high degree of certainty, there were no vulnerabilities on the perimeter. And that was extremely helpful.

Ben Boykin 

Yeah, that's some story, Greg, with law enforcement and everything else. You've seen quite a bunch. And as you're discussing the vulnerability management piece, we've got a question. You're also familiar with some of Venafi's open-source projects, but our question comes around supply chain risk management. Can you talk more about your experiences with the supply chain and what you think the Fed should be doing around that?

Greg Crabb 

Sure, I think that the work that the White House has done this month is outstanding. Assembling the team of individuals from some of the leading high-tech companies has been very helpful, bringing them into the White House, having those conversations about supremacy securing the software supply chain. But quite frankly, I also want to make a shout out to Venafi in the work that you've done to improve your supply chain, and open sourcing that work from a controls management perspective, the software security blueprint that you have defined, and put that out on the GitHub repository, so that organizations can really break down where in the process they need to be inserting controls over the identity of individuals that are responsible for code development, committing code into production, testing that code in order to assure that it has integrity, looking at all of the integrations to make sure that you've got properly signed code. That's at a very high level what your blueprint is all about. I'm really excited about advocating for that blueprint. And, you know, I believe that there's going to be a lot of good that comes from that particular activity.

Ben Boykin 

Great. Thanks, Greg. That's the only other question so far back to you.

Greg Crabb 

Yep. So, you know, I'd like to talk about Zero Trust. Everybody's trying to sell you a Zero Trust tool these days in the area of cybersecurity. And, quite frankly, you've got to play your own game. And, you know, when we started, Ben and I were kind of talking about football. And this weekend, there were four NFL games that were just amazing. The divisional championship games, four of them all came down to the last play in the game. Three of them ended with field goals at the end of regulation in order for the team that prevailed to win. And the last one came down to the Buffalo Bills with 13 seconds left scoring what they thought to be the winning touchdown. And the quarterback of Kansas City's named Patrick Mahomes. I think he had a different idea with those 13 seconds. So, he had to drive to 50, about 45 yards in order to be able to get his kicker into the position to send the game into overtime. And scoreboards are extremely important. You know what the score is. They were down by three points. They had 13 seconds left, they had 45 yards to go, in order to be able to achieve what they needed to do to send the game into overtime. Moving the ball that far in 13 seconds is, well, it actually had to be less than 13 seconds because they had to have enough time to kick the field goal. So, in nine seconds, he was able to move the ball the 45 yards. And he was doing it against arguably the best pass defense in the league. And they were able to kick the game-tying field goal, send it into overtime, and prevail through the overtime period. What's important about that is a scorecard. And I think that a lot of information security practices miss the importance of having a basic scorecard that all of the employees understand and that allows them to immediately know whether they're winning or losing the game. And I think so many organizations are having challenges with Zero Trust, because everybody wants to sell you a Zero Trust tool.
But are you playing your A game from a Zero Trust perspective? There's five pillars that CISA says are important to Zero Trust. It's your users. What are you doing on your scorecard that you're looking at on a regular basis to assure that you have all of your users identified, that they are properly managed from a user perspective, from a controls management perspective, to play the game, so that you can win? Devices, and Venafi is all about device identity. Also, identification of devices on your network is extremely important. Do you have a basic scorecard that you can say that I'm making substantive progress in being able to identify and declare these are the assets that should be connected to my infrastructure? The third is network assessment and improving the controls from a network discipline perspective. What are you putting on that scorecard in order to assure that you have proper network segmentation in your environment? And that was something that in my role at the Postal Service was extremely important. And, again, what helped me to prepare for the 2020 election was segmenting out my OT environment. And being able to know where all my OT assets were, having a strong inventory of those, keeping them segmented away from my administrative network and the internet, to be able to truly have that full visibility to assure that any mail piece that moved through the network was properly secure. And that involved making sure that I had a full inventory of my OT environment, I had strong controls on my firewalls. And the scorecard that I had was the number of assets, the number of assets that were protected. And the number of firewall rules that I had at each of my mail processing facilities to partition off that OT network from my IT network. That was a discipline that was extremely important to me, so much so that I had checkers check the checkers, to make sure that everything was good.
I had Carnegie Mellon define the architecture, and then I had Raytheon come in and validate the architecture that we had, the implementation of that architecture that Carnegie Mellon had set up. But all of that was put on an easy-to-understand scoreboard for my team. And we would visit this scoreboard on a weekly basis. Every Wednesday at 1pm, we would get in my conference room, and we would look at our scorecard. We talk about the number of devices, we talk about these firewall controls, we talk about the number of users in the environment, and how we were moving forward. The fourth pillar in the Zero Trust journey here that is so important is around application development and security. And we talked about that in the last discussion. There are very specific controls that we need to have. I shared my story about managing all of those vulnerabilities that we had identified on the perimeter of the Postal Service network after the Brian Krebs incident of November of 2018. And that was an important part of my scorecard. How many vulnerabilities did we have? What was the age of those vulnerabilities? Who was responsible, from an accountability perspective, to address those? And then the last pillar from a Zero Trust perspective is data. And I'll talk more about data in just a few minutes as it relates to third parties. But having a solid inventory of your data assets from an organizational perspective, extremely important. It's as important as your users and as important as your devices, that data architecture in your organization. Knowing where all of your sensitive assets are from a controlled unclassified information categorization perspective is so very important.
So I encourage you to develop a set of tools that allow you to create a simple scorecard, because when your employees and your leadership look at the scorecard, they need to know whether they're winning or losing, and if they're losing, they need to know that they can take heroic efforts like Patrick Mahomes did at the end of the game, to be able to send it into overtime. And I think that's something that we don't talk enough about relative to the Zero Trust journey, that from a security practitioner's perspective, we need to be able to really get our arms around and create value for leading our information security practices.

Ben Boykin 

Yeah, I watched that game, Greg, like you said, I mean, these were nail-biting games. And you're absolutely right. And so, we've got a question from the field. One, it was around, how did you develop your scorecard when you were there, at Postal? And just the thought processes around it? And a question is, isn't a security assessment enough to continuously monitor and kind of assess the security posture around those Zero Trust in our journey?

Greg Crabb 

Great questions. So, the first question is about how do you develop your scorecard? First thing I would have to say is, you need to play your game. And if you look at the guidance that's come out from NIST relative to Zero Trust, it gives organizations a number of federal agencies a number of different places to catch yourself in that Zero Trust journey, whether you've got a bunch of legacy infrastructure that you need to be able to address, or whether you are creating new cloud infrastructure, you're playing different games. One is rugby, and one's American football. And you need to create the scorecard that's appropriate for the game that you're playing. And so, I would really point you to that NIST Special Publication around Zero Trust that they published at the end of the calendar year, to help agencies really understand where they're at in their journey, and simplify that down from a strategy perspective. Make it so that everybody that's in your organization is going to know whether you're winning or losing, keep it statistical, keep it current, because you always have to measure. The second part of your question is, is a simple security assessment enough? I argued that. I'm going to go in the way back, way back machine. And long before I ever entered federal service, I learned about process discipline from a little organization called McDonald's. In high school, I got a job at McDonald's, I worked my way up to a manager in the local McDonald's that I worked for. And they were all about process discipline, and discipline, the process, is what information security practices have to do on a day in and day out basis. And if you're only going to be assessing yourself once a year, that's probably not enough to know whether you're winning or losing the game from a discipline perspective. Because once a year, you shine up your shoes, you get your best suit on, and you look good.
But throughout the year, and this is what I learned, you have to deliver for your customers. In that case, it was, you know, disciplines to, you know, every McDonald's you go to, the burger's the same, the customer experience, they try to drive the same performance requirements. It applies to the information security practice, as well. Your threat intelligence organization has to be disciplined to their process in order to be able to win the game. And so, I highly recommend that you do thorough assessments each year to make sure that you're playing the game that you want to play. However, I also suggest that you drive your organization from a performance metrics perspective, to know whether you're winning or losing. I wasn't planning to talk about Venafi, but I will for just a moment. In 2016, December 18, 2016. The date is extremely, I shudder every time I think about the date. Because Christmas at the Postal Service is it. We deliver over a billion packages every year so that Americans across the country can celebrate their holidays. December 18 is seven days before the biggest day of the year. And the most important system that you have at the Postal Service for that day is the product tracking system. Unfortunately, I was a rather new CISO at the time. And I didn't realize that our certificates for the product tracking system were set to expire on December 18, 2016. That was a bad, bad day. Nobody wants to take a system outage on the most important day of the year for your business. And I learned an extremely important lesson, I learned an important lesson about the intersection of operations and security, and the importance of putting a set of tools in place integrated with all of the IT operations workflows in order to be able to deliver on the business needs of the organization. And we had a blackout period for development from early November to January 15.
For the next two years, I was insanely committed to making sure that I had no certificate that would expire in that timeframe. And so, I did everything I could. Our enterprise information repository that held all of the information about who was the owner of our applications from a business perspective, and from an IT perspective, it stunk. I was committed, because I needed to know who was responsible for updating that certificate. Let me assure you, I got on the CIO's case twice a week, it was a subject in the CIO's daily huddle that we were talking about, I don't know who's responsible for this certificate. We cleaned it up. It took two years because we had a two-year lifecycle on our certificates. But by the end, we were humming from an ability to update and refresh certificates, which allowed us to move into automated certificate refresh capabilities that are available through the Venafi platform. And I just share that story because it really hits at the heart of what we just talked about. You can go in once a year and assess that certificate capability. But without dedicated process discipline, and a scorecard that I covered twice a week with the CIO. And at the end, I required that all the certificates be updated by September 15. On September 12, there were some heroic activities that would go on in the organization to hit that deadline. Right. And so that's the importance of a scorecard. And as we look at the importance of Zero Trust, that's really where we need to go, right.

Ben Boykin 

That's great, Greg. And I remember that date as well. I was the new VP. And I remember some very tough conversations around that, right, and how we could help you get there. So, I remember that day, quite frankly, and I was new to the Venafi organization as well. We've got another question on Zero Trust: what portion of Zero Trust and these other strategies is rooted in the technology, and what portion is rooted in the hiring, training and retention of our people?

Greg Crabb 

In my frame of the world as it relates to information security, it comes people, process, technology. When somebody comes to me and says we need to buy a tool, I push back and say, I can't implement a tool until I've got the process and the people down in order to be able to manage that tool properly. And so, it all starts with having the right people on board and whether that, and I had a very mixed workforce. I had about 120 postal employees, and then the balance of the organization 280 or so employees or contract personnel, and so being able to have a balanced workforce that allows you to have the technical expertise in order to be able to implement a tool is extremely important. And my certificate authority team at the Postal Service was eight people. So, you start with people that know what they're doing in order to be able to get the success out of building the process, and then leveraging the tool to be able to maximize the organizational benefit. But I think it comes in that order. I don't think you can do it the opposite and get results because if you don't have the people in the organization that are committed to the process of improving, you're going to find that you've got vaporware, because you can't implement the solution. And so that's my perspective on the importance of people to lead any of these initiatives.

Ben Boykin 

Thanks, Greg. So far, that's the remainder of the questions in the fields. Back to you.

Greg Crabb 

Outstanding. I want to hit on two more topics here real quick. The first is the importance of protecting your controlled unclassified information in your networks. The Executive Order calls out agencies need to improve in this area. They have CISA conducting a study. I've had the occasion to work from both a law enforcement capacity and as a protector capacity. Talk about two things. 2004, this is Wayback Machine. I'm sitting in my office as a law enforcement officer, I get a call from a colleague in Cyprus. I'm sitting in a task force in San Francisco, California. He says, "Greg, I need you to come to Cyprus, we have a very important recovery. And I'm going to send you some files." And he sends me an email that contains the flowchart, and the flowchart is of a network that does credit card processing. And it happened to be the credit card processing for a huge, huge US retail organization, hotel chain. And I go in, talk to leadership, they've got me on a flight the next day to Cyprus. Arrive in Cyprus, work with the Cypriot national police, conduct computer forensics on the machine. And not only do I find the credit card information for millions of Americans, and global passenger cars, travelers, I also find the CAD drawings of US Navy ship. And this was a compromise of a cleared defense contractor. And this was many moons ago. And today in my consulting work, I have been doing a lot in the area of helping small and medium sized companies improve their level of play against NIST 800-171 and protecting CUI. If the federal enterprise is relying on the same companies that the DoD is relying on from a supply chain perspective, we have a lot of work to do. And so, I encourage the adoption of 800-171, like DoD has in CMMC level two, in order to be able to improve our level of play relative to data security. And I also suggest that we improve our relationships with our procurement organizations.
After the breach of 2014, I talked about the importance of having that relationship with it, sat down with the vice president of our supply management organization, and I said, "The next breach is going to involve a third party. We don't write most of our code, we don't manufacture our hardware equipment, we buy commercial off the shelf software. The next breach is going to involve a third party." And so, we sat down and really looked at that whole lifecycle of procurement and where we could insert those requirements from a procurement perspective, to be able to protect the data that the Postal Service holds from a sensitive perspective, and really forced upon the procurement organization to help us play our game. And so, I highly recommend that organizations really foster that relationship in collaboration with their supply management or procurement organization and move requirements into their departmental acquisition regulations to assure for the protection of controlled information. And so that's really where I see a very important move from an Executive Order perspective, and really where I think this needs to continue to grow and develop for the federal enterprise. Finally, Kelvin Moore, CISO at a small business administration agency, asked me, you know, "How do I manage this whole complex of prioritization across directives, and all the technology that I need to deliver, and all of these external threats?" It comes down to risk management. And so, building an effective cyber risk management practice within the organization and escalating and elevating that discussion among the leadership team is extremely important. And it's the importance of how you frame your stories. I've heard a lot of excuses over the years as to why we couldn't address risk. And I would encourage federal practitioners to get to the facts and forget the story. We need to, as a federal enterprise, address these risks, so that our organizations are improving.
And sometimes the story is not the story that you want to tell. You know, I shared the Brian Krebs story; that's not the story that you want to tell about vulnerabilities on your perimeter. However, when you tell that story and escalate that, and the scorecard that you're presenting to your workforce becomes the scorecard that you're presenting to the executive leadership team, the organization, that means that you're really having substantive risk conversations, and you're addressing those things that are most important. And when you find the situation where you have to balance paying, you know, whether to, you know, rob from Peter to pay Paul, when you do that with a prioritized set of risks for your organization, you really are able to say that we are buying down and we are a risk-led organization. And so, in the last several years of my time at the Postal Service, I was able to take the risk register and make solid statements to my CFO, to General Counsel, to the leadership team of the organization, that we were addressing those most urgent risks with the investments that we were making. And it allowed me to continue to get more money, because I could show that we've got this risk, and I can't steal from that risk to be able to address this risk; you need to give me more resources in order to be able to address those issues. And I love to talk about this stuff. As you can tell, I can go on for literally hours about any of these specific topics that we've talked about. Ben, thank you so much for giving me the opportunity to talk today. I'd love to address any other questions before we wrap it up.

Ben Boykin 

That is all that we have, Greg. Again, we want to thank you, Greg, for your time today. We encourage each of you to reach out to Greg, if he can support you on his journey. He's here for you. He can be found on LinkedIn or at his website at 10 Eight cyber.com. And we here at Venafi, our mission is here to deliver innovative solutions for the world's most demanding, security-conscious Global 5000 organizations. We are fanatical when it comes to protecting, right, your customers' machine identities and making sure their companies are successful. And to accomplish this, we actively partner with our customers (Greg used to be one) and invest in their ongoing success, right? So Venafi has a trust protection platform that powers enterprise solutions, giving our customers the visibility, intelligence and automation to protect machine identities throughout your organization.

Corey Baumgartner 

Thanks for listening. If you'd like more information on how Carahsoft or Venafi can assist your organization, please visit www.carahsoft.com or email us at Venafi@carahsoft.com. Thanks again for listening and have a great day.