Protect Your Financial Assets Against Cyber Attacks

The other thing I think that's important for business leaders to recognize is when it comes to phishing, people are gonna click the link. If a single click on a phishing link is gonna cost your business a hundred thousand dollars, you're doing it all wrong. Yeah. You know, we've gotta take those data points to figure out what it is that they're failing at. Are they struggling with impersonations of the IT department or HR department? Then we turn around and then deliver more education. But again, yeah, it's all about that culture, all about that influence. Welcome back to another episode of unraveling IT expert tech talks. I'm Garrett Wiesenberg, VP of Solutions Consulting here at Corsica Technologies. And today, I'm joined by T.J. Patterson, the Information Security Officer at a local community bank. We're going to take a look behind the curtain at what it takes to run security at a modern financial institution. We're not just talking about generic best practices or frameworks. We're talking about the real tactical day to day operations and and what it's really going to take to secure the modern financial institution at scale. Welcome, T.J. It's great to have you. Yeah. Thanks for having me. So what does information security look like from from your perspective as it relates to, you know, the the financial institution or running it at a bank? Yeah. So, you know, information security for us is largely, you know, protecting the confidentiality. Pretty common, right? If you have sensitive information, whether that's internally, you know, making sure that data stays contained within those lines of business or externally. You know, we don't want the general public obviously to see sensitive data. And some of that's driven by compliance. You have things like the Graham-Leach-Bliley Act and there's other regulatory groups that require us to do certain things. But then there's also just, you know, doing the right thing. Right? Think about even with your organization or any others that have any level of sensitive data, you know, it's our job to protect that. And then secondly, you know, another big component is around our technology systems. So if you think about it, we, as a as a bank, while we're local here in Indiana, we invest a lot in technology. Therefore, there are lots of new cybersecurity risks associated. And so for us, there there's always a lot of pushing the envelope, you know, making sure that we're ahead of even those regulations. There's another component here. So while we deal with cybersecurity, you know, we're also involved with paper. Right? I mean, people still use paper, people still write checks, companies still issue checks and pay stuff. I actually just had to go get a check yesterday Yeah. From the bank because I don't own a checkbook because no one uses checks anymore. And and think about it. What's what's on that check? Your routing number, bank account number. Yep. Account number. All the things a cybercriminal needs to do the really bad thing. And so our job is not only to protect information in cyberspace, but then we also protect it on paper. That goes across, in our case, you know, 35, 36 locations. Then on top of that, you know, think in total, we've got around 75, 80 locations where we have a digital presence, where we put even a video ATM. So we've Mhmm. To to speak towards some of that innovation, we've put video ATMs in rural areas so that people who can't necessarily get to a bank, they can go to that video ATM and get the same level of service. Mhmm. So again, it's really protecting that confidentiality, that that availability of that information. You look at the news and the media and you see all these companies, hey, look who was attacked by this threat actor or this ransomware happened. You know, our goal is to make sure that doesn't happen to us because one, that involves data being stolen, but two, that involves a massive disruption to our business, reputational risk Yep. So on and so forth. So what's a typical day in the life of T.J. Patterson look like? Yeah, so a typical day doesn't exist. It's very interesting. Fortunately, so in the role I'm in now, in the past, a lot of my roles were more reactive in nature. So I may be focused on a particular project, spending a lot of time on that, but then, you know, organization A or whoever I was serving from a customer standpoint, they would have an incident or an event that required attention. So I would always get deviated. Mhmm. Whereas now, a large portion of my role is more strategic. So it's about planning ahead, planning months ahead. So I can say, all right, I'm gonna spend four hours this week focused on security management activities. That may include third party risk. So I'm involved in our third party risk management program where we assess our trusted partners to make sure sure they have adequate controls to protect customer data. The reality is, we're a bank. We're not capable of doing all these other things, but other organizations are. There might be a week where I spend four hours, I might even spend 16 or 20 hours just looking at third parties. There may be another set of two to three weeks where I'm doing nothing but IT related activities. I'm looking through configurations of systems to validate that what IT is delivering is appropriate for the our risk appetite. But then I may go weeks where I'm doing a lot of presentations. Fact, here in a couple months, I'll be speaking to a large number of business owners, business leaders. I'm working with one of my colleagues at the bank, and we build out kind of a show with it, make it little bit entertaining, but also bring a lot of value. So Mhmm. I could spend weeks building the right presentation, learning how to tell the right stories, and then do that. And so, again, it shifts. It's all about telling stories. Right? Storytelling. It's key. Yeah. So can you maybe touch on some of the differences between the regulations in a banking industry versus, you know, maybe manufacturing or just your standard, you know, small business or something of that nature? What's different? Yeah. So some of it is, you know, some of it's similar, but you also have the, you know, audits and exams. So in our case, we go through annually in some cases, sometimes it's every year and a half, different types of audit engagements where we're required to. We'll have bank examiners, so the actual regulatory body that enforces rules and governance on banks, they look at us and say, hey, are you all doing the right due diligence from an IT perspective? So when you look at IT controls, are your controls not only in place, but are they effective? Let's look at that over a period of time. So a lot of other industries, you'll hear things like, you know, we need to have policies, we need to have standards, procedures, but we get audited on that stuff. And so frequently, we're having to show things like, you know, meeting minutes, let's say, from six months ago to prove that a governing body inside the organization received communication, approved this set of policies. So it's no longer about what kind of policy can you produce. It's about can you show that you've produced it? Can you show that that policy is effective, that employees know about the policy? And so that's one example. But we also deal with multiple regulating bodies. So you have things like the CFPB, I think it's into maybe data retention territory sometimes. That's more of a compliance and fraud related, but there's still data retention. We deal with the FDIC in our case. We have guidance from an FFIEC handbook, which is another examination group, and they provide guidance, but essentially that guidance is law per se. And so we're assessed to make sure that we're following that guidance. So really, it's more site and the accountability. These governing bodies are really holding you accountable to whatever the regulations may be, whereas Yep. You know, other other industries may have similar, you know, standards or or regulations, but the auditing is less stringent. Correct. Yeah. And and I think there's a misconception. I think some organizations look at it and they say, you know, let me just check the box. And Yep. Some people that's that's how they approach it. For us, you know, we certainly wanna check the box, make sure we're doing things the right way. But again, it's for us, it's more important that we we push the envelope, we we align better with things like NIST cybersecurity framework, the CIS controls. We wanna align with those Yeah. And not just do the the bare minimum. Well, part of it's got to be cultural. I mean, you've talked a lot about putting systems into place and, you know, putting the technology wherever you can. But at the end of the day, the end users or your staff are really the weakest link within your organization, right? Yeah. So so staff are certainly, when it comes to those links, that that chain of protection against your organization, at the end of the day, humans are gonna fail. I'll just say it candidly. Right? Think about Yeah. Phishing. Everybody knows about phishing. Yep. And and two things I like to to cascade. One, the thing that people see is phishing. So the thing I think about is, how do we influence a culture through phishing? Everybody sees the phish report button. We can we can emphasize how important this thing is, but if you can take that button and you can somehow relate it to these other ten security topics Yep. Well, now they're gonna be able to relate to that. When you give someone the easy button, I call it. You give someone the easy button, you can say, hey, person. I want you to report this thing. We wanna make it easy. You don't have to submit an IT ticket. Just hit the button. And when you hit that button, we'll deliver a response back to you that says, hey, this was a confirmed threat. It came from this group. Here was a business email compromise. We can deliver all that back to a user with Mhmm. With low labor effort on our part. And then now they know, hey, I I was able to help stop a thing. Yeah. Not only that, but we can take that simple report from a user, and if three hundred other people in the company were targeted as well, we can rip that message out of their mailbox, we can now tell that story. And then the other thing I think that's important for business leaders to recognize is when it comes to phishing, people are gonna click the link. If a single click on a phishing link is gonna cost your business $100,000, you're doing it all wrong. That's just how it works. People are gonna click that link. In our case, there's a percentage of users that we have every month or two months during those tests. We know what percentage of users are gonna click the link. And instead of very black and white saying, alright, they failed, they failed, we've gotta take data points, figure out what it is that they're failing at. Are they struggling with impersonations of the IT department or HR department? Mhmm. We take things like that, then we turn around and then deliver more education to make sure that they're they're getting it. But again, yeah, it's all about that culture, all about that influence Yeah. Because that then sets the tone for when we do need to do the really big things, whether that's third party risk, whether that's tabletop exercises and incident response, people take it more seriously. And it's really a security minded focus and just keeping people aware and and bought into the idea of security. Because I think that's usually the hardest thing with any I mean, can tell me, I mean, any cybersecurity professional is getting the buy in from the organization tends to be the hardest part. Correct. But it seems like your bank is fully bought in and you guys are there. I mean, that's why they have an Yeah, absolutely. Yeah. Yeah. Think for us, we're pretty well bought in from the top down and also from the bottom up, which again, that's important. When our case, you think about, you know, people on the front lines of any bank or financial institution, they may be dealing with a customer who comes in and says, hey, so and so, they stole my life savings. I mean, I I there's people, there's businesses that will lose tens of thousands, hundreds of thousands, even millions of dollars over these simple things. And so when people on the front lines hear those stories firsthand, you know, and that emotion hits, they're like, oh my gosh, this is terrible. Again, that the light bulb starts to go off, and again, that lets us be able to deliver the messaging we need. Yeah. So along those same lines, I mean, what's your personal approach to getting that buy in and getting that that culture built within an organization across departments, you know, from the top down or bottom A lot of it's storytelling. That that's a big thing. Storytelling, think, is critical. I also think a skill that's very undervalued is listening. People just don't know how to listen. Security professional, just talk about the industry as a whole, sometimes whether we're consulting, whether that's internal or external, we come in, we say, hey, here's all the problems we see, let's get them fixed. But they fail to listen to what the business leader is looking for. Mhmm. But if if a person comes in and can listen to those executives say, hey, here are the problems we're having. We're struggling with the customer journey or the, you know, we we wanna minimize customer friction, let's say. Well then as a security leader, can you take that and say, alright, we know that MFA and these other things can cause friction. How do we make sure that as we push those things that are necessary or as we pitch those things, we can prove, hey, these aren't a big deal. If anything, doing this stuff now teaches your customer that we're in alignment with their expectations. Mhmm. So customers of any business anymore, they expect still a high level of security. Yep. And so when you can show executive leaders that, hey, this is the expectation of the customers you're serving, we're helping you get there. We're enabling you as a business to get there and aligning with all the risk management we need to do. To me, that's one way to to sell that. How is strategy defined at the executive level? And what's your role in in shaping the overall strategy of the security of your organization? Yeah. So for us, as many organizations, your strategy, your corporate strategy is built from the top. And then in organizations that might be a little bit larger, there are governing bodies inside those that may build sub, I'll call them sub strategies. So in our case, there's a strategy within our IT group that aligns with that corporate strategy. And then more specifically, I chair a a cybersecurity committee. So we have a dedicated committee focused on cybersecurity, and that then feeds up into our IT group, our IT committee, and I just I help facilitate with that committee. Here are the things that I'm thinking based on everything I've seen. So I've looked at the business. I know the risks in the business. I talk with other people, and that's one mechanism of how I learn about those risks. Take all of that together, make sure I understand what the corporate strategy is rolling all the way down through IT, and then piece together kind of a draft. Here's what I think makes sense, and then I bring that to the cyber committee, and then we talk through it in-depth. Because the people on that committee, you have representation from IT. You have representation of compliance, fraud, all these different groups that are involved with risk management to the company. And then we collectively help formalize that and then adopt it. Once that's adopted, then over the next, you know, twelve months as we execute on that, as a committee, drill through those key action items. That's how that gets adopted and built, and then from there, it's all about executing that. And that's done through multiple methods. So really, you're there to influence. Of influence. Yeah. Lot of influence. Influence and storytelling. Yeah. That's what it's all about. Influence and storytelling. Do you have any creative or or maybe nontraditional examples of of how your organization has implemented security? Yeah. So for us, I mentioned we deal with paper. Yep. And one of the things we do to validate its effectiveness, so making sure that our sensitive documents are shredded or secured every day, is we do an audit. So after hours, we don't announce it. We go through facilities, and we will actually comb through people's desks. We'll break into everything. For as a security professional sometimes it's a lot of fun, but our goal is to make sure that data isn't sitting there. Yep. And and historically what we've done is we you know go around, we look through desks, we write up a report, talk to managers. Reality is it's just boring and influence isn't quite as strong there. So then we decided, you know, let's print out business cards. Because if you think about it, hitting those five human senses, you start to influence subconsciously a message you need into someone's head. So we printed out these business cards that say pass or fail. I kid you not, when you drop a pass or fail off in everybody's desk, some people freak out. They're like, oh my gosh, am I in trouble? We had to manage that a little bit. That was a struggle. Then after talking with some teams, what we ended up landing on is this really cool branded business card. The very top, it's green. It says, you passed the audit, but underneath it says, for improvement. We can check a box, because it might take us four or eight hours to go through a facility. Yeah. And we do a pretty thorough job, and then we document it on a spreadsheet, we pipe that into, we've got Power BI and all sorts of tools set up to measure that, and we can actually say, at the end of the day, here's a dashboard that shows a percentage of success. Mhmm. So, we're no longer quantifying, here's who failed and passes. We're saying here's a facility, here's its risk when it comes to clean desks. What is the risk that information's gonna be out? That's how we measure it. Yeah. And if we have someone blatantly doing a thing, we would deal with that. But at one point during this, and this did not work well, but I did get a sample set of smells. Right? The five smells. And I got one that smell smell like, you know, fish smell. Was a terrible idea. Thought, here, let's put these on the the cards that that fail or don't do well. Did not did not work. So we didn't we didn't continue to do that. Right. But it is it's crazy as that sounds, again, you think about it, it's so different. But what we found as an outcome is people take these cards and it's again, this sounds elementary a little bit, but it's like Pokémon, gotta catch them all. So Yeah. People will collect these cards and they will brag like, hey, I gotta pass. I gotta pass. And as goofy as that sounds, you think about it, you just influence this culture within pockets of people. And then over time, a year later, when I'm walking around the building, hey, don't be dropping a card on my desk. What that means is that person now knows clean desk is important. They're not supposed to leave data out. Mhmm. They're now an advocate and a champion, and they're not a cyber committee. They're not any of these formal structured governing bodies. Yeah. They're out there selling cyber on behalf of information security. Mhmm. That's the power of influence. Yeah. So a little bit unconventional, but it works. I would say that fish sent on on business cards is wildly unconventional. Yes. Unconventional, a little far. We decided to not do that one. Yeah. You hit on the topic though of of reporting and piping the data that you were taking from those field tests into, you know, Power BI or or whatever it may be. Obviously, as an ISO, I'm sure you're delivering reports at an executive level on a consistent basis. What are some key metrics you typically hone in on that you think most organizations may not may not focus on? Yeah. Think a lot of it a lot of it's fundamentals. Right? Mhmm. I mean, if you think of system patching, Windows patching Yep. Most of most of your network environments are gonna be Windows. There's your your Macs occasionally, but a large portion of the enterprise is gonna be Windows. So you need a strong patching program. And, you know, when you think about executives, I say this loosely, they don't know what patching is. They know, hey, there's a system update, and I know that it protects my business. So as subject matter experts, IT teams, in our case, our IT team says, look, we're telling you that patching is important. So then as a as an executive, they need to know that what you're saying is important is is being done and measured effectively. So for us, it's about service level agreements. So if we say that patching is important, you need to be patched within two weeks of that being delivered, we wanna know, we wanna communicate to executives that ninety five percent of the organization or ninety seven percent is patched within that two week window, and then we have a report that shows that it was done. So that would be in your patching territory, very fundamental. When you look at phishing, I think different organizations, I've seen some where, you know, this model of three strikes, you're out, and and yes, clicking phishing links isn't great, but when you look at phishing, you're you're looking at the overall risk. So here's the percentage. Say you're a company where 2% of your organization fails phishing tests every month. Well, if it's not the same two people, is the risk really that heavy? Mhmm. But if you take that 2% and you're like, oh, wait a minute. There's one person in there that they seem to always be in that two percent bucket. Yeah. Then you can dial into that and and manage that. But again, it's more about showing executives risk. They don't care about, you know, how many packets were dropped in a firewall. They care less. They don't care about the IT aspect of it. They just wanna know is my business at risk? Correct. And if so, how? Yeah. And so those metrics are always based on risk management. Yep. One item, T.J., I don't think that we've we've touched on yet is what's the differentiator between fraud and cyber? Mhmm. Absolutely. So there's what I would consider this intersection. Right? So you think about organizations other than financial institutions. What you see in the news, what you see kind of marketed is, you know, ransomware. That's the big thing. The reality is it's a real threat. It will shut down your business. It costs money. They extort, so on and so forth. But when you think about it from a labor perspective, so you have these underground businesses that commit all this cyber security activity. So you have call centers. You can buy ransomware as a service, phishing as a service, go do all these really bad things to scale. But think about banks. Banks manage money. Mhmm. When you call into your financial institution and you need to wire, you know, say it's a large wire, we're we're talking hundreds of thousands, you need to move money from point a to b. Imagine a cybercriminal, they don't need a call center necessarily. They don't need, you know, ransomware as a service. They don't need to deal with all that. They can now just get really good at breaking into a couple email accounts, convincing a person of it, and they can walk away with a quarter million instead of spending months inside of a customer environment or a business environment trying to do the really bad thing. It's a lot more cost effective for bad guys. And so for us, we'll see business email compromises. We'll see things like domain squatting where businessA.com is the domain, but then the bad guy turns up businessA.com, but they swap out the the u with a three or whatever the the case is. And with someone's not paying attention very closely, that can result in a ton of money lost. Mhmm. And so for us, we see a lot more fraud in that space. We see social engineering. I mean, you've got all the, you know, the acronyms in the cyber industry. We see phishing. We see smishing. We see vishing. We see cyber criminals put themselves in between two different parties, calling the opposite party and convincing them, hey, I'm your bank. I'm trying to do this thing. Here's the first six or eight digits of your card number. Can you just give us the rest of it so we can verify the security on your account? Well, guess what? That data's public anyway. But in that moment, the consumer doesn't realize that. So then they're like, yeah, here's the rest of my card. Next thing you know, bad guy has a card number. That goes into the pool of things to be sold on the dark web. So part of what we get into is things like brand abuse. Are very active in stopping some of these social engineering campaigns or websites that are designed to steal user credentials of consumers. Yeah. So that I think is a very key difference. And so when it comes to, I I talk a little bit about storytelling. A lot of IT professionals, they see ransomware, don't click the link. For us, that's a big piece of it. But also, you know, it's about how do you communicate? How do you respond? If someone sends you an email and says, wanna do this transaction, or I need to update data on my account, any organization, if you rely on a person to send you information like a driver's license, they send you a driver's license and you go update it on your account. Well, if your organization has security built around that, around calling the customer, reaching out to whoever's on your account, the bad guy can do that thirty to sixty days ahead of time. They now have gotten into your business, updated their contact information maliciously, they sit for sixty days. Then when they call in, they can circumvent different controls. There's tactics like that that are used. Yep. And so that I think is one of the things we deal with more in the banking industry. Yeah. That makes sense. Maybe switching topics just ever so slightly, but have you seen any real world impacts of this, you know, AI boom when it comes to cyber specifically? Yeah. So specific with cyber, the one I think a lot of people see and we certainly see it are just around email communication. So often, not always, but often in the United States, a lot of communication and the the threats coming in aren't based out of the US, and so there's a there's a language gap. Mhmm. The other parties trying to commit these acts, they don't fully understand the culture, and so when they communicate, they might struggle a little bit, versus when they have AI and they can say, hey, imagine I'm in the United States. They get tools like WormGPT, so you have ChatGPT. You also have FraudGPT and WormGPT. They can take those where it strips ethics out. They then craft an email to an organization and say, hey, speak as if you're in the US, and now they've hit that cultural barrier, or they've passed that cultural barrier. So that's one thing we certainly see. Wow. In terms of scale, I mean, deep fakes, we see some brand abuse where AI is used. We, I mean, I will say we do see a lot of times threat actors will do their really bad thing or set the stage, and we we may see those activities. For example, if threat actor wants to set up a website and try and steal passwords from somebody, those are done within minutes. They're not done within, you know, weeks. They can do it within minutes. Yeah. And there's, we were able to take, see that through the tools they're using, you know, AI tools or whatever, and they're able to do that to scale. Then they sit and they wait. So, now they have efficiency with AI tools to build their infrastructure. They sit for weeks before they do the bad thing, and then they go after the bad thing. That's a scary thought. Yeah. Just a little bit. Along the same lines, what what do you see as the state of cyber over the next five years? Like, are the up incoming or upcoming trends, threats that, we should be paying attention to? Where do you see this evolving now that AI can do these deep fakes very quickly? Yeah. I think AI is the the I'll just call it the buzzword. It's the buzzword across the Everybody talks about AI. But I do think AI is changing the game. I mean, I'll tell you from personal experience even, I can leverage AI tools to do things that would have otherwise taken me weeks, and I can do it a lot faster. If I can build, let's say, a brand or I can build the foundation of a business within seconds, think about these underground markets. Mhmm. The entry point, and actually this is a thing to really think about and be cautious of, the entry point for getting into cyber security, there's training everywhere to do that. But the entry point to learning how to steal money or commit fraud, that entry point's a lot lower too. So imagine somebody coming out of college, they're strapped for cash, or you know, whatever circumstance they have, they're like, man, what the heck? Let me just take this two hundred bucks. It's only company A, they can afford two hundred bucks. They learn how to use these AI tools. That's the next level of real threat is is they just they're just using the tools to get a bunch of cash. It lowers the barrier to entry for Exactly. Both the good guys and the bad guys Correct. Essentially. Yeah. I think that's a a big thing. And Yeah. Then there's certainly and I forget where it was. There's a country that, you know, there's quantum computing, some of that, I think. As soon as someone really gets into that space and they're able to crack password hashes, I think that's gonna open some new doors Mhmm. In a bad way. But definitely AI, and I think that's specifically it. That barrier of entry is a lot lower. Also think about brand abuse. So think about reputational damage. If you look, there's plenty of videos, lot of humor videos, not exactly business appropriate, but there are a lot of videos all over the Internet right now involving AI. So here, I want you to show me a video of this. What if you can convince an entire group of people, I mean, we're talking nations, like actual countries, or even Yep. Consumers of a business. If you get upset with a business and you can write a thing that says, hey, show me the CEO and the CFO doing this, you can convince the broader public that this really happened. Everybody's gonna share everything. Whether they they look at Facebook, they see one little picture, and then they share it. Mhmm. That stuff, it goes viral, if you will. Yeah. And so I think that is going to cause reputational harm in the wrong hands of somebody. Yeah. I've actually seen a few videos where the AI created image or video is better quality and more realistic than the, you know, professional VFX shots. It's unbelievable. And think about it from this perspective. You've got all these AI companies. They're trying to do good things. They're trying to sell and show how awesome this thing is. Well, people are excited. Everybody knows about ChatGPT now. People are now, oh, let me let me try this. Let me try that. Literally the entire globe is feeding all this information to all these tools. And that's kind of where I thought you would go Yeah. With it because organizations do it's difficult to stop people from using ChatGPT Yeah. And people need to be trained on what information is okay to share Exactly. What information is not. So so think about this. You're Okay. Let's say you're in sales and you're trying to sell to somebody, but grammar isn't your thing. You can go out to chat GPT, Copilot, Google Gemini. You can go in there and say, here's my email. Write it for this type of audience. I'm an IT person. I don't know how to speak to an exec. Write it for an exec. Mhmm. But if you plug in account information, not thinking about it, well all of a sudden that data, technically that's by definition a breach, depending on who you are. It's a breach when you put that sensitive data into Chad GPT. That data's now in the pool. And I can tell you from firsthand experience, I've seen cases where in our organization, we've had people contact us thinking, hey, this really bad thing is happening, you're involved. No, we're not. It's Google's AI tool gave you bad data Yeah. Because of all of what it collected. It's completely inaccurate. Yep. But yeah, I think, you know, as an organization, you can say, look, don't use all these tools. But the reality is it's it's all across the globe, and it's kinda like mobile phones. Early on when those were coming out, nobody's gonna you know, businesses don't wanna deal with mobile phones. Nobody wants the iPhone. Guess what? That's business high business impact if you don't have an iPhone now or any kind of phone. Well, think about AI. It's all over the place. Everybody wants it. Consumers want it. It will be in businesses. No matter what people want, it will be. Yeah. And so businesses have to think, how do I use that tool that everybody wants and it's gonna happen anyway? How do we wrap controls around it and enable people to use it in a safe way? Yep. So TJ, know we've covered a lot today and I want to thank you for being here, but I do kind of have one more, I'll say, parting question that I typically ask all guests. What advice would you have for someone who, you know, might be a cybersecurity engineer, an architect looking to jump into an ISO role or even a CISO role Mhmm. Or somebody that just wants to may not have the title but still wants to lead. What advice would you have for them? Yeah. I would say, you know, several things. One, I think I touched on it earlier is learn to listen. So Mhmm. I come from a very technical background, and in a lot of cases was a subject matter expert. The reality is moving into this role, I essentially know nothing. I mean, I've had to relearn and learn things from the ground. So I've had to learn to listen. I'll give an example around audit and compliance territory. As an engineer, never necessarily agreed with certain things that were conveyed from auditors or or examiners. However, now that I've sat in this seat, I've learned that I need to talk and partner up with folks in compliance, build relationships with folks in these other areas, because the more I'm around them, the more I learn, oh, this is how they think. So, as I do my own job, even if it's technical, I now can switch and I can think a little bit differently. Yeah. So learning to listen has been huge. Building relationships is huge. Soft skills really is the biggest thing for me. You know, mastering storytelling and influence, I mean, I'm still I still call myself a beginner. I'm still learning, but if a person can really hone in on that skill, you can do a whole lot of things. But I think most importantly, whether you master storytelling, influence, relationship building, is authenticity behind it. I think a lot of times, you know, I'll look at in the sales space and any industry, I think a lot of times, hey, what can you do for me? Let me make a buck. Well, I think in a role like this, not only do you have to do things on behalf of the organization, but you've got to make sure if you ask somebody, hey, tell me about your weekend last week, actually care about it. Yeah. And and keep authenticity in there. Don't That's key. Don't do the Midwestern thing where we're like, hey, how's it going? Everybody's just like, good. Exactly. Because I mean, you can absolutely do this role without any of the authenticity. You can Yep. Make it all up and and do your thing. But if you don't have authenticity, that shows your character. Alright. Well, again, thank you for coming in today. Absolutely. Appreciate it. For having me. I found your your insights to be very valuable and I I hope our audience does as well. Awesome. Thank you. Thanks, man.