Video: Navigating Your Security and Compliance Strategy? Start Here. | Duration: 3144s | Summary: Navigating Your Security and Compliance Strategy? Start Here.
Transcript for "Navigating Your Security and Compliance Strategy? Start Here.":

My name is Justina. I'll start in a few seconds; I'm just going to let some more people come on. Okay. Great. Thank you so much for joining us. My name is Justina Kukarchek. I'm a senior portfolio solutions marketing manager here at Cloudflare, and I'm excited to talk to you about all things compliance and regulations today. I'm joined by Grace Trinidad, and I'll let her introduce herself.

Thanks so much, Justina, and it's a privilege to be here today with Cloudflare. My name is Grace Trinidad. I am research director for trust measurement and metrics at IDC. At IDC, I'm continuing the trust and privacy research that I started at the University of Michigan, where I published academic research on trust, privacy, and data sharing. So thanks for having me.

Thanks, Grace. I'm so excited to do this together today. I think it'll be a lot of fun. Before we dive into the full talk track, we're giving you a quick preview. I'm going to kick things off with market trends that are impacting compliance and security at a high level, and what we're seeing from the Cloudflare perspective. Then I'll be joined by Grace, and we'll cover the IDC perspective on compliance and how new technologies such as AI are impacting regulations. I'm excited for that myself. We'll round things out with steps you can take on your own to navigate some of these changes, whether they're in the threat landscape or across compliance regulation. So without further ado, I'm just going to get started.

When we talk about market trends here at Cloudflare, there's no surprise; a lot of you have already heard this before. Digital modernization is here now, and that means more data in more places. The IT landscape has changed significantly and rapidly over the last few years. Everything's more complicated.
We've gone from on-prem solutions to hybrid, cloud, and SaaS models, which makes everything a lot more distributed, especially people. Internet users and apps are all globally distributed, creating new attack vectors, and that's why it's more important than ever that we implement new policies, such as PCI DSS 4.0 or DORA in EMEA, to help minimize risk across these environments. Along with the changes in terms of digital modernization, at Cloudflare, because of our network presence, we're seeing a sharp increase in targeted cyber attacks, especially on critical infrastructure: the public sector, financial services, health care. You're all probably very familiar with that, as a lot of these have been headline-grabbing events, but these attacks are often linked to geopolitical events. Attackers are choosing prominent targets to attract the most attention at specific times. For example, at Cloudflare we saw that we fended off 8.5 million DDoS attacks in the first half of 2024 alone, compared to 14 million attacks in all of 2023. So, a significant increase, and you can read more about this in some of our reports on our website around application security. One other aspect to this that we're seeing: I mentioned that a lot of these attacks are happening at critical times, and some of these geopolitical events are really timed with some of the attacks taking place, and that's why compliance is so important right now. So 25% of the world, for example, was going through an election cycle last year. Global hot spots are also ripe for attack, for concurrent attacks. And that's why we've seen increased regulation across the world, with DORA and NIS2 in Europe, but also new state privacy acts coming up in the United States.
So we'll talk more about that with Grace. Without further ado, I wanted to hand it off to Grace to take us through some of the latest research and how all of this is shaping up to be a very exciting and turbulent compliance environment that we're coming into.

Yeah, thanks, Justina. So given all of the changes that I think we're all witness to, and the explosive news that happened yesterday with DeepSeek, it's no wonder that half of the organizations that we survey at IDC feel completely or, to varying degrees, unprepared in their own compliance posture, despite allocating increased spend towards compliance. In the next few slides, we'll show you some data points that indicate what other organizations worldwide are thinking and where they're placing their priorities in the compliance and security space in reaction to a lot of these regulatory changes. Here in this next slide, we're seeing that in order to offset some of this regulatory uncertainty, organizations, and here we're looking at North American organizations in particular, are seeking vendors who hold compliance certifications with global, regional, and industry standards. I put this data point up against 2023 and 2022 to show you that this is a slight departure from the priorities of years past: in 2023, we saw a preference for skilled staff in global regulatory compliance, and in 2022, we saw a real focus on trust centers, or making your compliance and privacy postures available in a more self-service way. We're seeing now a shift towards whether or not these vendors hold compliance certifications in the regulations that are important to organizations by industry or by region.
What this means is that organizations are looking to offload some of that regulatory uncertainty onto their partner vendors, selectively working with those vendors that offer reassurance that, in bringing that vendor partner on board or into their organization, they aren't also inheriting compliance vulnerabilities. This is worth noting not only for buying organizations but for vendor organizations: proof of compliance certifications is becoming a central focal point, at least in 2024 into 2025. If you're curious about other regions, APAC, the second group from the left here, is also prioritizing compliance certifications to help them navigate the complicated regulations and frameworks that are coming out of both North America and EMEA. European respondents, however, still prefer "skilled staff and leadership in global regulatory compliance," and this is likely because European organizations in general enjoy a more holistic or harmonized regulatory approach. So they don't have to spend as much time navigating the complicated, interwoven landscape of regulatory frameworks that we're having to navigate here in the US. Okay. On this slide, I wanted to show that these concerns are also hampering efforts to adopt AI, which is a big deal considering all the effort that we've been putting into AI and generative AI adoption since 2022. It was really a focal point for my research in 2023 and 2024, and I'm sure it's a focal point for your organizations. That these concerns are also hampering AI efforts is a natural reaction to this continually evolving regulatory landscape.
We're finding that organizations are pretty hesitant to take on any technology that could result in both technological momentum, that is, they don't want to become entrenched in the technology, and regulatory risk that could make them subject to fines, or to regulatory frameworks, that they were unprepared to meet. That's really concerning, because that's where our whole industry is pointing. Also worth noting, and this is for our vendors out there, is that 32% of the organizations that we survey hold auditing for compliance as the number one most important capability when evaluating AI platforms. Meaning that these organizations, which are concerned about the security and compliance of AI generally, are looking for audit activity as one of their top selection criteria. So if you're unsurprised by the data points that I just showed you, that's great; you're on the right track. Really, the point is that evidencing compliance certifications, for both buyers and vendors, is becoming a standard expectation in our industry, which is a subtle departure from years past. From this point on in the conversation, I'm going to move on to digital sovereignty and data localization efforts. There has been a lot of activity in this space in the last few weeks, and I hope that's new and interesting, but it's really going to cause some consternation. So, adding to our compliance woes, things are changing in data localization requirements as well. As we've seen with both GDPR, which is older, and NIS2, which is newer, data sovereignty is helping to drive adoption of digital platforms. Part of this is because of the greater efficiency offered by digital platforms. Platforms are helping to streamline access to and integration of necessary security controls.
But much of the push towards platforms is because of the inherently global nature of the largest platforms, who navigate these worldwide regulations as a matter of course. And ideally, they're on top of the regulations from the moment of introduction, through public comment, to final rulemaking. So we're seeing this: in 2023, we were looking for skilled staff and leadership in global regulatory compliance, and now we're just looking for compliance certifications as proof positive that you've somehow managed regulatory risk. Some organizations are just pushing those concerns outward to their digital platforms, and we'll talk about them more in the next few slides. This data point is really to show that data sovereignty considerations are having an impact on where organizations are deciding to deploy their compute and storage resources. While security, if you look closely at the data, accounts for the lion's share here, we can see that data sovereignty considerations are having as much of an impact as infrastructure requirements and network costs, and as much of an impact as application latency and performance constraints. So it's really up there in determining where organizations are pointing their resources. On this slide, here's another reason for the adoption of digital platforms: the ability to scale, because data sovereignty restrictions are also feeling to some organizations like a limitation they need to overcome. The adoption of digital platforms helping the ability to scale is in part because data localization efforts can fragment data, or fragment access to local data centers. It's fragmenting data in that we're having to restrict where that data is flowing. So you can't just dump all of the data into a single pile and then run your training and refinement protocols on that.
Thankfully, some of these digital platforms are allowing us to enable data localization using their existing infrastructure. And some organizations are adopting digital platforms as a way to speed time to market or increase operational efficiency. Here, I wanted to note that the adoption of digital platforms has also helped guard against API security vulnerabilities. That's top of mind, especially in the last couple of years, as we've seen API attacks, which have broad implications for all users, and we've seen that here in the US. There has been explosive growth in API use as businesses use APIs to connect applications and services. And as the main gateway for both sensitive data and critical services, they have become an incredibly attractive target for adversaries. I'm sure that's not news to this audience. But because we've been attaching services and then attaching more services, as Justina noted earlier in this presentation, some organizations find themselves in this really scary position of API chaining, which can become a bird's nest of vulnerabilities that can go unnoticed by an organization if they're not taking a hard look at their APIs. So, a bunch of challenges. Adding to those evolving challenges outside of organizations, we have challenges within organizations that, at IDC, we see our clients still struggle with. These challenges, I find, can be grouped into four buckets, and this is up to argument. We're seeing that organizational silos are making a unified, organization-wide compliance approach way more difficult. Talent and resource shortages have plagued us for years and are not going to abate anytime soon. Again, this changing regulatory landscape is really a complicated regulatory landscape, which is the topic of today's presentation. And then adherence to point-in-time compliance.
I'm seeing this less, but I'm still seeing it in some organizations: adherence to point-in-time compliance as opposed to continuous monitoring and compliance, which I'll describe in the next slide. From IDC's perspective, these challenges can be, and for some organizations have been, met with, in the blue, an overhaul of the old siloed model and reengineering or reconfiguring business functions to take a more holistic approach to security and compliance. We're seeing organizations deal with the talent and resource shortages (that phrase is tripping me up today) by really just triaging their risks. That requires taking inventory of which risks present themselves to your particular organization. That in and of itself is a pretty tall effort; it's a pretty involved exercise, but it's valuable in allocating your resources more efficiently and more in keeping with your organizational policies. This really reflects an acceptance that risk is always going to be present, that we can't buy our way out of all risks. So clarifying for the organization which risks must be dealt with and which risks can be endured is actually a pretty key step in addressing your overall regulatory compliance posture. In this changing regulatory landscape, we've seen organizations reviewing their security controls for alignment with key frameworks. That may seem like, well, obviously, we should be doing that. But there are a lot of legacy controls that some organizations have on board; take PCI DSS as an example, where the regulation itself has matured so much that even the security control that you initially had in place to meet that regulatory framework may be out of date or no longer necessary because another security control meets its needs.
But we're also seeing the streamlining of security controls using outsourced compliance functions. This is really a nice evolution in the industry, and we'll talk about compliance automation in the next section. So, compliance automation is actually helping organizations deal with these repeated requests for security questionnaires. We're seeing an increased burden on security teams to meet compliance requirements. We're seeing these compliance or security questionnaires hamper sales or go-to-market. So by having compliance automation that's continuous as opposed to point-in-time, we're seeing this burden get offloaded from the security teams onto the compliance automation partner, which has been a real boon because, again, we have talent and resource shortages. We have increasingly complicated security questionnaires that security teams are having to deal with. Our security teams are really burned out. And if you outsource your compliance functions to other vendors, you can also benefit from innovations in compliance which are occurring on the fly, which is mainly integration of AI and ML capabilities and predictive analytics for risk management. So, flagging where existing weaknesses may be found in the organization, which is really a boon for organizations with really complicated regulatory landscape considerations. Okay. So we're going to move on to take a closer look at regulations and frameworks. This is sort of a pet project of mine, because I find that we talk about how complicated these regulations and frameworks are without really grounding that conversation in the language found in each of the regulations and frameworks. So some of you who are part of the compliance teams could probably just mute me for a minute.
But I think that when we talk to the other lines of business, when we talk to our newly reengineered and more holistic organization, helping them to understand why this is so complicated is a really beneficial exercise. Throughout the next few slides, we're going to bring up this piece of research that Cloudflare and IDC conducted in conjunction with each other. We really did look at multiple regulations and frameworks and looked at where they overlapped, and we'll talk about that more later on in this presentation. Right here, we have a selection of regulations and frameworks with worldwide significance, and some of these names will be familiar to you. Some of these, you're navigating in your own organizations. But we pulled out language specifically pertaining to identity and access management. In just these examples, we see that if you look at the second row, at PCI DSS, or the Payment Card Industry Data Security Standard, we are seeing changes being applied just this year: in March 2025, PCI DSS version 4.0.1 takes effect. And then we also see how vague these regulations can be. If we look at the NIS2 directive, it says there that the measures will protect the network from incidents. Right? That leaves organizations asking how they're going to meet this regulation in a way that actually secures their network when they have all these complicated considerations, depending on the size of the organization, the number of connections, APIs, and the number of vendors you have. This all gets more and more complicated, which is why this has become a headache for organizations. So in our research, we examined these and more regulations and frameworks and how they align with security controls, to help organizations have this conversation and navigate their overall compliance approach.
We show where the frameworks overlap, which can show where more comprehensive coverage can be found. That way we can simplify the conversation and say, well, if we've met ISO or NIST, then we are covered in these other areas as well, which can help the conversation flow in a more streamlined and less crazy way. Okay. So while the regulations themselves can be quite vague, we do know that a suite of security controls falls under identity and access management, and we can start here. Within identity and access management, we have these controls on the left-hand side for consideration. And then to stay on top of regulations, many organizations are moving to, and I have this in notes, a zero trust approach. Yes, I know that this adds another complication, but we're reaching this point in the industry where umbrella approaches that exceed the regulations and frameworks and position the organization in a stronger cybersecurity posture are being adopted. That way, we just don't have to have these painful conversations about, did we meet this? Did we meet that? So to stay ahead of changing regulations, many organizations are adopting a zero trust approach. This does engender customer trust. By implementing it, it's more than just continuous validation of identity. I think this is something that zero trust has come under fire for; it's been around for a long time, but then I think there are misinterpretations that happen year after year. I've seen different misinterpretations occur. I see different things become part of the zero trust conversation. But it still remains that zero trust includes multifactor authentication, network microsegmentation, continuous monitoring and logging, encryption, and, this is really key, dynamic policy enforcement. I also wanted to note that on this slide, I have API security here at the bottom.
That's because of the authentication mechanisms and role-based access controls that can define access to particular API endpoints, and the fact that some of the identity and access management policies are not being consistently applied by all APIs. So I strongly recommend to the attendees in the audience that you go through a discovery effort with your organization to locate active APIs and their endpoints, to ensure that your identity and access management policies are actually being consistently applied. I don't have this data point in this deck, but in 2024, similar to how compliance certifications with global, national, and industry frameworks leapt to the top of the compliance priority list, identity management has leapt to the top of the security priority list for 2024 through 2025. We saw this trend happen first at RSA, and organizations have taken note. So it's going to be a strong focus point for this year in particular. Here on slide 22, under data protection and encryption, we again have the associated security controls on the left. And again, the selection of the security controls on the left really does depend on your particular organization and on the particular data that your organization is collecting. But for this slide, I wanted to focus a bit more on data localization efforts because of recent changes that have occurred in the US. On December 27th, right after we all left for the holidays and were probably in food comas, the Department of Justice issued a final rule implementing Executive Order 14117, which was initiated by Biden in February of 2024.
This rule is known as "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government Data by Countries of Concern," and from December 27th we have 270 days from its issuance to comply, which means that we in the US have to hit compliance by October. For some of my clients, this is sort of like, excuse me, what? But it's going to be okay, because I think the key compliance efforts that we have to hit in October are not huge. Mainly, we have to identify whether our organization trades data in any way with countries that are of concern. We have to audit or determine who are covered persons under this rule, and whether we have in our organizations any data that qualifies as sensitive data within this final rule. If you have any questions about this, I'm happy to answer them. It's a 400-page rule, so breaking that down could occupy a great deal of time in this presentation. So please ask questions about the final rule in the chat, and I'll do my best to answer them at the close of this presentation. I know that logging and monitoring may not be the most exciting topic, but for me it is, because of the way logging and monitoring data has contributed to the advancement of AI-enabled security. So we have reviewed the security controls that fall under logging and monitoring, as in identity and access management. And as in data protection and encryption, there is a selection of security controls that can apply to your own organization, depending on your own needs. But it really is interesting to me, and I think it's worth noting for organizations, that this data has played a critical role in advancing AI-enabled security, which is something we're really looking forward to in the future. This data provides the foundation for training and testing intelligent security systems.
So at IDC, we're looking closely at this space, because it can really help junior cybersecurity analysts perform at a more senior level. It can help offload the work from our seniors, so that they can work on the more important, more critical risks to the organization, and free them up from the monitoring nitty-gritty so that they can work on other ways to secure the organization. From there, I'm going to hand it off to Justina, and I hope you have questions coming. I'll try to prepare for them as she speaks. Justina?

Yes. Hi, Grace. Thank you so much. I've really learned so much today. I know we've been preparing for this, but even today I've learned new information, so I hope a lot of you who have joined us have as well. Now we're just going to quickly shift gears and talk a little bit about Cloudflare in the context of what Grace has shared with us, and we'll finish off with Q&A. So, definitely, if you still have questions, stick around and put them in the Q&A window, and we'll try to get to all the questions we can. If we don't get to your question, we will be emailing you with our response. When looking at compliance here at Cloudflare, we look at it as four keys to a more comprehensive and streamlined approach to compliance with our platform. At Cloudflare, as a leader in cybersecurity, we're facing a lot of the same challenges you are ourselves, and we're trying to help you navigate these evolving regulatory changes as well as minimize risk with the expanded threat landscape. We do this in four areas. One, we give you visibility into where your data is, how it flows, and who has access to it. It's really important to know where your data is across this expanded landscape that we talked about. Next is taking action.
What we mean by that is securing or protecting your data, minimizing the risk, and meeting those compliance obligations. We see this across three different areas of your infrastructure. One is your network and your employee access, and this can be done with, as Grace mentioned, a zero trust approach to security, balancing privacy and security. Next, you want to make sure that you're also encrypting your data and using the latest cryptography to make sure that the data is secure wherever it lives. And finally, we look at this from an application standpoint as well, ensuring your applications are secure without sacrificing their performance. A lot of the challenges people are coming to us with are about trying to balance those two, the security and performance aspects. Steps three and four maybe sometimes get overlooked, but nothing really happens without them in the world of compliance. Good governance: making sure that you're maintaining strong data governance over time as your business evolves, so making sure your policies and your processes are built so that they can move and evolve with your organization. And finally, audit and reporting: so important to meet internal and third-party audits. Having your logging, monitoring, and data for all of your tools in one spot helps streamline efforts and creates operational efficiencies for your teams. So how do we at Cloudflare do this? Well, a lot of you may be familiar with our connectivity cloud. As we mentioned earlier, businesses are facing sprawl, with apps and data everywhere, and the networks that connect their users, developers, and customers being pretty fragmented. And this will only become faster, not slower, with people automating and driving AI initiatives.
That visibility is going to become more and more of an issue, and you can't look at your web traffic separately from your cloud traffic, or manage your data protection with different tools. We're really seeing a push for customers to streamline some of these things, and sometimes, also, you're managing things in different tool silos that are present across your organization. So we've defined our connectivity cloud, which is our platform, as a way to connect, protect, and build across your business, so you can be more agile and retain control over these environments. This enables you to have any-to-any connectivity, innovation with AI and applications, and flexibility across cloud environments. And we do this all while keeping in mind all of your compliance requirements and your challenges. Some of the things we didn't talk about earlier today are what those challenges are. When it comes to compliance, you have time and resource allocation challenges. As regulations are changing, you have expertise challenges; you don't have people that are experts in this, so you really need a strong partner in this space, and hopefully Cloudflare is one of those partners. In order to solve for some of these challenges with the complexity in your tech stack integrations, your vendor compliance, and all your auditing needs, we have this one Internet-native platform that protects your people, apps, and networks in one. So without further ado, I wanted to share just a quick reference for you. Everything that we talked about today is in a spotlight paper that we did with Grace at IDC, which we sponsored. That is now available and will be sent to you by email after this presentation as a thank-you for attending today.
You'll get a deeper dive into everything that Grace talked about today, and also, really helpful specifically, the mapping of those security controls that Grace just went over and how those are mapped to all the regulations that exist or are pretty recent. So, certainly, data localization and some of the considerations that she talked about with the new executive order; I think you'll find some of that information in this paper useful as you tackle some of these regulations. So, without further ado, I wanted to hand it back to our audience with some questions. If you have any questions, feel free to pop them in the chat, and we'll try to get through all of them. But we've already gotten some in advance as well. So, Grace, a lot of these are for you. You mentioned some of the regional trends, but are there specific regions or verticals that will be feeling a bigger impact from some of the changes in the regulatory and compliance environment? And if so, which are they, and what are the changes?

So, unfortunately, the easy and hard answer is that all industries in particular are going to feel the crush of these regulations this year. Part of the mix-up, the toss-up, is the changing administration in the US. We still don't know a lot about what the proposed tariffs mean for manufacturing, or even for technology. Right? We're looking at tariffs on exported technologies like chips. And then we just saw in the last day the crazy knotted toss-up that DeepSeek has put our industry in. And then the financial sector is dealing with integration of digital assets and cryptocurrency in a way that I don't think anyone really expected before November of last year. So this is a really tumultuous time.
And I think if I were to say that any one industry is gonna feel the pain more than others, the other industries would, like, gang up and yell at me, because I think everyone's feeling the pain in their own way. Complicating all of it are, you know, data localization efforts that are now occurring across the globe. Right? On the previous slide, I'd noted that the OECD had, I think, something like 100 different localization efforts across 40 different countries or regions, and now you can add the US to that mix. The US previously hadn't taken its own stance on data localization efforts. But I saw Tiffany's question. I will include the link to the Department of Justice final rule. And I think if you do trade with one of the countries of concern, you might have a little bit more painful year than others. So it might not be so much an industry question of who's gonna feel the worst, but how your organization has been configured and who your partners are. So I wanted to note the countries of concern as identified by the Department of Justice. And I do wanna note that when Biden first signed the executive order in February 2024, it was still unclear, it was up in the air, as to which countries were, quote unquote, countries of concern. Well, the Department of Justice final rule clarifies which countries are, quote unquote, of concern, and they include China, which includes Hong Kong and Macau, Cuba, Iran, North Korea, Russia, and Venezuela, which have been named. This might change depending on how, you know, organizations implement their own compliance, but we're looking closely at this at IDC to see how things are going to evolve. And then you also have to look at, in your organizations, whether you have sensitive personal data that falls under the purview of the final rule. So is it uniform pain across the board?
I think the more accurate answer is that the uncertainty, given the political changes, the geopolitical changes, is really causing people or organizations to sort of either pause or, kind of, I think our compliance and security teams are gonna feel this year pretty badly, unfortunately. I hope that answers the question. Sorry, Justina.

No, no, no. It does. It's a super comprehensive answer, and I love the examples you gave across tech and manufacturing and financial services and the specific scenarios that they're dealing with in their vertical. So I hear you. That makes sense. So everyone is gonna be feeling it in kind of a unique or different way for their specific industries. I know you talked a bit about AI adoption and how it's being impacted by compliance. Can you talk a little bit more about what this means for orgs and how teams may have to work together, maybe differently, to achieve success when adopting AI?

Yeah. So, thank you for this question. So in addition to, like, my trust and privacy hat, I work a lot on trusted AI research. And when trusted AI started entering into the conversation more broadly, well, I've been doing AI research since 2016, so for me, this is like, I'm just glad everyone's here. When we started this conversation more broadly, there were clear problems in how AI was being governed. Because in 2023, we really saw governance just pivot around information security professionals, which leaves out all the other lines of business that were interested in implementing AI into their work processes. And so that was an untenable situation to be in. And so at IDC, we saw that it wasn't like, well, we've been asking organizations to reengineer their business functions for a more holistic approach since data management. Right? Where we're seeing, like, shadow data repositories.
We were seeing different approaches to data management depending on which business function you were part of. All of that was causing really big problems for a holistic privacy approach. So, you know, problem, problem, problem, problem. And then AI hits. It's still a problem, but because of this, like, shared interest in implementing AI, we saw more movement at reorganizing business functions so that there was more crosstalk, at the very least, between each business function. So rather than having just information security at the table, it was information security, it was compliance, it was the IT teams, it was customer support, it was marketing. Right? We saw more people at the table because of the concerns being voiced by the public in how AI was being implemented by these organizations. So that's actually been a really wonderful shift, and I think it has helped position our organizations not just for AI adoption, but to kind of tidy up their overall approach to security, data privacy, data management, where they're storing data. Right? So we've been calling for this to happen for years, and that it's happening now is, you know, however it has to happen, that's fine. But TL;DR, it's causing organizations to reengineer their business functions so that they talk in a more consistent and open manner. And it's a nice shift that I think enables better, more positive changes down the line. So it is breaking down organizational silos, and with, you know, the move to digital platforms, I think we're gonna see more of those silos break down as organizations can benefit from packaging together their separate organizational approaches.

Great. Yeah. I think, you know, it's nice to hear that we're not alone at Cloudflare. This has definitely helped us be, you know, more collaborative, more focused on some of our disparate data needs and teams.
So I think it's a silver lining in a complex kind of environment. I think there's definitely benefits to solving complex challenges collaboratively. Right? And that's what we're seeing with the adoption of AI and breaking down those organizational silos. So glad we're not the only ones. One other question I think we have time for is, you know, I think a lot of people found your information around the DOJ's final rule really interesting, since that happened in December. And a lot of folks might not have been around then, or it might not have gotten a lot of publicity right around the holidays and the new year, but, yeah, would love to understand: what does the DOJ's final rule really mean for compliance right now, and do you have any recommendations for organizations? I know you talked about it a little bit already, but anything to add?

Yeah. So it's gonna be really quite fun to watch this unfold. So I've already talked about what the countries of concern are. But, you know, in addition to this rule, there's also, and I'm going to misquote it, executive order 14144, and that is about strengthening cybersecurity broadly. And that one was signed on January 15th. So even newer and even less guidance around it, but I think everyone should pay attention to the contents held therein, because there are approaches to cryptography that I think we should all be thinking about in terms of how our organizations manage cryptographic approaches.
But I do wanna note that for the DOJ's rule, which becomes effective this March or April and then compliance hits in October, at a minimum, I think that there is an expectation of role-based access controls, multifactor authentication, sort of your standard identity and access management stuff, data encryption, which we talked about on slide 23 of this presentation, and then, conveniently, logging and monitoring, which we talked about on slide 24. There is also a lot of attention in the rule about third-party risk management, which also includes API security, because that is largely how we're managing a lot of our third-party risks at the moment, depending on what level you have transitioned to a platform. But it is nice that the rule does point back to NIST and ISO for framework alignment. And so if you have already taken an organizational approach that says, like, we're gonna prioritize NIST 800-53 or ISO 27001, you're in a pretty good spot already. I think then the onus is on identifying whether or not you do, via your organization or via any partner, have any data exchange. And also note that it's bulk data exchange of sensitive data. And so that is in the rule itself, those key provisions; it's well articulated. I think they did a nice job of outlining exactly what that means. But it does point back to the NIST and ISO frameworks. So they're closely linked. Thankfully, they did us that favor at the very least.

Awesome. That's great. That's, I think, super helpful for those of you that are looking for more information and kind of tips on where to start first. That was a great help, Grace, in summary, for how to approach that. Well, I think we're running out of time. I know there's a few questions that we will follow up on with the individual attendees. But, Grace, I learned so much today.
Got a preview of a lot of things coming in 2025 with you. So, you know, on my behalf, thank you so much, Grace. I don't know if you wanted to say anything else before we drop.

Yeah. This is gonna be an exciting year for all of us, and I look forward to continuing the conversation. Please reach out if you would like more specific guidance. I think these are incredibly interesting conversations, and thank you so much, Cloudflare, for having me and for inviting this commentary. I appreciate it very much.

Thanks, Grace. We loved working with you. So thank you, everyone. Have a great afternoon. We'll give everyone a few more minutes back in your day. Have a great week.