Video: Modernizing Security: Real World Stories with Werner | Duration: 4396s | Summary: Modernizing Security: Real World Stories with Werner | Chapters: Introducing Modernizing Security (26.75s), Security Modernization Factors (115.155s), Zero Trust Journey (388.17s), Modernizing Tech Stack (530.27s), Vendor-Customer Partnership (1066.0751s), Deploying CloudFlare Services (1180.63s), Email Security Challenges (1376.655s), Cybersecurity Transparency Importance (1840.48s), Future Security Steps (2021.025s), Lessons and Takeaways (2227.205s)

Transcript for "Modernizing Security: Real World Stories with Werner": Welcome everyone to today's session, modernizing security. Got real world stories with Werner today. My name is Justin Knapp, part of the product marketing team here at Cloudflare. I am joined by Dara Mahone, executive vice president, CIO of Werner Enterprises. You wanna say hi, Dara? Hey, Justin. How are you? Hi, everyone. Good to see you. Hey. And now I'll let Dara do a little bit more of an intro about himself, about Werner here in in just a minute, but let's go ahead and take a look at what's on the agenda today. So here's where we're going. We're gonna take a very brief look at why modernization is is critical, look at some of the primary factors that are pushing, a lot of companies to modernize their security stack, look at the objectives, what are the goals of of this modernization. I know modernization can be a bit of a a vague, ambiguous word, so we'll go down a little bit deeper. And then really get into the heart of of this whole webinar. So find out a little bit more about Werner, about Dara and his role there, as well as their IT and security priorities. We'll get into how they start evaluating different vendors, why they gravitated towards CloudFlare, how they even began their deployment. And then looking at how how they scaled up, how they matured, what kind of roadblocks they ran into, deprecating older solutions. And then finally, we'll get into, looking ahead. What what were the lessons learned? What are their next steps? And maybe some tips on just best practices for anybody else who's who's jumping into this type of initiative. And of course, if anybody has any questions in in the audience during this time, feel free to go ahead and, put those in the chat, and we'll be sure to respond to them. Alright. So real quick, let's just quickly look at some of the forcing factors around, a lot of organizations looking at security modernization. So, here's a constant. We've all heard this. Right? Increasingly automated, elusive threats. If there's one thing that never changes, it's the fact that cyber threats are always changing. Right? There's always new tactics. There's always new techniques. And it's always about how can we efficiently keep pace with a lot of threats that we're seeing, within our landscape. The second is gonna be around accelerated adoption of cloud based services, cloud based architectures. This isn't really anything new. You know, we've seen this for a number of years. We saw during COVID and lockdown, there was this acceleration of that adoption because people were being forced to work in different places, work remotely. This continues today. Right? That is not a journey that is a several months or even one year journey. That is a multi year journey and we're still seeing it today. Now the big one, of course, increased AI usage. We've all heard the buzzword a million times, but this is really a double edged sword. Right? So you have bad actors who are utilizing AI to be able to, you know, increase the velocity, the volume of the different types of attacks that they're launching. On the flip side, you also see organizations trying to figure out how do I adopt AI usage to create these operational efficiencies within my own org. And then you also see organizations being able to utilize this defensively. Right? How am I utilizing AI to keep pace with these changing threats and be able to, provide defensive mechanisms to automatically react to that as well. And then another constant. Right? Always increasing compliance and regulatory requirements. I I never hear anybody complain about the number of requirements decreasing over time. So this is something that that everyone's had to deal with and it only grows over time as well. Alright. Now objective wise, what are we trying to accomplish when we talk about modernization? What are some very practical goals that we can set in a place? First and foremost, I think we've all deal you know, dealt with the complexity of having, it may not be 75 plus security tools, it may be 50. Whatever it is, there is an overabundance of security solutions and that typically comes because as we see more security gaps, new threats that that surface, we have to be able to patch it up with a security tool. Well, over time, that just inflates to a number that is just not manageable anymore. And so the goal is really consolidation and be able to create unified management across the solutions that you do have. So maybe it's not dropping it down to a single platform, but maybe it's, you know, decreasing that number by half to a third, in your consolidation effort. The second piece is really, you know, moving from this manual detection response type motion to, being able to actually utilize AI to be able to keep pace with, what you need to be detecting so that you have visibility into attacks that are being launched against you so that you're not being reactive in in how you approach this, but being more proactive, both on the detection response side. Compliance reporting, we know with a lot of tools comes a lot of complexity when it comes to fulfilling your compliance, requirements. Now we wanna move into more global governance so that you're applying these policies uniformly and you're able to have visibility and reporting capabilities to to centralize a lot of the management of that. And then last but not least, with a lot of security tools, a lot of niche, point products, you're going to have security gaps. Right? Because if you're managing all these different products, they're not all talking together, they're not all integrated together, and so naturally, you're gonna have some blind spots. And what we wanna move towards, and this is part of that consolidation offer, but it's moving towards this bidirectional, what we'll call signal sharing. So this works on on a couple of fronts. You can, share different signals. Let's say, for instance, you see a malicious email, or malicious link within the email and you wanna be able to block that domain. But you don't wanna just block it for your email, you wanna block it across, you know, your web gateway as well. And so how do we share those signals and then create this kind of automated motion so that when we see a threat in one area of our business or one solution, it propagates to other relevant solutions as well. Again, it's about that bidirectional signal sharing in in, reaction as well. Alright. And then for anybody who just wants to kind of understand what does this journey look like? There there's a lot of different starting points and in fact, you know, Daryl will kinda talk through, where they started. One common thing that we see across a lot of a lot of our customers is they they start with this phase one of modernizing remote access. So this first step can be, you know, maybe clientless access for your riskiest users. And then step two can be starting to, provide this continuum continuous refinement of these different policies. So now we're implementing multi factor authentication, identity, tying in device posture to that as well. Step three is eventually getting to the point of actually retiring your VPN, for this access. Then then moving into phase two, that can be more of your workspace security type of approach. So maybe starting with augmenting your web gateway, your email security, before you actually get to full replacement. Then you get into more of the the protecting your data across multiple channels. So, again, if you think about the the phishing scenario, right, you don't wanna just protect data across your email. You wanna protect across all the different channels, where your data is at rest or in transit. And then finally, consolidating all these controls together. So, you know, if we look back at that first goal, it's really about consolidation creating more of a unified management experience as well. One last thing I'll just say about this slide too is is again, we we have multiple starting points. Another good one could be possibly email security. I know for CloudFlare, our email security solution ties in a lot of our zero trust capabilities. So, you you know, you have DLP for outbound email, you have RBI, remote browser isolation, for malicious links so that you can isolate those those links when you open them. There's a lot of ways that you can experience our zero trust portfolio without actually having to deploy all of it and you can start with email security. So I say that just to say there's a lot of different starting points, but, you know, I'd love to hear about about Dara's starting point. So before we get into that, Dar, maybe you can talk just a little bit about Werner, what Werner does, your role within Werner, maybe, you know, what what you've been trying to achieve within your role, in terms of, like, your vision and to get into some of the the very specific priorities, and how you landed on those priorities as well. Yeah. So just I'm glad to do that. I think, first, to start with Werner Enterprises, we we are actually next year will be our seventy fifth, anniversary. So seventy five years in in business, started with, you know, one driver. That driver was CL Werner, the guy who started the company. Still alive and kicking today and, completely retired from the business, but he built quite a a behemoth in terms of transportation. So what we are is a we are we're known as a truckload carrier. We are one of the top five truckload carriers in The US, but we also have a large brokerage. We do intermodal. We, we manage dedicated fleets, and we have a van network, which essentially is a one way or a van, you know, the van network, which which moves freight, basically from any source to any source versus dedicated, which we we put a dedicated fleet with a customer, and that fleet stays with that customer, through the life of the contract. So we we have about, you know, roughly 8,000 trucks, seven and a half to 8,000 trucks, 28,000 trailing assets or trailers, of all kinds, flatbed, refrigerated, but mostly van. And, we also do we do about $3,000,000,000 in in revenue. So that's kinda Werner in a in a snapshot. Like I said, it's a very complex business, an awful lot more complex than I believed when I came in the door five years ago. You kinda you know, even even though I had a background in in trucking, like, I initially, my very first job when I came to The States in in 1994 was I drove a truck for, for about nine months for one of our competitors who I'm not allowed to mention. But, you know, I knew it was somewhat complex, but it really is complex. And what makes it less complex or what can help with complexity is technology, and that's sort of what I was hired to do, which was modernize the tech stack. So, I think where where do we wanna go from there? I think that, you know, if we were to talk about priorities, you have them listed there. I mean, I think, like I said, my I was hired to to modernize the tech stack in general, all of the infrastructure. I'm very much, you know, I believe very much in in build versus or buy versus build. I don't wanna build anything, and I wanna buy everything I can because I believe somebody's probably done it better than I'm gonna be able to build it or any team I put together will build it. Right. So so that's why and I also believe that I wanna put everything, every single thing, every part of our operation into the cloud. And the good news is after, you know, four years of really hard work, we're we're almost there. We're, like, we're this far away from being complete with that. The the tech stack I I inherited when I got here was largely mainframe a s 400, which we still run a large portion of our business on today, although we're moving off of it. And you can imagine the one of the first areas I looked at was security. And, you know, there there were some areas of the business in the cloud, some run on sort of local, you know, VMware type infrastructure. You know, virtually virtualized, but but still running on prem, and then AS four under running on the mainframe. So you kinda had this sort of hybrid of areas to secure, and that, you know, has been the the not problematic over the years, but as we move more and more to cloud based platforms and systems, it becomes less and less problematic for me, and that's where CloudFlare come into the picture. Well, yeah. That that's a great point. And then let me ask this question, Dara. How did you, you know, modernizing your tech stack, pretty massive initiative. Right? So how do you even begin to think through and plan for where to start? And and was it really based on maybe biggest pain points? And what were your biggest pain points? I I mean, I I think I obviously said everything. You have started at the beginning. Right? And and, you know, I'm not a and this is gonna sound a little bit strange coming from a guy who's four years into into a major initiative like this, but I'm not much of a planning person. Right? Like, I I very much believe in, you know, pick your biggest pain point, sort of the the find your North Star, but to find it in a very fuzzy kind of way. And and the mentality here is we know where we wanna be. And for us, that North Star initially was all of our technical operations in the cloud as soon as possible. And that's where we're headed. So let's take that as the first step. And the North Star, I I say keep it fuzzy because I think as soon as it gets to a pinpoint or very much in focus, you need to push it out further and make it a little bit fuzzier. Because tech changes so much and so quickly that I think looking beyond like, I think today, looking beyond a six month horizon, you're getting into very, very hazy ground. You who knows what's gonna happen? So back then, I was saying, like, we we should know very clearly what we're doing for the next twelve months, and we should have a good idea for the following twelve months. And beyond that, we're just going to go with the flow and be ready to change because tech will change as we get there. So so I think you just have to you have to start at the beginning. You have to pick your biggest pain point. For us, the biggest pain point was was literally a s 400. How do we get off a s 400 as quickly as possible? And not because a s 400 is a horrible platform. It's not. I mean, it's it's old, but it runs well. It's fast. It's reliable, but it is old school, and it is hard to connect to, and it is hard to get data on and off of, and it is hard most importantly, hard to secure. So, that was the biggest pain point we had. We also had some legacy tech that was in really, really bad shape from a tech debt perspective that was a problem. So so, you know, I think, at first, identifying those areas, identifying what was gonna replace them, and then getting into gear and going was was the was the starting point. Yeah. I I I feel like everybody feels that pain in terms of not being able to plan out too far. Right? Because it changes the equipment, you're just gonna replan again. So so you have your North Star, you know, kind of what you're getting into. So maybe we can talk a little bit about how you even start thinking through evaluating vendors. Where where to look, like, did you already have kind of a subset of vendors you knew you want to work with? Or what did that process look like? Yeah. I I mean, I think if we're talking about from from the vendors that I would use to replace existing applications, yeah, I very definitely had, you know, a good you know, I I believe, like, you know, I I I went and looked for some of them, some of them I worked with for years and used and had great faith in. So, you know, big companies like Salesforce, Workday, very comfortable going there. For a TMS, which is the lifeblood of a of a of a transportation organization, we didn't have one. Everything everything had been built legacy in house over the over the previous forty, forty five years, so we had to go find that. And we we did. We found a startup, called Mastermind. Mastermind was in the company. Mastermind is a product. So we we we took a bit of a gamble going there because it was a startup, and we were about to put $3,000,000,000 worth of business on that startup. But we we we've done it, and we're still progressing through it, and they've been a fantastic partner. And then when it comes to, you know, everything else, that's where I started to go and look at startups. I love, like, I love the startup ecosystem. I love it for a couple of reasons. Mainly, though, the main reason is because that's where innovation is happening. So what I did was I sorta I went out there and looked for good, resilient, like, startups with with innovation in their blood, good founders who are who are out there, you know, just trying to hustle and get stuff done. And I use those you know, we use those startups to sort of fill the gaps where nobody else was doing some of that work. And luckily, in the logistics space, there's a massive amount of investment coming in. I think Silicon Valley and other VCs and PEs realized the value in in transportation and logistics. So there was a lot of money floating around and still is. So those guys were getting funding. Now from a security standpoint, absolutely, I had companies I'm gonna go work with, Cloudflare being one of them. I mean, I had not used Cloudflare before, but, you know, I I did have I knew some people who worked there. So, you know, I had had a really, really good feeling for the platform and what you guys were about. So when I got here, there was actually conversations going on with CloudFlare, and I just expedited those conversations and got us to a contract signing state and then got going. So that was kind of the the that was the that was the impetus for getting CloudFlare in here. It was just I knew people who had recommended it highly, and I trusted those people. And, my team, when I got here, were ready to open to you guys. Amazing. So starts with the relationship, building the trust, and going from there. So, yeah, I mean, capability wise, was there anything that stood out or was it more so the trust and the people you already knew who were here at CloudFlare? Yeah. I think it's, like, you know, the the key thing you said there was building the relationship and the trust. Right? I I I I love partnerships, and and the legal team are always happy about using that word because we really don't have partnership. But but I love the idea of building a partnership with a with a company, and I don't wanna even call them vendors. So, like, I I'm a customer. Yes. You're the vendor. But what I really wanna have is I'm the customer. You're also you you act like a customer. You act like a part of us. And what I'm looking for is, you know, influence over your product. I want I wanna I wanna partner that listens to us when we talk to you about our about your product and what we need from that product. And I want I want you guys to always be there for us. So when we pick up the phone and we have a problem, there's a resolution, you know, there's some kind of path to resolution, and we can have a conversation, that you listen to us, you take us seriously, and you do something about whatever problem or issue we're having. And then I also feel like the product has to stand up. Right? It has to be a good product, and it has to do and I will say, like, without anyone putting a gun to my head, this this that's exactly what this relationship has been. It's it's it ticks all the boxes for me in terms of what I'm looking for in any vendor and any partnership. Yeah. And I think that's a pretty common message that we hear across the board is, like, hey. No solution is perfect. If something comes up though, we need that flexibility to be able to talk to you, to work with you, to work through it. Right? And as long as you know that you're open to having those conversations and working through those problems, then you feel much better than if everything's rigid and it's just like, no. Sorry. Like, that's beyond what what we're gonna be able to provide to you. So Yeah. And and and I think we talk about it. It doesn't even have to be about the product that's fully built out and fully featured yet. It just has to be that the the, you know, the the basis is there. It's a good product and that there's a path to getting to whatever features and whatever functionality we need in the future. And I almost prefer, and this is why I like the startup community, if if it's not fully built out and we're a customer and we're we're a part a partner with you, then we have some influence on what that product's gonna look like in the future, and that's important to us. Yep. And that input from you is important to us. So it works, it's a mutual benefit. It better be, Justin. It better be. Well, one one last question on this slide. Curious. So, you know, obviously, modernization is is a big endeavor. You kinda found CloudFlare for a specific subset of, of, you know, working through that initiative. So when you start looking at some of our services and and decide to go with us for certain services, like, what was your approach to deploying? How are you thinking about it in terms of kind of ramping up with, the services you were interested in? So I think the first thing for me about deploying and and, honestly, it's I think it's true of anything that you're deploying in the tech world. Right? You gotta and even coming in as a new CIO. Right? What you gotta do is get quick wins. You gotta build confidence, build trust. Right? That's really important. So that kinda hit the low hanging fruit. Like, when, you know, when I came in here as a CIO, there was an awful lot of things that would make the user community an awful lot happier with tech than they had been, and they were relatively easy to do. And what that does is it gets it's a quick win. It it says, hey. You know what? This guy has got the right you know, and his team have got the right idea, and they're starting to make life easier for us. And it's sort of the same thing, especially as I'm coming into a world that is largely on premise and we're moving to a world we're starting to move towards a world that's mostly in the cloud. So, you know, I looked at ways that we could do quick stuff that would build confidence, that would get my team comfortable with the CloudFlare platform and comfortable with you guys as as partners. And, so, you know, when started with domain registration, DNS, because, first of all, they're they're foundational, and you have to have them. They have to be, you know, they have to be they're tied directly to our availability, and they were in a little bit of a mess if I'm truthful when I got here. So that was the first thing we did relatively easy, worked really well, built that confidence I just talked about. We learned on WAF, which again Matt, sorry. Go ahead, Justin. Oh, no. No. I'm just agreeing with you. Like, the the quick wins is so important. Yeah. And and it's and it's important just you know, there's nothing worse than slogging through for four or five or six months on on an implementation and then it's going live and not really working well, which is why I love the incremental approach. Like, start small, start with something that's impactful, but is relatively easy to do, and and it just changes the whole demeanor of the implementation in general. So, I I I've never been a big bang guy, and I think that's one of the worst things you can do. So after domain DNS, we we then did WAF. We SSL, TLS management. We did DDoS protection. We then moved on to PageShield, which, you know, is sort of in deployment even now as we speak. But we also you guys, you know, acquired AreaOne at one at some point in the middle of all of that, and we deployed AreaOne for email security. And I will tell you that was a was a revelation around here. Really, dude, it's a fantastic product, and it just I mean, I to the point where, you know, I had I had part members of the c suite calling me going, like, what the heck did you do to my email? It it the the the volume of email just disappeared overnight. They thought there was something wrong. And so just stuff like that was really again, small wins for that one Yeah. And a and a major impact across the organization. Yeah. And that, you know, that's a that's a great transition into this this next piece about kind of roadblocks of scaling, deprecating older solutions. I'm curious before I get into just, like, understanding a little more of your experience about maybe roadblocks that you encountered because, again, I I think you want those quick wins because if you hit some major roadblocks early on, that just leaves a bad taste in in everyone's mouth. But they're they're sure to come up, you know, and surface in certain areas. But but let me just ask about email security because that that's, you know, such a different, element of security than than what you're doing with WAF and DNS and, how did email security come into the picture? So I wanna start with, you know, I I do this and I kinda you know, I know it kinda irritates people, but I I I have a public service announcement to make. And that is if we could get rid of email today, we should get rid of email today. I I, it's one of those. Like, we all know this. Right? We all know this to be true. It it it's responsible for 95%. I mean, responsible is probably too strong a word, but it is the vector that carries 95% of the attacks that we experience in corporate America every single year, 95% and above. And I I say this all the time. Like, if if we had any other piece of technology that put us at such exposure, and created such a big, big, wide wide open alleyway and vector for for the bad guys to walk into our building. We'd shut it down immediately, but we still leave email up and running. So, unfortunately, it it's how business in America gets done, but I'm slowly, slowly trying to make people realize that there are other ways we don't need email. If we shut it off tomorrow, we'd figure out how to move on. So that's the first thing for me. Like, I I think it's so important to emphasize that that the more we can get people, the more we can we can get rid of that reliance on email and start to to think about using chat tools, about using encrypted channels, about using, you know, file shares, you know, even shared file shares outside of companies. The quicker we do that work and the quicker we get people off sharing attachments and files through emails, the better. So that was my PSA, and I'm gonna I'm gonna keep beating that drum every opportunity I get. Now I, you know, I I appreciate it because I think it's it's funny. You you're absolutely right. The, you know, 90 something percent of all attacks start with a phishing email. And yet Yep. So often, I feel like people just undervalue the amount of exposure that they have in in the email space. And so it's definitely not something to take lightly. I'm glad that you appreciate that. And and I can see why that was one of the top priorities, you know, coming in as you were taking on this big modernization initiative. And and very happy to see that that you enjoy the product as well. I I mean, honestly, if I if I went to my boss and said, hey. I'm going to implement this application, but just be careful. It's responsible for 95% of of of, ransomware attacks in The US last year. He'd say you're out of your mind and fire me. Right? But but we we leave emails sitting here. So we we've all got it as security professionals, we've all got to do a better job of making sure people are so aware of the risks and pushing them to different ways of doing business. And and those ways are out there. Yep. Absolutely agree. Well, let me let me ask you about any roadblocks that that you hit just whether it was initial deployment or even scaling up. What what did you encounter? Whether it's, you know, technical difficulties or even just, I think a lot of times it can be cultural. Right? Like, we're we're creatures of habit, and so sometimes it can be difficult to get people to change their mind on certain things. Yeah. There's no question for me that the biggest roadblock and it's not just it wasn't just here at Werner. It's been at every sort of modernization project I've undertaken and every sort of security project you take. It is culture. Right? It it it it really has to be a change management exercise. I say this all the time. If you gave me the choice at the beginning of a project of this magnitude, if you can have 10 extra developers or 10 extra change management people, I take the change management people every single time. And that's because, literally, the the tech part is relatively easy. And if everyone sat around the table and agreed that this is the way we're gonna do it, I'd I'd deliver the tech in a quarter of the time. But the problem is is that people are resistant to the change. People think about change as a bad thing and not as a good thing, and people are very, very reluctant to do it. So you you have to have that change management capability. I think for me and for my team, you know, it it comes down to how do we, like, how do we get people to think about it differently? And security was no different than that. So we go from, you know, largely perimeter based security, a little bit of knowledge around the fact that, hey. Don't click on links you shouldn't click on. You know, at the time, no two factor authentication. At the time, and, you know, very, very little authentication. No zero trust in the environment at all to go on. Okay. We're gonna move to two factor authentication. We're gonna pull back on email. We're gonna really, really examine it on the way in. We're gonna do some things from a security perspective that make your life a little bit different. And and it took a lot of change management effort. Like, when we moved to two factor authentication, it really was most people, you know, just didn't even think that we would ever do this, and it became this big problem for them. Hey. I gotta tap on something, or I gotta answer an SMS text. And, ultimately, you know, we got through it, but we didn't do a very good job of the change management. So Yeah. We sorta had to we had to work on that. Now with my own team, again, technically, we had people who had been here for quite a few years, very, very smart people, people who were used to a single way of doing things and and the perimeter security and the firewall being on prem and all of the security goes on prem to say, hey. We're moving to a much different method. And again, I had we had to do the change management there too. Now thankfully, we got through that curve, and I ended up with a team that went from being that that sort of on prem centric team to being a cloud centric team. And they they were champions here. They jumped through those hoops. They learned all of this work. I think your I think your product team would say we've given you a ton of feedback. Most of that feedback has come from guys who've been here for years and just made the transition. So I think we did a really good job of it. But I think the main roadblock in any organization on any change of this magnitude is cultural and it is change management. Now when it comes to deprecating your your older solutions, still the same? Is that the biggest roadblock as well, or or were there any kind of, you know, tactical considerations? Like, I I think what you do is you prove that, you know so no. I I honestly, Justin, right now, I don't think what we the only robot we have right now is speed. We just gotta get it done as quickly as possible. I think people are largely over and have accepted the change. I do think that there are things, like, around business outcomes that we talk about that make it better. Like, when you when you have these small wins and you start to show people for example, like, we had a we had a we had a platform here that was homegrown. It was our brokerage platform. And I won't give you the stats on downtime for that platform when I got here, but they weren't they weren't healthy. I know we I know we moved to systems that I honestly, and I'm touching wood right now. I can't remember the last time they were down. So people go from, hey. I'm not gonna have an outage, you know, once or twice or three times a week. You know, so uptime is massive. Like, so now people come in and they know that, you know, 99.999% of the time, when I walk in the door in the morning and log on to a system, it's gonna be up and running. They also know there's better performance. They they do appreciate as much as it take like, when when you know, none of us are perfect from a security perspective, but when they do hear and see about some of the cyberattacks that are happening all of the time, and we haven't experienced one yet. And I keep telling people, you know, it's probably a matter of when, not not not if. Yeah. But we haven't experienced it. So so they do appreciate the extra security. People do appreciate now the fact that we take the effort, the time, the expense to make sure the two factor authentication is up and running, that we have firewalls, that we do examine all inbound emails. So I think they appreciate that in terms of especially when they most people know, you know, friends and family who have been at a company that's had some form of a cyber attack. And, thankfully, we haven't, and hopefully, we won't. But that makes a difference when you can point to all of those things that are a result of the technical CRNE, the migration that we've been on. Yeah. And and you bring up a good point. I think so often it's about setting expectations. You you gotta kinda keep it in front of people because otherwise you forget and not having any incident becomes the new baseline. So Yes. Even if they even if you have one incident over over a great period of time, like, people tend to get unless you're showing them, like, what you're doing and what it's And and it's one of the things we're very open about publicizing the incidents when we do have them because I want people to know that, hey. These are happening all the time. I mean, I you know, people their minds get blown away when I tell them that we ingested 13,000,000,000 events into our SIM, in the last quarter. Like, nobody fathoms that number of of sort of of things that happen on our firewalls, on our security systems that we have to go and examine. So I think that's a big one. Like, right now, I'll be be honest with you. You know, we we've just had some weird stuff go on getting getting hit from on using Okta, like, like, where people are trying to you know, it's it's not brute force path. It's more like password, spirit. Like, they're just trying to get passwords. They're using usernames. And that's been going on for the past seventy two hours. Now we we finally have it shut down, and we've worked with Okta to to shut down that vector. But it's been there, and I'm very open about telling people, hey. For the past seventy two hours, we've been having this happen. We want you to be extra vigilant. And I think, apart some companies I know tend to hide those things and not talk about them. Like like, it's a it's an embarrassment that it happened, whereas I look at it, they say the embarrassment would be if it happened and we didn't know about it and we were shut down. I'm proud of my team that we we we we caught it using tools like CloudFlare. Tools from you guys, we monitor enough to catch it, and when it does happen, we're able to thwart it and we're able to work with our vendors to shut it down. Yeah. I mean, same perspective that we have at CloudFlare, about transparency and and being more open and honest when something does happen versus just not even knowing about it. Right? Yeah. Yeah. It it's it's I I say the same thing, like, when we have vendors and partners who who have their own events, like, tell us about them. We we will have nothing but sympathy and empathy, and we'll actually, in most cases, offer to help. And if we can't help, we will. But the worst thing is not knowing and having, you know, having a partner or even a customer or somebody out there, they're having an event, they're shut down, we have no idea what's going on. That's really, really tough, and it leaves a really, really bad taste in people's mouth. So I'm all for honesty and transparency and and just being very open about what's going on. Couldn't agree more. Alright. So looking ahead, what are your next steps? Well, as you mentioned, you know, big endeavor, multi step process. Where are you at now? Kind of what are you looking forward to next? So I think, our long term goal, is just to get to to a zero trust model across the entire organization. Now for us to do that, we have to finish the the the migration, the application, the the infrastructure migration we've been on for the past number of years, and we're very, very close. We're probably we're at this point seven or eight months away from shutting down most of our legacy systems. And that and that becomes, boy, I'll tell you, we'll have a party that day. But, you know, I I I I I think we'll bring the s 400 and maybe, I don't know, dust it in gas and burn it or something. But, but that's but that's a yeah. A big celebration. But that that's a big day for us, and that's when we can really feel like we have zero for us to implement it where we're you know? And and I used to be one of these guys who thought, you know, security shouldn't be in a position, and it shouldn't get in people's way. And and now I feel exactly the opposite. I used to think that I've gotta like, as we went through security, as I think about zero trust, I give people as much access as is is good for them without without putting you at risk. And now I'm more about you know, I want people to think about security all day every day. And one of the ways to do that is maybe they have to log on multiple times even though, that's not what they want to have. But if I wanna make our HR systems really secure, I might have to make you two factor authenticate onto that platform just even though you you're already two two factor authenticated onto the network. And and I feel like that's one of the things that we wanna do is just, like, create all these micro segments, which we're working on. And and not only do we not do we trust you not trust you in the environment, I don't trust you moving from segment to segment, and I don't trust you when you're within the segment because I might have a micro segment that I asked you to to factor again. And and a part of it is, you know, to get to zero trust, we put an awful lot of effort and work into it, and I wanna make sure that we utilize it fully and don't sorta take shortcuts because of user convenience. I want to be as convenient for users as I can, but I also wanna remind them all the time you've got a you've got a security obligation here too. I also feel like I you know, a part of me, and I said this, quite loudly at a conference I was at about a year ago, I kinda wanna scare people. And and that's not my natural, you know, instinct is to scare people about anything. But when it comes to security, I want you to be a little bit afraid every time you open an email and look at a link, oh, should I click on that link, and what will happen if I click on it and something goes wrong? So I wanna scare people a little bit. So getting to a zero trust model is really important to us because I believe it gets it makes us so much more secure. You know, I think we look ahead, you know, to to Flare your zero trust services. Like, the team are really, really excited. So I think we we have where we wanna go, and we have the tool to get us there. So I'm very excited about that. And then we we look at you guys as as a just a great partner. You know? It's it's it's on my notes in front of me, a strategic enabler. That's exactly what you guys are and have been for us over the past couple of years. So from that regard, I think it's it's the path ahead for us is largely from a security perspective, it's largely driven by by you guys, CloudFlare, and and what products you deliver to us, the ones that you already have, we haven't implemented, and what you're doing, and what your product road map looks like. I love it. And and we obviously appreciate the partnership as well. Just wrapping up here. Last question for you. Any takeaways, any lessons learned you'd like to share with the audience? Maybe if you were to go back and start over again, is there something that you would do differently, that you wanna share with everybody? No. I'm I'm perfect. I I wouldn't do anything differently. Yeah. There's so much I would do. I mean, I think you can boil it to a few things. First of all, is you can't try to boil the ocean. Like, just pick like I said earlier, pick the small wins, pick the easy stuff to do. First of all, it builds credibility for you and your team if if if each each of these wins are are impactful, but they're small and not hard for you to do. Pick the ones that are most impactful, especially to use for user experience in the beginning, and give people a good sense of, hey. Wow. We're doing stuff that's really important here. I think that's important. I think you gotta make it you gotta remember, it is a business conversation. You gotta talk about it as reducing risk. You gotta talk about it as keeping us safe. You gotta talk about, you know, this is the future of the company, and that's what we're trying to protect. But you also have to remember that it is a good customer tool. It is a way to increase reliability. Customers love reliability. Customers love the fact that they can trust that we're doing everything we possibly can to thwart the bad guys. Make partnerships, stop vendor relationships. Like, there's nothing worse than a, especially in this area, right, where you need to trust the people and the company that are giving you the the tech to secure your your company. You you gotta just make sure that we pick the right partners, and I will tell everyone who listens to this, CloudFlare absolutely the right partner. But pick the right partner, make sure that they have the same motivation that you have, and that motivation should be about security in this case. Make sure that they have everything that you're looking for for from a partner, you know, just the ability to to work with you, to treat you like like the partner that you should be, that it's not a transactional thing. I sold you software, and I'm walking out the door, and you won't see me again until the renewal is due. So make sure that they have all of that and that they can scale with you. And and then I I think the last part is never underestimate the change management part of it. Like, it's if you can if you figure out the change management part of it, which I challenge is very, very hard to do, but if you can figure it out, you spend an awful lot of time on that and don't ever shirk that change management piece, the culture piece. The tech takes care of itself. Like, it really does. We we all have good technicians working for us. We have good partners like you to help us along the way. So we'll get the tech figured out. Don't ever, you know, I would spend more time on change management, and we spend an awful lot of time on it. So I think that's probably my my three or four lessons learned. Excellent. Well, I'll just reiterate one last thing before we, we wrap up because I I couldn't agree more on this partnership. I think, we think about it in terms of mutual, mutual goal. Right? We want your success and and to be able to achieve that, it takes a lot of input and feedback from you and us being flexible to to also, be able to take that input and incorporate it into our own thinking, our own process. So, so with that, thank you, Dara. Been a pleasure having you on here. I appreciate you letting me pick your brain for a little bit, and for sharing your journey with with the audience here as well. And, thank you all for joining. Take care. Alright.