Simplifying Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
From Audit to the CISO Seat
A contract clause can change your entire security roadmap overnight, and in healthcare the stakes are higher than most industries want to admit. We sit down with Brian Waltz, longtime healthcare technology leader and former CISO at Cardinal Health, to unpack how cyber risk becomes business risk the moment patient care, diagnostics, or critical operations get disrupted.
We start with Brian’s path from audit to executive security leadership and why an auditor’s skepticism can be a superpower when it’s paired with empathy and clear communication. From there, we dig into governance, risk, and compliance as more than a rearview mirror. Brian shares how he gets leaders to define what a “bad day” looks like, then ties technical threats to financial impact, operational impact, and regulatory exposure so decisions don’t stall in jargon.
Subscribe for more, share this with a security leader or business partner, and leave a review with your biggest takeaway.
🔗 Connect with Us & Get in Touch
Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.
No gatekeeping and no BS. We’re here to simplify.
Official Website: www.revealrisk.com
LinkedIn: https://www.linkedin.com/company/reveal-risk
🤘 Stay Secure with Us
If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates.
Reveal Risk delivers cybersecurity results, not just reports.
Welcome And Guest Intro
SPEAKER_02: Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz. And I'm Cody Rivers. And today we're happy to be here with Brian Waltz, most recently CISO at Cardinal Health. Welcome to the show, Brian. How are you doing today?
SPEAKER_01: Doing well. Pleasure to be here. Appreciate you having me.
SPEAKER_02: Awesome. Well, we like to start off every episode with just getting to know our guests. So we've met you before, but we want our guests to have the chance to meet you. So give us a little bit of an overview of the Brian Waltz story and specifically your journey to CISO and into cyber. I know when we first met, we shared some audit lineage in our history, but give us the quick and dirty.
How Audit Shapes Cyber Leaders
SPEAKER_01: Yeah, absolutely. Appreciate it. So I actually started my career in public accounting, working for EY for the first six years of my career, kind of splitting time between financial and IT audit. And at that point in time, as a typical consultant, I was doing tons of traveling and decided I wanted to get off the road and find something a little bit closer to home. So I moved to Cardinal Health, where I spent probably 22 plus years in that organization, kind of starting in IT audit, but quickly pivoted into IT after a couple of years there. And I think that was kind of the great thing: the opportunity to try different things and move into different areas of the business. And so I moved into a role that was primarily a risk management, compliance, governance type role. So kind of leading our SOX program office, building out some FDA capabilities and things like that. And I did that for about seven years and got to a point where I was just like, I'm tired of telling people what they're doing wrong. I actually want to go build something. And so I did kind of a career pivot, probably spent the next seven to nine years in more traditional IT roles, deploying things like ServiceNow and ITIL capabilities across the organization, doing a stint through infrastructure, and then switched into a couple more business-facing IT roles where I was an IT business partner, helping to build out IT-enabled business strategy, putting together business cases and then executing large projects to help the business move forward. And then probably about six years ago, I got a call from our CISO at the time, who I had worked for in a prior role. And she's like, hey, I'm creating a deputy CISO role. Is that something that you would be interested in? And I said, absolutely, would love to get back into security.
So security has kind of been the bookends of my career so far, but I have absolutely enjoyed my time in it. Oh, that's great.
SPEAKER_02: And yeah, we both shared, when we first met, that kind of early career audit background. And I know for me it was formative to kind of understand internal controls and both the process side as well as the technical side of controls. What impact did audit have in kind of shaping you as a cyber leader and specifically as an IT practitioner as well?
SPEAKER_01: Well, I think first and foremost, right, like just being skeptical, right? And it's not that you're just the negative Nancy, right? But I think you've got to have that view on everything as you kind of do your work, right? Understanding the what-could-go-wrongs. And I think that's very much the same way it is with security, right? You're always looking for those holes that could be breached in your security posture, and it's kind of like layering layers of Swiss cheese on top of each other to make sure that you've got enough layers to close those holes and make sure that you're in good shape to protect the business.
GRC As A Forward Tool
SPEAKER_00: Yeah, awesome. Well, I have a question kind of going from the audit, and I think of GRC as kind of a resurging topic in a lot of cyber programs, but looking at yourself with two decades of perspective at one of the world's largest companies, you've seen GRC evolve. So is GRC finally becoming the GPS that tells us where to spend our next dollar, or are we still just using it as a rearview mirror?
SPEAKER_01: Yeah, I mean, I think it is about how you look forward on there too. And I think cyber has a bigger seat at the table than we've ever had before, right? And the opportunity to help influence the business, right? And it's been interesting to kind of see, you know, nobody was really talking about cyber as a risk. Then it started to show up on enterprise risk management lists out there. But then when you start to dig into it and pull the layers back and ask the business, like, what are you most concerned about? They're like, I don't know. I read a lot about it in the newspapers and I see stuff online, and I know it's a risk to the business, right? So that's when you really have to start to kind of peel those layers of the onion back and start to dig in and understand, well, are you concerned about operational disruption, right? Are you concerned about data loss, et cetera? And so I think those have been very rich discussions to really help them understand how we view cyber risk and making sure that they understand it's not just the CISO or the CIO that owns it, right? Like it is a collaborative discussion and collaborative ownership around those risks, right? Because we may have a part in the remediation or the mitigation step that we put in place, but part of that could also be on the business as well with continuity plans or diversifying their supplier base and things like that. So while you can always learn from history, I do view it more as, how do you move the business forward and manage that risk for them?
Why Healthcare Cyber Hits Hard
SPEAKER_02: Yeah. So two decades in healthcare, and I was on the pharmaceutical side, you're on the payer healthcare side for the two decades. What, for you, makes human health and healthcare unique in cyber? And why did you choose, for two decades, to focus on that sector?
SPEAKER_01: I think for me, it's just more of a personal thing, right? Like the mission of healthcare, right, to help people get better, is very personal to me. And I always kind of put myself in that seat, no matter what role I was in, right? And I think just even going back to my time in infrastructure, I led our enterprise database team, right? 7,000 plus databases. And nobody gives you a lot of kudos when things go well, but when that thing goes down, right, like you're hearing lots of noise about it. And I remember one time we had a pretty major outage on one of our key systems in our nuclear pharmacy business, and it ended up stopping us getting prescriptions out to a particular hospital to run diagnostic tests, right? And so they ended up having to send some patients home who couldn't get those diagnostic tests, right? And so you kind of just step back and say, that could have been me, could have been one of my family members, right? And you just don't ever want that to happen again. Same thing with security, right? Clearly you don't want to have any disruptions or data loss in there that could negatively impact those patients and their families, right? And so you take that mission very personally. I think that's what kept me at Cardinal as long as I was there.
Turning Risk Into Business Terms
SPEAKER_02: That's awesome. Talk to me about translating risk into business language. And obviously, with GRC, a lot of the art of it is in how you tell the story and communicate things to non-technical audiences. For you, one, how did you form those skills as you were coming up in your career? And two, do you have examples of where the way that you communicated something made the difference of whether an initiative moved forward or it didn't?
HITRUST Contract That Escalated Fast
SPEAKER_01: Yeah, I think it's difficult. Some of those conversations are very difficult, right? Trying to be able to translate a very technical topic into something that they can really understand. But I think, as I mentioned before, just starting to ask the question around like, hey, help me understand what a bad day looks like for you. Is it your systems are down for a period of time? Is it a file with patient information in it getting exfiltrated? Is that what you're most concerned about, right? And just helping them understand what are the regulatory and compliance risks associated with that, but then also like, what does that process look like, right? Like if you were to have a major incident like that, you've got to spend some time to help them understand that and translate that risk into something that's more business oriented. Numbers talk, right? So making sure they understand what is the financial and operational impact of that, I think, is usually beneficial to doing as well. I think in terms of, you know, maybe stories or instances of us having conversations with the business, one that kind of comes to mind from a GRC perspective was, you know, we had a business unit that was getting close to signing a contract with a pretty major customer for them. And as they engaged the security team, we were looking at some of the contractual language and understood that the customer was requiring HITRUST compliance, right, within a period of two years. Now, for anybody that's gone through that, it is a pretty lengthy and time-consuming process to be able to do that. You know, not only understanding what the current state looks like, but then also remediation that you need to do, going through the certification process. And so they were in a hurry to get this contract signed, and we kind of just said, hey, time out. One, this is a big deal.
So you need to understand and recognize the investment that you need to make to satisfy this contractual requirement, but also recognize that this customer is also one of our largest customers, or the largest customer, in another business unit of the organization. So whatever decision you make impacts those folks as well. And so while we were kind of operating at the senior management level of that one particular organization, it got escalated all the way up to our CEO and CFO before we made that decision on whether we were going to invest the money and then move forward with the contract as it was. And we ended up doing that and got the support we needed to get that HITRUST certification in place. But again, it is really about making sure you've got collaboration across the business to surface those risks and make sure that you're making some educated decisions.
SPEAKER_02: That's awesome. I love that you had that business area where you guys were at the table reviewing the contracts, calling that out early. We've had examples of clients and people within our networks where the business has made a decision on a contract and they've found out about it afterwards, and sometimes with a lag in the time period that they had given them to make it down that journey. So maybe give us a little bit more about the decision process. You probably had HITRUST: is it going to be for the entire company end to end? Is it specific to that business unit? Is it only for that specific client? So how did you walk through scope to get it to the right size to be both effective and scalable?
SPEAKER_01: Yeah, I think as we kind of walked through that, that request or that requirement wasn't coming up in any of our other contracts with that customer. So we kind of just made the decision early on, we're gonna really just focus on certification for that one business unit. And then to your point, it was a matter of then talking through, well, from a system impact, what are the applications we want to bring in scope for that too? And so we tried to take a minimalist approach to that to say, hey, what are the items that the customer cares about and the data they care about? And let's make sure that we use that as kind of how we orient the scoping for that. So we ultimately determined that we could leverage that to our advantage, right? Like I think as we kind of made that determination of, you know, HITRUST certification, yes or no, it's like, hey, this could be a market differentiator for us if we're kind of first to market with this. And so we can use that as we go out and try and win additional business. So that's kind of how we viewed it, is like, you know, that would be available for any potential future client out there. But the one thing I would say, and you kind of brought it up, is like you definitely don't want to get notified of these situations after the contract's been signed. So like that collaboration across the business, across procurement and legal, is extremely important. And I think, if nothing else, like you're looking out for each other's best interests to say, hey, you know, I saw something coming down the pipe that's got some privacy concerns around it. Let me make sure I get our head of enterprise privacy engaged in this to at least understand, do they know, are they aware of this particular contract and piece of business that we're trying to sign off on? And so I think that was extremely important for us in that situation.
SPEAKER_00: Well, and leaning into this HITRUST thing, say it's a yes, but you know, we know HITRUST is the Iron Man of security certifications. But if a company, for our listeners, is just starting out that journey because a contract requires it, what's the one mistake they make in the first 90 days that costs them the most later, from your experience?
SPEAKER_01: I think scoping could be that, right? Because again, it's not only the kind of pre-assessment you need to do to understand, like, hey, are my controls good or bad? And where do I need to go take some remediation steps, right? If you don't scope that right, you could be creating a bunch of work that doesn't add a ton of value to that certification or doesn't need to be part of it, right? So I do think that's an important part of it, is taking your time to kind of put a ring fence around what you're gonna go and certify out there, at least, you know, based on our experience.
Board Level Shift To Resilience
SPEAKER_00: Yep, yep. And I think too, kind of changing here a little bit, the resilience versus security mindset. You know, you've mentioned that cyber attacks in healthcare aren't just IT issues, they're patient safety issues. But when you're talking to the board about cyber resiliency, how do you shift the conversation away from preventing breaches to surviving them without losing the trust of the customer?
Disaster Recovery Ownership And Grading
SPEAKER_01: Well, I think honestly, like we spent a lot of time with our sales team too, as they were engaging with customers on some of this stuff. And it even got to a point where we participated in some of their resiliency exercises as well to kind of talk about like, hey, if we were down, what would you guys do? And vice versa. Like, how would we partner together? So I think that's an important part of it as well. But in terms of talking to the board and the executive leadership team around that, one of the things that I had done early in my tenure as a CISO there is we had brought an external speaker into our board. And the message she delivered to them was like, it's not a matter of if but when a cyber event happens. Like you can't expect Brian and the CIO at the time to prevent every single incident out there, right? So it's about how quickly do you understand what's going on and stop the attack, but then obviously recover if some of your systems are impacted. And so I think it was good orientation for the board to understand that. And then I think you've got to put some programs in place to help measure the maturity of your resiliency program out there. And so, kind of within the scope of my remit, I owned all of the disaster recovery planning and things like that and crisis management. And so a lot of what that team did was working with the business to understand what are the critical systems. And I think that's probably the most important thing, is to understand that everything isn't created equal, right? Because if everything's a priority in that situation, nothing's a priority. And so we really had to spend a lot of time kind of going through the business impact assessment and understanding, you know, critical processes for the businesses and then what systems support them and making sure we could weave that into the plan.
And then from there, it's about understanding what types of recovery plans do you have in place, how frequently are you testing them? Clearly, something that's more critical, you want to test it more frequently and understand that you could go and execute in some kind of a disaster scenario. And then, you know, making sure that you're scorecarding that and reporting that out to the business. And like one of the things that I thought was kind of genius from my team was starting to look at it more from like a letter grade, right? And so everybody understands what's an A, a B, a C, and a D, right? Like we've all been in school, and so we understand that. And so they started to kind of put that lens on it for our internal leadership team to understand it too and to really drive action. Because in a less mature organization or program, you're probably doing a lot of heavy lifting for those teams, right? They don't understand how to write good DR plans and what all the components need to be. And so we did a lot of that hand-holding for them. And we did a lot of that like fingers on the keyboard as they were executing tests in their non-production environment. And we kind of got to the point where we said, hey, listen, if we have a major incident, it's all hands on deck. Like our team can't support thousands of applications being recovered, right? And so you've got to understand your own plan, you've got to be able to execute it, and you should be able to execute it in your production environment. And so we created kind of a formula to help measure each of those steps in the maturity journey around resiliency for those teams. And then we would scorecard it and put that in front of the leadership team on a quarterly basis. And it's always interesting to see, like, you know, it's a very competitive culture there. Like, people don't like C's and D's associated with their name, right?
So that tended to drive action for them and help improve the current state for those.
SPEAKER_02: Yeah, so what you're talking about, we see at a lot of companies where the cyber team or risk management owns business continuity planning. And what you hope that means is you own coordination, but the true business leaders are the ones that are going to need to run those functions when IT is down in a major crisis or cyber attack or whatever. But there's still a lot of the central ownership where everyone's having it done for them. And it sounds like in your story, you knew that that wouldn't scale and you needed to both, one, federate the ownership to the true leader that should be responsible, but then, two, put a measurement system in place to gamify or give them some drive to not be that C. Is there any other kind of tips along the way for when you transition from the former state to the future state? How did you get that ownership shift to happen?
SPEAKER_01: Well, I think part of that is making it part of folks' performance goals. And so we didn't necessarily describe like, hey, you've got to have an A for all your critical systems, but we kind of looked at it just overall like a percentage maturity, and we kind of said, hey, you need to improve X percent over the course of this next fiscal year. And so we tried to drive it into performance goals, which obviously is tied to compensation and your year-end performance review. And so that tended to get the action that we needed in those particular scenarios.
SPEAKER_00: And what about times, let's see, when you had to be the bad guy? Let's say, you know, you had told a business not to sign a contract because X requirements were a bridge too far. Give us that. How did that go? I'm sure that wasn't a message what we're seeing, but how do you kind of handle that conversation when the answer is, we shouldn't do this?
When Security Has To Say No
SPEAKER_01: Yeah, I would say there are very few times that we've had to go there. And it's not easy, right? But I think one, you've got to build trust with those folks in the business too, so they understand like you are doing this in the best interest of the organization. It's gonna create problems down the road if we go and enter into this agreement. And so we kind of just take a very factual view of like, hey, we did a third-party risk assessment, and we did have one vendor in particular that we kind of said, hey, this is a no-go for us. And so we kind of just laid it out and said, hey, we had X number of criteria, let's say 20 criteria that we evaluated them on. They passed on 10 and they failed on 10. And this is why these 10 matter for you, right? And you know, based on maybe the HIPAA data that you're putting into this application, right? There's a high chance that there could be some kind of a breach at the vendor. And obviously that has a major impact on us as a healthcare organization. So again, it was just coming to the table with some data points to have that conversation with the business. And I think they understood, and quite honestly, they were prepared with two or three other alternatives that worked for them and they were able to move forward with it. So it wasn't like we stopped the project, but, you know, maybe it wasn't the exact vendor that they wanted. Sure, sure.
Career Advice: Get Uncomfortable
SPEAKER_00: Good, great, excellent answer. So, like, very seasoned executive answer there. So now, like you get a phone call to the Brian of 20 years ago, you know, about to start his career and kind of get going. What's a couple of nuggets of advice you're giving yourself, you know, that, hey, I didn't know then that I can tell you now? So what's the Brian of now telling the Brian of then?
SPEAKER_01: This is a great question. And I think for me, you know, knowing I spent the first six years of my career in public accounting and then the first couple at Cardinal in audit, it was like, be uncomfortable, right? Like push yourself outside of your comfort zone, right? Because after I moved out of audit, I was still doing risk and compliance stuff, right? So I was still the auditor, I had my auditor hat on, trying to find problems and, you know, get people to care about it and go do something. And it wasn't until I made that transition into the more traditional IT roles that I felt like I really started growing as a leader. And it was because I was being put in situations where I wasn't the expert and I had to rely on a lot of other really smart people to do their jobs to make the team successful. And so, like I'll never forget when I was approached about the database role there, and I had a conversation with my VP at the time, and I was like, dude, the last time I looked at a database, I was in college, right? So I have no idea how to manage people who've been doing this for 20 plus years. And, you know, what he told me was like, the issues, the challenges they have are more around lack of process, morale of the team, and those kinds of things, which you're really strong at. And so view it as a compliment to that team that you can help them get through that and get to a better end state. And so, you know, I took that as a challenge. But then I also had to kind of just roll up my sleeves and spend a lot of time on phone calls at night, you know, where we were having outages, to understand their world, right? And to be able to not know it, but know how to ask the right questions and maybe challenge them to think differently.
And so I probably grew more in those three years, and like it was a long time to be in that role, as a meat grinder, but I probably learned more about myself and my leadership capabilities doing that than if I had just stuck in that audit type of role for three more years. I don't know that I would have necessarily been on the same trajectory from a career perspective.
The Real Balance For CISOs
SPEAKER_02: Yeah. There's a lot of debate in the industry, and it's usually technical leaders debating, that a CISO must have worked in a SOC and reverse engineered malware. And then there's another faction that would be like, that's been the model for decades. Like, business, you know, we need people that can talk in boardrooms. And obviously the answer is somewhere in the middle. But given your experience and kind of what you've seen work well, what is that right balance? And kind of similar to your reason why I thought to ask this question, like your leader for the database team was like, we're not looking for a 20-year database leader, we're looking for someone that can lead teams and help to have the right conversations to get barriers reduced.
SPEAKER_01: Yeah, I mean, it's a great question. You know, I think part of what I tried to do is just establish trust with those people too, right? I think that's an important part of going into those kinds of situations, is making sure you establish trust. They understand you've got their best interests at heart, you're gonna listen, you're gonna learn, you're gonna try and understand the challenges that they have on a daily basis. And I think about when I went into the deputy CISO role, that was, I would say, more operational. So again, I may not have had the experience as a leader of a security operations center or, you know, application security or whatever, but I had managed teams that they worked with on a daily basis, right? Like clearly one of the key teams that we work with in security is infrastructure. Application security teams are working with the app teams to make sure they're writing better, more secure code, right? And so I had led those teams and understood how to work with them and maybe what types of messages would help resonate with them, right? So I think it's really just trying to make sure your team understands, like, hey, here's what I bring to the table that I can help you to be successful here. It's not necessarily, to your point, that I know how to reverse engineer malware. We've got lots of really smart people that do that, but it's helping to understand what does that mean for the business if something bad happens, or what if malware gets loaded on a laptop, like what does that mean? What are we going to expect them to do in those particular situations?
And I think maybe that's what I learned having spent time in those traditional IT roles, is I've been on the other side of the table from those or helped with an incident investigation and could translate, you know, what's the impact to the business, or be there to have that conversation with the business of, hey, we've got a problem. Here's what we need to do to go resolve this, right? And so again, you've got to build that trust ahead of time so that it makes those decisions and those conversations a little bit easier. So hopefully that answered your question there.
Cleveland Fandom And Favorite Travel
SPEAKER_02: Oh, that's awesome. One last question before we go. We'll make it a fun one. What is one thing that most people, maybe they didn't even work with you, don't know about you, that you want to unveil? I didn't prep you for this question, but what's that one fun fact or surprising thing?
SPEAKER_01: Oh my gosh. One surprising thing. Dude, I'm boring, man. Like everybody asks you.
SPEAKER_00: You could be like, you can juggle, man. You know, who knows? Think of that.
SPEAKER_01: Yeah, I don't, yeah, I can't juggle. Unfortunately, I'm a Cleveland sports fan, so that's not fun. Like, that's pretty much misery. 360. But you're committed. I don't know that I'm committed.
SPEAKER_02: You've built resilience though over the years.
SPEAKER_01: And that's what my wife says all the time, like, hey, why did you raise your kids to be Cleveland sports fans? Look at how miserable you are. I was like, it helps you build resiliency, like you learn how to deal with disappointment. There's lots of good life lessons to be learned rooting for those types of sports teams. But, yeah, like golf, travel, all those kinds of fun things.
SPEAKER_00: But favorite vacation or favorite travel location?
SPEAKER_01: Oh gosh. Well, we did a big family vacation to Europe last year to celebrate our son's high school graduation and a couple other milestones we had in the family. So it was the whole Clark Griswold vacation with the five-page itinerary, and so we hit it all, pretty much the same cities they were in too.
Final Takeaways And Thanks
SPEAKER_02: So very cool. Well, awesome. Thanks, Brian, for coming on the show today. It's been great to get to know you a little bit better. And hopefully we talked about some topics that revealed some answers and options for people that are facing some similar challenge, like the HITRUST or compliance level thing, or trying to get business ownership from their resiliency program or BCP program. Appreciate you coming on. Yeah, appreciate it. Thanks for having me. Thanks, Brian.