Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog. 

For this webinar, John Dillard, ThreatSwitch Founder and CEO steps out of his usual “moderator” role and is our featured speaker.

John has spent 20+ years of his career in security and intelligence. He’s a recognized speaker on security insider threat and counterintelligence topics. 

Our purpose is to highlight some of the findings of our annual industrial security survey which wrapped up in December.

(For reference, we polled 230 experts, 4 membership organizations, 17 industries, and designated 5 size classes.)

Make sure you check out the full webinar here for a LOT more information! (You can also read the transcript below.)

Here are five of the most interesting findings from the survey. 

1. Top threats are phishing and spills  

This concern was among the top two or three in last year’s survey, but this year it outpaced other responses for the security professionals who participated.

Interestingly, insider threat and espionage didn’t even make the top five, which is a little worrisome. Several reasons may explain why, including a simple overuse of the word, or the fact that all of the issues and concerns are insider related.

2.  Size drives perspective 

The following are some interesting comparisons between the way large and small companies answered the survey question:

• 53% of large companies vs 23% of small companies say insiders are a top threat
• 42% of large companies vs 22% of small companies list supply chain disruptions as a top threat
• 16% of large companies vs 4% of small companies say their security budget will decrease in 2022

3. CMMC uncertainty affects budgets 

Far fewer experts expect CMMC to see additional spending, but it’s still near the top of the budget: 74% in 2021 vs 46% in 2022.

Everyone expected to spend money on it last year. In fact, the poll was happening during the switch, which means that number could be even lower now.

4. Government is (still) the problem 

The community overwhelmingly sees regulator confusion as the #1 obstacle to security program success. (It actually got worse compared to last year!)

Perhaps the most troubling aspect is that it’s a problem that’s largely out of our control yet has a massive effect on if we can do the right thing.

5. Software spending over audits

In 2021, 80% of respondents expected to spend more on audits. That dropped to 29% for 2022, which may be attributed to CMMC’s shifting status.

Full Webinar Transcript

John Brooke: hey good afternoon everybody on the east coast on the west coast good morning thanks so much for joining us today for the top five findings from the Industrial security benchmark survey webinar my name is john brooke i'm the head of sales here threats which threats which software helps enterprises manage Security compliance with obligations like cmc this palm and nist while reducing the cost and the risk from complying with those obligations.

Before we get started i'd like to run through just a few housekeeping items first again, thank you for your interest in today's topic and today's webinar.

we're happy to have you here with us, we do this, frequently and we'd love to have you join us for future events as well if you'd like to ask a question at a point during the webinar.

Please submit the question by the question and answer the Q amp a functionality down at the bottom will address those towards the end of the presentation.

We got a fair amount of ground to cover today, so if we're not able to answer your question directly during the during the webinar.

We will follow up with a response afterwards and one reminder one further reminder this webinar is being recorded and the recording and a copy of all the slide materials that are presented.

will be shared with everyone who signed up for the webinar or attended following the conclusion of the event so with that i'd like to introduce our speaker today we're going to kind of do a Q amp a fireside chat without the fire.

i'd like to introduce john dillard he's the founder and CEO of threats which john spent over 20 years of his career in security and intelligence.

he's recognized author and speaker on security insider threat and counterintelligence topics, and you know, look forward to hearing from john take it away.

John Dillard: Thanks john appreciate, many of you are used to seeing me in the in the moderators chair for these things.

But this is a survey that threats which conducted itself, so I get to be yes, this is very exciting on thanks for moderating john brooke on as many of you know we conduct an annual industrial security survey which wrapped up in December and the reports being prepared now and the purpose of today is really for me to share.

Some of the key findings five specifically that we thought were interesting that tease what's going to be in the full report which will be able to get your hands on in early February.

And and just give you a sense of of the kind of indicators that we think are of note.

You know, in many cases it's it's findings that we're a little contract or expectations, based on what we saw last year.

So it's pretty neat so that some some things about the report on this is a survey of 230 experts.

Are our survey focused it wasn't like a broad, open survey, we really targeted people who know what they are doing and really lean heavily on the membership basis of insight.

In cms nda and assets, so the folks who responded were a various levels from analysts to senior executives a few a few sea sea level folks as well that.

 Are in organizations all over those for membership organizations as well, some others that we can fix so.

That was pretty good representing 17 different industries so pretty pretty broad coverage everything from some healthcare.

To the you know the usual suspects in aerospace and Defense so a lot of interesting different kinds of perspectives and five distinct size classes, which do make a difference, so we break our

Questions down by the size of the company in terms of both the number of employees, as well as The revenue size of the company and that yield some pretty different results, as you might expect some in some in some pretty obvious good ways so i'm in some a little frightening way.

Which we'll talk about so i'm really, really good results this year we're excited about what we found so i'm just going to jump right into this and then i'll pause after each one and let john brooke ask any questions or highlight any from the audience potentially So the first thing that we you know with the first question, the surveys is, what do you worry about what are the threats or risks that you're most concerned with.

On and to some extent, this was pretty straightforward, we saw fishing, which was also in the top two or three last year.

outpacing the other responses, a lot of these are sabo related so you know really the top the top four in particular.

 And number five all have to do, specifically with attacks on you know the the IT infrastructure or applications or or.

Environment of the companies that we pulled remote employees being The one exception, and I think the thing is interesting about this one.

Is that insider threat and state sponsored activity really didn't explicitly make the list now granted, you could have malware ransomware attributable to a nation state actor or espionage, but.

That one was not in the top five, which I thought was a little bit interesting so yeah that's that's number one job.

John Brooke: yeah no That was my observation is there was no Of course I think Russia had some troops on the border with Ukraine at that time the survey was going on.

But nothing about you know those nation states being a threat, the other interesting thing I saw you might want to expand on is is the remote employees i'm.

Trying to recall from last year, whether that was is a concern or it's the same concern or or it's now being thought of as just kind of business as usual.

John Dillard: I think it's starting to shift, I mean last year I was, I was number two in our list so it was very important, and I think that there's a certain amount of expectation that that is getting normal.

And you know that there were some distinctions on size here, I think, large large companies have higher expectation of risk of employees.

than smaller companies do, possibly because a lot of the smaller companies were already operating remotely we're at least partially remotely or their IT infrastructure is not nearly as complex.

And you literally know everybody's name and a small company which it's a little bit different than when you know when you're managing a workforce of 10s of thousands and you're not entirely sure where they are.

So I think that it was shifting in the data, but I think you know if that trend continues to be interesting to see if it starts to fall out of a top concern.

In the 2023 survey so that was my thing, but the the nation state when worries me a little bit because you know.

From you know, I have the luxury of sitting in your answers search string policy reform Council I get threat briefings.

A little bit more regularly than the average bear and I kind of know what some of these characters are up to on it, you know it's reemerging as a certainly a top threat.

From the government's perspective on you know what companies should be worried about and it's a little it's a little concerning that it's not front of mine for the folks who respond to the survey so that's not yeah.

John Brooke: yeah and one more before we leave this one, why do you think insider threat wasn't wasn't in the top five.

John Dillard: You know, I have a theory on this, that that word is so overused.

And that you know, really, you have to ask the question because it's the insider threats important it has dedicated you know policy associated with it, but really all of these things, to some extent, or an insider threat problem right all.

John Dillard: True so.

 You know I think some of it, and I think there are a number of folks out there who you know, even when he was coming out a sort of the signature.

From in the security community there's a little bit I rolling because, like within that what we are already worried about is just you know we weren't good enough at it and that's why we have these problems.

But all of them are inside are related in many cases like even the cyber ones, you know if you think about fishing and malware and ran some winter and spills.

 Usually there's an insider involve either winning or unwitting, so I think that's part of it is a recognition that insider threats, whatever the latest thing underneath the surface.

John Brooke: yeah and i'll just say you know, Richard just posted a comment in the chat for everybody, and that he kind of mirrored that that response so yeah it's it's it's the threats are our DEMO fine wrap up in those areas you're identifying so thanks Richard for that yep.

John Dillard: On this, the second one that I thought was interesting is how different perspectives from big company to small company where and when I say big company i'm generally talking about.

John Dillard: companies that have more than 5000 employees, small companies less than 500 and you know and how that distinction plays out, you know I mentioned the insider threat issue, so you know large companies.

John Dillard: Have it listed in their top five small companies don't now is that because it's small company you literally know susie Bob Ray Jimmy.

John Brooke: You know.

John Dillard: Laura you literally know who those folks are and there's an intimacy that perhaps cause you not to worry about it very much which.

I think is possibly unwise, because a lot of insider threat is one wing So even if laura's the best person ever she could still be compromised unintentionally unwittingly.

But large companies are far more focused on insider insider threat and supply chains, the same sort of thing.

This one is a little bit you know predictable, in some ways, we would expect large companies, because they are, in fact, in many cases, managing the supply chain, they are the ones who are managing the so contractors.

On interestingly, though I think small companies actually bear a lot of the burden of participating in the security management of those and that they have to.

adapt to a variety of different problem contractors supply chain security requirements so on, it was interesting to me how different the priority level was on supply chain, and the one that.

I thought was a little little worrisome I guess is that is that the word i'd use small companies, nothing there but security budgets are shrinking it all that we didn't see an F now I should say okay i've got this.

Everybody expects security budgets to increase on average that's what the survey said.

You know that, so, in fact, you know it most on a factor of three I think three times more people said there would be a significant increase in security budgets and said that there will be a decrease so.

On balance, people see their security, which is increasing, but 16% of large companies expect a decrease in their security budget this year.

which, given the threat environment, the additional compliance obligations that we have whether that's an s or C M and C.

c three whatever whatever driving it that one's a head scratcher for me i'm struggling to know how that's possible small companies didn't say that at all so just an interesting segue yeah.

John Brooke: I got a question for you on the supply chain stuff do you think the the smaller companies do you think they view themselves as part of the supply chain of the large companies, or is it.

Or is it you know they're they're not thinking in that manner or did we get enough in the data to kind of answer that question.

John Dillard: um I don't think we got enough into the data to find out why which I would love to know, but I think you may be right that they don't perceive themselves as part of a supply chain.

 or it could be that that's not a vocabulary they think of right when they're I mean where you know, even though certainly you know a lot of regulators talk about supply chain and security, all the time, solar winds was you know.

Everybody should heard that story already on that you know vulnerabilities down in the supply chain can make a big big difference To two companies throughout it, not just the one at the top on, so I think that's part of it is they don't use the supply chain vernacular, which is a training, education.

right on in seeing themselves as part of an ecosystem is something that maybe comes naturally to large companies, because they have to manage it from a business perspective.

 On small companies don't think of it that way, on the security side because they don't really think about it that way, on the business side either so that's that's my hunch.

 But yeah we we unsubstantiated by data just I should say.

John Brooke: that's fine yeah they you know opinions are okay, and this thing, but some of them are supported by data one other thing on the budgets to any other any other interesting nuggets on budgets and if we're going to cover it, you can say we're going to cover it later.

John Dillard: I mean, there are a couple of I mean Overall, I think, the one thing is that there's.

John Dillard: far stronger indication of security budget increases and then i'll talk a little bit more about what they expect to be spending money on here in a second so great nuggets there.

One of those speaking of is cmc and now cmc last year, everybody expected to spend money on cnbc I said and then this 74% of the companies we pulled for the.

report indicated, they expected cmc to be consuming more time and resources, which was not terribly surprising that number of fell, all the way to 46%.

And that was before I should say this poll was going on, when they announced the shift from the old team MC MC MC.

So if we did it again, I might expect it to fall further, and you know, I think that what's what's going on here on is that companies, you know, in addition to the shift of of what the what the actual requirements are going to be.

 A lot of companies realized that even if they wanted to get audited this year or in 22 or, for that matter in 23 you're not gonna be able to find ways.

They can want to spend money on.

cmc but it's kind of hard to plan anything when you know it's just not realistic to be able to deploy those budgets.

And so we saw you know see why staying in a top position, in fact, it was pretty critical and they're spending was.

And in terms of what regulatory frameworks, they expect to be spending time on, but this was a big deal, I thought.

You know, he would hold steady but it felt like quite a bit now that's still they still expect to be spending more money on it, then they did the prior years but it's not the overwhelming favorite that it was last year.

John Brooke: yeah but that we've seen that just anecdotally and in the market in sales team we caught the cmc exhale everybody's kind of.

You know they don't they didn't have to they'll have to deal with it as much, I mean it's still going to be there and they're still requirements and they're still you know penalties for deviation but it's not it's not the hair on fire issue, it was.

In 2021 so then yeah accent.

John Dillard: yeah and I think you know when you when the company started getting their heads around seed three.

and see why, in particular, I think they realized that there was very little chance that cmc was going to out outpaced those two topics for attention and time and money so and I mean, then the broadest sense it's also about.

Not necessarily what you're throwing money at it's also about how many people and how many hours are dedicated to working that part of the compliance problem so yeah.

i'm fourth one this one, I think, was notable that didn't change.

 Last year we ask people what's your biggest obstacles security program success and everybody said the government's clarity on regulatory frameworks was driving him nuts and that did not change.

at all in fact it got a little bit worse on that you know, I think that most people if you pull this out of there right, which I think is an important observation, if you pulled the regulator clarity and confusion.

Out of out of the mix, you know I think we would be talking about employee engagement and organizational and cultural stuff which I think is a heck of a lot more interesting for a lot of folks.

In a problem they can really sink their teeth into, whereas the government clarity that I think the thing that's particularly maddening about it is that it is largely outside of our control.

But it has a massive effect on whether we can do the right things so that was that was key and you know I think you know, in terms of that number last year.

You know, we pull it again looking for you know necessarily for it to you know go away because.

The government's always going to irritate us because we're the regulators are going to irritate us a little bit, but it shouldn't be the biggest problem.

 On you know, I think, and maybe that ought to be the goal for regulators is you know not your biggest problem you know we're always gonna be problem, but if we can not be number one then we're doing a good job, and right now, they are far away number one.

John Brooke: So if we do you know death taxes and government, you know clarity, being the Constance.

Last year did the number to change, you know organizational silos and employee participation seem to be the the you know if you pull out the one that everybody said yes to those seem to be the one and two are they was that different last.

year was a little shift actually do a little bit of a shift last year, we saw more people saying internal support and security culture.

John Dillard: as being a problem we saw this year so employee participation being really you know pulling out government right the employee participation, which I think tells us that.

Something that I think that you know john you and I talk about this, all the time, is that the that.

The thing that's weird about security regulation and security obligations when it comes to this bomb as emc certainly.

Public trust ci there are a lot of obligations for the individual employees not security team.

But for individual people to go do things whether that's fill out a form or follow a process or board something they're supposed to report.

Or you know provide some piece of information or take an action that the security or team needs to take on that's the number one.

it's it's it's holding people in security programs back so solving that part of the equation could go a long way.

In working on what we can control right, which you know other than working with great people like your hundred sims and in this back and.

You know the seam MCA be to try to give them feedback, which I know we all do, on which is a good thing to continue doing.

That you know largely you know there's not a lot we can do about you know, whatever is going on in the policy making circles so i'm focusing on this employee participation thing seems like something that we really can put a dent in in our companies, so I might take away.

John Brooke: that's great any any.

organizational silos is I don't remember that one from last year's.

John Dillard: yeah I know that will come up a good bit too, I mean they're definitely it's interesting that it's related it's kind of a soft.

yeah it's a soft thing you know and organizations that you know have and we see this all the time that again anecdotally.

You know the way security and compliance is managed in companies it's a little bit hard and you have a security team.

Sometimes you also have a compliance team, you have the individual contracts and the program managers who have specific obligations to fulfill certain tasks sometimes there's a bunch of it stuff.

Really, the all these regulations that really falls to the CFO or CIO.

00:22:28.560 --> 00:22:39.810

And so, coordinating those activities is I think frustrating for a lot of blackhawks and that, I think, is what you know, especially as a lot of these regulations become not they're not just cyber right.

They they're not just personal security, they are all of those things simultaneously and they overlap in ways that cause a lot of organizational conflict inside of companies, especially bigger ones.

So one thing I haven't actually looked at this slice, but one that will be the full report is, you know the big companies see this differently, I mean.

The big companies in particular have pain and organizational silos and I would I would hypothesize that they do that that's particularly probably.

John Brooke: yeah and you know the employees are the program right it's not something that the company, you know is is doing on its own it's reliant on those employees.

to manage the the security and risk posture that they are are advertising to their customers as as part of the reason that they should do business with with that particular contractor so yeah.

John Dillard: That makes a lot of sense good and number five spending another another spending one on, I think the thing that changed from last year, a lot of folks last year thought they spend money on third party.

yeah and I think you know when you when the company started getting their heads around seed three and see why, in particular, I think they realized that there was very little chance that cmc was going to out outpaced those two topics for attention and time and money so and I mean, then the broadest sense it's also about.

Not necessarily what you're throwing money at it's also about how many people and how many hours are dedicated to working that part of the compliance problem so yeah.

i'm fourth one this one, I think, was notable that didn't change.

Last year we ask people what's your biggest obstacles security program success and everybody said the government's clarity on regulatory frameworks was driving him nuts and that did not change.

at all in fact it got a little bit worse on that you know, I think that most people if you pull this out of there right, which I think is an important observation, if you pulled the regulator clarity and confusion.

Out of out of the mix, you know I think we would be talking about employee engagement and organizational and cultural stuff which I think is a heck of a lot more interesting for a lot of folks.

John Dillard: In a problem they can really sink their teeth into, whereas the government clarity that I think the thing that's particularly maddening about it is that it is largely outside of our control.

But it has a massive effect on whether we can do the right things so that was that was key and you know I think you know, in terms of that number last year.

You know, we pull it again looking for you know necessarily for it to you know go away because.

The government's always going to irritate us because we're the regulators are going to irritate us a little bit, but it shouldn't be the biggest problem.

On you know, I think, and maybe that ought to be the goal for regulators is you know not your biggest problem you know we're always gonna be problem, but if we can not be number one then we're doing a good job, and right now, they are far away number one.

John Brooke: So if we do you know death taxes and government, you know clarity, being the Constance.

Last year did the number to change, you know organizational silos and employee participation seem to be the the you know if you pull out the one that everybody said yes to those seem to be the one and two are they was that different last

John Dillard: year was a little shift actually do a little bit of a shift last year, we saw more people saying internal support and security culture.

 as being a problem we saw this year so employee participation being really you know pulling out government right the employee participation, which I think tells us that.

 Something that I think that you know john you and I talk about this, all the time, is that the that.

The thing that's weird about security regulation and security obligations when it comes to this bomb as emc certainly.

Public trust ci there are a lot of obligations for the individual employees not security team.

But for individual people to go do things whether that's fill out a form or follow a process or board something they're supposed to report.

Or you know provide some piece of information or take an action that the security or team needs to take on that's the number one.

it's it's it's holding people in security programs back so solving that part of the equation could go a long way.

In working on what we can control right, which you know other than working with great people like your hundred sims and in this back and.

You know the seam MCA be to try to give them feedback, which I know we all do, on which is a good thing to continue doing.

That you know largely you know there's not a lot we can do about you know, whatever is going on in the policy making circles so i'm focusing on this employee participation thing seems like something that we really can put a dent in in our companies, so I might take away.

John Brooke: that's great any any.

 organizational silos is I don't remember that one from last year's.

John Dillard: yeah I know that will come up a good bit too, I mean they're definitely it's interesting that it's related it's kind of a soft.

yeah it's a soft thing you know and organizations that you know have and we see this all the time that again anecdotally.

You know the way security and compliance is managed in companies it's a little bit hard and you have a security team.

Sometimes you also have a compliance team, you have the individual contracts and the program managers who have specific obligations to fulfill certain tasks sometimes there's a bunch of it stuff.

Really, the all these regulations that really falls to the CFO or CIO.

And so, coordinating those activities is I think frustrating for a lot of blackhawks and that, I think, is what you know, especially as a lot of these regulations become not they're not just cyber right.

They they're not just personal security, they are all of those things simultaneously and they overlap in ways that cause a lot of organizational conflict inside of companies, especially bigger ones.

So one thing I haven't actually looked at this slice, but one that will be the full report is, you know the big companies see this differently, I mean.

The big companies in particular have pain and organizational silos and I would I would hypothesize that they do that that's particularly probably.

John Brooke: yeah and you know the employees are the program right it's not something that the company, you know is is doing on its own it's reliant on those employees.

to manage the the security and risk posture that they are are advertising to their customers as as part of the reason that they should do business with with that particular contractor so yeah.

John Dillard: That makes a lot of sense good and number five spending another another spending one on, I think the thing that changed from last year, a lot of folks last year thought they spend money on third party.

 And, which is great which can't find an auditor it's gonna be really hard to do.

I mean, I know that they were approving some but there's just the backlog i'm sure they were staring a massive one of the day, so I think that was a big shift is a third party is just right way down the list.

of spending priorities for 22 and software was at the top of the list last year too, so it's not that's not new it's just a little bit amplified because third party on the team way way down.

You don't see it necessarily see a ton of headcount or outsourced services spending growth.

But you know, certainly on compliance and other software, I think there are really a couple different categories that some of these fall into.

Some there's a security compliance software component and then there's you know and other software component which you know.

In many cases, relates to how you're managing these regulations, like key management physical asset management, you know detection tools, there are a lot of things that I think we have to deploy the only be compliant and then spending is going to continue to grow there.

John Brooke: that's good any any I can't also can't recall if we if we you know kind of lined out the software and other.

Any any particular items that that stood out more than others.

John Dillard: Well, we break it into two very intentional buckets in the survey and one of them.

You know you have sort of the what I would call you know sniffing tools right there, they are tools software tools intended to do a specific thing usually related to a cyber problem right.

On and you know that's an entire class of software that doesn't really have anything to do with the management of compliance obligations in general.

And then the other category, has to do more with compliance workflow management.

and tools to basically help you manage the security program notwithstanding all of the you know the backups different kind of tools that you might deploy.

 Both of those were about the same in terms of the percentage that expected growth so very comparable, which I think is interesting that you know there's a recognition that both of those are discrete problems that have to be solved, and you can't necessarily do one without the other.

John Brooke: Well, and if you're doing all the sniffing, as you said.

That that's designed to identify the potential anomalies that then have to be treated by.

 Introducing right yeah So do I rely on other software tools to do that.

Or do I just pitch it over the fence to some people, and hope they can do it with with whatever process, they have place.

John Dillard: yeah Those are the two pieces.

Every.

John Brooke: Great.

John Dillard: So um that's a teaser we want to keep this pretty short on and i've covered the five top takeaways here, and you know and john I know you'll mention the full report release here but there's a lot more in here that is interesting had to had to stop.

But the flow report, I think, will be definitely worth a read we're we're pretty pleased with some of the things that we learned picked up as we were conducting and so on, that is, the just good.

John Brooke: So, before we start questions, I do have some questions from from the attendees and I appreciate that.

we're going to we conduct a poll on every one of these webinars.

Since we are in the security compliance software space it's always nice to see that that's a.

Big spending line item for the for the industry, but with That being said, if you want to learn more about threats which, if you take a couple of seconds here i'll count it down.

To you know just let us know we will will stop the poll here in a.

: couple of seconds we'll we'll be glad to follow up with you and.

All right, I think that's long enough.

Alright, so let's get to the questions I have one here from Matthew he asked how do you increase industry internal accountability, why does industry always have to wait till the government comes in and regulates them.

self regulation is preferred, but when it doesn't happen, the government has to step in to protect the consumer or the customer, in order for themselves right because they're the customer.

john you want to take a swing.

John Dillard: You know, when we didn't ask that question specifically I think um what you see is the Government knows something, and what I what is obvious in this in the results of the survey.

Is you know, the government has a hammer, that they can use and wherever they point that hammer is what industry will tend to spend money and time on.

Now that might be misplaced and we probably shouldn't be doing those things, but I think what's clear having conducted these surveys and others like them is that.

You know as much as we want the carrot to be the thing that drives behavior it's usually the stick and so you know the government's got a big stick.

They cannot pay us on contracts and if they want us to do something like you know, make sure that we're keeping track of all of our crypto keys.

There you know they send us a regulation that says, you have to do that and and the vast majority of us may do it, I think the The thing that I would point out and i'm not necessarily in favor of more regulation of not.

But in the complex supply chain environment where you only need one supply chain participant to fail.

 For something terrible to happen it doesn't so everybody, and you know you look at something like the F 35 program which is literally 10s of thousands of suppliers.

And it's not a matter of whether you know the best ones are well behaved and they're doing the right things and they're self regulating it's the one that doesn't they create a vulnerability that can infect the whole thing on so and and that's just the I think that that's the challenge.

 You know the government's got to step in and protect for that, for that reason it's I mean, I think the problems have it a huge role to play, or two in their you know their reputation is on the line, as much as the government is so I that's my take.

John Brooke: yeah you know the other thing i'll just add on that you know the folks we speak with on a regular basis as as i've said many times we've never.

interacted with an overstaffed or ever funded Security Department and that some of that, I think, has to do with the view of security from within organizations in a lot of situations so.

there's no payback for internal account you know internal accountability necessarily so it's you know do do the bare minimum and.

The great thing about the folks that are on this call and others that that we speak with on a weekly basis, I mean they're doing all they can with what they have you know in front of them they're they're MacGyver in my in my world so.

yeah they're also had a couple of great points in the chat.

You know, Richard again mentioned after a you know, an observation by by Lawrence in the chat that a lot of the budgetary increases don't necessarily show up under.

FSA budgets right so even a lot of those security tools, the cyber tools, you were to sniffers.

You were talking about are going to show up in an IT budget that isn't necessarily under the control of the ssl.

And you know, most of these you know, things are a team Sport also right so that's not necessarily the episode it's going to be responsible for all of it a lot of times it's it's it's gathering the the rest of the organizational pieces, in order to make things happen.

John Dillard: yeah and the way we asked them budget questions typically we try to drive them towards organizational spending as opposed to just what's in your jobs or.

And you know the FSA certainly work portion of the respondents here but they're quite diverse actually so we added a lot of it people to.

In terms of general you know affects it so you know, hopefully, some of that spending patterns stuff that just other departments would show up.

Elsewhere, and still be reflected in the budget data and the other thing that I think you know.

I think is interesting, other than physical security, which I think is often those are a capital expenditures, you know, to build a wall.

I think that's a little bit different but that's generally not we're talking about here, most of the software and IT expenses.

On that that you know that we see, at least in our customers are recurring like there aren't a whole lot of i'm going to go spend a million dollars on this this year and then.

You know if that's it then the tail is like only 10% of that is usually not nearly so dramatic so i'm not sure that we know, but I think it's a really good question and and finding out what the breakdown is some of those are just beyond the scope of what we're really asking the survey

John Brooke: Great great yeah, then you know, Lord said a nice.

follow up in the chat section, you know the Government gave industry, the opportunity to do it themselves, and unfortunately.

Industry failed so the the.

You know the regulations.

John Dillard: I mean.

I mean yeah reality guys's business 101 71.

It was pretty loosely you see.

 At least we could tell and that you know cmc was certainly a reaction to tighten that up so yeah.

John Brooke: Right JESSICA rabbit right oh i'm not bad, I was just drawn that way.

yeah yeah and I think you just answered Scott had a question here about delineation between cyber physical.

I think you just answered that one as.

John Dillard: Far yeah I mean we we looked at, I mean certainly the categories that we ask the questions and Scott were you know there were.

Even more granular than that there were a variety of different cyber specific questions several physical several personnel some couple calm SEC.

So it covers the gamut of problem sets I do think you know, in terms of just the accounting complexity cyber continues to be

The most them, you know at least it's the most broken out, at least in our survey, but they kind of matches our industry thinks about a two.

On whereas you know personal security, I mean there are three or four things involved in that, but it's not nearly as diverse as the cyber problem but yeah we did bring some of that stuff down and that'll be in the full report.

John Brooke: All right, that's it that's all I see on the question front, I can't Thank you guys enough for asking them, and you know.

Now we want to tell you about the full report it's going to be available on February 7 again you're going to get a copy of these slides so you can click there to pre register to go get it and.

You know, we look forward to you, taking advantage of it that that thing was extremely valuable last year to other customers as as well as others in the industry.

We were we're honestly surprised it with the citations that the thing got and i'm sure this one will do the same will continue doing this because we love.

We love seeing the differences year over year, and you know the participation was just fabulous so I look forward to you guys download the thing and to your feedback.

John Dillard: thanks for having us.

John Brooke: yep take care, have a great rest of the week.