Episode 296 Deep Dive: Vishwanath Nair | Emergence of IT/ Cyber Leaders as Trusted Advisors and Business Value Creators

[00:00:00] Speaker A: When does it get involved? What role does it play? Is it due diligence, is it gap assessment, is it addressing the gaps or is it taking to the designing the future of the emerged environment? So there are multiple phases that will be there and then understanding who plays a role at what point is crucial. [00:00:22] Speaker B: This is kvk. So the primary target for ransomware campaigns. [00:00:28] Speaker A: Security and testing and performance scalability, risk. [00:00:30] Speaker C: And compliance automatically take that data and use it. Joining me today is Vishwanath Nair, more commonly known as Vish, head of cyber risk and compliance from Baptist Care. And today we're discussing the partnership between IT and the business. So Vish, thanks for joining and welcome. [00:00:50] Speaker A: Thanks for having me, Carissa. It's fabulous being here. [00:00:53] Speaker C: Okay, so before we jumped on we did say it was about a year or so ago that we probably spoke and then things happen and then, you know, you get sort of caught up in delivery of certain things. So I think that I want to get into that a little bit later on the delivery side. But what's your view on where the partnership between IT and business would stand at the moment? Now depends on who you ask, but I'm really keen to hear your thoughts. [00:01:17] Speaker A: Absolutely. This is a very good question. Now personally I feel that we are in a very, very crucial phase in the industrial revolution. I feel that we've been business and it had never been closer. And there are three factors in my mind which I think determine this. One is the number of digital transformation exercises happening across organizations. It is someone sometimes leading some of those initiatives as well. So that's one aspect. Data is considered as the fuel for the business operations now and not something that's a byproduct. So it's essential for IT and business to understand and value that data appropriately. And third, the proliferation of the AI tools in the market. These three factors together I think ensure that it works very closely with the business, is aligned to the strategy and goals and sort of partner and drive sometimes the outcomes for the business. The other aspect also is that many of the customers, current and future customers, are very tech savvy. So they are used to using the devices and everything else. So the mode of operations for the business and the way we do business has to adapt to that. And if it is in a different tangent, it will not serve this purpose. I think these are some of the aspects that I feel leads this close partnership. One very crucial thought that I have is none of these are compliance led or forced due to some regulations. That tells me that this is more longer term relationship that we are developing and compliance and governance frameworks would then adapt themselves to adapt to adopt this kind of a new thinking. So I'm feeling very positive at this point of time. [00:02:54] Speaker C: Do you think historically, I mean, in my experience there seems to be be a little bit of animosity between IT security and then the business. What do you think's changed over the years? [00:03:05] Speaker A: I would put it other way. It is the lack of trust which has been causing this gap. I feel predominantly because I business is made of people, human beings after all. Human beings know are we comfortable doing what they've been doing and if someone comes and challenges them or poses questions which changes the way that they operate, they would always have the first line of asset defense going up. And the trust becomes a difficult aspect at this point of time. So what happens generally is that you have the shadow it's across the business where business runs its own IT. And this leads to a immensely highest trend for the organization. There's a complete lack of standardization, the operational overheads are extremely high. And these things have been happening for long. I think the things that's changed is. I would suggest one of the aspects that's helped in this transformation is that the regulations in a way have helped that because the regulations have asked the measurements to be such that the business and IIT have a consistent view of what is being measured. So that's helped a lot. There's been a lot of cross pollination between business and it. From a personal perspective, you have lots of business people, leaders coming to IT and starting to lead the changes and vice versa as well. I also feel that the way that business is operating these days with more dependence of it. For example, if I look at it from a financial industry perspective, there's very less requirement of visiting a branch to get an operations done. So everything can be done using your devices and your applications. That's because the business and IT has worked together such that the business outcomes are delivered using those services and also helps the environmental goals. So I think there's been lots of changes happening and driving slowly these discussions forward. At the end of the day, it's the bottom line for the organization that matters. So any decisions, any actions that both IT and business take, which is helping the bottom line would go longer. I think this has been driving these changes in my view. [00:05:09] Speaker C: So going back to your trust comment, so you were saying originally or historically there was a lack of trust. Do you still think that there is somewhat a lack of trust there now? Only because of things like constantly going wrong or there's breaches or the thing is that people get frustrated because, you know, there's a lot of friction that's introduced around oh, you know, MFA and everything like that. It's annoying for certain employees, employees as they see it as an additional thing that they've got to do. So do you think that maybe there is trust and the. It's still there, but it's sort of like people's perception of security has changed. So maybe the trust is there. Maybe now people are feeling more annoyed because they feel like they're slowed down a lot. [00:05:50] Speaker A: Yes, of course that is a matter. But as I said, going back, going back to the initial statement that I meant, business is driven by people, by human beings. So every human being have that different thresholds for accepting change. With the threats landscape changing so constantly, the security controls are also trying to keep abreast with those changes. This obviously introduces a huge amount of disruption in the way that people operate. So adoption of technologies such as multi factor authentication or deciding what applications they could use on their devices and whom to call at what point of time and all those kinds of restrictions do come in. And it all depends on how these changes are being communicated. The changes are required to operate in the current threat scenario to ensure that the organization is sustainable and is able to go forward with its goal. So the changes are required, but the way that it is communicated, modularized and sort of you show the benefits of these changes rather than the impact of these changes is something that needs to be required. Now the best way that cyber professionals do this is obviously try to link your work profile and your personal profile. So when your messaging changes for multi factor authentication, you try to liken it to the impact that cyber impact would have on your personal life. And you try to say that okay, you don't want to lose your personal information. You would need to protect the information that you are managing at your workplace. So bringing in a different way of communicating, working with them, co designing it and collaborating. I think the changes is the best way forward. And this is not going to stop because the threat landscape is going to change. There will be more fatigue introduced by the existing technology which will be replaced by something else in the future. So there has to be this constant discussion, technology teams and the business users. And as I said, it has to be co designed. The way forward has to be co designed. [00:07:45] Speaker C: So you said before how the changes are communicated. So given your position and your experience, can you walk through perhaps not an ideal way of communicating and then the other side of that, a more ideal way of communicating. Because what I've often seen in the space is people say, oh, you know, it's how we communicate. But do you have any sort of examples that you can share? [00:08:05] Speaker A: Each organization needs to do some budgeting for the course for IT controls and, and show why you're spending this fund. The other aspect is we also need to show how the returns on investment are being achieved. So we have lots of reporting going back to the business showing what we're doing with that funding. But this discussion generally don't really gel well with the organizations because the business has a different view of what's happening, what's required, and the IT might not be getting to that view at all. So the ways that I have personally tried out in the past, some of the tips that I would suggest is one is rather than view it, viewing it as an application or a system, we need to start looking at it as a service that is being rendered. So what that means is the IT service is part of the business service and there's always an upstream and a downstream impact of that service. When you are looking at as a service as a customer or sets of customers, or it has some suppliers and service providers. So you're sort of expanding the ecosystem by looking at it as just an application, you're not having that view at all. So when you're designing something as you're implementing a change, for example, you're not considering the impact that's happening outside that application. But if you look at as a service, you are having much more broader impact. You know, okay, if I make this change here, it will impact a set of customers who are not using this application the way that they're supposed to. And so I need to address that separately. The support that I have at the IT service desk might not be catered to the way that we are rendering that service. So the support has to change. And third parties, obviously this is a very big factor. Understanding how the suppliers impact the change and also adopt the change is also going to be a major factor. So as I said, viewing IT and designing it as a service is something that would be very, very, very beneficial. The second aspect that I've tried a lot is that IT and business, they have, they're always operating at their own positions in a way. So that's a concept called as when you're designing something, you need to look at from the balcony view and the dance floor view. So basically have multiple inputs coming in. So what I had used in the past was I used to take the cross section of The IT representatives to business operational areas and let the business talk about what happens on a day to day basis in the business operation areas, irrespective of what, what systems or applications or whatever they use. So this gives the IT representatives much better idea of what that black box that is supporting does for the business. So that's the understanding increases. And also from for the business, it gives a better view of what are the different teams in IT who are involved in providing the service back to them. And so getting this discussion together is very, very useful. And that's how the partnership works. This has been tried and tested and works. IT generally assists those organizations which are very operational in nature. So I think these are some of the things that I've been, I would, I would suggest doing and I've tried it out. It might not work every time, but I think most of the times this should work. [00:11:08] Speaker C: But going back to the communication side of things. So in terms like is there, is there language that perhaps that people should be avoiding? I know that, you know, even in my experience of working in the field historically, maybe people said things a little brash or people communicated things that they didn't mean to, so their intention was there, but it just came across probably the wrong way. So is there anything that really stands out for you that people maybe don't even realize that they're doing? And then also what are some of the things that you think people are doing? Well, in terms of communicating the value. [00:11:41] Speaker A: Of this, that's very interesting thing. Now, for example, when we are reporting cyber hygiene to the business general KPIs that we report are the incidents that we have had or number of phishing attempts that's gone or the security awareness sessions that the teams have attended. These don't really mean much to the organization, to the business stakeholders. I think what we need to do is understand what's required. So for example, if I'm talking about awareness, my KPI that I'm measuring and communicating is how many times in the past reporting month has a business individual assisted us in preventing an incident from happening by highlighting near misses or phishing attempts. So this is a very good measure of showing how it is working in the organization and how the. And that's a very good ROI as well. If I'm looking at just incidents, rather than showing the number of attempts that's happened to the perimeter, I would rather show how many of those have translated into a formal attack and how many of them were prevented in time. So that shows how the investments that we have put into the teams and the technology is working together as a unit. I think the definition of KPIs and reporting is one of the most difficult challenge that cyber leader or an IT executive has because it has to be subjective and not objective. So we need to understand the subject that the people that we are reporting it to, we need to understand who's what. That frame of mind is so changing the reporting is very, very key. The other aspect that I would say is engagement plan. So we need to ensure that we have the right communication going be it. For example, if you have a cyber uplift project happening and we need to update the business appropriately, it is essential to understand what are the acceptable means of accepting the information for business. So giving a one way presentation, showing where we were and where we are going to be is might not really gel in that case. So I have employed things such as attending team meetings, removing presentation materials entirely, just showing, putting people in front and talking about it. Or I get industry experts come and talk about what's happening in the industry and sort of give a view of how we are benchmarked against them. And that's what the executives really like to know. I think what's required is a bit of thinking outside the box of how the communications should happen, which is very, very key. And it has to be contextual, it has to be concise and it has to be clear. I think otherwise we lose the game completely and we lose the stakeholder numbers. It's a never ending thing and I don't think anyone has the right solution for it. Everyone has to develop their own ways of doing it. [00:14:29] Speaker C: So when you say clear, would you say at times people in this space can get very detailed very quickly and then people seem to get lost about what this person's talking about. I've seen that happen a lot. Is that what you mean by clear? [00:14:41] Speaker A: Yes. So for example, clarity in what we are trying to talk about showing a dashboard of, from the, I don't know, from the SoC for example might not really mean anything. We need to show what it really has meant to the business. We also need to be sure that it is not confusing the business a lot. So basically it has to be consistent in the way that we are showing. If we are showing putting our messages across in one way for this month and changing it entirely in the next month, it's not going to help you at all. The other aspect is that we have to link it with set that we are addressing so that gives a clarity of thought. We are showing why we are doing it and it's clear. So business is understanding why we are doing this and not to a technical control. That language is not going to help at all. Linking it to business threats, linking it to the business risks that are facing, the benchmarking against the industry standards. I think these are the things that we need. Also avoiding technical jargons and we are very accustomed to using acronyms where to stop using the short form. You use the entire terms in effect. I mean, sometimes I just avoid using the technology terms and the technology names completely. I just say what the, what the control is doing. So rather than telling, I'm using an XDR which the business doesn't understand, I'll say that I'm using something to protect that information and the endpoint data, the device that we are having. So change the language, make it more understandable. It's a very easy thing to say, but it's extremely difficult to implement in navia. [00:16:12] Speaker C: So then in terms of everything that you discussed, which is important, right. How would you advise then to build a closer working relationship? Because as you said, there's a lot of things going on, a lot of new projects, you know, people are, the business is very, very heavily involved with IT and security professionals, even more so than before. But is there anything else that you would sort of add that people can build on with the business? [00:16:36] Speaker A: I think what the business would really like to have is a platform where business and IT partners can sit together and discuss on what's happening now and in the future. So having that seamless interactions and the platform which is enabling that seamless interaction is very, very essential. That's, that's the number one thing that I would say. Second thing that I would mention is bi directional transparency and continuous assurance that we are working together. So both parties need to be very open in the way that they're discussing. So if there's any hidden aspects, such as there's some technology that's coming up in the future which we don't want to talk about right now, but that can impact the business. It's not the right way of starting. So rather than doing that, just understand and be upfront. These are the things that you want to do in the future. This can impact you this way and it can also help you in such a way. So this, that's something that we could do. The other thing that I think we should be very conscious of is that business needs an early warning system. So how do we work on that together? How do we identify what can go wrong, what has gone wrong in the industry in the past. And how can that factor into your discussions and your future plans? I think that's very, very crucial for them. I mean all of us have that issue of being in the silo and working in a rep. We tend to ignore what's happening outside. Getting that view into our discussions is very essential. We also need to ensure what are the minimum baseline controls which are non negotiable so that we cannot go ahead and implement something in the business or start thinking of something without having this minimum baseline controls. This ensures that you have sufficient and necessary controls and security in place. When we are doing launching into an activity, I think that is all about the engagement model. Engaging the right teams at the right time with the right information will only then can we have the right outcomes. [00:18:32] Speaker C: So you said engaging the right teams at the right time. How does someone know if they're at the right time? Is there any sort of indicators or. [00:18:40] Speaker A: It depends on the process. For example, if you're doing an M and a merger and acquisition example. So the merger and acquisition starts off with the business goal of expanding, having organic growth. So in this case, how do we, how do we know which parties need to be engaged? So this means that there should be a view of what are the different services and the service organization in our organization which can help us in this discussion. So having a clear view of the existing catalog of services is essential and understanding how those services would impact my M and A activity is going to be essential. So when you're planning the life cycle of the M and A, we know which team has to be involved at what time. We also need to have clear measurements in place so that we understand that this engagement is working effectively. And the goal is obviously to have a seamless way of ensuring that the M and A goes ahead while we consider all the risks and plan for it and manage it and meets the timeline for the business. Because the M and A as an example is always time bound. If you don't do it in time, it doesn't serve the purpose. So getting all the teams required aligned at the right time. So when does it get involved? What role does it play? Is it due diligence? Is it gap assessment? Is it addressing the gaps or is it taking to the designing the future of the emerged environment so there are multiple phases that will be there and then understanding who plays a role at what point point is crucial. We might not get it right always. So there will be a trial and error involved in this. But then documenting those learnings and then ensuring the next Attempt more correctly is the only way forward. But having that engagement plan to start off with gives an understanding of how do we approach a particular activity or a problem. [00:20:29] Speaker C: So Vish, it sounds to me what you're saying that you obviously very well organized and very method methodical and a lot of planning is involved to do some of these things. I would say there are definitely people out there who are not. So how do you sort of approach people that perhaps haven't been as methodical or they had literally a couple of hours before they've got to start quite a heavy project because they've been directed to and they're scrambling. Do you see that a lot? And then if so, how can people manage that more effectively? Because in a perfect world these, these things are really amazing to do. But what about in an imperfect world, worlds? [00:21:04] Speaker A: I mean to get to the perfect world, it started with an imperfect world. So it's all this fine tuning and learning and improving that's required that continuous learning, continuous improvement is essential. So I'm not saying that all of my projects have been so well planned. There have been instances where we have to do something immediately. So we need to prioritize. We need to look at what. What are my tactical goals versus what are my strategic goals and how do I marry them together. That is essential. We need to look at what are the key risks that we are managing. How do we address that first, for example, operations are always. And security operations are a key aspect. So how do we address that? We have the adequate protection for the organization while we are doing a project. Any uplift, ensuring that as a high priority and then everything else could be done. We still have some more breathing space to sort the things out. Which also ensures that I can always revisit my operations in the the future. Once I have managed the rest of the activities, I can go back to the initial one and then fine tune it, make it better so that I have a longer term solution or a service. So everything is a continuous improvement. Everything has to have a feedback mechanism. If you stop learning and accepting what you're from your learns from your mistakes, I think that's when the organization stops and the individuals also stops growing. I don't think there are many organization because I mean it is human nature to keep on improving himself or herself. So I think it is not something that is very difficult to adopt. But it is just that reluctance to change that sometimes come in which we have to overcome. And only way of doing this is if you have a good leader, good mentor, someone who can who can share their thoughts with you, Never be afraid of asking questions, never be afraid of doing a mistake. I think that's one of the. So if you can, if the, the fear of failure is always the issue. So if you can fail fast and learn from that and recover is the best thing to do. I have failed in many of my projects in the past, but then obviously I'll need to go back, understand what I've done and then improve so that next time I don't do the same mistake. I think it's a, it's a never ending cycle, just keep on improving ourselves every day. [00:23:15] Speaker C: So going back to the feedback mechanism, so I have a question around that now. I get a lot of industry events as you know, and sometimes you'll ask me for feedback, but then sometimes I don't know if they like the feedback. So how do you set it up where you want people to give you feedback but then people can't necessarily be offended by the feedback. How do you find that balance? Because then like you said, if you don't have the feedback, you can't get better. But then equally you may not get the feedback that you are hoping for and people may be critical or negative. So how do you balance that out from a team perspective? [00:23:50] Speaker A: It's an interesting one and I think the one thing that has worked for me in the past and I continue doing that, is having that 360 degree feedback. So rather than having seeking feedback from someone who we know will be giving us good feedback, let's go and be a bit more brave and ask feedback from someone who's not worked with us quite well in the past. So that will help us identify what, say what are the gaps. Taking it outside your team for a change, going to your, your supplier partners, your business stakeholders and asking them on the feedback is something that I have done in the past. The thing that we can't enforce is we can't enforce someone accepting our feedback. That's something that individual has to do. But if you have you, if you have providing a mechanism of, of sharing open feedback. The other aspect is also we don't need to enforce, just seek the feedback for that, just for that purpose. It has to be, there has to be intent behind it. So that's something that an individual also needs to learn. So I have always gone outside my HR system and asked, sought for feedback and I keep it outside the HR system because sometimes HR systems might not have that kind of mechanism. So I use it for my own personal improvement and I would rather put the outcomes into the HR system as a measure. So we need to work that way. Sometimes people might not give us feedback or might just delay seeking. So that's something that you need to understand as well. So either you stop asking feedback from such persons in the future or just have an open discussion on why they can't provide the feedback. So I think it's all about being open and engaging and having a conversation. [00:25:26] Speaker C: Okay, so now I want to sort of slightly shift gears for a moment. So you say you can achieve better business outcomes by driving better service delivery. So I want to get into this because I want to understand how or what are the mechanisms for that and what does this sort of look like in your eyes? [00:25:45] Speaker A: I worked in an airline industry earlier, and in my view that's one of the best industries for an individual to work in, simply because you have an opportunity to work with the customers directly and the actions that you do has a direct impact on the outcomes. So if I take the baggage systems in the airline industry, none of the airline would give 100% KPI or assurance that your baggage would follow you when you're traveling. That's not possible always. You would always have lost baggage issues. The intent is always obviously to have that at a very minimal, as minimal as possible. So if the intent is to say if the target is 80% of baggage traveling with the passenger, how do I ensure that I'm not going beyond 80 or going below 80 or I'm improving that? So for that to happen, what needs to happen is that the business service delivery teams and the IT teams, which is supporting that business service, as I said, going back to the previous discussion of viewing it as a business service and not as an application or a system, work together and identify what are the areas where there might be single points of failures or there might be latency coming in, and how do we try together to measure and manage that? So for example, if there is one server which is doing the scheduling of people who are working on the baggage systems or handling baggage handling systems, how that server going down can impact the entire row string of the other team. So that is not nothing to do with the baggage system at all, but the people who are managing that system. So how do I ensure that that component, which is a single server, doesn't cause a disruption? So we plan for resiliency for that and everything else. So this drives the funding discussions to a much more effective level and then the service delivery impact is directly improved and at the end of the day, your customer is more happy. So I Think this is just an example, but each industry would have their own unique way of doing it. I took the airline experience because all of us are directly can feel it, can understand and can relate to it. And this is something that I've worked on personally, so I know that this works. So it's all about getting understanding the entire business flow, understanding what the different components are, the dependencies are and how do I remove or manage the risks around those dependencies to ensure that this delivery is not impacted. [00:28:06] Speaker C: So just on that note, I've interviewed people in the past Vish and they've said that there are some security people out there that they've experienced in their career that when they're speaking to other security people in the team that they can't explain how the business makes money, for example. So does that sort of leads into the business flow. So do you think that there's people out there that doesn't understand how their business makes money? They should probably understand that in terms of a better service delivery. But it also gives a holistic view, like you said, on the, on the business flow. Have you experienced that as well? Because like you said, sometimes people do operate in silos, right. And sometimes things can be missed because it's a big corporation and you sort of feel like a cog in the wheel. You can't really see things moving as substantially perhaps. So have you seen that before? [00:28:54] Speaker A: Oh yes, I have seen it multiple occasions Now I think it's more the mature organizations which have realized this and then put these business flows into onto paper and have this co designed with the different teams. Now there are always these chances where as I mentioned, if you make a change to a particular system, we don't foresee the impact of that to all, all the stakeholders or the all the users that you have. For example, if you're making a change to a telephony system, but we have not understood whether the contact center for a location a which is not operational always has the same kind of an impact. How do I change that? Or we have not seen that and factored that into the change. The other aspect is when you are making flywall changes to our systems to talk to another system through the firewall, we don't really look at what are the information that is going through, how is it, is it really relevant for it to go through. So we need to get that. There's been always incidents where we open the firewall ports, but we find that there's more than required information being shared across systems. This has higher impact to the organization. So I think it's essential to document what their outcomes is. Now there are multiple ways of looking at it. There is a school of thought which says that we need to have the sort of a line of sight. So what mechanism, so basically what changes you're bringing in? How is it impacting to the final outcome of the, of the service or of the business? That has to be documented and analyzed. It all goes back to the level of data that we have accumulating. What is the analytics. We are going behind it, understanding what the impact of the dependencies between the upstream and downstream processes are. Again going back to the airline. The airlines have something that's called as T minus 180. So what they do is for T is the time of departure for any flight. And so they have documented activities to be done by different teams to 180 minutes prior to that departure. So you understand that you have a better understanding of what can go wrong and at what time and how do we have redundancy built in so that the departure of the flight which is of paramount importance to the airline is not impacted. What I've done in the past is if I'm rolling out patches to the, to the airline's service, I mean check in systems at the, at the airport we always do it alternate systems so we don't take the service out completely. So the way that you're designing the network could be then having an alternate paths for each of these checking desks which, which ensures that you are not impacting the departure of services. So these are some thoughts that has to go in. Again, it, it takes an incident for sometimes to teach you the right way of doing it. But then there are other ways to sit together, collaborate and co design the entire architecture and the system flow. [00:31:45] Speaker C: So then lastly, I really want to understand more about. You know, you said you've got some simple tips on how to partner between the, you know, the business and IT and how they can work better. What are they? [00:31:56] Speaker A: This is something that I spoke about earlier. First step I would say is view it as a service and not an application. So have a broader view of what, what's happening. And it's not only for it, it's also the business. Business also needs to look at it at a much broader view of what are the different people, teams involved in rendering the services understand. If it is service, there's always peaks and troughs. So we understand when is a critical period, what do we do with it and how do you manage it. Second aspect is to understand the problem Statements much deeper rather than having so use design thinking, keep on questioning the problem statement so that we have a better understanding understanding of that before you jump to the decision making. Then we have a more effective solution design in that case. And the other aspect is aligning the business the KPIs between IT and business operations such that there's a close dependency between both them. And to do all of that we need partners who can understand speak the same language between IT and business we have a much more better understanding they are speaking. They sort of serve as a bridge, a conduit between these two organizations. So this advisor slash partners that are called are shielding the business from the different specialists that we have in IT and just giving the business the right view. And also the other way provides it the right the picture of what the business really wants from a outcome perspective and drive that decision making and designing. So that model of having a trusted advisor kind of a role between business and IT will serve a lot. We can avoid shadow it's. We can really streamline spending. We can look at having much more. The cyber hygiene improves tremendously because we the business understands why the cyber security teams are asking questions that they're asking and there's a better adoption of the technology as well. So I think having that trusted advisor role in my view or a business partner role would be very essential for the success of such an engagement. [00:33:58] Speaker C: I think it was a really good summary on just recapping some of the main points that you discussed. So then do you have any closing comments or final thoughts you'd like to leave our audience then? [00:34:09] Speaker A: I had been doing some bit of reading on this for some years now. Now I'll just talk a bit about how the medical industry has worked. If you notice there are around there are more specialists in the industry than the general physicians. So I did a study had said that there are more specialists than 40% general physicians. And the issue, I mean obviously it's more lucrative for an individual to become a specialist because individually you can make more money. But the issue is that with lesser physician general physicians you have a lesser holistic health management of an individual or of a family. So that personal touch and understanding the human being is getting lost. Similar thing can happen for any organization if you have many specialists who are directly working with business and driving change on their own behalfs, but not keeping the whole holistic goal and match. So we need to have those business partner kind of people who work very closely with experts such as cybersecurity and translate the changes, the ideas that cybersecurity teams are bringing in to the business and showing the positive impacts of it and also serve as a feedback mechanism. I think that's the only way that this partnership would really help the organization a lot in the long run and I really believe that we we'll have this tribe of trusted advisors growing in the future which is much more beneficial for the organization rather than having a load of functions who just doing their individual activities and taking their own individual agendas forward. We need that player to help the business and find the organization to grow up. [00:35:51] Speaker B: This is KBCast, the voice of Cyber. [00:35:55] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles visit KBI Media to get access today. [00:36:04] Speaker B: This episode is brought to you by mercset. Your Smarter Route to Security Talent mercset's Executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand Talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.